fix(telemetry): use bare consensus_ledger_id tempo filter tag

The Tempo datasource search filter used the stale dotted xrpl.consensus.ledger_id
tag, but the consensus.round span emits the bare consensus_ledger_id key
(ConsensusSpanNames.h). The dotted tag matched no spans and failed the Rule C
naming check. Align it with L1.

.clang-format

@@ -1,5 +1,21 @@
 ---
-Language:        Cpp
+BreakBeforeBraces: Custom
+BraceWrapping:
+  AfterClass: true
+  AfterControlStatement: true
+  AfterEnum: false
+  AfterFunction: true
+  AfterNamespace: false
+  AfterObjCDeclaration: true
+  AfterStruct: true
+  AfterUnion: true
+  BeforeCatch: true
+  BeforeElse: true
+  IndentBraces: false
+KeepEmptyLinesAtTheStartOfBlocks: false
+MaxEmptyLinesToKeep: 1
+---
+Language: Cpp
 AccessModifierOffset: -4
 AlignAfterOpenBracket: AlwaysBreak
 AlignConsecutiveAssignments: false
@@ -18,51 +34,42 @@ AlwaysBreakBeforeMultilineStrings: true
 AlwaysBreakTemplateDeclarations: true
 BinPackArguments: false
 BinPackParameters: false
-BraceWrapping:
-  AfterClass:      true
-  AfterControlStatement: true
-  AfterEnum:       false
-  AfterFunction:   true
-  AfterNamespace:  false
-  AfterObjCDeclaration: true
-  AfterStruct:     true
-  AfterUnion:      true
-  BeforeCatch:     true
-  BeforeElse:      true
-  IndentBraces:    false
 BreakBeforeBinaryOperators: false
-BreakBeforeBraces: Custom
 BreakBeforeTernaryOperators: true
 BreakConstructorInitializersBeforeComma: true
-ColumnLimit:     80
-CommentPragmas:  '^ IWYU pragma:'
+ColumnLimit: 100
+CommentPragmas: "^ IWYU pragma:"
 ConstructorInitializerAllOnOneLineOrOnePerLine: true
 ConstructorInitializerIndentWidth: 4
 ContinuationIndentWidth: 4
 Cpp11BracedListStyle: true
 DerivePointerAlignment: false
-DisableFormat:   false
+DisableFormat: false
 ExperimentalAutoDetectBinPacking: false
-ForEachMacros:   [ Q_FOREACH,  BOOST_FOREACH ]
+ForEachMacros: [Q_FOREACH, BOOST_FOREACH]
+IncludeBlocks: Regroup
 IncludeCategories:
-  - Regex:           '^<(test)/'
-    Priority:        0
-  - Regex:           '^<(xrpld)/'
-    Priority:        1
-  - Regex:           '^<(xrpl)/'
-    Priority:        2
-  - Regex:           '^<(boost)/'
-    Priority:        3
-  - Regex:           '.*'
-    Priority:        4
-IncludeIsMainRegex: '$'
+  - Regex: "^<(test)/"
+    Priority: 1
+  - Regex: "^<(xrpld)/"
+    Priority: 2
+  - Regex: "^<(xrpl)/"
+    Priority: 3
+  - Regex: "^<(boost)/"
+    Priority: 4
+  - Regex: "^.*/"
+    Priority: 5
+  - Regex: '^.*\.h'
+    Priority: 6
+  - Regex: ".*"
+    Priority: 7
+IncludeIsMainRegex: "$"
+MainIncludeChar: AngleBracket
 IndentCaseLabels: true
 IndentFunctionDeclarationAfterType: false
 IndentRequiresClause: true
-IndentWidth:     4
+IndentWidth: 4
 IndentWrappedFunctionNames: false
-KeepEmptyLinesAtTheStartOfBlocks: false
-MaxEmptyLinesToKeep: 1
 NamespaceIndentation: None
 ObjCSpaceAfterProperty: false
 ObjCSpaceBeforeProtocolList: false
@@ -73,19 +80,25 @@ PenaltyBreakString: 1000
 PenaltyExcessCharacter: 1000000
 PenaltyReturnTypeOnItsOwnLine: 200
 PointerAlignment: Left
-ReflowComments:  true
+ReflowComments: true
 RequiresClausePosition: OwnLine
-SortIncludes:    true
+SortIncludes: true
 SpaceAfterCStyleCast: false
 SpaceBeforeAssignmentOperators: true
 SpaceBeforeParens: ControlStatements
 SpaceInEmptyParentheses: false
 SpacesBeforeTrailingComments: 2
-SpacesInAngles:  false
+SpacesInAngles: false
 SpacesInContainerLiterals: true
 SpacesInCStyleCastParentheses: false
 SpacesInParentheses: false
 SpacesInSquareBrackets: false
-Standard:        Cpp11
-TabWidth:        8
-UseTab:          Never
+Standard: Cpp11
+TabWidth: 8
+UseTab: Never
+QualifierAlignment: Right
+---
+Language: Proto
+BasedOnStyle: Google
+ColumnLimit: 0
+IndentWidth: 2

.clang-tidy

@@ -0,0 +1,204 @@
+---
+Checks: "-*,
+  bugprone-argument-comment,
+  bugprone-assert-side-effect,
+  bugprone-bad-signal-to-kill-thread,
+  bugprone-bool-pointer-implicit-conversion,
+  bugprone-capturing-this-in-member-variable,
+  bugprone-casting-through-void,
+  bugprone-chained-comparison,
+  bugprone-compare-pointer-to-member-virtual-function,
+  bugprone-copy-constructor-init,
+  bugprone-crtp-constructor-accessibility,
+  bugprone-dangling-handle,
+  bugprone-dynamic-static-initializers,
+  bugprone-empty-catch,
+  bugprone-fold-init-type,
+  bugprone-forward-declaration-namespace,
+  bugprone-inaccurate-erase,
+  bugprone-inc-dec-in-conditions,
+  bugprone-incorrect-enable-if,
+  bugprone-incorrect-roundings,
+  bugprone-infinite-loop,
+  bugprone-integer-division,
+  bugprone-lambda-function-name,
+  bugprone-macro-parentheses,
+  bugprone-macro-repeated-side-effects,
+  bugprone-misleading-setter-of-reference,
+  bugprone-misplaced-operator-in-strlen-in-alloc,
+  bugprone-misplaced-pointer-arithmetic-in-alloc,
+  bugprone-misplaced-widening-cast,
+  bugprone-move-forwarding-reference,
+  bugprone-multi-level-implicit-pointer-conversion,
+  bugprone-multiple-new-in-one-expression,
+  bugprone-multiple-statement-macro,
+  bugprone-no-escape,
+  bugprone-non-zero-enum-to-bool-conversion,
+  bugprone-optional-value-conversion,
+  bugprone-parent-virtual-call,
+  bugprone-pointer-arithmetic-on-polymorphic-object,
+  bugprone-posix-return,
+  bugprone-redundant-branch-condition,
+  bugprone-reserved-identifier,
+  bugprone-return-const-ref-from-parameter,
+  bugprone-shared-ptr-array-mismatch,
+  bugprone-signal-handler,
+  bugprone-signed-char-misuse,
+  bugprone-sizeof-container,
+  bugprone-sizeof-expression,
+  bugprone-spuriously-wake-up-functions,
+  bugprone-standalone-empty,
+  bugprone-string-constructor,
+  bugprone-string-integer-assignment,
+  bugprone-string-literal-with-embedded-nul,
+  bugprone-stringview-nullptr,
+  bugprone-suspicious-enum-usage,
+  bugprone-suspicious-include,
+  bugprone-suspicious-memory-comparison,
+  bugprone-suspicious-memset-usage,
+  bugprone-suspicious-missing-comma,
+  bugprone-suspicious-realloc-usage,
+  bugprone-suspicious-semicolon,
+  bugprone-suspicious-string-compare,
+  bugprone-suspicious-stringview-data-usage,
+  bugprone-swapped-arguments,
+  bugprone-switch-missing-default-case,
+  bugprone-terminating-continue,
+  bugprone-throw-keyword-missing,
+  bugprone-too-small-loop-variable,
+  bugprone-unchecked-optional-access,
+  bugprone-undefined-memory-manipulation,
+  bugprone-undelegated-constructor,
+  bugprone-unhandled-exception-at-new,
+  bugprone-unhandled-self-assignment,
+  bugprone-unique-ptr-array-mismatch,
+  bugprone-unsafe-functions,
+  bugprone-unused-local-non-trivial-variable,
+  bugprone-unused-raii,
+  bugprone-unused-return-value,
+  bugprone-use-after-move,
+  bugprone-virtual-near-miss,
+  cppcoreguidelines-init-variables,
+  cppcoreguidelines-misleading-capture-default-by-value,
+  cppcoreguidelines-no-suspend-with-lock,
+  cppcoreguidelines-pro-type-member-init,
+  cppcoreguidelines-pro-type-static-cast-downcast,
+  cppcoreguidelines-rvalue-reference-param-not-moved,
+  cppcoreguidelines-use-default-member-init,
+  cppcoreguidelines-use-enum-class,
+  cppcoreguidelines-virtual-class-destructor,
+  hicpp-ignored-remove-result,
+  llvm-namespace-comment,
+  misc-const-correctness,
+  misc-definitions-in-headers,
+  misc-header-include-cycle,
+  misc-include-cleaner,
+  misc-misplaced-const,
+  misc-redundant-expression,
+  misc-static-assert,
+  misc-throw-by-value-catch-by-reference,
+  misc-unused-alias-decls,
+  misc-unused-using-decls,
+  modernize-concat-nested-namespaces,
+  modernize-deprecated-headers,
+  modernize-make-shared,
+  modernize-make-unique,
+  modernize-pass-by-value,
+  modernize-type-traits,
+  modernize-use-designated-initializers,
+  modernize-use-emplace,
+  modernize-use-equals-default,
+  modernize-use-equals-delete,
+  modernize-use-nodiscard,
+  modernize-use-override,
+  modernize-use-ranges,
+  modernize-use-scoped-lock,
+  modernize-use-starts-ends-with,
+  modernize-use-std-numbers,
+  modernize-use-using,
+  performance-faster-string-find,
+  performance-for-range-copy,
+  performance-implicit-conversion-in-loop,
+  performance-inefficient-vector-operation,
+  performance-move-const-arg,
+  performance-move-constructor-init,
+  performance-no-automatic-move,
+  performance-trivially-destructible,
+  readability-ambiguous-smartptr-reset-call,
+  readability-avoid-nested-conditional-operator,
+  readability-avoid-return-with-void-value,
+  readability-braces-around-statements,
+  readability-const-return-type,
+  readability-container-contains,
+  readability-container-size-empty,
+  readability-convert-member-functions-to-static,
+  readability-duplicate-include,
+  readability-else-after-return,
+  readability-enum-initial-value,
+  readability-identifier-naming,
+  readability-implicit-bool-conversion,
+  readability-make-member-function-const,
+  readability-math-missing-parentheses,
+  readability-misleading-indentation,
+  readability-non-const-parameter,
+  readability-redundant-casting,
+  readability-redundant-declaration,
+  readability-redundant-inline-specifier,
+  readability-redundant-member-init,
+  readability-redundant-string-init,
+  readability-reference-to-constructed-temporary,
+  readability-simplify-boolean-expr,
+  readability-static-definition-in-anonymous-namespace,
+  readability-suspicious-call-argument,
+  readability-use-std-min-max
+  "
+# ---
+# readability-inconsistent-declaration-parameter-name, # In this codebase this check will break a lot of arg names
+# readability-static-accessed-through-instance,        # this check is probably unnecessary. It makes the code less readable
+# ---
+
+CheckOptions:
+  bugprone-unsafe-functions.ReportMoreUnsafeFunctions: true
+  bugprone-unused-return-value.CheckedReturnTypes: ::std::error_code;::std::error_condition;::std::errc
+
+  misc-include-cleaner.IgnoreHeaders: ".*/(detail|impl)/.*;.*fwd\\.h(pp)?;time.h;stdlib.h;sqlite3.h;netinet/in\\.h;sys/resource\\.h;sys/sysinfo\\.h;linux/sysinfo\\.h;__chrono/.*;bits/.*;_abort\\.h;boost/uuid/uuid_hash.hpp;boost/beast/core/flat_buffer\\.hpp;boost/beast/http/field\\.hpp;boost/beast/http/dynamic_body\\.hpp;boost/beast/http/message\\.hpp;boost/beast/http/read\\.hpp;boost/beast/http/write\\.hpp;openssl/obj_mac\\.h"
+
+  readability-braces-around-statements.ShortStatementLines: 2
+  readability-identifier-naming.MacroDefinitionCase: UPPER_CASE
+  readability-identifier-naming.ClassCase: CamelCase
+  readability-identifier-naming.StructCase: CamelCase
+  readability-identifier-naming.UnionCase: CamelCase
+  readability-identifier-naming.EnumCase: CamelCase
+  readability-identifier-naming.EnumConstantCase: CamelCase
+  readability-identifier-naming.ScopedEnumConstantCase: CamelCase
+  readability-identifier-naming.GlobalConstantCase: CamelCase
+  readability-identifier-naming.GlobalConstantPrefix: "k"
+  readability-identifier-naming.GlobalVariableCase: CamelCase
+  readability-identifier-naming.GlobalVariablePrefix: "g"
+  readability-identifier-naming.ConstexprFunctionCase: camelBack
+  readability-identifier-naming.ConstexprMethodCase: camelBack
+  readability-identifier-naming.ClassMethodCase: camelBack
+  readability-identifier-naming.ClassMemberCase: camelBack
+  readability-identifier-naming.ClassConstantCase: CamelCase
+  readability-identifier-naming.ClassConstantPrefix: "k"
+  readability-identifier-naming.StaticConstantCase: CamelCase
+  readability-identifier-naming.StaticConstantPrefix: "k"
+  readability-identifier-naming.StaticVariableCase: camelBack
+  readability-identifier-naming.ConstexprVariableCase: camelBack
+  readability-identifier-naming.LocalConstantCase: camelBack
+  readability-identifier-naming.LocalVariableCase: camelBack
+  readability-identifier-naming.TemplateParameterCase: CamelCase
+  readability-identifier-naming.ParameterCase: camelBack
+  readability-identifier-naming.FunctionCase: camelBack
+  readability-identifier-naming.MemberCase: camelBack
+  readability-identifier-naming.PrivateMemberCase: camelBack
+  readability-identifier-naming.PrivateMemberSuffix: _
+  readability-identifier-naming.ProtectedMemberCase: camelBack
+  readability-identifier-naming.ProtectedMemberSuffix: _
+  readability-identifier-naming.PublicMemberCase: camelBack
+  readability-identifier-naming.PublicMemberSuffix: ""
+  readability-identifier-naming.GlobalFunctionIgnoredRegexp: "^(to_string|hash_append|tuple_hash)$"
+
+HeaderFilterRegex: '^.*/(tests?|xrpl|xrpld)/.*\.(h|hpp|ipp)$'
+ExcludeHeaderFilterRegex: '^.*/protocol_autogen/.*\.(h|hpp)$'
+WarningsAsErrors: "*"

.codecov.yml

@@ -7,13 +7,13 @@ comment:
   show_carryforward_flags: false
 
 coverage:
-  range: "60..80"
+  range: "70..85"
   precision: 1
   round: nearest
   status:
     project:
       default:
-        target: 60%
+        target: 75%
         threshold: 2%
     patch:
       default:
@@ -27,11 +27,15 @@ github_checks:
 parsers:
   cobertura:
     partials_as_hits: true
-    handle_missing_conditions : true
+    handle_missing_conditions: true
 
 slack_app: false
 
 ignore:
   - "src/test/"
+  - "src/tests/"
   - "include/xrpl/beast/test/"
   - "include/xrpl/beast/unit_test/"
+  # Telemetry modules — conditionally compiled behind XRPL_ENABLE_TELEMETRY,
+  # which is not enabled in coverage builds.
+  - "src/xrpld/telemetry/"

.gersemi/definitions.cmake

@@ -0,0 +1,98 @@
+# Custom CMake command definitions for gersemi formatting.
+# These stubs teach gersemi the signatures of project-specific commands
+# so it can format their invocations correctly.
+
+function(git_branch branch_val)
+endfunction()
+
+function(isolate_headers target A B scope)
+endfunction()
+
+function(create_symbolic_link target link)
+endfunction()
+
+macro(exclude_from_default target_)
+endmacro()
+
+macro(exclude_if_included target_)
+endmacro()
+
+function(target_protobuf_sources target prefix)
+    set(options APPEND_PATH DESCRIPTORS)
+    set(oneValueArgs
+        LANGUAGE
+        OUT_VAR
+        EXPORT_MACRO
+        TARGET
+        PROTOC_OUT_DIR
+        PLUGIN
+        PLUGIN_OPTIONS
+        PROTOC_EXE
+    )
+    set(multiValueArgs
+        PROTOS
+        IMPORT_DIRS
+        GENERATE_EXTENSIONS
+        PROTOC_OPTIONS
+        DEPENDENCIES
+    )
+    cmake_parse_arguments(
+        THIS_FUNCTION_PREFIX
+        "${options}"
+        "${oneValueArgs}"
+        "${multiValueArgs}"
+        ${ARGN}
+    )
+endfunction()
+
+function(add_module parent name)
+endfunction()
+
+function(setup_protocol_autogen)
+endfunction()
+
+function(target_link_modules parent scope)
+endfunction()
+
+function(setup_target_for_coverage_gcovr)
+    set(options NONE)
+    set(oneValueArgs BASE_DIRECTORY NAME FORMAT)
+    set(multiValueArgs EXCLUDE EXECUTABLE EXECUTABLE_ARGS DEPENDENCIES)
+    cmake_parse_arguments(
+        THIS_FUNCTION_PREFIX
+        "${options}"
+        "${oneValueArgs}"
+        "${multiValueArgs}"
+        ${ARGN}
+    )
+endfunction()
+
+function(add_code_coverage_to_target name scope)
+endfunction()
+
+function(verbose_find_path variable name)
+    set(options
+        NO_CACHE
+        REQUIRED
+        OPTIONAL
+        NO_DEFAULT_PATH
+        NO_PACKAGE_ROOT_PATH
+        NO_CMAKE_PATH
+        NO_CMAKE_ENVIRONMENT_PATH
+        NO_SYSTEM_ENVIRONMENT_PATH
+        NO_CMAKE_SYSTEM_PATH
+        NO_CMAKE_INSTALL_PREFIX
+        CMAKE_FIND_ROOT_PATH_BOTH
+        ONLY_CMAKE_FIND_ROOT_PATH
+        NO_CMAKE_FIND_ROOT_PATH
+    )
+    set(oneValueArgs REGISTRY_VIEW VALIDATOR DOC)
+    set(multiValueArgs NAMES HINTS PATHS PATH_SUFFIXES)
+    cmake_parse_arguments(
+        THIS_FUNCTION_PREFIX
+        "${options}"
+        "${oneValueArgs}"
+        "${multiValueArgs}"
+        ${ARGN}
+    )
+endfunction()

.gersemirc

@@ -0,0 +1 @@
+definitions: [.gersemi]

.git-blame-ignore-revs

@@ -1,13 +1,81 @@
 # This feature requires Git >= 2.24
 # To use it by default in git blame:
 # git config blame.ignoreRevsFile .git-blame-ignore-revs
-50760c693510894ca368e90369b0cc2dabfd07f3
-e2384885f5f630c8f0ffe4bf21a169b433a16858
-241b9ddde9e11beb7480600fd5ed90e1ef109b21
-760f16f56835663d9286bd29294d074de26a7ba6
-0eebe6a5f4246fced516d52b83ec4e7f47373edd
-2189cc950c0cebb89e4e2fa3b2d8817205bf7cef
-b9d007813378ad0ff45660dc07285b823c7e9855
-fe9a5365b8a52d4acc42eb27369247e6f238a4f9
-9a93577314e6a8d4b4a8368cc9d2b15a5d8303e8
+
+# This file is sorted in reverse chronological order, with the most recent commits at the top.
+# The commits listed here are ignored by git blame, which is useful for formatting-only commits that would otherwise obscure the history of changes to a file.
+
+# refactor: Enable clang-tidy `readability-identifier-naming` check (#6571)
+8995564ed6b9e453e144bb663303072a3c1ba305
+# refactor: Enable remaining clang-tidy `cppcoreguidelines` checks (#6538)
+72f4cb097f626b08b02fc3efcb4aa11cb2e7adb8
+# refactor: Rename system name from 'ripple' to 'xrpld' (#6347)
+ffea3977f0b771fe8e43a8f74e4d393d63a7afd8
+# refactor: Update transaction folder structure (#6483)
+5865bd017f777491b4a956f9210be0c4161f5442
+# chore: Use gersemi instead of ancient cmake-format (#6486)
+0c74270b055133a57a497b5c9fc5a75f7647b1f4
+# chore: Apply clang-format width 100 (#6387)
+2c1fad102353e11293e3edde1c043224e7d3e983
+# chore: Set clang-format width to 100 in config file (#6387)
+25cca465538a56cce501477f9e5e2c1c7ea2d84c
+# chore: Set cmake-format width to 100 (#6386)
+469ce9f291a4480c38d4ee3baca5136b2f053cd0
+# refactor: Modularize app/tx (#6228)
+0976b2b68b64972af8e6e7c497900b5bce9fe22f
+# chore: Update clang-format to 21.1.8 (#6352)
+958d8f375453d80bb1aa4c293b5102c045a3e4b4
+# refactor: Replace include guards by '#pragma once' (#6322)
+34ef577604782ca8d6e1c17df8bd7470990a52ff
+# chore: Format all cmake files without comments (#6294)
+fe9c8d568fcf6ac21483024e01f58962dd5c8260
+# chore: Add cmake-format pre-commit hook (#6279)
+a0e09187b9370805d027c611a7e9ff5a0125282a
+# chore: Set ColumnLimit to 120 in clang-format (#6288)
+5f638f55536def0d88b970d1018a465a238e55f4
+# refactor: Fix typos in comments, configure cspell (#6164)
+3c9f5b62525cb1d6ca1153eeb10433db7d7379fd
+# refactor: Rename `rippled.cfg` to `xrpld.cfg` (#6098)
+3d1b3a49b3601a0a7037fa0b19d5df7b5e0e2fc1
+# refactor: Rename `ripple` namespace to `xrpl` (#5982)
+1eb0fdac6543706b4b9ddca57fd4102928a1f871
+# refactor: Rename `rippled` binary to `xrpld` (#5983)
+9eb84a561ef8bb066d89f098bd9b4ac71baed67c
+# refactor: Replaces secp256k1 source by Conan package (#6089)
+813bc4d9491b078bb950f8255f93b02f71320478
+# refactor: Remove unnecessary copyright notices already covered by LICENSE.md (#5929)
+1d42c4f6de6bf01d1286fc7459b17a37a5189e88
+# refactor: Rename `RIPPLE_` and `RIPPLED_` definitions to `XRPL_` (#5821)
+ada83564d894829424b0f4d922b0e737e07abbf7
+# refactor: Modularize shamap and nodestore (#5668)
+8eb233c2ea8ad5a159be73b77f0f5e1496d547ac
+# refactor: Modularise ledger (#5493)
+dc8b37a52448b005153c13a7f046ad494128cf94
+# chore: Update clang-format and prettier with pre-commit (#5709)
+c14ce956adeabe476ad73c18d73103f347c9c613
+# chore: Fix file formatting (#5718)
+896b8c3b54a22b0497cb0d1ce95e1095f9a227ce
+# chore: Reverts formatting changes to external files, adds formatting changes to proto files (#5711)
+b13370ac0d207217354f1fc1c29aef87769fb8a1
+# chore: Run prettier on all files (#5657)
+97f0747e103f13e26e45b731731059b32f7679ac
+# Reformat code with clang-format-18
 552377c76f55b403a1c876df873a23d780fcc81c
+# Recompute loops (#4997)
+d028005aa6319338b0adae1aebf8abe113162960
+# Rewrite includes (#4997)
+1d23148e6dd53957fcb6205c07a5c6cd7b64d50c
+# Rearrange sources (#4997)
+e416ee72ca26fa0c09d2aee1b68bdfb2b7046eed
+# Move CMake directory (#4997)
+2e902dee53aab2a8f27f32971047bb81e022f94f
+# Rewrite includes
+0eebe6a5f4246fced516d52b83ec4e7f47373edd
+# Format formerly .hpp files
+760f16f56835663d9286bd29294d074de26a7ba6
+# Rename .hpp to .h
+241b9ddde9e11beb7480600fd5ed90e1ef109b21
+# Consolidate external libraries
+e2384885f5f630c8f0ffe4bf21a169b433a16858
+# Format first-party source according to .clang-format
+50760c693510894ca368e90369b0cc2dabfd07f3

.gitattributes

@@ -1,9 +1,6 @@
 # Set default behaviour, in case users don't have core.autocrlf set.
 #* text=auto
-
-# These annoying files
-rippled.1 binary
-LICENSE binary
+# cspell: disable
 
 # Visual Studio
 *.sln       text eol=crlf

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,31 +1,36 @@
 ---
 name: Bug Report
-about: Create a report to help us improve rippled
-title: "[Title with short description] (Version: [rippled version])"
-labels: ''
-assignees: ''
-
+about: Create a report to help us improve xrpld
+title: "[Title with short description] (Version: [xrpld version])"
+labels: ""
+assignees: ""
 ---
+
 <!-- Please search existing issues to avoid creating duplicates.-->
 
 ## Issue Description
+
 <!--Provide a summary for your issue/bug.-->
 
 ## Steps to Reproduce
+
 <!--List in detail the exact steps to reproduce the unexpected behavior of the software.-->
 
 ## Expected Result
+
 <!--Explain in detail what behavior you expected to happen.-->
 
 ## Actual Result
+
 <!--Explain in detail what behavior actually happened.-->
 
 ## Environment
+
 <!--Please describe your environment setup (such as Ubuntu 18.04 with Boost 1.70).-->
-<!-- If you are using a formal release, please use the version returned by './rippled --version' as the version number-->
+<!-- If you are using a formal release, please use the version returned by './xrpld --version' as the version number-->
 <!-- If you are working off of develop, please add the git hash via 'git rev-parse HEAD'-->
 
 ## Supporting Files
+
 <!--If you have supporting files such as a log, feel free to post a link here using Github Gist.-->
 <!--Consider adding configuration files with private information removed via Github Gist. -->
-

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,21 +1,25 @@
 ---
 name: Feature Request
-about: Suggest a new feature for the rippled project
-title: "[Title with short description] (Version: [rippled version])"
+about: Suggest a new feature for the xrpld project
+title: "[Title with short description] (Version: [xrpld version])"
 labels: Feature Request
-assignees: ''
-
+assignees: ""
 ---
+
 <!-- Please search existing issues to avoid creating duplicates.-->
 
 ## Summary
+
 <!-- Provide a summary to the feature request-->
 
 ## Motivation
+
 <!-- Why do we need this feature?-->
 
 ## Solution
+
 <!-- What is the solution?-->
 
 ## Paths Not Taken
+
 <!-- What other alternatives have been considered?-->

.github/actions/build-deps/action.yml

@@ -0,0 +1,47 @@
+name: Build Conan dependencies
+description: "Install Conan dependencies, optionally forcing a rebuild of all dependencies."
+
+# Note that actions do not support 'type' and all inputs are strings, see
+# https://docs.github.com/en/actions/reference/workflows-and-actions/metadata-syntax#inputs.
+inputs:
+  build_type:
+    description: 'The build type to use ("Debug", "Release").'
+    required: true
+  build_nproc:
+    description: "The number of processors to use for building."
+    required: true
+  force_build:
+    description: 'Force building of all dependencies ("true", "false").'
+    required: false
+    default: "false"
+  log_verbosity:
+    description: "The logging verbosity."
+    required: false
+    default: "verbose"
+  sanitizers:
+    description: "The sanitizers to enable."
+    required: false
+    default: ""
+
+runs:
+  using: composite
+  steps:
+    - name: Install Conan dependencies
+      shell: bash
+      env:
+        BUILD_NPROC: ${{ inputs.build_nproc }}
+        BUILD_OPTION: ${{ inputs.force_build == 'true' && '*' || 'missing' }}
+        BUILD_TYPE: ${{ inputs.build_type }}
+        LOG_VERBOSITY: ${{ inputs.log_verbosity }}
+        SANITIZERS: ${{ inputs.sanitizers }}
+      run: |
+        conan install \
+            --profile:all ci \
+            --build="${BUILD_OPTION}" \
+            --options:host='&:tests=True' \
+            --options:host='&:xrpld=True' \
+            --settings:all build_type="${BUILD_TYPE}" \
+            --conf:all tools.build:jobs=${BUILD_NPROC} \
+            --conf:all tools.build:verbosity="${LOG_VERBOSITY}" \
+            --conf:all tools.compilation:verbosity="${LOG_VERBOSITY}" \
+            .

.github/actions/build/action.yml

@@ -1,34 +0,0 @@
-name: build
-inputs:
-  generator:
-    default: null
-  configuration:
-    required: true
-  cmake-args:
-    default: null
-  cmake-target:
-    default: all
-# An implicit input is the environment variable `build_dir`.
-runs:
-  using: composite
-  steps:
-    - name: configure
-      shell: bash
-      run: |
-        cd ${build_dir}
-        cmake \
-          ${{ inputs.generator && format('-G "{0}"', inputs.generator) || '' }} \
-          -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
-          -DCMAKE_BUILD_TYPE=${{ inputs.configuration }} \
-          -Dtests=TRUE \
-          -Dxrpld=TRUE \
-          ${{ inputs.cmake-args }} \
-          ..
-    - name: build
-      shell: bash
-      run: |
-        cmake \
-          --build ${build_dir} \
-          --config ${{ inputs.configuration }} \
-          --parallel ${NUM_PROCESSORS:-$(nproc)} \
-          --target ${{ inputs.cmake-target }}

.github/actions/dependencies/action.yml

@@ -1,60 +0,0 @@
-name: dependencies
-inputs:
-  configuration:
-    required: true
-# An implicit input is the environment variable `build_dir`.
-runs:
-  using: composite
-  steps:
-    - name: unlock Conan
-      shell: bash
-      run: conan remove --locks
-    - name: export custom recipes
-      shell: bash
-      run: |
-        conan config set general.revisions_enabled=1
-        conan export external/snappy snappy/1.1.10@
-        conan export external/rocksdb rocksdb/6.29.5@
-        conan export external/soci soci/4.0.3@
-    - name: add Ripple Conan remote
-      shell: bash
-      run: |
-        conan remote list
-        conan remote remove ripple || true
-        # Do not quote the URL. An empty string will be accepted (with
-        # a non-fatal warning), but a missing argument will not.
-        conan remote add ripple ${{ env.CONAN_URL }} --insert 0
-    - name: try to authenticate to Ripple Conan remote
-      id: remote
-      shell: bash
-      run: |
-        # `conan user` implicitly uses the environment variables
-        # CONAN_LOGIN_USERNAME_<REMOTE> and CONAN_PASSWORD_<REMOTE>.
-        # https://docs.conan.io/1/reference/commands/misc/user.html#using-environment-variables
-        # https://docs.conan.io/1/reference/env_vars.html#conan-login-username-conan-login-username-remote-name
-        # https://docs.conan.io/1/reference/env_vars.html#conan-password-conan-password-remote-name
-        echo outcome=$(conan user --remote ripple --password >&2 \
-          && echo success || echo failure) | tee ${GITHUB_OUTPUT}
-    - name: list missing binaries
-      id: binaries
-      shell: bash
-      # Print the list of dependencies that would need to be built locally.
-      # A non-empty list means we have "failed" to cache binaries remotely.
-      run: |
-        echo missing=$(conan info . --build missing --settings build_type=${{ inputs.configuration }} --json 2>/dev/null  | grep '^\[') | tee ${GITHUB_OUTPUT}
-    - name: install dependencies
-      shell: bash
-      run: |
-        mkdir ${build_dir}
-        cd ${build_dir}
-        conan install \
-          --output-folder . \
-          --build missing \
-          --options tests=True \
-          --options xrpld=True \
-          --settings build_type=${{ inputs.configuration }} \
-          ..
-    - name: upload dependencies to remote
-      if: (steps.binaries.outputs.missing != '[]') && (steps.remote.outputs.outcome == 'success')
-      shell: bash
-      run: conan upload --remote ripple '*' --all --parallel --confirm

.github/actions/generate-version/action.yml

@@ -0,0 +1,44 @@
+name: Generate build version number
+description: "Generate build version number."
+
+outputs:
+  version:
+    description: "The generated build version number."
+    value: ${{ steps.version.outputs.version }}
+
+runs:
+  using: composite
+  steps:
+    # When a tag is pushed, the version is used as-is.
+    - name: Generate version for tag event
+      if: ${{ startsWith(github.ref, 'refs/tags/') }}
+      shell: bash
+      env:
+        VERSION: ${{ github.ref_name }}
+      run: echo "VERSION=${VERSION}" >>"${GITHUB_ENV}"
+
+    # When a tag is not pushed, then the version (e.g. 1.2.3-b0) is extracted
+    # from the BuildInfo.cpp file and the shortened commit hash appended to it.
+    # We use a plus sign instead of a hyphen because Conan recipe versions do
+    # not support two hyphens.
+    - name: Generate version for non-tag event
+      if: ${{ !startsWith(github.ref, 'refs/tags/') }}
+      shell: bash
+      run: |
+        echo 'Extracting version from BuildInfo.cpp.'
+        VERSION="$(cat src/libxrpl/protocol/BuildInfo.cpp | grep "versionString =" | awk -F '"' '{print $2}')"
+        if [[ -z "${VERSION}" ]]; then
+            echo 'Unable to extract version from BuildInfo.cpp.'
+            exit 1
+        fi
+
+        echo 'Appending shortened commit hash to version.'
+        SHA='${{ github.sha }}'
+        VERSION="${VERSION}+${SHA:0:7}"
+
+        echo "VERSION=${VERSION}" >>"${GITHUB_ENV}"
+
+    - name: Output version
+      id: version
+      shell: bash
+      run: echo "version=${VERSION}" >>"${GITHUB_OUTPUT}"

.github/actions/set-compiler-env/action.yml

@@ -0,0 +1,34 @@
+name: Set compiler environment
+description: "Set CC and CXX environment variables for the given compiler."
+
+inputs:
+  compiler:
+    description: 'The compiler to use ("gcc" or "clang").'
+    required: true
+
+runs:
+  using: composite
+
+  steps:
+    - name: Set CC and CXX for gcc
+      if: ${{ inputs.compiler == 'gcc' }}
+      shell: bash
+      run: |
+        echo "CC=gcc" >>"${GITHUB_ENV}"
+        echo "CXX=g++" >>"${GITHUB_ENV}"
+
+    - name: Set CC and CXX for clang
+      if: ${{ inputs.compiler == 'clang' }}
+      shell: bash
+      run: |
+        echo "CC=clang" >>"${GITHUB_ENV}"
+        echo "CXX=clang++" >>"${GITHUB_ENV}"
+
+    - name: Fail on unknown compiler
+      if: ${{ inputs.compiler != 'gcc' && inputs.compiler != 'clang' }}
+      shell: bash
+      env:
+        COMPILER: ${{ inputs.compiler }}
+      run: |
+        echo "Unknown compiler: $COMPILER" >&2
+        exit 1

.github/actions/setup-conan/action.yml

@@ -0,0 +1,49 @@
+name: Setup Conan
+description: "Set up Conan configuration, profile, and remote."
+
+inputs:
+  remote_name:
+    description: "The name of the Conan remote to use."
+    required: false
+    default: xrplf
+  remote_url:
+    description: "The URL of the Conan endpoint to use."
+    required: false
+    default: https://conan.ripplex.io
+
+runs:
+  using: composite
+
+  steps:
+    - name: Apply custom configuration to global.conf
+      shell: bash
+      run: |
+        cat conan/global.conf ${{ runner.os == 'Linux' && '>>' || '>' }} $(conan config home)/global.conf
+
+    - name: Show global configuration
+      shell: bash
+      run: |
+        conan config show '*'
+
+    - name: Install profiles
+      shell: bash
+      run: |
+        conan config install conan/profiles/ -tf $(conan config home)/profiles/
+
+    - name: Show CI profile
+      shell: bash
+      run: |
+        conan profile show --profile ci
+
+    - name: Add a remote
+      shell: bash
+      env:
+        REMOTE_NAME: ${{ inputs.remote_name }}
+        REMOTE_URL: ${{ inputs.remote_url }}
+      run: |
+        conan remote add --index 0 --force "${REMOTE_NAME}" "${REMOTE_URL}"
+
+    - name: List remotes
+      shell: bash
+      run: |
+        conan remote list

.github/dependabot.yml

@@ -0,0 +1,17 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directories:
+      - /
+      - .github/actions/build-deps/
+      - .github/actions/generate-version/
+      - .github/actions/set-compiler-env/
+      - .github/actions/setup-conan/
+    schedule:
+      interval: weekly
+      day: monday
+      time: "04:00"
+      timezone: Etc/GMT
+    commit-message:
+      prefix: "ci: [DEPENDABOT] "
+    target-branch: develop

.github/pull_request_template.md

@@ -29,22 +29,6 @@ If a refactor, how is this better than the previous implementation?
 If there is a spec or design document for this feature, please link it here.
 -->
 
-### Type of Change
-
-<!--
-Please check [x] relevant options, delete irrelevant ones.
--->
-
-- [ ] Bug fix (non-breaking change which fixes an issue)
-- [ ] New feature (non-breaking change which adds functionality)
-- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
-- [ ] Refactor (non-breaking change that only restructures code)
-- [ ] Performance (increase or change in throughput and/or latency)
-- [ ] Tests (you added tests for code that already exists, or your new feature included in this PR)
-- [ ] Documentation update
-- [ ] Chore (no impact to binary, e.g. `.gitignore`, formatting, dropping support for older tooling)
-- [ ] Release
-
 ### API Impact
 
 <!--

.github/scripts/check-pr-description.py

@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+
+"""
+Checks that a pull request description has been customized from the
+pull_request_template.md. Exits with code 1 if the description is empty
+or identical to the template (ignoring HTML comments and whitespace).
+
+Usage:
+    python check-pr-description.py --template-file TEMPLATE --pr-body-file BODY
+"""
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+
+def normalize(text: str) -> str:
+    """Strip HTML comments, trim lines, and remove blank lines."""
+    # Remove HTML comments (possibly multi-line)
+    text = re.sub(r"<!--.*?-->", "", text, flags=re.DOTALL)
+    # Strip each line and drop empties
+    lines = [line.strip() for line in text.splitlines()]
+    lines = [line for line in lines if line]
+    return "\n".join(lines)
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(
+        description="Check that a PR description differs from the template."
+    )
+    parser.add_argument(
+        "--template-file",
+        type=Path,
+        required=True,
+        help="Path to the pull request template file.",
+    )
+    parser.add_argument(
+        "--pr-body-file",
+        type=Path,
+        required=True,
+        help="Path to a file containing the PR body text.",
+    )
+    args = parser.parse_args()
+
+    template_path: Path = args.template_file
+    pr_body_path: Path = args.pr_body_file
+
+    if not template_path.is_file():
+        print(f"::error::Template file {template_path} not found")
+        return 1
+
+    if not pr_body_path.is_file():
+        print(f"::error::PR body file {pr_body_path} not found")
+        return 1
+
+    template = template_path.read_text(encoding="utf-8")
+    pr_body = pr_body_path.read_text(encoding="utf-8")
+
+    # Check if the PR body is empty or whitespace-only
+    if not pr_body.strip():
+        print(
+            "::error::PR description is empty. "
+            "Please fill in the pull request template."
+        )
+        return 1
+
+    norm_template = normalize(template)
+    norm_pr_body = normalize(pr_body)
+
+    if norm_pr_body == norm_template:
+        print(
+            "::error::PR description (ignoring HTML comments) is identical"
+            " to the template. Please fill in the details of your change."
+            f"\n\nVisible template content:\n---\n{norm_template}\n---"
+            f"\n\nVisible PR description content:\n---\n{norm_pr_body}\n---"
+        )
+        return 1
+
+    print("PR description has been customized from the template.")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

.github/scripts/format-inline-bash.py

@@ -0,0 +1,403 @@
+#!/usr/bin/env python3
+
+"""
+Format embedded shell snippets using the shfmt hook configured in
+.pre-commit-config.yaml.
+
+Two shapes are recognised:
+
+* YAML workflow/action files: literal block-scalar runs (`run: |`) and
+  single-line runs (`run: some command`). A single-line run is upgraded to
+  a `run: |` block scalar if shfmt's output spans multiple lines.
+
+* Markdown files: ``` ```bash ``` fenced code blocks.
+
+Any block that shfmt cannot parse is skipped with a warning on stderr, so
+the file is left untouched and surrounding blocks still get formatted.
+
+For each occurrence the body is dedented, written to a temp .sh file,
+formatted via `pre-commit run shfmt --files <temp>` (falling back to
+`prek`), then re-indented and written back in place.
+
+When invoked without arguments, every .yml/.yaml under .github/ plus every
+.md file in the repo is scanned. When invoked with file arguments (the
+pre-commit case), only those files are processed.
+"""
+
+from __future__ import annotations
+
+import re
+import shutil
+import subprocess
+import sys
+import tempfile
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Union
+
+REPO = Path(__file__).resolve().parents[2]
+
+_HOOK_RUNNER = next((cmd for cmd in ("pre-commit", "prek") if shutil.which(cmd)), None)
+if _HOOK_RUNNER is None:
+    sys.exit("error: neither `pre-commit` nor `prek` found on PATH")
+
+RUN_BLOCK_RE = re.compile(r"^(?P<prefix>[ \t]*(?:- )?)run:[ \t]*\|[+-]?[ \t]*$")
+RUN_INLINE_RE = re.compile(
+    r"^(?P<prefix>[ \t]*(?:- )?)run:[ \t]+" r"(?P<value>(?!\|[+-]?[ \t]*$)\S.*?)[ \t]*$"
+)
+MD_BASH_OPEN_RE = re.compile(r"^(?P<indent>[ ]{0,3})`{3}bash[ \t]*$")
+MD_FENCE_CLOSE_RE = re.compile(r"^[ ]{0,3}`{3,}[ \t]*$")
+
+
+@dataclass(frozen=True)
+class BlockRun:
+    """A `run: |` block scalar; `body_start:body_end` slices into `lines`."""
+
+    body_start: int
+    body_end: int
+    body_indent: int
+
+
+@dataclass(frozen=True)
+class InlineRun:
+    """A single-line `run: value` at `line_idx`."""
+
+    line_idx: int
+    prefix: str
+    value: str
+
+
+@dataclass(frozen=True)
+class MdBashBlock:
+    """A markdown ``` ```bash ``` fenced code block.
+
+    `body_start:body_end` slices into the file's lines; `open_line_idx`
+    points at the opening fence line.
+    """
+
+    open_line_idx: int
+    body_start: int
+    body_end: int
+    body_indent: int
+
+
+RunItem = Union[BlockRun, InlineRun]
+
+
+def _scan_block_body(
+    lines: list[str], body_start: int, run_col: int
+) -> tuple[int | None, int]:
+    """Locate the body of a `run: |` block scalar starting at `body_start`.
+
+    Returns `(body_indent, scan_end)`. `scan_end` is the line index where the
+    outer scanner should resume. `body_indent` is `None` when no body is
+    present (the scalar is empty, or the next non-blank line has indent
+    `<= run_col`).
+    """
+    body_indent: int | None = None
+    scan_end = len(lines)
+    for idx in range(body_start, len(lines)):
+        line = lines[idx]
+        if line.strip() == "":
+            continue
+        indent = len(line) - len(line.lstrip(" "))
+        if body_indent is None:
+            if indent > run_col:
+                body_indent = indent
+            else:
+                scan_end = idx
+                break
+        elif indent < body_indent:
+            scan_end = idx
+            break
+    if body_indent is not None:
+        while scan_end > body_start and lines[scan_end - 1].strip() == "":
+            scan_end -= 1
+        if scan_end <= body_start:
+            body_indent = None
+    return body_indent, scan_end
+
+
+def find_run_blocks(lines: list[str]) -> list[RunItem]:
+    """Return run items in document order."""
+    items: list[RunItem] = []
+    line_idx = 0
+    while line_idx < len(lines):
+        line = lines[line_idx]
+        if block_match := RUN_BLOCK_RE.match(line):
+            run_col = len(block_match.group("prefix"))
+            body_start = line_idx + 1
+            body_indent, scan_end = _scan_block_body(lines, body_start, run_col)
+            if body_indent is not None:
+                items.append(
+                    BlockRun(
+                        body_start=body_start,
+                        body_end=scan_end,
+                        body_indent=body_indent,
+                    )
+                )
+            line_idx = scan_end
+            continue
+        if inline_match := RUN_INLINE_RE.match(line):
+            items.append(
+                InlineRun(
+                    line_idx=line_idx,
+                    prefix=inline_match.group("prefix"),
+                    value=inline_match.group("value"),
+                )
+            )
+        line_idx += 1
+    return items
+
+
+def find_md_bash_blocks(lines: list[str]) -> list[MdBashBlock]:
+    """Return ``` ```bash ``` fenced code blocks in document order."""
+    blocks: list[MdBashBlock] = []
+    line_idx = 0
+    while line_idx < len(lines):
+        open_match = MD_BASH_OPEN_RE.match(lines[line_idx])
+        if not open_match:
+            line_idx += 1
+            continue
+        body_start = line_idx + 1
+        close_idx = next(
+            (
+                j
+                for j in range(body_start, len(lines))
+                if MD_FENCE_CLOSE_RE.match(lines[j])
+            ),
+            None,
+        )
+        if close_idx is None:
+            line_idx = body_start
+            continue
+        body = lines[body_start:close_idx]
+        non_blank = [b for b in body if b.strip()]
+        body_indent = (
+            min(len(b) - len(b.lstrip(" ")) for b in non_blank)
+            if non_blank
+            else len(open_match.group("indent"))
+        )
+        blocks.append(
+            MdBashBlock(
+                open_line_idx=line_idx,
+                body_start=body_start,
+                body_end=close_idx,
+                body_indent=body_indent,
+            )
+        )
+        line_idx = close_idx + 1
+    return blocks
+
+
+def dedent(lines: list[str], n: int) -> list[str]:
+    pad = " " * n
+    return [
+        (
+            ""
+            if line.strip() == ""
+            else (line[n:] if line.startswith(pad) else line.lstrip(" "))
+        )
+        for line in lines
+    ]
+
+
+def reindent(lines: list[str], n: int) -> list[str]:
+    pad = " " * n
+    return [pad + line if line else "" for line in lines]
+
+
+_SHFMT_ERR_RE = re.compile(r"\.sh:\d+:\d+:\s")
+_GHA_EXPR_RE = re.compile(r"\$\{\{.*?\}\}", re.DOTALL)
+_GHA_PLACEHOLDER_RE = re.compile(r"__GHA_EXPR_(\d+)__")
+
+
+def _encode_gha_exprs(text: str) -> tuple[str, list[str]]:
+    """Replace `${{ ... }}` expressions with bash-safe placeholder identifiers."""
+    exprs: list[str] = []
+
+    def repl(match: re.Match[str]) -> str:
+        exprs.append(match.group(0))
+        return f"__GHA_EXPR_{len(exprs) - 1}__"
+
+    return _GHA_EXPR_RE.sub(repl, text), exprs
+
+
+def _decode_gha_exprs(text: str, exprs: list[str]) -> str:
+    """Restore `${{ ... }}` expressions from placeholder identifiers."""
+    return _GHA_PLACEHOLDER_RE.sub(lambda m: exprs[int(m.group(1))], text)
+
+
+def shfmt_via_hook(tmp_path: Path) -> tuple[bool, str]:
+    # `${{ ... }}` is not valid shell, so swap it for a placeholder identifier
+    # that shfmt can parse, then restore it after formatting.
+    encoded, exprs = _encode_gha_exprs(tmp_path.read_text())
+    if exprs:
+        tmp_path.write_text(encoded)
+    res = subprocess.run(
+        [_HOOK_RUNNER, "run", "shfmt", "--files", str(tmp_path)],
+        cwd=REPO,
+        capture_output=True,
+        text=True,
+    )
+    output = res.stdout + res.stderr
+    # shfmt emits parse errors as "<path>:<line>:<col>: <message>".
+    parse_err = bool(_SHFMT_ERR_RE.search(output))
+    # A non-zero exit that is neither a parse error nor pre-commit's "I had
+    # to modify files" signal means the hook itself failed to run (missing
+    # binary, install failure, bad config, ...). Surface that loudly rather
+    # than silently treating it as a no-op.
+    if (
+        res.returncode != 0
+        and not parse_err
+        and "files were modified by this hook" not in output
+    ):
+        sys.exit(
+            f"error: `{_HOOK_RUNNER} run shfmt` failed with exit {res.returncode}:\n{output}"
+        )
+    if exprs and not parse_err:
+        tmp_path.write_text(_decode_gha_exprs(tmp_path.read_text(), exprs))
+    return not parse_err, output
+
+
+def _skip(path: Path, where: int, kind: str, output: str) -> None:
+    print(
+        f"  shfmt could not parse {kind} at {path}:{where + 1} — skipped",
+        file=sys.stderr,
+    )
+    print(f"    {output.strip()}", file=sys.stderr)
+
+
+def process_yaml_file(path: Path, tmp_path: Path) -> int:
+    text = path.read_text()
+    had_nl = text.endswith("\n")
+    lines = text.split("\n")
+    if had_nl:
+        lines = lines[:-1]
+    items = find_run_blocks(lines)
+    if not items:
+        return 0
+    changed = 0
+    # Process in reverse so earlier indices remain valid as we splice.
+    for item in reversed(items):
+        if isinstance(item, BlockRun):
+            body = lines[item.body_start : item.body_end]
+            tmp_path.write_text("\n".join(dedent(body, item.body_indent)) + "\n")
+            ok, output = shfmt_via_hook(tmp_path)
+            if not ok:
+                _skip(path, item.body_start, "block", output)
+                continue
+            formatted = tmp_path.read_text().rstrip("\n")
+            new_body = reindent(formatted.split("\n"), item.body_indent)
+            if new_body != body:
+                lines[item.body_start : item.body_end] = new_body
+                changed += 1
+        else:
+            tmp_path.write_text(item.value + "\n")
+            ok, output = shfmt_via_hook(tmp_path)
+            if not ok:
+                _skip(path, item.line_idx, "inline run", output)
+                continue
+            formatted = tmp_path.read_text().rstrip("\n")
+            if formatted == item.value:
+                continue
+            formatted_lines = formatted.split("\n")
+            if len(formatted_lines) == 1:
+                lines[item.line_idx] = f"{item.prefix}run: {formatted}"
+            else:
+                body_indent = len(item.prefix) + 2
+                lines[item.line_idx : item.line_idx + 1] = [
+                    f"{item.prefix}run: |",
+                    *reindent(formatted_lines, body_indent),
+                ]
+            changed += 1
+    new_text = "\n".join(lines) + ("\n" if had_nl else "")
+    if new_text != text:
+        path.write_text(new_text)
+    return changed
+
+
+def process_md_file(path: Path, tmp_path: Path) -> int:
+    text = path.read_text()
+    had_nl = text.endswith("\n")
+    lines = text.split("\n")
+    if had_nl:
+        lines = lines[:-1]
+    blocks = find_md_bash_blocks(lines)
+    if not blocks:
+        return 0
+    changed = 0
+    for block in reversed(blocks):
+        body = lines[block.body_start : block.body_end]
+        tmp_path.write_text("\n".join(dedent(body, block.body_indent)) + "\n")
+        ok, output = shfmt_via_hook(tmp_path)
+        if not ok:
+            _skip(path, block.open_line_idx, "```bash block", output)
+            continue
+        formatted = tmp_path.read_text().rstrip("\n")
+        formatted_lines = formatted.split("\n") if formatted else []
+        new_body = reindent(formatted_lines, block.body_indent)
+        if new_body != body:
+            lines[block.body_start : block.body_end] = new_body
+            changed += 1
+    new_text = "\n".join(lines) + ("\n" if had_nl else "")
+    if new_text != text:
+        path.write_text(new_text)
+    return changed
+
+
+def process_file(path: Path, tmp_path: Path) -> int:
+    if path.suffix in (".yml", ".yaml"):
+        return process_yaml_file(path, tmp_path)
+    if path.suffix == ".md":
+        return process_md_file(path, tmp_path)
+    return 0
+
+
+def gather_files(argv: list[str]) -> list[Path]:
+    """Return YAML workflow/action files and markdown files that we should
+    process — either the paths in `argv` or, when `argv` is empty, every
+    such file in the repo (skipping `external/`)."""
+    if argv:
+        candidates: list[Path] = [
+            (REPO / a).resolve() if not Path(a).is_absolute() else Path(a) for a in argv
+        ]
+    else:
+        gh = REPO / ".github"
+        candidates = [
+            *gh.rglob("*.yml"),
+            *gh.rglob("*.yaml"),
+            *(
+                p
+                for p in REPO.rglob("*.md")
+                if "external" not in p.relative_to(REPO).parts
+            ),
+        ]
+    return sorted(
+        p
+        for p in candidates
+        if p.exists()
+        and (
+            (p.suffix in (".yml", ".yaml") and ".github" in p.parts)
+            or p.suffix == ".md"
+        )
+    )
+
+
+def main(argv: list[str]) -> int:
+    files = gather_files(argv)
+    if not files:
+        return 0
+    with tempfile.TemporaryDirectory(prefix="format-inline-bash-") as tmpdir:
+        tmp_path = Path(tmpdir) / "shfmt.sh"
+        total = 0
+        for f in files:
+            n = process_file(f, tmp_path)
+            if n:
+                print(f"{f.relative_to(REPO)}: reformatted {n} block(s)")
+                total += n
+        return 1 if total else 0
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))

.github/scripts/levelization/README.md

@@ -0,0 +1,134 @@
+# Levelization
+
+Levelization is the term used to describe efforts to prevent xrpld from
+having or creating cyclic dependencies.
+
+xrpld code is organized into directories under `src/xrpld`, `src/libxrpl` (and
+`src/test`) representing modules. The modules are intended to be
+organized into "tiers" or "levels" such that a module from one level can
+only include code from lower levels. Additionally, a module
+in one level should never include code in an `impl` or `detail` folder of any level
+other than its own.
+
+The codebase is split into two main areas:
+
+- **libxrpl** (`src/libxrpl`, `include/xrpl`): Reusable library modules with public interfaces
+- **xrpld** (`src/xrpld`): Application-specific implementation code
+
+Unfortunately, over time, enforcement of levelization has been
+inconsistent, so the current state of the code doesn't necessarily
+reflect these rules. Whenever possible, developers should refactor any
+levelization violations they find (by moving files or individual
+classes). At the very least, don't make things worse.
+
+The table below summarizes the _desired_ division of modules, based on the current
+state of the xrpld code. The levels are numbered from
+the bottom up with the lower level, lower numbered, more independent
+modules listed first, and the higher level, higher numbered modules with
+more dependencies listed later.
+
+**tl;dr:** The modules listed first are more independent than the modules
+listed later.
+
+## libxrpl Modules (Reusable Libraries)
+
+| Level / Tier | Module(s)                           |
+| ------------ | ----------------------------------- |
+| 01           | xrpl/beast                          |
+| 02           | xrpl/basics                         |
+| 03           | xrpl/json xrpl/crypto               |
+| 04           | xrpl/protocol                       |
+| 05           | xrpl/core xrpl/resource xrpl/server |
+| 06           | xrpl/ledger xrpl/nodestore xrpl/net |
+| 07           | xrpl/shamap                         |
+
+## xrpld Modules (Application Implementation)
+
+| Level / Tier | Module(s)                        |
+| ------------ | -------------------------------- |
+| 05           | xrpld/conditions xrpld/consensus |
+| 06           | xrpld/core xrpld/peerfinder      |
+| 07           | xrpld/shamap xrpld/overlay       |
+| 08           | xrpld/app                        |
+| 09           | xrpld/rpc                        |
+| 10           | xrpld/perflog                    |
+
+## Test Modules
+
+| Level / Tier | Module(s)                                                                                                |
+| ------------ | -------------------------------------------------------------------------------------------------------- |
+| 11           | test/jtx test/beast test/csf                                                                             |
+| 12           | test/unit_test                                                                                           |
+| 13           | test/crypto test/conditions test/json test/resource test/shamap test/peerfinder test/basics test/overlay |
+| 14           | test                                                                                                     |
+| 15           | test/net test/protocol test/ledger test/consensus test/core test/server test/nodestore                   |
+| 16           | test/rpc test/app                                                                                        |
+
+(Note that `test` levelization is _much_ less important and _much_ less
+strictly enforced than `xrpl`/`xrpld` levelization, other than the requirement
+that `test` code should _never_ be included in `xrpl` or `xrpld` code.)
+
+## Validation
+
+The [levelization](generate.py) script takes no parameters,
+reads no environment variables, and can be run from any directory,
+as long as it is in the expected location in the xrpld repo.
+It can be run at any time from within a checked out repo, and will
+do an analysis of all the `#include`s in
+the xrpld source. The only caveat is that it runs much slower
+under Windows than in Linux. It hasn't yet been tested under MacOS.
+It generates many files of [results](results):
+
+- `rawincludes.txt`: The raw dump of the `#includes`
+- `paths.txt`: A second dump grouping the source module
+  to the destination module, de-duped, and with frequency counts.
+- `includes/`: A directory where each file represents a module and
+  contains a list of modules and counts that the module _includes_.
+- `included_by/`: Similar to `includes/`, but the other way around. Each
+  file represents a module and contains a list of modules and counts
+  that _include_ the module.
+- [`loops.txt`](results/loops.txt): A list of direct loops detected
+  between modules as they actually exist, as opposed to how they are
+  desired as described above. In a perfect repo, this file will be
+  empty.
+  This file is committed to the repo, and is used by the [levelization
+  Github workflow](../../workflows/reusable-check-levelization.yml) to validate
+  that nothing changed.
+- [`ordering.txt`](results/ordering.txt): A list showing relationships
+  between modules where there are no loops as they actually exist, as
+  opposed to how they are desired as described above.
+  This file is committed to the repo, and is used by the [levelization
+  Github workflow](../../workflows/reusable-check-levelization.yml) to validate
+  that nothing changed.
+- [`levelization.yml`](../../workflows/reusable-check-levelization.yml)
+  Github Actions workflow to test that levelization loops haven't
+  changed. Unfortunately, if changes are detected, it can't tell if
+  they are improvements or not, so if you have resolved any issues or
+  done anything else to improve levelization, run `generate.py`,
+  and commit the updated results.
+
+The `loops.txt` and `ordering.txt` files relate the modules
+using comparison signs, which indicate the number of times each
+module is included in the other.
+
+- `A > B` means that A should probably be at a higher level than B,
+  because B is included in A significantly more than A is included in B.
+  These results can be included in both `loops.txt` and `ordering.txt`.
+  Because `ordering.txt`only includes relationships where B is not
+  included in A at all, it will only include these types of results.
+- `A ~= B` means that A and B are included in each other a different
+  number of times, but the values are so close that the script can't
+  definitively say that one should be above the other. These results
+  will only be included in `loops.txt`.
+- `A == B` means that A and B include each other the same number of
+  times, so the script has no clue which should be higher. These results
+  will only be included in `loops.txt`.
+
+The committed files hide the detailed values intentionally, to
+prevent false alarms and merging issues, and because it's easy to
+get those details locally.
+
+1. Run `generate.py`
+2. Grep the modules in `paths.txt`.
+   - For example, if a cycle is found `A ~= B`, simply `grep -w
+A .github/scripts/levelization/results/paths.txt | grep -w B`

.github/scripts/levelization/generate.py

@@ -0,0 +1,335 @@
+#!/usr/bin/env python3
+
+"""
+Usage: generate.py
+This script takes no parameters, and can be called from any directory in the file system.
+"""
+
+import os
+import re
+import subprocess
+import sys
+from collections import defaultdict
+from pathlib import Path
+from typing import Dict, List, Tuple, Set, Optional
+
+# Compile regex patterns once at module level
+INCLUDE_PATTERN = re.compile(r"^\s*#include.*/.*\.h")
+INCLUDE_PATH_PATTERN = re.compile(r'[<"]([^>"]+)[>"]')
+
+
+def dictionary_sort_key(s: str) -> str:
+    """
+    Create a sort key that mimics 'sort -d' (dictionary order).
+    Dictionary order only considers blanks and alphanumeric characters.
+    This means punctuation like '.' is ignored during sorting.
+    """
+    # Keep only alphanumeric characters and spaces
+    return "".join(c for c in s if c.isalnum() or c.isspace())
+
+
+def get_level(file_path: str) -> str:
+    """
+    Extract the level from a file path (second and third directory components).
+    Equivalent to bash: cut -d/ -f 2,3
+
+    Examples:
+        src/xrpld/app/main.cpp -> xrpld.app
+        src/libxrpl/protocol/STObject.cpp -> libxrpl.protocol
+        include/xrpl/basics/base_uint.h -> xrpl.basics
+    """
+    parts = file_path.split("/")
+
+    # Get fields 2 and 3 (indices 1 and 2 in 0-based indexing)
+    if len(parts) >= 3:
+        level = f"{parts[1]}/{parts[2]}"
+    elif len(parts) >= 2:
+        level = f"{parts[1]}/toplevel"
+    else:
+        level = file_path
+
+    # If the "level" indicates a file, cut off the filename
+    if "." in level.split("/")[-1]:  # Avoid Path object creation
+        # Use the "toplevel" label as a workaround for `sort`
+        # inconsistencies between different utility versions
+        level = level.rsplit("/", 1)[0] + "/toplevel"
+
+    return level.replace("/", ".")
+
+
+def extract_include_level(include_line: str) -> Optional[str]:
+    """
+    Extract the include path from an #include directive.
+    Gets the first two directory components from the include path.
+    Equivalent to bash: cut -d/ -f 1,2
+
+    Examples:
+        #include <xrpl/basics/base_uint.h> -> xrpl.basics
+        #include "xrpld/app/main/Application.h" -> xrpld.app
+    """
+    # Remove everything before the quote or angle bracket
+    match = INCLUDE_PATH_PATTERN.search(include_line)
+    if not match:
+        return None
+
+    include_path = match.group(1)
+    parts = include_path.split("/")
+
+    # Get first two fields (indices 0 and 1)
+    if len(parts) >= 2:
+        include_level = f"{parts[0]}/{parts[1]}"
+    else:
+        include_level = include_path
+
+    # If the "includelevel" indicates a file, cut off the filename
+    if "." in include_level.split("/")[-1]:  # Avoid Path object creation
+        include_level = include_level.rsplit("/", 1)[0] + "/toplevel"
+
+    return include_level.replace("/", ".")
+
+
+def find_repository_directories(
+    start_path: Path, depth_limit: int = 10
+) -> Tuple[Path, List[Path]]:
+    """
+    Find the repository root by looking for src or include folders.
+    Walks up the directory tree from the start path.
+    """
+    current = start_path.resolve()
+
+    # Walk up the directory tree
+    for _ in range(depth_limit):  # Limit search depth to prevent infinite loops
+        src_path = current / "src"
+        include_path = current / "include"
+        # Check if this directory has src or include folders
+        has_src = src_path.exists()
+        has_include = include_path.exists()
+
+        if has_src or has_include:
+            return current, [src_path, include_path]
+
+        # Move up one level
+        parent = current.parent
+        if parent == current:  # Reached filesystem root
+            break
+        current = parent
+
+    # If we couldn't find it, raise an error
+    raise RuntimeError(
+        "Could not find repository root. "
+        "Expected to find a directory containing 'src' and/or 'include' folders."
+    )
+
+
+def main():
+    # Change to the script's directory
+    script_dir = Path(__file__).parent.resolve()
+    os.chdir(script_dir)
+
+    # Clean up and create results directory.
+    results_dir = script_dir / "results"
+    if results_dir.exists():
+        import shutil
+
+        shutil.rmtree(results_dir)
+    results_dir.mkdir()
+
+    # Find the repository root by searching for src and include directories.
+    try:
+        repo_root, scan_dirs = find_repository_directories(script_dir)
+
+        print(f"Found repository root: {repo_root}")
+        print(f"Scanning directories:")
+        for scan_dir in scan_dirs:
+            print(f"  - {scan_dir.relative_to(repo_root)}")
+    except RuntimeError as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    print("\nScanning for raw includes...")
+    # Find all #include directives
+    raw_includes: List[Tuple[str, str]] = []
+    rawincludes_file = results_dir / "rawincludes.txt"
+
+    # Write to file as we go to avoid storing everything in memory.
+    with open(rawincludes_file, "w", buffering=8192) as raw_f:
+        for dir_path in scan_dirs:
+            print(f"  Scanning {dir_path.relative_to(repo_root)}...")
+
+            for file_path in dir_path.rglob("*"):
+                if not file_path.is_file():
+                    continue
+
+                try:
+                    rel_path_str = str(file_path.relative_to(repo_root))
+
+                    # Read file with a large buffer for performance.
+                    with open(
+                        file_path,
+                        "r",
+                        encoding="utf-8",
+                        errors="ignore",
+                        buffering=8192,
+                    ) as f:
+                        for line in f:
+                            # Quick check before regex
+                            if "#include" not in line or "boost" in line:
+                                continue
+
+                            if INCLUDE_PATTERN.match(line):
+                                line_stripped = line.strip()
+                                entry = f"{rel_path_str}:{line_stripped}\n"
+                                print(entry, end="")
+                                raw_f.write(entry)
+                                raw_includes.append((rel_path_str, line_stripped))
+                except Exception as e:
+                    print(f"Error reading {file_path}: {e}", file=sys.stderr)
+
+    # Build levelization paths and count directly (no need to sort first).
+    print("Build levelization paths")
+    path_counts: Dict[Tuple[str, str], int] = defaultdict(int)
+
+    for file_path, include_line in raw_includes:
+        include_level = extract_include_level(include_line)
+        if not include_level:
+            continue
+
+        level = get_level(file_path)
+        if level != include_level:
+            path_counts[(level, include_level)] += 1
+
+    # Sort and deduplicate paths (using dictionary order like bash 'sort -d').
+    print("Sort and deduplicate paths")
+
+    paths_file = results_dir / "paths.txt"
+    with open(paths_file, "w") as f:
+        # Sort using dictionary order: only alphanumeric and spaces matter
+        sorted_items = sorted(
+            path_counts.items(),
+            key=lambda x: (dictionary_sort_key(x[0][0]), dictionary_sort_key(x[0][1])),
+        )
+        for (level, include_level), count in sorted_items:
+            line = f"{count:7} {level} {include_level}\n"
+            print(line.rstrip())
+            f.write(line)
+
+    # Split into flat-file database
+    print("Split into flat-file database")
+    includes_dir = results_dir / "includes"
+    included_by_dir = results_dir / "included_by"
+    includes_dir.mkdir()
+    included_by_dir.mkdir()
+
+    # Batch writes by grouping data first to avoid repeated file opens.
+    includes_data: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
+    included_by_data: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
+
+    # Process in sorted order to match bash script behaviour (dictionary order).
+    sorted_items = sorted(
+        path_counts.items(),
+        key=lambda x: (dictionary_sort_key(x[0][0]), dictionary_sort_key(x[0][1])),
+    )
+    for (level, include_level), count in sorted_items:
+        includes_data[level].append((include_level, count))
+        included_by_data[include_level].append((level, count))
+
+    # Write all includes files in sorted order (dictionary order).
+    for level in sorted(includes_data.keys(), key=dictionary_sort_key):
+        entries = includes_data[level]
+        with open(includes_dir / level, "w") as f:
+            for include_level, count in entries:
+                line = f"{include_level} {count}\n"
+                print(line.rstrip())
+                f.write(line)
+
+    # Write all included_by files in sorted order (dictionary order).
+    for include_level in sorted(included_by_data.keys(), key=dictionary_sort_key):
+        entries = included_by_data[include_level]
+        with open(included_by_dir / include_level, "w") as f:
+            for level, count in entries:
+                line = f"{level} {count}\n"
+                print(line.rstrip())
+                f.write(line)
+
+    # Search for loops
+    print("Search for loops")
+    loops_file = results_dir / "loops.txt"
+    ordering_file = results_dir / "ordering.txt"
+
+    loops_found: Set[Tuple[str, str]] = set()
+
+    # Pre-load all include files into memory to avoid repeated I/O.
+    # This is the biggest optimisation - we were reading files repeatedly in nested loops.
+    # Use list of tuples to preserve file order.
+    includes_cache: Dict[str, List[Tuple[str, int]]] = {}
+    includes_lookup: Dict[str, Dict[str, int]] = {}  # For fast lookup
+
+    # Note: bash script uses 'for source in *' which uses standard glob sorting,
+    # NOT dictionary order. So we use standard sorted() here, not dictionary_sort_key.
+    for include_file in sorted(includes_dir.iterdir(), key=lambda p: p.name):
+        if not include_file.is_file():
+            continue
+
+        includes_cache[include_file.name] = []
+        includes_lookup[include_file.name] = {}
+        with open(include_file, "r") as f:
+            for line in f:
+                parts = line.strip().split()
+                if len(parts) >= 2:
+                    include_name = parts[0]
+                    include_count = int(parts[1])
+                    includes_cache[include_file.name].append(
+                        (include_name, include_count)
+                    )
+                    includes_lookup[include_file.name][include_name] = include_count
+
+    with open(loops_file, "w", buffering=8192) as loops_f, open(
+        ordering_file, "w", buffering=8192
+    ) as ordering_f:
+
+        # Use standard sorting to match bash glob expansion 'for source in *'.
+        for source in sorted(includes_cache.keys()):
+            source_includes = includes_cache[source]
+
+            for include, include_freq in source_includes:
+                # Check if include file exists and references source
+                if include not in includes_lookup:
+                    continue
+
+                source_freq = includes_lookup[include].get(source)
+
+                if source_freq is not None:
+                    # Found a loop
+                    loop_key = tuple(sorted([source, include]))
+                    if loop_key in loops_found:
+                        continue
+                    loops_found.add(loop_key)
+
+                    loops_f.write(f"Loop: {source} {include}\n")
+
+                    # If the counts are close, indicate that the two modules are
+                    # on the same level, though they shouldn't be.
+                    diff = include_freq - source_freq
+                    if diff > 3:
+                        loops_f.write(f"  {source} > {include}\n\n")
+                    elif diff < -3:
+                        loops_f.write(f"  {include} > {source}\n\n")
+                    elif source_freq == include_freq:
+                        loops_f.write(f"  {include} == {source}\n\n")
+                    else:
+                        loops_f.write(f"  {include} ~= {source}\n\n")
+                else:
+                    ordering_f.write(f"{source} > {include}\n")
+
+    # Print results
+    print("\nOrdering:")
+    with open(ordering_file, "r") as f:
+        print(f.read(), end="")
+
+    print("\nLoops:")
+    with open(loops_file, "r") as f:
+        print(f.read(), end="")
+
+
+if __name__ == "__main__":
+    main()

.github/scripts/levelization/results/loops.txt

@@ -0,0 +1,27 @@
+Loop: test.jtx test.toplevel
+  test.toplevel > test.jtx
+
+Loop: test.jtx test.unit_test
+  test.unit_test ~= test.jtx
+
+Loop: xrpl.telemetry xrpld.rpc
+  xrpld.rpc > xrpl.telemetry
+
+Loop: xrpld.app xrpld.overlay
+  xrpld.app > xrpld.overlay
+
+Loop: xrpld.app xrpld.peerfinder
+  xrpld.peerfinder ~= xrpld.app
+
+Loop: xrpld.app xrpld.rpc
+  xrpld.rpc > xrpld.app
+
+Loop: xrpld.app xrpld.shamap
+  xrpld.shamap > xrpld.app
+
+Loop: xrpld.app xrpld.telemetry
+  xrpld.telemetry ~= xrpld.app
+
+Loop: xrpld.overlay xrpld.rpc
+  xrpld.rpc ~= xrpld.overlay
+

.github/scripts/levelization/results/ordering.txt

@@ -0,0 +1,335 @@
+libxrpl.basics > xrpl.basics
+libxrpl.conditions > xrpl.basics
+libxrpl.conditions > xrpl.conditions
+libxrpl.config > xrpl.basics
+libxrpl.config > xrpl.config
+libxrpl.core > xrpl.basics
+libxrpl.core > xrpl.core
+libxrpl.core > xrpl.json
+libxrpl.crypto > xrpl.basics
+libxrpl.json > xrpl.basics
+libxrpl.json > xrpl.json
+libxrpl.ledger > xrpl.basics
+libxrpl.ledger > xrpl.json
+libxrpl.ledger > xrpl.ledger
+libxrpl.ledger > xrpl.nodestore
+libxrpl.ledger > xrpl.protocol
+libxrpl.ledger > xrpl.server
+libxrpl.ledger > xrpl.shamap
+libxrpl.net > xrpl.basics
+libxrpl.net > xrpl.net
+libxrpl.nodestore > xrpl.basics
+libxrpl.nodestore > xrpl.config
+libxrpl.nodestore > xrpl.json
+libxrpl.nodestore > xrpl.nodestore
+libxrpl.nodestore > xrpl.protocol
+libxrpl.protocol > xrpl.basics
+libxrpl.protocol > xrpl.json
+libxrpl.protocol > xrpl.protocol
+libxrpl.rdb > xrpl.basics
+libxrpl.rdb > xrpl.config
+libxrpl.rdb > xrpl.core
+libxrpl.rdb > xrpl.rdb
+libxrpl.resource > xrpl.basics
+libxrpl.resource > xrpl.json
+libxrpl.resource > xrpl.protocol
+libxrpl.resource > xrpl.resource
+libxrpl.server > xrpl.basics
+libxrpl.server > xrpl.config
+libxrpl.server > xrpl.core
+libxrpl.server > xrpl.json
+libxrpl.server > xrpl.protocol
+libxrpl.server > xrpl.rdb
+libxrpl.server > xrpl.resource
+libxrpl.server > xrpl.server
+libxrpl.shamap > xrpl.basics
+libxrpl.shamap > xrpl.nodestore
+libxrpl.shamap > xrpl.protocol
+libxrpl.shamap > xrpl.shamap
+libxrpl.telemetry > xrpl.basics
+libxrpl.telemetry > xrpl.config
+libxrpl.telemetry > xrpl.telemetry
+libxrpl.tx > xrpl.basics
+libxrpl.tx > xrpl.conditions
+libxrpl.tx > xrpl.core
+libxrpl.tx > xrpl.json
+libxrpl.tx > xrpl.ledger
+libxrpl.tx > xrpl.protocol
+libxrpl.tx > xrpl.server
+libxrpl.tx > xrpl.telemetry
+libxrpl.tx > xrpl.tx
+test.app > test.jtx
+test.app > test.unit_test
+test.app > xrpl.basics
+test.app > xrpl.config
+test.app > xrpl.core
+test.app > xrpld.app
+test.app > xrpld.consensus
+test.app > xrpld.core
+test.app > xrpld.overlay
+test.app > xrpld.rpc
+test.app > xrpl.json
+test.app > xrpl.ledger
+test.app > xrpl.nodestore
+test.app > xrpl.protocol
+test.app > xrpl.resource
+test.app > xrpl.server
+test.app > xrpl.shamap
+test.app > xrpl.tx
+test.basics > test.jtx
+test.basics > test.unit_test
+test.basics > xrpl.basics
+test.basics > xrpl.core
+test.basics > xrpld.rpc
+test.basics > xrpl.json
+test.basics > xrpl.protocol
+test.beast > xrpl.basics
+test.conditions > xrpl.basics
+test.conditions > xrpl.conditions
+test.consensus > test.csf
+test.consensus > test.jtx
+test.consensus > test.toplevel
+test.consensus > test.unit_test
+test.consensus > xrpl.basics
+test.consensus > xrpld.app
+test.consensus > xrpld.consensus
+test.consensus > xrpl.ledger
+test.consensus > xrpl.protocol
+test.consensus > xrpl.shamap
+test.consensus > xrpl.tx
+test.core > test.jtx
+test.core > test.unit_test
+test.core > xrpl.basics
+test.core > xrpl.config
+test.core > xrpl.core
+test.core > xrpld.core
+test.core > xrpl.json
+test.core > xrpl.protocol
+test.core > xrpl.rdb
+test.core > xrpl.server
+test.csf > xrpl.basics
+test.csf > xrpld.consensus
+test.csf > xrpl.json
+test.csf > xrpl.ledger
+test.csf > xrpl.protocol
+test.json > test.jtx
+test.json > xrpl.json
+test.jtx > xrpl.basics
+test.jtx > xrpl.config
+test.jtx > xrpl.core
+test.jtx > xrpld.app
+test.jtx > xrpld.core
+test.jtx > xrpld.rpc
+test.jtx > xrpl.json
+test.jtx > xrpl.ledger
+test.jtx > xrpl.net
+test.jtx > xrpl.protocol
+test.jtx > xrpl.resource
+test.jtx > xrpl.server
+test.jtx > xrpl.tx
+test.ledger > test.jtx
+test.ledger > xrpl.basics
+test.ledger > xrpl.core
+test.ledger > xrpld.app
+test.ledger > xrpld.core
+test.ledger > xrpl.json
+test.ledger > xrpl.ledger
+test.ledger > xrpl.protocol
+test.nodestore > test.jtx
+test.nodestore > test.unit_test
+test.nodestore > xrpl.basics
+test.nodestore > xrpl.config
+test.nodestore > xrpld.core
+test.nodestore > xrpl.nodestore
+test.nodestore > xrpl.protocol
+test.nodestore > xrpl.rdb
+test.overlay > test.jtx
+test.overlay > test.unit_test
+test.overlay > xrpl.basics
+test.overlay > xrpl.config
+test.overlay > xrpld.app
+test.overlay > xrpld.core
+test.overlay > xrpld.overlay
+test.overlay > xrpld.peerfinder
+test.overlay > xrpl.json
+test.overlay > xrpl.nodestore
+test.overlay > xrpl.protocol
+test.overlay > xrpl.resource
+test.overlay > xrpl.server
+test.overlay > xrpl.shamap
+test.peerfinder > test.beast
+test.peerfinder > test.unit_test
+test.peerfinder > xrpl.basics
+test.peerfinder > xrpld.core
+test.peerfinder > xrpld.peerfinder
+test.peerfinder > xrpl.protocol
+test.protocol > test.jtx
+test.protocol > test.unit_test
+test.protocol > xrpl.basics
+test.protocol > xrpl.json
+test.protocol > xrpl.protocol
+test.resource > test.unit_test
+test.resource > xrpl.basics
+test.resource > xrpl.resource
+test.rpc > test.jtx
+test.rpc > xrpl.basics
+test.rpc > xrpl.config
+test.rpc > xrpl.core
+test.rpc > xrpld.app
+test.rpc > xrpld.core
+test.rpc > xrpld.overlay
+test.rpc > xrpld.rpc
+test.rpc > xrpl.json
+test.rpc > xrpl.ledger
+test.rpc > xrpl.protocol
+test.rpc > xrpl.resource
+test.rpc > xrpl.server
+test.rpc > xrpl.tx
+test.server > test.jtx
+test.server > test.unit_test
+test.server > xrpl.basics
+test.server > xrpl.config
+test.server > xrpld.app
+test.server > xrpld.core
+test.server > xrpl.json
+test.server > xrpl.protocol
+test.server > xrpl.server
+test.shamap > test.unit_test
+test.shamap > xrpl.basics
+test.shamap > xrpl.config
+test.shamap > xrpl.nodestore
+test.shamap > xrpl.protocol
+test.shamap > xrpl.shamap
+test.toplevel > test.csf
+test.toplevel > xrpl.json
+test.unit_test > xrpl.basics
+test.unit_test > xrpl.protocol
+tests.libxrpl > xrpl.basics
+tests.libxrpl > xrpl.config
+tests.libxrpl > xrpl.core
+tests.libxrpl > xrpl.json
+tests.libxrpl > xrpl.ledger
+tests.libxrpl > xrpl.net
+tests.libxrpl > xrpl.nodestore
+tests.libxrpl > xrpl.protocol
+tests.libxrpl > xrpl.protocol_autogen
+tests.libxrpl > xrpl.server
+tests.libxrpl > xrpl.shamap
+tests.libxrpl > xrpl.telemetry
+tests.libxrpl > xrpl.tx
+xrpl.conditions > xrpl.basics
+xrpl.conditions > xrpl.protocol
+xrpl.config > xrpl.basics
+xrpl.core > xrpl.basics
+xrpl.core > xrpl.json
+xrpl.core > xrpl.protocol
+xrpl.json > xrpl.basics
+xrpl.ledger > xrpl.basics
+xrpl.ledger > xrpl.protocol
+xrpl.ledger > xrpl.server
+xrpl.ledger > xrpl.shamap
+xrpl.net > xrpl.basics
+xrpl.nodestore > xrpl.basics
+xrpl.nodestore > xrpl.config
+xrpl.nodestore > xrpl.protocol
+xrpl.protocol > xrpl.basics
+xrpl.protocol > xrpl.json
+xrpl.protocol_autogen > xrpl.json
+xrpl.protocol_autogen > xrpl.protocol
+xrpl.rdb > xrpl.basics
+xrpl.rdb > xrpl.core
+xrpl.rdb > xrpl.protocol
+xrpl.resource > xrpl.basics
+xrpl.resource > xrpl.json
+xrpl.resource > xrpl.protocol
+xrpl.server > xrpl.basics
+xrpl.server > xrpl.core
+xrpl.server > xrpl.json
+xrpl.server > xrpl.protocol
+xrpl.server > xrpl.rdb
+xrpl.server > xrpl.resource
+xrpl.server > xrpl.shamap
+xrpl.shamap > xrpl.basics
+xrpl.shamap > xrpl.nodestore
+xrpl.shamap > xrpl.protocol
+xrpl.telemetry > xrpl.config
+xrpl.tx > xrpl.basics
+xrpl.tx > xrpl.core
+xrpl.tx > xrpl.ledger
+xrpl.tx > xrpl.protocol
+xrpl.tx > xrpl.telemetry
+xrpld.app > test.unit_test
+xrpld.app > xrpl.basics
+xrpld.app > xrpl.config
+xrpld.app > xrpl.core
+xrpld.app > xrpld.consensus
+xrpld.app > xrpld.core
+xrpld.app > xrpl.json
+xrpld.app > xrpl.ledger
+xrpld.app > xrpl.net
+xrpld.app > xrpl.nodestore
+xrpld.app > xrpl.protocol
+xrpld.app > xrpl.rdb
+xrpld.app > xrpl.resource
+xrpld.app > xrpl.server
+xrpld.app > xrpl.shamap
+xrpld.app > xrpl.telemetry
+xrpld.app > xrpl.tx
+xrpld.consensus > xrpl.basics
+xrpld.consensus > xrpl.json
+xrpld.consensus > xrpl.ledger
+xrpld.consensus > xrpl.protocol
+xrpld.consensus > xrpl.telemetry
+xrpld.core > xrpl.basics
+xrpld.core > xrpl.config
+xrpld.core > xrpl.core
+xrpld.core > xrpl.net
+xrpld.core > xrpl.protocol
+xrpld.core > xrpl.rdb
+xrpld.overlay > xrpl.basics
+xrpld.overlay > xrpl.config
+xrpld.overlay > xrpl.core
+xrpld.overlay > xrpld.consensus
+xrpld.overlay > xrpld.core
+xrpld.overlay > xrpld.peerfinder
+xrpld.overlay > xrpld.telemetry
+xrpld.overlay > xrpl.json
+xrpld.overlay > xrpl.ledger
+xrpld.overlay > xrpl.protocol
+xrpld.overlay > xrpl.resource
+xrpld.overlay > xrpl.server
+xrpld.overlay > xrpl.shamap
+xrpld.overlay > xrpl.telemetry
+xrpld.overlay > xrpl.tx
+xrpld.peerfinder > xrpl.basics
+xrpld.peerfinder > xrpl.config
+xrpld.peerfinder > xrpld.core
+xrpld.peerfinder > xrpl.protocol
+xrpld.peerfinder > xrpl.rdb
+xrpld.perflog > xrpl.basics
+xrpld.perflog > xrpl.config
+xrpld.perflog > xrpl.core
+xrpld.perflog > xrpld.rpc
+xrpld.perflog > xrpl.json
+xrpld.perflog > xrpl.protocol
+xrpld.rpc > xrpl.basics
+xrpld.rpc > xrpl.config
+xrpld.rpc > xrpl.core
+xrpld.rpc > xrpld.core
+xrpld.rpc > xrpl.json
+xrpld.rpc > xrpl.ledger
+xrpld.rpc > xrpl.net
+xrpld.rpc > xrpl.nodestore
+xrpld.rpc > xrpl.protocol
+xrpld.rpc > xrpl.rdb
+xrpld.rpc > xrpl.resource
+xrpld.rpc > xrpl.server
+xrpld.rpc > xrpl.shamap
+xrpld.rpc > xrpl.tx
+xrpld.shamap > xrpl.basics
+xrpld.shamap > xrpld.core
+xrpld.shamap > xrpl.protocol
+xrpld.shamap > xrpl.shamap
+xrpld.telemetry > xrpl.basics
+xrpld.telemetry > xrpld.consensus
+xrpld.telemetry > xrpl.telemetry

.github/scripts/otel-naming/README.md

@@ -0,0 +1,70 @@
+# OTel naming-consistency check
+
+`check_otel_naming.py` enforces the OpenTelemetry span-attribute naming
+convention documented in
+[CONTRIBUTING.md](../../../CONTRIBUTING.md#telemetry-span-attribute-naming)
+across every layer of the telemetry pipeline. The `*SpanNames.h` constants are
+the single source of truth (L1); every other layer must agree with them.
+
+## Running locally
+
+```
+python .github/scripts/otel-naming/check_otel_naming.py
+```
+
+It takes no arguments, can be run from any directory inside the repo, and uses
+only the Python standard library (no `pip install`, matching the levelization
+check). A non-zero exit code means a violation was found; the output lists each
+violation as `RULE | location | token | expected`.
+
+## What it checks
+
+The valid key set is **derived dynamically from the OTel code** — there is no
+hardcoded allowlist:
+
+- **L1 keys** come from the `namespace attr { ... }` blocks of every
+  `*SpanNames.h`, resolving the `makeStr("x")` / `join(seg::a, seg::b)` DSL
+  (cross-file, so `join(seg::rpc, ...)` resolves `seg::rpc` from the base
+  `SpanNames.h`). Each constant is resolved against **its own** header, so two
+  headers that define a same-named constant (e.g. a base `attr::ledgerHash` and
+  a domain `attr::ledgerHash`) each contribute their real wire key — a later
+  header cannot clobber an earlier one's value in a flat table.
+- **Legitimate dotted keys** = ONLY the keys the code actually sets as resource
+  attributes, i.e. the entries inside `Telemetry.cpp`'s `Resource::Create({...})`
+  call: the `semconv::service::*` keys (`service.*`) plus any `attr::<name>`
+  constants passed there (`xrpl.network.*`). A dotted key that is _declared_ in a
+  header but never set as a resource attr is a span attribute in resource
+  clothing — a Rule-A violation, even if it lives in the base `SpanNames.h`.
+
+### Rules (each fails the build, when its inputs are present)
+
+| Rule | Check                                                                                                                                                                                                                              |
+| ---- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| A    | No stray dotted span-attribute key (only the derived resource keys may be dotted).                                                                                                                                                 |
+| G    | Attribute keys are `lower_snake_case` (`^[a-z][a-z0-9_]*$` per dot-segment) — no camelCase, UPPERCASE, or spaces.                                                                                                                  |
+| F    | No string literals as attribute keys or span-name arguments in `setAttribute`/`addEvent`/`span`/`childSpan`. Attribute _values_ are exempt (runtime data); `*SpanNames.h` definitions and test files are exempt.                   |
+| B    | Every collector `spanmetrics.dimensions` name exists in the L1 key set.                                                                                                                                                            |
+| C    | Every Tempo span-filter tag exists in the L1 key set.                                                                                                                                                                              |
+| D    | Every dashboard label resolves to an L1 span attribute, a native-metric label (L6, emitted by MetricsRegistry), or a Prometheus/Grafana builtin. TraceQL scope prefixes (`span.`/`resource.`/…) are stripped before the L1 lookup. |
+| E    | No dotted `xrpl.<domain>.<field>` attribute key in the runbook (only the L1 resource attrs `xrpl.network.*` may be dotted). Span names, filenames, OTel-standard keys, and metric labels are not flagged.                          |
+
+Rule F runs **unconditionally** (it is a purely syntactic check on the
+call-sites and needs no `*SpanNames.h`), so a code path that calls
+`SpanGuard::span`/`setAttribute` directly without ever defining a header is
+still caught.
+
+### Warnings (printed, never fail the build)
+
+| Rule | Check                                                                                                                                                                                                                                                                                                                                                                                      |
+| ---- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| H    | A namespace-qualified constant (e.g. `foo::bar::myKey`) used at a telemetry call-site is not defined in any `*SpanNames.h`. The constant should live in the proper header; defining it in-place bypasses rules A/G/F. Warns rather than fails — the argument may be a legitimately dynamic value, and the header may live on a later branch. Bare locals and `std::` names are not warned. |
+
+## Presence-gated
+
+Every rule runs **only when the source files it needs are present** in the tree
+and is otherwise skipped (printed as `SKIP: <rule> — <reason>`), never failed.
+This keeps the check correct no matter how telemetry work is split across PRs —
+a stacked chain, one large PR, or independent per-stage PRs where (for example)
+the collector config lands before the dashboards. The collector/Tempo/dashboard/
+runbook layers are introduced in later phases; on a branch without them, only
+the L1-intrinsic rules (A, G, F) run.

.github/scripts/otel-naming/check_otel_naming.py

@@ -0,0 +1,885 @@
+#!/usr/bin/env python3
+
+"""
+Usage: check_otel_naming.py
+This script takes no parameters and can be called from any directory inside the
+repository (it locates the repo root via `git rev-parse`).
+
+Enforces the OpenTelemetry span-attribute naming convention documented in
+CONTRIBUTING.md ("Telemetry span attribute naming") across every layer of the
+telemetry pipeline. The `*SpanNames.h` constants are the single source of truth
+(L1); every other layer must agree with them.
+
+Design principles
+-----------------
+1. No hardcoded allowlist. The set of valid attribute keys — including which
+   dotted keys are legitimate resource attributes — is derived dynamically by
+   parsing the repository's own OTel code:
+     * `*SpanNames.h` `namespace attr { ... }` blocks (the underscore/bare keys
+       and the `join(seg::..., ...)` dotted resource compositions), and
+     * the keys the code passes to `Resource::Create({ ... })` in Telemetry.cpp
+       (the standard `semconv::service::*` keys -> service.name/version/...).
+
+2. Presence-gated enforcement. Every rule runs ONLY when the source files it
+   needs are present in the tree, and is otherwise skipped (never failed). This
+   keeps the check correct no matter how work is split across PRs: a stacked
+   chain, one large PR, or independent per-stage PRs where (for example) the
+   collector config lands in a different PR than the dashboards. The check never
+   assumes a file from another phase/PR exists.
+
+Layers
+------
+  L1 code      : src/**/*SpanNames.h, include/**/*SpanNames.h  (ground truth)
+  L1 resource  : src/libxrpl/telemetry/Telemetry.cpp           (dotted allowlist)
+  L1 callsites : setAttribute/addEvent/span/childSpan in src/**, include/**
+  L2 collector : docker/telemetry/otel-collector-config.yaml   (spanmetrics dims)
+  L3 tempo     : docker/telemetry/tempo.yaml                    (span filter tags)
+  L4 dashboards: docker/telemetry/grafana/dashboards/*.json     (PromQL labels)
+  L5 runbook   : docs/telemetry-runbook.md                      (attr tables)
+  L6 metrics   : MetricsRegistry.cpp instrument labels          (native-metric
+                 label keys, a valid dashboard-label source besides L1)
+
+Rules (each FAILS the build, when its inputs are present)
+---------------------------------------------------------
+  A  No stray dotted span-attribute key. A dotted `<a>.<b>` used as a span
+     attribute that is not in the derived resource-key set is a violation.
+  G  Attribute keys must be lower_snake_case (^[a-z][a-z0-9_]*$ per segment).
+     Flags camelCase, UPPERCASE, spaces, and other stray characters.
+  F  No string literals as attribute keys or span-name arguments. The
+     setAttribute/addEvent key and the span/childSpan prefix/name args must
+     reference a *SpanNames.h constant, never a "literal". Attribute VALUES are
+     exempt (runtime data). Definitions inside *SpanNames.h are exempt, and
+     test files are exempt (they pass arbitrary literals to exercise the API).
+  B  Every collector spanmetrics dimension exists in the L1 key set.
+  C  Every tempo span-filter tag exists in the L1 key set.
+  D  Every dashboard label resolves to an L1 span attribute, an L6
+     native-metric label, or a builtin. TraceQL `span.`/`resource.` scope
+     prefixes are stripped before the L1 lookup.
+  E  No dotted `xrpl.<domain>.<field>` attribute key in the runbook (only the
+     L1 resource attrs xrpl.network.* may be dotted). Span names, filenames,
+     OTel-standard keys, and metric labels are not flagged.
+
+Warnings (printed, but do NOT fail the build)
+----------------------------------------------
+  H  A constant referenced at a telemetry call-site is not defined in any
+     *SpanNames.h. Span constants should live in the corresponding
+     *SpanNames.h (single source of truth); defining one in-place bypasses the
+     naming rules. A warning (not a failure) because the argument may instead
+     be a legitimately dynamic local (e.g. a computed span-name leaf).
+
+Exit code is non-zero if any present-and-enforced rule finds a violation.
+Warnings never change the exit code.
+"""
+
+import re
+import subprocess
+import sys
+from pathlib import Path
+from typing import Dict, List, Optional, Set, Tuple
+
+# ---------------------------------------------------------------------------
+# Repo location
+# ---------------------------------------------------------------------------
+
+
+def repo_root() -> Path:
+    """Return the repository root, so the script works from any CWD.
+
+    Exits with a readable message (not a traceback) if git is unavailable or the
+    CWD is outside a repository."""
+    try:
+        out = subprocess.run(
+            ["git", "rev-parse", "--show-toplevel"],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+    except (subprocess.CalledProcessError, FileNotFoundError):
+        print(
+            "error: check_otel_naming.py must be run inside the git repository.",
+            file=sys.stderr,
+        )
+        sys.exit(2)
+    return Path(out.stdout.strip())
+
+
+def read_source(path: Path) -> str:
+    """Read a file as UTF-8, tolerating stray non-UTF-8 bytes rather than
+    crashing the whole check on one bad byte."""
+    return path.read_text(encoding="utf-8", errors="ignore")
+
+
+# ---------------------------------------------------------------------------
+# Regexes (compiled once)
+# ---------------------------------------------------------------------------
+
+# A segment/string constant definition: `inline constexpr auto NAME = <expr>;`
+CONST_DEF = re.compile(r"inline\s+constexpr\s+auto\s+(\w+)\s*=\s*(.+?);", re.DOTALL)
+MAKESTR = re.compile(r'makeStr\(\s*"([^"]*)"\s*\)')
+# A `namespace <name> {` opener, to track which namespace a constant lives in.
+NS_OPEN = re.compile(r"namespace\s+([\w:]+)\s*\{")
+# A `using ::a::b::field;` re-export inside an attr block; captures the leaf.
+USING_DECL = re.compile(r"using\s+(?:::)?[\w:]*::(\w+)\s*;")
+# Telemetry call-sites whose string arguments must be constants, not literals.
+# Require a receiver so we match real SpanGuard calls, not std::span / a math
+# `span(...)` / a bare method declaration:
+#   - `SpanGuard::span(` / `SpanGuard::childSpan(`  (static factory)
+#   - `<obj>.span(` / `<obj>->setAttribute(` etc.   (member call)
+# `span`/`childSpan` additionally require the `SpanGuard`/`.`/`->` receiver;
+# `setAttribute`/`addEvent` only ever exist on a guard, so a `.`/`->` suffices.
+CALLSITE = re.compile(
+    r"(?:SpanGuard::|\.|->)\s*(setAttribute|addEvent|span|childSpan)\s*\("
+)
+# A C++ string literal (used to flag literals inside call-site argument lists).
+STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
+# A C++ line comment (`//` ... end of line) and a block comment (`/* ... */`).
+LINE_COMMENT = re.compile(r"//[^\n]*")
+BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
+# A TraceQL scope prefix on a label (`span.`, `resource.`, `event.`, etc.).
+# Dashboards reference span attributes in TraceQL as `span.<attr>`; the bare
+# attribute is what must exist in L1, so strip the scope before validating.
+TRACEQL_SCOPE = re.compile(r"^(?:span|resource|event|link|instrumentation_scope)\.")
+# An OTel metric label key as emitted in C++: `Add(.., {{"label", ...}})` /
+# `{{"label", value}}` instrument calls in MetricsRegistry.
+METRIC_LABEL = re.compile(r'\{\{\s*"([a-z_][a-z0-9_]*)"\s*,')
+
+
+def strip_comments(text: str) -> str:
+    """Remove C/C++ `//` line comments and `/* ... */` block comments.
+
+    Used only for L1 attribute-key extraction so that a commented-out or
+    illustrative `makeStr("...")` inside a `namespace attr` block does not leak
+    into the authoritative key set. Rule F deliberately does NOT strip comments
+    — it must still see `@code` doc-comment examples so their call-site
+    arguments are held to the constant-only convention.
+
+    String literals are not specially handled; a `//` or `/*` appearing inside a
+    string is vanishingly rare in the *SpanNames.h headers and would at worst
+    drop a constant from L1 (a conservative direction).
+    """
+    text = BLOCK_COMMENT.sub("", text)
+    text = LINE_COMMENT.sub("", text)
+    return text
+
+
+# ---------------------------------------------------------------------------
+# L1: parse *SpanNames.h into the authoritative key set
+# ---------------------------------------------------------------------------
+
+
+def find_spanname_headers(root: Path) -> List[Path]:
+    return sorted(
+        p
+        for p in list((root / "src").rglob("*SpanNames.h"))
+        + list((root / "include").rglob("*SpanNames.h"))
+        if p.is_file()
+    )
+
+
+def resolve_constants(
+    text: str, symbols: Optional[Dict[str, str]] = None
+) -> Dict[str, str]:
+    """Resolve `inline constexpr auto NAME = <makeStr/join expr>` to strings.
+
+    Supports the small constexpr DSL used by SpanNames.h:
+      makeStr("x")          -> "x"
+      join(a, b)            -> resolve(a) + "." + resolve(b)
+      seg::xrpl / attr::foo -> looked up in the symbol table
+    The optional `symbols` argument seeds (and is updated in place with) the
+    table, so a global pass over ALL *SpanNames.h headers can resolve
+    cross-file references such as `join(seg::rpc, ...)` where `seg::rpc` is
+    defined in the base SpanNames.h. Keys are stored by their bare name
+    (last `::` component), so `seg::rpc` and `rpc` both resolve.
+    """
+    if symbols is None:
+        symbols = {}
+
+    def resolve_expr(expr: str) -> Optional[str]:
+        expr = expr.strip()
+        m = MAKESTR.fullmatch(expr)
+        if m:
+            return m.group(1)
+        if expr.startswith("join(") and expr.endswith(")"):
+            args = split_top_level_args(expr[len("join(") : -1])
+            parts = [resolve_expr(a) for a in args]
+            if any(p is None for p in parts):
+                return None
+            return ".".join(p for p in parts if p is not None)
+        # Bare or qualified symbol reference, e.g. `seg::xrpl` or `networkId`.
+        key = expr.split("::")[-1]
+        return symbols.get(key, symbols.get(expr))
+
+    # Iterate definitions in source order so earlier symbols are available.
+    for m in CONST_DEF.finditer(text):
+        name, expr = m.group(1), m.group(2)
+        val = resolve_expr(expr)
+        if val is not None:
+            symbols[name] = val
+    return symbols
+
+
+def build_global_symbols(headers: List[Path]) -> Dict[str, str]:
+    """Resolve constants across ALL headers so cross-file `seg::`/`join`
+    references (e.g. `join(seg::rpc, ...)` in RpcSpanNames.h, where `seg::rpc`
+    lives in the base SpanNames.h) resolve. Base SpanNames.h is processed
+    first so its `seg::` segments seed the table."""
+    symbols: Dict[str, str] = {}
+    ordered = sorted(headers, key=lambda p: (p.name != "SpanNames.h", str(p)))
+    # Two passes: the first seeds segments, the second resolves dependents.
+    # Comments are stripped so a commented-out constant cannot seed the table.
+    for _ in range(2):
+        for h in ordered:
+            resolve_constants(strip_comments(read_source(h)), symbols)
+    return symbols
+
+
+def split_top_level_args(s: str) -> List[str]:
+    """Split a comma-separated arg list, respecting nested parentheses and
+    ignoring parens/commas that appear inside a "string literal" (so a value
+    like `setAttribute(k, ",")` does not get mis-split)."""
+    args, depth, cur = [], 0, ""
+    in_str = False
+    escaped = False
+    for ch in s:
+        if in_str:
+            cur += ch
+            if escaped:
+                escaped = False
+            elif ch == "\\":
+                escaped = True
+            elif ch == '"':
+                in_str = False
+            continue
+        if ch == '"':
+            in_str = True
+            cur += ch
+        elif ch == "(":
+            depth += 1
+            cur += ch
+        elif ch == ")":
+            depth -= 1
+            cur += ch
+        elif ch == "," and depth == 0:
+            args.append(cur)
+            cur = ""
+        else:
+            cur += ch
+    if cur.strip():
+        args.append(cur)
+    return args
+
+
+def attr_namespace_spans(text: str) -> List[str]:
+    """Return the source text of each `namespace attr { ... }` block in `text`.
+
+    Brace-matched over the whole (comment-stripped) text, so a definition that
+    wraps across several physical lines is contained in one span. Nested braces
+    inside the block are balanced correctly."""
+    spans: List[str] = []
+    for opener in NS_OPEN.finditer(text):
+        if opener.group(1).split("::")[-1] != "attr":
+            continue
+        # Walk from the opening brace, balancing nesting to the matching close.
+        i = opener.end()  # one char past the namespace's `{`
+        depth = 1
+        start = i
+        while i < len(text) and depth > 0:
+            c = text[i]
+            if c == "{":
+                depth += 1
+            elif c == "}":
+                depth -= 1
+            i += 1
+        spans.append(text[start : i - 1])
+    return spans
+
+
+def attr_keys_from_header(path: Path, symbols: Dict[str, str]) -> Set[str]:
+    """Return the set of attribute-key strings declared in a header's
+    `namespace attr { ... }` block(s). `symbols` is the global cross-file
+    table, used ONLY to seed `seg::`/segment references for `join(...)`
+    resolution — never to look up an attr constant's value.
+
+    A constant DEFINED in this header is resolved against this header's OWN
+    text, so two headers that each define a same-named constant (e.g. the base
+    `attr::ledgerHash = xrpl.ledger.hash` and consensus
+    `attr::ledgerHash = ledger_hash`) each report their real wire key. The
+    global table is keyed by bare name and would otherwise let a later header
+    clobber an earlier one, erasing the real key from L1 (a Rule-A blind spot).
+    A `using`-re-export, by contrast, imports a constant defined elsewhere, so
+    it is resolved against the global table.
+
+    Comments are stripped first (a commented constant must not enter L1), and
+    each attr block is brace-matched over the whole text so multi-line
+    `inline constexpr auto NAME = join(\\n  ...);` definitions are captured."""
+    text = strip_comments(read_source(path))
+    # Local table: the global segments/symbols seed cross-file `join` parts,
+    # then this header's own definitions overwrite any same-named global entry
+    # so a locally-defined attr resolves to ITS value, not another header's.
+    local = dict(symbols)
+    resolve_constants(text, local)
+    keys: Set[str] = set()
+    for block in attr_namespace_spans(text):
+        for md in CONST_DEF.finditer(block):
+            # Resolve a locally-defined constant against the LOCAL table; this
+            # captures makeStr("x") and join(seg::y, ...) with the header's own
+            # value, immune to cross-header bare-name collisions.
+            val = local.get(md.group(1))
+            if val is not None:
+                keys.add(val)
+        # `using ::ns::attr::field;` re-exports a constant defined in ANOTHER
+        # header (e.g. PeerSpanNames imports the base ledgerHash). Resolve the
+        # imported name against the global table.
+        for um in USING_DECL.finditer(block):
+            val = symbols.get(um.group(1))
+            if val is not None:
+                keys.add(val)
+    return keys
+
+
+# ---------------------------------------------------------------------------
+# Reporting
+# ---------------------------------------------------------------------------
+
+
+class Report:
+    def __init__(self) -> None:
+        self.violations: List[Tuple[str, str, str, str]] = []
+        self.warnings: List[Tuple[str, str, str, str]] = []
+        self.skips: List[str] = []
+        self.checked: List[str] = []
+
+    def violation(self, rule: str, loc: str, token: str, expected: str) -> None:
+        self.violations.append((rule, loc, token, expected))
+
+    def warning(self, rule: str, loc: str, token: str, note: str) -> None:
+        """A non-fatal finding: printed, but does not fail the build. Used where
+        the script cannot be certain a finding is wrong (e.g. a constant used at
+        a call-site that is not defined in any *SpanNames.h — it might be a
+        misplaced constant, or a legitimately dynamic value)."""
+        self.warnings.append((rule, loc, token, note))
+
+    def skip(self, rule: str, reason: str) -> None:
+        self.skips.append(f"SKIP: {rule} — {reason}")
+
+    def ok(self, msg: str) -> None:
+        self.checked.append(f"OK:   {msg}")
+
+    def render_and_exit(self) -> None:
+        for line in self.skips:
+            print(line)
+        for line in self.checked:
+            print(line)
+        if self.warnings:
+            print("\nNaming-convention warnings (non-fatal):\n")
+            print(f"  {'RULE':<5} {'LOCATION':<48} {'TOKEN':<28} NOTE")
+            print(f"  {'-' * 5} {'-' * 48} {'-' * 28} {'-' * 30}")
+            for rule, loc, token, note in self.warnings:
+                print(f"  {rule:<5} {loc:<48} {token:<28} {note}")
+        if self.violations:
+            print("\nNaming-convention violations:\n")
+            print(f"  {'RULE':<5} {'LOCATION':<48} {'TOKEN':<28} EXPECTED")
+            print(f"  {'-' * 5} {'-' * 48} {'-' * 28} {'-' * 30}")
+            for rule, loc, token, expected in self.violations:
+                print(f"  {rule:<5} {loc:<48} {token:<28} {expected}")
+            print(
+                "\nSee CONTRIBUTING.md -> 'Telemetry span attribute naming'. "
+                "The *SpanNames.h constants are the single source of truth."
+            )
+            sys.exit(1)
+        print("\nAll present telemetry naming layers are consistent.")
+        sys.exit(0)
+
+
+def main() -> None:
+    root = repo_root()
+    report = Report()
+
+    # --- Build the L1 ground-truth key set (presence-gated) ----------------
+    headers = find_spanname_headers(root)
+    l1_keys: Set[str] = set()
+    if headers:
+        symbols = build_global_symbols(headers)
+        # Map each key to the header(s) that declare it, so Rule A can tell a
+        # legitimate resource attr (declared in the base SpanNames.h) from a
+        # stray dotted key declared in a domain header.
+        keys_by_header: Dict[Path, Set[str]] = {}
+        for h in headers:
+            hk = attr_keys_from_header(h, symbols)
+            keys_by_header[h] = hk
+            l1_keys |= hk
+        report.ok(
+            f"L1: {len(l1_keys)} attribute keys from {len(headers)} "
+            f"*SpanNames.h header(s)"
+        )
+    else:
+        report.skip("L1", "no *SpanNames.h present (not a naming-relevant tree)")
+        keys_by_header = {}
+
+    # --- Derive the legitimate dotted (resource) keys dynamically ----------
+    # ONLY the keys actually passed to Resource::Create() in Telemetry.cpp
+    # (semconv service.* + the attr:: constants set there, e.g. xrpl.network.*).
+    # A dotted key declared in a header but NOT set as a resource attr is a
+    # Rule-A violation, not an allowlist entry.
+    resource_symbols = symbols if headers else {}
+    dotted_allow = derive_dotted_resource_keys(root, resource_symbols, report)
+
+    # --- Rule A: no stray dotted span-attribute keys -----------------------
+    if l1_keys:
+        run_rule_a(keys_by_header, dotted_allow, report)
+    # --- Rule G: keys must be lower_snake_case -----------------------------
+    if l1_keys:
+        run_rule_g(keys_by_header, report)
+    # --- Rule F (+ Rule H): scan telemetry call-sites ----------------------
+    # Runs UNCONDITIONALLY: Rule F is a purely syntactic check (is this argument
+    # a literal?) and does not need the L1 key set, so a code path that uses
+    # SpanGuard::span/setAttribute directly without ever defining a *SpanNames.h
+    # is still caught. Rule H (warning) additionally flags constant references
+    # not defined in any *SpanNames.h.
+    header_symbols = spanname_symbol_names(headers)
+    run_rule_f(root, report, header_symbols)
+
+    # --- Cross-layer rules B/C/D/E (each presence-gated) -------------------
+    # L6 native-metric labels: span attributes are not the only valid dashboard
+    # labels — the MetricsRegistry emits OTel metrics whose label keys are an
+    # additional source of truth. Derive them dynamically (same principle as L1)
+    # so dashboards may reference them without tripping Rule D.
+    metric_labels = metric_label_names(root)
+    run_rule_b_collector(root, l1_keys, report)
+    run_rule_c_tempo(root, l1_keys, report)
+    run_rule_d_dashboards(root, l1_keys, metric_labels, report)
+    run_rule_e_runbook(root, l1_keys, report)
+
+    report.render_and_exit()
+
+
+def resource_create_block(text: str) -> str:
+    """Return the text inside the first `Resource::Create({ ... })` argument
+    list, brace-matched so nested `{key, value}` initializers are contained.
+    Empty string if the call is absent."""
+    m = re.search(r"Resource::Create\(\s*\{", text)
+    if not m:
+        return ""
+    i = m.end()  # one char past the opening `{`
+    depth, start = 1, i
+    while i < len(text) and depth > 0:
+        c = text[i]
+        if c == "{":
+            depth += 1
+        elif c == "}":
+            depth -= 1
+        i += 1
+    return text[start : i - 1]
+
+
+def derive_dotted_resource_keys(
+    root: Path, symbols: Dict[str, str], report: Report
+) -> Set[str]:
+    """Legitimate dotted keys = ONLY the keys the code actually sets as RESOURCE
+    attributes, i.e. the entries inside Telemetry.cpp's `Resource::Create({...})`
+    call: the standard semconv keys (`service.*`) plus any `attr::<name>`
+    constants passed there (resolved to their wire key via the global symbol
+    table, e.g. `attr::networkId` -> `xrpl.network.id`).
+
+    A dotted key DECLARED in a `*SpanNames.h` header but NOT passed to
+    Resource::Create() is a span attribute wearing the resource form — a Rule-A
+    violation, never allowlisted. Deriving the allowlist from the actual
+    resource call (not from "any dotted key in the base header") is what lets
+    Rule A catch a stray dotted span attr such as `xrpl.ledger.hash`."""
+    allow: Set[str] = set()
+    tele = root / "src" / "libxrpl" / "telemetry" / "Telemetry.cpp"
+    if not tele.is_file():
+        report.skip("resource-derive", "Telemetry.cpp not present")
+        return allow
+    block = resource_create_block(read_source(tele))
+    # semconv::<group>::k<CamelKey> -> the dotted OTel-standard key. The
+    # CamelKey already embeds the group, e.g. service::kServiceInstanceId
+    # -> service.instance.id. Split the CamelCase name into dotted lowercase
+    # segments; if it does not lead with the group, prepend the group.
+    for m in re.finditer(r"semconv::(\w+)::k(\w+)", block):
+        group, camel = m.group(1), m.group(2)
+        segments = camel_to_dotsegments(camel)
+        if segments and segments[0] == group:
+            allow.add(".".join(segments))
+        else:
+            allow.add(group + "." + ".".join(segments))
+    # attr::<name> constants set as resource attrs (e.g. networkId/networkType);
+    # resolve each to its wire key and allowlist only the dotted ones.
+    for m in re.finditer(r"attr::(\w+)", block):
+        val = symbols.get(m.group(1))
+        if val is not None and "." in val:
+            allow.add(val)
+    report.ok(f"resource dotted-key allowlist derived: {sorted(allow)}")
+    return allow
+
+
+def camel_to_dotsegments(s: str) -> List[str]:
+    """Split a CamelCase identifier into lowercase dot-segment parts, e.g.
+    `ServiceInstanceId` -> ['service', 'instance', 'id']."""
+    return [w.lower() for w in re.findall(r"[A-Z][a-z0-9]*", s)]
+
+
+def run_rule_a(
+    keys_by_header: Dict[Path, Set[str]], dotted_allow: Set[str], report: Report
+) -> None:
+    """Any dotted attribute key that is not an allowed resource key is a
+    violation, reported against the header that declares it."""
+    found = False
+    for h in sorted(keys_by_header):
+        for key in sorted(keys_by_header[h]):
+            if "." in key and key not in dotted_allow:
+                found = True
+                report.violation("A", h.name, key, "underscore form, not dotted")
+    if not found:
+        report.ok("A: no stray dotted span-attribute keys")
+
+
+# A lower_snake_case identifier segment: starts lowercase, then lowercase /
+# digits / underscores. No uppercase, no spaces, no camelCase.
+SNAKE_SEGMENT = re.compile(r"^[a-z][a-z0-9_]*$")
+
+
+def run_rule_g(keys_by_header: Dict[Path, Set[str]], report: Report) -> None:
+    """Every attribute key must be lower_snake_case. Bare/underscore keys must
+    match ^[a-z][a-z0-9_]*$; dotted resource keys must be lowercase
+    dot-separated segments (each segment lower_snake_case). Flags camelCase,
+    UPPERCASE, spaces, and other stray characters."""
+    found = False
+    for h in sorted(keys_by_header):
+        for key in sorted(keys_by_header[h]):
+            segments = key.split(".")
+            if all(SNAKE_SEGMENT.match(seg) for seg in segments):
+                continue
+            found = True
+            report.violation("G", h.name, key, "must be lower_snake_case")
+    if not found:
+        report.ok("G: all attribute keys are lower_snake_case")
+
+
+# Which argument positions of each call must be a constant (0-based). The
+# attribute VALUE position is intentionally absent: values are runtime data
+# (command names, hashes, counts), not naming-convention surface.
+#   setAttribute(key, value)        -> check arg 0 (key); value (arg 1) exempt
+#   addEvent(name[, attrs])         -> check arg 0 (event name)
+#   span(category, prefix, name)    -> check args 1,2 (prefix + span-name leaf)
+#   childSpan(name[, parentCtx])    -> check arg 0 (span-name leaf)
+CONSTANT_ARG_POSITIONS: Dict[str, Set[int]] = {
+    "setAttribute": {0},
+    "addEvent": {0},
+    "span": {1, 2},
+    "childSpan": {0},
+}
+
+
+def is_test_path(path: Path) -> bool:
+    """True if the path is test code. Tests legitimately pass arbitrary literal
+    keys/names to exercise the API mechanics, so Rule F does not apply to them.
+    Matches a `test`/`tests` directory anywhere in the path (e.g. src/test/,
+    src/tests/, .../detail/tests/)."""
+    return any(part in ("test", "tests") for part in path.parts)
+
+
+# A constant reference passed at a call-site, e.g. `rpc_span::attr::command`
+# or a bare `myKey`. We capture the leaf identifier (after the last `::`).
+IDENTIFIER_ARG = re.compile(r"^[\s&*]*([A-Za-z_][\w:]*)\s*$")
+
+
+def spanname_symbol_names(headers: List[Path]) -> Set[str]:
+    """Every `inline constexpr auto NAME = ...;` symbol defined across the
+    *SpanNames.h headers, by bare name. Used by Rule H to tell whether a
+    constant referenced at a call-site actually lives in a SpanNames header."""
+    names: Set[str] = set()
+    for h in headers:
+        for m in CONST_DEF.finditer(strip_comments(read_source(h))):
+            names.add(m.group(1))
+    return names
+
+
+def run_rule_f(root: Path, report: Report, header_symbols: Set[str]) -> None:
+    """Walk every telemetry call-site (non-test, non-*SpanNames.h) and check the
+    constant-only argument positions of setAttribute/addEvent/span/childSpan:
+
+      Rule F (FAIL): a string literal in a key / span-name position. Attribute
+        VALUES are exempt (runtime data).
+      Rule H (WARN): a constant reference whose name is not defined in any
+        *SpanNames.h. The constant should live in the corresponding
+        *SpanNames.h (single source of truth); defining it in-place bypasses
+        the naming rules. Warn rather than fail — the argument may instead be a
+        legitimately dynamic local (e.g. a computed span-name leaf)."""
+    found_f = False
+    sources = [
+        p
+        for base in ("src", "include")
+        for ext in ("*.h", "*.cpp")
+        for p in (root / base).rglob(ext)
+        if p.is_file()
+    ]
+    for path in sorted(sources):
+        if path.name.endswith("SpanNames.h") or is_test_path(path):
+            continue
+        text = read_source(path)
+        rel = path.relative_to(root)
+        for call, arglist, lineno in iter_calls(text):
+            positions = CONSTANT_ARG_POSITIONS.get(call, set())
+            args = split_top_level_args(arglist)
+            for idx in positions:
+                if idx >= len(args):
+                    continue
+                arg = args[idx]
+                lit = STRING_LITERAL.search(arg)
+                if lit:
+                    found_f = True
+                    report.violation(
+                        "F",
+                        f"{rel}:{lineno}",
+                        f'{call} arg{idx} "{lit.group(1)}"',
+                        "use a *SpanNames.h constant",
+                    )
+                    continue
+                # Not a literal: Rule H warns when a NAMESPACE-QUALIFIED constant
+                # reference (e.g. `consensus::span::accept`) is not defined in
+                # any *SpanNames.h — i.e. the constant was defined in-place
+                # instead of in the proper header. We only consider qualified
+                # refs (containing `::`): a bare lowercase identifier is almost
+                # always a legitimately dynamic local (a computed span-name leaf
+                # or attribute value), not a misplaced constant, so warning on it
+                # would be noise. Standard-library types (std::...) are skipped.
+                ident = IDENTIFIER_ARG.match(arg)
+                if not (ident and header_symbols):
+                    continue
+                ref = ident.group(1)
+                if "::" not in ref or ref.startswith("std::"):
+                    continue
+                leaf = ref.split("::")[-1]
+                if leaf not in header_symbols:
+                    report.warning(
+                        "H",
+                        f"{rel}:{lineno}",
+                        f"{call} arg{idx} {ref}",
+                        "not defined in any *SpanNames.h",
+                    )
+    if not found_f:
+        report.ok("F: no string-literal keys/names at telemetry call-sites")
+
+
+def iter_calls(text: str):
+    """Yield (call_name, raw_arglist, lineno) for each setAttribute/addEvent/
+    span/childSpan invocation, spanning multiple physical lines if needed."""
+    for m in CALLSITE.finditer(text):
+        name = m.group(1)
+        # Walk from the opening paren, balancing nesting to find the close.
+        # Parens inside a "string literal" are ignored so a value such as
+        # `setAttribute(k, ")")` does not close the call early.
+        i = m.end()  # one char past the '('
+        depth = 1
+        in_str = False
+        escaped = False
+        while i < len(text) and depth > 0:
+            c = text[i]
+            if in_str:
+                if escaped:
+                    escaped = False
+                elif c == "\\":
+                    escaped = True
+                elif c == '"':
+                    in_str = False
+            elif c == '"':
+                in_str = True
+            elif c == "(":
+                depth += 1
+            elif c == ")":
+                depth -= 1
+            i += 1
+        arglist = text[m.end() : i - 1]
+        lineno = text.count("\n", 0, m.start()) + 1
+        yield name, arglist, lineno
+
+
+def run_rule_b_collector(root: Path, l1_keys: Set[str], report: Report) -> None:
+    path = root / "docker" / "telemetry" / "otel-collector-config.yaml"
+    if not path.is_file():
+        report.skip("B", "collector config not present")
+        return
+    text = read_source(path)
+    if "spanmetrics" not in text:
+        report.skip("B", "no spanmetrics block in collector config")
+        return
+    dims = extract_spanmetrics_dimensions(text)
+    if not l1_keys:
+        report.skip("B", "no L1 key set to validate against")
+        return
+    miss = [d for d in dims if d not in l1_keys]
+    for d in miss:
+        report.violation("B", str(path.relative_to(root)), d, "must exist in L1")
+    if not miss:
+        report.ok(f"B: {len(dims)} collector dimension(s) all in L1")
+
+
+def extract_spanmetrics_dimensions(text: str) -> List[str]:
+    dims: List[str] = []
+    in_dims = False
+    for line in text.splitlines():
+        if re.search(r"\bdimensions\s*:", line):
+            in_dims = True
+            continue
+        if in_dims:
+            m = re.search(r"-\s*name\s*:\s*([A-Za-z0-9_.]+)", line)
+            if m:
+                dims.append(m.group(1))
+            elif line.strip() and not line.lstrip().startswith("-") and ":" in line:
+                in_dims = False
+    return dims
+
+
+def run_rule_c_tempo(root: Path, l1_keys: Set[str], report: Report) -> None:
+    # The trace-search filter tags live in the Grafana Tempo DATASOURCE
+    # provisioning file (search.filters[].{tag,scope}); the Tempo server
+    # tempo.yaml has no such tags. Prefer the datasource file; fall back to the
+    # server file so the rule still does something if the layout changes.
+    candidates = [
+        root / "docker/telemetry/grafana/provisioning/datasources/tempo.yaml",
+        root / "docker/telemetry/tempo.yaml",
+    ]
+    path = next((p for p in candidates if p.is_file()), None)
+    if path is None:
+        report.skip("C", "tempo datasource provisioning not present")
+        return
+    if not l1_keys:
+        report.skip("C", "no L1 key set to validate against")
+        return
+    # Pair each filter's `tag:` with its `scope:` (a few lines below it) and
+    # validate only span-scope tags — resource/intrinsic tags (service.*, name,
+    # status, duration) are not span attributes. Strip a TraceQL span. prefix.
+    lines = read_source(path).splitlines()
+    span_tags: List[str] = []
+    for i, line in enumerate(lines):
+        m = re.search(r"^\s*tag:\s*(\S+)", line)
+        if not m:
+            continue
+        scope = next(
+            (
+                sm.group(1)
+                for j in range(i, min(i + 4, len(lines)))
+                for sm in [re.search(r"scope:\s*(\S+)", lines[j])]
+                if sm
+            ),
+            "",
+        )
+        if scope == "span":
+            span_tags.append(TRACEQL_SCOPE.sub("", m.group(1)))
+    if not span_tags:
+        report.skip("C", "no span-scope filter tags in tempo datasource")
+        return
+    miss = [t for t in span_tags if t not in l1_keys]
+    for t in sorted(set(miss)):
+        report.violation("C", str(path.relative_to(root)), t, "must exist in L1")
+    if not miss:
+        report.ok(f"C: {len(span_tags)} tempo span-filter tag(s) all in L1")
+
+
+def metric_label_names(root: Path) -> Set[str]:
+    """L6: OTel native-metric label keys emitted by the telemetry code, e.g.
+    `counter->Add(1, {{"job_type", value}})` in MetricsRegistry.cpp. These are
+    a valid source of dashboard labels distinct from span attributes (L1)."""
+    labels: Set[str] = set()
+    for base in ("src", "include"):
+        for p in (root / base).rglob("*.cpp"):
+            if not p.is_file():
+                continue
+            text = read_source(p)
+            if "MetricsRegistry" not in p.name and "metric" not in text.lower():
+                continue
+            labels |= set(METRIC_LABEL.findall(text))
+    return labels
+
+
+def run_rule_d_dashboards(
+    root: Path, l1_keys: Set[str], metric_labels: Set[str], report: Report
+) -> None:
+    dash_dir = root / "docker" / "telemetry" / "grafana" / "dashboards"
+    files = sorted(dash_dir.glob("*.json")) if dash_dir.is_dir() else []
+    if not files:
+        report.skip("D", "no dashboard JSON present")
+        return
+    if not l1_keys:
+        report.skip("D", "no L1 key set to validate against")
+        return
+    builtins = {
+        "__name__",  # Prometheus reserved label for the metric name itself
+        "le",
+        "exported_instance",
+        "span_name",
+        "status_code",
+        "service_name",
+        "service_version",
+        "service_instance_id",
+        "job",
+        "instance",
+    }
+    # A dashboard label is valid if it is a span attribute (L1), a native-metric
+    # label (L6), or a Prometheus/Grafana builtin.
+    valid = l1_keys | metric_labels | builtins
+    found = False
+    for f in files:
+        try:
+            text = read_source(f)
+        except OSError:
+            continue
+        # PromQL `sum by (a, b)` and `{label="..."}` references.
+        labels: Set[str] = set()
+        for m in re.finditer(r"by\s*\(([^)]*)\)", text):
+            labels |= {x.strip() for x in m.group(1).split(",") if x.strip()}
+        for m in re.finditer(r"\b([a-z_][a-z0-9_.]*)\s*[=!]~?\s*\"", text):
+            labels.add(m.group(1))
+        for lbl in sorted(labels):
+            # Strip a TraceQL scope prefix (span./resource./...) — the bare
+            # attribute is what must resolve against L1.
+            bare = TRACEQL_SCOPE.sub("", lbl)
+            if bare in valid:
+                continue
+            found = True
+            report.violation(
+                "D",
+                str(f.relative_to(root)),
+                lbl,
+                "must exist in L1, a metric label, or be a builtin",
+            )
+    if not found:
+        report.ok(f"D: dashboard PromQL labels all resolve ({len(files)} file(s))")
+
+
+def run_rule_e_runbook(root: Path, l1_keys: Set[str], report: Report) -> None:
+    path = root / "docs" / "telemetry-runbook.md"
+    if not path.is_file():
+        report.skip("E", "runbook not present")
+        return
+    if not l1_keys:
+        report.skip("E", "no L1 key set to validate against")
+        return
+    text = read_source(path)
+    found = False
+    # Only the dotted `xrpl.<domain>.<field>` attribute form is a violation. The
+    # `xrpl.`-with-trailing-dot anchor is the discriminator: it matches the old
+    # dotted attribute convention being migrated away from, while everything
+    # else legitimately dotted in the runbook does NOT match it —
+    #   * span names      (`consensus.round`, `tx.process`)   no `xrpl.` prefix
+    #   * filenames       (`xrpld.cfg`, `RCLConsensus.cpp`)   `xrpld.`/`.cpp`, not `xrpl.`
+    #   * OTel-standard   (`service.name`, `http.method`)     no `xrpl.` prefix
+    #   * metric labels   (`xrpl_rpc_command`)                underscore, no dot
+    # Legitimate dotted resource attrs (`xrpl.network.id`/`.type`) are in L1 and
+    # are skipped. A dotted `xrpl.` token absent from L1 is a genuine doc/code
+    # mismatch (e.g. `xrpl.tx.hash` where the code emits `tx_hash`).
+    for m in re.finditer(r"`(xrpl\.[a-z][a-z0-9_.]*)`", text):
+        token = m.group(1)
+        if token in l1_keys:  # legitimate dotted resource attr (xrpl.network.*)
+            continue
+        found = True
+        report.violation(
+            "E", str(path.relative_to(root)), token, "underscore, not dotted"
+        )
+    if not found:
+        report.ok("E: runbook attribute references consistent with L1")
+
+
+if __name__ == "__main__":
+    main()

.github/scripts/otel-naming/test_check_otel_naming.py

@@ -0,0 +1,864 @@
+#!/usr/bin/env python3
+
+"""Unit tests for check_otel_naming.py.
+
+Stdlib-only (unittest), matching the dependency-free policy of the check itself.
+Run from anywhere:
+
+    python .github/scripts/otel-naming/test_check_otel_naming.py
+
+Each rule is exercised in isolation against a synthetic tree / synthetic L1 key
+set, covering positive (must flag), negative (must not flag), and boundary
+cases. Rule E (runbook dotted-attribute detection) has the densest coverage
+because its discriminator — the `xrpl.<domain>.` prefix vs span names,
+filenames, OTel-standard keys, and metric labels — is the subtlest.
+"""
+
+import contextlib
+import importlib.util
+import io
+import shutil
+import tempfile
+import unittest
+from pathlib import Path
+
+# Load the check module by path (it is not an importable package).
+_spec = importlib.util.spec_from_file_location(
+    "check_otel_naming", str(Path(__file__).with_name("check_otel_naming.py"))
+)
+chk = importlib.util.module_from_spec(_spec)
+_spec.loader.exec_module(chk)
+
+
+# A controlled L1 set used across tests: the two legitimate dotted resource
+# attrs plus a handful of underscore span-attribute keys.
+L1 = {
+    "xrpl.network.id",
+    "xrpl.network.type",
+    "tx_hash",
+    "peer_id",
+    "consensus_mode",
+    "command",
+    "rpc_status",
+    "ledger_seq",
+}
+
+
+def _run_rule_e(runbook_text: str):
+    """Run Rule E against a synthetic runbook; return the flagged tokens."""
+    d = Path(tempfile.mkdtemp())
+    try:
+        (d / "docs").mkdir()
+        (d / "docs" / "telemetry-runbook.md").write_text(runbook_text)
+        report = chk.Report()
+        chk.run_rule_e_runbook(d, set(L1), report)
+        return sorted(v[2] for v in report.violations)
+    finally:
+        shutil.rmtree(d)
+
+
+class RuleERunbook(unittest.TestCase):
+    """Rule E: only dotted `xrpl.<domain>.<field>` attribute keys are flagged."""
+
+    # ----- positive: genuine dotted attribute-key violations -----
+    def test_single_dotted_attr(self):
+        self.assertEqual(_run_rule_e("`xrpl.tx.hash`"), ["xrpl.tx.hash"])
+
+    def test_multiple_dotted_attrs(self):
+        self.assertEqual(
+            _run_rule_e("`xrpl.tx.hash` and `xrpl.consensus.mode`"),
+            ["xrpl.consensus.mode", "xrpl.tx.hash"],
+        )
+
+    def test_deep_dotted_three_segments(self):
+        self.assertEqual(
+            _run_rule_e("`xrpl.consensus.ledger.seq`"), ["xrpl.consensus.ledger.seq"]
+        )
+
+    def test_dotted_attr_with_underscore_field(self):
+        self.assertEqual(
+            _run_rule_e("`xrpl.consensus.round_id`"), ["xrpl.consensus.round_id"]
+        )
+
+    def test_repeated_token_reported_each_occurrence(self):
+        self.assertEqual(
+            _run_rule_e("`xrpl.tx.hash` ... `xrpl.tx.hash`"),
+            ["xrpl.tx.hash", "xrpl.tx.hash"],
+        )
+
+    def test_resource_attr_not_in_l1_is_flagged(self):
+        self.assertEqual(
+            _run_rule_e("`xrpl.network.unknown`"), ["xrpl.network.unknown"]
+        )
+
+    # ----- negative: legitimately-dotted tokens that must NOT be flagged -----
+    def test_span_name_single(self):
+        self.assertEqual(_run_rule_e("`consensus.round`"), [])
+
+    def test_span_name_multi_segment(self):
+        self.assertEqual(
+            _run_rule_e("`consensus.phase.open` `rpc.command.server_info`"), []
+        )
+
+    def test_filename_cfg(self):
+        self.assertEqual(_run_rule_e("`xrpld.cfg`"), [])
+
+    def test_filename_cpp(self):
+        self.assertEqual(_run_rule_e("`RCLConsensus.cpp`"), [])
+
+    def test_otel_standard_service_name(self):
+        self.assertEqual(_run_rule_e("`service.name`"), [])
+
+    def test_otel_standard_http_method(self):
+        self.assertEqual(_run_rule_e("`http.method`"), [])
+
+    def test_metric_label_underscore(self):
+        self.assertEqual(_run_rule_e("`xrpl_rpc_command`"), [])
+
+    def test_bare_underscore_attrs(self):
+        self.assertEqual(_run_rule_e("`tx_hash` `consensus_mode`"), [])
+
+    def test_legit_dotted_resource_attrs_in_l1(self):
+        self.assertEqual(_run_rule_e("`xrpl.network.id` `xrpl.network.type`"), [])
+
+    def test_prose_word(self):
+        self.assertEqual(_run_rule_e("the `command` attribute"), [])
+
+    def test_plain_prose_no_backticks(self):
+        self.assertEqual(_run_rule_e("xrpl.tx.hash without backticks is prose"), [])
+
+    # ----- boundary -----
+    def test_empty_runbook(self):
+        self.assertEqual(_run_rule_e(""), [])
+
+    def test_lookalike_prefix_xrpld(self):
+        # `xrpld.` is NOT `xrpl.` — must not match.
+        self.assertEqual(_run_rule_e("`xrpld.foo`"), [])
+
+    def test_lookalike_prefix_underscore(self):
+        # `xrpl_rpc.command` starts with `xrpl_`, not `xrpl.`.
+        self.assertEqual(_run_rule_e("`xrpl_rpc.command`"), [])
+
+    def test_uppercase_segment_not_matched(self):
+        # The pattern requires a lowercase char after `xrpl.`; uppercase keys are
+        # caught by Rule G at the L1 layer, not by the runbook text scan.
+        self.assertEqual(_run_rule_e("`xrpl.TX.hash`"), [])
+
+    def test_token_touching_table_pipes(self):
+        self.assertEqual(_run_rule_e("| `xrpl.tx.hash` | desc |"), ["xrpl.tx.hash"])
+
+    def test_mixed_line_only_xrpl_dotted_flagged(self):
+        self.assertEqual(
+            _run_rule_e("`consensus.round` uses `xrpl.tx.hash` and `service.name`"),
+            ["xrpl.tx.hash"],
+        )
+
+    def test_skips_when_runbook_absent(self):
+        d = Path(tempfile.mkdtemp())
+        try:
+            report = chk.Report()
+            chk.run_rule_e_runbook(d, set(L1), report)
+            self.assertEqual(report.violations, [])
+            self.assertTrue(any("SKIP: E" in s for s in report.skips))
+        finally:
+            shutil.rmtree(d)
+
+    def test_skips_when_l1_empty(self):
+        d = Path(tempfile.mkdtemp())
+        try:
+            (d / "docs").mkdir()
+            (d / "docs" / "telemetry-runbook.md").write_text("`xrpl.tx.hash`")
+            report = chk.Report()
+            chk.run_rule_e_runbook(d, set(), report)
+            self.assertEqual(report.violations, [])
+            self.assertTrue(any("SKIP: E" in s for s in report.skips))
+        finally:
+            shutil.rmtree(d)
+
+
+class DslParser(unittest.TestCase):
+    """The makeStr/join/seg:: constexpr DSL resolver — the foundation of the
+    L1 key set. Covers flat, nested, cross-file, alias, and multi-line forms."""
+
+    def test_flat_join(self):
+        syms = chk.resolve_constants(
+            'inline constexpr auto a = makeStr("xrpl");\n'
+            'inline constexpr auto b = makeStr("network");\n'
+            "inline constexpr auto c = join(a, b);\n"
+        )
+        self.assertEqual(syms["c"], "xrpl.network")
+
+    def test_nested_join_three_segments(self):
+        syms = chk.resolve_constants(
+            'inline constexpr auto xrpl = makeStr("xrpl");\n'
+            'inline constexpr auto network = makeStr("network");\n'
+            "inline constexpr auto networkId = "
+            'join(join(xrpl, network), makeStr("id"));\n'
+        )
+        self.assertEqual(syms["networkId"], "xrpl.network.id")
+
+    def test_qualified_seg_reference(self):
+        # `seg::rpc` resolves by its bare leaf `rpc`.
+        syms = chk.resolve_constants('inline constexpr auto rpc = makeStr("rpc");\n')
+        syms2 = chk.resolve_constants(
+            'inline constexpr auto command = join(seg::rpc, makeStr("command"));\n',
+            syms,
+        )
+        self.assertEqual(syms2["command"], "rpc.command")
+
+    def test_alias_reference(self):
+        syms = chk.resolve_constants('inline constexpr auto rpc = makeStr("rpc");\n')
+        chk.resolve_constants("inline constexpr auto alias = seg::rpc;\n", syms)
+        self.assertEqual(syms["alias"], "rpc")
+
+    def test_unresolvable_expr_omitted(self):
+        syms = chk.resolve_constants("inline constexpr auto x = join(unknown, y);\n")
+        self.assertNotIn("x", syms)
+
+    def test_split_top_level_args_respects_nesting(self):
+        self.assertEqual(
+            chk.split_top_level_args("join(seg::a, b), c"),
+            ["join(seg::a, b)", " c"],
+        )
+
+    def test_split_top_level_args_ignores_comma_in_string(self):
+        self.assertEqual(
+            chk.split_top_level_args('key, ","'),
+            ["key", ' ","'],
+        )
+
+    def test_strip_comments_removes_line_and_block(self):
+        self.assertEqual(
+            chk.strip_comments("a // line\nb /* blk */ c").split(),
+            ["a", "b", "c"],
+        )
+
+
+def _write(path: Path, text: str) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(text)
+
+
+def _header(ns_attr_body: str, prefix_seg: str = "") -> str:
+    """A minimal *SpanNames.h body: optional seg defs + a namespace attr block."""
+    return (
+        "#pragma once\n"
+        + prefix_seg
+        + "namespace xrpl::telemetry::demo::span {\n"
+        + "namespace attr {\n"
+        + ns_attr_body
+        + "}  // namespace attr\n"
+        + "}\n"
+    )
+
+
+class AttrKeyExtraction(unittest.TestCase):
+    """attr_keys_from_header: comment-stripping + multi-line + using re-export."""
+
+    def _l1(self, header_text):
+        d = Path(tempfile.mkdtemp())
+        try:
+            h = d / "src" / "DemoSpanNames.h"
+            _write(h, header_text)
+            syms = chk.build_global_symbols([h])
+            return chk.attr_keys_from_header(h, syms)
+        finally:
+            shutil.rmtree(d)
+
+    def test_single_line_makestr(self):
+        keys = self._l1(_header('inline constexpr auto k = makeStr("tx_hash");\n'))
+        self.assertIn("tx_hash", keys)
+
+    def test_multiline_constexpr_captured(self):
+        keys = self._l1(
+            _header("inline constexpr auto k =\n" '    makeStr("round_time_ms");\n')
+        )
+        self.assertIn("round_time_ms", keys)
+
+    def test_commented_makestr_not_leaked(self):
+        keys = self._l1(
+            _header(
+                'inline constexpr auto k = makeStr("good");\n'
+                '// inline constexpr auto bad = makeStr("old.dotted");\n'
+            )
+        )
+        self.assertIn("good", keys)
+        self.assertNotIn("old.dotted", keys)
+
+    def test_block_commented_makestr_not_leaked(self):
+        keys = self._l1(
+            _header(
+                'inline constexpr auto k = makeStr("good");\n'
+                '/* makeStr("blockbad") */\n'
+            )
+        )
+        self.assertNotIn("blockbad", keys)
+
+
+class CamelToDotSegments(unittest.TestCase):
+    """semconv CamelCase -> dotted OTel-standard key derivation."""
+
+    def test_service_instance_id(self):
+        self.assertEqual(
+            chk.camel_to_dotsegments("ServiceInstanceId"),
+            ["service", "instance", "id"],
+        )
+
+    def test_service_name(self):
+        self.assertEqual(chk.camel_to_dotsegments("ServiceName"), ["service", "name"])
+
+    def test_derive_keys_from_telemetry_cpp(self):
+        d = Path(tempfile.mkdtemp())
+        try:
+            tele = d / "src" / "libxrpl" / "telemetry" / "Telemetry.cpp"
+            _write(
+                tele,
+                "resource::Resource::Create({\n"
+                "  {semconv::service::kServiceName, x},\n"
+                "  {semconv::service::kServiceInstanceId, y},\n"
+                "});\n",
+            )
+            report = chk.Report()
+            allow = chk.derive_dotted_resource_keys(d, {}, report)
+            self.assertIn("service.name", allow)
+            self.assertIn("service.instance.id", allow)
+        finally:
+            shutil.rmtree(d)
+
+
+class SymbolCollision(unittest.TestCase):
+    """attr_keys_from_header must resolve a constant against ITS OWN header, so
+    two headers defining a same-named constant each report their real wire key.
+    Regression for the flat-symbol-table collision that let a later header
+    clobber an earlier one and erased a dotted key from L1 (a Rule-A blind
+    spot)."""
+
+    def _build(self, files):
+        d = Path(tempfile.mkdtemp())
+        paths = {}
+        for rel, text in files.items():
+            p = d / rel
+            _write(p, text)
+            paths[rel] = p
+        return d, paths
+
+    def test_same_named_const_not_clobbered_across_headers(self):
+        base = (
+            "#pragma once\n"
+            "namespace xrpl::telemetry {\n"
+            'namespace seg { inline constexpr auto xrpl = makeStr("xrpl");\n'
+            'inline constexpr auto ledger = makeStr("ledger"); }\n'
+            "namespace attr {\n"
+            "inline constexpr auto ledgerHash = "
+            'join(join(seg::xrpl, seg::ledger), makeStr("hash"));\n'
+            "}\n}\n"
+        )
+        cons = (
+            "#pragma once\n"
+            "namespace xrpl::telemetry::consensus::span {\n"
+            "namespace attr { inline constexpr auto ledgerHash = "
+            'makeStr("ledger_hash"); }\n}\n'
+        )
+        d, paths = self._build(
+            {
+                "include/xrpl/telemetry/SpanNames.h": base,
+                "src/xrpld/consensus/ConsensusSpanNames.h": cons,
+            }
+        )
+        try:
+            headers = chk.find_spanname_headers(d)
+            syms = chk.build_global_symbols(headers)
+            by_name = {p.name: chk.attr_keys_from_header(p, syms) for p in headers}
+            # The base header keeps its dotted key; consensus keeps the bare one.
+            self.assertIn("xrpl.ledger.hash", by_name["SpanNames.h"])
+            self.assertEqual(by_name["ConsensusSpanNames.h"], {"ledger_hash"})
+        finally:
+            shutil.rmtree(d)
+
+    def test_using_reexport_still_resolves_globally(self):
+        # A `using`-re-export imports a constant defined elsewhere; it must
+        # resolve against the global table, not the local header.
+        base = (
+            "#pragma once\n"
+            "namespace xrpl::telemetry {\n"
+            "namespace attr { inline constexpr auto txHash = "
+            'makeStr("tx_hash"); }\n}\n'
+        )
+        dom = (
+            "#pragma once\n"
+            "namespace xrpl::telemetry::tx::span {\n"
+            "namespace attr { using ::xrpl::telemetry::attr::txHash; }\n}\n"
+        )
+        d, paths = self._build(
+            {
+                "include/xrpl/telemetry/SpanNames.h": base,
+                "src/xrpld/app/misc/TxSpanNames.h": dom,
+            }
+        )
+        try:
+            headers = chk.find_spanname_headers(d)
+            syms = chk.build_global_symbols(headers)
+            keys = chk.attr_keys_from_header(
+                paths["src/xrpld/app/misc/TxSpanNames.h"], syms
+            )
+            self.assertEqual(keys, {"tx_hash"})
+        finally:
+            shutil.rmtree(d)
+
+
+class ResourceAllowlistScope(unittest.TestCase):
+    """derive_dotted_resource_keys must allowlist ONLY the dotted keys actually
+    passed to Resource::Create() — not every dotted key in the base header. A
+    dotted attr declared in a header but not set as a resource attr is a Rule-A
+    violation."""
+
+    def _derive(self, tele_text, span_text):
+        d = Path(tempfile.mkdtemp())
+        try:
+            _write(d / "src" / "libxrpl" / "telemetry" / "Telemetry.cpp", tele_text)
+            _write(d / "include" / "xrpl" / "telemetry" / "SpanNames.h", span_text)
+            headers = chk.find_spanname_headers(d)
+            syms = chk.build_global_symbols(headers)
+            allow = chk.derive_dotted_resource_keys(d, syms, chk.Report())
+            return allow, syms, headers, d
+        except Exception:
+            shutil.rmtree(d)
+            raise
+
+    def test_dotted_span_attr_not_allowlisted_and_flagged(self):
+        span = (
+            "#pragma once\n"
+            "namespace xrpl::telemetry {\n"
+            'namespace seg { inline constexpr auto xrpl = makeStr("xrpl");\n'
+            'inline constexpr auto ledger = makeStr("ledger");\n'
+            'inline constexpr auto network = makeStr("network"); }\n'
+            "namespace attr {\n"
+            "inline constexpr auto networkId = "
+            'join(join(seg::xrpl, seg::network), makeStr("id"));\n'
+            "inline constexpr auto ledgerHash = "
+            'join(join(seg::xrpl, seg::ledger), makeStr("hash"));\n'
+            "}\n}\n"
+        )
+        tele = (
+            "auto r = resource::Resource::Create({\n"
+            "  {semconv::service::kServiceName, x},\n"
+            "  {std::string(attr::networkId), n},\n"
+            "});\n"
+        )
+        allow, syms, headers, d = self._derive(tele, span)
+        try:
+            # networkId IS a resource attr; ledgerHash is NOT, despite living in
+            # the base header.
+            self.assertIn("xrpl.network.id", allow)
+            self.assertNotIn("xrpl.ledger.hash", allow)
+            kbh = {h: chk.attr_keys_from_header(h, syms) for h in headers}
+            report = chk.Report()
+            chk.run_rule_a(kbh, allow, report)
+            self.assertEqual([v[2] for v in report.violations], ["xrpl.ledger.hash"])
+        finally:
+            shutil.rmtree(d)
+
+    def test_resource_block_brace_matched(self):
+        # A nested {key,value} initializer must not truncate the block scan.
+        tele = (
+            "auto r = resource::Resource::Create({\n"
+            "  {semconv::service::kServiceName, x},\n"
+            "  {std::string(attr::networkType), t},\n"
+            "});\n"
+        )
+        span = (
+            "#pragma once\n"
+            "namespace xrpl::telemetry {\n"
+            'namespace seg { inline constexpr auto xrpl = makeStr("xrpl");\n'
+            'inline constexpr auto network = makeStr("network"); }\n'
+            "namespace attr { inline constexpr auto networkType = "
+            'join(join(seg::xrpl, seg::network), makeStr("type")); }\n}\n'
+        )
+        allow, _syms, _headers, d = self._derive(tele, span)
+        try:
+            self.assertIn("xrpl.network.type", allow)
+            self.assertIn("service.name", allow)
+        finally:
+            shutil.rmtree(d)
+
+
+def _run_rule_a(keys_by_header, allow):
+    report = chk.Report()
+    chk.run_rule_a(keys_by_header, allow, report)
+    return sorted(v[2] for v in report.violations)
+
+
+class RuleADotted(unittest.TestCase):
+    def test_dotted_attr_not_in_allow_flagged(self):
+        kbh = {Path("src/RpcSpanNames.h"): {"xrpl.tx.hash", "command"}}
+        self.assertEqual(_run_rule_a(kbh, {"xrpl.network.id"}), ["xrpl.tx.hash"])
+
+    def test_resource_attr_in_allow_passes(self):
+        kbh = {Path("src/SpanNames.h"): {"xrpl.network.id"}}
+        self.assertEqual(_run_rule_a(kbh, {"xrpl.network.id"}), [])
+
+    def test_bare_key_never_flagged(self):
+        kbh = {Path("src/TxSpanNames.h"): {"tx_hash", "command"}}
+        self.assertEqual(_run_rule_a(kbh, set()), [])
+
+
+def _run_rule_g(keys_by_header):
+    report = chk.Report()
+    chk.run_rule_g(keys_by_header, report)
+    return sorted(v[2] for v in report.violations)
+
+
+class RuleGSnakeCase(unittest.TestCase):
+    def test_camelcase_flagged(self):
+        self.assertEqual(_run_rule_g({Path("h"): {"txHash"}}), ["txHash"])
+
+    def test_uppercase_flagged(self):
+        self.assertEqual(_run_rule_g({Path("h"): {"TX_HASH"}}), ["TX_HASH"])
+
+    def test_space_flagged(self):
+        self.assertEqual(_run_rule_g({Path("h"): {"bad key"}}), ["bad key"])
+
+    def test_snake_case_passes(self):
+        self.assertEqual(_run_rule_g({Path("h"): {"tx_hash", "rpc_status"}}), [])
+
+    def test_dotted_resource_segments_pass(self):
+        self.assertEqual(_run_rule_g({Path("h"): {"xrpl.network.id"}}), [])
+
+    def test_dotted_with_bad_segment_flagged(self):
+        self.assertEqual(
+            _run_rule_g({Path("h"): {"xrpl.Network.id"}}), ["xrpl.Network.id"]
+        )
+
+
+class RuleFAndH(unittest.TestCase):
+    """run_rule_f: literal keys/span-names flagged; values & tests exempt.
+    Rule H: qualified constant not in any header warns (non-fatal)."""
+
+    def _run(self, rel_path, source, header_symbols=frozenset()):
+        d = Path(tempfile.mkdtemp())
+        try:
+            _write(d / rel_path, source)
+            report = chk.Report()
+            chk.run_rule_f(d, report, set(header_symbols))
+            return (
+                sorted(v[2] for v in report.violations),
+                sorted(w[2] for w in report.warnings),
+            )
+        finally:
+            shutil.rmtree(d)
+
+    def test_literal_key_flagged(self):
+        v, _ = self._run("src/Foo.cpp", 'g.setAttribute("lit_key", v);\n')
+        self.assertEqual(v, ['setAttribute arg0 "lit_key"'])
+
+    def test_literal_value_exempt(self):
+        v, _ = self._run("src/Foo.cpp", 'g.setAttribute(attr::command, "submit");\n')
+        self.assertEqual(v, [])
+
+    def test_span_name_args_flagged(self):
+        v, _ = self._run("src/Foo.cpp", 'SpanGuard::span(cat, "rpc", "command");\n')
+        self.assertEqual(v, ['span arg1 "rpc"', 'span arg2 "command"'])
+
+    def test_test_path_exempt(self):
+        v, _ = self._run("src/test/Foo.cpp", 'g.setAttribute("lit_key", v);\n')
+        self.assertEqual(v, [])
+
+    def test_spannames_header_exempt(self):
+        v, _ = self._run("src/DemoSpanNames.h", 'g.setAttribute("lit_key", v);\n')
+        self.assertEqual(v, [])
+
+    def test_bare_span_call_not_matched(self):
+        # No SpanGuard/./-> receiver -> not a telemetry call-site.
+        v, _ = self._run("src/Foo.cpp", 'auto s = span("not", "telemetry");\n')
+        self.assertEqual(v, [])
+
+    def test_multiline_call_reports_first_line(self):
+        v, _ = self._run("src/Foo.cpp", 'g.setAttribute(\n    "k",\n    v);\n')
+        self.assertEqual(v, ['setAttribute arg0 "k"'])
+
+    def test_paren_in_string_value_does_not_break_parsing(self):
+        # The ")" inside the value must not end the call early; key still seen.
+        v, _ = self._run("src/Foo.cpp", 'g.setAttribute("k", ")");\n')
+        self.assertEqual(v, ['setAttribute arg0 "k"'])
+
+    def test_rule_h_qualified_constant_warns(self):
+        v, w = self._run(
+            "src/Foo.cpp",
+            "g.setAttribute(consensus::span::accept, v);\n",
+            header_symbols={"command"},
+        )
+        self.assertEqual(v, [])
+        self.assertEqual(w, ["setAttribute arg0 consensus::span::accept"])
+
+    def test_rule_h_known_constant_no_warning(self):
+        _, w = self._run(
+            "src/Foo.cpp",
+            "g.setAttribute(rpc_span::attr::command, v);\n",
+            header_symbols={"command"},
+        )
+        self.assertEqual(w, [])
+
+    def test_rule_h_bare_local_no_warning(self):
+        _, w = self._run(
+            "src/Foo.cpp", "g.setAttribute(myLeaf, v);\n", header_symbols={"command"}
+        )
+        self.assertEqual(w, [])
+
+
+class RuleBCollector(unittest.TestCase):
+    def _run(self, yaml_text, l1):
+        d = Path(tempfile.mkdtemp())
+        try:
+            _write(d / "docker" / "telemetry" / "otel-collector-config.yaml", yaml_text)
+            report = chk.Report()
+            chk.run_rule_b_collector(d, set(l1), report)
+            return sorted(v[2] for v in report.violations), report.skips
+        finally:
+            shutil.rmtree(d)
+
+    def test_dimension_not_in_l1_flagged(self):
+        y = "spanmetrics:\n  dimensions:\n    - name: bogus_dim\n    - name: command\n"
+        v, _ = self._run(y, {"command"})
+        self.assertEqual(v, ["bogus_dim"])
+
+    def test_all_dimensions_in_l1_pass(self):
+        y = "spanmetrics:\n  dimensions:\n    - name: command\n    - name: rpc_status\n"
+        v, _ = self._run(y, {"command", "rpc_status"})
+        self.assertEqual(v, [])
+
+    def test_skip_when_no_spanmetrics_block(self):
+        v, skips = self._run("receivers:\n  otlp:\n", {"command"})
+        self.assertEqual(v, [])
+        self.assertTrue(any("SKIP: B" in s for s in skips))
+
+
+class RuleCTempo(unittest.TestCase):
+    """Rule C reads the Grafana Tempo DATASOURCE file's search.filters and
+    validates only span-scope tags against L1."""
+
+    DS = "docker/telemetry/grafana/provisioning/datasources/tempo.yaml"
+
+    def _run(self, yaml_text, l1):
+        d = Path(tempfile.mkdtemp())
+        try:
+            _write(d / self.DS, yaml_text)
+            report = chk.Report()
+            chk.run_rule_c_tempo(d, set(l1), report)
+            return sorted(v[2] for v in report.violations), report.skips
+        finally:
+            shutil.rmtree(d)
+
+    def _filter(self, fid, tag, scope):
+        return (
+            f"          - id: {fid}\n"
+            f"            tag: {tag}\n"
+            f'            operator: "="\n'
+            f"            scope: {scope}\n"
+            f"            type: static\n"
+        )
+
+    def test_span_tag_not_in_l1_flagged(self):
+        y = "search:\n        filters:\n" + self._filter("f1", "bogus_tag", "span")
+        v, _ = self._run(y, {"command"})
+        self.assertEqual(v, ["bogus_tag"])
+
+    def test_span_tags_in_l1_pass(self):
+        y = (
+            "search:\n        filters:\n"
+            + self._filter("f1", "command", "span")
+            + self._filter("f2", "tx_hash", "span")
+        )
+        v, _ = self._run(y, {"command", "tx_hash"})
+        self.assertEqual(v, [])
+
+    def test_resource_and_intrinsic_tags_ignored(self):
+        # service.* (resource) and name/status/duration (intrinsic) are not
+        # span attributes — they must not be validated against L1.
+        y = (
+            "search:\n        filters:\n"
+            + self._filter("f1", "service.instance.id", "resource")
+            + self._filter("f2", "name", "intrinsic")
+            + self._filter("f3", "duration", "intrinsic")
+        )
+        v, skips = self._run(y, {"command"})
+        self.assertEqual(v, [])
+        self.assertTrue(any("SKIP: C" in s for s in skips))
+
+    def test_skip_when_datasource_absent(self):
+        d = Path(tempfile.mkdtemp())
+        try:
+            report = chk.Report()
+            chk.run_rule_c_tempo(d, {"command"}, report)
+            self.assertEqual(report.violations, [])
+            self.assertTrue(any("SKIP: C" in s for s in report.skips))
+        finally:
+            shutil.rmtree(d)
+
+
+class RuleDDashboards(unittest.TestCase):
+    def _run(self, json_text, l1, metric_labels=frozenset()):
+        d = Path(tempfile.mkdtemp())
+        try:
+            _write(
+                d / "docker" / "telemetry" / "grafana" / "dashboards" / "x.json",
+                json_text,
+            )
+            report = chk.Report()
+            chk.run_rule_d_dashboards(d, set(l1), set(metric_labels), report)
+            return sorted(v[2] for v in report.violations)
+        finally:
+            shutil.rmtree(d)
+
+    def test_unknown_promql_label_flagged(self):
+        self.assertEqual(
+            self._run('"expr": "sum by (bogus_label) (x)"', {"command"}),
+            ["bogus_label"],
+        )
+
+    def test_builtin_labels_not_flagged(self):
+        self.assertEqual(
+            self._run('"expr": "sum by (le, span_name, exported_instance) (x)"', set()),
+            [],
+        )
+
+    def test_prometheus_name_label_not_flagged(self):
+        # `__name__` is the Prometheus reserved metric-name label; the renamed
+        # system-*.json dashboards use `sum by (le, __name__)`.
+        self.assertEqual(
+            self._run('"expr": "sum by (le, __name__) (rate(x[5m]))"', set()),
+            [],
+        )
+
+    def test_l1_label_passes(self):
+        self.assertEqual(self._run('"q": "{command=\\"x\\"}"', {"command"}), [])
+
+    def test_traceql_span_prefix_stripped(self):
+        # `span.establish_count` must validate against the bare L1 key.
+        self.assertEqual(
+            self._run(
+                '"expr": "count_over_time(x) by (span.establish_count)"',
+                {"establish_count"},
+            ),
+            [],
+        )
+
+    def test_traceql_resource_prefix_stripped(self):
+        self.assertEqual(self._run('"q": "{resource.service_name=\\"x\\"}"', set()), [])
+
+    def test_native_metric_label_passes(self):
+        # `job_type` / `reason` are emitted by MetricsRegistry, not span attrs.
+        self.assertEqual(
+            self._run(
+                '"expr": "sum by (job_type, reason) (x)"',
+                {"command"},
+                metric_labels={"job_type", "reason"},
+            ),
+            [],
+        )
+
+    def test_unknown_label_still_flagged_with_metric_labels(self):
+        # A label that is neither L1, metric label, nor builtin still fails.
+        self.assertEqual(
+            self._run(
+                '"expr": "sum by (bogus) (x)"',
+                {"command"},
+                metric_labels={"job_type"},
+            ),
+            ["bogus"],
+        )
+
+    def test_span_prefixed_unknown_still_flagged(self):
+        # `span.not_a_key` whose bare form is unknown is still a violation.
+        self.assertEqual(
+            self._run('"expr": "x by (span.not_a_key)"', {"command"}),
+            ["span.not_a_key"],
+        )
+
+
+class MetricLabelExtraction(unittest.TestCase):
+    """L6: native-metric label keys parsed from C++ instrument calls."""
+
+    def test_extracts_add_label(self):
+        d = Path(tempfile.mkdtemp())
+        try:
+            _write(
+                d / "src" / "xrpld" / "telemetry" / "MetricsRegistry.cpp",
+                'counter->Add(1, {{"job_type", std::string(jobType)}});\n'
+                'c2->Add(1, {{"reason", std::string(r)}});\n',
+            )
+            self.assertEqual(chk.metric_label_names(d), {"job_type", "reason"})
+        finally:
+            shutil.rmtree(d)
+
+    def test_no_metrics_file_empty(self):
+        d = Path(tempfile.mkdtemp())
+        try:
+            (d / "src").mkdir()
+            self.assertEqual(chk.metric_label_names(d), set())
+        finally:
+            shutil.rmtree(d)
+
+
+class ReportExitContract(unittest.TestCase):
+    @staticmethod
+    def _exit_code(report):
+        """Call render_and_exit (which prints + raises SystemExit), swallowing
+        its stdout, and return the exit code."""
+        with contextlib.redirect_stdout(io.StringIO()):
+            try:
+                report.render_and_exit()
+            except SystemExit as e:
+                return e.code
+        return None  # pragma: no cover - render_and_exit always exits
+
+    def test_violation_exits_nonzero(self):
+        r = chk.Report()
+        r.violation("A", "f", "tok", "exp")
+        self.assertEqual(self._exit_code(r), 1)
+
+    def test_clean_exits_zero(self):
+        r = chk.Report()
+        r.ok("all good")
+        self.assertEqual(self._exit_code(r), 0)
+
+    def test_warning_only_exits_zero(self):
+        r = chk.Report()
+        r.warning("H", "f", "tok", "note")
+        self.assertEqual(self._exit_code(r), 0)
+
+
+class RuleEReportTuple(unittest.TestCase):
+    """Assert Rule E records the full (rule, expected) tuple, not just token."""
+
+    def test_violation_tuple_fields(self):
+        d = Path(tempfile.mkdtemp())
+        try:
+            (d / "docs").mkdir()
+            (d / "docs" / "telemetry-runbook.md").write_text("`xrpl.tx.hash`")
+            report = chk.Report()
+            chk.run_rule_e_runbook(d, {"xrpl.network.id"}, report)
+            self.assertEqual(len(report.violations), 1)
+            rule, _loc, token, expected = report.violations[0]
+            self.assertEqual(rule, "E")
+            self.assertEqual(token, "xrpl.tx.hash")
+            self.assertEqual(expected, "underscore, not dotted")
+        finally:
+            shutil.rmtree(d)
+
+    def test_clean_runbook_records_ok(self):
+        d = Path(tempfile.mkdtemp())
+        try:
+            (d / "docs").mkdir()
+            (d / "docs" / "telemetry-runbook.md").write_text(
+                "`tx_hash` `consensus.round`"
+            )
+            report = chk.Report()
+            chk.run_rule_e_runbook(d, {"tx_hash"}, report)
+            self.assertEqual(report.violations, [])
+            self.assertTrue(any("E:" in c for c in report.checked))
+        finally:
+            shutil.rmtree(d)
+
+
+if __name__ == "__main__":
+    unittest.main(verbosity=2)

.github/scripts/rename/README.md

@@ -0,0 +1,50 @@
+## Renaming ripple(d) to xrpl(d)
+
+In the initial phases of development of the XRPL, the open source codebase was
+called "xrpld" and it remains with that name even today. Today, over 1000
+nodes run the application, and code contributions have been submitted by
+developers located around the world. The XRPL community is larger than ever.
+In light of the decentralized and diversified nature of XRPL, we will rename any
+references to `ripple` and `xrpld` to `xrpl` and `xrpld`, when appropriate.
+
+See [here](https://xls.xrpl.org/xls/XLS-0095-rename-rippled-to-xrpld.html) for
+more information.
+
+### Scripts
+
+To facilitate this transition, there will be multiple scripts that developers
+can run on their own PRs and forks to minimize conflicts. Each script should be
+run from the repository root.
+
+1. `.github/scripts/rename/definitions.sh`: This script will rename all
+   definitions, such as include guards, from `RIPPLE_XXX` and `RIPPLED_XXX` to
+   `XRPL_XXX`.
+2. `.github/scripts/rename/copyright.sh`: This script will remove superfluous
+   copyright notices.
+3. `.github/scripts/rename/cmake.sh`: This script will rename all CMake files
+   from `RippleXXX.cmake` or `XrpldXXX.cmake` to `XrplXXX.cmake`, and any
+   references to `ripple` and `xrpld` (with or without capital letters) to
+   `xrpl` and `xrpld`, respectively. The name of the binary will remain as-is,
+   and will only be renamed to `xrpld` by a later script.
+4. `.github/scripts/rename/binary.sh`: This script will rename the binary from
+   `xrpld` to `xrpld`, and reverses the symlink so that `xrpld` points to
+   the `xrpld` binary.
+5. `.github/scripts/rename/namespace.sh`: This script will rename the C++
+   namespaces from `ripple` to `xrpl`.
+6. `.github/scripts/rename/config.sh`: This script will rename the config from
+   `xrpld.cfg` to `xrpld.cfg`, and updating the code accordingly. The old
+   filename will still be accepted.
+7. `.github/scripts/rename/docs.sh`: This script will rename any lingering
+   references of `ripple(d)` to `xrpl(d)` in code, comments, and documentation.
+
+You can run all these scripts from the repository root as follows:
+
+```shell
+./.github/scripts/rename/definitions.sh .
+./.github/scripts/rename/copyright.sh .
+./.github/scripts/rename/cmake.sh .
+./.github/scripts/rename/binary.sh .
+./.github/scripts/rename/namespace.sh .
+./.github/scripts/rename/config.sh .
+./.github/scripts/rename/docs.sh .
+```

.github/scripts/rename/binary.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# On MacOS, ensure that GNU sed is installed and available as `gsed`.
+SED_COMMAND=sed
+if [[ "${OSTYPE}" == 'darwin'* ]]; then
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+fi
+
+# This script changes the binary name from `rippled` to `xrpld`, and reverses
+# the symlink that currently points from `xrpld` to `rippled` so that it points
+# from `rippled` to `xrpld` instead.
+# Usage: .github/scripts/rename/binary.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+pushd "${DIRECTORY}"
+
+# Remove the binary name override added by the cmake.sh script.
+${SED_COMMAND} -z -i -E 's@\s+# For the time being.+"rippled"\)@@' cmake/XrplCore.cmake
+
+# Reverse the symlink.
+${SED_COMMAND} -i -E 's@create_symbolic_link\(rippled@create_symbolic_link(xrpld@' cmake/XrplInstall.cmake
+${SED_COMMAND} -i -E 's@/xrpld\$\{suffix\}@/rippled${suffix}@' cmake/XrplInstall.cmake
+
+# Rename references to the binary.
+${SED_COMMAND} -i -E 's@rippled@xrpld@g' BUILD.md
+${SED_COMMAND} -i -E 's@rippled@xrpld@g' CONTRIBUTING.md
+${SED_COMMAND} -i -E 's@rippled@xrpld@g' .github/ISSUE_TEMPLATE/bug_report.md
+
+# Restore and/or fix certain renames. The pre-commit hook will update the
+# formatting upon saving/committing.
+${SED_COMMAND} -i -E 's@ripple/xrpld@XRPLF/rippled@g' BUILD.md
+${SED_COMMAND} -i -E 's@XRPLF/xrpld@XRPLF/rippled@g' BUILD.md
+${SED_COMMAND} -i -E 's@xrpld \(`xrpld`\)@xrpld@g' BUILD.md
+${SED_COMMAND} -i -E 's@XRPLF/xrpld@XRPLF/rippled@g' CONTRIBUTING.md
+${SED_COMMAND} -i -E 's@XRPLF/xrpld@XRPLF/rippled@g' docs/build/install.md
+
+popd
+echo "Processing complete."

.github/scripts/rename/cmake.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# On MacOS, ensure that GNU sed and head are installed and available as `gsed`
+# and `ghead`, respectively.
+SED_COMMAND=sed
+HEAD_COMMAND=head
+if [[ "${OSTYPE}" == 'darwin'* ]]; then
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+    if ! command -v ghead &>/dev/null; then
+        echo "Error: ghead is not installed. Please install it using 'brew install coreutils'."
+        exit 1
+    fi
+    HEAD_COMMAND=ghead
+fi
+
+# This script renames CMake files from `RippleXXX.cmake` or `RippledXXX.cmake`
+# to `XrplXXX.cmake`, and any references to `ripple` and `rippled` (with or
+# without capital letters) to `xrpl` and `xrpld`, respectively. The name of the
+# binary will remain as-is, and will only be renamed to `xrpld` in a different
+# script, but the proto file will be renamed.
+# Usage: .github/scripts/rename/cmake.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+pushd "${DIRECTORY}"
+
+# Rename the files.
+find cmake -type f -name 'Rippled*.cmake' -exec bash -c 'mv "${1}" "${1/Rippled/Xrpl}"' - {} \;
+find cmake -type f -name 'Ripple*.cmake' -exec bash -c 'mv "${1}" "${1/Ripple/Xrpl}"' - {} \;
+if [ -e include/xrpl/proto/ripple.proto ]; then
+    mv include/xrpl/proto/ripple.proto include/xrpl/proto/xrpl.proto
+fi
+
+# Rename inside the files.
+find cmake -type f -name '*.cmake' | while read -r FILE; do
+    echo "Processing file: ${FILE}"
+    ${SED_COMMAND} -i 's/Rippled/Xrpld/g' "${FILE}"
+    ${SED_COMMAND} -i 's/Ripple/Xrpl/g' "${FILE}"
+    ${SED_COMMAND} -i 's/rippled/xrpld/g' "${FILE}"
+    ${SED_COMMAND} -i 's/ripple/xrpl/g' "${FILE}"
+done
+${SED_COMMAND} -i -E 's/Rippled?/Xrpl/g' CMakeLists.txt
+${SED_COMMAND} -i 's/ripple/xrpl/g' CMakeLists.txt
+${SED_COMMAND} -i 's/ripple.pb.h/xrpl.pb.h/' include/xrpl/protocol/messages.h
+${SED_COMMAND} -i 's/ripple.pb.h/xrpl.pb.h/' BUILD.md
+${SED_COMMAND} -i 's/ripple.pb.h/xrpl.pb.h/' BUILD.md
+
+# Restore the name of the validator keys repository.
+${SED_COMMAND} -i 's@xrpl/validator-keys-tool@ripple/validator-keys-tool@' cmake/XrplValidatorKeys.cmake
+
+# Ensure the name of the binary and config remain 'rippled' for now.
+${SED_COMMAND} -i -E 's/xrpld(-example)?\.cfg/rippled\1.cfg/g' cmake/XrplInstall.cmake
+if grep -q '"xrpld"' cmake/XrplCore.cmake; then
+    # The script has been rerun, so just restore the name of the binary.
+    ${SED_COMMAND} -i 's/"xrpld"/"rippled"/' cmake/XrplCore.cmake
+elif ! grep -q '"rippled"' cmake/XrplCore.cmake; then
+    ${HEAD_COMMAND} -n -1 cmake/XrplCore.cmake >cmake.tmp
+    echo '  # For the time being, we will keep the name of the binary as it was.' >>cmake.tmp
+    echo '  set_target_properties(xrpld PROPERTIES OUTPUT_NAME "rippled")' >>cmake.tmp
+    tail -1 cmake/XrplCore.cmake >>cmake.tmp
+    mv cmake.tmp cmake/XrplCore.cmake
+fi
+
+# Restore the symlink from 'xrpld' to 'rippled'.
+${SED_COMMAND} -i -E 's@create_symbolic_link\(xrpld@create_symbolic_link(rippled@' cmake/XrplInstall.cmake
+
+# Remove the symlink that previously pointed from 'ripple' to 'xrpl' but now is
+# no longer needed.
+${SED_COMMAND} -z -i -E 's@install\(CODE.+CMAKE_INSTALL_INCLUDEDIR}/xrpl\)\n"\)\n+@@' cmake/XrplInstall.cmake
+
+popd
+echo "Renaming complete."

.github/scripts/rename/config.sh

@@ -0,0 +1,71 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# On MacOS, ensure that GNU sed is installed and available as `gsed`.
+SED_COMMAND=sed
+if [[ "${OSTYPE}" == 'darwin'* ]]; then
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+fi
+
+# This script renames the config from `rippled.cfg` to `xrpld.cfg`, and updates
+# the code accordingly. The old filename will still be accepted.
+# Usage: .github/scripts/rename/config.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+pushd "${DIRECTORY}"
+
+# Add the xrpld.cfg to the .gitignore.
+if ! grep -q 'xrpld.cfg' .gitignore; then
+    ${SED_COMMAND} -i '/rippled.cfg/a\
+/xrpld.cfg' .gitignore
+fi
+
+# Rename the files.
+if [ -e rippled.cfg ]; then
+    mv rippled.cfg xrpld.cfg
+fi
+if [ -e cfg/rippled-example.cfg ]; then
+    mv cfg/rippled-example.cfg cfg/xrpld-example.cfg
+fi
+
+# Rename inside the files.
+DIRECTORIES=("cfg" "cmake" "include" "src")
+for DIRECTORY in "${DIRECTORIES[@]}"; do
+    echo "Processing directory: ${DIRECTORY}"
+
+    find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.cmake" -o -name "*.txt" -o -name "*.cfg" -o -name "*.md" \) | while read -r FILE; do
+        echo "Processing file: ${FILE}"
+        ${SED_COMMAND} -i -E 's/rippled(-example)?[ .]cfg/xrpld\1.cfg/g' "${FILE}"
+        ${SED_COMMAND} -i 's/rippleConfig/xrpldConfig/g' "${FILE}"
+    done
+done
+${SED_COMMAND} -i 's/rippled/xrpld/g' cfg/xrpld-example.cfg
+${SED_COMMAND} -i 's/rippled/xrpld/g' src/test/core/Config_test.cpp
+${SED_COMMAND} -i 's/ripplevalidators/xrplvalidators/g' src/test/core/Config_test.cpp # cspell: disable-line
+${SED_COMMAND} -i 's@ripple/@xrpld/@g' src/test/core/Config_test.cpp
+${SED_COMMAND} -i 's/Rippled/File/g' src/test/core/Config_test.cpp
+
+# Restore the old config file name in the code that maintains support for now.
+${SED_COMMAND} -i 's/kConfigLegacyName = "xrpld.cfg"/kConfigLegacyName = "rippled.cfg"/g' src/xrpld/core/detail/Config.cpp
+
+# Restore an URL.
+${SED_COMMAND} -i 's/connect-your-xrpld-to-the-xrp-test-net.html/connect-your-rippled-to-the-xrp-test-net.html/g' cfg/xrpld-example.cfg
+
+popd
+echo "Renaming complete."

.github/scripts/rename/copyright.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# On MacOS, ensure that GNU sed is installed and available as `gsed`.
+SED_COMMAND=sed
+if [[ "${OSTYPE}" == 'darwin'* ]]; then
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+fi
+
+# This script removes superfluous copyright notices in source and header files
+# in this project. Specifically, it removes all notices referencing Ripple,
+# XRPLF, and certain individual contributors upon mutual agreement, so the one
+# in the LICENSE.md file applies throughout. Copyright notices referencing
+# external contributions, e.g. from Bitcoin, remain as-is.
+# Usage: .github/scripts/rename/copyright.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+pushd "${DIRECTORY}"
+
+# Prevent sed and echo from removing newlines and tabs in string literals by
+# temporarily replacing them with placeholders. This only affects one file.
+PLACEHOLDER_NEWLINE="__NEWLINE__"
+PLACEHOLDER_TAB="__TAB__"
+${SED_COMMAND} -i -E "s@\\\n@${PLACEHOLDER_NEWLINE}@g" src/test/rpc/ValidatorInfo_test.cpp
+${SED_COMMAND} -i -E "s@\\\t@${PLACEHOLDER_TAB}@g" src/test/rpc/ValidatorInfo_test.cpp
+
+# Process the include/ and src/ directories.
+DIRECTORIES=("include" "src")
+for DIRECTORY in "${DIRECTORIES[@]}"; do
+    echo "Processing directory: ${DIRECTORY}"
+
+    find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.macro" \) | while read -r FILE; do
+        echo "Processing file: ${FILE}"
+        # Handle the cases where the copyright notice is enclosed in /* ... */
+        # and usually surrounded by //---- and //======.
+        ${SED_COMMAND} -z -i -E 's@^//-------+\n+@@' "${FILE}"
+        ${SED_COMMAND} -z -i -E 's@^.*Copyright.+(Ripple|Bougalis|Falco|Hinnant|Null|Ritchford|XRPLF).+PERFORMANCE OF THIS SOFTWARE\.\n\*/\n+@@' "${FILE}" # cspell: ignore Bougalis Falco Hinnant Ritchford
+        ${SED_COMMAND} -z -i -E 's@^//=======+\n+@@' "${FILE}"
+
+        # Handle the cases where the copyright notice is commented out with //.
+        ${SED_COMMAND} -z -i -E 's@^//\n// Copyright.+Falco \(vinnie dot falco at gmail dot com\)\n//\n+@@' "${FILE}" # cspell: ignore Vinnie Falco
+    done
+done
+
+# Restore copyright notices that were removed from specific files, without
+# restoring the verbiage that is already present in LICENSE.md. Ensure that if
+# the script is run multiple times, duplicate notices are not added.
+if ! grep -q 'Raw Material Software' include/xrpl/beast/core/CurrentThreadName.h; then
+    echo -e "// Portions of this file are from JUCE (http://www.juce.com).\n// Copyright (c) 2013 - Raw Material Software Ltd.\n// Please visit http://www.juce.com\n\n$(cat include/xrpl/beast/core/CurrentThreadName.h)" >include/xrpl/beast/core/CurrentThreadName.h
+fi
+if ! grep -q 'Dev Null' src/test/app/NetworkID_test.cpp; then
+    echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/app/NetworkID_test.cpp)" >src/test/app/NetworkID_test.cpp
+fi
+if ! grep -q 'Dev Null' src/test/app/tx/apply_test.cpp; then
+    echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/app/tx/apply_test.cpp)" >src/test/app/tx/apply_test.cpp
+fi
+if ! grep -q 'Dev Null' src/test/rpc/ManifestRPC_test.cpp; then
+    echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/rpc/ManifestRPC_test.cpp)" >src/test/rpc/ManifestRPC_test.cpp
+fi
+if ! grep -q 'Dev Null' src/test/rpc/ValidatorInfo_test.cpp; then
+    echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/rpc/ValidatorInfo_test.cpp)" >src/test/rpc/ValidatorInfo_test.cpp
+fi
+if ! grep -q 'Dev Null' src/xrpld/rpc/handlers/server_info/Manifest.cpp; then
+    echo -e "// Copyright (c) 2019 Dev Null Productions\n\n$(cat src/xrpld/rpc/handlers/server_info/Manifest.cpp)" >src/xrpld/rpc/handlers/server_info/Manifest.cpp
+fi
+if ! grep -q 'Dev Null' src/xrpld/rpc/handlers/admin/status/ValidatorInfo.cpp; then
+    echo -e "// Copyright (c) 2019 Dev Null Productions\n\n$(cat src/xrpld/rpc/handlers/admin/status/ValidatorInfo.cpp)" >src/xrpld/rpc/handlers/admin/status/ValidatorInfo.cpp
+fi
+if ! grep -q 'Bougalis' include/xrpl/basics/SlabAllocator.h; then
+    echo -e "// Copyright (c) 2022, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/SlabAllocator.h)" >include/xrpl/basics/SlabAllocator.h # cspell: ignore Nikolaos Bougalis nikb
+fi
+if ! grep -q 'Bougalis' include/xrpl/basics/spinlock.h; then
+    echo -e "// Copyright (c) 2022, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/spinlock.h)" >include/xrpl/basics/spinlock.h # cspell: ignore Nikolaos Bougalis nikb
+fi
+if ! grep -q 'Bougalis' include/xrpl/basics/tagged_integer.h; then
+    echo -e "// Copyright (c) 2014, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/tagged_integer.h)" >include/xrpl/basics/tagged_integer.h # cspell: ignore Nikolaos Bougalis nikb
+fi
+if ! grep -q 'Ritchford' include/xrpl/beast/utility/Zero.h; then
+    echo -e "// Copyright (c) 2014, Tom Ritchford <tom@swirly.com>\n\n$(cat include/xrpl/beast/utility/Zero.h)" >include/xrpl/beast/utility/Zero.h # cspell: ignore Ritchford
+fi
+
+# Restore newlines and tabs in string literals in the affected file.
+${SED_COMMAND} -i -E "s@${PLACEHOLDER_NEWLINE}@\\\n@g" src/test/rpc/ValidatorInfo_test.cpp
+${SED_COMMAND} -i -E "s@${PLACEHOLDER_TAB}@\\\t@g" src/test/rpc/ValidatorInfo_test.cpp
+
+popd
+echo "Removal complete."

.github/scripts/rename/definitions.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# On MacOS, ensure that GNU sed is installed and available as `gsed`.
+SED_COMMAND=sed
+if [[ "${OSTYPE}" == 'darwin'* ]]; then
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+fi
+
+# This script renames definitions, such as include guards, in this project.
+# Specifically, it renames "RIPPLED_XXX" and "RIPPLE_XXX" to "XRPL_XXX" by
+# scanning all cmake, header, and source files in the specified directory and
+# its subdirectories.
+# Usage: .github/scripts/rename/definitions.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+
+find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" \) | while read -r FILE; do
+    echo "Processing file: ${FILE}"
+    ${SED_COMMAND} -i -E 's@#(define|endif|if|ifdef|ifndef)(.*)(RIPPLED_|RIPPLE_)([A-Z0-9_]+)@#\1\2XRPL_\4@g' "${FILE}"
+done
+find "${DIRECTORY}" -type f \( -name "*.cmake" -o -name "*.txt" \) | while read -r FILE; do
+    echo "Processing file: ${FILE}"
+    ${SED_COMMAND} -i -E 's@(RIPPLED_|RIPPLE_)([A-Z0-9_]+)@XRPL_\2@g' "${FILE}"
+done
+echo "Renaming complete."

.github/scripts/rename/docs.sh

@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# On MacOS, ensure that GNU sed is installed and available as `gsed`.
+SED_COMMAND=sed
+if [[ "${OSTYPE}" == 'darwin'* ]]; then
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+fi
+
+# This script renames all remaining references to `ripple` and `rippled` to
+# `xrpl` and `xrpld`, respectively, in code, comments, and documentation.
+# Usage: .github/scripts/rename/docs.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+pushd "${DIRECTORY}"
+
+find . -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.txt" -o -name "*.cfg" -o -name "*.md" -o -name "*.proto" \) -not -path "./.github/scripts/*" | while read -r FILE; do
+    echo "Processing file: ${FILE}"
+    ${SED_COMMAND} -i 's/rippleLockEscrowMPT/lockEscrowMPT/g' "${FILE}"
+    ${SED_COMMAND} -i 's/rippleUnlockEscrowMPT/unlockEscrowMPT/g' "${FILE}"
+    ${SED_COMMAND} -i 's/rippleCredit/directSendNoFee/g' "${FILE}"
+    ${SED_COMMAND} -i 's/rippleSend/directSendNoLimit/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's@([^/+-])rippled@\1xrpld@g' "${FILE}"
+    ${SED_COMMAND} -i -E 's@([^/+-])Rippled@\1Xrpld@g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/^rippled/xrpld/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/^Rippled/Xrpld/g' "${FILE}"
+    # cspell: disable
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (a|A)ddress/XRPL address/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (a|A)ccount/XRPL account/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (a|A)lgorithm/XRPL algorithm/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (c|C)lient/XRPL client/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (c|C)luster/XRPL cluster/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (c|C)onsensus/XRPL consensus/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (d|D)efault/XRPL default/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (e|E)poch/XRPL epoch/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (f|F)eature/XRPL feature/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (n|N)etwork/XRPL network/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (p|P)ayment/XRPL payment/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (p|P)rotocol/XRPL protocol/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (r|R)epository/XRPL repository/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple RPC/XRPL RPC/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (s|S)erialization/XRPL serialization/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (s|S)erver/XRPL server/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (s|S)pecific/XRPL specific/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple Source/XRPL Source/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (t|T)imestamp/XRPL timestamp/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple uses the consensus/XRPL uses the consensus/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (v|V)alidator/XRPL validator/g' "${FILE}"
+    # cspell: enable
+    ${SED_COMMAND} -i 's/RippleLib/XrplLib/g' "${FILE}"
+    ${SED_COMMAND} -i 's/ripple-lib/XrplLib/g' "${FILE}"
+    ${SED_COMMAND} -i 's@opt/ripple/@opt/xrpld/@g' "${FILE}"
+    ${SED_COMMAND} -i 's@src/ripple/@src/xrpld/@g' "${FILE}"
+    ${SED_COMMAND} -i 's@ripple/app/@xrpld/app/@g' "${FILE}"
+    ${SED_COMMAND} -i 's@github.com/ripple/rippled@github.com/XRPLF/rippled@g' "${FILE}"
+    ${SED_COMMAND} -i 's/\ba xrpl/an xrpl/g' "${FILE}"
+    ${SED_COMMAND} -i 's/\ba XRPL/an XRPL/g' "${FILE}"
+done
+${SED_COMMAND} -i 's/ripple_libs/xrpl_libs/' BUILD.md
+${SED_COMMAND} -i 's/Ripple integrators/XRPL developers/' README.md
+${SED_COMMAND} -i 's/sanitizer-configuration-for-rippled/sanitizer-configuration-for-xrpld/' docs/build/sanitizers.md
+${SED_COMMAND} -i 's/rippled/xrpld/g' .github/scripts/levelization/README.md
+${SED_COMMAND} -i 's/rippled/xrpld/g' .github/scripts/strategy-matrix/generate.py
+${SED_COMMAND} -i 's@/rippled@/xrpld@g' docs/build/install.md
+${SED_COMMAND} -i 's@github.com/XRPLF/xrpld@github.com/XRPLF/rippled@g' docs/build/install.md
+${SED_COMMAND} -i 's/rippled/xrpld/g' docs/Doxyfile
+${SED_COMMAND} -i 's/ripple_basics/basics/' include/xrpl/basics/CountedObject.h
+${SED_COMMAND} -i 's/<ripple/<xrpl/' include/xrpl/protocol/AccountID.h
+${SED_COMMAND} -i 's/Ripple:/the XRPL:/g' include/xrpl/protocol/SecretKey.h
+${SED_COMMAND} -i 's/Ripple:/the XRPL:/g' include/xrpl/protocol/Seed.h
+${SED_COMMAND} -i 's/ripple/xrpl/g' src/test/README.md
+${SED_COMMAND} -i 's/www.ripple.com/www.xrpl.org/g' src/test/protocol/Seed_test.cpp
+
+# Restore specific changes.
+${SED_COMMAND} -i 's@b5efcc/src/xrpld@b5efcc/src/ripple@' include/xrpl/protocol/README.md
+${SED_COMMAND} -i 's/dbPrefix_ = "xrpldb"/dbPrefix_ = "rippledb"/' src/xrpld/app/misc/SHAMapStoreImp.h # cspell: disable-line
+${SED_COMMAND} -i 's/kConfigLegacyName = "xrpld.cfg"/kConfigLegacyName = "rippled.cfg"/' src/xrpld/core/detail/Config.cpp
+
+popd
+echo "Renaming complete."

.github/scripts/rename/include.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# This script checks whether there are no new include guards introduced by a new
+# PR, as header files should use "#pragma once" instead. The script assumes any
+# include guards will use "XRPL_" as prefix.
+# Usage: .github/scripts/rename/include.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+
+find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" \) | while read -r FILE; do
+    echo "Processing file: ${FILE}"
+    if grep -q "#ifndef XRPL_" "${FILE}"; then
+        echo "Please replace all include guards by #pragma once."
+        exit 1
+    fi
+done
+echo "Checking complete."

.github/scripts/rename/namespace.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# On MacOS, ensure that GNU sed is installed and available as `gsed`.
+SED_COMMAND=sed
+if [[ "${OSTYPE}" == 'darwin'* ]]; then
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+fi
+
+# This script renames the `ripple` namespace to `xrpl` in this project.
+# Specifically, it renames all occurrences of `namespace ripple` and `ripple::`
+# to `namespace xrpl` and `xrpl::`, respectively, by scanning all header and
+# source files in the specified directory and its subdirectories, as well as any
+# occurrences in the documentation. It also renames them in the test suites.
+# Usage: .github/scripts/rename/namespace.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+pushd "${DIRECTORY}"
+
+DIRECTORIES=("include" "src" "tests")
+for DIRECTORY in "${DIRECTORIES[@]}"; do
+    echo "Processing directory: ${DIRECTORY}"
+
+    find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.macro" \) | while read -r FILE; do
+        echo "Processing file: ${FILE}"
+        ${SED_COMMAND} -i 's/namespace ripple/namespace xrpl/g' "${FILE}"
+        ${SED_COMMAND} -i 's/ripple::/xrpl::/g' "${FILE}"
+        ${SED_COMMAND} -i 's/"ripple:/"xrpl::/g' "${FILE}"
+        ${SED_COMMAND} -i -E 's/(BEAST_DEFINE_TESTSUITE.+)ripple(.+)/\1xrpl\2/g' "${FILE}"
+    done
+done
+
+# Special case for NuDBFactory that has ripple twice in the test suite name.
+${SED_COMMAND} -i -E 's/(BEAST_DEFINE_TESTSUITE.+)ripple(.+)/\1xrpl\2/g' src/test/nodestore/NuDBFactory_test.cpp
+
+DIRECTORY=$1
+find "${DIRECTORY}" -type f -name "*.md" | while read -r FILE; do
+    echo "Processing file: ${FILE}"
+    ${SED_COMMAND} -i 's/ripple::/xrpl::/g' "${FILE}"
+done
+
+popd
+echo "Renaming complete."

.github/scripts/strategy-matrix/generate.py

@@ -0,0 +1,324 @@
+#!/usr/bin/env python3
+import argparse
+import dataclasses
+import itertools
+import json
+from pathlib import Path
+
+THIS_DIR = Path(__file__).parent.resolve()
+
+_BASE_CMAKE_ARGS = ["-Dtests=ON", "-Dwerr=ON", "-Dxrpld=ON", "-Dwextra=ON"]
+
+# Maps sanitizer names (as used in cmake) to short config-name suffixes.
+_SANITIZER_SUFFIX: dict[str, str] = {
+    "address": "asan",
+    "undefinedbehavior": "ubsan",
+    "thread": "tsan",
+}
+
+
+def get_cmake_args(build_type: str, extra_args: str) -> str:
+    """Get the full list of CMake arguments for a config."""
+    args = _BASE_CMAKE_ARGS.copy()
+    if build_type == "Release":
+        args.append("-Dassert=ON")
+    if extra_args:
+        args.extend(extra_args.split())
+    return " ".join(args)
+
+
+def runs_on_event(exclude_event_types: list[str], event: str | None) -> bool:
+    """Whether a config should run for the current event.
+
+    'exclude_event_types' is a list of GitHub event names (e.g.
+    ["pull_request"]) on which the config should NOT run; an empty list means
+    the config runs on every event. When no event is given (event is None), no
+    filtering is applied.
+    """
+    if event is None:
+        return True
+    return event not in exclude_event_types
+
+
+# ---------------------------------------------------------------------------
+# Input types — shapes of the JSON config files
+# ---------------------------------------------------------------------------
+
+
+@dataclasses.dataclass
+class LinuxConfig:
+    """One entry in linux.json's 'configs' or 'package_configs' arrays."""
+
+    compiler: list[str]
+    build_type: list[str]
+    arch: list[str]
+    sanitizers: list[str] = dataclasses.field(default_factory=list)
+    suffix: str = ""
+    extra_cmake_args: str = ""
+    image: str = ""  # only used by package_configs entries
+    # List of GitHub event names (e.g. "pull_request") on which this config
+    # should NOT run. Empty means it runs on every event.
+    exclude_event_types: list[str] = dataclasses.field(default_factory=list)
+
+
+@dataclasses.dataclass
+class LinuxFile:
+    """Shape of linux.json."""
+
+    image_tag: str
+    configs: dict[str, list[LinuxConfig]]  # distro → configs
+    package_configs: dict[str, list[LinuxConfig]]  # distro → packaging configs
+
+    @classmethod
+    def load(cls, path: Path) -> "LinuxFile":
+        data = json.loads(path.read_text())
+
+        def parse(section: dict) -> dict[str, list[LinuxConfig]]:
+            return {
+                distro: [LinuxConfig(**c) for c in cfgs]
+                for distro, cfgs in section.items()
+            }
+
+        return cls(
+            image_tag=data["image_tag"],
+            configs=parse(data["configs"]),
+            package_configs=parse(data.get("package_configs", {})),
+        )
+
+
+@dataclasses.dataclass
+class PlatformConfig:
+    """One entry in macos.json's or windows.json's 'configs' array."""
+
+    build_type: list[str]
+    build_only: bool = False  # if true, skip tests (e.g. macos/Windows Debug)
+    extra_cmake_args: str = ""
+    # List of GitHub event names (e.g. "pull_request") on which this config
+    # should NOT run. Empty means it runs on every event.
+    exclude_event_types: list[str] = dataclasses.field(default_factory=list)
+
+    def __post_init__(self) -> None:
+        if isinstance(self.build_type, str):
+            self.build_type = [self.build_type]
+
+
+@dataclasses.dataclass
+class PlatformFile:
+    """Shape of macos.json and windows.json."""
+
+    platform: str  # e.g. "macos/arm64" or "windows/amd64"
+    runner: list[str]  # GitHub Actions runner labels
+    configs: list[PlatformConfig]
+
+    @classmethod
+    def load(cls, path: Path) -> "PlatformFile":
+        data = json.loads(path.read_text())
+        return cls(
+            platform=data["platform"],
+            runner=data["runner"],
+            configs=[PlatformConfig(**c) for c in data["configs"]],
+        )
+
+
+# ---------------------------------------------------------------------------
+# Output types — shapes of the generated GitHub Actions matrix entries
+# ---------------------------------------------------------------------------
+
+
+@dataclasses.dataclass
+class Architecture:
+    platform: str
+    runner: list[str]
+
+
+@dataclasses.dataclass
+class MatrixEntry:
+    """One entry in the generated build/test strategy matrix."""
+
+    config_name: str
+    cmake_args: str
+    cmake_target: str
+    build_only: bool
+    build_type: str
+    architecture: Architecture
+    sanitizers: str
+    image: str = ""  # container image; empty for macOS/Windows (runs natively)
+    compiler: str = ""  # compiler name ("gcc" or "clang"); empty for macOS/Windows
+
+
+@dataclasses.dataclass
+class PackagingEntry:
+    """One entry in the generated packaging strategy matrix."""
+
+    artifact_name: str
+    image: str
+    distro: str  # e.g. "debian" or "rhel"; drives package-format-specific steps
+
+
+# ---------------------------------------------------------------------------
+# Matrix expansion
+# ---------------------------------------------------------------------------
+
+_ARCHS: dict[str, Architecture] = {
+    "amd64": Architecture(
+        platform="linux/amd64", runner=["self-hosted", "Linux", "X64", "heavy"]
+    ),
+    "arm64": Architecture(
+        platform="linux/arm64",
+        runner=["self-hosted", "Linux", "ARM64", "heavy-arm64"],
+    ),
+}
+
+
+def expand_linux_matrix(
+    linux: LinuxFile, event: str | None = None
+) -> list[MatrixEntry]:
+    """Expand a LinuxFile into a flat list of matrix entries.
+
+    Each config entry is expanded over the cross-product of its
+    compiler, build_type, sanitizers, and architecture lists. Configs that
+    exclude the current event are skipped.
+    """
+    entries: list[MatrixEntry] = []
+
+    for distro, configs in linux.configs.items():
+        for cfg in configs:
+            if not runs_on_event(cfg.exclude_event_types, event):
+                continue
+            # An empty sanitizers list means "one entry with no sanitizer".
+            effective_sanitizers = cfg.sanitizers or [""]
+            effective_archs = {arch: _ARCHS[arch] for arch in cfg.arch}
+
+            for compiler, build_type, sanitizer, (arch, arch_info) in itertools.product(
+                cfg.compiler,
+                cfg.build_type,
+                effective_sanitizers,
+                effective_archs.items(),
+            ):
+                name = f"{distro}-{compiler}-{build_type.lower()}-{arch}"
+                suffix_parts = [
+                    s for s in [cfg.suffix, _SANITIZER_SUFFIX.get(sanitizer, "")] if s
+                ]
+                if suffix_parts:
+                    name += "-" + "-".join(suffix_parts)
+
+                entries.append(
+                    MatrixEntry(
+                        config_name=name,
+                        image=f"ghcr.io/xrplf/xrpld/nix-{distro}:{linux.image_tag}",
+                        cmake_args=get_cmake_args(build_type, cfg.extra_cmake_args),
+                        cmake_target="all",
+                        build_only=False,
+                        build_type=build_type,
+                        architecture=arch_info,
+                        sanitizers=sanitizer,
+                        compiler=compiler,
+                    )
+                )
+
+    return entries
+
+
+def expand_linux_packaging(linux: LinuxFile) -> list[PackagingEntry]:
+    """Generate the packaging matrix from a LinuxFile's package_configs section.
+
+    Packaging uses vanilla distro images (debian:bookworm, ubi9, …) instead of
+    the nix-based build images, because deb/rpm tooling (debhelper, rpm-build)
+    is taken from the distro's archive rather than from nixpkgs. Each config
+    entry carries its own 'image'.
+    """
+    entries = []
+    for distro, configs in linux.package_configs.items():
+        for cfg in configs:
+            for compiler, build_type in itertools.product(cfg.compiler, cfg.build_type):
+                entries.append(
+                    PackagingEntry(
+                        artifact_name=f"xrpld-{distro}-{compiler}-{build_type.lower()}-amd64",
+                        image=cfg.image,
+                        distro=distro,
+                    )
+                )
+
+    return entries
+
+
+def expand_platform_matrix(
+    pf: PlatformFile, event: str | None = None
+) -> list[MatrixEntry]:
+    """Expand a PlatformFile (macOS or Windows) into matrix entries.
+
+    Configs that exclude the current event are skipped.
+    """
+    platform_name, arch = pf.platform.split("/")
+    is_windows = platform_name == "windows"
+
+    entries: list[MatrixEntry] = []
+    for cfg in pf.configs:
+        if not runs_on_event(cfg.exclude_event_types, event):
+            continue
+        for build_type in cfg.build_type:
+            entries.append(
+                MatrixEntry(
+                    config_name=f"{platform_name}-{arch}-{build_type.lower()}",
+                    cmake_args=get_cmake_args(build_type, cfg.extra_cmake_args),
+                    cmake_target="install" if is_windows else "all",
+                    build_only=cfg.build_only,
+                    build_type=build_type,
+                    architecture=Architecture(platform=pf.platform, runner=pf.runner),
+                    sanitizers="",
+                )
+            )
+    return entries
+
+
+# ---------------------------------------------------------------------------
+# Entry point
+# ---------------------------------------------------------------------------
+
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(
+        description="Generate a CI strategy matrix for all platforms or a specific one."
+    )
+    parser.add_argument(
+        "-c",
+        "--config",
+        help="Platform to generate for ('linux', 'macos', or 'windows'). Defaults to all platforms.",
+        choices=["linux", "macos", "windows"],
+        default=None,
+    )
+    parser.add_argument(
+        "-p",
+        "--packaging",
+        help="Emit the Linux packaging matrix instead of the build/test matrix.",
+        action="store_true",
+    )
+    parser.add_argument(
+        "-e",
+        "--event",
+        help="The GitHub event name that triggered the workflow (e.g. 'push', "
+        "'pull_request'). Configs are filtered by their 'event_type'. If "
+        "omitted, no filtering is applied.",
+        default=None,
+    )
+    args = parser.parse_args()
+
+    matrix: list[MatrixEntry] | list[PackagingEntry] = []
+
+    if args.packaging:
+        matrix = expand_linux_packaging(LinuxFile.load(THIS_DIR / "linux.json"))
+    else:
+        if args.config in ("linux", None):
+            matrix += expand_linux_matrix(
+                LinuxFile.load(THIS_DIR / "linux.json"), args.event
+            )
+        if args.config in ("macos", None):
+            matrix += expand_platform_matrix(
+                PlatformFile.load(THIS_DIR / "macos.json"), args.event
+            )
+        if args.config in ("windows", None):
+            matrix += expand_platform_matrix(
+                PlatformFile.load(THIS_DIR / "windows.json"), args.event
+            )
+
+    print(f"matrix={json.dumps({'include': [dataclasses.asdict(e) for e in matrix]})}")

.github/scripts/strategy-matrix/linux.json

@@ -0,0 +1,84 @@
+{
+  "image_tag": "sha-63ffdc3",
+  "configs": {
+    "ubuntu": [
+      {
+        "compiler": ["gcc", "clang"],
+        "build_type": ["Debug", "Release"],
+        "arch": ["amd64", "arm64"]
+      },
+
+      {
+        "compiler": ["gcc", "clang"],
+        "build_type": ["Debug"],
+        "arch": ["amd64"],
+        "sanitizers": ["address", "undefinedbehavior"]
+      },
+
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Debug"],
+        "arch": ["amd64"],
+        "suffix": "coverage",
+        "extra_cmake_args": "-DUNIT_TEST_REFERENCE_FEE=500 -Dcoverage=ON -Dcoverage_format=xml -DCODE_COVERAGE_VERBOSE=ON -DCMAKE_C_FLAGS=-O0 -DCMAKE_CXX_FLAGS=-O0"
+      },
+      {
+        "compiler": ["clang"],
+        "build_type": ["Debug"],
+        "arch": ["amd64"],
+        "suffix": "voidstar",
+        "extra_cmake_args": "-Dvoidstar=ON"
+      },
+      {
+        "compiler": ["clang"],
+        "build_type": ["Release"],
+        "arch": ["amd64"],
+        "suffix": "reffee",
+        "extra_cmake_args": "-DUNIT_TEST_REFERENCE_FEE=1000"
+      },
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Debug"],
+        "arch": ["amd64"],
+        "suffix": "unity",
+        "extra_cmake_args": "-Dunity=ON",
+        "exclude_event_types": ["pull_request"]
+      }
+    ],
+
+    "debian": [
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Release"],
+        "arch": ["amd64"]
+      }
+    ],
+
+    "rhel": [
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Release"],
+        "arch": ["amd64"]
+      }
+    ]
+  },
+  "package_configs": {
+    "debian": [
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Release"],
+        "arch": ["amd64"],
+        "image": "ghcr.io/xrplf/xrpld/packaging-debian:sha-63ffdc3"
+      }
+    ],
+
+    "rhel": [
+      {
+        "compiler": ["gcc"],
+        "build_type": ["Release"],
+        "arch": ["amd64"],
+        "image": "ghcr.io/xrplf/xrpld/packaging-rhel:sha-63ffdc3"
+      }
+    ]
+  }
+}

.github/scripts/strategy-matrix/macos.json

@@ -0,0 +1,16 @@
+{
+  "platform": "macos/arm64",
+  "runner": ["self-hosted", "macOS", "ARM64", "mac-runner-m1"],
+  "configs": [
+    {
+      "build_type": "Release",
+      "extra_cmake_args": "-DCMAKE_POLICY_VERSION_MINIMUM=3.5"
+    },
+    {
+      "build_type": "Debug",
+      "extra_cmake_args": "-DCMAKE_POLICY_VERSION_MINIMUM=3.5",
+      "build_only": true,
+      "exclude_event_types": ["pull_request"]
+    }
+  ]
+}

.github/scripts/strategy-matrix/windows.json

@@ -0,0 +1,12 @@
+{
+  "platform": "windows/amd64",
+  "runner": ["self-hosted", "Windows", "devbox"],
+  "configs": [
+    { "build_type": "Release" },
+    {
+      "build_type": "Debug",
+      "build_only": true,
+      "exclude_event_types": ["pull_request"]
+    }
+  ]
+}

.github/workflows/build-nix-images.yml

@@ -0,0 +1,54 @@
+name: Build Nix Docker images
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - ".github/workflows/build-nix-images.yml"
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/**"
+  pull_request:
+    paths:
+      - ".github/workflows/build-nix-images.yml"
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/**"
+  workflow_dispatch:
+
+concurrency:
+  # Read `on-trigger.yml` for the rationale behind this concurrency group name.
+  group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' && github.sha || github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build-merge:
+    name: Build and push nix-${{ matrix.distro.name }}
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        # The base images are the oldest supported version of each distro
+        # that we want to build images for.
+        distro:
+          - name: nixos
+            base_image: nixos/nix:latest
+          - name: ubuntu
+            base_image: ubuntu:20.04
+          - name: debian
+            base_image: debian:bookworm
+          - name: rhel
+            base_image: registry.access.redhat.com/ubi9/ubi:latest
+    uses: XRPLF/actions/.github/workflows/build-multiarch-image.yml@c1b480188519e0cad040e6aa70db1cbc5a797e07
+    with:
+      image_name: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro.name }}
+      dockerfile: nix/docker/Dockerfile
+      base_image: ${{ matrix.distro.base_image }}
+      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}

.github/workflows/build-packaging-images.yml

@@ -0,0 +1,46 @@
+name: Build packaging Docker images
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - ".github/workflows/build-packaging-images.yml"
+      - "package/Dockerfile"
+      - "package/install-packaging-tools.sh"
+  pull_request:
+    paths:
+      - ".github/workflows/build-packaging-images.yml"
+      - "package/Dockerfile"
+      - "package/install-packaging-tools.sh"
+  workflow_dispatch:
+
+concurrency:
+  # Read `on-trigger.yml` for the rationale behind this concurrency group name.
+  group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' && github.sha || github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build-merge:
+    name: Build and push packaging-${{ matrix.distro.name }}
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        distro:
+          - name: debian
+            base_image: debian:bookworm
+          - name: rhel
+            base_image: registry.access.redhat.com/ubi9/ubi:latest
+    uses: XRPLF/actions/.github/workflows/build-multiarch-image.yml@c1b480188519e0cad040e6aa70db1cbc5a797e07
+    with:
+      image_name: ghcr.io/xrplf/xrpld/packaging-${{ matrix.distro.name }}
+      dockerfile: package/Dockerfile
+      base_image: ${{ matrix.distro.base_image }}
+      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}

.github/workflows/check-pr-commits.yml

@@ -0,0 +1,13 @@
+name: Check PR commits
+
+on:
+  pull_request_target:
+
+# The action needs to have write permissions to post comments on the PR.
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  check_commits:
+    uses: XRPLF/actions/.github/workflows/check-pr-commits.yml@e2c7f400d1e85ae65dad552fd425169fbacca4a3

.github/workflows/check-pr-description.yml

@@ -0,0 +1,39 @@
+name: Check PR description
+
+on:
+  merge_group:
+    types:
+      - checks_requested
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - develop
+      - "release-*"
+      - "release/*"
+      - "staging/*"
+
+jobs:
+  check_description:
+    if: ${{ github.event.pull_request.draft != true }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Write PR body to file
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        if: ${{ github.event_name == 'pull_request' }}
+        run: printenv PR_BODY >pr_body.md
+
+      - name: Check PR description differs from template
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          python .github/scripts/check-pr-description.py \
+              --template-file .github/pull_request_template.md \
+              --pr-body-file pr_body.md

.github/workflows/check-pr-title.yml

@@ -0,0 +1,23 @@
+name: Check PR title
+
+on:
+  merge_group:
+    types:
+      - checks_requested
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - develop
+      - "release-*"
+      - "release/*"
+      - "staging/*"
+
+jobs:
+  check_title:
+    if: ${{ github.event.pull_request.draft != true }}
+    uses: XRPLF/actions/.github/workflows/check-pr-title.yml@cba1f0891650baf1a9c88624dc2d72573be2eb81

.github/workflows/clang-format.yml

@@ -1,59 +0,0 @@
-name: clang-format
-
-on: [push, pull_request]
-
-jobs:
-  check:
-    runs-on: ubuntu-24.04
-    env:
-      CLANG_VERSION: 18
-    steps:
-    - uses: actions/checkout@v4
-    - name: Install clang-format
-      run: |
-        codename=$( lsb_release --codename --short )
-        sudo tee /etc/apt/sources.list.d/llvm.list >/dev/null <<EOF
-        deb http://apt.llvm.org/${codename}/ llvm-toolchain-${codename}-${CLANG_VERSION} main
-        deb-src http://apt.llvm.org/${codename}/ llvm-toolchain-${codename}-${CLANG_VERSION} main
-        EOF
-        wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add
-        sudo apt-get update
-        sudo apt-get install clang-format-${CLANG_VERSION}
-    - name: Format first-party sources
-      run: find include src -type f \( -name '*.cpp' -o -name '*.hpp' -o -name '*.h' -o -name '*.ipp' \) -exec clang-format-${CLANG_VERSION} -i {} +
-    - name: Check for differences
-      id: assert
-      run: |
-        set -o pipefail
-        git diff --exit-code | tee "clang-format.patch"
-    - name: Upload patch
-      if: failure() && steps.assert.outcome == 'failure'
-      uses: actions/upload-artifact@v3
-      continue-on-error: true
-      with:
-        name: clang-format.patch
-        if-no-files-found: ignore
-        path: clang-format.patch
-    - name: What happened?
-      if: failure() && steps.assert.outcome == 'failure'
-      env:
-        PREAMBLE: |
-          If you are reading this, you are looking at a failed Github Actions
-          job.  That means you pushed one or more files that did not conform
-          to the formatting specified in .clang-format. That may be because
-          you neglected to run 'git clang-format' or 'clang-format' before
-          committing, or that your version of clang-format has an
-          incompatibility with the one on this
-          machine, which is:
-        SUGGESTION: |
-
-          To fix it, you can do one of two things:
-          1. Download and apply the patch generated as an artifact of this
-             job to your repo, commit, and push.
-          2. Run 'git-clang-format --extensions cpp,h,hpp,ipp develop'
-             in your repo, commit, and push.
-      run: |
-        echo "${PREAMBLE}"
-        clang-format-${CLANG_VERSION} --version
-        echo "${SUGGESTION}"
-        exit 1

.github/workflows/conflicting-pr.yml

@@ -0,0 +1,25 @@
+name: Label PRs with merge conflicts
+
+on:
+  # So that PRs touching the same files as the push are updated.
+  push:
+  # So that the `dirtyLabel` is removed if conflicts are resolved.
+  # We recommend `pull_request_target` so that github secrets are available.
+  # In `pull_request` we wouldn't be able to change labels of fork PRs.
+  pull_request_target:
+    types: [synchronize]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if PRs are dirty
+        uses: eps1lon/actions-label-merge-conflict@0273be72a0bbd58fcd71d0d6c02c209b50d1e5e1 # v3.1.0
+        with:
+          dirtyLabel: "PR: has conflicts"
+          repoToken: "${{ secrets.GITHUB_TOKEN }}"
+          commentOnDirty: "This PR has conflicts, please resolve them in order for the PR to be reviewed."
+          commentOnClean: "All conflicts have been resolved. Assigned reviewers can now start or resume their review."

.github/workflows/doxygen.yml

@@ -1,37 +0,0 @@
-name: Build and publish Doxygen documentation
-# To test this workflow, push your changes to your fork's `develop` branch.
-on:
-  push:
-    branches:
-      - develop
-      - doxygen
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-    container: rippleci/rippled-build-ubuntu:aaf5e3e
-    steps:
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: check environment
-        run: |
-          echo ${PATH} | tr ':' '\n'
-          cmake --version
-          doxygen --version
-          env | sort
-      - name: build
-        run: |
-          mkdir build
-          cd build
-          cmake -Donly_docs=TRUE ..
-          cmake --build . --target docs --parallel $(nproc)
-      - name: publish
-        uses: peaceiris/actions-gh-pages@v3
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: build/docs/html

.github/workflows/instrumentation.yml

@@ -1,103 +0,0 @@
-name: instrumentation
-on:
-  pull_request:
-  push:
-    # If the branches list is ever changed, be sure to change it on all
-    # build/test jobs (nix, macos, windows, instrumentation)
-    branches:
-      # Always build the package branches
-      - develop
-      - release
-      - master
-      # Branches that opt-in to running
-      - 'ci/**'
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-
-  # NOTE we are not using dependencies built inside nix because nix is lagging
-  # with compiler versions. Instrumentation requires clang version 16 or later
-
-  instrumentation-build:
-    env:
-      CLANG_RELEASE: 16
-    strategy:
-      fail-fast: false
-    runs-on: [self-hosted, heavy]
-    container: debian:bookworm
-    steps:
-        - name: install prerequisites
-          env:
-            DEBIAN_FRONTEND: noninteractive
-          run: |
-            apt-get update
-            apt-get install --yes --no-install-recommends \
-              clang-${CLANG_RELEASE} clang++-${CLANG_RELEASE} \
-              python3-pip python-is-python3 make cmake git wget
-            apt-get clean
-            update-alternatives --install \
-              /usr/bin/clang clang /usr/bin/clang-${CLANG_RELEASE} 100 \
-              --slave /usr/bin/clang++ clang++ /usr/bin/clang++-${CLANG_RELEASE}
-            update-alternatives --auto clang
-            pip install --no-cache --break-system-packages "conan<2"
-
-        - name: checkout
-          uses: actions/checkout@v4
-
-        - name: prepare environment
-          run: |
-            mkdir ${GITHUB_WORKSPACE}/.build
-            echo "SOURCE_DIR=$GITHUB_WORKSPACE" >> $GITHUB_ENV
-            echo "BUILD_DIR=$GITHUB_WORKSPACE/.build" >> $GITHUB_ENV
-            echo "CC=/usr/bin/clang" >> $GITHUB_ENV
-            echo "CXX=/usr/bin/clang++" >> $GITHUB_ENV
-
-        - name: configure Conan
-          run: |
-            conan profile new --detect default
-            conan profile update settings.compiler=clang default
-            conan profile update settings.compiler.version=${CLANG_RELEASE} default
-            conan profile update settings.compiler.libcxx=libstdc++11 default
-            conan profile update settings.compiler.cppstd=20 default
-            conan profile update options.rocksdb=False default
-            conan profile update \
-              'conf.tools.build:compiler_executables={"c": "/usr/bin/clang", "cpp": "/usr/bin/clang++"}' default
-            conan profile update 'env.CXXFLAGS="-DBOOST_ASIO_DISABLE_CONCEPTS"' default
-            conan profile update 'conf.tools.build:cxxflags+=["-DBOOST_ASIO_DISABLE_CONCEPTS"]' default
-            conan export external/snappy snappy/1.1.10@
-            conan export external/soci soci/4.0.3@
-
-        - name: build dependencies
-          run: |
-            cd ${BUILD_DIR}
-            conan install ${SOURCE_DIR} \
-              --output-folder ${BUILD_DIR} \
-              --install-folder ${BUILD_DIR} \
-              --build missing \
-              --settings build_type=Debug
-
-        - name: build with instrumentation
-          run: |
-            cd ${BUILD_DIR}
-            cmake -S ${SOURCE_DIR} -B ${BUILD_DIR} \
-              -Dvoidstar=ON \
-              -Dtests=ON \
-              -Dxrpld=ON \
-              -DCMAKE_BUILD_TYPE=Debug \
-              -DSECP256K1_BUILD_BENCHMARK=OFF \
-              -DSECP256K1_BUILD_TESTS=OFF \
-              -DSECP256K1_BUILD_EXHAUSTIVE_TESTS=OFF \
-              -DCMAKE_TOOLCHAIN_FILE=${BUILD_DIR}/build/generators/conan_toolchain.cmake
-            cmake --build .  --parallel $(nproc)
-
-        - name: verify instrumentation enabled
-          run: |
-            cd ${BUILD_DIR}
-            ./rippled --version | grep libvoidstar
-
-        - name: run unit tests
-          run: |
-            cd ${BUILD_DIR}
-            ./rippled -u --unittest-jobs $(( $(nproc)/4 ))

.github/workflows/levelization.yml

@@ -1,49 +0,0 @@
-name: levelization
-
-on: [push, pull_request]
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    env:
-      CLANG_VERSION: 10
-    steps:
-    - uses: actions/checkout@v4
-    - name: Check levelization
-      run: Builds/levelization/levelization.sh
-    - name: Check for differences
-      id: assert
-      run: |
-        set -o pipefail
-        git diff --exit-code | tee "levelization.patch"
-    - name: Upload patch
-      if: failure() && steps.assert.outcome == 'failure'
-      uses: actions/upload-artifact@v3
-      continue-on-error: true
-      with:
-        name: levelization.patch
-        if-no-files-found: ignore
-        path: levelization.patch
-    - name: What happened?
-      if: failure() && steps.assert.outcome == 'failure'
-      env:
-        MESSAGE: |
-          If you are reading this, you are looking at a failed Github
-          Actions job. That means you changed the dependency relationships
-          between the modules in rippled. That may be an improvement or a
-          regression. This check doesn't judge.
-
-          A rule of thumb, though, is that if your changes caused
-          something to be removed from loops.txt, that's probably an
-          improvement. If something was added, it's probably a regression.
-
-          To fix it, you can do one of two things:
-          1. Download and apply the patch generated as an artifact of this
-             job to your repo, commit, and push.
-          2. Run './Builds/levelization/levelization.sh' in your repo,
-             commit, and push.
-
-          See Builds/levelization/README.md for more info.
-      run: |
-        echo "${MESSAGE}"
-        exit 1

.github/workflows/libxrpl.yml

@@ -1,88 +0,0 @@
-name: Check libXRPL compatibility with Clio
-env:
-  CONAN_URL: http://18.143.149.228:8081/artifactory/api/conan/conan-non-prod
-  CONAN_LOGIN_USERNAME_RIPPLE: ${{ secrets.CONAN_USERNAME }}
-  CONAN_PASSWORD_RIPPLE: ${{ secrets.CONAN_TOKEN }}
-on:
-  pull_request:
-    paths:
-      - 'src/libxrpl/protocol/BuildInfo.cpp'
-      - '.github/workflows/libxrpl.yml'
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  publish:
-    name: Publish libXRPL
-    outputs:
-      outcome: ${{ steps.upload.outputs.outcome }}
-      version: ${{ steps.version.outputs.version }}
-      channel: ${{ steps.channel.outputs.channel }}
-    runs-on: [self-hosted, heavy]
-    container: rippleci/rippled-build-ubuntu:aaf5e3e
-    steps:
-      - name: Wait for essential checks to succeed
-        uses: lewagon/wait-on-check-action@v1.3.4
-        with:
-          ref: ${{ github.event.pull_request.head.sha || github.sha }}
-          running-workflow-name: wait-for-check-regexp
-          check-regexp: '(dependencies|test).*linux.*' # Ignore windows and mac tests but make sure linux passes
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-          wait-interval: 10
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Generate channel
-        id: channel
-        shell: bash
-        run: |
-          echo channel="clio/pr_${{ github.event.pull_request.number }}" | tee ${GITHUB_OUTPUT}
-      - name: Export new package
-        shell: bash
-        run: |
-          conan export . ${{ steps.channel.outputs.channel }}
-      - name: Add Ripple Conan remote
-        shell: bash
-        run: |
-          conan remote list
-          conan remote remove ripple || true
-          # Do not quote the URL. An empty string will be accepted (with a non-fatal warning), but a missing argument will not.
-          conan remote add ripple ${{ env.CONAN_URL }} --insert 0
-      - name: Parse new version
-        id: version
-        shell: bash
-        run: |
-          echo version="$(cat src/libxrpl/protocol/BuildInfo.cpp | grep "versionString =" \
-            | awk -F '"' '{print $2}')" | tee ${GITHUB_OUTPUT}
-      - name: Try to authenticate to Ripple Conan remote
-        id: remote
-        shell: bash
-        run: |
-          # `conan user` implicitly uses the environment variables CONAN_LOGIN_USERNAME_<REMOTE> and CONAN_PASSWORD_<REMOTE>.
-          # https://docs.conan.io/1/reference/commands/misc/user.html#using-environment-variables
-          # https://docs.conan.io/1/reference/env_vars.html#conan-login-username-conan-login-username-remote-name
-          # https://docs.conan.io/1/reference/env_vars.html#conan-password-conan-password-remote-name
-          echo outcome=$(conan user --remote ripple --password >&2 \
-            && echo success || echo failure) | tee ${GITHUB_OUTPUT}
-      - name: Upload new package
-        id: upload
-        if: (steps.remote.outputs.outcome == 'success')
-        shell: bash
-        run: |
-          echo "conan upload version ${{ steps.version.outputs.version }} on channel ${{ steps.channel.outputs.channel }}"
-          echo outcome=$(conan upload xrpl/${{ steps.version.outputs.version }}@${{ steps.channel.outputs.channel }} --remote ripple --confirm >&2 \
-            && echo success || echo failure) | tee ${GITHUB_OUTPUT}
-  notify_clio:
-    name: Notify Clio
-    runs-on: ubuntu-latest
-    needs: publish
-    env:
-      GH_TOKEN: ${{ secrets.CLIO_NOTIFY_TOKEN }}
-    steps:
-      - name: Notify Clio about new version
-        if: (needs.publish.outputs.outcome == 'success')
-        shell: bash
-        run: |
-          gh api --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
-          /repos/xrplf/clio/dispatches -f "event_type=check_libxrpl" \
-          -F "client_payload[version]=${{ needs.publish.outputs.version }}@${{ needs.publish.outputs.channel }}"

.github/workflows/macos.yml

@@ -1,71 +0,0 @@
-name: macos
-on:
-  pull_request:
-  push:
-    # If the branches list is ever changed, be sure to change it on all
-    # build/test jobs (nix, macos, windows, instrumentation)
-    branches:
-      # Always build the package branches
-      - develop
-      - release
-      - master
-      # Branches that opt-in to running
-      - 'ci/**'
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-
-  test:
-    strategy:
-      matrix:
-        platform:
-          - macos
-        generator:
-          - Ninja
-        configuration:
-          - Release
-    runs-on: [self-hosted, macOS]
-    env:
-      # The `build` action requires these variables.
-      build_dir: .build
-      NUM_PROCESSORS: 12
-    steps:
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: install Conan
-        run: |
-          brew install conan@1
-          echo '/opt/homebrew/opt/conan@1/bin' >> $GITHUB_PATH
-      - name: install Ninja
-        if: matrix.generator == 'Ninja'
-        run: brew install ninja
-      - name: check environment
-        run: |
-          env | sort
-          echo ${PATH} | tr ':' '\n'
-          python --version
-          conan --version
-          cmake --version
-      - name: configure Conan
-        run : |
-          conan profile new default --detect || true
-          conan profile update settings.compiler.cppstd=20 default
-          conan profile update 'conf.tools.build:cxxflags+=["-DBOOST_ASIO_DISABLE_CONCEPTS"]' default
-      - name: build dependencies
-        uses: ./.github/actions/dependencies
-        env:
-          CONAN_URL: http://18.143.149.228:8081/artifactory/api/conan/conan-non-prod
-          CONAN_LOGIN_USERNAME_RIPPLE: ${{ secrets.CONAN_USERNAME }}
-          CONAN_PASSWORD_RIPPLE: ${{ secrets.CONAN_TOKEN }}
-        with:
-          configuration: ${{ matrix.configuration }}
-      - name: build
-        uses: ./.github/actions/build
-        with:
-          generator: ${{ matrix.generator }}
-          configuration: ${{ matrix.configuration }}
-      - name: test
-        run: |
-          ${build_dir}/rippled --unittest

.github/workflows/nix.yml

@@ -1,284 +0,0 @@
-name: nix
-on:
-  pull_request:
-  push:
-    # If the branches list is ever changed, be sure to change it on all
-    # build/test jobs (nix, macos, windows, instrumentation)
-    branches:
-      # Always build the package branches
-      - develop
-      - release
-      - master
-      # Branches that opt-in to running
-      - 'ci/**'
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-# This workflow has two job matrixes.
-# They can be considered phases because the second matrix ("test")
-# depends on the first ("dependencies").
-#
-# The first phase has a job in the matrix for each combination of
-# variables that affects dependency ABI:
-# platform, compiler, and configuration.
-# It creates a GitHub artifact holding the Conan profile,
-# and builds and caches binaries for all the dependencies.
-# If an Artifactory remote is configured, they are cached there.
-# If not, they are added to the GitHub artifact.
-# GitHub's "cache" action has a size limit (10 GB) that is too small
-# to hold the binaries if they are built locally.
-# We must use the "{upload,download}-artifact" actions instead.
-#
-# The second phase has a job in the matrix for each test configuration.
-# It installs dependency binaries from the cache, whichever was used,
-# and builds and tests rippled.
-
-jobs:
-
-  dependencies:
-    strategy:
-      fail-fast: false
-      matrix:
-        platform:
-          - linux
-        compiler:
-          - gcc
-          - clang
-        configuration:
-          - Debug
-          - Release
-        include:
-          - compiler: gcc
-            profile:
-              version: 11
-              cc: /usr/bin/gcc
-              cxx: /usr/bin/g++
-          - compiler: clang
-            profile:
-              version: 14
-              cc: /usr/bin/clang-14
-              cxx: /usr/bin/clang++-14
-    runs-on: [self-hosted, heavy]
-    container: rippleci/rippled-build-ubuntu:aaf5e3e
-    env:
-      build_dir: .build
-    steps:
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: check environment
-        run: |
-          echo ${PATH} | tr ':' '\n'
-          conan --version
-          cmake --version
-          env | sort
-      - name: configure Conan
-        run: |
-          conan profile new default --detect
-          conan profile update settings.compiler.cppstd=20 default
-          conan profile update settings.compiler=${{ matrix.compiler }} default
-          conan profile update settings.compiler.version=${{ matrix.profile.version }} default
-          conan profile update settings.compiler.libcxx=libstdc++11 default
-          conan profile update env.CC=${{ matrix.profile.cc }} default
-          conan profile update env.CXX=${{ matrix.profile.cxx }} default
-          conan profile update conf.tools.build:compiler_executables='{"c": "${{ matrix.profile.cc }}", "cpp": "${{ matrix.profile.cxx }}"}' default
-      - name: archive profile
-        # Create this archive before dependencies are added to the local cache.
-        run: tar -czf conan.tar -C ~/.conan .
-      - name: build dependencies
-        uses: ./.github/actions/dependencies
-        env:
-          CONAN_URL: http://18.143.149.228:8081/artifactory/api/conan/conan-non-prod
-          CONAN_LOGIN_USERNAME_RIPPLE: ${{ secrets.CONAN_USERNAME }}
-          CONAN_PASSWORD_RIPPLE: ${{ secrets.CONAN_TOKEN }}
-        with:
-          configuration: ${{ matrix.configuration }}
-      - name: upload archive
-        uses: actions/upload-artifact@v3
-        with:
-          name: ${{ matrix.platform }}-${{ matrix.compiler }}-${{ matrix.configuration }}
-          path: conan.tar
-          if-no-files-found: error
-
-
-  test:
-    strategy:
-      fail-fast: false
-      matrix:
-        platform:
-          - linux
-        compiler:
-          - gcc
-          - clang
-        configuration:
-          - Debug
-          - Release
-        cmake-args:
-          -
-          - "-Dunity=ON"
-    needs: dependencies
-    runs-on: [self-hosted, heavy]
-    container: rippleci/rippled-build-ubuntu:aaf5e3e
-    env:
-      build_dir: .build
-    steps:
-      - name: download cache
-        uses: actions/download-artifact@v3
-        with:
-          name: ${{ matrix.platform }}-${{ matrix.compiler }}-${{ matrix.configuration }}
-      - name: extract cache
-        run: |
-          mkdir -p ~/.conan
-          tar -xzf conan.tar -C ~/.conan
-      - name: check environment
-        run: |
-          env | sort
-          echo ${PATH} | tr ':' '\n'
-          conan --version
-          cmake --version
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: dependencies
-        uses: ./.github/actions/dependencies
-        env:
-          CONAN_URL: http://18.143.149.228:8081/artifactory/api/conan/conan-non-prod
-        with:
-          configuration: ${{ matrix.configuration }}
-      - name: build
-        uses: ./.github/actions/build
-        with:
-          generator: Ninja
-          configuration: ${{ matrix.configuration }}
-          cmake-args: ${{ matrix.cmake-args }}
-      - name: test
-        run: |
-          ${build_dir}/rippled --unittest --unittest-jobs $(nproc)
-
-
-  coverage:
-    strategy:
-      fail-fast: false
-      matrix:
-        platform:
-          - linux
-        compiler:
-          - gcc
-        configuration:
-          - Debug
-    needs: dependencies
-    runs-on: [self-hosted, heavy]
-    container: rippleci/rippled-build-ubuntu:aaf5e3e
-    env:
-      build_dir: .build
-    steps:
-      - name: download cache
-        uses: actions/download-artifact@v3
-        with:
-          name: ${{ matrix.platform }}-${{ matrix.compiler }}-${{ matrix.configuration }}
-      - name: extract cache
-        run: |
-          mkdir -p ~/.conan
-          tar -xzf conan.tar -C ~/.conan
-      - name: install gcovr
-        run: pip install "gcovr>=7,<8"
-      - name: check environment
-        run: |
-          echo ${PATH} | tr ':' '\n'
-          conan --version
-          cmake --version
-          gcovr --version
-          env | sort
-          ls ~/.conan
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: dependencies
-        uses: ./.github/actions/dependencies
-        env:
-          CONAN_URL: http://18.143.149.228:8081/artifactory/api/conan/conan-non-prod
-        with:
-          configuration: ${{ matrix.configuration }}
-      - name: build
-        uses: ./.github/actions/build
-        with:
-          generator: Ninja
-          configuration: ${{ matrix.configuration }}
-          cmake-args: >-
-            -Dcoverage=ON
-            -Dcoverage_format=xml
-            -DCODE_COVERAGE_VERBOSE=ON
-            -DCMAKE_CXX_FLAGS="-O0"
-            -DCMAKE_C_FLAGS="-O0"
-          cmake-target: coverage
-      - name: move coverage report
-        shell: bash
-        run: |
-          mv "${build_dir}/coverage.xml" ./
-      - name: archive coverage report
-        uses: actions/upload-artifact@v3
-        with:
-          name: coverage.xml
-          path: coverage.xml
-          retention-days: 30
-      - name: upload coverage report
-        uses: wandalen/wretry.action@v1.4.10
-        with:
-          action: codecov/codecov-action@v4.5.0
-          with: |
-            files: coverage.xml
-            fail_ci_if_error: true
-            disable_search: true
-            verbose: true
-            plugin: noop
-            token: ${{ secrets.CODECOV_TOKEN }}
-          attempt_limit: 5
-          attempt_delay: 210000 # in milliseconds
-
-  conan:
-    needs: dependencies
-    runs-on: [self-hosted, heavy]
-    container: rippleci/rippled-build-ubuntu:aaf5e3e
-    env:
-      build_dir: .build
-      configuration: Release
-    steps:
-      - name: download cache
-        uses: actions/download-artifact@v3
-        with:
-          name: linux-gcc-${{ env.configuration }}
-      - name: extract cache
-        run: |
-          mkdir -p ~/.conan
-          tar -xzf conan.tar -C ~/.conan
-      - name: check environment
-        run: |
-          env | sort
-          echo ${PATH} | tr ':' '\n'
-          conan --version
-          cmake --version
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: dependencies
-        uses: ./.github/actions/dependencies
-        env:
-          CONAN_URL: http://18.143.149.228:8081/artifactory/api/conan/conan-non-prod
-        with:
-          configuration: ${{ env.configuration }}
-      - name: export
-        run: |
-          version=$(conan inspect --raw version .)
-          reference="xrpl/${version}@local/test"
-          conan remove -f ${reference} || true
-          conan export . local/test
-          echo "reference=${reference}" >> "${GITHUB_ENV}"
-      - name: build
-        run: |
-          cd examples/example
-          mkdir ${build_dir}
-          cd ${build_dir}
-          conan install .. --output-folder . \
-            --require-override ${reference} --build missing
-          cmake .. \
-            -DCMAKE_TOOLCHAIN_FILE:FILEPATH=./build/${configuration}/generators/conan_toolchain.cmake \
-            -DCMAKE_BUILD_TYPE=${configuration}
-          cmake --build .
-          ./example | grep '^[[:digit:]]\+\.[[:digit:]]\+\.[[:digit:]]\+'

.github/workflows/on-pr.yml

@@ -0,0 +1,196 @@
+# This workflow runs all workflows to check, build and test the project on
+# various Linux flavors, as well as on MacOS and Windows, on every push to a
+# user branch. However, it will not run if the pull request is a draft unless it
+# has the 'DraftRunCI' label. For commits to PRs that target a release branch,
+# it also uploads the libxrpl recipe to the Conan remote.
+name: PR
+
+on:
+  merge_group:
+    types:
+      - checks_requested
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  # This job determines whether the rest of the workflow should run. It runs
+  # when the PR is not a draft (which should also cover merge-group) or
+  # has the 'DraftRunCI' label.
+  should-run:
+    if: ${{ !github.event.pull_request.draft || contains(github.event.pull_request.labels.*.name, 'DraftRunCI') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: Determine changed files
+        # This step checks whether any files have changed that should
+        # cause the next jobs to run. We do it this way rather than
+        # using `paths` in the `on:` section, because all required
+        # checks must pass, even for changes that do not modify anything
+        # that affects those checks. We would therefore like to make the
+        # checks required only if the job runs, but GitHub does not
+        # support that directly. By always executing the workflow on new
+        # commits and by using the changed-files action below, we ensure
+        # that Github considers any skipped jobs to have passed, and in
+        # turn the required checks as well.
+        id: changes
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
+        with:
+          files: |
+            # These paths are unique to `on-pr.yml`.
+            .github/scripts/levelization/**
+            .github/scripts/otel-naming/**
+            .github/scripts/rename/**
+            .github/workflows/reusable-check-levelization.yml
+            .github/workflows/reusable-check-otel-naming.yml
+            .github/workflows/reusable-check-rename.yml
+            .github/workflows/on-pr.yml
+
+            # Keep the paths below in sync with those in `on-trigger.yml`.
+            .github/actions/build-deps/**
+            .github/actions/generate-version/**
+            .github/actions/setup-conan/**
+            .github/scripts/strategy-matrix/**
+            .github/workflows/reusable-build-test-config.yml
+            .github/workflows/reusable-build-test.yml
+            .github/workflows/reusable-clang-tidy.yml
+            .github/workflows/reusable-package.yml
+            .github/workflows/reusable-strategy-matrix.yml
+            .github/workflows/reusable-test.yml
+            .github/workflows/reusable-upload-recipe.yml
+            .clang-tidy
+            .codecov.yml
+            cfg/**
+            cmake/**
+            conan/**
+            external/**
+            include/**
+            src/**
+            tests/**
+            CMakeLists.txt
+            conanfile.py
+            conan.lock
+            LICENSE.md
+            package/**
+            README.md
+
+      - name: Check whether to run
+        # This step determines whether the rest of the workflow should
+        # run. The rest of the workflow will run if this job runs AND at
+        # least one of:
+        # * Any of the files checked in the `changes` step were modified
+        # * The PR is NOT a draft and is labeled "Ready to merge"
+        # * The workflow is running from the merge queue
+        id: go
+        env:
+          FILES: ${{ steps.changes.outputs.any_changed }}
+          DRAFT: ${{ github.event.pull_request.draft }}
+          READY: ${{ contains(github.event.pull_request.labels.*.name, 'Ready to merge') }}
+          MERGE: ${{ github.event_name == 'merge_group' }}
+        run: |
+          echo "go=${{ (env.DRAFT != 'true' && env.READY == 'true') || env.FILES == 'true' || env.MERGE == 'true' }}" >>"${GITHUB_OUTPUT}"
+          cat "${GITHUB_OUTPUT}"
+    outputs:
+      go: ${{ steps.go.outputs.go == 'true' }}
+
+  check-levelization:
+    needs: should-run
+    if: ${{ needs.should-run.outputs.go == 'true' }}
+    uses: ./.github/workflows/reusable-check-levelization.yml
+
+  check-otel-naming:
+    needs: should-run
+    if: ${{ needs.should-run.outputs.go == 'true' }}
+    uses: ./.github/workflows/reusable-check-otel-naming.yml
+
+  check-rename:
+    needs: should-run
+    if: ${{ needs.should-run.outputs.go == 'true' }}
+    uses: ./.github/workflows/reusable-check-rename.yml
+
+  clang-tidy:
+    needs: should-run
+    if: ${{ needs.should-run.outputs.go == 'true' }}
+    uses: ./.github/workflows/reusable-clang-tidy.yml
+    permissions:
+      issues: write
+      contents: read
+    with:
+      check_only_changed: true
+      create_issue_on_failure: false
+
+  build-test:
+    needs: should-run
+    if: ${{ needs.should-run.outputs.go == 'true' }}
+    uses: ./.github/workflows/reusable-build-test.yml
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [linux, macos, windows]
+    with:
+      # Enable ccache only for events targeting the XRPLF repository, since
+      # other accounts will not have access to our remote cache storage.
+      ccache_enabled: ${{ github.repository_owner == 'XRPLF' }}
+      os: ${{ matrix.os }}
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+  package:
+    needs: [should-run, build-test]
+    if: ${{ needs.should-run.outputs.go == 'true' }}
+    uses: ./.github/workflows/reusable-package.yml
+
+  upload-recipe:
+    needs:
+      - should-run
+      - build-test
+    # Only run when committing to a PR that targets a release branch.
+    if: ${{ github.repository == 'XRPLF/rippled' && needs.should-run.outputs.go == 'true' && github.event_name == 'pull_request' && startsWith(github.event.pull_request.base.ref, 'release') }}
+    uses: ./.github/workflows/reusable-upload-recipe.yml
+    secrets:
+      remote_username: ${{ secrets.CONAN_REMOTE_USERNAME }}
+      remote_password: ${{ secrets.CONAN_REMOTE_PASSWORD }}
+
+  notify-clio:
+    needs: upload-recipe
+    runs-on: ubuntu-latest
+    steps:
+      # Notify the Clio repository about the newly proposed release version, so
+      # it can be checked for compatibility before the release is actually made.
+      - name: Notify Clio
+        env:
+          GH_TOKEN: ${{ secrets.CLIO_NOTIFY_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh api --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
+              /repos/xrplf/clio/dispatches -f "event_type=check_libxrpl" \
+              -F "client_payload[ref]=${{ needs.upload-recipe.outputs.recipe_ref }}" \
+              -F "client_payload[pr_url]=${PR_URL}"
+
+  passed:
+    if: failure() || cancelled()
+    needs:
+      - check-levelization
+      - check-otel-naming
+      - check-rename
+      - clang-tidy
+      - build-test
+      - package
+      - upload-recipe
+      - notify-clio
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fail
+        run: exit 1

.github/workflows/on-tag.yml

@@ -0,0 +1,42 @@
+# This workflow uploads the libxrpl recipe to the Conan remote and builds
+# release packages when a versioned tag is pushed.
+name: Tag
+
+on:
+  push:
+    tags:
+      - "[0-9]+.[0-9]+.[0-9]*"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  upload-recipe:
+    if: ${{ github.repository == 'XRPLF/rippled' }}
+    uses: ./.github/workflows/reusable-upload-recipe.yml
+    secrets:
+      remote_username: ${{ secrets.CONAN_REMOTE_USERNAME }}
+      remote_password: ${{ secrets.CONAN_REMOTE_PASSWORD }}
+
+  build-test:
+    if: ${{ github.repository == 'XRPLF/rippled' }}
+    uses: ./.github/workflows/reusable-build-test.yml
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [linux]
+    with:
+      ccache_enabled: false
+      os: ${{ matrix.os }}
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+  package:
+    if: ${{ github.repository == 'XRPLF/rippled' }}
+    needs: build-test
+    uses: ./.github/workflows/reusable-package.yml

.github/workflows/on-trigger.yml

@@ -0,0 +1,105 @@
+# This workflow runs all workflows to build and test the code on various Linux
+# flavors, as well as on MacOS and Windows, on a scheduled basis, on merge into
+# the 'develop' or 'release*' branches, or when requested manually. Upon pushes
+# to the develop branch it also uploads the libxrpl recipe to the Conan remote.
+name: Trigger
+
+on:
+  push:
+    branches:
+      - "develop"
+      - "release*"
+    paths:
+      # These paths are unique to `on-trigger.yml`.
+      - ".github/workflows/on-trigger.yml"
+
+      # Keep the paths below in sync with those in `on-pr.yml`.
+      - ".github/actions/build-deps/**"
+      - ".github/actions/generate-version/**"
+      - ".github/actions/setup-conan/**"
+      - ".github/scripts/strategy-matrix/**"
+      - ".github/workflows/reusable-build-test-config.yml"
+      - ".github/workflows/reusable-build-test.yml"
+      - ".github/workflows/reusable-clang-tidy.yml"
+      - ".github/workflows/reusable-package.yml"
+      - ".github/workflows/reusable-strategy-matrix.yml"
+      - ".github/workflows/reusable-test.yml"
+      - ".github/workflows/reusable-upload-recipe.yml"
+      - ".clang-tidy"
+      - ".codecov.yml"
+      - "cfg/**"
+      - "cmake/**"
+      - "conan/**"
+      - "external/**"
+      - "include/**"
+      - "src/**"
+      - "tests/**"
+      - "CMakeLists.txt"
+      - "conanfile.py"
+      - "conan.lock"
+      - "LICENSE.md"
+      - "package/**"
+      - "README.md"
+
+  # Run at 06:32 UTC on every day of the week from Monday through Friday. This
+  # will force all dependencies to be rebuilt, which is useful to verify that
+  # all dependencies can be built successfully. Only the dependencies that
+  # are actually missing from the remote will be uploaded.
+  schedule:
+    - cron: "32 6 * * 1-5"
+
+  # Run when manually triggered via the GitHub UI or API.
+  workflow_dispatch:
+
+concurrency:
+  # When a PR is merged into the develop branch it will be assigned a unique
+  # group identifier, so execution will continue even if another PR is merged
+  # while it is still running. In all other cases the group identifier is shared
+  # per branch, so that any in-progress runs are cancelled when a new commit is
+  # pushed.
+  group: ${{ github.workflow }}-${{ github.event_name == 'push' && github.ref == 'refs/heads/develop' && github.sha || github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  clang-tidy:
+    uses: ./.github/workflows/reusable-clang-tidy.yml
+    permissions:
+      issues: write
+      contents: read
+    with:
+      check_only_changed: false
+      create_issue_on_failure: ${{ github.event_name == 'schedule' }}
+
+  build-test:
+    uses: ./.github/workflows/reusable-build-test.yml
+    strategy:
+      fail-fast: ${{ github.event_name == 'merge_group' }}
+      matrix:
+        os: [linux, macos, windows]
+    with:
+      # Enable ccache only for events targeting the XRPLF repository, since
+      # other accounts will not have access to our remote cache storage.
+      # However, we do not enable ccache for events targeting a release branch,
+      # to protect against the rare case that the output produced by ccache is
+      # not identical to a regular compilation.
+      ccache_enabled: ${{ github.repository_owner == 'XRPLF' && !startsWith(github.ref, 'refs/heads/release') }}
+      os: ${{ matrix.os }}
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+  upload-recipe:
+    needs: build-test
+    # Only run when pushing to the develop branch.
+    if: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' && github.ref == 'refs/heads/develop' }}
+    uses: ./.github/workflows/reusable-upload-recipe.yml
+    secrets:
+      remote_username: ${{ secrets.CONAN_REMOTE_USERNAME }}
+      remote_password: ${{ secrets.CONAN_REMOTE_PASSWORD }}
+
+  package:
+    needs: build-test
+    uses: ./.github/workflows/reusable-package.yml

.github/workflows/pre-commit.yml

@@ -0,0 +1,20 @@
+name: Run pre-commit hooks
+
+on:
+  merge_group:
+    types:
+      - checks_requested
+  pull_request:
+  push:
+    branches:
+      - "develop"
+      - "release*"
+  workflow_dispatch:
+
+jobs:
+  # Call the workflow in the XRPLF/actions repo that runs the pre-commit hooks.
+  run-hooks:
+    uses: XRPLF/actions/.github/workflows/pre-commit.yml@312aaab296060ff89d7f798dcab59f019bea6e02
+    with:
+      runs_on: ubuntu-latest
+      container: '{ "image": "ghcr.io/xrplf/ci/tools-rippled-pre-commit:sha-41ec7c1" }'

.github/workflows/publish-docs.yml

@@ -0,0 +1,94 @@
+# This workflow builds the documentation for the repository, and publishes it to
+# GitHub Pages when changes are merged into the default branch.
+name: Build and publish documentation
+
+on:
+  push:
+    branches:
+      - "develop"
+    paths:
+      - ".github/workflows/publish-docs.yml"
+      - "*.md"
+      - "**/*.md"
+      - "docs/**"
+      - "include/**"
+      - "src/libxrpl/**"
+      - "src/xrpld/**"
+  pull_request:
+    paths:
+      - ".github/workflows/publish-docs.yml"
+      - "*.md"
+      - "**/*.md"
+      - "docs/**"
+      - "include/**"
+      - "src/libxrpl/**"
+      - "src/xrpld/**"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  BUILD_DIR: build
+  # ubuntu-latest has only 2 CPUs for private repositories
+  # https://docs.github.com/en/actions/reference/runners/github-hosted-runners#standard-github-hosted-runners-for--private-repositories
+  NPROC_SUBTRACT: ${{ github.event.repository.visibility == 'public' && '2' || '1' }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    container: ghcr.io/xrplf/xrpld/nix-ubuntu:sha-63ffdc3
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Prepare runner
+        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
+        with:
+          enable_ccache: false
+
+      - name: Get number of processors
+        uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
+        id: nproc
+        with:
+          subtract: ${{ env.NPROC_SUBTRACT }}
+
+      - name: Print build environment
+        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574
+
+      - name: Check Doxygen version
+        run: doxygen --version
+
+      - name: Build documentation
+        env:
+          BUILD_NPROC: ${{ steps.nproc.outputs.nproc }}
+        run: |
+          mkdir -p "${BUILD_DIR}"
+          cd "${BUILD_DIR}"
+          cmake -Donly_docs=ON ..
+          cmake --build . --target docs --parallel ${BUILD_NPROC}
+
+      - name: Create documentation artifact
+        if: ${{ github.event.repository.visibility == 'public' && github.event_name == 'push' }}
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
+        with:
+          path: ${{ env.BUILD_DIR }}/docs/html
+
+  deploy:
+    if: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
+    environment:
+      name: github-pages
+      url: ${{ steps.deploy.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deploy
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0

.github/workflows/reusable-build-test-config.yml

@@ -0,0 +1,381 @@
+name: Build and test configuration
+
+on:
+  workflow_call:
+    inputs:
+      build_only:
+        description: 'Whether to only build or to build and test the code ("true", "false").'
+        required: true
+        type: boolean
+
+      build_type:
+        description: 'The build type to use ("Debug", "Release").'
+        required: true
+        type: string
+
+      ccache_enabled:
+        description: "Whether to enable ccache."
+        required: false
+        type: boolean
+        default: false
+
+      cmake_args:
+        description: "Additional arguments to pass to CMake."
+        required: false
+        type: string
+        default: ""
+
+      cmake_target:
+        description: "The CMake target to build."
+        required: true
+        type: string
+
+      runs_on:
+        description: Runner to run the job on as a JSON string
+        required: true
+        type: string
+
+      image:
+        description: "The image to run in (leave empty to run natively)"
+        required: true
+        type: string
+
+      config_name:
+        description: "The configuration string (used for naming artifacts and such)."
+        required: true
+        type: string
+
+      nproc_subtract:
+        description: "The number of processors to subtract when calculating parallelism."
+        required: false
+        type: number
+        default: 2
+
+      sanitizers:
+        description: "The sanitizers to enable."
+        required: false
+        type: string
+        default: ""
+
+      compiler:
+        description: 'The compiler to use ("gcc" or "clang"). Leave empty for macOS/Windows (uses system default).'
+        required: false
+        type: string
+        default: ""
+
+    secrets:
+      CODECOV_TOKEN:
+        description: "The Codecov token to use for uploading coverage reports."
+        required: true
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  # Conan installs the generators in the build/generators directory, see the
+  # layout() method in conanfile.py. We then run CMake from the build directory.
+  BUILD_DIR: build
+
+jobs:
+  build-and-test:
+    name: ${{ inputs.config_name }}
+    runs-on: ${{ fromJSON(inputs.runs_on) }}
+    container: ${{ inputs.image != '' && inputs.image || null }}
+    timeout-minutes: ${{ inputs.sanitizers != '' && 360 || 90 }}
+    env:
+      # Use a namespace to keep the objects separate for each configuration.
+      CCACHE_NAMESPACE: ${{ inputs.config_name }}
+      # Ccache supports both Redis and HTTP endpoints.
+      # * For Redis, use the following format: redis://ip:port, see
+      #   https://github.com/ccache/ccache/wiki/Redis-storage. Note that TLS is
+      #   not directly supported by ccache, and requires use of a proxy.
+      # * For HTTP use the following format: http://ip:port/cache when using
+      #   nginx as backend or http://ip:port|layout=bazel when using Bazel
+      #   Remote Cache, see https://github.com/ccache/ccache/wiki/HTTP-storage.
+      #   Note that HTTPS is not directly supported by ccache.
+      CCACHE_REMOTE_ONLY: true
+      CCACHE_REMOTE_STORAGE: http://cache.dev.ripplex.io:8080|layout=bazel
+      # Ignore the creation and modification timestamps on files, since the
+      # header files are copied into separate directories by CMake, which will
+      # otherwise result in cache misses.
+      CCACHE_SLOPPINESS: include_file_ctime,include_file_mtime
+      # Determine if coverage and voidstar should be enabled.
+      COVERAGE_ENABLED: ${{ contains(inputs.cmake_args, '-Dcoverage=ON') }}
+      VOIDSTAR_ENABLED: ${{ contains(inputs.cmake_args, '-Dvoidstar=ON') }}
+      SANITIZERS_ENABLED: ${{ inputs.sanitizers != '' }}
+    steps:
+      - name: Cleanup workspace (macOS and Windows)
+        if: ${{ runner.os == 'macOS' || runner.os == 'Windows' }}
+        uses: XRPLF/actions/cleanup-workspace@c7d9ce5ebb03c752a354889ecd870cadfc2b1cd4
+
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Prepare runner
+        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
+        with:
+          enable_ccache: ${{ inputs.ccache_enabled }}
+
+      - name: Set ccache log file
+        if: ${{ inputs.ccache_enabled && runner.debug == '1' }}
+        run: echo "CCACHE_LOGFILE=${{ runner.temp }}/ccache.log" >>"${GITHUB_ENV}"
+
+      - name: Print build environment
+        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574
+
+      - name: Get number of processors
+        uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
+        id: nproc
+        with:
+          subtract: ${{ inputs.nproc_subtract }}
+
+      - name: Set compiler environment (Linux)
+        if: ${{ runner.os == 'Linux' }}
+        uses: ./.github/actions/set-compiler-env
+        with:
+          compiler: ${{ inputs.compiler }}
+
+      - name: Setup Conan
+        env:
+          SANITIZERS: ${{ inputs.sanitizers }}
+        uses: ./.github/actions/setup-conan
+
+      - name: Build dependencies
+        uses: ./.github/actions/build-deps
+        with:
+          build_nproc: ${{ steps.nproc.outputs.nproc }}
+          build_type: ${{ inputs.build_type }}
+          # Set the verbosity to "quiet" for Windows to avoid an excessive
+          # amount of logs. For other OSes, the "verbose" logs are more useful.
+          log_verbosity: ${{ runner.os == 'Windows' && 'quiet' || 'verbose' }}
+          sanitizers: ${{ inputs.sanitizers }}
+
+      - name: Configure CMake
+        working-directory: ${{ env.BUILD_DIR }}
+        env:
+          BUILD_TYPE: ${{ inputs.build_type }}
+          CMAKE_ARGS: ${{ inputs.cmake_args }}
+        run: |
+          cmake \
+              -G '${{ runner.os == 'Windows' && 'Visual Studio 17 2022' || 'Ninja' }}' \
+              -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
+              -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \
+              ${CMAKE_ARGS} \
+              ..
+
+      - name: Check protocol autogen files are up-to-date
+        working-directory: ${{ env.BUILD_DIR }}
+        env:
+          MESSAGE: |
+
+            The generated protocol wrapper classes are out of date.
+
+            This typically happens when the macro files or generator scripts
+            have changed but the generated files were not regenerated.
+
+            To fix this:
+              1. Run: cmake --build . --target setup_code_gen
+              2. Run: cmake --build . --target code_gen
+              3. Commit and push the regenerated files
+        run: |
+          set -e
+          cmake --build . --target setup_code_gen
+          cmake --build . --target code_gen
+          DIFF=$(git -C .. status --porcelain -- include/xrpl/protocol_autogen src/tests/libxrpl/protocol_autogen)
+          if [ -n "${DIFF}" ]; then
+              echo "::error::Generated protocol files are out of date"
+              git -C .. diff -- include/xrpl/protocol_autogen src/tests/libxrpl/protocol_autogen
+              echo "${MESSAGE}"
+              exit 1
+          fi
+
+      - name: Build the binary
+        working-directory: ${{ env.BUILD_DIR }}
+        env:
+          BUILD_NPROC: ${{ steps.nproc.outputs.nproc }}
+          BUILD_TYPE: ${{ inputs.build_type }}
+          CMAKE_TARGET: ${{ inputs.cmake_target }}
+        run: |
+          cmake \
+              --build . \
+              --config "${BUILD_TYPE}" \
+              --parallel "${BUILD_NPROC}" \
+              --target "${CMAKE_TARGET}"
+
+      # This step is needed to allow running in non-Nix environments
+      - name: Patch binary to use default loader and remove rpath (Linux)
+        if: ${{ runner.os == 'Linux' && env.SANITIZERS_ENABLED == 'false' }}
+        run: |
+          loader="$(/tmp/loader-path.sh)"
+          patchelf --set-interpreter "${loader}" --remove-rpath "${{ env.BUILD_DIR }}/xrpld"
+
+      # We're only running aarch64 Linux builds in Ubuntu-based images, so this is kept simple
+      - name: Install libatomic (Linux aarch64)
+        if: ${{ runner.os == 'Linux' && runner.arch == 'ARM64' }}
+        run: |
+          apt update --yes
+          apt install -y --no-install-recommends \
+              libatomic1
+
+      - name: Show ccache statistics
+        if: ${{ inputs.ccache_enabled }}
+        run: |
+          ccache --show-stats -vv
+          if [ '${{ runner.debug }}' = '1' ]; then
+              cat "${CCACHE_LOGFILE}"
+              curl ${CCACHE_REMOTE_STORAGE%|*}/status || true
+          fi
+
+      - name: Upload the binary (Linux)
+        if: ${{ github.event.repository.visibility == 'public' && runner.os == 'Linux' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: xrpld-${{ inputs.config_name }}
+          path: ${{ env.BUILD_DIR }}/xrpld
+          retention-days: 3
+          if-no-files-found: error
+
+      - name: Upload the test binary (Linux)
+        if: ${{ github.event.repository.visibility == 'public' && runner.os == 'Linux' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: xrpl_tests-${{ inputs.config_name }}
+          path: ${{ env.BUILD_DIR }}/xrpl_tests
+          retention-days: 3
+          if-no-files-found: error
+
+      - name: Export server definitions
+        if: ${{ runner.os != 'Windows' && !inputs.build_only && env.VOIDSTAR_ENABLED != 'true' }}
+        working-directory: ${{ env.BUILD_DIR }}
+        run: |
+          set -o pipefail
+          ./xrpld --definitions | python3 -m json.tool >server_definitions.json
+
+      - name: Upload server definitions
+        if: ${{ github.event.repository.visibility == 'public' && inputs.config_name == 'debian-gcc-release-amd64' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: server-definitions
+          path: ${{ env.BUILD_DIR }}/server_definitions.json
+          retention-days: 3
+          if-no-files-found: error
+
+      - name: Check linking (Linux)
+        if: ${{ runner.os == 'Linux' && env.SANITIZERS_ENABLED == 'false' }}
+        working-directory: ${{ env.BUILD_DIR }}
+        run: |
+          ldd ./xrpld
+          if [ "$(ldd ./xrpld | grep -E '(libstdc\+\+|libgcc)' | wc -l)" -eq 0 ]; then
+              echo 'The binary is statically linked.'
+          else
+              echo 'The binary is dynamically linked.'
+              exit 1
+          fi
+
+      - name: Verify presence of instrumentation (Linux)
+        if: ${{ runner.os == 'Linux' && env.VOIDSTAR_ENABLED == 'true' }}
+        working-directory: ${{ env.BUILD_DIR }}
+        run: |
+          ./xrpld --version | grep libvoidstar
+
+      - name: Set sanitizer options
+        if: ${{ !inputs.build_only && env.SANITIZERS_ENABLED == 'true' }}
+        env:
+          CONFIG_NAME: ${{ inputs.config_name }}
+        run: |
+          ASAN_OPTS="include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-asan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/asan.supp"
+          if [[ "${CONFIG_NAME}" == *gcc* ]]; then
+              ASAN_OPTS="${ASAN_OPTS}:alloc_dealloc_mismatch=0"
+          fi
+          echo "ASAN_OPTIONS=${ASAN_OPTS}" >>${GITHUB_ENV}
+          echo "TSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-tsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/tsan.supp" >>${GITHUB_ENV}
+          echo "UBSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-ubsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/ubsan.supp" >>${GITHUB_ENV}
+          echo "LSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-lsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/lsan.supp" >>${GITHUB_ENV}
+
+      - name: Run the separate tests
+        if: ${{ !inputs.build_only }}
+        working-directory: ${{ runner.os == 'Windows' && format('{0}/{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
+        run: ./xrpl_tests
+
+      - name: Run the embedded tests
+        if: ${{ !inputs.build_only }}
+        working-directory: ${{ runner.os == 'Windows' && format('{0}/{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
+        env:
+          BUILD_NPROC: ${{ steps.nproc.outputs.nproc }}
+        run: |
+          set -o pipefail
+          # Coverage builds are slower due to instrumentation; use fewer parallel jobs to avoid flakiness
+          [ "$COVERAGE_ENABLED" = "true" ] && BUILD_NPROC=$((BUILD_NPROC - 2))
+
+          # The resolver/preload workaround is only correct for the ASan build:
+          # a regular build doesn't hit the __dn_expand interceptor bug, and must
+          # NOT have libasan injected. So only preload when xrpld is ASan-built.
+          #
+          # libresolv hosts getaddrinfo's resolver helpers (dn_expand, res_*). Under ASan
+          # these are intercepted via dlsym(RTLD_NEXT, ...), which yields a NULL pointer
+          # and crashes DNS resolution if libresolv isn't loaded. Linking it guarantees
+          # the symbols are present; it's a harmless no-op on glibc >= 2.34 (merged into
+          # libc) and is what the compiler driver already does for sanitizer builds.
+          #   https://github.com/llvm/llvm-project/issues/59007
+          #   https://github.com/google/sanitizers/issues/1592
+          if ldd ./xrpld | grep -q libasan; then
+              PRELOAD="$(gcc -print-file-name=libasan.so):/usr/lib/x86_64-linux-gnu/libresolv.so.2"
+          else
+              PRELOAD=""
+          fi
+
+          LD_PRELOAD="$PRELOAD" ./xrpld --unittest --unittest-jobs "${BUILD_NPROC}" 2>&1 | tee unittest.log
+
+      - name: Show test failure summary
+        if: ${{ failure() && !inputs.build_only }}
+        env:
+          WORKING_DIR: ${{ runner.os == 'Windows' && format('{0}\{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
+        run: |
+          if [ ! -d "${WORKING_DIR}" ]; then
+              echo "Working directory '${WORKING_DIR}' does not exist."
+              exit 0
+          fi
+
+          cd "${WORKING_DIR}"
+
+          if [ ! -f unittest.log ]; then
+              echo "unittest.log not found; embedded tests may not have run."
+              exit 0
+          fi
+
+          if ! grep -E "failed" unittest.log; then
+              echo "Log present but no failure lines found in unittest.log."
+          fi
+      - name: Debug failure (Linux)
+        if: ${{ failure() && runner.os == 'Linux' && !inputs.build_only }}
+        run: |
+          echo "IPv4 local port range:"
+          cat /proc/sys/net/ipv4/ip_local_port_range
+          echo "Netstat:"
+          netstat -an
+
+      - name: Prepare coverage report
+        if: ${{ !inputs.build_only && env.COVERAGE_ENABLED == 'true' }}
+        working-directory: ${{ env.BUILD_DIR }}
+        env:
+          BUILD_NPROC: ${{ steps.nproc.outputs.nproc }}
+          BUILD_TYPE: ${{ inputs.build_type }}
+        run: |
+          cmake \
+              --build . \
+              --config "${BUILD_TYPE}" \
+              --parallel "${BUILD_NPROC}" \
+              --target coverage
+
+      - name: Upload coverage report
+        if: ${{ github.repository == 'XRPLF/rippled' && !inputs.build_only && env.COVERAGE_ENABLED == 'true' }}
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        with:
+          disable_search: true
+          disable_telem: true
+          fail_ci_if_error: true
+          files: ${{ env.BUILD_DIR }}/coverage.xml
+          plugins: noop
+          token: ${{ secrets.CODECOV_TOKEN }}
+          verbose: true

.github/workflows/reusable-build-test.yml

@@ -0,0 +1,54 @@
+# This workflow builds and tests the binary for various configurations.
+name: Build and test
+
+# This workflow can only be triggered by other workflows. Note that the
+# workflow_call event does not support the 'choice' input type, see
+# https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#onworkflow_callinputsinput_idtype,
+# so we use 'string' instead.
+on:
+  workflow_call:
+    inputs:
+      ccache_enabled:
+        description: "Whether to enable ccache."
+        required: false
+        type: boolean
+        default: false
+
+      os:
+        description: 'The operating system to use for the build ("linux", "macos", "windows").'
+        required: true
+        type: string
+
+    secrets:
+      CODECOV_TOKEN:
+        description: "The Codecov token to use for uploading coverage reports."
+        required: true
+
+jobs:
+  # Generate the strategy matrix to be used by the following job.
+  generate-matrix:
+    uses: ./.github/workflows/reusable-strategy-matrix.yml
+    with:
+      os: ${{ inputs.os }}
+
+  # Build and test the binary for each configuration.
+  build-test-config:
+    needs:
+      - generate-matrix
+    uses: ./.github/workflows/reusable-build-test-config.yml
+    strategy:
+      fail-fast: ${{ github.event_name == 'merge_group' }}
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    with:
+      build_only: ${{ matrix.build_only }}
+      build_type: ${{ matrix.build_type }}
+      ccache_enabled: ${{ inputs.ccache_enabled }}
+      cmake_args: ${{ matrix.cmake_args }}
+      cmake_target: ${{ matrix.cmake_target }}
+      runs_on: ${{ toJSON(matrix.architecture.runner) }}
+      image: ${{ matrix.image || '' }}
+      config_name: ${{ matrix.config_name }}
+      sanitizers: ${{ matrix.sanitizers }}
+      compiler: ${{ matrix.compiler || '' }}
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/reusable-check-levelization.yml

@@ -0,0 +1,46 @@
+# This workflow checks if the dependencies between the modules are correctly
+# indexed.
+name: Check levelization
+
+# This workflow can only be triggered by other workflows.
+on: workflow_call
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-levelization
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  levelization:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: Check levelization
+        run: python .github/scripts/levelization/generate.py
+      - name: Check for differences
+        env:
+          MESSAGE: |
+
+            The dependency relationships between the modules in xrpld have
+            changed, which may be an improvement or a regression.
+
+            A rule of thumb is that if your changes caused something to be
+            removed from loops.txt, it's probably an improvement, while if
+            something was added, it's probably a regression.
+
+            Run '.github/scripts/levelization/generate.py' in your repo, commit
+            and push the changes. See .github/scripts/levelization/README.md for
+            more info.
+        run: |
+          DIFF=$(git status --porcelain)
+          if [ -n "${DIFF}" ]; then
+              # Print the differences to give the contributor a hint about what to
+              # expect when running levelization on their own machine.
+              git diff
+              echo "${MESSAGE}"
+              exit 1
+          fi

.github/workflows/reusable-check-otel-naming.yml

@@ -0,0 +1,28 @@
+# This workflow checks that OpenTelemetry span-attribute names stay consistent
+# across the code (*SpanNames.h), collector, Tempo, dashboards, and docs.
+# See .github/scripts/otel-naming/check_otel_naming.py and the
+# "Telemetry span attribute naming" section in CONTRIBUTING.md.
+name: Check OTel naming
+
+# This workflow can only be triggered by other workflows.
+on: workflow_call
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-otel-naming
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  otel-naming:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: Check OTel naming
+        # The script is stdlib-only and reads only files already in the tree;
+        # it enforces each rule only when the layer it needs is present, so it
+        # works whether telemetry changes land in one PR or several.
+        run: python .github/scripts/otel-naming/check_otel_naming.py

.github/workflows/reusable-check-rename.yml

@@ -0,0 +1,56 @@
+# This workflow checks if the codebase is properly renamed, see more info in
+# .github/scripts/rename/README.md.
+name: Check rename
+
+# This workflow can only be triggered by other workflows.
+on: workflow_call
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-rename
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  rename:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - name: Check definitions
+        run: .github/scripts/rename/definitions.sh .
+      - name: Check copyright notices
+        run: .github/scripts/rename/copyright.sh .
+      - name: Check CMake configs
+        run: .github/scripts/rename/cmake.sh .
+      - name: Check binary name
+        run: .github/scripts/rename/binary.sh .
+      - name: Check namespaces
+        run: .github/scripts/rename/namespace.sh .
+      - name: Check config name
+        run: .github/scripts/rename/config.sh .
+      - name: Check include guards
+        run: .github/scripts/rename/include.sh .
+      - name: Check documentation
+        run: .github/scripts/rename/docs.sh .
+      - name: Check for differences
+        env:
+          MESSAGE: |
+
+            One or more files contain changes that do not adhere to new naming
+            conventions.
+
+            Run the scripts in '.github/scripts/rename/' in your repo, commit
+            and push the changes. See .github/scripts/rename/README.md for
+            more info.
+        run: |
+          DIFF=$(git status --porcelain)
+          if [ -n "${DIFF}" ]; then
+              # Print the differences to give the contributor a hint about what to
+              # expect when running the renaming scripts on their own machine.
+              git diff
+              echo "${MESSAGE}"
+              exit 1
+          fi

.github/workflows/reusable-clang-tidy.yml

@@ -0,0 +1,195 @@
+name: Run clang-tidy on files
+
+on:
+  workflow_call:
+    inputs:
+      check_only_changed:
+        description: "Check only changed files in PR. If false, checks all files in the repository."
+        type: boolean
+        default: false
+      create_issue_on_failure:
+        description: "Whether to create an issue if the check failed"
+        type: boolean
+        default: false
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  BUILD_DIR: build
+  BUILD_TYPE: Debug # Debug so that ASSERTS and such participate in clang-tidy check
+
+  OUTPUT_FILE: clang-tidy-output.txt
+  DIFF_FILE: clang-tidy-git-diff.txt
+  ISSUE_FILE: clang-tidy-issue.md
+
+jobs:
+  determine-files:
+    if: ${{ inputs.check_only_changed }}
+    permissions:
+      contents: read
+    uses: XRPLF/actions/.github/workflows/determine-tidy-files.yml@312aaab296060ff89d7f798dcab59f019bea6e02
+
+  run-clang-tidy:
+    name: Run clang tidy
+    needs: [determine-files]
+    if: ${{ always() && !cancelled() && (!inputs.check_only_changed || needs.determine-files.outputs.cpp_changed_files != '' || needs.determine-files.outputs.clang_tidy_config_changed == 'true') }}
+    runs-on: ["self-hosted", "Linux", "X64", "heavy"]
+    container: "ghcr.io/xrplf/xrpld/nix-debian:sha-63ffdc3"
+    permissions:
+      contents: read
+      issues: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Prepare runner
+        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
+        with:
+          enable_ccache: false
+
+      - name: Print build environment
+        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574
+
+      - name: Get number of processors
+        uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
+        id: nproc
+
+      - name: Set compiler environment
+        uses: ./.github/actions/set-compiler-env
+        with:
+          compiler: clang
+
+      - name: Setup Conan
+        uses: ./.github/actions/setup-conan
+
+      - name: Build dependencies
+        uses: ./.github/actions/build-deps
+        with:
+          build_nproc: ${{ steps.nproc.outputs.nproc }}
+          build_type: ${{ env.BUILD_TYPE }}
+          log_verbosity: verbose
+
+      - name: Configure CMake
+        working-directory: ${{ env.BUILD_DIR }}
+        run: |
+          cmake \
+              -G 'Ninja' \
+              -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
+              -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \
+              -Dtests=ON \
+              -Dwerr=ON \
+              -Dxrpld=ON \
+              ..
+
+      # clang-tidy needs headers generated from proto files
+      - name: Build libxrpl.libpb
+        working-directory: ${{ env.BUILD_DIR }}
+        run: |
+          ninja -j ${{ steps.nproc.outputs.nproc }} xrpl.libpb
+
+      - name: Run clang tidy
+        id: run_clang_tidy
+        continue-on-error: true
+        env:
+          TARGETS: ${{ (needs.determine-files.outputs.clang_tidy_config_changed != 'true' && inputs.check_only_changed) && needs.determine-files.outputs.cpp_changed_files || 'src tests' }}
+        run: |
+          set -o pipefail
+          run-clang-tidy -j ${{ steps.nproc.outputs.nproc }} -p "${BUILD_DIR}" -quiet -fix -allow-no-checks ${TARGETS} 2>&1 | tee "${OUTPUT_FILE}"
+
+      - name: Print errors
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          sed '/error\||/!d' "${OUTPUT_FILE}"
+
+      - name: Upload clang-tidy output
+        if: ${{ github.event.repository.visibility == 'public' && steps.run_clang_tidy.outcome != 'success' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          path: ${{ env.OUTPUT_FILE }}
+          archive: false
+          retention-days: 30
+
+      - name: Check for changes
+        id: files_changed
+        continue-on-error: true
+        run: |
+          git diff --exit-code
+
+      - name: Fix style
+        if: ${{ steps.files_changed.outcome != 'success' }}
+        run: |
+          pre-commit run --all-files || true
+
+      - name: Generate git diff
+        if: ${{ steps.files_changed.outcome != 'success' }}
+        run: |
+          git diff | tee "${DIFF_FILE}"
+
+      - name: Upload clang-tidy diff output
+        if: ${{ github.event.repository.visibility == 'public' && steps.files_changed.outcome != 'success' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          path: ${{ env.DIFF_FILE }}
+          archive: false
+          retention-days: 30
+
+      - name: Write issue header
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          cat >"${ISSUE_FILE}" <<EOF
+          ## Clang-tidy Check Failed
+
+          ### Clang-tidy Output:
+          \`\`\`
+          EOF
+
+      - name: Append clang-tidy output to issue body (filter for errors and warnings)
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          if [ -f "${OUTPUT_FILE}" ]; then
+              # Extract lines containing 'error:', 'warning:', or 'note:'
+              grep -E '(error:|warning:|note:)' "${OUTPUT_FILE}" >filtered-output.txt || true
+
+              # If filtered output is empty, use original (might be a different error format)
+              if [ ! -s filtered-output.txt ]; then
+                  cp "${OUTPUT_FILE}" filtered-output.txt
+              fi
+
+              # Truncate if too large
+              head -c 60000 filtered-output.txt >>"${ISSUE_FILE}"
+              if [ "$(wc -c <filtered-output.txt)" -gt 60000 ]; then
+                  echo "" >>"${ISSUE_FILE}"
+                  echo "... (output truncated, see artifacts for full output)" >>"${ISSUE_FILE}"
+              fi
+
+              rm filtered-output.txt
+          else
+              echo "No output file found" >>"${ISSUE_FILE}"
+          fi
+
+      - name: Append issue footer
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          cat >>"${ISSUE_FILE}" <<EOF
+          \`\`\`
+
+          ---
+          *This issue was automatically created by the clang-tidy workflow.*
+          EOF
+
+      - name: Create issue
+        if: ${{ steps.run_clang_tidy.outcome != 'success' && inputs.create_issue_on_failure }}
+        uses: XRPLF/actions/create-issue@2b8bc36af85b88bca0dd7bfac2e2dc05f94ad712
+        with:
+          title: "Clang-tidy check failed"
+          body_file: ${{ env.ISSUE_FILE }}
+          labels: "Bug,Clang-tidy"
+          assignees: "godexsoft,mathbunnyru"
+
+      - name: Fail if clang-tidy found issues
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          echo "Clang-tidy check failed!"
+          exit 1

.github/workflows/reusable-package.yml

@@ -0,0 +1,97 @@
+# Build Linux packages (DEB and RPM) from pre-built binary artifacts.
+# Discovers which configurations to package from linux.json (configs in
+# "package_configs") and fans out one job per distro. Only linux/amd64 is
+# supported; the runner is hardcoded in the job below.
+name: Package
+
+on:
+  workflow_call:
+    inputs:
+      pkg_release:
+        description: "Package release number. Increment when repackaging the same executable."
+        required: false
+        type: string
+        default: "1"
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  BUILD_DIR: build
+
+jobs:
+  generate-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - name: Generate packaging matrix
+        id: generate
+        working-directory: .github/scripts/strategy-matrix
+        run: ./generate.py --packaging >>"${GITHUB_OUTPUT}"
+
+  generate-version:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          sparse-checkout: |
+            .github/actions/generate-version
+            src/libxrpl/protocol/BuildInfo.cpp
+      - name: Generate version
+        id: version
+        uses: ./.github/actions/generate-version
+
+  package:
+    needs: [generate-matrix, generate-version]
+    if: ${{ github.event.repository.visibility == 'public' }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    name: "${{ matrix.artifact_name }}"
+    permissions:
+      contents: read
+    runs-on: ["self-hosted", "Linux", "X64", "heavy"]
+    container: ${{ matrix.image }}
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Download pre-built binary
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: ${{ env.BUILD_DIR }}
+
+      - name: Make binary executable
+        run: chmod +x "${BUILD_DIR}/xrpld"
+
+      - name: Build package
+        env:
+          PKG_VERSION: ${{ needs.generate-version.outputs.version }}
+          PKG_RELEASE: ${{ inputs.pkg_release }}
+        run: ./package/build_pkg.sh
+
+      - name: Upload package artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: ${{ matrix.artifact_name }}-pkg-${{ needs.generate-version.outputs.version }}
+          path: |
+            ${{ env.BUILD_DIR }}/debbuild/*.deb
+            ${{ env.BUILD_DIR }}/debbuild/*.ddeb
+            ${{ env.BUILD_DIR }}/rpmbuild/RPMS/**/*.rpm
+          if-no-files-found: error

.github/workflows/reusable-strategy-matrix.yml

@@ -0,0 +1,39 @@
+name: Generate strategy matrix
+
+on:
+  workflow_call:
+    inputs:
+      os:
+        description: 'The operating system to use for the build ("linux", "macos", "windows", or empty for all).'
+        required: false
+        type: string
+    outputs:
+      matrix:
+        description: "The generated strategy matrix."
+        value: ${{ jobs.generate-matrix.outputs.matrix }}
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  generate-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.13"
+
+      - name: Generate strategy matrix
+        working-directory: .github/scripts/strategy-matrix
+        id: generate
+        env:
+          GENERATE_CONFIG: ${{ inputs.os != '' && format('--config={0}', inputs.os) || '' }}
+          GENERATE_EVENT: ${{ github.event_name }}
+        run: ./generate.py ${GENERATE_CONFIG} --event="${GENERATE_EVENT}" >>"${GITHUB_OUTPUT}"

.github/workflows/reusable-upload-recipe.yml

@@ -0,0 +1,103 @@
+# This workflow exports the built libxrpl package to the Conan remote.
+name: Upload Conan recipe
+
+# This workflow can only be triggered by other workflows.
+on:
+  workflow_call:
+    inputs:
+      remote_name:
+        description: "The name of the Conan remote to use."
+        required: false
+        type: string
+        default: xrplf
+      remote_url:
+        description: "The URL of the Conan endpoint to use."
+        required: false
+        type: string
+        default: https://conan.ripplex.io
+
+    secrets:
+      remote_username:
+        description: "The username for logging into the Conan remote."
+        required: true
+      remote_password:
+        description: "The password for logging into the Conan remote."
+        required: true
+
+    outputs:
+      recipe_ref:
+        description: "The Conan recipe reference ('name/version') that was uploaded."
+        value: ${{ jobs.upload.outputs.ref }}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-upload-recipe
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    container: ghcr.io/xrplf/xrpld/nix-ubuntu:sha-63ffdc3
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Generate build version number
+        id: version
+        uses: ./.github/actions/generate-version
+
+      - name: Set up Conan
+        uses: ./.github/actions/setup-conan
+        with:
+          remote_name: ${{ inputs.remote_name }}
+          remote_url: ${{ inputs.remote_url }}
+
+      - name: Log into Conan remote
+        env:
+          REMOTE_NAME: ${{ inputs.remote_name }}
+          REMOTE_USERNAME: ${{ secrets.remote_username }}
+          REMOTE_PASSWORD: ${{ secrets.remote_password }}
+        run: conan remote login "${REMOTE_NAME}" "${REMOTE_USERNAME}" --password "${REMOTE_PASSWORD}"
+
+      - name: Upload Conan recipe (version)
+        env:
+          REMOTE_NAME: ${{ inputs.remote_name }}
+        run: |
+          conan export . --version=${{ steps.version.outputs.version }}
+          conan upload --confirm --check --remote="${REMOTE_NAME}" xrpl/${{ steps.version.outputs.version }}
+
+      # When this workflow is triggered by a push event, it will always be when merging into the
+      # 'develop' branch, see on-trigger.yml.
+      - name: Upload Conan recipe (develop)
+        if: ${{ github.event_name == 'push' }}
+        env:
+          REMOTE_NAME: ${{ inputs.remote_name }}
+        run: |
+          conan export . --version=develop
+          conan upload --confirm --check --remote="${REMOTE_NAME}" xrpl/develop
+
+      # When this workflow is triggered by a pull request event, it will always be when merging into
+      # one of the 'release' branches, see on-pr.yml.
+      - name: Upload Conan recipe (rc)
+        if: ${{ github.event_name == 'pull_request' }}
+        env:
+          REMOTE_NAME: ${{ inputs.remote_name }}
+        run: |
+          conan export . --version=rc
+          conan upload --confirm --check --remote="${REMOTE_NAME}" xrpl/rc
+
+      # When this workflow is triggered by a push event, it will always be when tagging a final
+      # release, see on-tag.yml.
+      - name: Upload Conan recipe (release)
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
+        env:
+          REMOTE_NAME: ${{ inputs.remote_name }}
+        run: |
+          conan export . --version=release
+          conan upload --confirm --check --remote="${REMOTE_NAME}" xrpl/release
+
+    outputs:
+      ref: xrpl/${{ steps.version.outputs.version }}

.github/workflows/upload-conan-deps.yml

@@ -0,0 +1,117 @@
+name: Upload Conan Dependencies
+
+on:
+  schedule:
+    - cron: "0 3 * * 2-6"
+  workflow_dispatch:
+    inputs:
+      force_source_build:
+        description: "Force source build of all dependencies"
+        required: false
+        default: false
+        type: boolean
+      force_upload:
+        description: "Force upload of all dependencies"
+        required: false
+        default: false
+        type: boolean
+  pull_request:
+    branches: [develop]
+    paths:
+      # This allows testing changes to the upload workflow in a PR
+      - .github/workflows/upload-conan-deps.yml
+  push:
+    branches: [develop]
+    paths:
+      - .github/workflows/upload-conan-deps.yml
+      - .github/workflows/reusable-strategy-matrix.yml
+      - .github/actions/build-deps/action.yml
+      - .github/actions/setup-conan/action.yml
+      - ".github/scripts/strategy-matrix/**"
+      - conanfile.py
+      - conan.lock
+      - conan/profiles/**
+
+env:
+  CONAN_REMOTE_NAME: xrplf
+  CONAN_REMOTE_URL: https://conan.ripplex.io
+  NPROC_SUBTRACT: 2
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  # Generate the strategy matrix to be used by the following job.
+  generate-matrix:
+    uses: ./.github/workflows/reusable-strategy-matrix.yml
+
+  # Build and upload the dependencies for each configuration.
+  run-upload-conan-deps:
+    needs:
+      - generate-matrix
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    runs-on: ${{ matrix.architecture.runner }}
+    container: ${{ matrix.image || null }}
+    steps:
+      - name: Cleanup workspace (macOS and Windows)
+        if: ${{ runner.os == 'macOS' || runner.os == 'Windows' }}
+        uses: XRPLF/actions/cleanup-workspace@c7d9ce5ebb03c752a354889ecd870cadfc2b1cd4
+
+      - name: Checkout repository
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+      - name: Prepare runner
+        uses: XRPLF/actions/prepare-runner@c47daebb2f9db64ffbac71b47d68a661498d5ce8
+        with:
+          enable_ccache: false
+
+      - name: Print build environment
+        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574
+
+      - name: Get number of processors
+        uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
+        id: nproc
+        with:
+          subtract: ${{ env.NPROC_SUBTRACT }}
+
+      - name: Set compiler environment (Linux)
+        if: ${{ runner.os == 'Linux' }}
+        uses: ./.github/actions/set-compiler-env
+        with:
+          compiler: ${{ matrix.compiler }}
+
+      - name: Setup Conan
+        env:
+          SANITIZERS: ${{ matrix.sanitizers }}
+        uses: ./.github/actions/setup-conan
+        with:
+          remote_name: ${{ env.CONAN_REMOTE_NAME }}
+          remote_url: ${{ env.CONAN_REMOTE_URL }}
+
+      - name: Build dependencies
+        uses: ./.github/actions/build-deps
+        with:
+          build_nproc: ${{ steps.nproc.outputs.nproc }}
+          build_type: ${{ matrix.build_type }}
+          force_build: ${{ github.event_name == 'schedule' || github.event.inputs.force_source_build == 'true' }}
+          # Set the verbosity to "quiet" for Windows to avoid an excessive
+          # amount of logs. For other OSes, the "verbose" logs are more useful.
+          log_verbosity: ${{ runner.os == 'Windows' && 'quiet' || 'verbose' }}
+          sanitizers: ${{ matrix.sanitizers }}
+
+      - name: Log into Conan remote
+        if: ${{ github.repository == 'XRPLF/rippled' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
+        run: conan remote login "${CONAN_REMOTE_NAME}" "${{ secrets.CONAN_REMOTE_USERNAME }}" --password "${{ secrets.CONAN_REMOTE_PASSWORD }}"
+
+      - name: Upload Conan packages
+        if: ${{ github.repository == 'XRPLF/rippled' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
+        env:
+          FORCE_OPTION: ${{ github.event.inputs.force_upload == 'true' && '--force' || '' }}
+        run: conan upload "*" --remote="${CONAN_REMOTE_NAME}" --confirm ${FORCE_OPTION}

.github/workflows/windows.yml

@@ -1,91 +0,0 @@
-name: windows
-
-on:
-  pull_request:
-  push:
-    # If the branches list is ever changed, be sure to change it on all
-    # build/test jobs (nix, macos, windows, instrumentation)
-    branches:
-      # Always build the package branches
-      - develop
-      - release
-      - master
-      # Branches that opt-in to running
-      - 'ci/**'
-
-# https://docs.github.com/en/actions/using-jobs/using-concurrency
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
-
-jobs:
-
-  test:
-    strategy:
-      fail-fast: false
-      matrix:
-        generator:
-          - Visual Studio 16 2019
-        configuration:
-          - Release
-          # Github hosted runners tend to hang when running Debug unit tests.
-          # Instead of trying to work around it, disable the Debug job until
-          # something beefier (i.e. a heavy self-hosted runner) becomes
-          # available.
-          # - Debug
-    runs-on: windows-2019
-    env:
-      build_dir: .build
-    steps:
-      - name: checkout
-        uses: actions/checkout@v4
-      - name: choose Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: 3.9
-      - name: learn Python cache directory
-        id: pip-cache
-        shell: bash
-        run: |
-          python -m pip install --upgrade pip
-          echo "dir=$(pip cache dir)" | tee ${GITHUB_OUTPUT}
-      - name: restore Python cache directory
-        uses: actions/cache@v4
-        with:
-            path: ${{ steps.pip-cache.outputs.dir }}
-            key: ${{ runner.os }}-${{ hashFiles('.github/workflows/windows.yml') }}
-      - name: install Conan
-        run: pip install wheel 'conan<2'
-      - name: check environment
-        run: |
-          dir env:
-          $env:PATH -split ';'
-          python --version
-          conan --version
-          cmake --version
-      - name: configure Conan
-        shell: bash
-        run: |
-          conan profile new default --detect
-          conan profile update settings.compiler.cppstd=20 default
-          conan profile update settings.compiler.runtime=MT${{ matrix.configuration == 'Debug' && 'd' || '' }} default
-      - name: build dependencies
-        uses: ./.github/actions/dependencies
-        env:
-          CONAN_URL: http://18.143.149.228:8081/artifactory/api/conan/conan-non-prod
-          CONAN_LOGIN_USERNAME_RIPPLE: ${{ secrets.CONAN_USERNAME }}
-          CONAN_PASSWORD_RIPPLE: ${{ secrets.CONAN_TOKEN }}
-        with:
-          configuration: ${{ matrix.configuration }}
-      - name: build
-        uses: ./.github/actions/build
-        with:
-          generator: '${{ matrix.generator }}'
-          configuration: ${{ matrix.configuration }}
-          # Hard code for now. Move to the matrix if varied options are needed
-          cmake-args: '-Dassert=ON -Dreporting=OFF -Dunity=ON'
-          cmake-target: install
-      - name: test
-        shell: bash
-        run: |
-          ${build_dir}/${{ matrix.configuration }}/rippled --unittest --unittest-jobs $(nproc)

.gitignore

@@ -1,70 +1,52 @@
 # .gitignore
+# cspell: disable
 
-bin/boostbook_catalog.xml
-bin/config.log
-bin/project-cache.jam
-
-# Ignore vim swap files.
-*.swp
-
-# Ignore SCons support files.
-.sconsign.dblite
-
-# Ignore python compiled files.
-*.pyc
-
-# Ignore Macintosh Desktop Services Store files.
+# Macintosh Desktop Services Store files.
 .DS_Store
 
-# Ignore backup/temps
+# Build, intermediate, and temporary artifacts.
 *~
-
-# Ignore object files.
 *.o
-.nih_c
-tags
-TAGS
-GTAGS
-GRTAGS
-GPATH
-bin/rippled
-Debug/*.*
-Release/*.*
+*.pdb
+*.swp
+/.clangd
+Debug/
+Release/
+/.build/
+/.venv/
+/build/
+/db/
+/out.txt
+/Testing/
+/tmp/
+CMakeSettings.json
+CMakeUserPresets.json
 
-# Ignore coverage files.
+# Coverage files.
 *.gcno
 *.gcda
 *.gcov
 
-# Levelization checking
-Builds/levelization/results/rawincludes.txt
-Builds/levelization/results/paths.txt
-Builds/levelization/results/includes/
-Builds/levelization/results/includedby/
+# Profiling data.
+gmon.out
 
-# Ignore tmp directory.
-tmp
+# Levelization data.
+.github/scripts/levelization/results/*
+!.github/scripts/levelization/results/loops.txt
+!.github/scripts/levelization/results/ordering.txt
 
-# Ignore database directory.
-db/
-db/*.db
-db/*.db-*
+# Customized configs.
+/rippled.cfg
+/xrpld.cfg
+/validators.txt
 
-# Ignore debug logs
-debug_log.txt
+# Locally patched Conan recipes
+external/conan-center-index/
 
-# Ignore customized configs
-rippled.cfg
-validators.txt
+# Local conan directory
+.conan
 
-# Doxygen generated documentation output
-HtmlDocumentation
-docs/html_doc
-
-# Xcode user-specific project settings
-# Xcode
-.DS_Store
-/build/
+# XCode IDE.
 *.pbxuser
 !default.pbxuser
 *.mode1v3
@@ -77,38 +59,30 @@ xcuserdata
 profile
 *.moved-aside
 DerivedData
-.idea/
 *.hmap
 
-# Intel Parallel Studio 2013 XE
-My Amplifier XE Results - RippleD
+# JetBrains IDE.
+/.idea/
 
-# Compiler intermediate output
-/out.txt
+# Microsoft Visual Studio IDE.
+/.vs/
+/.vscode/
 
-# Build Log
-rippled-build.log
+# zed IDE.
+/.zed/
 
-# Profiling data
-gmon.out
+# AI tools.
+/.agent
+/.agents
+/.augment
+/.claude
+/CLAUDE.md
 
-Builds/VisualStudio2015/*.db
-Builds/VisualStudio2015/*.user
-Builds/VisualStudio2015/*.opendb
-Builds/VisualStudio2015/*.sdf
+# Python
+__pycache__
 
-# MSVC
-*.pdb
-.vs/
-CMakeSettings.json
-compile_commands.json
-.clangd
-packages
-pkg_out
-pkg
-CMakeUserPresets.json
-bld.rippled/
-.vscode
+# Direnv's directory
+/.direnv
 
-# Suggested in-tree build directory
-/.build/
+# clangd cache
+/.cache

.pre-commit-config.yaml

@@ -1,6 +1,124 @@
-# .pre-commit-config.yaml
+# To run pre-commit hooks, first install pre-commit:
+# - `pip install pre-commit==${PRE_COMMIT_VERSION}`
+#
+# Then, run the following command to install the git hook scripts:
+# - `pre-commit install`
+# You can run all configured hooks against all files with:
+# - `pre-commit run --all-files`
+# To manually run a specific hook, use:
+# - `pre-commit run <hook_id> --all-files`
+# To run the hooks against only the staged files, use:
+# - `pre-commit run`
 repos:
-- repo: https://github.com/pre-commit/mirrors-clang-format
-  rev: v18.1.3
-  hooks:
-  - id: clang-format
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
+    hooks:
+      - id: check-added-large-files
+        args: [--maxkb=400, --enforce-all]
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-merge-conflict
+        args: [--assume-in-merge]
+
+  - repo: local
+    hooks:
+      - id: clang-tidy
+        name: "clang-tidy (enable with: TIDY=1)"
+        entry: ./bin/pre-commit/clang_tidy_check.py
+        language: python
+        types_or: [c++, c]
+        exclude: ^include/xrpl/protocol_autogen
+        pass_filenames: false # script determines the staged files itself
+      - id: fix-include-style
+        name: fix include style
+        entry: ./bin/pre-commit/fix_include_style.py
+        language: python
+        types_or: [c++, c]
+        exclude: ^include/xrpl/protocol_autogen/(transactions|ledger_entries)/
+
+  - repo: https://github.com/pre-commit/mirrors-clang-format
+    rev: dd18dad857d6133e90bbe478f4f2f22ec0030269 # frozen: v22.1.5
+    hooks:
+      - id: clang-format
+        args: [--style=file]
+        "types_or": [c++, c, proto]
+        exclude: ^include/xrpl/protocol_autogen/(transactions|ledger_entries)/
+
+  - repo: https://github.com/BlankSpruce/gersemi-pre-commit
+    rev: faadd6a9d852369ca94f4d15b2404c967ba8cb01 # frozen: 0.27.6
+    hooks:
+      - id: gersemi
+
+  - repo: https://github.com/rbubley/mirrors-prettier
+    rev: 515f543f5718ebfd6ce22e16708bb32c68ff96e1 # frozen: v3.8.3
+    hooks:
+      - id: prettier
+        args: [--end-of-line=auto]
+
+  - repo: https://github.com/psf/black-pre-commit-mirror
+    rev: 4160603246a6b365d4a2af661c6d71b0a0f50478 # frozen: 26.5.1
+    hooks:
+      - id: black
+
+  - repo: https://github.com/scop/pre-commit-shfmt
+    rev: 05c1426671b9237fb5e1444dd63aa5731bec0dfb # frozen: v3.13.1-1
+    hooks:
+      - id: shfmt
+        args: [--write, --indent=4, --case-indent=true]
+
+  - repo: local
+    hooks:
+      - id: format-inline-bash-workflows
+        name: "format `run:` blocks in workflows/actions"
+        entry: ./.github/scripts/format-inline-bash.py
+        language: python
+        files: ^\.github/(workflows|actions)/.*\.ya?ml$
+      - id: format-inline-bash-markdown
+        name: "format ```bash blocks in markdown"
+        entry: ./.github/scripts/format-inline-bash.py
+        language: python
+        files: \.md$
+
+  - repo: https://github.com/streetsidesoftware/cspell-cli
+    rev: 4643f154907327ee0a2c7038f0296e0dd77d9776 # frozen: v10.0.0
+    hooks:
+      - id: cspell # Spell check changed files
+        exclude: |
+          (?x)^(
+              .config/cspell.config.yaml|
+              include/xrpl/protocol_autogen/(transactions|ledger_entries)/.*
+          )$
+      - id: cspell # Spell check the commit message
+        name: check commit message spelling
+        args:
+          - --no-must-find-files
+          - --no-progress
+          - --no-summary
+          - --files
+          - .git/COMMIT_EDITMSG
+        stages: [commit-msg]
+
+  - repo: local
+    hooks:
+      - id: nix-fmt
+        name: Format Nix files
+        entry: |
+          bash -c '
+            if command -v nix &> /dev/null || [ "$GITHUB_ACTIONS" = "true" ]; then
+              nix --extra-experimental-features "nix-command flakes" fmt "$@"
+            else
+              echo "Skipping nix-fmt: nix not installed and not in GitHub Actions"
+              exit 0
+            fi
+          ' --
+        language: system
+        types:
+          - nix
+        pass_filenames: true
+
+exclude: |
+  (?x)^(
+      external/.*|
+      .github/scripts/levelization/results/.*\.txt|
+      src/tests/libxrpl/protocol_autogen/(transactions|ledger_entries)/.*
+  )$

.prettierignore

@@ -0,0 +1 @@
+external

API-CHANGELOG.md

@@ -4,125 +4,186 @@ This changelog is intended to list all updates to the [public API methods](https
 
 For info about how [API versioning](https://xrpl.org/request-formatting.html#api-versioning) works, including examples, please view the [XLS-22d spec](https://github.com/XRPLF/XRPL-Standards/discussions/54). For details about the implementation of API versioning, view the [implementation PR](https://github.com/XRPLF/rippled/pull/3155). API versioning ensures existing integrations and users continue to receive existing behavior, while those that request a higher API version will experience new behavior.
 
-The API version controls the API behavior you see. This includes what properties you see in responses, what parameters you're permitted to send in requests, and so on. You specify the API version in each of your requests. When a breaking change is introduced to the `rippled` API, a new version is released. To avoid breaking your code, you should set (or increase) your version when you're ready to upgrade.
-
-For a log of breaking changes, see the **API Version [number]** headings. In general, breaking changes are associated with a particular API Version number. For non-breaking changes, scroll to the **XRP Ledger version [x.y.z]** headings. Non-breaking changes are associated with a particular XRP Ledger (`rippled`) release.
-
-## API Version 2
-
-API version 2 is available in `rippled` version 2.0.0 and later. To use this API, clients specify `"api_version" : 2` in each request.
-
-#### Removed methods
-
-In API version 2, the following deprecated methods are no longer available: (https://github.com/XRPLF/rippled/pull/4759)
-
-- `tx_history` - Instead, use other methods such as `account_tx` or `ledger` with the `transactions` field set to `true`.
-- `ledger_header` - Instead, use the `ledger` method.
-
-#### Modifications to JSON transaction element in V2
-
-In API version 2, JSON elements for transaction output have been changed and made consistent for all methods which output transactions. (https://github.com/XRPLF/rippled/pull/4775)
-This helps to unify the JSON serialization format of transactions. (https://github.com/XRPLF/clio/issues/722, https://github.com/XRPLF/rippled/issues/4727)
-
-- JSON transaction element is named `tx_json`
-- Binary transaction element is named `tx_blob`
-- JSON transaction metadata element is named `meta`
-- Binary transaction metadata element is named `meta_blob`
-
-Additionally, these elements are now consistently available next to `tx_json` (i.e. sibling elements), where possible:
-
-- `hash` - Transaction ID. This data was stored inside transaction output in API version 1, but in API version 2 is a sibling element.
-- `ledger_index` - Ledger index (only set on validated ledgers)
-- `ledger_hash` - Ledger hash (only set on closed or validated ledgers)
-- `close_time_iso` - Ledger close time expressed in ISO 8601 time format (only set on validated ledgers)
-- `validated` - Bool element set to `true` if the transaction is in a validated ledger, otherwise `false`
-
-This change affects the following methods:
-
-- `tx` - Transaction data moved into element `tx_json` (was inline inside `result`) or, if binary output was requested, moved from `tx` to `tx_blob`. Renamed binary transaction metadata element (if it was requested) from `meta` to `meta_blob`. Changed location of `hash` and added new elements
-- `account_tx` - Renamed transaction element from `tx` to `tx_json`. Renamed binary transaction metadata element (if it was requested) from `meta` to `meta_blob`. Changed location of `hash` and added new elements
-- `transaction_entry` - Renamed transaction metadata element from `metadata` to `meta`. Changed location of `hash` and added new elements
-- `subscribe` - Renamed transaction element from `transaction` to `tx_json`. Changed location of `hash` and added new elements
-- `sign`, `sign_for`, `submit` and `submit_multisigned` - Changed location of `hash` element.
-
-#### Modification to `Payment` transaction JSON schema
-
-When reading Payments, the `Amount` field should generally **not** be used. Instead, use [delivered_amount](https://xrpl.org/partial-payments.html#the-delivered_amount-field) to see the amount that the Payment delivered. To clarify its meaning, the `Amount` field is being renamed to `DeliverMax`. (https://github.com/XRPLF/rippled/pull/4733)
-
-- In `Payment` transaction type, JSON RPC field `Amount` is renamed to `DeliverMax`. To enable smooth client transition, `Amount` is still handled, as described below: (https://github.com/XRPLF/rippled/pull/4733)
-  - On JSON RPC input (e.g. `submit_multisigned` etc. methods), `Amount` is recognized as an alias to `DeliverMax` for both API version 1 and version 2 clients.
-  - On JSON RPC input, submitting both `Amount` and `DeliverMax` fields is allowed _only_ if they are identical; otherwise such input is rejected with `rpcINVALID_PARAMS` error.
-  - On JSON RPC output (e.g. `subscribe`, `account_tx` etc. methods), `DeliverMax` is present in both API version 1 and version 2.
-  - On JSON RPC output, `Amount` is only present in API version 1 and _not_ in version 2.
-
-#### Modifications to account_info response
-
-- `signer_lists` is returned in the root of the response. (In API version 1, it was nested under `account_data`.) (https://github.com/XRPLF/rippled/pull/3770)
-- When using an invalid `signer_lists` value, the API now returns an "invalidParams" error. (https://github.com/XRPLF/rippled/pull/4585)
-  - (`signer_lists` must be a boolean. In API version 1, strings were accepted and may return a normal response - i.e. as if `signer_lists` were `true`.)
-
-#### Modifications to [account_tx](https://xrpl.org/account_tx.html#account_tx) response
-
-- Using `ledger_index_min`, `ledger_index_max`, and `ledger_index` returns `invalidParams` because if you use `ledger_index_min` or `ledger_index_max`, then it does not make sense to also specify `ledger_index`. In API version 1, no error was returned. (https://github.com/XRPLF/rippled/pull/4571)
-  - The same applies for `ledger_index_min`, `ledger_index_max`, and `ledger_hash`. (https://github.com/XRPLF/rippled/issues/4545#issuecomment-1565065579)
-- Using a `ledger_index_min` or `ledger_index_max` beyond the range of ledgers that the server has:
-  - returns `lgrIdxMalformed` in API version 2. Previously, in API version 1, no error was returned. (https://github.com/XRPLF/rippled/issues/4288)
-- Attempting to use a non-boolean value (such as a string) for the `binary` or `forward` parameters returns `invalidParams` (`rpcINVALID_PARAMS`). Previously, in API version 1, no error was returned. (https://github.com/XRPLF/rippled/pull/4620)
-
-#### Modifications to [noripple_check](https://xrpl.org/noripple_check.html#noripple_check) response
-
-- Attempting to use a non-boolean value (such as a string) for the `transactions` parameter returns `invalidParams` (`rpcINVALID_PARAMS`). Previously, in API version 1, no error was returned. (https://github.com/XRPLF/rippled/pull/4620)
-
-## API Version 1
-
-This version is supported by all `rippled` versions. For WebSocket and HTTP JSON-RPC requests, it is currently the default API version used when no `api_version` is specified.
+The API version controls the API behavior you see. This includes what properties you see in responses, what parameters you're permitted to send in requests, and so on. You specify the API version in each of your requests. When a breaking change is introduced to the `xrpld` API, a new version is released. To avoid breaking your code, you should set (or increase) your version when you're ready to upgrade.
 
 The [commandline](https://xrpl.org/docs/references/http-websocket-apis/api-conventions/request-formatting/#commandline-format) always uses the latest API version. The command line is intended for ad-hoc usage by humans, not programs or automated scripts. The command line is not meant for use in production code.
 
-### Inconsistency: server_info - network_id
+For a log of breaking changes, see the **API Version [number]** headings. In general, breaking changes are associated with a particular API Version number. For non-breaking changes, scroll to the **XRP Ledger version [x.y.z]** headings. Non-breaking changes are associated with a particular XRP Ledger (`xrpld`) release.
 
-The `network_id` field was added in the `server_info` response in version 1.5.0 (2019), but it is not returned in [reporting mode](https://xrpl.org/rippled-server-modes.html#reporting-mode). However, use of reporting mode is now discouraged, in favor of using [Clio](https://github.com/XRPLF/clio) instead.
+## API Version 3 (Beta)
+
+API version 3 is currently a beta API. It requires enabling `[beta_rpc_api]` in the xrpld configuration to use. See [API-VERSION-3.md](API-VERSION-3.md) for the full list of changes in API version 3.
+
+## API Version 2
+
+API version 2 is available in `xrpld` version 2.0.0 and later. See [API-VERSION-2.md](API-VERSION-2.md) for the full list of changes in API version 2.
+
+## API Version 1
+
+This version is supported by all `xrpld` versions. For WebSocket and HTTP JSON-RPC requests, it is currently the default API version used when no `api_version` is specified.
+
+## Unreleased
+
+This section contains changes targeting a future version.
+
+### Additions
+
+- `ledger_entry`, `account_objects`: The `Delegate` ledger entry now includes an optional `DestinationNode` field, which stores the index into the authorized account's owner directory. This field is present on entries created after bidirectional directory tracking was introduced and may appear in RPC responses for those entries. ([#6681](https://github.com/XRPLF/rippled/pull/6681))
+
+- `server_definitions`: Added the following new sections to the response ([#6321](https://github.com/XRPLF/rippled/pull/6321)):
+  - `TRANSACTION_FORMATS`: Describes the fields and their optionality for each transaction type, including common fields shared across all transactions.
+  - `LEDGER_ENTRY_FORMATS`: Describes the fields and their optionality for each ledger entry type, including common fields shared across all ledger entries.
+  - `TRANSACTION_FLAGS`: Maps transaction type names to their supported flags and flag values.
+  - `LEDGER_ENTRY_FLAGS`: Maps ledger entry type names to their flags and flag values.
+  - `ACCOUNT_SET_FLAGS`: Maps AccountSet flag names (asf flags) to their numeric values.
+
+### Bugfixes
+
+- Peer Crawler: The `port` field in `overlay.active[]` now consistently returns an integer instead of a string for outbound peers. [#6318](https://github.com/XRPLF/rippled/pull/6318)
+- `ping`: The `ip` field is no longer returned as an empty string for proxied connections without a forwarded-for header. It is now omitted, consistent with the behavior for identified connections. [#6730](https://github.com/XRPLF/rippled/pull/6730)
+- gRPC `GetLedgerDiff`: Fixed error message that incorrectly said "base ledger not validated" when the desired ledger was not validated. [#6730](https://github.com/XRPLF/rippled/pull/6730)
+- `account_channels`: The `destination_account` field now returns an error if the value is not a string. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `subscribe`: The `taker` field in the `books` array now returns an error if the value is not a string. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `account_info`: The `urlgravatar` field now uses HTTPS instead of HTTP. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `ledger`: The `full`, `accounts`, `transactions`, `expand`, `binary`, `owner_funds`, and `queue` fields now return an error if the value is not a boolean. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `ledger_data`: The `binary` field now returns an error if the value is not a boolean. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `submit`: The `fail_hard` field now returns an error if the value is not a boolean. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `subscribe`: The `taker` field in the `books` array now returns `actMalformed` instead of `badIssuer` if the value is not a valid account. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- Fixed a bug in `Forwarded` HTTP header parsing where the extracted IP address could be incorrect when no comma or semicolon delimiter follows the address. This could cause the server to misidentify a client's IP address when operating behind a reverse proxy. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+
+## XRP Ledger server version 3.1.0
+
+[Version 3.1.0](https://github.com/XRPLF/rippled/releases/tag/3.1.0) was released on Jan 27, 2026.
+
+### Additions in 3.1.0
+
+- `vault_info`: New RPC method to retrieve information about a specific vault (part of XLS-66 Lending Protocol). ([#6156](https://github.com/XRPLF/rippled/pull/6156))
+
+## XRP Ledger server version 3.0.0
+
+[Version 3.0.0](https://github.com/XRPLF/rippled/releases/tag/3.0.0) was released on Dec 9, 2025.
+
+### Additions in 3.0.0
+
+- `ledger_entry`: Supports all ledger entry types with dedicated parsers. ([#5237](https://github.com/XRPLF/rippled/pull/5237))
+- `ledger_entry`: New error codes `entryNotFound` and `unexpectedLedgerType` for more specific error handling. ([#5237](https://github.com/XRPLF/rippled/pull/5237))
+- `ledger_entry`: Improved error messages with more context (e.g., specifying which field is invalid or missing). ([#5237](https://github.com/XRPLF/rippled/pull/5237))
+- `ledger_entry`: Assorted bug fixes in RPC processing. ([#5237](https://github.com/XRPLF/rippled/pull/5237))
+- `simulate`: Supports additional metadata in the response. ([#5754](https://github.com/XRPLF/rippled/pull/5754))
+
+## XRP Ledger server version 2.6.2
+
+[Version 2.6.2](https://github.com/XRPLF/rippled/releases/tag/2.6.2) was released on Nov 19, 2025.
+
+This release contains bug fixes only and no API changes.
+
+## XRP Ledger server version 2.6.1
+
+[Version 2.6.1](https://github.com/XRPLF/rippled/releases/tag/2.6.1) was released on Sep 30, 2025.
+
+This release contains bug fixes only and no API changes.
+
+## XRP Ledger server version 2.6.0
+
+[Version 2.6.0](https://github.com/XRPLF/rippled/releases/tag/2.6.0) was released on Aug 27, 2025.
+
+### Additions in 2.6.0
+
+- `account_info`: Added `allowTrustLineLocking` flag in response. ([#5525](https://github.com/XRPLF/rippled/pull/5525))
+- `ledger`: Removed the type filter from the RPC command. ([#4934](https://github.com/XRPLF/rippled/pull/4934))
+- `subscribe` (`validations` stream): `network_id` is now included. ([#5579](https://github.com/XRPLF/rippled/pull/5579))
+- `subscribe` (`transactions` stream): `nftoken_id`, `nftoken_ids`, and `offer_id` are now included in transaction metadata. ([#5230](https://github.com/XRPLF/rippled/pull/5230))
+
+## XRP Ledger server version 2.5.1
+
+[Version 2.5.1](https://github.com/XRPLF/rippled/releases/tag/2.5.1) was released on Sep 17, 2025.
+
+This release contains bug fixes only and no API changes.
+
+## XRP Ledger server version 2.5.0
+
+[Version 2.5.0](https://github.com/XRPLF/rippled/releases/tag/2.5.0) was released on Jun 24, 2025.
+
+### Additions and bugfixes in 2.5.0
+
+- `tx`: Added `ctid` field to the response and improved error handling. ([#4738](https://github.com/XRPLF/rippled/pull/4738))
+- `ledger_entry`: Improved error messages in `permissioned_domain`. ([#5344](https://github.com/XRPLF/rippled/pull/5344))
+- `simulate`: Improved multi-sign usage. ([#5479](https://github.com/XRPLF/rippled/pull/5479))
+- `channel_authorize`: If `signing_support` is not enabled in the config, the RPC is disabled. ([#5385](https://github.com/XRPLF/rippled/pull/5385))
+- `subscribe` (admin): Removed webhook queue limit to prevent dropping notifications; reduced HTTP timeout from 10 minutes to 30 seconds. ([#5163](https://github.com/XRPLF/rippled/pull/5163))
+- `ledger_data` (gRPC): Fixed crashing issue with some invalid markers. ([#5137](https://github.com/XRPLF/rippled/pull/5137))
+- `account_lines`: Fixed error with `no_ripple` and `no_ripple_peer` sometimes showing up incorrectly. ([#5345](https://github.com/XRPLF/rippled/pull/5345))
+- `account_tx`: Fixed issue with incorrect CTIDs. ([#5408](https://github.com/XRPLF/rippled/pull/5408))
 
 ## XRP Ledger server version 2.4.0
 
-### Addition in 2.4
+[Version 2.4.0](https://github.com/XRPLF/rippled/releases/tag/2.4.0) was released on March 4, 2025.
 
-- `ledger_entry`: `state` is added an alias for `ripple_state`.
+### Additions and bugfixes in 2.4.0
+
+- `simulate`: A new RPC that executes a [dry run of a transaction submission](https://github.com/XRPLF/XRPL-Standards/tree/master/XLS-0069d-simulate#2-rpc-simulate). ([#5069](https://github.com/XRPLF/rippled/pull/5069))
+- Signing methods (`sign`, `sign_for`, `submit`): Autofill fees better, properly handle transactions without a base fee, and autofill the `NetworkID` field. ([#5069](https://github.com/XRPLF/rippled/pull/5069))
+- `ledger_entry`: `state` is added as an alias for `ripple_state`. ([#5199](https://github.com/XRPLF/rippled/pull/5199))
+- `ledger`, `ledger_data`, `account_objects`: Support filtering ledger entry types by their canonical names (case-insensitive). ([#5271](https://github.com/XRPLF/rippled/pull/5271))
+- `validators`: Added new field `validator_list_threshold` in response. ([#5112](https://github.com/XRPLF/rippled/pull/5112))
+- `server_info`: Added git commit hash info on admin connection. ([#5225](https://github.com/XRPLF/rippled/pull/5225))
+- `server_definitions`: Changed larger `UInt` serialized types to `Hash`. ([#5231](https://github.com/XRPLF/rippled/pull/5231))
+
+## XRP Ledger server version 2.3.1
+
+[Version 2.3.1](https://github.com/XRPLF/rippled/releases/tag/2.3.1) was released on Jan 29, 2025.
+
+This release contains bug fixes only and no API changes.
 
 ## XRP Ledger server version 2.3.0
 
-### Breaking change in 2.3
+[Version 2.3.0](https://github.com/XRPLF/rippled/releases/tag/2.3.0) was released on Nov 25, 2024.
 
-- `book_changes`: If the requested ledger version is not available on this node, a `ledgerNotFound` error is returned and the node does not attempt to acquire the ledger from the p2p network (as with other non-admin RPCs).
+### Breaking changes in 2.3.0
 
-Admins can still attempt to retrieve old ledgers with the `ledger_request` RPC.
+- `book_changes`: If the requested ledger version is not available on this node, a `ledgerNotFound` error is returned and the node does not attempt to acquire the ledger from the p2p network (as with other non-admin RPCs). Admins can still attempt to retrieve old ledgers with the `ledger_request` RPC.
 
-### Addition in 2.3
+### Additions and bugfixes in 2.3.0
 
-- `book_changes`: Returns a `validated` field in its response, which was missing in prior versions.
-
-The following additions are non-breaking (because they are purely additive).
-
-- `server_definitions`: A new RPC that generates a `definitions.json`-like output that can be used in XRPL libraries.
-- In `Payment` transactions, `DeliverMax` has been added. This is a replacement for the `Amount` field, which should not be used. Typically, the `delivered_amount` (in transaction metadata) should be used. To ease the transition, `DeliverMax` is present regardless of API version, since adding a field is non-breaking.
-- API version 2 has been moved from beta to supported, meaning that it is generally available (regardless of the `beta_rpc_api` setting).
+- `book_changes`: Returns a `validated` field in its response. ([#5096](https://github.com/XRPLF/rippled/pull/5096))
+- `book_changes`: Accepts shortcut strings (`current`, `closed`, `validated`) for the `ledger_index` parameter. ([#5096](https://github.com/XRPLF/rippled/pull/5096))
+- `server_definitions`: Include `index` in response. ([#5190](https://github.com/XRPLF/rippled/pull/5190))
+- `account_nfts`: Fix issue where unassociated marker would return incorrect results. ([#5045](https://github.com/XRPLF/rippled/pull/5045))
+- `account_objects`: Fix issue where invalid marker would not return an error. ([#5046](https://github.com/XRPLF/rippled/pull/5046))
+- `account_objects`: Disallow filtering by ledger entry types that an account cannot hold. ([#5056](https://github.com/XRPLF/rippled/pull/5056))
+- `tx`: Allow lowercase CTID. ([#5049](https://github.com/XRPLF/rippled/pull/5049))
+- `feature`: Better error handling for invalid values of `feature`. ([#5063](https://github.com/XRPLF/rippled/pull/5063))
 
 ## XRP Ledger server version 2.2.0
 
-The following is a non-breaking addition to the API.
+[Version 2.2.0](https://github.com/XRPLF/rippled/releases/tag/2.2.0) was released on Jun 5, 2024. The following additions are non-breaking (because they are purely additive):
 
-- The `feature` method now has a non-admin mode for users. (It was previously only available to admin connections.) The method returns an updated list of amendments, including their names and other information. ([#4781](https://github.com/XRPLF/rippled/pull/4781))
+- `feature`: Add a non-admin mode for users. (It was previously only available to admin connections.) The method returns an updated list of amendments, including their names and other information. ([#4781](https://github.com/XRPLF/rippled/pull/4781))
+
+## XRP Ledger server version 2.0.1
+
+[Version 2.0.1](https://github.com/XRPLF/rippled/releases/tag/2.0.1) was released on Jan 29, 2024. The following additions are non-breaking:
+
+- `path_find`: Fixes unbounded memory growth. ([#4822](https://github.com/XRPLF/rippled/pull/4822))
+
+## XRP Ledger server version 2.0.0
+
+[Version 2.0.0](https://github.com/XRPLF/rippled/releases/tag/2.0.0) was released on Jan 9, 2024. The following additions are non-breaking (because they are purely additive):
+
+- `server_definitions`: A new RPC that generates a `definitions.json`-like output that can be used in XRPL libraries.
+- In `Payment` transactions, `DeliverMax` has been added. This is a replacement for the `Amount` field, which should not be used. Typically, the `delivered_amount` (in transaction metadata) should be used. To ease the transition, `DeliverMax` is present regardless of API version, since adding a field is non-breaking.
+- API version 2 has been moved from beta to supported, meaning that it is generally available (regardless of the `beta_rpc_api` setting). The full list of changes is in [API-VERSION-2.md](API-VERSION-2.md).
 
 ## XRP Ledger server version 1.12.0
 
-[Version 1.12.0](https://github.com/XRPLF/rippled/releases/tag/1.12.0) was released on Sep 6, 2023. The following additions are non-breaking (because they are purely additive).
+[Version 1.12.0](https://github.com/XRPLF/rippled/releases/tag/1.12.0) was released on Sep 6, 2023. The following additions are non-breaking (because they are purely additive):
 
-- `server_info`: Added `ports`, an array which advertises the RPC and WebSocket ports. This information is also included in the `/crawl` endpoint (which calls `server_info` internally). `grpc` and `peer` ports are also included. (https://github.com/XRPLF/rippled/pull/4427)
+- `server_info`: Added `ports`, an array which advertises the RPC and WebSocket ports. This information is also included in the `/crawl` endpoint (which calls `server_info` internally). `grpc` and `peer` ports are also included. ([#4427](https://github.com/XRPLF/rippled/pull/4427))
   - `ports` contains objects, each containing a `port` for the listening port (a number string), and a `protocol` array listing the supported protocols on that port.
   - This allows crawlers to build a more detailed topology without needing to port-scan nodes.
   - (For peers and other non-admin clients, the info about admin ports is excluded.)
-- Clawback: The following additions are gated by the Clawback amendment (`featureClawback`). (https://github.com/XRPLF/rippled/pull/4553)
-  - Adds an [AccountRoot flag](https://xrpl.org/accountroot.html#accountroot-flags) called `lsfAllowTrustLineClawback` (https://github.com/XRPLF/rippled/pull/4617)
+- Clawback: The following additions are gated by the Clawback amendment (`featureClawback`). ([#4553](https://github.com/XRPLF/rippled/pull/4553))
+  - Adds an [AccountRoot flag](https://xrpl.org/accountroot.html#accountroot-flags) called `lsfAllowTrustLineClawback`. ([#4617](https://github.com/XRPLF/rippled/pull/4617))
     - Adds the corresponding `asfAllowTrustLineClawback` [AccountSet Flag](https://xrpl.org/accountset.html#accountset-flags) as well.
     - Clawback is disabled by default, so if an issuer desires the ability to claw back funds, they must use an `AccountSet` transaction to set the AllowTrustLineClawback flag. They must do this before creating any trust lines, offers, escrows, payment channels, or checks.
   - Adds the [Clawback transaction type](https://github.com/XRPLF/XRPL-Standards/blob/master/XLS-39d-clawback/README.md#331-clawback-transaction), containing these fields:
@@ -157,16 +218,16 @@ The following is a non-breaking addition to the API.
 
 ### Breaking changes in 1.11
 
-- Added the ability to mark amendments as obsolete. For the `feature` admin API, there is a new possible value for the `vetoed` field. (https://github.com/XRPLF/rippled/pull/4291)
+- Added the ability to mark amendments as obsolete. For the `feature` admin API, there is a new possible value for the `vetoed` field. ([#4291](https://github.com/XRPLF/rippled/pull/4291))
   - The value of `vetoed` can now be `true`, `false`, or `"Obsolete"`.
-- Removed the acceptance of seeds or public keys in place of account addresses. (https://github.com/XRPLF/rippled/pull/4404)
+- Removed the acceptance of seeds or public keys in place of account addresses. ([#4404](https://github.com/XRPLF/rippled/pull/4404))
   - This simplifies the API and encourages better security practices (i.e. seeds should never be sent over the network).
-- For the `ledger_data` method, when all entries are filtered out, the `state` field of the response is now an empty list (in other words, an empty array, `[]`). (Previously, it would return `null`.) While this is technically a breaking change, the new behavior is consistent with the documentation, so this is considered only a bug fix. (https://github.com/XRPLF/rippled/pull/4398)
+- For the `ledger_data` method, when all entries are filtered out, the `state` field of the response is now an empty list (in other words, an empty array, `[]`). (Previously, it would return `null`.) While this is technically a breaking change, the new behavior is consistent with the documentation, so this is considered only a bug fix. ([#4398](https://github.com/XRPLF/rippled/pull/4398))
 - If and when the `fixNFTokenRemint` amendment activates, there will be a new AccountRoot field, `FirstNFTSequence`. This field is set to the current account sequence when the account issues their first NFT. If an account has not issued any NFTs, then the field is not set. ([#4406](https://github.com/XRPLF/rippled/pull/4406))
   - There is a new account deletion restriction: an account can only be deleted if `FirstNFTSequence` + `MintedNFTokens` + `256` is less than the current ledger sequence.
   - This is potentially a breaking change if clients have logic for determining whether an account can be deleted.
 - NetworkID
-  - For sidechains and networks with a network ID greater than 1024, there is a new [transaction common field](https://xrpl.org/transaction-common-fields.html), `NetworkID`. (https://github.com/XRPLF/rippled/pull/4370)
+  - For sidechains and networks with a network ID greater than 1024, there is a new [transaction common field](https://xrpl.org/transaction-common-fields.html), `NetworkID`. ([#4370](https://github.com/XRPLF/rippled/pull/4370))
     - This field helps to prevent replay attacks and is now required for chains whose network ID is 1025 or higher.
     - The field must be omitted for Mainnet, so there is no change for Mainnet users.
   - There are three new local error codes:
@@ -176,10 +237,10 @@ The following is a non-breaking addition to the API.
 
 ### Additions and bug fixes in 1.11
 
-- Added `nftoken_id`, `nftoken_ids` and `offer_id` meta fields into NFT `tx` and `account_tx` responses. (https://github.com/XRPLF/rippled/pull/4447)
-- Added an `account_flags` object to the `account_info` method response. (https://github.com/XRPLF/rippled/pull/4459)
-- Added `NFTokenPages` to the `account_objects` RPC. (https://github.com/XRPLF/rippled/pull/4352)
-- Fixed: `marker` returned from the `account_lines` command would not work on subsequent commands. (https://github.com/XRPLF/rippled/pull/4361)
+- Added `nftoken_id`, `nftoken_ids` and `offer_id` meta fields into NFT `tx` and `account_tx` responses. ([#4447](https://github.com/XRPLF/rippled/pull/4447))
+- Added an `account_flags` object to the `account_info` method response. ([#4459](https://github.com/XRPLF/rippled/pull/4459))
+- Added `NFTokenPages` to the `account_objects` RPC. ([#4352](https://github.com/XRPLF/rippled/pull/4352))
+- Fixed: `marker` returned from the `account_lines` command would not work on subsequent commands. ([#4361](https://github.com/XRPLF/rippled/pull/4361))
 
 ## XRP Ledger server version 1.10.0
 

API-VERSION-2.md

@@ -0,0 +1,66 @@
+# API Version 2
+
+API version 2 is available in `xrpld` version 2.0.0 and later. To use this API, clients specify `"api_version" : 2` in each request.
+
+For info about how [API versioning](https://xrpl.org/request-formatting.html#api-versioning) works, including examples, please view the [XLS-22d spec](https://github.com/XRPLF/XRPL-Standards/discussions/54). For details about the implementation of API versioning, view the [implementation PR](https://github.com/XRPLF/rippled/pull/3155). API versioning ensures existing integrations and users continue to receive existing behavior, while those that request a higher API version will experience new behavior.
+
+## Removed methods
+
+In API version 2, the following deprecated methods are no longer available: ([#4759](https://github.com/XRPLF/rippled/pull/4759))
+
+- `tx_history` - Instead, use other methods such as `account_tx` or `ledger` with the `transactions` field set to `true`.
+- `ledger_header` - Instead, use the `ledger` method.
+
+## Modifications to JSON transaction element in API version 2
+
+In API version 2, JSON elements for transaction output have been changed and made consistent for all methods which output transactions. ([#4775](https://github.com/XRPLF/rippled/pull/4775))
+This helps to unify the JSON serialization format of transactions. ([clio#722](https://github.com/XRPLF/clio/issues/722), [#4727](https://github.com/XRPLF/rippled/issues/4727))
+
+- JSON transaction element is named `tx_json`
+- Binary transaction element is named `tx_blob`
+- JSON transaction metadata element is named `meta`
+- Binary transaction metadata element is named `meta_blob`
+
+Additionally, these elements are now consistently available next to `tx_json` (i.e. sibling elements), where possible:
+
+- `hash` - Transaction ID. This data was stored inside transaction output in API version 1, but in API version 2 is a sibling element.
+- `ledger_index` - Ledger index (only set on validated ledgers)
+- `ledger_hash` - Ledger hash (only set on closed or validated ledgers)
+- `close_time_iso` - Ledger close time expressed in ISO 8601 time format (only set on validated ledgers)
+- `validated` - Bool element set to `true` if the transaction is in a validated ledger, otherwise `false`
+
+This change affects the following methods:
+
+- `tx` - Transaction data moved into element `tx_json` (was inline inside `result`) or, if binary output was requested, moved from `tx` to `tx_blob`. Renamed binary transaction metadata element (if it was requested) from `meta` to `meta_blob`. Changed location of `hash` and added new elements
+- `account_tx` - Renamed transaction element from `tx` to `tx_json`. Renamed binary transaction metadata element (if it was requested) from `meta` to `meta_blob`. Changed location of `hash` and added new elements
+- `transaction_entry` - Renamed transaction metadata element from `metadata` to `meta`. Changed location of `hash` and added new elements
+- `subscribe` - Renamed transaction element from `transaction` to `tx_json`. Changed location of `hash` and added new elements
+- `sign`, `sign_for`, `submit` and `submit_multisigned` - Changed location of `hash` element.
+
+## Modifications to `Payment` transaction JSON schema
+
+When reading Payments, the `Amount` field should generally **not** be used. Instead, use [delivered_amount](https://xrpl.org/partial-payments.html#the-delivered_amount-field) to see the amount that the Payment delivered. To clarify its meaning, the `Amount` field is being renamed to `DeliverMax`. ([#4733](https://github.com/XRPLF/rippled/pull/4733))
+
+- In `Payment` transaction type, JSON RPC field `Amount` is renamed to `DeliverMax`. To enable smooth client transition, `Amount` is still handled, as described below: ([#4733](https://github.com/XRPLF/rippled/pull/4733))
+  - On JSON RPC input (e.g. `submit_multisigned` etc. methods), `Amount` is recognized as an alias to `DeliverMax` for both API version 1 and version 2 clients.
+  - On JSON RPC input, submitting both `Amount` and `DeliverMax` fields is allowed _only_ if they are identical; otherwise such input is rejected with `rpcINVALID_PARAMS` error.
+  - On JSON RPC output (e.g. `subscribe`, `account_tx` etc. methods), `DeliverMax` is present in both API version 1 and version 2.
+  - On JSON RPC output, `Amount` is only present in API version 1 and _not_ in version 2.
+
+## Modifications to account_info response
+
+- `signer_lists` is returned in the root of the response. (In API version 1, it was nested under `account_data`.) ([#3770](https://github.com/XRPLF/rippled/pull/3770))
+- When using an invalid `signer_lists` value, the API now returns an "invalidParams" error. ([#4585](https://github.com/XRPLF/rippled/pull/4585))
+  - (`signer_lists` must be a boolean. In API version 1, strings were accepted and may return a normal response - i.e. as if `signer_lists` were `true`.)
+
+## Modifications to [account_tx](https://xrpl.org/account_tx.html#account_tx) response
+
+- Using `ledger_index_min`, `ledger_index_max`, and `ledger_index` returns `invalidParams` because if you use `ledger_index_min` or `ledger_index_max`, then it does not make sense to also specify `ledger_index`. In API version 1, no error was returned. ([#4571](https://github.com/XRPLF/rippled/pull/4571))
+  - The same applies for `ledger_index_min`, `ledger_index_max`, and `ledger_hash`. ([#4545](https://github.com/XRPLF/rippled/issues/4545#issuecomment-1565065579))
+- Using a `ledger_index_min` or `ledger_index_max` beyond the range of ledgers that the server has:
+  - returns `lgrIdxMalformed` in API version 2. Previously, in API version 1, no error was returned. ([#4288](https://github.com/XRPLF/rippled/issues/4288))
+- Attempting to use a non-boolean value (such as a string) for the `binary` or `forward` parameters returns `invalidParams` (`rpcINVALID_PARAMS`). Previously, in API version 1, no error was returned. ([#4620](https://github.com/XRPLF/rippled/pull/4620))
+
+## Modifications to [noripple_check](https://xrpl.org/noripple_check.html#noripple_check) response
+
+- Attempting to use a non-boolean value (such as a string) for the `transactions` parameter returns `invalidParams` (`rpcINVALID_PARAMS`). Previously, in API version 1, no error was returned. ([#4620](https://github.com/XRPLF/rippled/pull/4620))

API-VERSION-3.md

@@ -0,0 +1,27 @@
+# API Version 3
+
+API version 3 is currently a **beta API**. It requires enabling `[beta_rpc_api]` in the xrpld configuration to use. To use this API, clients specify `"api_version" : 3` in each request.
+
+For info about how [API versioning](https://xrpl.org/request-formatting.html#api-versioning) works, including examples, please view the [XLS-22d spec](https://github.com/XRPLF/XRPL-Standards/discussions/54). For details about the implementation of API versioning, view the [implementation PR](https://github.com/XRPLF/rippled/pull/3155). API versioning ensures existing integrations and users continue to receive existing behavior, while those that request a higher API version will experience new behavior.
+
+## Breaking Changes
+
+### Modifications to `amm_info`
+
+The order of error checks has been changed to provide more specific error messages. ([#4924](https://github.com/XRPLF/rippled/pull/4924))
+
+- **Before (API v2)**: When sending an invalid account or asset to `amm_info` while other parameters are not set as expected, the method returns a generic `rpcINVALID_PARAMS` error.
+- **After (API v3)**: The same scenario returns a more specific error: `rpcISSUE_MALFORMED` for malformed assets or `rpcACT_MALFORMED` for malformed accounts.
+
+### Modifications to `ledger_entry`
+
+Added support for string shortcuts to look up fixed-location ledger entries using the `"index"` parameter. ([#5644](https://github.com/XRPLF/rippled/pull/5644))
+
+In API version 3, the following string values can be used with the `"index"` parameter:
+
+- `"index": "amendments"` - Returns the `Amendments` ledger entry
+- `"index": "fee"` - Returns the `FeeSettings` ledger entry
+- `"index": "nunl"` - Returns the `NegativeUNL` ledger entry
+- `"index": "hashes"` - Returns the "short" `LedgerHashes` ledger entry (recent ledger hashes)
+
+These shortcuts are only available in API version 3 and later. In API versions 1 and 2, these string values would result in an error.

BUILD.md

@@ -1,31 +1,31 @@
-| :warning: **WARNING** :warning:
-|---|
+| :warning: **WARNING** :warning:                                                                                                                                                                                                |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
 | These instructions assume you have a C++ development environment ready with Git, Python, Conan, CMake, and a C++ compiler. For help setting one up on Linux, macOS, or Windows, [see this guide](./docs/build/environment.md). |
 
 > These instructions also assume a basic familiarity with Conan and CMake.
-> If you are unfamiliar with Conan,
-> you can read our [crash course](./docs/build/conan.md)
-> or the official [Getting Started][3] walkthrough.
+> If you are unfamiliar with Conan, you can read our
+> [crash course](./docs/build/conan.md) or the official [Getting Started][3]
+> walkthrough.
 
 ## Branches
 
 For a stable release, choose the `master` branch or one of the [tagged
-releases](https://github.com/ripple/rippled/releases).
+releases](https://github.com/XRPLF/rippled/releases).
 
-```
+```bash
 git checkout master
 ```
 
 For the latest release candidate, choose the `release` branch.
 
-```
+```bash
 git checkout release
 ```
 
 For the latest set of untested features, or to contribute, choose the `develop`
 branch.
 
-```
+```bash
 git checkout develop
 ```
 
@@ -33,176 +33,329 @@ git checkout develop
 
 See [System Requirements](https://xrpl.org/system-requirements.html).
 
-Building rippled generally requires git, Python, Conan, CMake, and a C++ compiler. Some guidance on setting up such a [C++ development environment can be found here](./docs/build/environment.md).
+Building xrpld generally requires git, Python, Conan, CMake, and a C++
+compiler. Some guidance on setting up such a [C++ development environment can be
+found here](./docs/build/environment.md).
 
-- [Python 3.7](https://www.python.org/downloads/)
-- [Conan 1.60](https://conan.io/downloads.html)[^1]
-- [CMake 3.16](https://cmake.org/download/)
+- [Python 3.11](https://www.python.org/downloads/), or higher
+- [Conan 2.17](https://conan.io/downloads.html)[^1], or higher
+- [CMake 3.22](https://cmake.org/download/), or higher
 
-[^1]: It is possible to build with Conan 2.x,
-but the instructions are significantly different,
-which is why we are not recommending it yet.
-Notably, the `conan profile update` command is removed in 2.x.
-Profiles must be edited by hand.
+[^1]:
+    It is possible to build with Conan 1.60+, but the instructions are
+    significantly different, which is why we are not recommending it.
 
-`rippled` is written in the C++20 dialect and includes the `<concepts>` header.
-The [minimum compiler versions][2] required are:
+`xrpld` is written in the C++23 dialect and includes the `<concepts>` header.
+The [tested compiler versions][2] are:
 
-| Compiler    | Version |
-|-------------|---------|
-| GCC         | 11      |
-| Clang       | 13      |
-| Apple Clang | 13.1.6  |
-| MSVC        | 19.23   |
+| Compiler    | Version   |
+| ----------- | --------- |
+| GCC         | 15        |
+| Clang       | 22        |
+| Apple Clang | 17        |
+| MSVC        | 19.44[^3] |
 
 ### Linux
 
-The Ubuntu operating system has received the highest level of
-quality assurance, testing, and support.
+The Ubuntu Linux distribution has received the highest level of quality
+assurance, testing, and support. We also support Red Hat and use Debian
+internally.
 
-Here are [sample instructions for setting up a C++ development environment on Linux](./docs/build/environment.md#linux).
+Here are [sample instructions for setting up a C++ development environment on
+Linux](./docs/build/environment.md#linux).
 
 ### Mac
 
-Many rippled engineers use macOS for development.
+Many xrpld engineers use macOS for development.
 
-Here are [sample instructions for setting up a C++ development environment on macOS](./docs/build/environment.md#macos).
+Here are [sample instructions for setting up a C++ development environment on
+macOS](./docs/build/environment.md#macos).
 
 ### Windows
 
-Windows is not recommended for production use at this time.
+Windows is used by some engineers for development only.
 
-- Additionally, 32-bit Windows development is not supported.
-
-[Boost]: https://www.boost.org/
+[^3]: Windows is not recommended for production use.
 
 ## Steps
 
 ### Set Up Conan
 
-After you have a [C++ development environment](./docs/build/environment.md) ready with Git, Python, Conan, CMake, and a C++ compiler, you may need to set up your Conan profile.
+After you have a [C++ development environment](./docs/build/environment.md) ready with Git, Python,
+Conan, CMake, and a C++ compiler, you may need to set up your Conan profile.
 
-These instructions assume a basic familiarity with Conan and CMake.
+These instructions assume a basic familiarity with Conan and CMake. If you are
+unfamiliar with Conan, then please read [this crash course](./docs/build/conan.md) or the official
+[Getting Started][3] walkthrough.
 
-If you are unfamiliar with Conan, then please read [this crash course](./docs/build/conan.md) or the official [Getting Started][3] walkthrough.
+#### Conan lockfile
 
-You'll need at least one Conan profile:
+To achieve reproducible dependencies, we use a [Conan lockfile](https://docs.conan.io/2/tutorial/versioning/lockfiles.html),
+which has to be updated every time dependencies change.
 
-   ```
-   conan profile new default --detect
-   ```
+Please see the [instructions on how to regenerate the lockfile](conan/lockfile/README.md).
 
-Update the compiler settings:
+#### Default profile
 
-   ```
-   conan profile update settings.compiler.cppstd=20 default
-   ```
+We recommend that you import the provided `conan/profiles/default` profile:
 
-Configure Conan (1.x only) to use recipe revisions:
-
-   ```
-   conan config set general.revisions_enabled=1
-   ```
-
-**Linux** developers will commonly have a default Conan [profile][] that compiles
-with GCC and links with libstdc++.
-If you are linking with libstdc++ (see profile setting `compiler.libcxx`),
-then you will need to choose the `libstdc++11` ABI:
-
-   ```
-   conan profile update settings.compiler.libcxx=libstdc++11 default
-   ```
-
-
-Ensure inter-operability between `boost::string_view` and `std::string_view` types:
-
-```
-conan profile update 'conf.tools.build:cxxflags+=["-DBOOST_BEAST_USE_STD_STRING_VIEW"]' default
-conan profile update 'env.CXXFLAGS="-DBOOST_BEAST_USE_STD_STRING_VIEW"' default
+```bash
+conan config install conan/profiles/ -tf $(conan config home)/profiles/
 ```
 
-If you have other flags in the `conf.tools.build` or `env.CXXFLAGS` sections, make sure to retain the existing flags and append the new ones. You can check them with:
-```
-conan profile show default
+You can check your Conan profile by running:
+
+```bash
+conan profile show
 ```
 
+#### Custom profile
 
-**Windows** developers may need to use the x64 native build tools.
-An easy way to do that is to run the shortcut "x64 Native Tools Command
-Prompt" for the version of Visual Studio that you have installed.
+If the default profile does not work for you and you do not yet have a Conan
+profile, you can create one by running:
 
-   Windows developers must also build `rippled` and its dependencies for the x64
-   architecture:
-
-   ```
-   conan profile update settings.arch=x86_64 default
-   ```
-
-### Multiple compilers
-
-When `/usr/bin/g++` exists on a platform, it is the default cpp compiler. This
-default works for some users.
-
-However, if this compiler cannot build rippled or its dependencies, then you can
-install another compiler and set Conan and CMake to use it.
-Update the `conf.tools.build:compiler_executables` setting in order to set the correct variables (`CMAKE_<LANG>_COMPILER`) in the
-generated CMake toolchain file.
-For example, on Ubuntu 20, you may have gcc at `/usr/bin/gcc` and g++ at `/usr/bin/g++`; if that is the case, you can select those compilers with:
-```
-conan profile update 'conf.tools.build:compiler_executables={"c": "/usr/bin/gcc", "cpp": "/usr/bin/g++"}' default
+```bash
+conan profile detect
 ```
 
-Replace `/usr/bin/gcc` and `/usr/bin/g++` with paths to the desired compilers.
+You may need to make changes to the profile to suit your environment. You can
+refer to the provided `conan/profiles/default` profile for inspiration, and you
+may also need to apply the required [tweaks](#conan-profile-tweaks) to this
+default profile.
 
-It should choose the compiler for dependencies as well,
-but not all of them have a Conan recipe that respects this setting (yet).
-For the rest, you can set these environment variables.
-Replace `<path>` with paths to the desired compilers:
+### Patched recipes
 
-- `conan profile update env.CC=<path> default`
-- `conan profile update env.CXX=<path> default`
+Occasionally, we need patched recipes or recipes not present in Conan Center.
+We maintain a fork of the Conan Center Index
+[here](https://github.com/XRPLF/conan-center-index/) containing the modified and newly added recipes.
 
-Export our [Conan recipe for Snappy](./external/snappy).
-It does not explicitly link the C++ standard library,
-which allows you to statically link it with GCC, if you want.
+To ensure our patched recipes are used, you must add our Conan remote at a
+higher index than the default Conan Center remote, so it is consulted first. You
+can do this by running:
 
-   ```
-   # Conan 1.x
-   conan export external/snappy snappy/1.1.10@
-   # Conan 2.x
-   conan export --version 1.1.10 external/snappy
-   ```
+```bash
+conan remote add --index 0 xrplf https://conan.ripplex.io
+```
 
-Export our [Conan recipe for RocksDB](./external/rocksdb).
-It does not override paths to dependencies when building with Visual Studio.
+Alternatively, you can pull our recipes from the repository and export them locally:
 
-   ```
-   # Conan 1.x
-   conan export external/rocksdb rocksdb/6.29.5@
-   # Conan 2.x
-   conan export --version 6.29.5 external/rocksdb
-   ```
+```bash
+# Define which recipes to export.
+recipes=('abseil' 'ed25519' 'mpt-crypto' 'openssl' 'secp256k1' 'snappy' 'soci' 'wasm-xrplf' 'wasmi')
 
-Export our [Conan recipe for SOCI](./external/soci).
-It patches their CMake to correctly import its dependencies.
+# Selectively check out the recipes from our CCI fork.
+cd external
+mkdir -p conan-center-index
+cd conan-center-index
+git init
+git remote add origin git@github.com:XRPLF/conan-center-index.git
+git sparse-checkout init
+for recipe in "${recipes[@]}"; do
+    echo "Checking out recipe '${recipe}'..."
+    git sparse-checkout add recipes/${recipe}
+done
+git fetch origin master
+git checkout master
 
-   ```
-   # Conan 1.x
-   conan export external/soci soci/4.0.3@
-   # Conan 2.x
-   conan export --version 4.0.3 external/soci
-   ```
+./export_all.sh
+cd ../../
+```
 
-Export our [Conan recipe for NuDB](./external/nudb).
-It fixes some source files to add missing `#include`s.
+In the case we switch to a newer version of a dependency that still requires a
+patch or add a new dependency, it will be necessary for you to pull in the changes and re-export the
+updated dependencies with the newer version. However, if we switch to a newer
+version that no longer requires a patch, no action is required on your part, as
+the new recipe will be automatically pulled from the official Conan Center.
 
+> [!NOTE]
+> You might need to add `--lockfile=""` to your `conan install` command
+> to avoid automatic use of the existing `conan.lock` file when you run
+> `conan export` manually on your machine
+>
+> This is not recommended though, as you might end up using different revisions of recipes.
 
-   ```
-   # Conan 1.x
-   conan export external/nudb nudb/2.0.8@
-   # Conan 2.x
-   conan export --version 2.0.8 external/nudb
-   ```
+### Conan profile tweaks
+
+#### Missing compiler version
+
+If you see an error similar to the following after running `conan profile show`:
+
+```text
+ERROR: Invalid setting '17' is not a valid 'settings.compiler.version' value.
+Possible values are ['5.0', '5.1', '6.0', '6.1', '7.0', '7.3', '8.0', '8.1',
+'9.0', '9.1', '10.0', '11.0', '12.0', '13', '13.0', '13.1', '14', '14.0', '15',
+'15.0', '16', '16.0']
+Read "http://docs.conan.io/2/knowledge/faq.html#error-invalid-setting"
+```
+
+you need to add your compiler to the list of compiler versions in
+`$(conan config home)/settings_user.yml`, by adding the required version number(s)
+to the `version` array specific for your compiler. For example:
+
+```yaml
+compiler:
+  apple-clang:
+    version: ["17.0"]
+```
+
+#### Multiple compilers
+
+If you have multiple compilers installed, make sure to select the one to use in
+your default Conan configuration **before** running `conan profile detect`, by
+setting the `CC` and `CXX` environment variables.
+
+For example, if you are running MacOS and have [homebrew
+LLVM@18](https://formulae.brew.sh/formula/llvm@18), and want to use it as a
+compiler in the new Conan profile:
+
+```bash
+export CC=$(brew --prefix llvm@18)/bin/clang
+export CXX=$(brew --prefix llvm@18)/bin/clang++
+conan profile detect
+```
+
+You should also explicitly set the path to the compiler in the profile file,
+which helps to avoid errors when `CC` and/or `CXX` are set and disagree with the
+selected Conan profile. For example:
+
+```text
+[conf]
+tools.build:compiler_executables={'c':'/usr/bin/gcc','cpp':'/usr/bin/g++'}
+```
+
+#### Multiple profiles
+
+You can manage multiple Conan profiles in the directory
+`$(conan config home)/profiles`, for example renaming `default` to a different
+name and then creating a new `default` profile for a different compiler.
+
+#### Select language
+
+The default profile created by Conan will typically select different C++ dialect
+than C++23 used by this project. You should set `23` in the profile line
+starting with `compiler.cppstd=`. For example:
+
+```bash
+sed -i.bak -e 's|^compiler\.cppstd=.*$|compiler.cppstd=23|' $(conan config home)/profiles/default
+```
+
+#### Select standard library in Linux
+
+**Linux** developers will commonly have a default Conan [profile][] that
+compiles with GCC and links with libstdc++. If you are linking with libstdc++
+(see profile setting `compiler.libcxx`), then you will need to choose the
+`libstdc++11` ABI:
+
+```bash
+sed -i.bak -e 's|^compiler\.libcxx=.*$|compiler.libcxx=libstdc++11|' $(conan config home)/profiles/default
+```
+
+#### Select architecture and runtime in Windows
+
+**Windows** developers may need to use the x64 native build tools. An easy way
+to do that is to run the shortcut "x64 Native Tools Command Prompt" for the
+version of Visual Studio that you have installed.
+
+Windows developers must also build `xrpld` and its dependencies for the x64
+architecture:
+
+```bash
+sed -i.bak -e 's|^arch=.*$|arch=x86_64|' $(conan config home)/profiles/default
+```
+
+**Windows** developers also must select static runtime:
+
+```bash
+sed -i.bak -e 's|^compiler\.runtime=.*$|compiler.runtime=static|' $(conan config home)/profiles/default
+```
+
+#### Clang workaround for grpc
+
+If your compiler is clang, version 19 or later, or apple-clang, version 17 or
+later, you may encounter a compilation error while building the `grpc`
+dependency:
+
+```text
+In file included from .../lib/promise/try_seq.h:26:
+.../lib/promise/detail/basic_seq.h:499:38: error: a template argument list is expected after a name prefixed by the template keyword [-Wmissing-template-arg-list-after-template-kw]
+  499 |                     Traits::template CallSeqFactory(f_, *cur_, std::move(arg)));
+      |                                      ^
+```
+
+The workaround for this error is to add two lines to profile:
+
+```text
+[conf]
+tools.build:cxxflags=['-Wno-missing-template-arg-list-after-template-kw']
+```
+
+#### Workaround for gcc 12
+
+If your compiler is gcc, version 12, and you have enabled `werr` option, you may
+encounter a compilation error such as:
+
+```text
+/usr/include/c++/12/bits/char_traits.h:435:56: error: 'void* __builtin_memcpy(void*, const void*, long unsigned int)' accessing 9223372036854775810 or more bytes at offsets [2, 9223372036854775807] and 1 may overlap up to 9223372036854775813 bytes at offset -3 [-Werror=restrict]
+  435 |         return static_cast<char_type*>(__builtin_memcpy(__s1, __s2, __n));
+      |                                        ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
+cc1plus: all warnings being treated as errors
+```
+
+The workaround for this error is to add two lines to your profile:
+
+```text
+[conf]
+tools.build:cxxflags=['-Wno-restrict']
+```
+
+#### Workaround for clang 16
+
+If your compiler is clang, version 16, you may encounter compilation error such
+as:
+
+```text
+In file included from .../boost/beast/websocket/stream.hpp:2857:
+.../boost/beast/websocket/impl/read.hpp:695:17: error: call to 'async_teardown' is ambiguous
+                async_teardown(impl.role, impl.stream(),
+                ^~~~~~~~~~~~~~
+```
+
+The workaround for this error is to add two lines to your profile:
+
+```text
+[conf]
+tools.build:cxxflags=['-DBOOST_ASIO_DISABLE_CONCEPTS']
+```
+
+### Set Up Ccache
+
+To speed up repeated compilations, we recommend that you install
+[ccache](https://ccache.dev), a tool that wraps your compiler so that it can
+cache build objects locally.
+
+#### Linux
+
+You can install it using the package manager, e.g. `sudo apt install ccache`
+(Ubuntu) or `sudo dnf install ccache` (RHEL).
+
+#### macOS
+
+You can install it using Homebrew, i.e. `brew install ccache`.
+
+#### Windows
+
+You can install it using Chocolatey, i.e. `choco install ccache`. If you already
+have Ccache installed, then `choco upgrade ccache` will update it to the latest
+version. However, if you see an error such as:
+
+```
+terminate called after throwing an instance of 'std::bad_alloc'
+      what():  std::bad_alloc
+C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Microsoft\VC\v170\Microsoft.CppCommon.targets(617,5): error MSB6006: "cl.exe" exited with code 3.
+```
+
+then please install a specific version of Ccache that we know works, via: `choco
+install ccache --version 4.11.3 --allow-downgrade`.
 
 ### Build and Test
 
@@ -222,95 +375,107 @@ It fixes some source files to add missing `#include`s.
    the `install-folder` or `-if` option to every `conan install` command
    in the next step.
 
-2. Generate CMake files for every configuration you want to build. 
+2. Use conan to generate CMake files for every configuration you want to build:
 
-    ```
-    conan install .. --output-folder . --build missing --settings build_type=Release
-    conan install .. --output-folder . --build missing --settings build_type=Debug
-    ```
+   ```
+   conan install .. --output-folder . --build missing --settings build_type=Release
+   conan install .. --output-folder . --build missing --settings build_type=Debug
+   ```
 
-    For a single-configuration generator, e.g. `Unix Makefiles` or `Ninja`,
-    you only need to run this command once.
-    For a multi-configuration generator, e.g. `Visual Studio`, you may want to
-    run it more than once.
+   To build Debug, in the next step, be sure to set `-DCMAKE_BUILD_TYPE=Debug`
 
-    Each of these commands should also have a different `build_type` setting.
-    A second command with the same `build_type` setting will overwrite the files
-    generated by the first. You can pass the build type on the command line with
-    `--settings build_type=$BUILD_TYPE` or in the profile itself,
-    under the section `[settings]` with the key `build_type`.
+   For a single-configuration generator, e.g. `Unix Makefiles` or `Ninja`,
+   you only need to run this command once.
+   For a multi-configuration generator, e.g. `Visual Studio`, you may want to
+   run it more than once.
 
-    If you are using a Microsoft Visual C++ compiler,
-    then you will need to ensure consistency between the `build_type` setting
-    and the `compiler.runtime` setting.
-
-    When `build_type` is `Release`, `compiler.runtime` should be `MT`.
-
-    When `build_type` is `Debug`, `compiler.runtime` should be `MTd`.
-
-    ```
-    conan install .. --output-folder . --build missing --settings build_type=Release --settings compiler.runtime=MT
-    conan install .. --output-folder . --build missing --settings build_type=Debug --settings compiler.runtime=MTd
-    ```
+   Each of these commands should also have a different `build_type` setting.
+   A second command with the same `build_type` setting will overwrite the files
+   generated by the first. You can pass the build type on the command line with
+   `--settings build_type=$BUILD_TYPE` or in the profile itself,
+   under the section `[settings]` with the key `build_type`.
 
 3. Configure CMake and pass the toolchain file generated by Conan, located at
    `$OUTPUT_FOLDER/build/generators/conan_toolchain.cmake`.
 
-    Single-config generators:
+   Single-config generators:
 
-    ```
-    cmake -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake -DCMAKE_BUILD_TYPE=Release -Dxrpld=ON -Dtests=ON ..
-    ```
+   Pass the CMake variable [`CMAKE_BUILD_TYPE`][build_type]
+   and make sure it matches the one of the `build_type` settings
+   you chose in the previous step.
 
-    Pass the CMake variable [`CMAKE_BUILD_TYPE`][build_type]
-    and make sure it matches the `build_type` setting you chose in the previous
-    step.
+   For example, to build Debug, in the next command, replace "Release" with "Debug"
 
-    Multi-config generators:
+   ```
+   cmake -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake -DCMAKE_BUILD_TYPE=Release -Dxrpld=ON -Dtests=ON ..
+   ```
 
-    ```
-    cmake -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake -Dxrpld=ON -Dtests=ON  ..
-    ```
+   Multi-config generators:
 
-    **Note:** You can pass build options for `rippled` in this step.
+   ```
+   cmake -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake -Dxrpld=ON -Dtests=ON  ..
+   ```
 
-4. Build `rippled`.
+   **Note:** You can pass build options for `xrpld` in this step.
+
+4. Build `xrpld`.
 
    For a single-configuration generator, it will build whatever configuration
-   you passed for `CMAKE_BUILD_TYPE`. For a multi-configuration generator,
-   you must pass the option `--config` to select the build configuration. 
+   you passed for `CMAKE_BUILD_TYPE`. For a multi-configuration generator, you
+   must pass the option `--config` to select the build configuration.
 
    Single-config generators:
 
    ```
-   cmake --build .
+   cmake --build . --parallel N
    ```
 
    Multi-config generators:
 
    ```
-   cmake --build . --config Release
-   cmake --build . --config Debug
+   cmake --build . --config Release --parallel N
+   cmake --build . --config Debug --parallel N
    ```
 
-5. Test rippled.
+   Replace the `--parallel` parameter N with the desired number of parallel jobs. A common starting point is half of the number of available CPU
+   cores.
+
+5. Test xrpld.
 
    Single-config generators:
 
    ```
-   ./rippled --unittest
+   ./xrpld --unittest --unittest-jobs N
    ```
 
    Multi-config generators:
 
    ```
-   ./Release/rippled --unittest
-   ./Debug/rippled --unittest
+   ./Release/xrpld --unittest --unittest-jobs N
+   ./Debug/xrpld --unittest --unittest-jobs N
    ```
 
-   The location of `rippled` in your build directory depends on your CMake
-   generator. Pass `--help` to see the rest of the command line options.
+   Replace the `--unittest-jobs` parameter N with the desired unit tests
+   concurrency. Recommended setting is half of the number of available CPU
+   cores.
 
+   The location of `xrpld` binary in your build directory depends on your
+   CMake generator. Pass `--help` to see the rest of the command line options.
+
+## Code generation
+
+The protocol wrapper classes in `include/xrpl/protocol_autogen/` are generated
+from macro definition files in `include/xrpl/protocol/detail/`. If you modify
+the macro files (e.g. `transactions.macro`, `ledger_entries.macro`) or the
+generation scripts/templates in `cmake/scripts/codegen/`, you need to regenerate the
+files:
+
+```
+cmake --build . --target setup_code_gen  # create venv and install dependencies (once)
+cmake --build . --target code_gen        # regenerate code
+```
+
+The regenerated files should be committed alongside your changes.
 
 ## Coverage report
 
@@ -328,20 +493,20 @@ Prerequisites for the coverage report:
 
 A coverage report is created when the following steps are completed, in order:
 
-1. `rippled` binary built with instrumentation data, enabled by the `coverage`
+1. `xrpld` binary built with instrumentation data, enabled by the `coverage`
    option mentioned above
-2. completed run of unit tests, which populates coverage capture data
+2. completed one or more run of the unit tests, which populates coverage capture data
 3. completed run of the `gcovr` tool (which internally invokes either `gcov` or `llvm-cov`)
    to assemble both instrumentation data and the coverage capture data into a coverage report
 
-The above steps are automated into a single target `coverage`. The instrumented
-`rippled` binary can also be used for regular development or testing work, at
+The last step of the above is automated into a single target `coverage`. The instrumented
+`xrpld` binary can also be used for regular development or testing work, at
 the cost of extra disk space utilization and a small performance hit
-(to store coverage capture). In case of a spurious failure of unit tests, it is
-possible to re-run the `coverage` target without rebuilding the `rippled` binary
-(since it is simply a dependency of the coverage report target). It is also possible
-to select only specific tests for the purpose of the coverage report, by setting
-the `coverage_test` variable in `cmake`
+(to store coverage capture data). Since `xrpld` binary is simply a dependency of the
+coverage report target, it is possible to re-run the `coverage` target without
+rebuilding the `xrpld` binary. Note, running of the unit tests before the `coverage`
+target is left to the developer. Each such run will append to the coverage data
+collected in the build directory.
 
 The default coverage report format is `html-details`, but the user
 can override it to any of the formats listed in `Builds/CMake/CodeCoverage.cmake`
@@ -350,11 +515,6 @@ to generate more than one format at a time by setting the `coverage_extra_args`
 variable in `cmake`. The specific command line used to run the `gcovr` tool will be
 displayed if the `CODE_COVERAGE_VERBOSE` variable is set.
 
-By default, the code coverage tool runs parallel unit tests with `--unittest-jobs`
- set to the number of available CPU cores. This may cause spurious test
-errors on Apple. Developers can override the number of unit test jobs with
-the `coverage_test_parallelism` variable in `cmake`.
-
 Example use with some cmake variables set:
 
 ```
@@ -367,88 +527,88 @@ cmake --build . --target coverage
 After the `coverage` target is completed, the generated coverage report will be
 stored inside the build directory, as either of:
 
-- file named `coverage.`_extension_ , with a suitable extension for the report format, or
+- file named `coverage.`_extension_, with a suitable extension for the report format, or
 - directory named `coverage`, with the `index.html` and other files inside, for the `html-details` or `html-nested` report formats.
 
+## Sanitizers
+
+To build dependencies and xrpld with sanitizer instrumentation, set the
+`SANITIZERS` environment variable when running `conan install` and use the `sanitizers` profile:
+
+```bash
+export SANITIZERS=address,undefinedbehavior
+
+conan install .. --output-folder . --profile:all sanitizers --build missing --settings build_type=Debug
+```
+
+You can then build and test as usual, with the generated `xrpld` binary containing the sanitizer instrumentation. When you run it, it will report any sanitizer errors it detects in the console output.
+
+See [Sanitizers docs](./docs/build/sanitizers.md) for more details.
 
 ## Options
 
-| Option | Default Value | Description |
-| --- | ---| ---|
-| `assert` | OFF | Enable assertions.
-| `coverage` | OFF | Prepare the coverage report. |
-| `san` | N/A | Enable a sanitizer with Clang. Choices are `thread` and `address`. |
-| `tests` | OFF | Build tests. |
-| `unity` | ON | Configure a unity build. |
-| `xrpld` | OFF | Build the xrpld (`rippled`) application, and not just the libxrpl library. |
-
-[Unity builds][5] may be faster for the first build
-(at the cost of much more memory) since they concatenate sources into fewer
-translation units. Non-unity builds may be faster for incremental builds,
-and can be helpful for detecting `#include` omissions.
+| Option     | Default Value | Description                                                    |
+| ---------- | ------------- | -------------------------------------------------------------- |
+| `assert`   | OFF           | Enable assertions.                                             |
+| `coverage` | OFF           | Prepare the coverage report.                                   |
+| `tests`    | OFF           | Build tests.                                                   |
+| `unity`    | OFF           | Configure a unity build.                                       |
+| `xrpld`    | OFF           | Build the xrpld application, and not just the libxrpl library. |
+| `werr`     | OFF           | Treat compilation warnings as errors                           |
+| `wextra`   | OFF           | Enable additional compilation warnings                         |
 
+[Unity builds][5] may be faster for the first build (at the cost of much more
+memory) since they concatenate sources into fewer translation units. Non-unity
+builds may be faster for incremental builds, and can be helpful for detecting
+`#include` omissions.
 
 ## Troubleshooting
 
-
 ### Conan
 
 After any updates or changes to dependencies, you may need to do the following:
 
 1. Remove your build directory.
-2. Remove the Conan cache:
+2. Remove individual libraries from the Conan cache, e.g.
+
+   ```bash
+   conan remove 'grpc/*'
    ```
-   rm -rf ~/.conan/data
+
+   **or**
+
+   Remove all libraries from Conan cache:
+
+   ```bash
+   conan remove '*'
    ```
-4. Re-run [conan install](#build-and-test).
 
+3. Re-run [conan export](#patched-recipes) if needed.
+4. [Regenerate lockfile](#conan-lockfile).
+5. Re-run [conan install](#build-and-test).
 
-### no std::result_of
+#### ERROR: Package not resolved
 
-If your compiler version is recent enough to have removed `std::result_of` as
-part of C++20, e.g. Apple Clang 15.0, then you might need to add a preprocessor
-definition to your build.
+If you're seeing an error like `ERROR: Package 'snappy/1.1.10' not resolved: Unable to find 'snappy/1.1.10#968fef506ff261592ec30c574d4a7809%1756234314.246' in remotes.`,
+please add `xrplf` remote or re-run `conan export` for [patched recipes](#patched-recipes).
+
+### `protobuf/port_def.inc` file not found
+
+If `cmake --build .` results in an error due to a missing a protobuf file, then
+you might have generated CMake files for a different `build_type` than the
+`CMAKE_BUILD_TYPE` you passed to Conan.
 
 ```
-conan profile update 'options.boost:extra_b2_flags="define=BOOST_ASIO_HAS_STD_INVOKE_RESULT"' default
-conan profile update 'env.CFLAGS="-DBOOST_ASIO_HAS_STD_INVOKE_RESULT"' default
-conan profile update 'env.CXXFLAGS="-DBOOST_ASIO_HAS_STD_INVOKE_RESULT"' default
-conan profile update 'conf.tools.build:cflags+=["-DBOOST_ASIO_HAS_STD_INVOKE_RESULT"]' default
-conan profile update 'conf.tools.build:cxxflags+=["-DBOOST_ASIO_HAS_STD_INVOKE_RESULT"]' default
+/xrpld/.build/pb-xrpl.libpb/xrpl/proto/xrpl.pb.h:10:10: fatal error: 'google/protobuf/port_def.inc' file not found
+   10 | #include <google/protobuf/port_def.inc>
+      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+1 error generated.
 ```
 
+For example, if you want to build Debug:
 
-### call to 'async_teardown' is ambiguous
-
-If you are compiling with an early version of Clang 16, then you might hit
-a [regression][6] when compiling C++20 that manifests as an [error in a Boost
-header][7]. You can workaround it by adding this preprocessor definition:
-
-```
-conan profile update 'env.CXXFLAGS="-DBOOST_ASIO_DISABLE_CONCEPTS"' default
-conan profile update 'conf.tools.build:cxxflags+=["-DBOOST_ASIO_DISABLE_CONCEPTS"]' default
-```
-
-
-### recompile with -fPIC
-
-If you get a linker error suggesting that you recompile Boost with
-position-independent code, such as:
-
-```
-/usr/bin/ld.gold: error: /home/username/.conan/data/boost/1.77.0/_/_/package/.../lib/libboost_container.a(alloc_lib.o):
-  requires unsupported dynamic reloc 11; recompile with -fPIC
-```
-
-Conan most likely downloaded a bad binary distribution of the dependency.
-This seems to be a [bug][1] in Conan just for Boost 1.77.0 compiled with GCC
-for Linux. The solution is to build the dependency locally by passing
-`--build boost` when calling `conan install`.
-
-```
-conan install --build boost ...
-```
-
+1. For conan install, pass `--settings build_type=Debug`
+2. For cmake, pass `-DCMAKE_BUILD_TYPE=Debug`
 
 ## Add a Dependency
 
@@ -456,16 +616,15 @@ If you want to experiment with a new package, follow these steps:
 
 1. Search for the package on [Conan Center](https://conan.io/center/).
 2. Modify [`conanfile.py`](./conanfile.py):
-    - Add a version of the package to the `requires` property.
-    - Change any default options for the package by adding them to the
-    `default_options` property (with syntax `'$package:$option': $value`).
+   - Add a version of the package to the `requires` property.
+   - Change any default options for the package by adding them to the
+     `default_options` property (with syntax `'$package:$option': $value`).
 3. Modify [`CMakeLists.txt`](./CMakeLists.txt):
-    - Add a call to `find_package($package REQUIRED)`.
-    - Link a library from the package to the target `ripple_libs`
-    (search for the existing call to `target_link_libraries(ripple_libs INTERFACE ...)`).
+   - Add a call to `find_package($package REQUIRED)`.
+   - Link a library from the package to the target `xrpl_libs`
+     (search for the existing call to `target_link_libraries(xrpl_libs INTERFACE ...)`).
 4. Start coding! Don't forget to include whatever headers you need from the package.
 
-
 [1]: https://github.com/conan-io/conan-center-index/issues/13168
 [2]: https://en.cppreference.com/w/cpp/compiler_support/20
 [3]: https://docs.conan.io/en/latest/getting_started.html

Builds/levelization/README.md

@@ -1,114 +0,0 @@
-# Levelization
-
-Levelization is the term used to describe efforts to prevent rippled from
-having or creating cyclic dependencies.
-
-rippled code is organized into directories under `src/rippled` (and
-`src/test`) representing modules. The modules are intended to be
-organized into "tiers" or "levels" such that a module from one level can
-only include code from lower levels. Additionally, a module
-in one level should never include code in an `impl` folder of any level
-other than it's own.
-
-Unfortunately, over time, enforcement of levelization has been
-inconsistent, so the current state of the code doesn't necessarily
-reflect these rules. Whenever possible, developers should refactor any
-levelization violations they find (by moving files or individual
-classes). At the very least, don't make things worse.
-
-The table below summarizes the _desired_ division of modules, based on the
-state of the rippled code when it was created. The levels are numbered from
-the bottom up with the lower level, lower numbered, more independent
-modules listed first, and the higher level, higher numbered modules with
-more dependencies listed later.
-
-**tl;dr:** The modules listed first are more independent than the modules
-listed later.
-
-| Level / Tier | Module(s)                                     |
-|--------------|-----------------------------------------------|
-| 01           | ripple/beast ripple/unity
-| 02           | ripple/basics
-| 03           | ripple/json ripple/crypto
-| 04           | ripple/protocol
-| 05           | ripple/core ripple/conditions ripple/consensus ripple/resource ripple/server
-| 06           | ripple/peerfinder ripple/ledger ripple/nodestore ripple/net
-| 07           | ripple/shamap ripple/overlay
-| 08           | ripple/app
-| 09           | ripple/rpc
-| 10           | ripple/perflog
-| 11           | test/jtx test/beast test/csf
-| 12           | test/unit_test
-| 13           | test/crypto test/conditions test/json test/resource test/shamap test/peerfinder test/basics test/overlay
-| 14           | test
-| 15           | test/net test/protocol test/ledger test/consensus test/core test/server test/nodestore
-| 16           | test/rpc test/app
-
-(Note that `test` levelization is *much* less important and *much* less
-strictly enforced than `ripple` levelization, other than the requirement
-that `test` code should *never* be included in `ripple` code.)
-
-## Validation
-
-The [levelization.sh](levelization.sh) script takes no parameters,
-reads no environment variables, and can be run from any directory,
-as long as it is in the expected location in the rippled repo.
-It can be run at any time from within a checked out repo, and will
-do an analysis of all the `#include`s in
-the rippled source. The only caveat is that it runs much slower
-under Windows than in Linux. It hasn't yet been tested under MacOS.
-It generates many files of [results](results):
-
-* `rawincludes.txt`: The raw dump of the `#includes`
-* `paths.txt`: A second dump grouping the source module
-  to the destination module, deduped, and with frequency counts.
-* `includes/`: A directory where each file represents a module and
-  contains a list of modules and counts that the module _includes_.
-* `includedby/`: Similar to `includes/`, but the other way around. Each
-  file represents a module and contains a list of modules and counts
-  that _include_ the module.
-* [`loops.txt`](results/loops.txt): A list of direct loops detected
-  between modules as they actually exist, as opposed to how they are
-  desired as described above. In a perfect repo, this file will be
-  empty.
-  This file is committed to the repo, and is used by the [levelization
-  Github workflow](../../.github/workflows/levelization.yml) to validate
-  that nothing changed.
-* [`ordering.txt`](results/ordering.txt): A list showing relationships
-  between modules where there are no loops as they actually exist, as
-  opposed to how they are desired as described above.
-  This file is committed to the repo, and is used by the [levelization
-  Github workflow](../../.github/workflows/levelization.yml) to validate
-  that nothing changed.
-* [`levelization.yml`](../../.github/workflows/levelization.yml)
-  Github Actions workflow to test that levelization loops haven't
-  changed.  Unfortunately, if changes are detected, it can't tell if
-  they are improvements or not, so if you have resolved any issues or
-  done anything else to improve levelization, run `levelization.sh`,
-  and commit the updated results.
-
-The  `loops.txt` and `ordering.txt` files relate the modules
-using comparison signs, which indicate the number of times each
-module is included in the other.
-
-* `A > B` means that A should probably be at a higher level than B,
-  because B is included in A significantly more than A is included in B.
-  These results can be included in both `loops.txt` and `ordering.txt`.
-  Because `ordering.txt`only includes relationships where B is not
-  included in A at all, it will only include these types of results.
-* `A ~= B` means that A and B are included in each other a different
-  number of times, but the values are so close that the script can't
-  definitively say that one should be above the other. These results
-  will only be included in `loops.txt`.
-* `A == B` means that A and B include each other the same number of
-  times, so the script has no clue which should be higher. These results
-  will only be included in `loops.txt`.
-
-The committed files hide the detailed values intentionally, to
-prevent false alarms and merging issues, and because it's easy to
-get those details locally.
-
-1. Run `levelization.sh`
-2. Grep the modules in `paths.txt`.
-   * For example, if a cycle is found `A ~= B`, simply `grep -w
-     A Builds/levelization/results/paths.txt | grep -w B`

Builds/levelization/levelization.sh

@@ -1,130 +0,0 @@
-#!/bin/bash
-
-# Usage: levelization.sh
-# This script takes no parameters, reads no environment variables,
-# and can be run from any directory, as long as it is in the expected
-# location in the repo.
-
-pushd $( dirname $0 )
-
-if [ -v PS1 ]
-then
-  # if the shell is interactive, clean up any flotsam before analyzing
-  git clean -ix
-fi
-
-# Ensure all sorting is ASCII-order consistently across platforms.
-export LANG=C
-
-rm -rfv results
-mkdir results
-includes="$( pwd )/results/rawincludes.txt"
-pushd ../..
-echo Raw includes:
-grep -r '#include.*/.*\.h' include src | \
-    grep -v boost | tee ${includes}
-popd
-pushd results
-
-oldifs=${IFS}
-IFS=:
-mkdir includes
-mkdir includedby
-echo Build levelization paths
-exec 3< ${includes} # open rawincludes.txt for input
-while read -r -u 3 file include
-do
-    level=$( echo ${file} | cut -d/ -f 2,3 )
-    # If the "level" indicates a file, cut off the filename
-    if [[ "${level##*.}" != "${level}" ]]
-    then
-        # Use the "toplevel" label as a workaround for `sort`
-        # inconsistencies between different utility versions
-        level="$( dirname ${level} )/toplevel"
-    fi
-    level=$( echo ${level} | tr '/' '.' )
-
-    includelevel=$( echo ${include} | sed 's/.*["<]//; s/[">].*//' | \
-        cut -d/ -f 1,2 )
-    if [[ "${includelevel##*.}" != "${includelevel}" ]]
-    then
-        # Use the "toplevel" label as a workaround for `sort`
-        # inconsistencies between different utility versions
-        includelevel="$( dirname ${includelevel} )/toplevel"
-    fi
-    includelevel=$( echo ${includelevel} | tr '/' '.' )
-
-    if [[ "$level" != "$includelevel" ]]
-    then
-        echo $level $includelevel | tee -a paths.txt
-    fi
-done
-echo Sort and dedup paths
-sort -ds paths.txt | uniq -c | tee sortedpaths.txt
-mv sortedpaths.txt paths.txt
-exec 3>&- #close fd 3
-IFS=${oldifs}
-unset oldifs
-
-echo Split into flat-file database
-exec 4<paths.txt # open paths.txt for input
-while read -r -u 4 count level include
-do
-    echo ${include} ${count} | tee -a includes/${level}
-    echo ${level} ${count} | tee -a includedby/${include}
-done
-exec 4>&- #close fd 4
-
-loops="$( pwd )/loops.txt"
-ordering="$( pwd )/ordering.txt"
-pushd includes
-echo Search for loops
-# Redirect stdout to a file
-exec 4>&1
-exec 1>"${loops}"
-for source in *
-do
-  if [[ -f "$source" ]]
-  then
-    exec 5<"${source}" # open for input
-    while read -r -u 5 include includefreq
-    do
-      if [[ -f $include ]]
-      then
-        if grep -q -w $source $include
-        then
-          if grep -q -w "Loop: $include $source" "${loops}"
-          then
-            continue
-          fi
-          sourcefreq=$( grep -w $source $include | cut -d\  -f2 )
-          echo "Loop: $source $include"
-          # If the counts are close, indicate that the two modules are
-          # on the same level, though they shouldn't be
-          if [[ $(( $includefreq - $sourcefreq )) -gt 3 ]]
-          then
-              echo -e "  $source > $include\n"
-          elif [[ $(( $sourcefreq - $includefreq )) -gt 3 ]]
-          then
-              echo -e "  $include > $source\n"
-          elif [[ $sourcefreq -eq $includefreq ]]
-          then
-              echo -e "  $include == $source\n"
-          else
-              echo -e "  $include ~= $source\n"
-          fi
-        else
-          echo "$source > $include" >> "${ordering}"
-        fi
-      fi
-    done
-    exec 5>&- #close fd 5
-  fi
-done
-exec 1>&4 #close fd 1
-exec 4>&- #close fd 4
-cat "${ordering}"
-cat "${loops}"
-popd
-popd
-popd

Builds/levelization/results/loops.txt

@@ -1,42 +0,0 @@
-Loop: test.jtx test.toplevel
-  test.toplevel > test.jtx
-
-Loop: test.jtx test.unit_test
-  test.unit_test == test.jtx
-
-Loop: xrpld.app xrpld.core
-  xrpld.app > xrpld.core
-
-Loop: xrpld.app xrpld.ledger
-  xrpld.app > xrpld.ledger
-
-Loop: xrpld.app xrpld.net
-  xrpld.app > xrpld.net
-
-Loop: xrpld.app xrpld.overlay
-  xrpld.overlay == xrpld.app
-
-Loop: xrpld.app xrpld.peerfinder
-  xrpld.app > xrpld.peerfinder
-
-Loop: xrpld.app xrpld.rpc
-  xrpld.rpc > xrpld.app
-
-Loop: xrpld.app xrpld.shamap
-  xrpld.app > xrpld.shamap
-
-Loop: xrpld.core xrpld.net
-  xrpld.net > xrpld.core
-
-Loop: xrpld.core xrpld.perflog
-  xrpld.perflog == xrpld.core
-
-Loop: xrpld.net xrpld.rpc
-  xrpld.rpc ~= xrpld.net
-
-Loop: xrpld.overlay xrpld.rpc
-  xrpld.rpc ~= xrpld.overlay
-
-Loop: xrpld.perflog xrpld.rpc
-  xrpld.rpc ~= xrpld.perflog
-

Builds/levelization/results/ordering.txt

@@ -1,195 +0,0 @@
-libxrpl.basics > xrpl.basics
-libxrpl.crypto > xrpl.basics
-libxrpl.json > xrpl.basics
-libxrpl.json > xrpl.json
-libxrpl.protocol > xrpl.basics
-libxrpl.protocol > xrpl.json
-libxrpl.protocol > xrpl.protocol
-libxrpl.resource > xrpl.basics
-libxrpl.resource > xrpl.resource
-libxrpl.server > xrpl.basics
-libxrpl.server > xrpl.json
-libxrpl.server > xrpl.protocol
-libxrpl.server > xrpl.server
-test.app > test.jtx
-test.app > test.rpc
-test.app > test.toplevel
-test.app > test.unit_test
-test.app > xrpl.basics
-test.app > xrpld.app
-test.app > xrpld.core
-test.app > xrpld.ledger
-test.app > xrpld.overlay
-test.app > xrpld.rpc
-test.app > xrpl.json
-test.app > xrpl.protocol
-test.app > xrpl.resource
-test.basics > test.jtx
-test.basics > test.unit_test
-test.basics > xrpl.basics
-test.basics > xrpld.perflog
-test.basics > xrpld.rpc
-test.basics > xrpl.json
-test.basics > xrpl.protocol
-test.beast > xrpl.basics
-test.conditions > xrpl.basics
-test.conditions > xrpld.conditions
-test.consensus > test.csf
-test.consensus > test.toplevel
-test.consensus > test.unit_test
-test.consensus > xrpl.basics
-test.consensus > xrpld.app
-test.consensus > xrpld.consensus
-test.consensus > xrpld.ledger
-test.core > test.jtx
-test.core > test.toplevel
-test.core > test.unit_test
-test.core > xrpl.basics
-test.core > xrpld.core
-test.core > xrpld.perflog
-test.core > xrpl.json
-test.core > xrpl.server
-test.csf > xrpl.basics
-test.csf > xrpld.consensus
-test.csf > xrpl.json
-test.csf > xrpl.protocol
-test.json > test.jtx
-test.json > xrpl.json
-test.jtx > xrpl.basics
-test.jtx > xrpld.app
-test.jtx > xrpld.consensus
-test.jtx > xrpld.core
-test.jtx > xrpld.ledger
-test.jtx > xrpld.net
-test.jtx > xrpld.rpc
-test.jtx > xrpl.json
-test.jtx > xrpl.protocol
-test.jtx > xrpl.resource
-test.jtx > xrpl.server
-test.ledger > test.jtx
-test.ledger > test.toplevel
-test.ledger > xrpl.basics
-test.ledger > xrpld.app
-test.ledger > xrpld.core
-test.ledger > xrpld.ledger
-test.ledger > xrpl.protocol
-test.nodestore > test.jtx
-test.nodestore > test.toplevel
-test.nodestore > test.unit_test
-test.nodestore > xrpl.basics
-test.nodestore > xrpld.core
-test.nodestore > xrpld.nodestore
-test.nodestore > xrpld.unity
-test.overlay > test.jtx
-test.overlay > test.unit_test
-test.overlay > xrpl.basics
-test.overlay > xrpld.app
-test.overlay > xrpld.overlay
-test.overlay > xrpld.peerfinder
-test.overlay > xrpld.shamap
-test.overlay > xrpl.protocol
-test.peerfinder > test.beast
-test.peerfinder > test.unit_test
-test.peerfinder > xrpl.basics
-test.peerfinder > xrpld.core
-test.peerfinder > xrpld.peerfinder
-test.peerfinder > xrpl.protocol
-test.protocol > test.toplevel
-test.protocol > xrpl.basics
-test.protocol > xrpl.json
-test.protocol > xrpl.protocol
-test.resource > test.unit_test
-test.resource > xrpl.basics
-test.resource > xrpl.resource
-test.rpc > test.jtx
-test.rpc > test.toplevel
-test.rpc > xrpl.basics
-test.rpc > xrpld.app
-test.rpc > xrpld.core
-test.rpc > xrpld.net
-test.rpc > xrpld.overlay
-test.rpc > xrpld.rpc
-test.rpc > xrpl.json
-test.rpc > xrpl.protocol
-test.rpc > xrpl.resource
-test.server > test.jtx
-test.server > test.toplevel
-test.server > test.unit_test
-test.server > xrpl.basics
-test.server > xrpld.app
-test.server > xrpld.core
-test.server > xrpld.rpc
-test.server > xrpl.json
-test.server > xrpl.server
-test.shamap > test.unit_test
-test.shamap > xrpl.basics
-test.shamap > xrpld.nodestore
-test.shamap > xrpld.shamap
-test.shamap > xrpl.protocol
-test.toplevel > test.csf
-test.toplevel > xrpl.json
-test.unit_test > xrpl.basics
-xrpl.json > xrpl.basics
-xrpl.protocol > xrpl.basics
-xrpl.protocol > xrpl.json
-xrpl.resource > xrpl.basics
-xrpl.resource > xrpl.json
-xrpl.resource > xrpl.protocol
-xrpl.server > xrpl.basics
-xrpl.server > xrpl.json
-xrpl.server > xrpl.protocol
-xrpld.app > test.unit_test
-xrpld.app > xrpl.basics
-xrpld.app > xrpld.conditions
-xrpld.app > xrpld.consensus
-xrpld.app > xrpld.nodestore
-xrpld.app > xrpld.perflog
-xrpld.app > xrpl.json
-xrpld.app > xrpl.protocol
-xrpld.app > xrpl.resource
-xrpld.conditions > xrpl.basics
-xrpld.conditions > xrpl.protocol
-xrpld.consensus > xrpl.basics
-xrpld.consensus > xrpl.json
-xrpld.consensus > xrpl.protocol
-xrpld.core > xrpl.basics
-xrpld.core > xrpl.json
-xrpld.core > xrpl.protocol
-xrpld.ledger > xrpl.basics
-xrpld.ledger > xrpld.core
-xrpld.ledger > xrpl.json
-xrpld.ledger > xrpl.protocol
-xrpld.net > xrpl.basics
-xrpld.net > xrpl.json
-xrpld.net > xrpl.protocol
-xrpld.net > xrpl.resource
-xrpld.nodestore > xrpl.basics
-xrpld.nodestore > xrpld.core
-xrpld.nodestore > xrpld.unity
-xrpld.nodestore > xrpl.json
-xrpld.nodestore > xrpl.protocol
-xrpld.overlay > xrpl.basics
-xrpld.overlay > xrpld.core
-xrpld.overlay > xrpld.peerfinder
-xrpld.overlay > xrpld.perflog
-xrpld.overlay > xrpl.json
-xrpld.overlay > xrpl.protocol
-xrpld.overlay > xrpl.resource
-xrpld.overlay > xrpl.server
-xrpld.peerfinder > xrpl.basics
-xrpld.peerfinder > xrpld.core
-xrpld.peerfinder > xrpl.protocol
-xrpld.perflog > xrpl.basics
-xrpld.perflog > xrpl.json
-xrpld.perflog > xrpl.protocol
-xrpld.rpc > xrpl.basics
-xrpld.rpc > xrpld.core
-xrpld.rpc > xrpld.ledger
-xrpld.rpc > xrpld.nodestore
-xrpld.rpc > xrpl.json
-xrpld.rpc > xrpl.protocol
-xrpld.rpc > xrpl.resource
-xrpld.rpc > xrpl.server
-xrpld.shamap > xrpl.basics
-xrpld.shamap > xrpld.nodestore
-xrpld.shamap > xrpl.protocol

CMakeLists.txt

@@ -1,139 +1,155 @@
 cmake_minimum_required(VERSION 3.16)
 
 if(POLICY CMP0074)
-  cmake_policy(SET CMP0074 NEW)
+    cmake_policy(SET CMP0074 NEW)
 endif()
 if(POLICY CMP0077)
-  cmake_policy(SET CMP0077 NEW)
+    cmake_policy(SET CMP0077 NEW)
 endif()
 
 # Fix "unrecognized escape" issues when passing CMAKE_MODULE_PATH on Windows.
-file(TO_CMAKE_PATH "${CMAKE_MODULE_PATH}" CMAKE_MODULE_PATH)
+if(DEFINED CMAKE_MODULE_PATH)
+    file(TO_CMAKE_PATH "${CMAKE_MODULE_PATH}" CMAKE_MODULE_PATH)
+endif()
 list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
 
 project(xrpl)
 set(CMAKE_CXX_EXTENSIONS OFF)
-set(CMAKE_CXX_STANDARD 20)
+set(CMAKE_CXX_STANDARD 23)
 set(CMAKE_CXX_STANDARD_REQUIRED ON)
+set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
 
-set(Boost_NO_BOOST_CMAKE ON)
+include(CompilationEnv)
 
-# make GIT_COMMIT_HASH define available to all sources
-find_package(Git)
-if(Git_FOUND)
-    execute_process(COMMAND ${GIT_EXECUTABLE} --git-dir=${CMAKE_CURRENT_SOURCE_DIR}/.git describe --always --abbrev=40
-        OUTPUT_STRIP_TRAILING_WHITESPACE OUTPUT_VARIABLE gch)
-    if(gch)
-        set(GIT_COMMIT_HASH "${gch}")
-        message(STATUS gch: ${GIT_COMMIT_HASH})
-        add_definitions(-DGIT_COMMIT_HASH="${GIT_COMMIT_HASH}")
-    endif()
-endif() #git
+if(is_gcc)
+    # GCC-specific fixes
+    add_compile_options(-Wno-unknown-pragmas -Wno-subobject-linkage)
+    # -Wno-subobject-linkage can be removed when we upgrade GCC version to at least 13.3
+elseif(is_clang)
+    # Clang-specific fixes
+    add_compile_options(-Wno-unknown-warning-option) # Ignore unknown warning options
+elseif(is_msvc)
+    # MSVC-specific fixes
+    add_compile_options(/wd4068) # Ignore unknown pragmas
+endif()
+
+# Enable ccache to speed up builds.
+include(Ccache)
 
 if(thread_safety_analysis)
-  add_compile_options(-Wthread-safety -D_LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS -DRIPPLE_ENABLE_THREAD_SAFETY_ANNOTATIONS)
-  add_compile_options("-stdlib=libc++")
-  add_link_options("-stdlib=libc++")
+    add_compile_options(
+        -Wthread-safety
+        -D_LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS
+        -DXRPL_ENABLE_THREAD_SAFETY_ANNOTATIONS
+    )
+    add_compile_options("-stdlib=libc++")
+    add_link_options("-stdlib=libc++")
 endif()
 
-include (CheckCXXCompilerFlag)
-include (FetchContent)
-include (ExternalProject)
-include (CMakeFuncs) # must come *after* ExternalProject b/c it overrides one function in EP
-if (target)
-  message (FATAL_ERROR "The target option has been removed - use native cmake options to control build")
-endif ()
+include(CheckCXXCompilerFlag)
+include(FetchContent)
+include(ExternalProject)
+include(CMakeFuncs) # must come *after* ExternalProject b/c it overrides one function in EP
+if(target)
+    message(
+        FATAL_ERROR
+        "The target option has been removed - use native cmake options to control build"
+    )
+endif()
 
-include(RippledSanity)
-include(RippledVersion)
-include(RippledSettings)
-# this check has to remain in the top-level cmake
-# because of the early return statement
-if (packages_only)
-  if (NOT TARGET rpm)
-    message (FATAL_ERROR "packages_only requested, but targets were not created - is docker installed?")
-  endif()
-  return ()
-endif ()
-include(RippledCompiler)
-include(RippledInterface)
+include(XrplSanity)
+include(XrplVersion)
+include(XrplSettings)
+# this check has to remain in the top-level cmake because of the early return statement
+if(packages_only)
+    if(NOT TARGET rpm)
+        message(
+            FATAL_ERROR
+            "packages_only requested, but targets were not created - is docker installed?"
+        )
+    endif()
+    return()
+endif()
+include(XrplCompiler)
+include(XrplSanitizers)
+include(XrplInterface)
 
 option(only_docs "Include only the docs target?" FALSE)
-include(RippledDocs)
+include(XrplDocs)
 if(only_docs)
-  return()
+    return()
 endif()
 
-###
-
 include(deps/Boost)
-find_package(OpenSSL 1.1.1 REQUIRED)
-set_target_properties(OpenSSL::SSL PROPERTIES
-  INTERFACE_COMPILE_DEFINITIONS OPENSSL_NO_SSL2
-)
-set(SECP256K1_INSTALL TRUE)
-add_subdirectory(external/secp256k1)
-add_library(secp256k1::secp256k1 ALIAS secp256k1)
-add_subdirectory(external/ed25519-donna)
+
 add_subdirectory(external/antithesis-sdk)
+find_package(date REQUIRED)
+find_package(ed25519 REQUIRED)
 find_package(gRPC REQUIRED)
-find_package(lz4 REQUIRED)
-# Target names with :: are not allowed in a generator expression.
-# We need to pull the include directories and imported location properties
-# from separate targets.
 find_package(LibArchive REQUIRED)
+find_package(lz4 REQUIRED)
+find_package(nudb REQUIRED)
+find_package(OpenSSL REQUIRED)
+find_package(secp256k1 REQUIRED)
 find_package(SOCI REQUIRED)
 find_package(SQLite3 REQUIRED)
+find_package(xxHash REQUIRED)
 
-# https://conan.io/center/recipes/wasmedge?version=0.9.0
-option(wasmedge "Enable WASM" ON)
-if(wasmedge)
-  find_package(wasmedge REQUIRED)
-  set_target_properties(wasmedge::wasmedge PROPERTIES
-    INTERFACE_COMPILE_DEFINITIONS RIPPLE_WASMEDGE_AVAILABLE=1
-  )
-  target_link_libraries(ripple_libs INTERFACE wasmedge::wasmedge)
-  # include(deps/WasmEdge)
-endif()
+target_link_libraries(
+    xrpl_libs
+    INTERFACE
+        ed25519::ed25519
+        lz4::lz4
+        OpenSSL::Crypto
+        OpenSSL::SSL
+        secp256k1::secp256k1
+        soci::soci
+        SQLite::SQLite3
+)
 
 option(rocksdb "Enable RocksDB" ON)
 if(rocksdb)
-  find_package(RocksDB REQUIRED)
-  set_target_properties(RocksDB::rocksdb PROPERTIES
-    INTERFACE_COMPILE_DEFINITIONS RIPPLE_ROCKSDB_AVAILABLE=1
-  )
-  target_link_libraries(ripple_libs INTERFACE RocksDB::rocksdb)
+    find_package(RocksDB REQUIRED)
+    set_target_properties(
+        RocksDB::rocksdb
+        PROPERTIES INTERFACE_COMPILE_DEFINITIONS XRPL_ROCKSDB_AVAILABLE=1
+    )
+    target_link_libraries(xrpl_libs INTERFACE RocksDB::rocksdb)
 endif()
 
-find_package(nudb REQUIRED)
-find_package(date REQUIRED)
-find_package(xxHash REQUIRED)
-
-target_link_libraries(ripple_libs INTERFACE
-  ed25519::ed25519
-  lz4::lz4
-  OpenSSL::Crypto
-  OpenSSL::SSL
-  secp256k1::secp256k1
-  soci::soci
-  SQLite::SQLite3
-)
+# OpenTelemetry distributed tracing (optional).
+# When ON, links against opentelemetry-cpp and defines XRPL_ENABLE_TELEMETRY
+# so that SpanGuard factory methods produce real OTel spans.
+# When OFF (default), all tracing code compiles to no-ops with zero overhead.
+# Enable via: conan install -o telemetry=True, or cmake -Dtelemetry=ON.
+option(telemetry "Enable OpenTelemetry tracing" ON)
+if(telemetry)
+    find_package(opentelemetry-cpp CONFIG REQUIRED)
+    add_compile_definitions(XRPL_ENABLE_TELEMETRY)
+    message(STATUS "OpenTelemetry tracing enabled")
+endif()
 
 # Work around changes to Conan recipe for now.
 if(TARGET nudb::core)
-  set(nudb nudb::core)
+    set(nudb nudb::core)
 elseif(TARGET NuDB::nudb)
-  set(nudb NuDB::nudb)
+    set(nudb NuDB::nudb)
 else()
-  message(FATAL_ERROR "unknown nudb target")
+    message(FATAL_ERROR "unknown nudb target")
 endif()
-target_link_libraries(ripple_libs INTERFACE ${nudb})
+target_link_libraries(xrpl_libs INTERFACE ${nudb})
 
 if(coverage)
-  include(RippledCov)
+    include(XrplCov)
 endif()
 
-set(PROJECT_EXPORT_SET RippleExports)
-include(RippledCore)
-include(RippledInstall)
-include(RippledValidatorKeys)
+include(XrplCore)
+include(XrplProtocolAutogen)
+include(XrplInstall)
+include(XrplPackaging)
+include(XrplValidatorKeys)
+
+if(tests)
+    include(CTest)
+    add_subdirectory(src/tests/libxrpl)
+endif()

LICENSE.md

@@ -1,7 +1,7 @@
-ISC License 
+ISC License
 
 Copyright (c) 2011, Arthur Britto, David Schwartz, Jed McCaleb, Vinnie Falco, Bob Way, Eric Lombrozo, Nikolaos D. Bougalis, Howard Hinnant.
-Copyright (c) 2012-2020, the XRP Ledger developers.
+Copyright (c) 2012-present, the XRP Ledger developers.
 
 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
@@ -14,4 +14,3 @@ ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-

OpenTelemetryPlan/00-tracing-fundamentals.md

@@ -0,0 +1,565 @@
+# Distributed Tracing Fundamentals
+
+> **Parent Document**: [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)
+> **Next**: [Architecture Analysis](./01-architecture-analysis.md)
+
+---
+
+## What is Distributed Tracing?
+
+Distributed tracing is a method for tracking data objects as they flow through distributed systems. In a network like XRP Ledger, a single transaction touches multiple independent nodes—each with no shared memory or logging. Distributed tracing connects these dots.
+
+**Without tracing:** You see isolated logs on each node with no way to correlate them.
+
+**With tracing:** You see the complete journey of a transaction or an event across all nodes it touched.
+
+---
+
+## Actors and Actions at a Glance
+
+### Actors
+
+| Who (Plain English)                            | Technical Term  |
+| ---------------------------------------------- | --------------- |
+| A single unit of work being tracked            | Span            |
+| The complete journey of a request              | Trace           |
+| Data that links spans across services          | Trace Context   |
+| Code that creates spans and propagates context | Instrumentation |
+| Service that receives and processes traces     | Collector       |
+| Storage and visualization system               | Backend (Tempo) |
+| Decision logic for which traces to keep        | Sampler         |
+
+### Actions
+
+| What Happens (Plain English)            | Technical Term          |
+| --------------------------------------- | ----------------------- |
+| Start tracking a new operation          | Create a Span           |
+| Connect a child operation to its parent | Set `parent_span_id`    |
+| Group all related operations together   | Share a `trace_id`      |
+| Pass tracking data between services     | Context Propagation     |
+| Decide whether to record a trace        | Sampling (Head or Tail) |
+| Send completed traces to storage        | Export (OTLP)           |
+
+---
+
+## Core Concepts
+
+### 1. Trace
+
+A **trace** represents the entire journey of a request through the system. It has a unique `trace_id` that stays constant across all nodes.
+
+```
+Trace ID: abc123
+├── Node A: received transaction
+├── Node B: relayed transaction
+├── Node C: included in consensus
+└── Node D: applied to ledger
+```
+
+### 2. Span
+
+A **span** represents a single unit of work within a trace. Each span has:
+
+| Attribute        | Description                      | Example                    |
+| ---------------- | -------------------------------- | -------------------------- |
+| `trace_id`       | Identifies the trace             | `event123`                 |
+| `span_id`        | Unique identifier                | `span456`                  |
+| `parent_span_id` | Parent span (if any)             | `p_span123`                |
+| `name`           | Operation name                   | `rpc.submit`               |
+| `start_time`     | When work began (local time)     | `2024-01-15T10:30:00Z`     |
+| `end_time`       | When work completed (local time) | `2024-01-15T10:30:00.050Z` |
+| `attributes`     | Key-value metadata               | `tx_hash=ABC...`           |
+| `status`         | OK, ERROR MSG                    | `OK`                       |
+
+### 3. Trace Context
+
+**Trace context** is the data that propagates between services to link spans together. It contains:
+
+- `trace_id` - The trace this span belongs to
+- `span_id` - The current span (becomes parent for child spans)
+- `trace_flags` - Sampling decisions
+
+---
+
+## How Spans Form a Trace
+
+Spans have parent-child relationships forming a tree structure:
+
+```mermaid
+flowchart TB
+    subgraph trace["Trace: abc123"]
+        A["tx.submit<br/>span_id: 001<br/>50ms"] --> B["tx.validate<br/>span_id: 002<br/>5ms"]
+        A --> C["tx.relay<br/>span_id: 003<br/>10ms"]
+        A --> D["tx.apply<br/>span_id: 004<br/>30ms"]
+        D --> E["ledger.update<br/>span_id: 005<br/>20ms"]
+    end
+
+    style A fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style B fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style C fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style D fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style E fill:#bf360c,stroke:#8c2809,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **tx.submit (blue, root)**: The top-level span representing the entire transaction submission; all other spans are its descendants.
+- **tx.validate, tx.relay, tx.apply (green)**: Direct children of tx.submit, representing the three main stages -- validation, relay to peers, and application to the ledger.
+- **ledger.update (red)**: A grandchild span nested under tx.apply, representing the actual ledger state mutation triggered by applying the transaction.
+- **Arrows (parent to child)**: Each arrow indicates a parent-child span relationship where the parent's completion depends on the child finishing.
+
+The same trace visualized as a **timeline (Gantt chart)**:
+
+```
+Time →   0ms    10ms    20ms    30ms    40ms    50ms
+         ├───────────────────────────────────────────┤
+tx.submit│▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓│
+         ├─────┤
+tx.valid │▓▓▓▓▓│
+         │     ├──────────┤
+tx.relay │     │▓▓▓▓▓▓▓▓▓▓│
+         │               ├────────────────────────────┤
+tx.apply │               │▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓│
+         │                         ├──────────────────┤
+ledger   │                         │▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓│
+```
+
+---
+
+## Span Relationships
+
+Spans don't always form simple parent-child trees. Distributed tracing defines several relationship types to capture different causal patterns:
+
+### 1. Parent-Child (ChildOf)
+
+The default relationship. The parent span **depends on** or **contains** the child span. The child runs within the scope of the parent.
+
+```
+tx.submit (parent)
+├── tx.validate (child)     ← parent waits for this
+├── tx.relay (child)        ← parent waits for this
+└── tx.apply (child)        ← parent waits for this
+```
+
+**When to use:** Synchronous calls, nested operations, any case where the parent's completion depends on the child.
+
+### 2. Follows-From
+
+A causal relationship where the first span **triggers** the second, but does **not wait** for it. The originator fires and moves on.
+
+```
+Time →
+
+tx.receive [=======]
+                     ↓ triggers (follows-from)
+              tx.relay   [===========]   ← runs independently
+```
+
+**When to use:** Asynchronous jobs, queued work, fire-and-forget patterns. For example, a node receives a transaction and queues it for relay — the relay span _follows from_ the receive span but the receiver doesn't wait for relaying to complete.
+
+> **OpenTracing** defined `FollowsFrom` as a first-class reference type alongside `ChildOf`.
+> **OpenTelemetry** represents this using **Span Links** with descriptive attributes instead (see below).
+
+### 3. Span Links (Cross-Trace and Non-Hierarchical)
+
+Links connect spans that are **causally related but not in a parent-child hierarchy**. Unlike parent-child, links can cross trace boundaries.
+
+```
+Trace A                          Trace B
+──────                           ──────
+batch.schedule                   batch.execute
+├─ item.enqueue (span X)    ┌──► process.item
+├─ item.enqueue (span Y) ───┤    (links to X, Y, Z)
+├─ item.enqueue (span Z)    └──►
+```
+
+**Use cases:**
+
+| Pattern              | Description                                                                 |
+| -------------------- | --------------------------------------------------------------------------- |
+| **Batch processing** | A batch span links back to all individual spans that contributed to it      |
+| **Fan-in**           | An aggregation span links to the multiple producer spans it merges          |
+| **Fan-out**          | Multiple downstream spans link back to the single span that triggered them  |
+| **Async handoff**    | A deferred job links back to the request that queued it (follows-from)      |
+| **Cross-trace**      | Correlating spans across independent traces (e.g., retries, related events) |
+
+**Link structure:** Each link carries the target span's context plus optional attributes:
+
+```
+Link {
+    trace_id:   <target trace>
+    span_id:    <target span>
+    attributes: { "link.description": "triggered by batch scheduler" }
+}
+```
+
+### Relationship Summary
+
+```mermaid
+flowchart LR
+    subgraph parent_child["Parent-Child"]
+        direction TB
+        P["Parent"] --> C["Child"]
+    end
+
+    subgraph follows_from["Follows-From"]
+        direction TB
+        A["Span A"] -.->|triggers| B["Span B"]
+    end
+
+    subgraph links["Span Links"]
+        direction TB
+        X["Span X\n(Trace 1)"] -.-|link| Y["Span Y\n(Trace 2)"]
+    end
+
+    parent_child ~~~ follows_from ~~~ links
+
+    style P fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style C fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style A fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style B fill:#bf360c,stroke:#8c2809,color:#ffffff
+    style X fill:#4a148c,stroke:#38006b,color:#ffffff
+    style Y fill:#4a148c,stroke:#38006b,color:#ffffff
+```
+
+| Relationship     | Same Trace? | Dependency?                | OTel Mechanism    |
+| ---------------- | ----------- | -------------------------- | ----------------- |
+| **Parent-Child** | Yes         | Parent depends on child    | `parent_span_id`  |
+| **Follows-From** | Usually     | Causal but no dependency   | Link + attributes |
+| **Span Link**    | Either      | Correlation, no dependency | Link + attributes |
+
+---
+
+## Trace ID Generation
+
+A `trace_id` is a 128-bit (16-byte) identifier that groups all spans belonging to one logical operation. How it's generated determines how easily you can find and correlate traces later.
+
+### General Approaches
+
+#### 1. Random (W3C Default)
+
+Generate a random 128-bit ID when a trace starts. Standard approach for most services.
+
+```
+trace_id = random_128_bits()
+```
+
+| Pros                        | Cons                                          |
+| --------------------------- | --------------------------------------------- |
+| Simple, standard            | No natural correlation to domain events       |
+| Guaranteed unique per trace | If propagation is lost, trace is broken       |
+| Works with all OTel tooling | "Find trace for TX abc" requires index lookup |
+
+#### 2. Deterministic (Derived from Domain Data)
+
+Compute the trace_id from a hash of a natural identifier. Every node independently derives the **same** trace_id for the same event.
+
+```
+trace_id = SHA-256(domain_identifier)[0:16]   // truncate to 128 bits
+```
+
+| Pros                                                | Cons                                                       |
+| --------------------------------------------------- | ---------------------------------------------------------- |
+| Propagation-resilient — same ID computed everywhere | Same event processed twice (retry) shares trace_id         |
+| Natural search — domain ID maps directly to trace   | Non-standard (tooling assumes random)                      |
+| No coordination needed between nodes                | 256→128 bit truncation (collision risk negligible at ~2⁶⁴) |
+
+#### 3. Hybrid (Deterministic Prefix + Random Suffix)
+
+First 8 bytes derived from domain data, last 8 bytes random.
+
+```
+trace_id = SHA-256(domain_identifier)[0:8] || random_64_bits()
+```
+
+| Pros                                        | Cons                                     |
+| ------------------------------------------- | ---------------------------------------- |
+| Prefix search: "find all traces for TX abc" | Must propagate to maintain full trace_id |
+| Unique per processing instance              | More complex generation logic            |
+| Retries get distinct trace_ids              | Partial correlation only (prefix match)  |
+
+### XRPL Workflow Analysis
+
+XRPL has a unique advantage: its core workflows produce **globally unique 256-bit hashes** that are known on every node. This makes deterministic trace_id generation practical in ways most systems can't achieve.
+
+#### Natural Identifiers by Workflow
+
+| Workflow            | Natural Identifier                | Size       | Known at Start?               | Same on All Nodes?               |
+| ------------------- | --------------------------------- | ---------- | ----------------------------- | -------------------------------- |
+| **Transaction**     | Transaction hash (`tid_`)         | 256-bit    | Yes — computed before signing | Yes — hash of canonical tx data  |
+| **Consensus round** | Previous ledger hash + ledger seq | 256+32 bit | Yes — known when round opens  | Yes — all validators agree       |
+| **Validation**      | Ledger hash being validated       | 256-bit    | Yes — from consensus result   | Yes — same closed ledger         |
+| **Ledger catch-up** | Target ledger hash                | 256-bit    | Yes — we know what to fetch   | Yes — identifies ledger globally |
+
+#### Where These Identifiers Live in Code
+
+```
+Transaction:     STTx::getTransactionID()     → uint256 tid_
+                 TMTransaction::rawTransaction → recompute hash from bytes
+
+Consensus:       ConsensusProposal::prevLedger_ → uint256 (previous ledger hash)
+                 ConsensusProposal::position_   → uint256 (TxSet hash)
+                 LedgerHeader::seq              → uint32_t (ledger sequence)
+
+Validation:      STValidation::getLedgerHash()  → uint256
+                 STValidation::getNodeID()      → NodeID (160-bit)
+
+Ledger fetch:    InboundLedger constructor      → uint256 hash, uint32_t seq
+                 TMGetLedger::ledgerHash        → bytes (uint256)
+```
+
+### Recommended Strategy: Workflow-Scoped Deterministic
+
+Each workflow type derives its trace_id from its natural domain identifier:
+
+```
+Transaction trace:   trace_id = SHA-256("tx"    || tx_hash)[0:16]
+Consensus trace:     trace_id = SHA-256("cons"  || prev_ledger_hash || ledger_seq)[0:16]
+Ledger catch-up:     trace_id = SHA-256("fetch" || target_ledger_hash)[0:16]
+```
+
+The string prefix (`"tx"`, `"cons"`, `"fetch"`) prevents collisions between workflows that might share underlying hashes.
+
+**Why this works for XRPL:**
+
+1. **Propagation-resilient** — Even if a P2P message drops trace context, every node independently computes the same trace_id from the same tx_hash or ledger_hash. Spans still correlate.
+
+2. **Zero-cost search** — "Show me the trace for transaction ABC" becomes a direct lookup: compute `SHA-256("tx" || ABC)[0:16]` and query. No secondary index needed.
+
+3. **Cross-workflow linking via Span Links** — A consensus trace links to individual transaction traces. A validation span links to the consensus trace. This connects the full picture without forcing everything into one giant trace.
+
+### Cross-Workflow Correlation
+
+Each workflow gets its own trace. Span Links tie them together:
+
+```mermaid
+flowchart TB
+    subgraph tx_trace["Transaction Trace"]
+        direction LR
+        Tn["trace_id = f(tx_hash)"]:::note --> T1["tx.receive"] --> T2["tx.validate"] --> T3["tx.relay"]
+    end
+
+    subgraph cons_trace["Consensus Trace"]
+        direction LR
+        Cn["trace_id = f(prev_ledger, seq)"]:::note --> C1["cons.open"] --> C2["cons.propose"] --> C3["cons.accept"]
+    end
+
+    subgraph val_trace["Validation"]
+        direction LR
+        Vn["spans within consensus trace"]:::note --> V1["val.create"] --> V2["val.broadcast"]
+    end
+
+    subgraph fetch_trace["Catch-Up Trace"]
+        direction LR
+        Fn["trace_id = f(ledger_hash)"]:::note --> F1["fetch.request"] --> F2["fetch.receive"] --> F3["fetch.apply"]
+    end
+
+    C1 -.-|"span link\n(tx traces)"| T3
+    C3 --> V1
+    F1 -.-|"span link\n(target ledger)"| C3
+
+    classDef note fill:none,stroke:#888,stroke-dasharray:5 5,color:#333,font-style:italic
+    style T1 fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style T2 fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style T3 fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style C1 fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style C2 fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style C3 fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style V1 fill:#bf360c,stroke:#8c2809,color:#ffffff
+    style V2 fill:#bf360c,stroke:#8c2809,color:#ffffff
+    style F1 fill:#4a148c,stroke:#38006b,color:#ffffff
+    style F2 fill:#4a148c,stroke:#38006b,color:#ffffff
+    style F3 fill:#4a148c,stroke:#38006b,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **Transaction Trace (blue)**: An independent trace whose `trace_id` is deterministically derived from the transaction hash. Contains receive, validate, and relay spans.
+- **Consensus Trace (green)**: An independent trace whose `trace_id` is derived from the previous ledger hash and sequence number. Covers the open, propose, and accept phases.
+- **Validation (red)**: Validation spans live within the consensus trace (not a separate trace). They are created after the accept phase completes.
+- **Catch-Up Trace (purple)**: An independent trace for ledger acquisition, derived from the target ledger hash. Used when a node is behind and fetching missing ledgers.
+- **Dotted arrows (span links)**: Cross-trace correlations. Consensus links to transaction traces it included; catch-up links to the consensus trace that produced the target ledger.
+- **Solid arrow (C3 to V1)**: A parent-child relationship -- validation spans are direct children of the consensus accept span within the same trace.
+
+**How a query flows:**
+
+```
+"Why was TX abc slow?"
+  1. Compute trace_id = SHA-256("tx" || abc)[0:16]
+  2. Find transaction trace → see it was included in consensus round N
+  3. Follow span link → consensus trace for round N
+  4. See which phase was slow (propose? accept?)
+  5. If a node was catching up, follow link → catch-up trace
+```
+
+### Trade-offs to Consider
+
+| Concern                       | Mitigation                                                                                                                    |
+| ----------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
+| **Retries get same trace_id** | Add `attempt` attribute to root span; spans have unique span_ids and timestamps                                               |
+| **256→128 bit truncation**    | Birthday-bound collision at ~2⁶⁴ operations — negligible for XRPL's throughput                                                |
+| **Non-standard generation**   | OTel spec allows any 16-byte non-zero value; tooling works on the hex string                                                  |
+| **Hash computation cost**     | SHA-256 is ~0.3μs per call; XRPL already computes these hashes for other purposes                                             |
+| **Late-binding identifiers**  | Ledger hash isn't known until after consensus — validation spans use ledger_seq as fallback, then link to the consensus trace |
+
+---
+
+## Distributed Traces Across Nodes
+
+In distributed systems like xrpld, traces span **multiple independent nodes**. The trace context must be propagated in network messages:
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant NodeA as Node A
+    participant NodeB as Node B
+    participant NodeC as Node C
+
+    Client->>NodeA: Submit TX<br/>(no trace context)
+
+    Note over NodeA: Creates new trace<br/>trace_id: abc123<br/>span: tx.receive
+
+    NodeA->>NodeB: Relay TX<br/>(trace_id: abc123, parent: 001)
+
+    Note over NodeB: Creates child span<br/>span: tx.relay<br/>parent_span_id: 001
+
+    NodeA->>NodeC: Relay TX<br/>(trace_id: abc123, parent: 001)
+
+    Note over NodeC: Creates child span<br/>span: tx.relay<br/>parent_span_id: 001
+
+    Note over NodeA,NodeC: All spans share trace_id: abc123<br/>enabling correlation across nodes
+```
+
+**Reading the diagram:**
+
+- **Client**: The external entity that submits a transaction. It does not carry trace context -- the trace originates at the first node.
+- **Node A**: The entry point that creates a new trace (trace_id: abc123) and the root span `tx.receive`. It relays the transaction to peers with trace context attached.
+- **Node B and Node C**: Peer nodes that receive the relayed transaction along with the propagated trace context. Each creates a child span under Node A's span, preserving the same `trace_id`.
+- **Arrows with trace context**: The relay messages carry `trace_id` and `parent_span_id`, allowing each downstream node to link its spans back to the originating span on Node A.
+
+---
+
+## Context Propagation
+
+For traces to work across nodes, **trace context must be propagated** in messages.
+
+### What's in the Context (~26 bytes)
+
+| Field         | Size     | Description                                             |
+| ------------- | -------- | ------------------------------------------------------- |
+| `trace_id`    | 16 bytes | Identifies the entire trace (constant across all nodes) |
+| `span_id`     | 8 bytes  | The sender's current span (becomes parent on receiver)  |
+| `trace_flags` | 1 byte   | Sampling decision (bit 0 = sampled; bits 1-7 reserved)  |
+| `trace_state` | variable | Optional vendor-specific data (typically omitted)       |
+
+### How span_id Changes at Each Hop
+
+Only **one** `span_id` travels in the context - the sender's current span. Each node:
+
+1. Extracts the received `span_id` and uses it as the `parent_span_id`
+2. Creates a **new** `span_id` for its own span
+3. Sends its own `span_id` as the parent when forwarding
+
+```
+Node A                      Node B                      Node C
+──────                      ──────                      ──────
+
+Span AAA                    Span BBB                    Span CCC
+   │                           │                           │
+   ▼                           ▼                           ▼
+Context out:                Context out:                Context out:
+├─ trace_id: abc123         ├─ trace_id: abc123         ├─ trace_id: abc123
+├─ span_id: AAA ──────────► ├─ span_id: BBB ──────────► ├─ span_id: CCC ──────►
+└─ flags: 01                └─ flags: 01                └─ flags: 01
+                               │                           │
+                          parent = AAA               parent = BBB
+```
+
+The `trace_id` stays constant, but `span_id` **changes at every hop** to maintain the parent-child chain.
+
+### Propagation Formats
+
+There are two patterns:
+
+### HTTP/RPC Headers (W3C Trace Context)
+
+```
+traceparent: 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01
+             │  │                                │                │
+             │  │                                │                └── Flags (sampled)
+             │  │                                └── Parent span ID (16 hex)
+             │  └── Trace ID (32 hex)
+             └── Version
+```
+
+### Protocol Buffers (xrpld P2P messages)
+
+xrpld P2P messages such as `TMTransaction` carry the trace context in two added byte fields alongside the existing payload: `trace_parent` holds the W3C traceparent (`trace_id`, `span_id`, and `trace_flags`), and `trace_state` holds the optional W3C tracestate. Together they propagate the trace across the P2P boundary so a receiving node can attach its spans to the sender's span.
+
+---
+
+## Sampling
+
+Not every trace needs to be recorded. **Sampling** reduces overhead:
+
+### Head Sampling (at trace start)
+
+```
+Request arrives → Random N% chance → Record or skip entire trace
+```
+
+- ✅ Low overhead
+- ❌ May miss interesting traces
+
+> **xrpld note**: xrpld intentionally fixes head sampling at 100% (sample
+> everything) and does not expose a configurable ratio. A per-node ratio
+> would let different nodes make divergent keep/drop decisions for the same
+> distributed trace, producing broken/partial traces. xrpld uses a
+> `ParentBased` sampler so spans with a remote parent honor the upstream
+> decision. Volume reduction is delegated to collector-side tail sampling.
+
+### Tail Sampling (after trace completes)
+
+```
+Trace completes → Collector evaluates:
+                  - Error? → KEEP
+                  - Slow? → KEEP
+                  - Normal? → Sample 10%
+```
+
+- ✅ Never loses important traces
+- ❌ Higher memory usage at collector
+
+---
+
+## Key Benefits for xrpld
+
+| Challenge                          | How Tracing Helps                        |
+| ---------------------------------- | ---------------------------------------- |
+| "Where is my transaction?"         | Follow trace across all nodes it touched |
+| "Why was consensus slow?"          | See timing breakdown of each phase       |
+| "Which node is the bottleneck?"    | Compare span durations across nodes      |
+| "What happened during the outage?" | Correlate errors across the network      |
+
+---
+
+## Glossary
+
+| Term                 | Definition                                                          |
+| -------------------- | ------------------------------------------------------------------- |
+| **Trace**            | Complete journey of a request, identified by `trace_id`             |
+| **Span**             | Single operation within a trace                                     |
+| **Parent-Child**     | Span relationship where the parent depends on the child             |
+| **Follows-From**     | Causal relationship where originator doesn't wait for the result    |
+| **Span Link**        | Non-hierarchical connection between spans, possibly across traces   |
+| **Deterministic ID** | Trace ID derived from domain data (e.g., tx_hash) instead of random |
+| **Context**          | Data propagated between services (`trace_id`, `span_id`, flags)     |
+| **Instrumentation**  | Code that creates spans and propagates context                      |
+| **Collector**        | Service that receives, processes, and exports traces                |
+| **Backend**          | Storage/visualization system (Tempo)                                |
+| **Head Sampling**    | Sampling decision at trace start                                    |
+| **Tail Sampling**    | Sampling decision after trace completes                             |
+
+---
+
+_Next: [Architecture Analysis](./01-architecture-analysis.md)_ | _Back to: [Overview](./OpenTelemetryPlan.md)_

OpenTelemetryPlan/01-architecture-analysis.md

@@ -0,0 +1,467 @@
+# Architecture Analysis
+
+> **Parent Document**: [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)
+> **Related**: [Design Decisions](./02-design-decisions.md) | [Implementation Strategy](./03-implementation-strategy.md)
+
+---
+
+## 1.1 Current xrpld Architecture Overview
+
+> **WS** = WebSocket | **UNL** = Unique Node List | **TxQ** = Transaction Queue | **StatsD** = Statistics Daemon
+
+The xrpld node software consists of several interconnected components that need instrumentation for distributed tracing:
+
+```mermaid
+flowchart TB
+    subgraph xrpld["xrpld Node"]
+        subgraph services["Core Services"]
+            RPC["RPC Server<br/>(HTTP/WS/gRPC)"]
+            Overlay["Overlay<br/>(P2P Network)"]
+            Consensus["Consensus<br/>(RCLConsensus)"]
+            ValidatorList["ValidatorList<br/>(UNL Mgmt)"]
+        end
+
+        JobQueue["JobQueue<br/>(Thread Pool)"]
+
+        subgraph processing["Processing Layer"]
+            NetworkOPs["NetworkOPs<br/>(Tx Processing)"]
+            LedgerMaster["LedgerMaster<br/>(Ledger Mgmt)"]
+            NodeStore["NodeStore<br/>(Database)"]
+            InboundLedgers["InboundLedgers<br/>(Ledger Sync)"]
+        end
+
+        subgraph appservices["Application Services"]
+            PathFind["PathFinding<br/>(Payment Paths)"]
+            TxQ["TxQ<br/>(Fee Escalation)"]
+            LoadMgr["LoadManager<br/>(Fee/Load)"]
+        end
+
+        subgraph observability["Existing Observability"]
+            PerfLog["PerfLog<br/>(JSON)"]
+            Insight["Insight<br/>(StatsD)"]
+            Logging["Logging<br/>(Journal)"]
+        end
+
+        services --> JobQueue
+        JobQueue --> processing
+        JobQueue --> appservices
+    end
+
+    style xrpld fill:#424242,stroke:#212121,color:#ffffff
+    style services fill:#1565c0,stroke:#0d47a1,color:#ffffff
+    style processing fill:#2e7d32,stroke:#1b5e20,color:#ffffff
+    style appservices fill:#6a1b9a,stroke:#4a148c,color:#ffffff
+    style observability fill:#e65100,stroke:#bf360c,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **Core Services (blue)**: The entry points into xrpld -- RPC Server handles client requests, Overlay manages peer-to-peer networking, Consensus drives agreement, and ValidatorList manages trusted validators.
+- **JobQueue (center)**: The asynchronous thread pool that decouples Core Services from the Processing and Application layers. All work flows through it.
+- **Processing Layer (green)**: Core business logic -- NetworkOPs processes transactions, LedgerMaster manages ledger state, NodeStore handles persistence, and InboundLedgers synchronizes missing data.
+- **Application Services (purple)**: Higher-level features -- PathFinding computes payment routes, TxQ manages fee-based queuing, and LoadManager tracks server load.
+- **Existing Observability (orange)**: The current monitoring stack (PerfLog, Insight, Journal logging) that OpenTelemetry will complement, not replace.
+- **Arrows (Services to JobQueue to layers)**: Work originates at Core Services, is enqueued onto the JobQueue, and dispatched to Processing or Application layers for execution.
+
+---
+
+## 1.1.1 Actors and Actions
+
+### Actors
+
+| Who (Plain English)                       | Technical Term             |
+| ----------------------------------------- | -------------------------- |
+| Network node running XRPL software        | xrpld node                 |
+| External client submitting requests       | RPC Client                 |
+| Network neighbor sharing data             | Peer (PeerImp)             |
+| Request handler for client queries        | RPC Server (ServerHandler) |
+| Command executor for specific RPC methods | RPCHandler                 |
+| Agreement process between nodes           | Consensus (RCLConsensus)   |
+| Transaction processing coordinator        | NetworkOPs                 |
+| Background task scheduler                 | JobQueue                   |
+| Ledger state manager                      | LedgerMaster               |
+| Payment route calculator                  | PathFinding (Pathfinder)   |
+| Transaction waiting room                  | TxQ (Transaction Queue)    |
+| Fee adjustment system                     | LoadManager                |
+| Trusted validator list manager            | ValidatorList              |
+| Protocol upgrade tracker                  | AmendmentTable             |
+| Ledger state hash tree                    | SHAMap                     |
+| Persistent key-value storage              | NodeStore                  |
+
+### Actions
+
+| What Happens (Plain English)                   | Technical Term         |
+| ---------------------------------------------- | ---------------------- |
+| Client sends a request to a node               | `rpc.request`          |
+| Node executes a specific RPC command           | `rpc.command.*`        |
+| Node receives a transaction from a peer        | `tx.receive`           |
+| Node checks if a transaction is valid          | `tx.validate`          |
+| Node forwards a transaction to neighbors       | `tx.relay`             |
+| Nodes agree on which transactions to include   | `consensus.round`      |
+| Consensus progresses through phases            | `consensus.phase.*`    |
+| Node builds a new confirmed ledger             | `ledger.build`         |
+| Node fetches missing ledger data from peers    | `ledger.acquire`       |
+| Node computes payment routes                   | `pathfind.compute`     |
+| Node queues a transaction for later processing | `txq.enqueue`          |
+| Node increases fees due to high load           | `fee.escalate`         |
+| Node fetches the latest trusted validator list | `validator.list.fetch` |
+| Node votes on a protocol amendment             | `amendment.vote`       |
+| Node synchronizes state tree data              | `shamap.sync`          |
+
+---
+
+## 1.2 Key Components for Instrumentation
+
+> **TxQ** = Transaction Queue | **UNL** = Unique Node List
+
+| Component          | Location                                   | Purpose                  | Trace Value                      |
+| ------------------ | ------------------------------------------ | ------------------------ | -------------------------------- |
+| **Overlay**        | `src/xrpld/overlay/`                       | P2P communication        | Message propagation timing       |
+| **PeerImp**        | `src/xrpld/overlay/detail/PeerImp.cpp`     | Individual peer handling | Per-peer latency                 |
+| **RCLConsensus**   | `src/xrpld/app/consensus/RCLConsensus.cpp` | Consensus algorithm      | Round timing, phase analysis     |
+| **NetworkOPs**     | `src/xrpld/app/misc/NetworkOPs.cpp`        | Transaction processing   | Tx lifecycle tracking            |
+| **ServerHandler**  | `src/xrpld/rpc/detail/ServerHandler.cpp`   | RPC entry point          | Request latency                  |
+| **RPCHandler**     | `src/xrpld/rpc/detail/RPCHandler.cpp`      | Command execution        | Per-command timing               |
+| **JobQueue**       | `src/xrpl/core/JobQueue.h`                 | Async task execution     | Queue wait times                 |
+| **PathFinding**    | `src/xrpld/app/paths/`                     | Payment path computation | Path latency, cache hits         |
+| **TxQ**            | `src/xrpld/app/misc/TxQ.cpp`               | Transaction queue/fees   | Queue depth, eviction rates      |
+| **LoadManager**    | `src/xrpld/app/main/LoadManager.cpp`       | Fee escalation/load      | Fee levels, load factors         |
+| **InboundLedgers** | `src/xrpld/app/ledger/InboundLedgers.cpp`  | Ledger acquisition       | Sync time, peer reliability      |
+| **ValidatorList**  | `src/xrpld/app/misc/ValidatorList.cpp`     | UNL management           | List freshness, fetch failures   |
+| **AmendmentTable** | `src/xrpld/app/misc/AmendmentTable.cpp`    | Protocol amendments      | Voting status, activation events |
+| **SHAMap**         | `src/xrpld/shamap/`                        | State hash tree          | Sync speed, missing nodes        |
+
+---
+
+## 1.3 Transaction Flow Diagram
+
+Transaction flow spans multiple nodes in the network. Each node creates linked spans to form a distributed trace:
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant PeerA as Peer A (Receive)
+    participant PeerB as Peer B (Relay)
+    participant PeerC as Peer C (Validate)
+
+    Client->>PeerA: 1. Submit TX
+
+    rect rgb(230, 245, 255)
+        Note over PeerA: tx.receive SPAN START
+        PeerA->>PeerA: HashRouter Deduplication
+        PeerA->>PeerA: tx.validate (child span)
+    end
+
+    PeerA->>PeerB: 2. Relay TX (with trace ctx)
+
+    rect rgb(230, 245, 255)
+        Note over PeerB: tx.receive (linked span)
+    end
+
+    PeerB->>PeerC: 3. Relay TX
+
+    rect rgb(230, 245, 255)
+        Note over PeerC: tx.receive (linked span)
+        PeerC->>PeerC: tx.process
+    end
+
+    Note over Client,PeerC: DISTRIBUTED TRACE (same trace_id: abc123)
+```
+
+**Reading the diagram:**
+
+- **Client**: The external entity that submits a transaction to Peer A. It has no trace context -- the trace starts at the first node.
+- **Peer A (Receive)**: The entry node that creates the root span `tx.receive`, runs HashRouter deduplication to avoid processing duplicates, and creates a child `tx.validate` span.
+- **Peer A to Peer B arrow**: The relay message carries trace context (trace_id + parent span_id), enabling Peer B to create a linked span under the same trace.
+- **Peer B (Relay)**: Receives the transaction and trace context, creates a `tx.receive` span linked to Peer A's trace, then relays onward.
+- **Peer C (Validate)**: Final hop in this example. Creates a linked `tx.receive` span and runs `tx.process` to fully process the transaction.
+- **Blue rectangles**: Highlight the span boundaries on each node, showing where instrumentation creates and closes spans.
+
+### Trace Structure
+
+```
+trace_id: abc123
+├── span: tx.receive (Peer A)
+│   ├── span: tx.validate
+│   └── span: tx.relay
+├── span: tx.receive (Peer B) [parent: Peer A]
+│   └── span: tx.relay
+└── span: tx.receive (Peer C) [parent: Peer B]
+    └── span: tx.process
+```
+
+---
+
+## 1.4 Consensus Round Flow
+
+Consensus rounds are multi-phase operations that benefit significantly from tracing:
+
+```mermaid
+flowchart TB
+    subgraph round["consensus.round (root span)"]
+        attrs["Attributes:<br/>ledger_seq = 12345678<br/>consensus_mode = proposing<br/>proposers = 35"]
+
+        subgraph open["consensus.phase.open"]
+            open_desc["Duration: ~3s<br/>Waiting for transactions"]
+        end
+
+        subgraph establish["consensus.phase.establish"]
+            est_attrs["proposals_received = 28<br/>disputes_resolved = 3"]
+            est_children["├── consensus.proposal.receive (×28)<br/>├── consensus.proposal.send (×1)<br/>└── consensus.dispute.resolve (×3)"]
+        end
+
+        subgraph accept["consensus.phase.accept"]
+            acc_attrs["transactions_applied = 150<br/>ledger_hash = DEF456..."]
+            acc_children["├── ledger.build<br/>└── ledger.validate"]
+        end
+
+        attrs --> open
+        open --> establish
+        establish --> accept
+    end
+
+    style round fill:#f57f17,stroke:#e65100,color:#ffffff
+    style open fill:#1565c0,stroke:#0d47a1,color:#ffffff
+    style establish fill:#2e7d32,stroke:#1b5e20,color:#ffffff
+    style accept fill:#c2185b,stroke:#880e4f,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **consensus.round (orange, root span)**: The top-level span encompassing the entire consensus round, with attributes like ledger sequence, mode, and proposer count.
+- **consensus.phase.open (blue)**: The first phase where the node waits (~3s) to collect incoming transactions before proposing.
+- **consensus.phase.establish (green)**: The negotiation phase where validators exchange proposals, resolve disputes, and converge on a transaction set. Child spans track each proposal received/sent and each dispute resolved.
+- **consensus.phase.accept (pink)**: The final phase where the agreed transaction set is applied, a new ledger is built, and the ledger is validated. Child spans cover `ledger.build` and `ledger.validate`.
+- **Arrows (open to establish to accept)**: The sequential flow through the three consensus phases. Each phase must complete before the next begins.
+
+---
+
+## 1.5 RPC Request Flow
+
+> **WS** = WebSocket
+
+RPC requests support W3C Trace Context headers for distributed tracing across services:
+
+```mermaid
+flowchart TB
+    subgraph request["rpc.request (root span)"]
+        http["HTTP Request — POST /<br/>traceparent:<br/>00-abc123...-def456...-01"]
+
+        attrs["Attributes:<br/>http.method = POST<br/>net.peer.ip = 192.168.1.100<br/>command = submit"]
+
+        subgraph enqueue["jobqueue.enqueue"]
+            job_attr["job_type = jtCLIENT_RPC"]
+        end
+
+        subgraph command["rpc.command.submit"]
+            cmd_attrs["version = 2<br/>rpc_role = user"]
+            cmd_children["├── tx.deserialize<br/>├── tx.validate_local<br/>└── tx.submit_to_network"]
+        end
+
+        response["Response: 200 OK<br/>Duration: 45ms"]
+
+        http --> attrs
+        attrs --> enqueue
+        enqueue --> command
+        command --> response
+    end
+
+    style request fill:#2e7d32,stroke:#1b5e20,color:#ffffff
+    style enqueue fill:#1565c0,stroke:#0d47a1,color:#ffffff
+    style command fill:#e65100,stroke:#bf360c,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **rpc.request (green, root span)**: The outermost span representing the full RPC request lifecycle, from HTTP receipt to response. Carries the W3C `traceparent` header for distributed tracing.
+- **HTTP Request node**: Shows the incoming POST request with its `traceparent` header and extracted attributes (method, peer IP, command name).
+- **jobqueue.enqueue (blue)**: The span covering the asynchronous handoff from the RPC thread to the JobQueue worker thread. The trace context is preserved across this async boundary.
+- **rpc.command.submit (orange)**: The span for the actual command execution, with child spans for deserialization, local validation, and network submission.
+- **Response node**: The final output with HTTP status and total duration, marking the end of the root span.
+- **Arrows (top to bottom)**: The sequential processing pipeline -- receive request, extract attributes, enqueue job, execute command, return response.
+
+---
+
+## 1.6 Key Trace Points
+
+> **TxQ** = Transaction Queue
+
+The following table identifies priority instrumentation points across the codebase:
+
+| Category        | Span Name              | File                   | Method                  | Priority |
+| --------------- | ---------------------- | ---------------------- | ----------------------- | -------- |
+| **Transaction** | `tx.receive`           | `PeerImp.cpp`          | `handleTransaction()`   | High     |
+| **Transaction** | `tx.validate`          | `NetworkOPs.cpp`       | `processTransaction()`  | High     |
+| **Transaction** | `tx.process`           | `NetworkOPs.cpp`       | `doTransactionSync()`   | High     |
+| **Transaction** | `tx.relay`             | `OverlayImpl.cpp`      | `relay()`               | Medium   |
+| **Consensus**   | `consensus.round`      | `RCLConsensus.cpp`     | `startRound()`          | High     |
+| **Consensus**   | `consensus.phase.*`    | `Consensus.h`          | `timerEntry()`          | High     |
+| **Consensus**   | `consensus.proposal.*` | `RCLConsensus.cpp`     | `peerProposal()`        | Medium   |
+| **RPC**         | `rpc.request`          | `ServerHandler.cpp`    | `onRequest()`           | High     |
+| **RPC**         | `rpc.command.*`        | `RPCHandler.cpp`       | `doCommand()`           | High     |
+| **Peer**        | `peer.connect`         | `OverlayImpl.cpp`      | `onHandoff()`           | Low      |
+| **Peer**        | `peer.message.*`       | `PeerImp.cpp`          | `onMessage()`           | Low      |
+| **Ledger**      | `ledger.acquire`       | `InboundLedgers.cpp`   | `acquire()`             | Medium   |
+| **Ledger**      | `ledger.build`         | `RCLConsensus.cpp`     | `buildLCL()`            | High     |
+| **PathFinding** | `pathfind.request`     | `PathRequest.cpp`      | `doUpdate()`            | High     |
+| **PathFinding** | `pathfind.compute`     | `Pathfinder.cpp`       | `findPaths()`           | High     |
+| **TxQ**         | `txq.enqueue`          | `TxQ.cpp`              | `apply()`               | High     |
+| **TxQ**         | `txq.apply`            | `TxQ.cpp`              | `processClosedLedger()` | High     |
+| **Fee**         | `fee.escalate`         | `LoadManager.cpp`      | `raiseLocalFee()`       | Medium   |
+| **Ledger**      | `ledger.replay`        | `LedgerReplayer.h`     | `replay()`              | Medium   |
+| **Ledger**      | `ledger.delta`         | `LedgerDeltaAcquire.h` | `processData()`         | Medium   |
+| **Validator**   | `validator.list.fetch` | `ValidatorList.cpp`    | `verify()`              | Medium   |
+| **Validator**   | `validator.manifest`   | `Manifest.cpp`         | `applyManifest()`       | Low      |
+| **Amendment**   | `amendment.vote`       | `AmendmentTable.cpp`   | `doVoting()`            | Low      |
+| **SHAMap**      | `shamap.sync`          | `SHAMap.cpp`           | `fetchRoot()`           | Medium   |
+
+---
+
+## 1.7 Instrumentation Priority
+
+> **TxQ** = Transaction Queue
+
+```mermaid
+quadrantChart
+    title Instrumentation Priority Matrix
+    x-axis Low Complexity --> High Complexity
+    y-axis Low Value --> High Value
+    quadrant-1 Implement First
+    quadrant-2 Plan Carefully
+    quadrant-3 Quick Wins
+    quadrant-4 Consider Later
+
+    RPC Tracing: [0.2, 0.92]
+    Transaction Tracing: [0.55, 0.88]
+    Consensus Tracing: [0.78, 0.82]
+    PathFinding: [0.38, 0.75]
+    TxQ and Fees: [0.25, 0.65]
+    Ledger Sync: [0.62, 0.58]
+    Peer Message Tracing: [0.35, 0.25]
+    JobQueue Tracing: [0.2, 0.48]
+    Validator Mgmt: [0.48, 0.42]
+    Amendment Tracking: [0.15, 0.32]
+    SHAMap Operations: [0.72, 0.45]
+```
+
+---
+
+## 1.8 Observable Outcomes
+
+> **TxQ** = Transaction Queue | **UNL** = Unique Node List
+
+After implementing OpenTelemetry, operators and developers will gain visibility into the following:
+
+### 1.8.1 What You Will See: Traces
+
+| Trace Type                 | Description                                                                                 | Example Query in Grafana/Tempo                  |
+| -------------------------- | ------------------------------------------------------------------------------------------- | ----------------------------------------------- |
+| **Transaction Lifecycle**  | Full journey from RPC submission through validation, relay, consensus, and ledger inclusion | `{service.name="xrpld" && tx_hash="ABC123..."}` |
+| **Cross-Node Propagation** | Transaction path across multiple xrpld nodes with timing                                    | `{relay_count > 0}`                             |
+| **Consensus Rounds**       | Complete round with all phases (open, establish, accept)                                    | `{span.name=~"consensus.round.*"}`              |
+| **RPC Request Processing** | Individual command execution with timing breakdown                                          | `{command="account_info"}`                      |
+| **Ledger Acquisition**     | Peer-to-peer ledger data requests and responses                                             | `{span.name="ledger.acquire"}`                  |
+| **PathFinding Latency**    | Path computation time and cache effectiveness for payment RPCs                              | `{span.name="pathfind.compute"}`                |
+| **TxQ Behavior**           | Queue depth, eviction patterns, fee escalation during congestion                            | `{span.name=~"txq.*"}`                          |
+| **Ledger Sync**            | Full acquisition timeline including delta and transaction fetches                           | `{span.name=~"ledger.acquire.*"}`               |
+| **Validator Health**       | UNL fetch success, manifest updates, stale list detection                                   | `{span.name=~"validator.*"}`                    |
+
+### 1.8.2 What You Will See: Metrics (Derived from Traces)
+
+| Metric                        | Description                             | Dashboard Panel             |
+| ----------------------------- | --------------------------------------- | --------------------------- |
+| **RPC Latency (p50/p95/p99)** | Response time distribution per command  | Heatmap by command          |
+| **Transaction Throughput**    | Transactions processed per second       | Time series graph           |
+| **Consensus Round Duration**  | Time to complete consensus phases       | Histogram                   |
+| **Cross-Node Latency**        | Time for transaction to reach N nodes   | Line chart with percentiles |
+| **Error Rate**                | Failed transactions/RPC calls by type   | Stacked bar chart           |
+| **PathFinding Latency**       | Path computation time per currency pair | Heatmap by currency         |
+| **TxQ Depth**                 | Queued transactions over time           | Time series with thresholds |
+| **Fee Escalation Level**      | Current fee multiplier                  | Gauge with alert thresholds |
+| **Ledger Sync Duration**      | Time to acquire missing ledgers         | Histogram                   |
+
+### 1.8.3 Concrete Dashboard Examples
+
+**Transaction Trace View (Tempo):**
+
+```
+┌────────────────────────────────────────────────────────────────────────────────┐
+│ Trace: abc123... (Transaction Submission)                    Duration: 847ms   │
+├────────────────────────────────────────────────────────────────────────────────┤
+│ ├── rpc.request [ServerHandler]                              ████░░░░░░  45ms  │
+│ │   └── rpc.command.submit [RPCHandler]                      ████░░░░░░  42ms  │
+│ │       └── tx.receive [NetworkOPs]                          ███░░░░░░░  35ms  │
+│ │           ├── tx.validate [TxQ]                            █░░░░░░░░░   8ms  │
+│ │           └── tx.relay [Overlay]                           ██░░░░░░░░  15ms  │
+│ │               ├── tx.receive [Node-B]                      █████░░░░░  52ms  │
+│ │               │   └── tx.relay [Node-B]                    ██░░░░░░░░  18ms  │
+│ │               └── tx.receive [Node-C]                      ██████░░░░  65ms  │
+│ └── consensus.round [RCLConsensus]                           ████████░░ 720ms  │
+│     ├── consensus.phase.open                                 ██░░░░░░░░ 180ms  │
+│     ├── consensus.phase.establish                            █████░░░░░ 480ms  │
+│     └── consensus.phase.accept                               █░░░░░░░░░  60ms  │
+└────────────────────────────────────────────────────────────────────────────────┘
+```
+
+**RPC Performance Dashboard Panel:**
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│ RPC Command Latency (Last 1 Hour)                           │
+├─────────────────────────────────────────────────────────────┤
+│ Command          │ p50    │ p95    │ p99    │ Errors │ Rate │
+│──────────────────┼────────┼────────┼────────┼────────┼──────│
+│ account_info     │  12ms  │  45ms  │  89ms  │  0.1%  │ 150/s│
+│ submit           │  35ms  │ 120ms  │ 250ms  │  2.3%  │  45/s│
+│ ledger           │   8ms  │  25ms  │  55ms  │  0.0%  │  80/s│
+│ tx               │  15ms  │  50ms  │ 100ms  │  0.5%  │  60/s│
+│ server_info      │   5ms  │  12ms  │  20ms  │  0.0%  │ 200/s│
+└─────────────────────────────────────────────────────────────┘
+```
+
+**Consensus Health Dashboard Panel:**
+
+```mermaid
+---
+config:
+    xyChart:
+        width: 1200
+        height: 400
+        plotReservedSpacePercent: 50
+        chartOrientation: vertical
+    themeVariables:
+        xyChart:
+            plotColorPalette: "#3498db"
+---
+xychart-beta
+    title "Consensus Round Duration (Last 24 Hours)"
+    x-axis "Time of Day (Hours)" [0, 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24]
+    y-axis "Duration (seconds)" 1 --> 5
+    line [2.1, 2.4, 2.8, 3.2, 3.8, 4.3, 4.5, 5.0, 4.7, 4.0, 3.2, 2.6, 2.0]
+```
+
+### 1.8.4 Operator Actionable Insights
+
+| Scenario                  | What You'll See                                                              | Action                                           |
+| ------------------------- | ---------------------------------------------------------------------------- | ------------------------------------------------ |
+| **Slow RPC**              | Span showing which phase is slow (parsing, execution, serialization)         | Optimize specific code path                      |
+| **Transaction Stuck**     | Trace stops at validation; error attribute shows reason                      | Fix transaction parameters                       |
+| **Consensus Delay**       | Phase.establish taking too long; proposer attribute shows missing validators | Investigate network connectivity                 |
+| **Memory Spike**          | Large batch of spans correlating with memory increase                        | Tune batch_size or sampling                      |
+| **Network Partition**     | Traces missing cross-node links for specific peer                            | Check peer connectivity                          |
+| **Path Computation Slow** | pathfind.compute span shows high latency; cache miss rate in attributes      | Warm the RippleLineCache, check order book depth |
+| **TxQ Full**              | txq.enqueue spans show evictions; fee.escalate spans increasing              | Monitor fee levels, alert operators              |
+| **Ledger Sync Stalled**   | ledger.acquire spans timing out; peer reliability attributes show issues     | Check peer connectivity, add trusted peers       |
+| **UNL Stale**             | validator.list.fetch spans failing; last_update attribute aging              | Verify validator site URLs, check DNS            |
+
+### 1.8.5 Developer Debugging Workflow
+
+1. **Find Transaction**: Query by `tx_hash` to get full trace
+2. **Identify Bottleneck**: Look at span durations to find slowest component
+3. **Check Attributes**: Review `validity`, `rpc_status` for errors
+4. **Correlate Logs**: Use `trace_id` to find related PerfLog entries
+5. **Compare Nodes**: Filter by `service.instance.id` to compare behavior across nodes
+
+---
+
+_Next: [Design Decisions](./02-design-decisions.md)_ | _Back to: [Overview](./OpenTelemetryPlan.md)_

OpenTelemetryPlan/02-design-decisions.md

@@ -0,0 +1,662 @@
+# Design Decisions
+
+> **Parent Document**: [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)
+> **Related**: [Architecture Analysis](./01-architecture-analysis.md)
+
+---
+
+## 2.1 OpenTelemetry Components
+
+> **OTLP** = OpenTelemetry Protocol
+
+### 2.1.1 SDK Selection
+
+**Primary Choice**: OpenTelemetry C++ SDK (`opentelemetry-cpp`)
+
+| Component                               | Purpose                | Required                  |
+| --------------------------------------- | ---------------------- | ------------------------- |
+| `opentelemetry-cpp::api`                | Tracing API headers    | Yes                       |
+| `opentelemetry-cpp::sdk`                | SDK implementation     | Yes                       |
+| `opentelemetry-cpp::ext`                | Extensions (exporters) | Yes                       |
+| `opentelemetry-cpp::otlp_http_exporter` | OTLP/HTTP export       | Yes (shipped in Phase 1b) |
+| `opentelemetry-cpp::otlp_grpc_exporter` | OTLP/gRPC export       | Future (not yet wired up) |
+
+### 2.1.2 Instrumentation Strategy
+
+**Manual Instrumentation** (recommended):
+
+| Approach   | Pros                                                            | Cons                                                    |
+| ---------- | --------------------------------------------------------------- | ------------------------------------------------------- |
+| **Manual** | Precise control, optimized placement, xrpld-specific attributes | More development effort                                 |
+| **Auto**   | Less code, automatic coverage                                   | Less control, potential overhead, limited customization |
+
+---
+
+## 2.2 Exporter Configuration
+
+> **OTLP** = OpenTelemetry Protocol
+
+```mermaid
+flowchart TB
+    subgraph nodes["xrpld Nodes"]
+        node1["xrpld<br/>Node 1"]
+        node2["xrpld<br/>Node 2"]
+        node3["xrpld<br/>Node 3"]
+    end
+
+    collector["OpenTelemetry<br/>Collector<br/>(sidecar or standalone)"]
+
+    subgraph backends["Observability Backends"]
+        tempo["Tempo"]
+        elastic["Elastic<br/>APM"]
+    end
+
+    node1 -->|"OTLP/HTTP<br/>:4318"| collector
+    node2 -->|"OTLP/HTTP<br/>:4318"| collector
+    node3 -->|"OTLP/HTTP<br/>:4318"| collector
+
+    collector --> tempo
+    collector --> elastic
+
+    style nodes fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style backends fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style collector fill:#bf360c,stroke:#8c2809,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **xrpld Nodes (blue)**: The source of telemetry data. Each xrpld node exports spans via OTLP/HTTP on port 4318 (the only exporter shipped in Phase 1b).
+- **OpenTelemetry Collector (red)**: The central aggregation point that receives spans from all nodes. Can run as a sidecar (per-node) or standalone (shared). Handles batching, filtering, and routing.
+- **Observability Backends (green)**: The storage and visualization destinations. Tempo is the recommended backend for both development and production, and Elastic APM is an alternative. The Collector routes to one or more backends.
+- **Arrows (nodes to collector to backends)**: The data pipeline -- spans flow from nodes to the Collector over HTTP, then the Collector fans out to the configured backends.
+
+### 2.2.1 OTLP/HTTP (Shipped in Phase 1b)
+
+OTLP/HTTP is the only exporter wired up in Phase 1b. It is configured via
+`OtlpHttpExporterOptions` with the collector traces endpoint
+(`http://localhost:4318/v1/traces` by default) and a JSON content type
+(binary protobuf is also available).
+
+### 2.2.2 OTLP/gRPC (Future Work — Planned Upgrade)
+
+OTLP/gRPC is planned as a future upgrade from the HTTP exporter. The gRPC
+transport offers lower per-span overhead and tighter back-pressure semantics
+than HTTP/JSON, making it attractive for production deployments once the HTTP
+path is validated in earlier phases.
+
+Required to land this upgrade:
+
+1. Add `opentelemetry-cpp::otlp_grpc_exporter` to the Conan recipe (the
+   dependency already exists but is not linked in Phase 1b builds).
+2. Extend `TelemetryConfig.cpp` to parse an `exporter` key (`otlp_http`
+   default, `otlp_grpc` opt-in) and a gRPC endpoint override.
+3. In `Telemetry::start()` branch on the parsed exporter type and construct
+   either `OtlpHttpExporterFactory::Create(httpOpts)` or
+   `OtlpGrpcExporterFactory::Create(grpcOpts)` accordingly.
+4. Update the runbook and dashboards to document the alternate port and TLS
+   settings.
+
+When wired up, the gRPC path will use `OtlpGrpcExporterOptions` configured with
+the collector endpoint (host on port 4317), TLS credentials enabled, and a CA
+certificate path.
+
+Until that work lands, `OtlpGrpcExporterOptions` is **not** used by any code
+path in Phase 1b through Phase 5.
+
+---
+
+## 2.3 Span Naming Conventions
+
+> **TxQ** = Transaction Queue | **UNL** = Unique Node List | **WS** = WebSocket
+
+### 2.3.1 Naming Schema
+
+```
+<component>.<operation>[.<sub-operation>]
+```
+
+**Examples**:
+
+- `tx.receive` - Transaction received from peer
+- `consensus.phase.establish` - Consensus establish phase
+- `rpc.command.server_info` - server_info RPC command
+
+### 2.3.2 Complete Span Catalog
+
+| Span name                      | Description                             |
+| ------------------------------ | --------------------------------------- |
+| `tx.receive`                   | Transaction received from network       |
+| `tx.validate`                  | Transaction signature/format validation |
+| `tx.process`                   | Full transaction processing             |
+| `tx.relay`                     | Transaction relay to peers              |
+| `tx.apply`                     | Apply transaction to ledger             |
+| `consensus.round`              | Complete consensus round                |
+| `consensus.phase.open`         | Open phase - collecting transactions    |
+| `consensus.phase.establish`    | Establish phase - reaching agreement    |
+| `consensus.phase.accept`       | Accept phase - applying consensus       |
+| `consensus.proposal.receive`   | Receive peer proposal                   |
+| `consensus.proposal.send`      | Send our proposal                       |
+| `consensus.validation.receive` | Receive peer validation                 |
+| `consensus.validation.send`    | Send our validation                     |
+| `rpc.request`                  | HTTP/WebSocket request handling         |
+| `rpc.command.*`                | Specific RPC command (dynamic)          |
+| `peer.connect`                 | Peer connection establishment           |
+| `peer.disconnect`              | Peer disconnection                      |
+| `peer.message.send`            | Send protocol message                   |
+| `peer.message.receive`         | Receive protocol message                |
+| `ledger.acquire`               | Ledger acquisition from network         |
+| `ledger.build`                 | Build new ledger                        |
+| `ledger.validate`              | Ledger validation                       |
+| `ledger.close`                 | Close ledger                            |
+| `ledger.replay`                | Ledger replay executed                  |
+| `ledger.delta`                 | Delta-based ledger acquired             |
+| `pathfind.request`             | Path request initiated                  |
+| `pathfind.compute`             | Path computation executed               |
+| `txq.enqueue`                  | Transaction queued                      |
+| `txq.apply`                    | Queued transaction applied              |
+| `fee.escalate`                 | Fee escalation triggered                |
+| `validator.list.fetch`         | UNL list fetched                        |
+| `validator.manifest`           | Manifest update processed               |
+| `amendment.vote`               | Amendment voting executed               |
+| `shamap.sync`                  | State tree synchronization              |
+| `job.enqueue`                  | Job added to queue                      |
+| `job.execute`                  | Job execution                           |
+
+### 2.3.3 Attribute Naming Conventions
+
+Span **names** follow §2.3.1 (dotted `<component>.<operation>`). Span
+**attribute keys** follow the rules below. The constants in the `*SpanNames.h`
+headers are the single source of truth; the collector, Tempo, the Grafana
+dashboards, and the runbook all consume these exact keys, so every layer must
+agree with the code. A CI check enforces this end to end.
+
+1. **Per-span unique attribute** → bare field name, allowed when the field is
+   recorded by a single span/workflow so the span name already supplies the
+   domain (e.g. `command`, `version`, `local` on `rpc.command`).
+2. **Shared attribute (same concept on more than one span)** → ONE key, reused
+   verbatim on every span that records it; the span name tells the occurrences
+   apart, so no per-emitter prefix is added. Name it by the field's meaning: a
+   property of a domain object keeps that object's bare field name (`ledger_hash`,
+   `ledger_seq`, `tx_hash`, `peer_id`, `full_validation`); a field already
+   qualified by a sub-kind keeps that qualifier on every emitter (`proposal_trusted`
+   on both `consensus.proposal.receive` and `peer.proposal.receive`;
+   `validation_trusted` likewise). Defined once in the base `SpanNames.h`
+   `namespace attr` block and re-exported (`using`) by each domain header.
+3. **Collision qualifier** → `<domain>_<field>`, only when a bare name would
+   collide with a DIFFERENT concept in the shared spanmetrics label space or with
+   the OTel-reserved `status` key (e.g. `rpc_status`, `grpc_status`,
+   `consensus_state`, `consensus_round`, `consensus_mode`). This disambiguates
+   distinct concepts that share a word; it is NOT used to tag the same concept
+   with its emitting workflow — that is rule 2 (one shared name).
+4. **Resource attribute** → dotted `xrpl.<subsystem>.<field>`, reserved ONLY
+   for process/network identity set once at startup (`xrpl.network.id`,
+   `xrpl.network.type`). Span attributes are never dotted in the `xrpl.` form —
+   it blurs the resource/span scope boundary and parses awkwardly in TraceQL.
+5. **Span names** use `<subsystem>[.<component>]` (dotted, per §2.3.1). Only
+   attribute _keys_ follow rules 1–4.
+
+Standard OpenTelemetry semantic-convention keys keep their canonical dotted
+form (e.g. `service.*` resource attributes, `http.*` span attributes); the
+"no dotted form" rule applies to xrpl-custom keys only.
+
+The same rules are recorded in `CONTRIBUTING.md` (the permanent home, since
+`OpenTelemetryPlan/` is removed once the rollout completes). The attribute
+examples in §2.4 below follow these rules.
+
+---
+
+## 2.4 Attribute Schema
+
+> **TxQ** = Transaction Queue | **UNL** = Unique Node List | **OTLP** = OpenTelemetry Protocol
+
+### 2.4.1 Resource Attributes (Set Once at Startup)
+
+Resource attributes identify the process and are set once at startup. They use
+the standard OpenTelemetry semantic conventions plus custom dotted `xrpl.*`
+keys (the dotted form is reserved for resource scope per §2.3.3).
+
+| Key                   | Type / value                                               | Description                    |
+| --------------------- | ---------------------------------------------------------- | ------------------------------ |
+| `service.name`        | `"xrpld"`                                                  | Standard `SERVICE_NAME`        |
+| `service.version`     | `BuildInfo::getVersionString()`                            | Standard `SERVICE_VERSION`     |
+| `service.instance.id` | node public key (base58)                                   | Standard `SERVICE_INSTANCE_ID` |
+| `xrpl.network.id`     | network id (e.g. 0 for mainnet)                            | Network identifier             |
+| `xrpl.network.type`   | `"mainnet"` \| `"testnet"` \| `"devnet"` \| `"standalone"` | Network kind                   |
+| `xrpl.node.type`      | `"validator"` \| `"stock"` \| `"reporting"`                | Node role                      |
+| `xrpl.node.cluster`   | cluster name                                               | Cluster name, if clustered     |
+
+### 2.4.2 Span Attributes by Category
+
+> Span attribute keys use the underscore form from §2.3.3 (shared/qualified
+> keys are `<domain>_<field>`; per-span unique keys are bare). The dotted form
+> is reserved for the resource attributes in §2.4.1 above. This catalog lists
+> the planned attribute set by category; the exact emitted key for each
+> implemented span is defined by the `*SpanNames.h` constants, which are the
+> single source of truth where the two differ.
+
+#### Transaction Attributes
+
+| Key            | Type   | Description                           |
+| -------------- | ------ | ------------------------------------- |
+| `tx_hash`      | string | Transaction hash (hex)                |
+| `tx_type`      | string | `"Payment"`, `"OfferCreate"`, etc.    |
+| `tx_account`   | string | Source account (redacted in prod)     |
+| `tx_sequence`  | int64  | Account sequence number               |
+| `tx_fee`       | int64  | Fee in drops                          |
+| `tx_result`    | string | `"tesSUCCESS"`, `"tecPATH_DRY"`, etc. |
+| `ledger_index` | int64  | Ledger containing transaction         |
+
+#### Consensus Attributes
+
+| Key                  | Type    | Description                         |
+| -------------------- | ------- | ----------------------------------- |
+| `consensus_round`    | int64   | Round number                        |
+| `consensus_phase`    | string  | `"open"`, `"establish"`, `"accept"` |
+| `consensus_mode`     | string  | `"proposing"`, `"observing"`, etc.  |
+| `proposers`          | int64   | Number of proposers                 |
+| `prev_ledger_prefix` | string  | Previous ledger hash prefix         |
+| `ledger_seq`         | int64   | Ledger sequence                     |
+| `tx_count`           | int64   | Transactions in consensus set       |
+| `round_time_ms`      | float64 | Round duration                      |
+
+Establish-phase gap fill and cross-node correlation attributes (Phase 4a):
+
+| Key                   | Type   | Description                                               |
+| --------------------- | ------ | --------------------------------------------------------- |
+| `consensus_round_id`  | int64  | Consensus round number                                    |
+| `consensus_ledger_id` | string | `previousLedger.id()` — shared across nodes               |
+| `trace_strategy`      | string | `"deterministic"` or `"attribute"`                        |
+| `converge_percent`    | int64  | Convergence % (0-100+)                                    |
+| `establish_count`     | int64  | Number of establish iterations                            |
+| `disputes_count`      | int64  | Active disputed transactions                              |
+| `agree_count`         | int64  | Peers that agree (haveConsensus)                          |
+| `disagree_count`      | int64  | Peers that disagree                                       |
+| `threshold_percent`   | int64  | Close-time consensus threshold (`avCT_CONSENSUS_PCT`=75%) |
+| `consensus_result`    | string | `"yes"`, `"no"`, `"moved_on"`, `"expired"`                |
+| `mode_old`            | string | Previous consensus mode                                   |
+| `mode_new`            | string | New consensus mode                                        |
+
+#### RPC Attributes
+
+| Key        | Type   | Description                                           |
+| ---------- | ------ | ----------------------------------------------------- |
+| `command`  | string | Command name (per-span unique on `rpc.command`)       |
+| `version`  | int64  | API version                                           |
+| `rpc_role` | string | `"admin"` or `"user"` (qualified — `role` is generic) |
+| `params`   | string | Sanitized parameters (optional)                       |
+
+#### Peer & Message Attributes
+
+| Key                  | Type    | Description                |
+| -------------------- | ------- | -------------------------- |
+| `peer_id`            | string  | Peer public key (base58)   |
+| `peer_address`       | string  | IP:port                    |
+| `peer_latency_ms`    | float64 | Measured latency           |
+| `peer_cluster`       | string  | Cluster name if clustered  |
+| `message_type`       | string  | Protocol message type name |
+| `message_size_bytes` | int64   | Message size               |
+| `message_compressed` | bool    | Whether compressed         |
+
+#### Ledger & Job Attributes
+
+| Key               | Type    | Description           |
+| ----------------- | ------- | --------------------- |
+| `ledger_hash`     | string  | Ledger hash           |
+| `ledger_index`    | int64   | Ledger sequence/index |
+| `close_time`      | int64   | Close time (epoch)    |
+| `ledger_tx_count` | int64   | Transaction count     |
+| `job_type`        | string  | Job type name         |
+| `job_queue_ms`    | float64 | Time spent in queue   |
+| `job_worker`      | int64   | Worker thread ID      |
+
+#### PathFinding Attributes
+
+| Key                        | Type   | Description               |
+| -------------------------- | ------ | ------------------------- |
+| `pathfind_source_currency` | string | Source currency code      |
+| `pathfind_dest_currency`   | string | Destination currency code |
+| `pathfind_path_count`      | int64  | Number of paths found     |
+| `pathfind_cache_hit`       | bool   | RippleLineCache hit       |
+
+#### TxQ Attributes
+
+| Key                   | Type   | Description                 |
+| --------------------- | ------ | --------------------------- |
+| `txq_queue_depth`     | int64  | Current queue depth         |
+| `txq_fee_level`       | int64  | Fee level of transaction    |
+| `txq_eviction_reason` | string | Why transaction was evicted |
+
+#### Fee Attributes
+
+| Key                    | Type  | Description               |
+| ---------------------- | ----- | ------------------------- |
+| `fee_load_factor`      | int64 | Current load factor       |
+| `fee_escalation_level` | int64 | Fee escalation multiplier |
+
+#### Validator Attributes
+
+| Key                      | Type  | Description               |
+| ------------------------ | ----- | ------------------------- |
+| `validator_list_size`    | int64 | UNL size                  |
+| `validator_list_age_sec` | int64 | Seconds since last update |
+
+#### Amendment Attributes
+
+| Key                | Type   | Description                            |
+| ------------------ | ------ | -------------------------------------- |
+| `amendment_name`   | string | Amendment name                         |
+| `amendment_status` | string | `"enabled"`, `"vetoed"`, `"supported"` |
+
+#### SHAMap Attributes
+
+| Key                    | Type    | Description                                   |
+| ---------------------- | ------- | --------------------------------------------- |
+| `shamap_type`          | string  | `"transaction"`, `"state"`, `"account_state"` |
+| `shamap_missing_nodes` | int64   | Number of missing nodes during sync           |
+| `shamap_duration_ms`   | float64 | Sync duration                                 |
+
+### 2.4.3 Data Collection Summary
+
+The following table summarizes what data is collected by category:
+
+| Category        | Attributes Collected                                                                                             | Purpose                      |
+| --------------- | ---------------------------------------------------------------------------------------------------------------- | ---------------------------- |
+| **Transaction** | `tx_hash`, `tx_type`, `tx_result`, `tx_fee`, `ledger_index`                                                      | Trace transaction lifecycle  |
+| **Consensus**   | `consensus_round`, `consensus_phase`, `consensus_mode`, `proposers`, `round_time_ms`                             | Analyze consensus timing     |
+| **RPC**         | `command`, `version`, `rpc_status`, `duration_ms`                                                                | Monitor RPC performance      |
+| **Peer**        | `peer_id` (public key), `peer_latency_ms`, `message_type`, `message_size_bytes`                                  | Network topology analysis    |
+| **Ledger**      | `ledger_hash`, `ledger_index`, `close_time`, `ledger_tx_count`                                                   | Ledger progression tracking  |
+| **Job**         | `job_type`, `job_queue_ms`, `job_worker`                                                                         | JobQueue performance         |
+| **PathFinding** | `pathfind_fast`, `pathfind_search_level`, `pathfind_num_paths`, `pathfind_ledger_index`, `pathfind_num_requests` | Payment path analysis        |
+| **TxQ**         | `txq_queue_depth`, `txq_fee_level`, `txq_eviction_reason`                                                        | Queue depth and fee tracking |
+| **Fee**         | `fee_load_factor`, `fee_escalation_level`                                                                        | Fee escalation monitoring    |
+| **Validator**   | `validator_list_size`, `validator_list_age_sec`                                                                  | UNL health monitoring        |
+| **Amendment**   | `amendment_name`, `amendment_status`                                                                             | Protocol upgrade tracking    |
+| **SHAMap**      | `shamap_type`, `shamap_missing_nodes`, `shamap_duration_ms`                                                      | State tree sync performance  |
+
+### 2.4.4 Privacy & Sensitive Data Policy
+
+> **PII** = Personally Identifiable Information
+
+OpenTelemetry instrumentation is designed to collect **operational metadata only**, never sensitive content.
+
+#### Data NOT Collected
+
+The following data is explicitly **excluded** from telemetry collection:
+
+| Excluded Data           | Reason                                    |
+| ----------------------- | ----------------------------------------- |
+| **Private Keys**        | Never exposed; not relevant to tracing    |
+| **Account Balances**    | Financial data; privacy sensitive         |
+| **Transaction Amounts** | Financial data; privacy sensitive         |
+| **Raw TX Payloads**     | May contain sensitive memo/data fields    |
+| **Personal Data**       | No PII collected                          |
+| **IP Addresses**        | Configurable; excluded by default in prod |
+
+#### Privacy Protection Mechanisms
+
+| Mechanism                     | Description                                                               |
+| ----------------------------- | ------------------------------------------------------------------------- |
+| **Account Hashing**           | `tx_account` is hashed at collector level before storage                  |
+| **Configurable Redaction**    | Sensitive fields can be excluded via `[telemetry]` config section         |
+| **Sampling**                  | Only 10% of traces recorded by default, reducing data exposure            |
+| **Local Control**             | Node operators have full control over what gets exported                  |
+| **No Raw Payloads**           | Transaction content is never recorded, only metadata (hash, type, result) |
+| **Collector-Level Filtering** | Additional redaction/hashing can be configured at OTel Collector          |
+
+#### Collector-Level Data Protection
+
+The OpenTelemetry Collector can be configured (via an `attributes` processor)
+to hash or redact sensitive attributes before export — for example, hashing
+`tx_account`, deleting `peer_address` to drop IP addresses, and deleting
+`params` to redact request parameters.
+
+#### Configuration Options for Privacy
+
+In `xrpld.cfg`, operators control data collection granularity through the
+`[telemetry]` section. Besides `enabled`, per-component toggles
+(`trace_transactions`, `trace_consensus`, `trace_rpc`, `trace_peer` — the last
+often disabled due to high volume) select which spans are emitted, and
+redaction flags (`redact_account` to hash account addresses, `redact_peer_address`
+to remove peer IP addresses) control SDK-level redaction before export.
+
+> **Note**: The `redact_account` configuration in `xrpld.cfg` controls SDK-level redaction before export, while collector-level filtering (see [Collector-Level Data Protection](#collector-level-data-protection) above) provides an additional defense-in-depth layer. Both can operate independently.
+
+> **Key Principle**: Telemetry collects **operational metadata** (timing, counts, hashes) — never **sensitive content** (keys, balances, amounts, raw payloads).
+
+> **See also**: [Securing the OTel Pipeline](./secure-OTel.md) covers transport-level protection for telemetry leaving the node — mTLS to the collector and validation of incoming peer trace context. Privacy controls in this section keep sensitive data out of spans; the security doc keeps the spans themselves out of untrusted hands.
+
+---
+
+## 2.5 Context Propagation Design
+
+> **WS** = WebSocket
+
+### 2.5.0 Deterministic Trace ID Strategy
+
+Both transaction and consensus tracing use **deterministic trace IDs** derived from
+a globally known hash, so all nodes handling the same workflow independently produce
+spans under the same `trace_id`. This is combined with protobuf `span_id` propagation
+for parent-child relay ordering when available.
+
+#### Transactions — `trace_id = txHash[0:16]`
+
+Every node that handles a transaction knows its `txID` (the `uint256` transaction
+hash). The first 16 bytes of this hash are used as the OTel `trace_id`:
+
+```
+uint256 txHash:  A1B2C3D4 E5F6A7B8 C9D0E1F2 A3B4C5D6  E7F8A9B0 C1D2E3F4 A5B6C7D8 E9F0A1B2
+                 |---------- trace_id (16 bytes) ---------|  (remaining 16 bytes unused)
+```
+
+Each node generates a **random 8-byte `span_id`** so its span is unique within the
+shared trace. When protobuf `TraceContext` is present in the incoming `TMTransaction`,
+the sender's `span_id` is extracted and used as the parent — preserving the relay
+chain as a parent-child tree. When absent (older peers, first hop from client), the
+span appears as a root in the same trace — correlation is preserved, only the tree
+structure degrades.
+
+```
+Node A (submitter)        Node B (relay)          Node C (relay)
+trace_id: A1B2...         trace_id: A1B2...       trace_id: A1B2...
+span_id:  1234 (random)   span_id:  5678 (random) span_id:  9ABC (random)
+parent:   (none)          parent:   1234 (proto)   parent:   5678 (proto)
+                               ↑                        ↑
+                       protobuf propagation      protobuf propagation
+```
+
+If protobuf propagation fails at Node B (old peer):
+
+```
+Node A                    Node B (old peer)       Node C
+trace_id: A1B2...         trace_id: A1B2...       trace_id: A1B2...
+span_id:  1234            span_id:  5678          span_id:  9ABC
+parent:   (none)          parent:   (none)        parent:   5678 (proto)
+                          ↑ no parent, but same trace_id — still grouped
+```
+
+#### Consensus — `trace_id = prevLedgerHash[0:16]`
+
+All validators in the same consensus round share the same `previousLedger.id()`.
+The first 16 bytes are used as trace_id. See [Phase 4a implementation status](./06-implementation-phases.md)
+and `createDeterministicContext()` in `RCLConsensus.cpp` for the implementation.
+
+Switchable via `consensus_trace_strategy` config:
+`"deterministic"` (default) or `"attribute"` (random trace_id, correlation via attribute queries).
+
+#### Why Not Random IDs with Propagation Only?
+
+Random trace IDs require **unbroken context propagation** across every hop. In a
+mixed-version network (common during upgrades), older peers silently drop the
+`trace_context` protobuf field. The trace splits and downstream spans become
+impossible to find. Deterministic IDs make correlation **propagation-resilient** — the trace
+backend groups all spans for the same transaction/round regardless of whether
+propagation succeeded.
+
+#### Why Keep Protobuf Propagation?
+
+Deterministic trace IDs alone provide correlation (all spans grouped) but not
+**causality** (which node relayed to which). Protobuf `span_id` propagation adds
+parent-child ordering that shows the exact relay path. The two mechanisms complement
+each other:
+
+| Mechanism                    | Provides                    | Fails when                             |
+| ---------------------------- | --------------------------- | -------------------------------------- |
+| Deterministic trace_id       | Cross-node correlation      | Never (hash is always known)           |
+| Protobuf span_id propagation | Parent-child relay ordering | Older peer drops `trace_context` field |
+
+#### Implementation Reference
+
+The utility function `createDeterministicTxContext(uint256 const& txHash)` follows
+the same pattern as `createDeterministicContext(uint256 const& ledgerId)` in
+`RCLConsensus.cpp`. See [Phase 3 Task 3.9](./Phase3_taskList.md) for the full spec.
+
+### 2.5.1 Propagation Boundaries
+
+```mermaid
+flowchart TB
+    subgraph http["HTTP/WebSocket (RPC)"]
+        w3c["W3C Trace Context Headers:<br/>traceparent:<br/>00-trace_id-span_id-flags<br/>tracestate: xrpld=..."]
+    end
+
+    subgraph protobuf["Protocol Buffers (P2P)"]
+        proto["message TraceContext {<br/>  bytes trace_id = 1;  // 16 bytes<br/>  bytes span_id = 2;   // 8 bytes<br/>  uint32 trace_flags = 3;<br/>  string trace_state = 4;<br/>}"]
+    end
+
+    subgraph jobqueue["JobQueue (Internal Async)"]
+        job["Context captured at job creation,<br/>restored at execution<br/><br/>class Job {<br/>  otel::context::Context<br/>    traceContext_;<br/>};"]
+    end
+
+    style http fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style protobuf fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style jobqueue fill:#bf360c,stroke:#8c2809,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **HTTP/WebSocket - RPC (blue)**: For client-facing RPC requests, trace context is propagated using the W3C `traceparent` header. This is the standard approach and works with any OTel-compatible client.
+- **Protocol Buffers - P2P (green)**: For peer-to-peer messages between xrpld nodes, trace context is embedded as a protobuf `TraceContext` message carrying trace_id, span_id, flags, and optional trace_state.
+- **JobQueue - Internal Async (red)**: For asynchronous work within a single node, the OTel context is captured when a job is created and restored when the job executes on a worker thread. This bridges the async gap so spans remain linked.
+
+---
+
+## 2.6 Integration with Existing Observability
+
+> **OTLP** = OpenTelemetry Protocol | **WS** = WebSocket
+
+### 2.6.1 Existing Frameworks Comparison
+
+xrpld already has two observability mechanisms. OpenTelemetry complements (not replaces) them:
+
+| Aspect                | PerfLog                       | Beast Insight (StatsD)       | OpenTelemetry             |
+| --------------------- | ----------------------------- | ---------------------------- | ------------------------- |
+| **Type**              | Logging                       | Metrics                      | Distributed Tracing       |
+| **Data**              | JSON log entries              | Counters, gauges, histograms | Spans with context        |
+| **Scope**             | Single node                   | Single node                  | **Cross-node**            |
+| **Output**            | `perf.log` file               | StatsD server                | OTLP Collector            |
+| **Question answered** | "What happened on this node?" | "How many? How fast?"        | "What was the journey?"   |
+| **Correlation**       | By timestamp                  | By metric name               | By `trace_id`             |
+| **Overhead**          | Low (file I/O)                | Low (UDP packets)            | Low-Medium (configurable) |
+
+### 2.6.2 What Each Framework Does Best
+
+#### PerfLog
+
+- **Purpose**: Detailed local event logging for RPC and job execution
+- **Strengths**:
+  - Rich JSON output with timing data
+  - Already integrated in RPC handlers
+  - File-based, no external dependencies
+- **Limitations**:
+  - Single-node only (no cross-node correlation)
+  - No parent-child relationships between events
+  - Manual log parsing required
+
+A PerfLog entry is a JSON object with fields such as `time`, `method`,
+`duration_us`, and `result`.
+
+#### Beast Insight (StatsD)
+
+- **Purpose**: Real-time metrics for monitoring dashboards
+- **Strengths**:
+  - Aggregated metrics (counters, gauges, histograms)
+  - Low overhead (UDP, fire-and-forget)
+  - Good for alerting thresholds
+- **Limitations**:
+  - No request-level detail
+  - No causal relationships
+  - Single-node perspective
+
+In xrpld, Beast Insight is used through `increment` (counters), `gauge`
+(point-in-time values), and `timing` (durations) calls.
+
+#### OpenTelemetry (NEW)
+
+- **Purpose**: Distributed request tracing across nodes
+- **Strengths**:
+  - **Cross-node correlation** via `trace_id`
+  - Parent-child span relationships
+  - Rich attributes per span
+  - Industry standard (CNCF)
+- **Limitations**:
+  - Requires collector infrastructure
+  - Higher complexity than logging
+
+A span is created via `startSpan` (e.g. `"tx.relay"`), annotated with
+attributes such as `tx_hash` and `peer_id`, and is automatically linked to its
+parent through the active context.
+
+### 2.6.3 When to Use Each
+
+| Scenario                                | PerfLog    | StatsD | OpenTelemetry |
+| --------------------------------------- | ---------- | ------ | ------------- |
+| "How many TXs per second?"              | ❌         | ✅     | ✅            |
+| "What's the p99 RPC latency?"           | ❌         | ✅     | ✅            |
+| "Why was this specific TX slow?"        | ⚠️ partial | ❌     | ✅            |
+| "Which node delayed consensus?"         | ❌         | ❌     | ✅            |
+| "What happened on node X at time T?"    | ✅         | ❌     | ✅            |
+| "Show me the TX journey across 5 nodes" | ❌         | ❌     | ✅            |
+
+### 2.6.4 Coexistence Strategy
+
+```mermaid
+flowchart TB
+    subgraph xrpld["xrpld Process"]
+        perflog["PerfLog<br/>(JSON to file)"]
+        insight["Beast Insight<br/>(StatsD)"]
+        otel["OpenTelemetry<br/>(Tracing)"]
+    end
+
+    perflog --> perffile["perf.log"]
+    insight --> statsd["StatsD Server"]
+    otel --> collector["OTLP Collector"]
+
+    perffile --> grafana["Grafana<br/>(Unified UI)"]
+    statsd --> grafana
+    collector --> grafana
+
+    style xrpld fill:#212121,stroke:#0a0a0a,color:#ffffff
+    style grafana fill:#bf360c,stroke:#8c2809,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **xrpld Process (dark gray)**: The single xrpld node running all three observability frameworks side by side. Each framework operates independently with no interference.
+- **PerfLog to perf.log**: PerfLog writes JSON-formatted event logs to a local file. Grafana can ingest these via Loki or a file-based datasource.
+- **Beast Insight to StatsD Server**: Insight sends aggregated metrics (counters, gauges) over UDP to a StatsD server. Grafana reads from StatsD-compatible backends like Graphite or Prometheus (via StatsD exporter).
+- **OpenTelemetry to OTLP Collector**: OTel exports spans over OTLP/gRPC to a Collector, which then forwards to a trace backend (Tempo).
+- **Grafana (red, unified UI)**: All three data streams converge in Grafana, enabling operators to correlate logs, metrics, and traces in a single dashboard.
+
+### 2.6.5 Correlation with PerfLog
+
+Trace IDs can be correlated with existing PerfLog entries for comprehensive
+debugging. The design is for `RPCHandler.cpp` to start an `rpc.command.<method>`
+span alongside the existing PerfLog `rpcStart`/`rpcFinish`/`rpcError` calls,
+extract the span's `trace_id` (when valid), and eventually stamp it onto the
+PerfLog entry (a planned `setTraceId` hook) so logs and traces share a key. The
+span status is set to OK on success or to error (recording the exception) on
+failure.
+
+---
+
+_Previous: [Architecture Analysis](./01-architecture-analysis.md)_ | _Next: [Implementation Strategy](./03-implementation-strategy.md)_ | _Back to: [Overview](./OpenTelemetryPlan.md)_

OpenTelemetryPlan/03-implementation-strategy.md

@@ -0,0 +1,472 @@
+# Implementation Strategy
+
+> **Parent Document**: [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)
+> **Related**: [Configuration Reference](./05-configuration-reference.md)
+
+---
+
+## 3.1 Directory Structure
+
+The telemetry implementation follows xrpld's existing code organization pattern:
+
+```
+include/xrpl/
+├── telemetry/
+│   ├── Telemetry.h              # Main telemetry interface (global singleton)
+│   ├── TelemetryConfig.h        # Configuration structures
+│   ├── TraceContext.h           # Context propagation utilities
+│   ├── SpanGuard.h              # RAII span management with factory methods + discard()
+│   ├── DiscardFlag.h            # Thread-local discard flag
+│   └── SpanAttributes.h         # Attribute helper functions
+
+src/libxrpl/
+├── telemetry/
+│   ├── Telemetry.cpp            # Implementation + FilteringSpanProcessor
+│   ├── TelemetryConfig.cpp      # Config parsing
+│   ├── TraceContext.cpp         # Context serialization
+│   └── NullTelemetry.cpp        # No-op implementation
+```
+
+---
+
+## 3.2 Implementation Approach
+
+<div align="center">
+
+```mermaid
+%%{init: {'flowchart': {'nodeSpacing': 20, 'rankSpacing': 30}}}%%
+flowchart TB
+    subgraph phase1["Phase 1: Core"]
+        direction LR
+        sdk["SDK Integration"] ~~~ interface["Telemetry Interface"] ~~~ config["Configuration"]
+    end
+
+    subgraph phase2["Phase 2: RPC"]
+        direction LR
+        http["HTTP Context"] ~~~ rpc["RPC Handlers"]
+    end
+
+    subgraph phase3["Phase 3: P2P"]
+        direction LR
+        proto["Protobuf Context"] ~~~ tx["Transaction Relay"]
+    end
+
+    subgraph phase4["Phase 4: Consensus"]
+        direction LR
+        consensus["Consensus Rounds"] ~~~ proposals["Proposals"]
+    end
+
+    phase1 --> phase2 --> phase3 --> phase4
+
+    style phase1 fill:#1565c0,stroke:#0d47a1,color:#ffffff
+    style phase2 fill:#2e7d32,stroke:#1b5e20,color:#ffffff
+    style phase3 fill:#e65100,stroke:#bf360c,color:#ffffff
+    style phase4 fill:#c2185b,stroke:#880e4f,color:#ffffff
+```
+
+</div>
+
+### Key Principles
+
+1. **Minimal Intrusion**: Instrumentation should not alter existing control flow
+2. **Zero-Cost When Disabled**: Use compile-time flags and no-op implementations
+3. **Backward Compatibility**: Protocol Buffer extensions use high field numbers
+4. **Graceful Degradation**: Tracing failures must not affect node operation
+
+---
+
+## 3.3 Performance Overhead Summary
+
+> **OTLP** = OpenTelemetry Protocol
+
+| Metric        | Overhead   | Notes                                            |
+| ------------- | ---------- | ------------------------------------------------ |
+| CPU           | 1-3%       | Of per-transaction CPU cost (~200μs baseline)    |
+| Memory        | ~10 MB     | SDK statics + batch buffer + worker thread stack |
+| Network       | 10-50 KB/s | Compressed OTLP export to collector              |
+| Latency (p99) | <2%        | With proper sampling configuration               |
+
+---
+
+## 3.4 Detailed CPU Overhead Analysis
+
+### 3.4.1 Per-Operation Costs
+
+> **Note on hardware assumptions**: The costs below are based on the official OTel C++ SDK CI benchmarks
+> (969 runs on GitHub Actions 2-core shared runners). On production server hardware (3+ GHz Xeon),
+> expect costs at the **lower end** of each range (~30-50% improvement over CI hardware).
+
+| Operation             | Time (ns) | Frequency              | Impact     |
+| --------------------- | --------- | ---------------------- | ---------- |
+| Span creation         | 500-1000  | Every traced operation | Low        |
+| Span end              | 100-200   | Every traced operation | Low        |
+| SetAttribute (string) | 80-120    | 3-5 per span           | Low        |
+| SetAttribute (int)    | 40-60     | 2-3 per span           | Negligible |
+| AddEvent              | 100-200   | 0-2 per span           | Low        |
+| Context injection     | 150-250   | Per outgoing message   | Low        |
+| Context extraction    | 100-180   | Per incoming message   | Low        |
+| GetCurrent context    | 10-20     | Thread-local access    | Negligible |
+
+**Source**: Span creation based on OTel C++ SDK `BM_SpanCreation` benchmark (AlwaysOnSampler +
+SimpleSpanProcessor + InMemoryExporter), median ~1,000 ns on CI hardware. AddEvent includes
+timestamp read + string copy + vector push + mutex acquisition. Context injection/extraction
+confirmed by `BM_SpanCreationWithScope` benchmark delta (~160 ns).
+
+### 3.4.2 Transaction Processing Overhead
+
+<div align="center">
+
+```mermaid
+%%{init: {'pie': {'textPosition': 0.75}}}%%
+pie showData
+    "tx.receive (1400ns)" : 1400
+    "tx.validate (1200ns)" : 1200
+    "tx.relay (1200ns)" : 1200
+    "Context inject (200ns)" : 200
+```
+
+**Transaction Tracing Overhead (~4.0μs total)**
+
+</div>
+
+**Overhead percentage**: 4.0 μs / 200 μs (avg tx processing) = **~2.0%**
+
+> **Breakdown**: Each span (tx.receive, tx.validate, tx.relay) costs ~1,000 ns for creation plus
+> ~200-400 ns for 3-5 attribute sets. Context injection is ~200 ns (confirmed by benchmarks).
+> On production hardware, expect ~2.6 μs total (~1.3% overhead) due to faster span creation (~500-600 ns).
+
+### 3.4.3 Consensus Round Overhead
+
+| Operation              | Count | Cost (ns) | Total      |
+| ---------------------- | ----- | --------- | ---------- |
+| consensus.round span   | 1     | ~1200     | ~1.2 μs    |
+| consensus.phase spans  | 3     | ~1100     | ~3.3 μs    |
+| proposal.receive spans | ~20   | ~1100     | ~22 μs     |
+| proposal.send spans    | ~3    | ~1100     | ~3.3 μs    |
+| Context operations     | ~30   | ~200      | ~6 μs      |
+| **TOTAL**              |       |           | **~36 μs** |
+
+> **Why higher**: Each span costs ~1,000 ns creation + ~100-200 ns for 1-2 attributes, totaling ~1,100-1,200 ns.
+> Context operations remain ~200 ns (confirmed by benchmarks). On production hardware, expect ~24 μs total.
+
+**Overhead percentage**: 36 μs / 3s (typical round) = **~0.001%** (negligible)
+
+### 3.4.4 RPC Request Overhead
+
+| Operation        | Cost (ns)    |
+| ---------------- | ------------ |
+| rpc.request span | ~1200        |
+| rpc.command span | ~1100        |
+| Context extract  | ~250         |
+| Context inject   | ~200         |
+| **TOTAL**        | **~2.75 μs** |
+
+> **Why higher**: Each span costs ~1,000 ns creation + ~100-200 ns for attributes (command name,
+> version, role). Context extract/inject costs are confirmed by OTel C++ benchmarks.
+
+- Fast RPC (1ms): 2.75 μs / 1ms = **~0.275%**
+- Slow RPC (100ms): 2.75 μs / 100ms = **~0.003%**
+
+---
+
+## 3.5 Memory Overhead Analysis
+
+> **OTLP** = OpenTelemetry Protocol
+
+### 3.5.1 Static Memory
+
+| Component                            | Size        | Allocated  |
+| ------------------------------------ | ----------- | ---------- |
+| TracerProvider singleton             | ~64 KB      | At startup |
+| BatchSpanProcessor (circular buffer) | ~16 KB      | At startup |
+| BatchSpanProcessor (worker thread)   | ~8 MB       | At startup |
+| OTLP exporter (gRPC channel init)    | ~256 KB     | At startup |
+| Propagator registry                  | ~8 KB       | At startup |
+| **Total static**                     | **~8.3 MB** |            |
+
+> **Why higher than earlier estimate**: The BatchSpanProcessor's circular buffer itself is only ~16 KB
+> (2049 x 8-byte `AtomicUniquePtr` entries), but it spawns a dedicated worker thread whose default
+> stack size on Linux is ~8 MB. The OTLP gRPC exporter allocates memory for channel stubs and TLS
+> initialization. The worker thread stack dominates the static footprint.
+
+### 3.5.2 Dynamic Memory
+
+| Component            | Size per unit  | Max units  | Peak            |
+| -------------------- | -------------- | ---------- | --------------- |
+| Active span          | ~500-800 bytes | 1000       | ~500-800 KB     |
+| Queued span (export) | ~500 bytes     | 2048       | ~1 MB           |
+| Attribute storage    | ~80 bytes      | 5 per span | Included        |
+| Context storage      | ~64 bytes      | Per thread | ~6.4 KB         |
+| **Total dynamic**    |                |            | **~1.5-1.8 MB** |
+
+> **Why active spans are larger**: An active `Span` object includes the wrapper (~88 bytes: shared_ptr,
+> mutex, unique_ptr to Recordable) plus `SpanData` (~250 bytes: SpanContext, timestamps, name, status,
+> empty containers) plus attribute storage (~200-500 bytes for 3-5 string attributes in a `std::map`).
+> Source: `sdk/src/trace/span.h` and `sdk/include/opentelemetry/sdk/trace/span_data.h`.
+> Queued spans release the wrapper, keeping only `SpanData` + attributes (~500 bytes).
+
+### 3.5.3 Memory Growth Characteristics
+
+```mermaid
+---
+config:
+    xyChart:
+        width: 700
+        height: 400
+---
+xychart-beta
+    title "Memory Usage vs Span Rate (bounded by queue limit)"
+    x-axis "Spans/second" [0, 200, 400, 600, 800, 1000]
+    y-axis "Memory (MB)" 0 --> 12
+    line [8.5, 9.2, 9.6, 9.9, 10.0, 10.0]
+```
+
+**Notes**:
+
+- Memory increases with span rate but **plateaus at queue capacity** (default 2048 spans)
+- Batch export prevents unbounded growth
+- At queue limit, oldest spans are dropped (not blocked)
+- Maximum memory is bounded: ~8.3 MB static (dominated by worker thread stack) + 2048 queued spans x ~500 bytes (~1 MB) + active spans (~0.8 MB) ≈ **~10 MB ceiling**
+- The worker thread stack (~8 MB) is virtual memory; actual RSS depends on stack usage (typically much less)
+
+### 3.5.4 Performance Data Sources
+
+The overhead estimates in Sections 3.3-3.5 are derived from the following sources:
+
+| Source                                           | What it covers                                        | URL                                                                                                                                        |
+| ------------------------------------------------ | ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
+| OTel C++ SDK CI benchmarks (969 runs)            | Span creation, context activation, sampler overhead   | [Benchmark Dashboard](https://open-telemetry.github.io/opentelemetry-cpp/benchmarks/)                                                      |
+| `api/test/trace/span_benchmark.cc`               | API-level span creation (~22 ns no-op)                | [Source](https://github.com/open-telemetry/opentelemetry-cpp/blob/main/api/test/trace/span_benchmark.cc)                                   |
+| `sdk/test/trace/sampler_benchmark.cc`            | SDK span creation with samplers (~1,000 ns AlwaysOn)  | [Source](https://github.com/open-telemetry/opentelemetry-cpp/blob/main/sdk/test/trace/sampler_benchmark.cc)                                |
+| `sdk/include/.../span_data.h`                    | SpanData memory layout (~250 bytes base)              | [Source](https://github.com/open-telemetry/opentelemetry-cpp/blob/main/sdk/include/opentelemetry/sdk/trace/span_data.h)                    |
+| `sdk/src/trace/span.h`                           | Span wrapper memory layout (~88 bytes)                | [Source](https://github.com/open-telemetry/opentelemetry-cpp/blob/main/sdk/src/trace/span.h)                                               |
+| `sdk/include/.../batch_span_processor_options.h` | Default queue size (2048), batch size (512)           | [Source](https://github.com/open-telemetry/opentelemetry-cpp/blob/main/sdk/include/opentelemetry/sdk/trace/batch_span_processor_options.h) |
+| `sdk/include/.../circular_buffer.h`              | CircularBuffer implementation (AtomicUniquePtr array) | [Source](https://github.com/open-telemetry/opentelemetry-cpp/blob/main/sdk/include/opentelemetry/sdk/common/circular_buffer.h)             |
+| OTLP proto definition                            | Serialized span size estimation                       | [Proto](https://github.com/open-telemetry/opentelemetry-proto/blob/main/opentelemetry/proto/trace/v1/trace.proto)                          |
+
+---
+
+## 3.6 Network Overhead Analysis
+
+### 3.6.1 Export Bandwidth
+
+> **Bytes per span**: Estimates use ~500 bytes/span (conservative upper bound). OTLP protobuf analysis
+> shows a typical span with 3-5 string attributes serializes to ~200-300 bytes raw; with gzip
+> compression (~60-70% of raw) and batching (amortized headers), ~350 bytes/span is more realistic.
+> The table uses the conservative estimate for capacity planning.
+
+| Sampling Rate | Spans/sec | Bandwidth | Notes            |
+| ------------- | --------- | --------- | ---------------- |
+| 100%          | ~500      | ~250 KB/s | Development only |
+| 10%           | ~50       | ~25 KB/s  | Staging          |
+| 1%            | ~5        | ~2.5 KB/s | Production       |
+| Error-only    | ~1        | ~0.5 KB/s | Minimal overhead |
+
+### 3.6.2 Trace Context Propagation
+
+| Message Type           | Context Size | Messages/sec | Overhead    |
+| ---------------------- | ------------ | ------------ | ----------- |
+| TMTransaction          | 25 bytes     | ~100         | ~2.5 KB/s   |
+| TMProposeSet           | 25 bytes     | ~10          | ~250 B/s    |
+| TMValidation           | 25 bytes     | ~50          | ~1.25 KB/s  |
+| **Total P2P overhead** |              |              | **~4 KB/s** |
+
+---
+
+## 3.7 Optimization Strategies
+
+### 3.7.1 Sampling Strategies
+
+#### Tail Sampling
+
+```mermaid
+flowchart TD
+    trace["New Trace"]
+
+    trace --> errors{"Is Error?"}
+    errors -->|Yes| sample["SAMPLE"]
+    errors -->|No| consensus{"Is Consensus?"}
+
+    consensus -->|Yes| sample
+    consensus -->|No| slow{"Is Slow?"}
+
+    slow -->|Yes| sample
+    slow -->|No| prob{"Random < 10%?"}
+
+    prob -->|Yes| sample
+    prob -->|No| drop["DROP"]
+
+    style sample fill:#4caf50,stroke:#388e3c,color:#fff
+    style drop fill:#f44336,stroke:#c62828,color:#fff
+```
+
+### 3.7.2 Batch Tuning Recommendations
+
+| Environment        | Batch Size | Batch Delay | Max Queue |
+| ------------------ | ---------- | ----------- | --------- |
+| Low-latency        | 128        | 1000ms      | 512       |
+| High-throughput    | 1024       | 10000ms     | 8192      |
+| Memory-constrained | 256        | 2000ms      | 512       |
+
+### 3.7.3 Conditional Instrumentation
+
+Instrumentation is gated on two levels. A compile-time feature flag (`XRPL_ENABLE_TELEMETRY`) reduces the trace macros to no-ops when telemetry is built out, so disabled builds carry zero cost. At runtime, per-component guards (e.g. `shouldTracePeer()`) skip span creation for components whose tracing is turned off, incurring no overhead beyond a single boolean check.
+
+---
+
+## 3.8 Links to Detailed Documentation
+
+- **[Configuration Reference](./05-configuration-reference.md)**: Configuration options and collector setup
+- **[Implementation Phases](./06-implementation-phases.md)**: Detailed timeline and milestones
+
+---
+
+## 3.9 Code Intrusiveness Assessment
+
+> **TxQ** = Transaction Queue
+
+This section provides a detailed assessment of how intrusive the OpenTelemetry integration is to the existing xrpld codebase.
+
+### 3.9.1 Files Modified Summary
+
+| Component             | Files Modified | Lines Added | Lines Changed | Architectural Impact |
+| --------------------- | -------------- | ----------- | ------------- | -------------------- |
+| **Core Telemetry**    | 7 new files    | ~800        | 0             | None (new module)    |
+| **Application Init**  | 2 files        | ~30         | ~5            | Minimal              |
+| **RPC Layer**         | 3 files        | ~80         | ~20           | Minimal              |
+| **Transaction Relay** | 4 files        | ~120        | ~40           | Low                  |
+| **Consensus**         | 3 files        | ~100        | ~30           | Low-Medium           |
+| **Protocol Buffers**  | 1 file         | ~25         | 0             | Low                  |
+| **CMake/Build**       | 3 files        | ~50         | ~10           | Minimal              |
+| **PathFinding**       | 2              | ~80         | ~5            | Minimal              |
+| **TxQ/Fee**           | 2              | ~60         | ~5            | Minimal              |
+| **Validator/Amend**   | 3              | ~40         | ~5            | Minimal              |
+| **Total**             | **~27 files**  | **~1,490**  | **~120**      | **Low**              |
+
+### 3.9.2 Detailed File Impact
+
+```mermaid
+pie title Code Changes by Component
+    "New Telemetry Module" : 800
+    "Transaction Relay" : 160
+    "Consensus" : 130
+    "RPC Layer" : 100
+    "PathFinding" : 80
+    "TxQ/Fee" : 60
+    "Validator/Amendment" : 40
+    "Application Init" : 35
+    "Protocol Buffers" : 25
+    "Build System" : 60
+```
+
+#### New Files (No Impact on Existing Code)
+
+| File                                        | Lines | Purpose                                               |
+| ------------------------------------------- | ----- | ----------------------------------------------------- |
+| `include/xrpl/telemetry/Telemetry.h`        | ~160  | Main interface (global singleton)                     |
+| `include/xrpl/telemetry/SpanGuard.h`        | ~250  | RAII wrapper + factory methods + discard + no-op stub |
+| `include/xrpl/telemetry/DiscardFlag.h`      | ~28   | Thread-local discard flag                             |
+| `include/xrpl/telemetry/TraceContext.h`     | ~80   | Context propagation                                   |
+| `src/libxrpl/telemetry/Telemetry.cpp`       | ~400  | Implementation + FilteringSpanProcessor               |
+| `src/libxrpl/telemetry/TelemetryConfig.cpp` | ~60   | Config parsing                                        |
+| `src/libxrpl/telemetry/NullTelemetry.cpp`   | ~40   | No-op implementation                                  |
+
+#### Modified Files (Existing Xrpld Code)
+
+| File                                              | Lines Added | Lines Changed | Risk Level |
+| ------------------------------------------------- | ----------- | ------------- | ---------- |
+| `src/xrpld/app/main/Application.cpp`              | ~15         | ~3            | Low        |
+| `include/xrpl/core/ServiceRegistry.h`             | ~5          | ~2            | Low        |
+| `src/xrpld/rpc/detail/ServerHandler.cpp`          | ~40         | ~10           | Low        |
+| `src/xrpld/rpc/handlers/*.cpp`                    | ~30         | ~8            | Low        |
+| `src/xrpld/overlay/detail/PeerImp.cpp`            | ~60         | ~15           | Medium     |
+| `src/xrpld/overlay/detail/OverlayImpl.cpp`        | ~30         | ~10           | Medium     |
+| `src/xrpld/app/consensus/RCLConsensus.cpp`        | ~50         | ~15           | Medium     |
+| `src/xrpld/app/consensus/RCLConsensusAdaptor.cpp` | ~40         | ~12           | Medium     |
+| `src/xrpld/core/JobQueue.cpp`                     | ~20         | ~5            | Low        |
+| `src/xrpld/app/paths/PathRequest.cpp`             | ~40         | ~3            | Low        |
+| `src/xrpld/app/paths/Pathfinder.cpp`              | ~40         | ~2            | Low        |
+| `src/xrpld/app/misc/TxQ.cpp`                      | ~40         | ~3            | Low        |
+| `src/xrpld/app/main/LoadManager.cpp`              | ~20         | ~2            | Low        |
+| `src/xrpld/app/misc/ValidatorList.cpp`            | ~20         | ~2            | Low        |
+| `src/xrpld/app/misc/AmendmentTable.cpp`           | ~10         | ~2            | Low        |
+| `src/xrpld/app/misc/Manifest.cpp`                 | ~10         | ~1            | Low        |
+| `src/xrpld/shamap/SHAMap.cpp`                     | ~20         | ~3            | Low        |
+| `src/xrpld/overlay/detail/ripple.proto`           | ~25         | 0             | Low        |
+| `CMakeLists.txt`                                  | ~40         | ~8            | Low        |
+| `cmake/FindOpenTelemetry.cmake`                   | ~50         | 0             | None (new) |
+
+### 3.9.3 Risk Assessment by Component
+
+<div align="center">
+
+**Do First** ↖ ↗ **Plan Carefully**
+
+```mermaid
+quadrantChart
+    title Code Intrusiveness Risk Matrix
+    x-axis Low Risk --> High Risk
+    y-axis Low Value --> High Value
+
+    RPC Tracing: [0.2, 0.55]
+    Transaction Relay: [0.55, 0.85]
+    Consensus Tracing: [0.75, 0.92]
+    Peer Message Tracing: [0.85, 0.35]
+    JobQueue Context: [0.3, 0.42]
+    Ledger Acquisition: [0.48, 0.65]
+    PathFinding: [0.38, 0.72]
+    TxQ and Fees: [0.25, 0.62]
+    Validator Mgmt: [0.15, 0.35]
+```
+
+**Optional** ↙ ↘ **Avoid**
+
+</div>
+
+#### Risk Level Definitions
+
+| Risk Level | Definition                                                       | Mitigation                         |
+| ---------- | ---------------------------------------------------------------- | ---------------------------------- |
+| **Low**    | Additive changes only; no modification to existing logic         | Standard code review               |
+| **Medium** | Minor modifications to existing functions; clear boundaries      | Comprehensive unit tests           |
+| **High**   | Changes to core logic or data structures; potential side effects | Integration tests + staged rollout |
+
+### 3.9.4 Architectural Impact Assessment
+
+| Aspect               | Impact  | Justification                                                                    |
+| -------------------- | ------- | -------------------------------------------------------------------------------- |
+| **Data Flow**        | Minimal | Read-only instrumentation; no modification to consensus or transaction data flow |
+| **Threading Model**  | Minimal | Context propagation uses thread-local storage (standard OTel pattern)            |
+| **Memory Model**     | Low     | Bounded queues prevent unbounded growth; RAII ensures cleanup                    |
+| **Network Protocol** | Low     | Optional fields in protobuf (high field numbers); backward compatible            |
+| **Configuration**    | None    | New config section; existing configs unaffected                                  |
+| **Build System**     | Low     | Optional CMake flag; builds work without OpenTelemetry                           |
+| **Dependencies**     | Low     | OpenTelemetry SDK is optional; null implementation when disabled                 |
+
+### 3.9.5 Backward Compatibility
+
+| Compatibility   | Status  | Notes                                                 |
+| --------------- | ------- | ----------------------------------------------------- |
+| **Config File** | ✅ Full | New `[telemetry]` section is optional                 |
+| **Protocol**    | ✅ Full | Optional protobuf fields with high field numbers      |
+| **Build**       | ✅ Full | `XRPL_ENABLE_TELEMETRY=OFF` produces identical binary |
+| **Runtime**     | ✅ Full | `enabled=0` produces zero overhead                    |
+| **API**         | ✅ Full | No changes to public RPC or P2P APIs                  |
+
+### 3.9.6 Rollback Strategy
+
+If issues are discovered after deployment:
+
+1. **Immediate**: Set `enabled=0` in config and restart (zero code change)
+2. **Quick**: Rebuild with `XRPL_ENABLE_TELEMETRY=OFF`
+3. **Complete**: Revert telemetry commits (clean separation makes this easy)
+
+### 3.9.7 Code Change Examples
+
+**Minimal RPC Instrumentation (Low Intrusiveness):** Instrumenting an RPC handler adds roughly 3-4 lines: one macro to start the span and one or two `setAttribute` calls (command name, status). The span ends automatically via RAII, so the existing control flow — process the request, send the result — is untouched.
+
+**Consensus Instrumentation (Medium Intrusiveness):** Consensus is slightly more intrusive because child spans in later phase transitions need the round's context. Beyond the span-start and attribute macros, this requires storing the active context in a new member variable (`currentRoundContext_`) at round start. The existing round logic itself remains unchanged.
+
+---
+
+_Previous: [Design Decisions](./02-design-decisions.md)_ | _Next: [Configuration Reference](./05-configuration-reference.md)_ | _Back to: [Overview](./OpenTelemetryPlan.md)_

OpenTelemetryPlan/05-configuration-reference.md

@@ -0,0 +1,270 @@
+# Configuration Reference
+
+> **Parent Document**: [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)
+> **Related**: [Implementation Phases](./06-implementation-phases.md)
+
+---
+
+## 5.1 xrpld Configuration
+
+> **OTLP** = OpenTelemetry Protocol | **TxQ** = Transaction Queue
+
+### 5.1.1 Configuration File Section
+
+The authoritative `[telemetry]` example lives in `cfg/xrpld-example.cfg`. Telemetry is disabled by default (`enabled=0`); enabling it turns on distributed tracing for transaction flow, consensus, and RPC calls, with traces exported to an OpenTelemetry Collector over OTLP. Head sampling is intentionally fixed at 1.0 (sample everything) and is not configurable — per-node head-sampling would produce broken/partial distributed traces, so volume reduction is delegated to the collector's tail sampling (see Section 7.4.2). The full option reference follows.
+
+### 5.1.2 Configuration Options Summary
+
+| Option                     | Type   | Default                           | Description                                                                                                |
+| -------------------------- | ------ | --------------------------------- | ---------------------------------------------------------------------------------------------------------- |
+| `enabled`                  | bool   | `false`                           | Enable/disable telemetry                                                                                   |
+| `endpoint`                 | string | `http://localhost:4318/v1/traces` | OTLP/HTTP collector endpoint                                                                               |
+| `use_tls`                  | bool   | `false`                           | Enable TLS for exporter connection                                                                         |
+| `tls_ca_cert`              | string | `""`                              | Path to CA certificate file                                                                                |
+| `tls_client_cert`          | string | `""`                              | Path to node's client certificate (PEM) for mutual TLS; empty = one-way TLS                                |
+| `tls_client_key`           | string | `""`                              | Path to private key (PEM) for `tls_client_cert`; required when it is set                                   |
+| `batch_size`               | uint   | `512`                             | Spans per export batch                                                                                     |
+| `batch_delay_ms`           | uint   | `5000`                            | Max delay before sending batch (ms)                                                                        |
+| `max_queue_size`           | uint   | `2048`                            | Maximum queued spans                                                                                       |
+| `trace_transactions`       | bool   | `true`                            | Enable transaction tracing                                                                                 |
+| `trace_consensus`          | bool   | `true`                            | Enable consensus tracing                                                                                   |
+| `trace_rpc`                | bool   | `true`                            | Enable RPC tracing                                                                                         |
+| `trace_peer`               | bool   | `true`                            | Enable peer message tracing (high volume)                                                                  |
+| `trace_ledger`             | bool   | `true`                            | Enable ledger tracing                                                                                      |
+| `tx_trace_strategy`        | string | `"deterministic"`                 | TX trace ID strategy: `"deterministic"` (trace_id = txHash[0:16]) or `"attribute"` (random)                |
+| `consensus_trace_strategy` | string | `"deterministic"`                 | Consensus trace ID strategy: `"deterministic"` (trace_id = prevLedgerHash[0:16]) or `"attribute"` (random) |
+| `service_name`             | string | `"xrpld"`                         | Service name for traces                                                                                    |
+| `service_instance_id`      | string | `<node_pubkey>`                   | Instance identifier                                                                                        |
+
+**Planned (not yet implemented)**: the following options appear in the design
+documents but are not parsed by `TelemetryConfig.cpp` in Phase 1b and later
+phases. They will be added as the corresponding subsystems are instrumented:
+
+| Option            | Planned Phase | Purpose                                  |
+| ----------------- | ------------- | ---------------------------------------- |
+| `exporter`        | Future        | Select between OTLP/HTTP and OTLP/gRPC   |
+| `trace_pathfind`  | Phase 2       | Path computation tracing toggle          |
+| `trace_txq`       | Phase 3       | Transaction queue tracing toggle         |
+| `trace_validator` | Future        | Validator list / manifest update tracing |
+| `trace_amendment` | Future        | Amendment voting tracing                 |
+
+---
+
+## 5.2 Configuration Parser
+
+> **TxQ** = Transaction Queue
+
+The parser `setupTelemetry()` in `src/libxrpl/telemetry/TelemetryConfig.cpp` reads the `[telemetry]` `Section` and populates a `Telemetry::Setup` struct, applying the defaults listed in Section 5.1.2 via `section.value_or(...)`. It derives `serviceInstanceId` from the node public key when not overridden, selects the exporter endpoint default by exporter type, and leaves the sampling ratio at its fixed 1.0 default (not read from config — see Section 7.4.2).
+
+---
+
+## 5.3 Application Integration
+
+### 5.3.1 ApplicationImp Changes
+
+> **Deferred identity**: The node public key (`nodeIdentity_`) is not
+> available during `ApplicationImp`'s member initializer list — it is
+> resolved later in `setup()`. The `Telemetry` object is therefore
+> constructed with an empty `serviceInstanceId` and patched via
+> `setServiceInstanceId()` once `setup()` has called `getNodeIdentity()`.
+
+`ApplicationImp` (in `src/xrpld/app/main/Application.cpp`) owns a `std::unique_ptr<telemetry::Telemetry> telemetry_`. It is built in the member initializer list via `makeTelemetry(setupTelemetry(...))` with an empty `serviceInstanceId`, then patched in `setup()` by calling `setServiceInstanceId()` with the Base58 node public key (unless the user supplied a custom `service_instance_id`). `start()` and `run()` forward to `telemetry_->start()` / `telemetry_->stop()`, and `getTelemetry()` returns the owned instance.
+
+### 5.3.2 ServiceRegistry Interface Addition
+
+`include/xrpl/core/ServiceRegistry.h` gains a pure-virtual `telemetry::Telemetry& getTelemetry()` (with a forward declaration of `telemetry::Telemetry`), giving every component a uniform accessor for the tracing subsystem.
+
+> **Note:** `Application` extends `ServiceRegistry`, so `getTelemetry()` is
+> available on both. Components that hold a `ServiceRegistry&` (e.g.
+> `NetworkOPsImp`) call `registry_.get().getTelemetry()`. Components that
+> still hold an `Application&` (e.g. `ServerHandler`, `PeerImp`,
+> `RCLConsensusAdaptor`) call `app_.getTelemetry()` directly.
+
+---
+
+## 5.4 CMake Integration
+
+> **OTLP** = OpenTelemetry Protocol
+
+### 5.4.1 Find OpenTelemetry Module
+
+A `cmake/FindOpenTelemetry.cmake` module locates the OpenTelemetry C++ SDK. It first tries `find_package(opentelemetry-cpp CONFIG)`, aliasing the imported targets `OpenTelemetry::api`, `OpenTelemetry::sdk`, and `OpenTelemetry::otlp_grpc_exporter`, and falls back to `pkg-config` when no CMake config package is present.
+
+### 5.4.2 CMakeLists.txt Changes
+
+The top-level `CMakeLists.txt` adds an `XRPL_ENABLE_TELEMETRY` option (default `OFF`). When enabled, it runs `find_package(OpenTelemetry REQUIRED)`, defines the `XRPL_ENABLE_TELEMETRY` compile flag, and builds the `xrpl_telemetry` library from the real telemetry sources linked against the OpenTelemetry targets; when disabled, it builds the same target from a no-op `NullTelemetry.cpp` so call sites compile unchanged.
+
+---
+
+## 5.5 OpenTelemetry Collector Configuration
+
+> **OTLP** = OpenTelemetry Protocol | **APM** = Application Performance Monitoring
+
+> **Production hardening**: The configurations in this section are starting points. For production deployments where xrpld ships telemetry across a network to a centrally-hosted collector, see [Securing the OTel Pipeline](./secure-OTel.md) for the required mTLS receiver config, NetworkPolicy, and peer trace-context validation.
+
+The authoritative collector config lives in the repo at `docker/telemetry/otel-collector-config.yaml` (with Tempo backend config in `docker/telemetry/tempo.yaml`). The sections below summarize the development and production shapes of that pipeline.
+
+### 5.5.1 Development Configuration
+
+The development collector enables an OTLP receiver on both gRPC (`0.0.0.0:4317`) and HTTP (`0.0.0.0:4318`), a single `batch` processor (1s timeout, batch size 100), and two exporters: a `logging` exporter for console debugging and `otlp/tempo` (insecure) for trace visualization. The single `traces` pipeline wires receiver → batch → both exporters.
+
+### 5.5.2 Production Configuration
+
+The production collector adds TLS on the OTLP gRPC receiver and a richer processor chain: a `memory_limiter` (OOM guard), `batch` (5s timeout, size 512), `tail_sampling`, and an `attributes` processor that hashes sensitive fields (e.g. `tx_account`) and stamps `deployment.environment`. Tail sampling keeps all `ERROR` traces, slow consensus rounds (>5s) and slow RPC requests (>1s), and probabilistically samples the remainder at 10%. Exporters target Grafana Tempo (TLS) and Elastic APM; `health_check` and `zpages` extensions are enabled for operability.
+
+---
+
+## 5.6 Docker Compose Development Environment
+
+> **OTLP** = OpenTelemetry Protocol
+
+The authoritative development stack lives in the repo at `docker/telemetry/docker-compose.yml`. It brings up four services on a shared `xrpld-telemetry` network: an `otel-collector` (otel/opentelemetry-collector-contrib) exposing OTLP gRPC `4317`, OTLP HTTP `4318`, and health check `13133`; `tempo` for trace storage/visualization; `grafana` with provisioned datasources and dashboards (anonymous admin enabled); and an optional `prometheus` for metric correlation.
+
+---
+
+## 5.7 Configuration Architecture
+
+> **OTLP** = OpenTelemetry Protocol
+
+```mermaid
+flowchart TB
+    subgraph config["Configuration Sources"]
+        cfgFile["xrpld.cfg<br/>[telemetry] section"]
+        cmake["CMake<br/>XRPL_ENABLE_TELEMETRY"]
+    end
+
+    subgraph init["Initialization"]
+        parse["setupTelemetry()"]
+        factory["makeTelemetry()"]
+    end
+
+    subgraph runtime["Runtime Components"]
+        tracer["TracerProvider"]
+        exporter["OTLP Exporter"]
+        processor["BatchProcessor"]
+    end
+
+    subgraph collector["Collector Pipeline"]
+        recv["Receivers"]
+        proc["Processors"]
+        exp["Exporters"]
+    end
+
+    cfgFile --> parse
+    cmake -->|"compile flag"| parse
+    parse --> factory
+    factory --> tracer
+    tracer --> processor
+    processor --> exporter
+    exporter -->|"OTLP"| recv
+    recv --> proc
+    proc --> exp
+
+    style config fill:#e3f2fd,stroke:#1976d2
+    style runtime fill:#e8f5e9,stroke:#388e3c
+    style collector fill:#fff3e0,stroke:#ff9800
+```
+
+**Reading the diagram:**
+
+- **Configuration Sources**: `xrpld.cfg` provides runtime settings (endpoint, sampling) while the CMake flag controls whether telemetry is compiled in at all.
+- **Initialization**: `setupTelemetry()` parses config values, then `makeTelemetry()` constructs the provider, processor, and exporter objects.
+- **Runtime Components**: The `TracerProvider` creates spans, the `BatchProcessor` buffers them, and the `OTLP Exporter` serializes and sends them over the wire.
+- **OTLP arrow to Collector**: Trace data leaves the xrpld process via OTLP (gRPC or HTTP) and enters the external Collector pipeline.
+- **Collector Pipeline**: `Receivers` ingest OTLP data, `Processors` apply sampling/filtering/enrichment, and `Exporters` forward traces to storage backends (Tempo, etc.).
+
+---
+
+## 5.8 Grafana Integration
+
+> **APM** = Application Performance Monitoring
+
+Step-by-step instructions for integrating xrpld traces with Grafana.
+
+### 5.8.1 Data Source Configuration
+
+#### Tempo (Recommended)
+
+A Tempo datasource (`grafana/provisioning/datasources/tempo.yaml`, provisioned from `docker/telemetry/grafana/`) points at `http://tempo:3200` and enables `tracesToLogs` (linking to Loki on `service.name`/`tx_hash` and mapping `trace_id` → `traceID`), `serviceMap` against Prometheus, the node graph, and Loki search.
+
+#### Elastic APM
+
+Alternatively, an Elasticsearch datasource (`grafana/provisioning/datasources/elastic-apm.yaml`) of type `elasticsearch` points at `http://elasticsearch:9200` against the `apm-*` index, using `@timestamp` as the time field and mapping the log message/level fields.
+
+### 5.8.2 Dashboard Provisioning
+
+A dashboard provider (`grafana/provisioning/dashboards/dashboards.yaml`) loads the `xrpld` dashboard folder from disk (`/var/lib/grafana/dashboards/rippled`), polling for changes every 30s with deletion disabled.
+
+### 5.8.3 Example Dashboard: RPC Performance
+
+An example `xrpld RPC Performance` dashboard (uid `xrpld-rpc-performance`) sourced from Tempo via TraceQL provides four panels: RPC latency by command (heatmap), RPC error rate by command (timeseries), the top 10 slowest RPC commands by average duration (table), and a recent-traces table.
+
+### 5.8.4 Example Dashboard: Transaction Tracing
+
+An example `xrpld Transaction Tracing` dashboard (uid `xrpld-tx-tracing`) over Tempo provides three panels: transaction throughput (`tx.receive` rate, stat), cross-node relay count (average `span.relay_count` on `tx.relay`, timeseries), and a table of transaction validation errors (`tx.validate` with `status.code=error`).
+
+### 5.8.5 TraceQL Query Examples
+
+Common queries for xrpld traces:
+
+```
+# Find all traces for a specific transaction hash
+{resource.service.name="xrpld" && span.tx_hash="ABC123..."}
+
+# Find slow RPC commands (>100ms)
+{resource.service.name="xrpld" && name=~"rpc.command.*"} | duration > 100ms
+
+# Find consensus rounds taking >5 seconds
+{resource.service.name="xrpld" && name="consensus.round"} | duration > 5s
+
+# Find failed transactions with error details
+{resource.service.name="xrpld" && name="tx.validate" && status.code=error}
+
+# Find transactions relayed to many peers
+{resource.service.name="xrpld" && name="tx.relay"} | span.relay_count > 10
+
+# Compare latency across nodes
+{resource.service.name="xrpld" && name="rpc.command.account_info"} | avg(duration) by (resource.service.instance.id)
+```
+
+### 5.8.6 Correlation with PerfLog
+
+To correlate OpenTelemetry traces with existing PerfLog data:
+
+**Step 1: Configure Loki to ingest PerfLog**
+
+Configure a Promtail scrape job (`promtail-config.yaml`) that tails `/var/log/rippled/perf*.log`, parses each JSON line, and promotes `trace_id`, `ledger_seq`, and `tx_hash` to Loki labels.
+
+**Step 2: Add trace_id to PerfLog entries**
+
+Modify PerfLog so its JSON output includes a `trace_id` field whenever a valid span is active: fetch the current span from the OpenTelemetry runtime context, and if its context is valid, render the trace ID as a 32-character lowercase hex string into the log entry.
+
+**Step 3: Configure Grafana trace-to-logs link**
+
+In the Tempo datasource, set the `tracesToLogs` derived field to link to Loki on the `trace_id` and `tx_hash` tags, with `filterByTraceID: true`.
+
+### 5.8.7 Correlation with Insight/StatsD Metrics
+
+To correlate traces with existing Beast Insight metrics:
+
+**Step 1: Export Insight metrics to Prometheus**
+
+Add a Prometheus scrape job (`prometheus.yaml`) named `xrpld-statsd` targeting the StatsD exporter at `statsd-exporter:9102`.
+
+**Step 2: Add exemplars to metrics**
+
+The OpenTelemetry SDK automatically adds exemplars (trace IDs) to metrics when using the Prometheus exporter, linking metric spikes to specific traces.
+
+**Step 3: Configure Grafana metric-to-trace link**
+
+In the Prometheus datasource, set `exemplarTraceIdDestinations` to map the `trace_id` exemplar to the Tempo datasource.
+
+**Step 4: Dashboard panel with exemplars**
+
+Add a timeseries panel over Prometheus (e.g. `histogram_quantile(0.99, rate(xrpld_rpc_duration_seconds_bucket[5m]))`) with `exemplar: true` enabled.
+
+This allows clicking on metric data points to jump directly to the related trace.
+
+---
+
+_Previous: [Implementation Strategy](./03-implementation-strategy.md)_ | _Next: [Implementation Phases](./06-implementation-phases.md)_ | _Back to: [Overview](./OpenTelemetryPlan.md)_

OpenTelemetryPlan/06-implementation-phases.md

@@ -0,0 +1,741 @@
+# Implementation Phases
+
+> **Parent Document**: [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)
+> **Related**: [Configuration Reference](./05-configuration-reference.md) | [Observability Backends](./07-observability-backends.md)
+
+---
+
+## 6.1 Phase Overview
+
+> **TxQ** = Transaction Queue
+
+```mermaid
+gantt
+    title OpenTelemetry Implementation Timeline
+    dateFormat  YYYY-MM-DD
+    axisFormat  Week %W
+
+    section Phase 1
+    Core Infrastructure        :p1, 2024-01-01, 2w
+    SDK Integration           :p1a, 2024-01-01, 4d
+    Telemetry Interface       :p1b, after p1a, 3d
+    Configuration & CMake     :p1c, after p1b, 3d
+    Unit Tests                :p1d, after p1c, 2d
+    Buffer & Integration      :p1e, after p1d, 2d
+
+    section Phase 2
+    RPC Tracing               :p2, after p1, 2w
+    HTTP Context Extraction   :p2a, after p1, 2d
+    RPC Handler Instrumentation :p2b, after p2a, 4d
+    PathFinding Instrumentation :p2f, after p2b, 2d
+    TxQ Instrumentation       :p2g, after p2f, 2d
+    WebSocket Support         :p2c, after p2g, 2d
+    Integration Tests         :p2d, after p2c, 2d
+    Buffer & Review           :p2e, after p2d, 4d
+
+    section Phase 3
+    Transaction Tracing       :p3, after p2, 2w
+    Protocol Buffer Extension :p3a, after p2, 2d
+    PeerImp Instrumentation   :p3b, after p3a, 3d
+    Fee Escalation Instrumentation :p3f, after p3b, 2d
+    Relay Context Propagation :p3c, after p3f, 3d
+    Multi-node Tests          :p3d, after p3c, 2d
+    Buffer & Review           :p3e, after p3d, 4d
+
+    section Phase 4
+    Consensus Tracing         :p4, after p3, 2w
+    Consensus Round Spans     :p4a, after p3, 3d
+    Proposal Handling         :p4b, after p4a, 3d
+    Establish Phase (4a)      :p4f, after p4b, 3d
+    Validation Tests          :p4c, after p4f, 4d
+    Buffer & Review           :p4e, after p4c, 4d
+
+    section Phase 5
+    Documentation & Deploy    :p5, after p4, 1w
+```
+
+---
+
+## 6.2 Phase 1: Core Infrastructure (Weeks 1-2)
+
+**Objective**: Establish foundational telemetry infrastructure
+
+### Tasks
+
+| Task | Description                                           |
+| ---- | ----------------------------------------------------- |
+| 1.1  | Add OpenTelemetry C++ SDK to Conan/CMake              |
+| 1.2  | Implement `Telemetry` interface and factory           |
+| 1.3  | Implement `SpanGuard` RAII wrapper                    |
+| 1.4  | Implement configuration parser                        |
+| 1.5  | Integrate into `ApplicationImp`                       |
+| 1.6  | Add conditional compilation (`XRPL_ENABLE_TELEMETRY`) |
+| 1.7  | Create `NullTelemetry` no-op implementation           |
+| 1.8  | Unit tests for core infrastructure                    |
+
+### Exit Criteria
+
+- [ ] OpenTelemetry SDK compiles and links
+- [ ] Telemetry can be enabled/disabled via config
+- [ ] Basic span creation works
+- [ ] No performance regression when disabled
+- [ ] Unit tests passing
+
+---
+
+## 6.3 Phase 2: RPC Tracing (Weeks 3-4)
+
+> **TxQ** = Transaction Queue
+
+**Objective**: Complete tracing for all RPC operations
+
+### Tasks
+
+| Task | Description                                                                |
+| ---- | -------------------------------------------------------------------------- |
+| 2.1  | Implement W3C Trace Context HTTP header extraction                         |
+| 2.2  | Instrument `ServerHandler::onRequest()`                                    |
+| 2.3  | Instrument `RPCHandler::doCommand()`                                       |
+| 2.4  | Add RPC-specific attributes                                                |
+| 2.5  | Instrument WebSocket handler                                               |
+| 2.6  | PathFinding instrumentation (`pathfind.request`, `pathfind.compute` spans) |
+| 2.7  | TxQ instrumentation (`txq.enqueue`, `txq.apply` spans)                     |
+| 2.8  | Integration tests for RPC tracing                                          |
+| 2.9  | Performance benchmarks                                                     |
+| 2.10 | Documentation                                                              |
+
+### Exit Criteria
+
+- [ ] All RPC commands traced
+- [ ] Trace context propagates from HTTP headers
+- [ ] WebSocket and HTTP both instrumented
+- [ ] <1ms overhead per RPC call
+- [ ] Integration tests passing
+
+---
+
+## 6.4 Phase 3: Transaction Tracing (Weeks 5-6)
+
+**Objective**: Trace transaction lifecycle across network with deterministic cross-node correlation
+
+### Tasks
+
+| Task | Description                                                    |
+| ---- | -------------------------------------------------------------- |
+| 3.1  | Define `TraceContext` Protocol Buffer message                  |
+| 3.2  | Implement protobuf context serialization                       |
+| 3.3  | Instrument `PeerImp::handleTransaction()`                      |
+| 3.4  | Instrument `NetworkOPs::submitTransaction()`                   |
+| 3.5  | Instrument HashRouter integration                              |
+| 3.6  | Fee escalation instrumentation (`fee.escalate` span)           |
+| 3.7  | Implement relay context propagation                            |
+| 3.8  | Integration tests (multi-node)                                 |
+| 3.9  | Deterministic transaction trace ID (`trace_id = txHash[0:16]`) |
+| 3.10 | Performance benchmarks                                         |
+
+### Deterministic Trace ID (Task 3.9)
+
+Transaction spans use **deterministic trace IDs** derived from the transaction hash:
+`trace_id = txHash[0:16]`. All nodes handling the same transaction independently
+produce spans under the same trace_id. Protobuf `span_id` propagation (Task 3.7)
+additionally provides parent-child relay ordering when available. See
+[02-design-decisions.md §2.5.0](./02-design-decisions.md) for the design rationale
+and [Phase3_taskList.md Task 3.9](./Phase3_taskList.md) for the full implementation spec.
+
+### Exit Criteria
+
+- [ ] Transaction traces span across nodes
+- [ ] Trace context in Protocol Buffer messages
+- [ ] HashRouter deduplication visible in traces
+- [ ] Multi-node integration tests passing
+- [ ] <5% overhead on transaction throughput
+- [ ] Deterministic trace_id: all nodes produce same trace_id for same transaction
+- [ ] Protobuf span_id propagation preserves parent-child ordering when available
+
+---
+
+## 6.5 Phase 4: Consensus Tracing (Weeks 7-8)
+
+**Objective**: Full observability into consensus rounds
+
+### Tasks
+
+| Task | Description                                    | Status             |
+| ---- | ---------------------------------------------- | ------------------ |
+| 4.1  | Instrument `RCLConsensusAdaptor::startRound()` | ✅ Done (via 4a.2) |
+| 4.2  | Instrument phase transitions                   | ✅ Done            |
+| 4.3  | Instrument proposal handling                   | ✅ Done            |
+| 4.4  | Instrument validation handling                 | ✅ Done            |
+| 4.5  | Add consensus-specific attributes              | ✅ Done            |
+| 4.6  | Correlate with transaction traces              | ✅ Done            |
+| 4.7  | Build verification and testing                 | ✅ Done            |
+| 4.8  | Validation span enrichment (ext. dashboard)    | ❌ Not done        |
+
+**Note**: The original plan doc listed tasks 4.7-4.11 as "Validator list tracing",
+"Amendment voting tracing", "SHAMap sync tracing", "Multi-validator integration tests",
+and "Performance validation". These were descoped and replaced by the tasklist's 4.7
+(build verification) and 4.8 (validation span enrichment). Validator, amendment, and
+SHAMap tracing are not implemented.
+
+### Spans Produced
+
+| Span Name                   | Location           | Attributes                                                                                                                                                                                                       |
+| --------------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `consensus.phase.open`      | `Consensus.h`      | _(none)_                                                                                                                                                                                                         |
+| `consensus.proposal.send`   | `RCLConsensus.cpp` | `consensus_round`                                                                                                                                                                                                |
+| `consensus.ledger_close`    | `RCLConsensus.cpp` | `ledger_seq`, `consensus_mode`                                                                                                                                                                                   |
+| `consensus.accept`          | `RCLConsensus.cpp` | `proposers`, `round_time_ms`, `quorum`                                                                                                                                                                           |
+| `consensus.accept.apply`    | `RCLConsensus.cpp` | `close_time`, `close_time_correct`, `close_resolution_ms`, `consensus_state`, `proposing`, `round_time_ms`, `ledger_seq`, `parent_close_time`, `close_time_self`, `close_time_vote_bins`, `resolution_direction` |
+| `consensus.validation.send` | `RCLConsensus.cpp` | `ledger_seq`, `proposing`                                                                                                                                                                                        |
+
+### Exit Criteria
+
+- [x] Complete consensus round traces
+- [x] Phase transitions visible (open, establish, close, accept)
+- [x] Proposals and validations traced — send and receive; relay deferred to Phase 4b
+- [x] Close time agreement tracked (per `avCT_CONSENSUS_PCT`)
+- [x] No impact on consensus timing
+- [ ] Multi-validator test network validated
+- [x] Transaction-consensus correlation (Task 4.6) — `tx.included` events in doAccept
+- [ ] Validation span enrichment (Task 4.8) — not implemented
+
+### Implementation Status — Phase 4a Complete
+
+Phase 4a (establish-phase gap fill & cross-node correlation) adds:
+
+- **Deterministic trace ID** derived from `previousLedger.id()` so all validators
+  in the same round share the same `trace_id` (switchable via
+  `consensus_trace_strategy` config: `"deterministic"` or `"attribute"`).
+  See [Configuration Reference](./05-configuration-reference.md) for full
+  configuration options.
+- **Round lifecycle spans**: `consensus.round` with round-to-round span links.
+- **Establish phase**: `consensus.establish`, `consensus.update_positions` (with
+  `dispute.resolve` events), `consensus.check` (with threshold tracking).
+- **Mode changes**: `consensus.mode_change` spans.
+- **Validation**: `consensus.validation.send` with span link to round span
+  (thread-safe cross-thread access via `roundSpanContext_` snapshot).
+- **Separation of concerns**: telemetry extracted to private helpers
+  (`startRoundTracing`, `createValidationSpan`, `startEstablishTracing`,
+  `updateEstablishTracing`, `endEstablishTracing`).
+
+See [Phase4_taskList.md](./Phase4_taskList.md) for the full spec and implementation notes.
+
+---
+
+## 6.5a Phase 4a: Establish-Phase Gap Fill & Cross-Node Correlation
+
+**Objective**: Fill tracing gaps in the establish phase and establish cross-node
+correlation using deterministic trace IDs derived from `previousLedger.id()`.
+
+**Approach**: Direct instrumentation in `Consensus.h` and `RCLConsensus.cpp`.
+All spans use `SpanGuard` factory methods (`span()`, `hashSpan()`, `linkedSpan()`)
+with `TraceCategory::Consensus` gating. No macros used — all tracing via direct
+`SpanGuard` API calls.
+
+### Tasks
+
+| Task | Description                                      | Effort | Risk   | Status                   |
+| ---- | ------------------------------------------------ | ------ | ------ | ------------------------ |
+| 4a.0 | Prerequisites: extend SpanGuard & Telemetry APIs | 1d     | Medium | ✅ Done (no macros)      |
+| 4a.1 | Adaptor `getTelemetry()` method                  | 0.5d   | Low    | ⏭️ Skipped (not needed)  |
+| 4a.2 | Switchable round span with deterministic traceID | 2d     | High   | ✅ Done                  |
+| 4a.3 | Span members in `Consensus.h`                    | 0.5d   | Medium | ✅ Done (with deviation) |
+| 4a.4 | Instrument `phaseEstablish()`                    | 1d     | Medium | ✅ Done                  |
+| 4a.5 | Instrument `updateOurPositions()`                | 1d     | Medium | ✅ Done                  |
+| 4a.6 | Instrument `haveConsensus()` (thresholds)        | 1d     | Medium | ✅ Done                  |
+| 4a.7 | Instrument mode changes                          | 0.5d   | Low    | ✅ Done                  |
+| 4a.8 | Reparent existing spans under round              | 0.5d   | Low    | ✅ Done                  |
+| 4a.9 | Build verification and testing                   | 1d     | Low    | ✅ Done                  |
+
+**Total Effort**: 9 days
+
+### Spans Produced
+
+| Span Name                    | Location           | Key Attributes (actually set)                                                                                                 |
+| ---------------------------- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------- |
+| `consensus.round`            | `RCLConsensus.cpp` | `consensus_round_id`, `consensus_ledger_id`, `ledger_seq`, `consensus_mode`, `trace_strategy`                                 |
+| `consensus.establish`        | `Consensus.h`      | `converge_percent`, `establish_count`, `proposers`                                                                            |
+| `consensus.update_positions` | `Consensus.h`      | `converge_percent`, `proposers`, `have_close_time_consensus`, `close_time_threshold`, `disputes_count`, `avalanche_threshold` |
+| `consensus.check`            | `Consensus.h`      | `agree_count`, `disagree_count`, `converge_percent`, `have_close_time_consensus`, `threshold_percent`, `consensus_result`     |
+| `consensus.mode_change`      | `RCLConsensus.cpp` | `mode_old`, `mode_new`                                                                                                        |
+
+### Exit Criteria
+
+- [x] Establish phase internals traced (establish, update_positions, check spans)
+- [x] Establish phase fully traced — `disputes_count`, `avalanche_threshold`, dispute `yays`/`nays` all implemented
+- [x] Cross-node correlation works via deterministic trace_id
+- [x] Strategy switchable via config (`deterministic` / `attribute`)
+- [x] Consecutive rounds linked via follows-from spans
+- [x] Build passes with telemetry ON and OFF
+- [x] No impact on consensus timing
+
+See [Phase4_taskList.md](./Phase4_taskList.md) for full task details.
+
+---
+
+## 6.5b Phase 4b: Cross-Node Propagation (Future)
+
+**Objective**: Wire `TraceContextPropagator` for P2P messages (proposals,
+validations) to enable true distributed tracing between nodes.
+
+**Status**: Design documented, NOT implemented. Protobuf fields (field 1001)
+and `TraceContextPropagator` free functions exist. Wiring deferred until Phase 4a is
+validated in a multi-node environment.
+
+**Prerequisites**: Phase 4a complete and validated.
+
+See [Phase4_taskList.md § Phase 4b](./Phase4_taskList.md) for full design.
+
+---
+
+## 6.6 Phase 5: Documentation & Deployment (Week 9)
+
+**Objective**: Production readiness
+
+### Tasks
+
+| Task | Description                   | Status              |
+| ---- | ----------------------------- | ------------------- |
+| 5.1  | Operator runbook              | Complete            |
+| 5.2  | Grafana dashboards            | Complete            |
+| 5.3  | Alert definitions             | Deferred — post-MVP |
+| 5.4  | Collector deployment examples | Complete            |
+| 5.5  | Developer documentation       | Complete            |
+| 5.6  | Training materials            | Deferred — post-MVP |
+| 5.7  | Final integration testing     | Complete            |
+
+---
+
+## 6.7 Phase 6: StatsD Metrics Integration (Week 10)
+
+**Objective**: Bridge xrpld's existing `beast::insight` StatsD metrics into the OpenTelemetry collection pipeline, exposing 300+ pre-existing metrics alongside span-derived RED metrics in Prometheus/Grafana.
+
+### Background
+
+xrpld has a mature metrics framework (`beast::insight`) that emits StatsD-format metrics over UDP. These metrics cover node health, peer networking, RPC performance, job queue, and overlay traffic — data that **does not** overlap with the span-based instrumentation from Phases 1-5. By adding a StatsD receiver to the OTel Collector, both metric sources converge in Prometheus.
+
+### Metric Inventory
+
+| Category        | Group              | Type          | Count      | Key Metrics                                            |
+| --------------- | ------------------ | ------------- | ---------- | ------------------------------------------------------ |
+| Node State      | `State_Accounting` | Gauge         | 10         | `*_duration`, `*_transitions` per operating mode       |
+| Ledger          | `LedgerMaster`     | Gauge         | 2          | `Validated_Ledger_Age`, `Published_Ledger_Age`         |
+| Ledger Fetch    | —                  | Counter       | 1          | `ledger_fetches`                                       |
+| Ledger History  | `ledger.history`   | Counter       | 1          | `mismatch`                                             |
+| RPC             | `rpc`              | Counter+Event | 3          | `requests`, `time` (histogram), `size` (histogram)     |
+| Job Queue       | —                  | Gauge+Event   | 1 + 2×N    | `job_count`, per-job `{name}` and `{name}_q`           |
+| Peer Finder     | `Peer_Finder`      | Gauge         | 2          | `Active_Inbound_Peers`, `Active_Outbound_Peers`        |
+| Overlay         | `Overlay`          | Gauge         | 1          | `Peer_Disconnects`                                     |
+| Overlay Traffic | per-category       | Gauge         | 4×57 = 228 | `Bytes_In/Out`, `Messages_In/Out` per traffic category |
+| Pathfinding     | —                  | Event         | 2          | `pathfind_fast`, `pathfind_full` (histograms)          |
+| I/O             | —                  | Event         | 1          | `ios_latency` (histogram)                              |
+| Resource Mgr    | —                  | Meter         | 2          | `warn`, `drop` (rate counters)                         |
+| Caches          | per-cache          | Gauge         | 2×N        | `{cache}.size`, `{cache}.hit_rate`                     |
+
+**Total**: ~255+ unique metrics (plus dynamic job-type and cache metrics)
+
+### Tasks
+
+| Task | Description                                                                                                     |
+| ---- | --------------------------------------------------------------------------------------------------------------- |
+| 6.1  | **DEFERRED** Fix Meter wire format (`\|m` → `\|c`) in StatsDCollector.cpp — breaking change, tracked separately |
+| 6.2  | Add `statsd` receiver to OTel Collector config                                                                  |
+| 6.3  | Expose UDP port 8125 in docker-compose.yml                                                                      |
+| 6.4  | Add `[insight]` config to integration test node configs                                                         |
+| 6.5  | Create "Node Health" Grafana dashboard (16 panels)                                                              |
+| 6.6  | Create "Network Traffic" Grafana dashboard (10 panels)                                                          |
+| 6.7  | Create "RPC & Pathfinding (StatsD)" Grafana dashboard (8 panels)                                                |
+| 6.8  | Update integration test to verify StatsD metrics in Prometheus                                                  |
+| 6.9  | Update TESTING.md and telemetry-runbook.md                                                                      |
+
+### Wire Format Fix (Task 6.1) — DEFERRED
+
+The `StatsDMeterImpl` in `StatsDCollector.cpp` sends metrics with `|m` suffix, which is non-standard StatsD. The OTel StatsD receiver silently drops these. Fix: change `|m` to `|c` (counter), which is semantically correct since meters are increment-only counters. Only 2 metrics are affected (`warn`, `drop` in Resource Manager).
+
+**Status**: Deferred as a separate change — this is a breaking change for any StatsD backend that previously consumed the custom `|m` type. The Resource Warnings and Resource Drops dashboard panels will show no data until this fix is applied.
+
+### New Grafana Dashboards
+
+**Node Health** (`statsd-node-health.json`, uid: `xrpld-statsd-node-health`):
+
+- Validated/Published Ledger Age, Operating Mode Duration/Transitions, I/O Latency, Job Queue Depth, Ledger Fetch Rate, Ledger History Mismatches, Key Jobs Execution/Dequeue Time, FullBelowCache Size/Hit Rate, Ledger Publish Gap, State Duration Rate, All Jobs Detail
+
+**Network Traffic** (`statsd-network-traffic.json`, uid: `xrpld-statsd-network`):
+
+- Active Inbound/Outbound Peers, Peer Disconnects, Total Bytes/Messages In/Out, Transaction/Proposal/Validation Traffic, Top Traffic Categories, Duplicate Traffic, All Traffic Categories Detail
+
+**RPC & Pathfinding (StatsD)** (`statsd-rpc-pathfinding.json`, uid: `xrpld-statsd-rpc`):
+
+- RPC Request Rate, Response Time p95/p50, Response Size p95/p50, Pathfinding Fast/Full Duration, Resource Warnings/Drops, Response Time Heatmap
+
+### Exit Criteria
+
+- [ ] StatsD metrics visible in Prometheus (`curl localhost:9090/api/v1/query?query=xrpld_LedgerMaster_Validated_Ledger_Age`)
+- [ ] All 3 new Grafana dashboards load without errors
+- [ ] Integration test verifies at least core StatsD metrics (ledger age, peer counts, RPC requests)
+- [ ] ~~Meter metrics (`warn`, `drop`) flow correctly after `|m` → `|c` fix~~ — DEFERRED (breaking change, tracked separately)
+
+---
+
+## 6.8 Risk Assessment
+
+```mermaid
+quadrantChart
+    title Risk Assessment Matrix
+    x-axis Low Impact --> High Impact
+    y-axis Low Likelihood --> High Likelihood
+    quadrant-1 Mitigate Immediately
+    quadrant-2 Plan Mitigation
+    quadrant-3 Accept Risk
+    quadrant-4 Monitor Closely
+
+    SDK Compat: [0.2, 0.18]
+    Protocol Chg: [0.75, 0.72]
+    Perf Overhead: [0.58, 0.42]
+    Context Prop: [0.4, 0.55]
+    Memory Leaks: [0.85, 0.25]
+```
+
+### Risk Details
+
+| Risk                                 | Likelihood | Impact | Mitigation                              |
+| ------------------------------------ | ---------- | ------ | --------------------------------------- |
+| Protocol changes break compatibility | Medium     | High   | Use high field numbers, optional fields |
+| Performance overhead unacceptable    | Medium     | Medium | Sampling, conditional compilation       |
+| Context propagation complexity       | Medium     | Medium | Phased rollout, extensive testing       |
+| SDK compatibility issues             | Low        | Medium | Pin SDK version, fallback to no-op      |
+| Memory leaks in long-running nodes   | Low        | High   | Memory profiling, bounded queues        |
+
+---
+
+## 6.9 Success Metrics
+
+| Metric                   | Target                                                         | Measurement           |
+| ------------------------ | -------------------------------------------------------------- | --------------------- |
+| Trace coverage           | >95% of transaction code paths (independent of sampling ratio) | Sampling verification |
+| CPU overhead             | <3%                                                            | Benchmark tests       |
+| Memory overhead          | <10 MB                                                         | Memory profiling      |
+| Latency impact (p99)     | <2%                                                            | Performance tests     |
+| Trace completeness       | >99% spans with required attrs                                 | Validation script     |
+| Cross-node trace linkage | >90% of multi-hop transactions                                 | Integration tests     |
+
+---
+
+## 6.10 Quick Wins and Crawl-Walk-Run Strategy
+
+> **TxQ** = Transaction Queue
+
+This section outlines a prioritized approach to maximize ROI with minimal initial investment.
+
+### 6.10.1 Crawl-Walk-Run Overview
+
+<div align="center">
+
+```mermaid
+flowchart TB
+    subgraph crawl["🐢 CRAWL (Week 1-2)"]
+        direction LR
+        c1[Core SDK Setup] ~~~ c2[RPC Tracing Only] ~~~ c3[PathFinding + TxQ Tracing] ~~~ c4[Single Node]
+    end
+
+    subgraph walk["🚶 WALK (Week 3-5)"]
+        direction LR
+        w1[Transaction Tracing] ~~~ w2[Fee Escalation Tracing] ~~~ w3[Cross-Node Context] ~~~ w4[Basic Dashboards]
+    end
+
+    subgraph run["🏃 RUN (Week 6-9)"]
+        direction LR
+        r1[Consensus Tracing] ~~~ r2[Establish Phase<br/>& Cross-Node Correlation] ~~~ r3[StatsD Integration] ~~~ r4[Production Deploy]
+    end
+
+    crawl --> walk --> run
+
+    style crawl fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style walk fill:#bf360c,stroke:#8c2809,color:#fff
+    style run fill:#0d47a1,stroke:#082f6a,color:#fff
+    style c1 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style c2 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style c3 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style c4 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style w1 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style w2 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style w3 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style w4 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style r1 fill:#0d47a1,stroke:#082f6a,color:#fff
+    style r2 fill:#0d47a1,stroke:#082f6a,color:#fff
+    style r3 fill:#0d47a1,stroke:#082f6a,color:#fff
+    style r4 fill:#0d47a1,stroke:#082f6a,color:#fff
+```
+
+</div>
+
+**Reading the diagram:**
+
+- **CRAWL (Weeks 1-2)**: Minimal investment -- set up the SDK, instrument RPC and PathFinding/TxQ handlers, and verify on a single node. Delivers immediate latency visibility.
+- **WALK (Weeks 3-5)**: Expand to transaction lifecycle tracing, fee escalation, cross-node context propagation, and basic Grafana dashboards. This is where distributed tracing starts working.
+- **RUN (Weeks 6-9)**: Full consensus instrumentation, establish-phase gap fill, cross-node correlation, StatsD integration, and production deployment with sampling and alerting.
+- **Arrows (crawl → walk → run)**: Each phase builds on the prior one; you cannot skip ahead because later phases depend on infrastructure established earlier.
+
+### 6.10.2 Quick Wins (Immediate Value)
+
+| Quick Win                      | Value  | When to Deploy |
+| ------------------------------ | ------ | -------------- |
+| **RPC Command Tracing**        | High   | Week 2         |
+| **RPC Latency Histograms**     | High   | Week 2         |
+| **Error Rate Dashboard**       | Medium | Week 2         |
+| **Transaction Submit Tracing** | High   | Week 3         |
+| **Consensus Round Duration**   | Medium | Week 6         |
+
+### 6.10.3 CRAWL Phase (Weeks 1-2)
+
+**Goal**: Get basic tracing working with minimal code changes.
+
+**What You Get**:
+
+- RPC request/response traces for all commands
+- Latency breakdown per RPC command
+- PathFinding and TxQ tracing (directly impacts RPC latency)
+- Error visibility with stack traces
+- Basic Grafana dashboard
+
+**Code Changes**: ~15 lines in `ServerHandler.cpp`, ~40 lines in new telemetry module
+
+**Why Start Here**:
+
+- RPC is the lowest-risk, highest-visibility component
+- PathFinding and TxQ are RPC-adjacent and directly affect latency
+- Immediate value for debugging client issues
+- No cross-node complexity
+- Single file modification to existing code
+
+### 6.10.4 WALK Phase (Weeks 3-5)
+
+**Goal**: Add transaction lifecycle tracing across nodes.
+
+**What You Get**:
+
+- End-to-end transaction traces from submit to relay
+- Fee escalation tracing within the transaction pipeline
+- Cross-node correlation (see transaction path)
+- HashRouter deduplication visibility
+- Relay latency metrics
+
+**Code Changes**: ~120 lines across 4 files, plus protobuf extension
+
+**Why Do This Second**:
+
+- Builds on RPC tracing (transactions submitted via RPC)
+- Fee escalation is integral to the transaction processing pipeline
+- Moderate complexity (requires context propagation)
+- High value for debugging transaction issues
+
+### 6.10.5 RUN Phase (Weeks 6-9)
+
+**Goal**: Full observability including consensus.
+
+**What You Get**:
+
+- Complete consensus round visibility
+- Phase transition timing
+- Validator proposal tracking
+- ~~Validator list and manifest tracing~~ — descoped
+- ~~Amendment voting tracing~~ — descoped
+- ~~SHAMap sync tracing~~ — descoped
+- Full end-to-end traces (client → RPC → TX → consensus → ledger) — partial (tx-consensus correlation not yet done)
+
+**Code Changes**: ~100 lines across 3 consensus files
+
+**Why Do This Last**:
+
+- Highest complexity (consensus is critical path)
+- Validator, amendment, and SHAMap components were descoped (lower priority)
+- Requires thorough testing
+- Lower relative value (consensus issues are rarer)
+
+### 6.10.6 ROI Prioritization Matrix
+
+```mermaid
+quadrantChart
+    title Implementation ROI Matrix
+    x-axis Low Effort --> High Effort
+    y-axis Low Value --> High Value
+    quadrant-1 Quick Wins - Do First
+    quadrant-2 Major Projects - Plan Carefully
+    quadrant-3 Nice to Have - Optional
+    quadrant-4 Time Sinks - Avoid
+
+    RPC Tracing: [0.15, 0.92]
+    TX Submit Trace: [0.3, 0.78]
+    TX Relay Trace: [0.5, 0.88]
+    Consensus Trace: [0.72, 0.72]
+    Peer Msg Trace: [0.85, 0.3]
+    Ledger Acquire: [0.55, 0.52]
+```
+
+---
+
+## 6.11 Definition of Done
+
+> **TxQ** = Transaction Queue | **HA** = High Availability
+
+Clear, measurable criteria for each phase.
+
+### 6.11.1 Phase 1: Core Infrastructure
+
+| Criterion       | Measurement                                                | Target                       |
+| --------------- | ---------------------------------------------------------- | ---------------------------- |
+| SDK Integration | `cmake --build` succeeds with `-DXRPL_ENABLE_TELEMETRY=ON` | ✅ Compiles                  |
+| Runtime Toggle  | `enabled=0` produces zero overhead                         | <0.1% CPU difference         |
+| Span Creation   | Unit test creates and exports span                         | Span appears in Tempo        |
+| Configuration   | All config options parsed correctly                        | Config validation tests pass |
+| Documentation   | Developer guide exists                                     | PR approved                  |
+
+**Definition of Done**: All criteria met, PR merged, no regressions in CI.
+
+### 6.11.2 Phase 2: RPC Tracing
+
+| Criterion          | Measurement                        | Target                     |
+| ------------------ | ---------------------------------- | -------------------------- |
+| Coverage           | All RPC commands instrumented      | 100% of commands           |
+| Context Extraction | traceparent header propagates      | Integration test passes    |
+| Attributes         | Command, status, duration recorded | Validation script confirms |
+| Performance        | RPC latency overhead               | <1ms p99                   |
+| Dashboard          | Grafana dashboard deployed         | Screenshot in docs         |
+
+**Definition of Done**: RPC traces visible in Tempo for all commands, dashboard shows latency distribution.
+
+### 6.11.3 Phase 3: Transaction Tracing
+
+| Criterion             | Measurement                                       | Target                                                   |
+| --------------------- | ------------------------------------------------- | -------------------------------------------------------- |
+| Local Trace           | Submit → validate → TxQ traced                    | Single-node test passes                                  |
+| Cross-Node            | Context propagates via protobuf                   | Multi-node test passes                                   |
+| Deterministic TraceID | Same trace_id on all nodes for same tx            | Multi-node test: query by txHash[0:16] returns all spans |
+| Relay Ordering        | Protobuf span_id propagation creates parent-child | Tempo trace tree shows relay chain                       |
+| Graceful Degradation  | Old peer drops trace_context                      | Spans still grouped by deterministic trace_id            |
+| Relay Visibility      | relay_count attribute correct                     | Spot check 100 txs                                       |
+| HashRouter            | Deduplication visible in trace                    | Duplicate txs show suppressed=true                       |
+| Performance           | TX throughput overhead                            | <5% degradation                                          |
+
+**Definition of Done**: Transaction traces span 3+ nodes in test network with deterministic trace_id correlation, parent-child ordering via protobuf propagation, and performance within bounds.
+
+### 6.11.4 Phase 4: Consensus Tracing
+
+| Criterion            | Measurement                   | Target                    |
+| -------------------- | ----------------------------- | ------------------------- |
+| Round Tracing        | startRound creates root span  | Unit test passes          |
+| Phase Visibility     | All phases have child spans   | Integration test confirms |
+| Proposer Attribution | Proposer ID in attributes     | Spot check 50 rounds      |
+| Timing Accuracy      | Phase durations match PerfLog | <5% variance              |
+| No Consensus Impact  | Round timing unchanged        | Performance test passes   |
+
+**Definition of Done**: Consensus rounds fully traceable, no impact on consensus timing.
+
+### 6.11.5 Phase 5: Production Deployment
+
+| Criterion    | Measurement                  | Target                     |
+| ------------ | ---------------------------- | -------------------------- |
+| Collector HA | Multiple collectors deployed | No single point of failure |
+| Sampling     | Tail sampling configured     | 10% base + errors + slow   |
+| Retention    | Data retained per policy     | 7 days hot, 30 days warm   |
+| Alerting     | Alerts configured            | Error spike, high latency  |
+| Runbook      | Operator documentation       | Approved by ops team       |
+| Training     | Team trained                 | Session completed          |
+
+**Definition of Done**: Telemetry running in production, operators trained, alerts active.
+
+### 6.11.6 Success Metrics Summary
+
+| Phase   | Primary Metric         | Secondary Metric            | Deadline      |
+| ------- | ---------------------- | --------------------------- | ------------- |
+| Phase 1 | SDK compiles and runs  | Zero overhead when disabled | End of Week 2 |
+| Phase 2 | 100% RPC coverage      | <1ms latency overhead       | End of Week 4 |
+| Phase 3 | Cross-node traces work | <5% throughput impact       | End of Week 6 |
+| Phase 4 | Consensus fully traced | No consensus timing impact  | End of Week 8 |
+| Phase 5 | Production deployment  | Operators trained           | End of Week 9 |
+
+---
+
+## 6.12 Recommended Implementation Order
+
+Based on ROI analysis, implement in this exact order:
+
+```mermaid
+flowchart TB
+    subgraph week1["Week 1"]
+        t1[1. OpenTelemetry SDK<br/>Conan/CMake integration]
+        t2[2. Telemetry interface<br/>SpanGuard, config]
+    end
+
+    subgraph week2["Week 2"]
+        t3[3. RPC ServerHandler<br/>instrumentation]
+        t4[4. Basic Tempo setup<br/>for testing]
+    end
+
+    subgraph week3["Week 3"]
+        t5[5. Transaction submit<br/>tracing]
+        t6[6. Grafana dashboard<br/>v1]
+    end
+
+    subgraph week4["Week 4"]
+        t7[7. Protobuf context<br/>extension]
+        t8[8. PeerImp tx.relay<br/>instrumentation]
+    end
+
+    subgraph week5["Week 5"]
+        t9[9. Multi-node<br/>integration tests]
+        t10[10. Performance<br/>benchmarks]
+    end
+
+    subgraph week6_8["Weeks 6-8"]
+        t11[11. Consensus<br/>instrumentation]
+        t12[12. Full integration<br/>testing]
+    end
+
+    subgraph week9["Week 9"]
+        t13[13. Production<br/>deployment]
+        t14[14. Documentation<br/>& training]
+    end
+
+    t1 --> t2 --> t3 --> t4
+    t4 --> t5 --> t6
+    t6 --> t7 --> t8
+    t8 --> t9 --> t10
+    t10 --> t11 --> t12
+    t12 --> t13 --> t14
+
+    style week1 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style week2 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style week3 fill:#bf360c,stroke:#8c2809,color:#fff
+    style week4 fill:#bf360c,stroke:#8c2809,color:#fff
+    style week5 fill:#bf360c,stroke:#8c2809,color:#fff
+    style week6_8 fill:#0d47a1,stroke:#082f6a,color:#fff
+    style week9 fill:#4a148c,stroke:#2e0d57,color:#fff
+    style t1 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style t2 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style t3 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style t4 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style t5 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style t6 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style t7 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style t8 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style t9 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style t10 fill:#ffe0b2,stroke:#ffcc80,color:#1e293b
+    style t11 fill:#0d47a1,stroke:#082f6a,color:#fff
+    style t12 fill:#0d47a1,stroke:#082f6a,color:#fff
+    style t13 fill:#4a148c,stroke:#2e0d57,color:#fff
+    style t14 fill:#4a148c,stroke:#2e0d57,color:#fff
+```
+
+**Reading the diagram:**
+
+- **Week 1 (tasks 1-2)**: Foundation work -- integrate the OpenTelemetry SDK via Conan/CMake and build the `Telemetry` interface with `SpanGuard` and config parsing.
+- **Week 2 (tasks 3-4)**: First observable output -- instrument `ServerHandler` for RPC tracing and stand up Tempo so developers can see traces immediately.
+- **Weeks 3-5 (tasks 5-10)**: Transaction lifecycle -- add submit tracing, build the first Grafana dashboard, extend protobuf for cross-node context, instrument `PeerImp` relay, then validate with multi-node integration tests and performance benchmarks.
+- **Weeks 6-8 (tasks 11-12)**: Consensus deep-dive -- instrument consensus rounds and phases, then run full integration testing across all instrumented paths.
+- **Week 9 (tasks 13-14)**: Go-live -- deploy to production with sampling/alerting configured, and deliver documentation and operator training.
+- **Arrow chain (t1 → ... → t14)**: Strict sequential dependency; each task's output is a prerequisite for the next.
+
+---
+
+_Previous: [Configuration Reference](./05-configuration-reference.md)_ | _Next: [Observability Backends](./07-observability-backends.md)_ | _Back to: [Overview](./OpenTelemetryPlan.md)_

OpenTelemetryPlan/07-observability-backends.md

@@ -0,0 +1,404 @@
+# Observability Backend Recommendations
+
+> **Parent Document**: [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)
+> **Related**: [Implementation Phases](./06-implementation-phases.md) | [Appendix](./08-appendix.md)
+
+---
+
+## 7.1 Development/Testing Backends
+
+> **OTLP** = OpenTelemetry Protocol
+
+| Backend    | Pros                                | Cons                   | Use Case            |
+| ---------- | ----------------------------------- | ---------------------- | ------------------- |
+| **Tempo**  | Cost-effective, Grafana integration | Requires Grafana stack | Local dev, CI, Prod |
+| **Zipkin** | Simple, lightweight                 | Basic features         | Quick prototyping   |
+
+### Quick Start with Tempo
+
+```bash
+# Start Tempo with OTLP support
+docker run -d --name tempo \
+    -p 3200:3200 \
+    -p 4317:4317 \
+    -p 4318:4318 \
+    grafana/tempo:2.6.1
+```
+
+---
+
+## 7.2 Production Backends
+
+> **APM** = Application Performance Monitoring
+
+| Backend           | Pros                                      | Cons                   | Use Case                    |
+| ----------------- | ----------------------------------------- | ---------------------- | --------------------------- |
+| **Grafana Tempo** | Cost-effective, Grafana integration       | Requires Grafana stack | Most production deployments |
+| **Elastic APM**   | Full observability stack, log correlation | Resource intensive     | Existing Elastic users      |
+| **Honeycomb**     | Excellent query, high cardinality         | SaaS cost              | Deep debugging needs        |
+| **Datadog APM**   | Full platform, easy setup                 | SaaS cost              | Enterprise with budget      |
+
+### Backend Selection Flowchart
+
+```mermaid
+flowchart TD
+    start[Select Backend] --> budget{Budget<br/>Constraints?}
+
+    budget -->|Yes| oss[Open Source]
+    budget -->|No| saas{Prefer<br/>SaaS?}
+
+    oss --> existing{Existing<br/>Stack?}
+    existing -->|Grafana| tempo[Grafana Tempo]
+    existing -->|Elastic| elastic[Elastic APM]
+    existing -->|None| tempo
+
+    saas -->|Yes| enterprise{Enterprise<br/>Support?}
+    saas -->|No| oss
+
+    enterprise -->|Yes| datadog[Datadog APM]
+    enterprise -->|No| honeycomb[Honeycomb]
+
+    tempo --> final[Configure Collector]
+    elastic --> final
+    honeycomb --> final
+    datadog --> final
+
+    style start fill:#0f172a,stroke:#020617,color:#fff
+    style budget fill:#334155,stroke:#1e293b,color:#fff
+    style oss fill:#1e293b,stroke:#0f172a,color:#fff
+    style existing fill:#334155,stroke:#1e293b,color:#fff
+    style saas fill:#334155,stroke:#1e293b,color:#fff
+    style enterprise fill:#334155,stroke:#1e293b,color:#fff
+    style final fill:#0f172a,stroke:#020617,color:#fff
+    style tempo fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style elastic fill:#bf360c,stroke:#8c2809,color:#fff
+    style honeycomb fill:#0d47a1,stroke:#082f6a,color:#fff
+    style datadog fill:#4a148c,stroke:#2e0d57,color:#fff
+```
+
+**Reading the diagram:**
+
+- **Budget Constraints? (Yes)**: Leads to open-source options. If you already run Grafana or Elastic, pick the matching backend; otherwise default to Grafana Tempo.
+- **Budget Constraints? (No) → Prefer SaaS?**: If you want a managed service, choose between Datadog (enterprise support) and Honeycomb (developer-focused). If not, fall back to open-source.
+- **Terminal nodes (Tempo / Elastic / Honeycomb / Datadog)**: Each represents a concrete backend choice, all of which feed into the same final step.
+- **Configure Collector**: Regardless of backend, you always finish by configuring the OTel Collector to export to your chosen destination.
+
+---
+
+## 7.3 Recommended Production Architecture
+
+> **OTLP** = OpenTelemetry Protocol | **APM** = Application Performance Monitoring | **HA** = High Availability
+
+```mermaid
+flowchart TB
+    subgraph validators["Validator Nodes"]
+        v1[xrpld<br/>Validator 1]
+        v2[xrpld<br/>Validator 2]
+    end
+
+    subgraph stock["Stock Nodes"]
+        s1[xrpld<br/>Stock 1]
+        s2[xrpld<br/>Stock 2]
+    end
+
+    subgraph collector["OTel Collector Cluster"]
+        c1[Collector<br/>DC1]
+        c2[Collector<br/>DC2]
+    end
+
+    subgraph backends["Storage Backends"]
+        tempo[(Grafana<br/>Tempo)]
+        elastic[(Elastic<br/>APM)]
+        archive[(S3/GCS<br/>Archive)]
+    end
+
+    subgraph ui["Visualization"]
+        grafana[Grafana<br/>Dashboards]
+    end
+
+    v1 -->|OTLP| c1
+    v2 -->|OTLP| c1
+    s1 -->|OTLP| c2
+    s2 -->|OTLP| c2
+
+    c1 --> tempo
+    c1 --> elastic
+    c2 --> tempo
+    c2 --> archive
+
+    tempo --> grafana
+    elastic --> grafana
+
+    %% Note: simplified single-collector-per-DC topology shown for clarity
+
+    style validators fill:#b71c1c,stroke:#7f1d1d,color:#ffffff
+    style stock fill:#0d47a1,stroke:#082f6a,color:#ffffff
+    style collector fill:#bf360c,stroke:#8c2809,color:#ffffff
+    style backends fill:#1b5e20,stroke:#0d3d14,color:#ffffff
+    style ui fill:#4a148c,stroke:#2e0d57,color:#ffffff
+```
+
+**Reading the diagram:**
+
+- **Validator / Stock Nodes**: All xrpld nodes emit trace data via OTLP. Validators and stock nodes are grouped separately because they may reside in different network zones.
+- **Collector Cluster (DC1, DC2)**: Regional collectors receive OTLP from nodes in their datacenter, apply processing (sampling, enrichment), and fan out to multiple backends.
+- **Storage Backends**: Tempo and Elastic provide queryable trace storage; S3/GCS Archive provides long-term cold storage for compliance or post-incident analysis.
+- **Grafana Dashboards**: The single visualization layer that queries both Tempo and Elastic, giving operators a unified view of all traces.
+- **Data flow direction**: Nodes → Collectors → Storage → Grafana. Each arrow represents a network hop; minimizing collector-to-backend hops reduces latency.
+
+> **Note**: Production deployments should use multiple collector instances behind a load balancer for high availability. The diagram shows a simplified single-collector topology for clarity.
+
+---
+
+## 7.4 Architecture Considerations
+
+### 7.4.1 Collector Placement
+
+| Strategy      | Description          | Pros                     | Cons                    |
+| ------------- | -------------------- | ------------------------ | ----------------------- |
+| **Sidecar**   | Collector per node   | Isolation, simple config | Resource overhead       |
+| **DaemonSet** | Collector per host   | Shared resources         | Complexity              |
+| **Gateway**   | Central collector(s) | Centralized processing   | Single point of failure |
+
+**Recommendation**: Use **Gateway** pattern with regional collectors for xrpld networks:
+
+- One collector cluster per datacenter/region
+- Tail-based sampling at collector level
+- Multiple export destinations for redundancy
+
+### 7.4.2 Sampling Strategy
+
+```mermaid
+flowchart LR
+    subgraph head["Head Sampling (Node)"]
+        hs[Node-level head sampling<br/>fixed at 100%<br/>not configurable]
+    end
+
+    subgraph tail["Tail Sampling (Collector)"]
+        ts1[Keep all errors]
+        ts2[Keep slow >5s]
+        ts3[Keep 10% rest]
+    end
+
+    head --> tail
+
+    ts1 --> final[Final Traces]
+    ts2 --> final
+    ts3 --> final
+
+    style head fill:#0d47a1,stroke:#082f6a,color:#fff
+    style tail fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style hs fill:#0d47a1,stroke:#082f6a,color:#fff
+    style ts1 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style ts2 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style ts3 fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style final fill:#bf360c,stroke:#8c2809,color:#fff
+```
+
+**Reading the diagram:**
+
+- **Head Sampling (Node)**: xrpld pins head sampling at 100% (sample everything) and does not expose a configurable ratio. This is intentional: a per-node ratio would let different nodes make divergent keep/drop decisions for the same distributed trace, producing broken/partial traces. xrpld uses a `ParentBased` sampler so spans inheriting a remote parent honor the upstream decision. Volume reduction is delegated to the collector's tail sampling.
+- **Tail Sampling (Collector)**: The second filter -- the collector inspects completed traces and applies rules: keep all errors, keep anything slower than 5 seconds, and keep 10% of the remainder.
+- **Arrow head → tail**: All head-sampled traces flow to the collector, where tail sampling further reduces volume while preserving the most valuable data.
+- **Final Traces**: The output after both sampling stages; this is what gets stored and queried. The two-stage approach balances cost with debuggability.
+
+### 7.4.3 Data Retention
+
+| Environment | Hot Storage | Warm Storage | Cold Archive |
+| ----------- | ----------- | ------------ | ------------ |
+| Development | 24 hours    | N/A          | N/A          |
+| Staging     | 7 days      | N/A          | N/A          |
+| Production  | 7 days      | 30 days      | many years   |
+
+---
+
+## 7.5 Integration Checklist
+
+- [ ] Choose primary backend (Tempo recommended for cost/features)
+- [ ] Deploy collector cluster with high availability
+- [ ] Configure tail-based sampling for error/latency traces
+- [ ] Set up Grafana dashboards for trace visualization
+- [ ] Configure alerts for trace anomalies
+- [ ] Establish data retention policies
+- [ ] Test trace correlation with logs and metrics
+
+---
+
+## 7.6 Grafana Dashboard Examples
+
+Pre-built dashboards for xrpld observability.
+
+### 7.6.1 Consensus Health Dashboard
+
+A Tempo-backed dashboard (uid `xrpld-consensus-health`) with four panels, all driven by TraceQL:
+
+- **Consensus Round Duration** (timeseries, ms): average `consensus.round` span duration per node instance, with yellow/red thresholds at 4s/5s.
+- **Phase Duration Breakdown** (barchart): average duration of `consensus.phase.*` spans grouped by span name.
+- **Proposers per Round** (stat): average of the `span.proposers` attribute on `consensus.round` spans.
+- **Recent Slow Rounds (>5s)** (table): `consensus.round` spans filtered to `duration > 5s`.
+
+The underlying TraceQL queries are listed in section 7.7.3 and used throughout this doc.
+
+### 7.6.2 Node Overview Dashboard
+
+A Tempo-backed dashboard (uid `xrpld-node-overview`) with four panels:
+
+- **Active Nodes** (stat): count of distinct `resource.service.instance.id` values seen for the `xrpld` service.
+- **Total Transactions (1h)** (stat): count of `tx.receive` spans.
+- **Error Rate** (gauge, percent): ratio of `status.code=error` spans to all spans, with yellow/red thresholds at 1%/5%.
+- **Service Map** (nodeGraph): Tempo-generated service dependency graph.
+
+### 7.6.3 Alert Rules
+
+Grafana provisions three TraceQL-based alert rules (group `xrpld-tracing-alerts`, evaluated every 1m) against the Tempo datasource:
+
+- **Consensus Round Slow** (warning, `for: 5m`): fires when average `consensus.round` duration exceeds 5s.
+
+  ```
+  {resource.service.name="xrpld" && name="consensus.round"} | avg(duration) > 5s
+  ```
+
+- **RPC Error Rate Spike** (critical, `for: 2m`): fires when the error rate across `rpc.command.*` spans exceeds 5%.
+
+  ```
+  {resource.service.name="xrpld" && name=~"rpc.command.*" && status.code=error} | rate() > 0.05
+  ```
+
+- **Transaction Throughput Drop** (warning, `for: 10m`): fires when the `tx.receive` span rate falls below 10/s.
+
+  ```
+  {resource.service.name="xrpld" && name="tx.receive"} | rate() < 10
+  ```
+
+> **Note**: The first two rules use TraceQL aggregates (`avg(duration)`, `rate()`), which require Tempo 2.3+ with TraceQL metrics enabled. Verify aggregate query support in your Tempo version before provisioning.
+
+---
+
+## 7.7 PerfLog and Insight Correlation
+
+> **OTLP** = OpenTelemetry Protocol
+
+How to correlate OpenTelemetry traces with existing xrpld observability.
+
+### 7.7.1 Correlation Architecture
+
+```mermaid
+flowchart TB
+    subgraph xrpld["xrpld Node"]
+        otel[OpenTelemetry<br/>Spans]
+        perflog[PerfLog<br/>JSON Logs]
+        insight[Beast Insight<br/>StatsD Metrics]
+    end
+
+    subgraph collectors["Data Collection"]
+        otelc[OTel Collector]
+        promtail[Promtail/Fluentd]
+        statsd[StatsD Exporter]
+    end
+
+    subgraph storage["Storage"]
+        tempo[(Tempo)]
+        loki[(Loki)]
+        prom[(Prometheus)]
+    end
+
+    subgraph grafana["Grafana"]
+        traces[Trace View]
+        logs[Log View]
+        metrics[Metrics View]
+        corr[Correlation<br/>Panel]
+    end
+
+    otel -->|OTLP| otelc --> tempo
+    perflog -->|JSON| promtail --> loki
+    insight -->|StatsD| statsd --> prom
+
+    tempo --> traces
+    loki --> logs
+    prom --> metrics
+
+    traces --> corr
+    logs --> corr
+    metrics --> corr
+
+    style xrpld fill:#0d47a1,stroke:#082f6a,color:#fff
+    style collectors fill:#bf360c,stroke:#8c2809,color:#fff
+    style storage fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style grafana fill:#4a148c,stroke:#2e0d57,color:#fff
+    style otel fill:#0d47a1,stroke:#082f6a,color:#fff
+    style perflog fill:#0d47a1,stroke:#082f6a,color:#fff
+    style insight fill:#0d47a1,stroke:#082f6a,color:#fff
+    style otelc fill:#bf360c,stroke:#8c2809,color:#fff
+    style promtail fill:#bf360c,stroke:#8c2809,color:#fff
+    style statsd fill:#bf360c,stroke:#8c2809,color:#fff
+    style tempo fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style loki fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style prom fill:#1b5e20,stroke:#0d3d14,color:#fff
+    style traces fill:#4a148c,stroke:#2e0d57,color:#fff
+    style logs fill:#4a148c,stroke:#2e0d57,color:#fff
+    style metrics fill:#4a148c,stroke:#2e0d57,color:#fff
+    style corr fill:#4a148c,stroke:#2e0d57,color:#fff
+```
+
+**Reading the diagram:**
+
+- **xrpld Node (three sources)**: A single node emits three independent data streams -- OpenTelemetry spans, PerfLog JSON logs, and Beast Insight StatsD metrics.
+- **Data Collection layer**: Each stream has its own collector -- OTel Collector for spans, Promtail/Fluentd for logs, and a StatsD exporter for metrics. They operate independently.
+- **Storage layer (Tempo, Loki, Prometheus)**: Each data type lands in a purpose-built store optimized for its query patterns (trace search, log grep, metric aggregation).
+- **Grafana Correlation Panel**: The key integration point -- Grafana queries all three stores and links them via shared fields (`trace_id`, `tx_hash`, `ledger_seq`), enabling a single-pane debugging experience.
+
+### 7.7.2 Correlation Fields
+
+| Source      | Field               | Link To       | Purpose                    |
+| ----------- | ------------------- | ------------- | -------------------------- |
+| **Trace**   | `trace_id`          | Logs          | Find log entries for trace |
+| **Trace**   | `tx_hash`           | Logs, Metrics | Find TX-related data       |
+| **Trace**   | `ledger_seq`        | Logs          | Find ledger-related logs   |
+| **PerfLog** | `trace_id` (new)    | Traces        | Jump to trace from log     |
+| **PerfLog** | `ledger_seq`        | Traces        | Find consensus trace       |
+| **Insight** | `exemplar.trace_id` | Traces        | Jump from metric spike     |
+
+### 7.7.3 Example: Debugging a Slow Transaction
+
+**Step 1: Find the trace**
+
+```
+# In Grafana Explore with Tempo
+{resource.service.name="xrpld" && span.tx_hash="ABC123..."}
+```
+
+**Step 2: Get the trace_id from the trace view**
+
+```
+Trace ID: 4bf92f3577b34da6a3ce929d0e0e4736
+```
+
+**Step 3: Find related PerfLog entries**
+
+```
+# In Grafana Explore with Loki
+{job="xrpld"} |= "4bf92f3577b34da6a3ce929d0e0e4736"
+```
+
+**Step 4: Check Insight metrics for the time window**
+
+```
+# In Grafana with Prometheus
+rate(xrpld_tx_applied_total[1m])
+  @ timestamp_from_trace
+```
+
+### 7.7.4 Unified Dashboard Example
+
+A single dashboard (uid `xrpld-unified`) that ties traces, metrics, and logs together across the Tempo, Prometheus, and Loki datasources:
+
+- **Transaction Latency (Traces)** (timeseries, Tempo): `histogram_over_time(duration)` of `tx.receive` spans.
+- **Transaction Rate (Metrics)** (timeseries, Prometheus): `rate(xrpld_tx_received_total[5m])` per instance, with a data link that opens the matching `tx.receive` traces in Tempo.
+- **Recent Logs** (logs, Loki): `{job="xrpld"} | json`.
+- **Trace Search** (table, Tempo): all `xrpld` traces, with per-row data links on `traceID` that jump to the trace in Tempo and to the correlated logs in Loki (`{job="xrpld"} |= "<traceID>"`).
+
+The cross-datasource data links are what make this a single-pane debugging view; the correlation fields they rely on are listed in section 7.7.2.
+
+---
+
+_Previous: [Implementation Phases](./06-implementation-phases.md)_ | _Next: [Appendix](./08-appendix.md)_ | _Back to: [Overview](./OpenTelemetryPlan.md)_

OpenTelemetryPlan/08-appendix.md

@@ -0,0 +1,200 @@
+# Appendix
+
+> **Parent Document**: [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)
+> **Related**: [Observability Backends](./07-observability-backends.md)
+
+---
+
+## 8.1 Glossary
+
+> **OTLP** = OpenTelemetry Protocol | **TxQ** = Transaction Queue
+
+| Term                  | Definition                                                 |
+| --------------------- | ---------------------------------------------------------- |
+| **Span**              | A unit of work with start/end time, name, and attributes   |
+| **Trace**             | A collection of spans representing a complete request flow |
+| **Trace ID**          | 128-bit unique identifier for a trace                      |
+| **Span ID**           | 64-bit unique identifier for a span within a trace         |
+| **Context**           | Carrier for trace/span IDs across boundaries               |
+| **Propagator**        | Component that injects/extracts context                    |
+| **Sampler**           | Decides which traces to record                             |
+| **Exporter**          | Sends spans to backend                                     |
+| **Collector**         | Receives, processes, and forwards telemetry                |
+| **OTLP**              | OpenTelemetry Protocol (wire format)                       |
+| **W3C Trace Context** | Standard HTTP headers for trace propagation                |
+| **Baggage**           | Key-value pairs propagated across service boundaries       |
+| **Resource**          | Entity producing telemetry (service, host, etc.)           |
+| **Instrumentation**   | Code that creates telemetry data                           |
+
+### xrpld-Specific Terms
+
+| Term              | Definition                                                    |
+| ----------------- | ------------------------------------------------------------- |
+| **Overlay**       | P2P network layer managing peer connections                   |
+| **Consensus**     | XRP Ledger consensus algorithm (RCL)                          |
+| **Proposal**      | Validator's suggested transaction set for a ledger            |
+| **Validation**    | Validator's signature on a closed ledger                      |
+| **HashRouter**    | Component for transaction deduplication                       |
+| **JobQueue**      | Thread pool for asynchronous task execution                   |
+| **PerfLog**       | Existing performance logging system in xrpld                  |
+| **Beast Insight** | Existing metrics framework in xrpld                           |
+| **PathFinding**   | Payment path computation engine for cross-currency payments   |
+| **TxQ**           | Transaction queue managing fee-based prioritization           |
+| **LoadManager**   | Dynamic fee escalation based on network load                  |
+| **SHAMap**        | SHA-256 hash-based map (Merkle trie variant) for ledger state |
+
+---
+
+## 8.2 Span Hierarchy Visualization
+
+> **TxQ** = Transaction Queue
+
+```mermaid
+flowchart TB
+    subgraph trace["Trace: Transaction Lifecycle"]
+        rpc["rpc.request<br/>(entry point)"]
+        validate["tx.validate"]
+        relay["tx.relay<br/>(parent span)"]
+
+        subgraph peers["Peer Spans"]
+            p1["peer.send<br/>Peer A"]
+            p2["peer.send<br/>Peer B"]
+            p3["peer.send<br/>Peer C"]
+        end
+
+        subgraph pathfinding["PathFinding Spans"]
+            pathfind["pathfind.request"]
+            pathcomp["pathfind.compute"]
+        end
+
+        consensus["consensus.round"]
+        apply["tx.apply"]
+
+        subgraph txqueue["TxQ Spans"]
+            txq["txq.enqueue"]
+            txqApply["txq.apply"]
+        end
+
+        feeCalc["fee.escalate"]
+    end
+
+    subgraph validators["Validator Spans"]
+        valFetch["validator.list.fetch"]
+        valManifest["validator.manifest"]
+    end
+
+    rpc --> validate
+    rpc --> pathfind
+    pathfind --> pathcomp
+    validate --> relay
+    relay --> p1
+    relay --> p2
+    relay --> p3
+    p1 -.->|"context propagation"| consensus
+    consensus --> apply
+    apply --> txq
+    txq --> txqApply
+    txq --> feeCalc
+
+    style trace fill:#0f172a,stroke:#020617,color:#fff
+    style peers fill:#1e3a8a,stroke:#172554,color:#fff
+    style pathfinding fill:#134e4a,stroke:#0f766e,color:#fff
+    style txqueue fill:#064e3b,stroke:#047857,color:#fff
+    style validators fill:#4c1d95,stroke:#6d28d9,color:#fff
+    style rpc fill:#1d4ed8,stroke:#1e40af,color:#fff
+    style validate fill:#047857,stroke:#064e3b,color:#fff
+    style relay fill:#047857,stroke:#064e3b,color:#fff
+    style p1 fill:#0e7490,stroke:#155e75,color:#fff
+    style p2 fill:#0e7490,stroke:#155e75,color:#fff
+    style p3 fill:#0e7490,stroke:#155e75,color:#fff
+    style consensus fill:#fef3c7,stroke:#fde68a,color:#1e293b
+    style apply fill:#047857,stroke:#064e3b,color:#fff
+    style pathfind fill:#0e7490,stroke:#155e75,color:#fff
+    style pathcomp fill:#0e7490,stroke:#155e75,color:#fff
+    style txq fill:#047857,stroke:#064e3b,color:#fff
+    style txqApply fill:#047857,stroke:#064e3b,color:#fff
+    style feeCalc fill:#047857,stroke:#064e3b,color:#fff
+    style valFetch fill:#6d28d9,stroke:#4c1d95,color:#fff
+    style valManifest fill:#6d28d9,stroke:#4c1d95,color:#fff
+```
+
+**Reading the diagram:**
+
+- **rpc.request (blue, top)**: The entry point — every traced transaction starts as an RPC call; this root span is the parent of all downstream work.
+- **tx.validate and pathfind.request (green/teal, first fork)**: The RPC request fans out into transaction validation and, for cross-currency payments, a PathFinding branch (`pathfind.request` -> `pathfind.compute`).
+- **tx.relay -> Peer Spans (teal, middle)**: After validation, the transaction is relayed to peers A, B, and C in parallel; each `peer.send` is a sibling child span showing fan-out across the network.
+- **context propagation (dashed arrow)**: The dotted line from `peer.send Peer A` to `consensus.round` represents the trace context crossing a node boundary — the receiving validator picks up the same `trace_id` and continues the trace.
+- **consensus.round -> tx.apply -> TxQ Spans (green, lower)**: Once consensus accepts the transaction, it is applied to the ledger; the TxQ spans (`txq.enqueue`, `txq.apply`, `fee.escalate`) capture queue depth and fee escalation behavior.
+- **Validator Spans (purple, detached)**: `validator.list.fetch` and `validator.manifest` are independent workflows for UNL management — they run on their own traces and are linked to consensus via Span Links, not parent-child relationships.
+
+---
+
+## 8.3 References
+
+> **OTLP** = OpenTelemetry Protocol
+
+### OpenTelemetry Resources
+
+1. [OpenTelemetry C++ SDK](https://github.com/open-telemetry/opentelemetry-cpp)
+2. [OpenTelemetry Specification](https://opentelemetry.io/docs/specs/otel/)
+3. [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/)
+4. [OTLP Protocol Specification](https://opentelemetry.io/docs/specs/otlp/)
+
+### Standards
+
+5. [W3C Trace Context](https://www.w3.org/TR/trace-context/)
+6. [W3C Baggage](https://www.w3.org/TR/baggage/)
+7. [Protocol Buffers](https://protobuf.dev/)
+
+### xrpld Resources
+
+8. [xrpld Source Code](https://github.com/XRPLF/rippled)
+9. [XRP Ledger Documentation](https://xrpl.org/docs/)
+10. [xrpld Overlay README](https://github.com/XRPLF/rippled/blob/develop/src/xrpld/overlay/README.md)
+11. [xrpld RPC README](https://github.com/XRPLF/rippled/blob/develop/src/xrpld/rpc/README.md)
+12. [xrpld Consensus README](https://github.com/XRPLF/rippled/blob/develop/src/xrpld/app/consensus/README.md)
+
+---
+
+## 8.4 Version History
+
+| Version | Date       | Author | Changes                                                        |
+| ------- | ---------- | ------ | -------------------------------------------------------------- |
+| 1.0     | 2026-02-12 | -      | Initial implementation plan                                    |
+| 1.1     | 2026-02-13 | -      | Refactored into modular documents                              |
+| 1.2     | 2026-03-24 | -      | Review fixes: accuracy corrections, cross-document consistency |
+
+---
+
+## 8.5 Document Index
+
+### Plan Documents
+
+| Document                                                             | Description                                        |
+| -------------------------------------------------------------------- | -------------------------------------------------- |
+| [OpenTelemetryPlan.md](./OpenTelemetryPlan.md)                       | Master overview and executive summary              |
+| [00-tracing-fundamentals.md](./00-tracing-fundamentals.md)           | Distributed tracing concepts and OTel primer       |
+| [01-architecture-analysis.md](./01-architecture-analysis.md)         | xrpld architecture and trace points                |
+| [02-design-decisions.md](./02-design-decisions.md)                   | SDK selection, exporters, span conventions         |
+| [03-implementation-strategy.md](./03-implementation-strategy.md)     | Directory structure, performance analysis          |
+| [05-configuration-reference.md](./05-configuration-reference.md)     | xrpld config, CMake, Collector configs             |
+| [06-implementation-phases.md](./06-implementation-phases.md)         | Timeline, tasks, risks, success metrics            |
+| [07-observability-backends.md](./07-observability-backends.md)       | Backend selection and architecture                 |
+| [08-appendix.md](./08-appendix.md)                                   | Glossary, references, version history              |
+| [secure-OTel.md](./secure-OTel.md)                                   | Threat model and hardening (mTLS, peer validation) |
+| [09-data-collection-reference.md](./09-data-collection-reference.md) | Span/metric/dashboard inventory                    |
+
+### Task Lists
+
+| Document                                                                   | Description                                         |
+| -------------------------------------------------------------------------- | --------------------------------------------------- |
+| [Phase2_taskList.md](./Phase2_taskList.md)                                 | RPC layer trace instrumentation                     |
+| [Phase3_taskList.md](./Phase3_taskList.md)                                 | Peer overlay & consensus tracing                    |
+| [Phase4_taskList.md](./Phase4_taskList.md)                                 | Transaction lifecycle tracing                       |
+| [Phase5_taskList.md](./Phase5_taskList.md)                                 | Ledger processing & advanced tracing                |
+| [Phase5_IntegrationTest_taskList.md](./Phase5_IntegrationTest_taskList.md) | Observability stack integration tests               |
+| [presentation.md](./presentation.md)                                       | Presentation slides for OpenTelemetry plan overview |
+
+---
+
+_Previous: [Observability Backends](./07-observability-backends.md)_ | _Back to: [Overview](./OpenTelemetryPlan.md)_

OpenTelemetryPlan/09-data-collection-reference.md

@@ -0,0 +1,775 @@
+# Observability Data Collection Reference
+
+> **Audience**: Developers and operators. This is the single source of truth for all telemetry data collected by xrpld's observability stack.
+>
+> **Related docs**: [docs/telemetry-runbook.md](../docs/telemetry-runbook.md) (operator runbook with alerting and troubleshooting) | [03-implementation-strategy.md](./03-implementation-strategy.md) (code structure and performance optimization) | [04-code-samples.md](./04-code-samples.md) (C++ instrumentation examples)
+
+## Data Flow Overview
+
+```mermaid
+graph LR
+    subgraph xrpldNode["xrpld Node"]
+        A["Trace Macros<br/>XRPL_TRACE_SPAN<br/>(OTLP/HTTP exporter)"]
+        B["beast::insight<br/>StatsD metrics<br/>(UDP sender)"]
+    end
+
+    subgraph collector["OTel Collector  :4317 / :4318 / :8125"]
+        direction TB
+        R1["OTLP Receiver<br/>:4317 gRPC  |  :4318 HTTP"]
+        R2["StatsD Receiver<br/>:8125 UDP"]
+        BP["Batch Processor<br/>timeout 1s, batch 100"]
+        SM["SpanMetrics Connector<br/>derives RED metrics<br/>from trace spans"]
+
+        R1 --> BP
+        BP --> SM
+    end
+
+    subgraph backends["Trace Backend"]
+        D["Grafana Tempo  :3200<br/>TraceQL search &<br/>S3/GCS long-term storage"]
+    end
+
+    subgraph metrics["Metrics Stack"]
+        E["Prometheus  :9090<br/>scrapes :8889<br/>span-derived + StatsD metrics"]
+    end
+
+    subgraph viz["Visualization"]
+        F["Grafana  :3000<br/>10 dashboards"]
+    end
+
+    A -->|"OTLP/HTTP :4318<br/>(traces + attributes)"| R1
+    B -->|"UDP :8125<br/>(gauges, counters, timers)"| R2
+
+    BP -->|"OTLP/gRPC :4317"| D
+
+    SM -->|"span_calls_total<br/>span_duration_ms<br/>(6 dimension labels)"| E
+    R2 -->|"xrpld_* gauges<br/>xrpld_* counters<br/>xrpld_* summaries"| E
+
+    E -->|"Prometheus<br/>data source"| F
+    D -->|"Tempo<br/>data source"| F
+
+    style A fill:#4a90d9,color:#fff,stroke:#2a6db5
+    style B fill:#d9534f,color:#fff,stroke:#b52d2d
+    style R1 fill:#5cb85c,color:#fff,stroke:#3d8b3d
+    style R2 fill:#5cb85c,color:#fff,stroke:#3d8b3d
+    style BP fill:#449d44,color:#fff,stroke:#2d6e2d
+    style SM fill:#449d44,color:#fff,stroke:#2d6e2d
+    style D fill:#f0ad4e,color:#000,stroke:#c78c2e
+    style E fill:#f0ad4e,color:#000,stroke:#c78c2e
+    style F fill:#5bc0de,color:#000,stroke:#3aa8c1
+    style xrpldNode fill:#1a2633,color:#ccc,stroke:#4a90d9
+    style collector fill:#1a3320,color:#ccc,stroke:#5cb85c
+    style backends fill:#332a1a,color:#ccc,stroke:#f0ad4e
+    style metrics fill:#332a1a,color:#ccc,stroke:#f0ad4e
+    style viz fill:#1a2d33,color:#ccc,stroke:#5bc0de
+```
+
+There are two independent telemetry pipelines entering a single **OTel Collector**:
+
+1. **OpenTelemetry Traces** — Distributed spans with attributes, exported via OTLP/HTTP (:4318) to the collector's **OTLP Receiver**. The **Batch Processor** groups spans (1s timeout, batch size 100) before forwarding to trace backends. The **SpanMetrics Connector** derives RED metrics (rate, errors, duration) from every span and feeds them into the metrics pipeline.
+2. **beast::insight StatsD** — System-level gauges, counters, and timers emitted as StatsD UDP packets to port :8125, ingested by the collector's **StatsD Receiver**, and exported alongside span-derived metrics to Prometheus.
+
+**Trace backend** — The collector exports traces via OTLP/gRPC to:
+
+- **Grafana Tempo** — Preferred trace backend. Supports TraceQL queries at `:3200`, S3/GCS object storage for cost-effective long-term trace retention, and integrates natively with Grafana.
+
+> **Further reading**: [00-tracing-fundamentals.md](./00-tracing-fundamentals.md) for core OpenTelemetry concepts (traces, spans, context propagation, sampling). [07-observability-backends.md](./07-observability-backends.md) for production backend selection, collector placement, and sampling strategies.
+
+---
+
+## 1. OpenTelemetry Spans
+
+### 1.1 Complete Span Inventory (35 spans)
+
+> **See also**: [02-design-decisions.md §2.3](./02-design-decisions.md#23-span-naming-conventions) for naming conventions and the full span catalog with rationale. [04-code-samples.md §4.6](./04-code-samples.md#46-span-flow-visualization) for span flow diagrams.
+
+#### RPC Spans
+
+Controlled by `trace_rpc=1` in `[telemetry]` config.
+
+| Span Name            | Parent             | Source File       | Description                                                              |
+| -------------------- | ------------------ | ----------------- | ------------------------------------------------------------------------ |
+| `rpc.http_request`   | —                  | ServerHandler.cpp | Top-level HTTP RPC request entry point                                   |
+| `rpc.process`        | `rpc.http_request` | ServerHandler.cpp | RPC processing pipeline                                                  |
+| `rpc.ws_message`     | —                  | ServerHandler.cpp | WebSocket message handling                                               |
+| `rpc.ws_upgrade`     | —                  | ServerHandler.cpp | WebSocket upgrade handshake (error path)                                 |
+| `rpc.command.<name>` | `rpc.process`      | RPCHandler.cpp    | Per-command span (e.g., `rpc.command.server_info`, `rpc.command.ledger`) |
+
+**Where to find**: Tempo → TraceQL: `{resource.service.name="xrpld" && name=~"rpc.http_request|rpc.command.*"}`
+
+**Grafana dashboard**: _RPC Performance_ (`xrpld-rpc-perf`)
+
+#### Transaction Spans
+
+Controlled by `trace_transactions=1` in `[telemetry]` config.
+
+| Span Name       | Parent         | Source File     | Description                                                       |
+| --------------- | -------------- | --------------- | ----------------------------------------------------------------- |
+| `tx.process`    | —              | NetworkOPs.cpp  | Transaction submission entry point (local or peer-relayed)        |
+| `tx.receive`    | —              | PeerImp.cpp     | Raw transaction received from peer overlay (before deduplication) |
+| `tx.apply`      | `ledger.build` | BuildLedger.cpp | Transaction set applied to new ledger during consensus            |
+| `tx.preflight`  | —              | applySteps.cpp  | Stateless checks stage (`stage=preflight`)                        |
+| `tx.preclaim`   | —              | applySteps.cpp  | Ledger-aware checks stage before fee claim (`stage=preclaim`)     |
+| `tx.transactor` | —              | Transactor.cpp  | Apply stage — the transactor runs (`stage=apply`)                 |
+
+The three apply-pipeline spans share a deterministic `trace_id` derived from
+`txID[0:16]`, so preflight, preclaim, and transactor for one transaction group
+under a single trace even though they run sequentially and often on different
+threads. A transaction that hard-fails preflight or preclaim never reaches the
+later spans — the `stage` attribute identifies where it stopped.
+
+**Where to find**: Tempo → TraceQL: `{resource.service.name="xrpld" && name=~"tx.process|tx.receive"}`
+or, for the apply pipeline: `{resource.service.name="xrpld" && name=~"tx.preflight|tx.preclaim|tx.transactor"}`
+
+**Grafana dashboard**: _Transaction Overview_ (`xrpld-transactions`)
+
+#### PathFind Spans
+
+Controlled by `trace_rpc=1` in `[telemetry]` config (pathfinding spans fire within RPC request handling).
+
+| Span Name             | Parent             | Source File      | Description                                              |
+| --------------------- | ------------------ | ---------------- | -------------------------------------------------------- |
+| `pathfind.request`    | `rpc.command.*`    | PathRequests.cpp | RPC entry for path_find / ripple_path_find               |
+| `pathfind.compute`    | `pathfind.request` | PathRequest.cpp  | Single path computation (doUpdate)                       |
+| `pathfind.update_all` | —                  | PathRequests.cpp | Async recomputation of all active path requests on close |
+| `pathfind.discover`   | `pathfind.compute` | Pathfinder.cpp   | Graph exploration phase (Pathfinder::find)               |
+| `pathfind.rank`       | `pathfind.compute` | Pathfinder.cpp   | Path ranking and selection phase                         |
+
+**Where to find**: Tempo → TraceQL: `{resource.service.name="xrpld" && name=~"pathfind.*"}`
+
+**Grafana dashboard**: _RPC & Pathfinding (StatsD)_ (`xrpld-statsd-rpc`) for StatsD timers; span-derived metrics via _RPC Performance_ (`xrpld-rpc-perf`)
+
+#### TxQ Spans
+
+Controlled by `trace_transactions=1` in `[telemetry]` config.
+
+| Span Name          | Parent        | Source File | Description                                          |
+| ------------------ | ------------- | ----------- | ---------------------------------------------------- |
+| `txq.enqueue`      | `tx.process`  | TxQ.cpp     | Queue admission decision (apply/queue/reject)        |
+| `txq.apply_direct` | `txq.enqueue` | TxQ.cpp     | Direct application attempt (bypassing queue)         |
+| `txq.batch_clear`  | `txq.enqueue` | TxQ.cpp     | Batch clear of account's queued transactions         |
+| `txq.accept`       | —             | TxQ.cpp     | Ledger-close accept loop (drain queued transactions) |
+| `txq.accept.tx`    | `txq.accept`  | TxQ.cpp     | Per-transaction apply within accept loop             |
+| `txq.cleanup`      | —             | TxQ.cpp     | Post-close cleanup (expire old transactions)         |
+
+**Where to find**: Tempo → TraceQL: `{resource.service.name="xrpld" && name=~"txq.*"}`
+
+**Grafana dashboard**: _Transaction Overview_ (`xrpld-transactions`)
+
+#### gRPC Spans
+
+Controlled by `trace_rpc=1` in `[telemetry]` config.
+
+| Span Name      | Parent | Source File    | Description                                                                   |
+| -------------- | ------ | -------------- | ----------------------------------------------------------------------------- |
+| `grpc.request` | —      | GRPCServer.cpp | Single gRPC request (GetLedger, GetLedgerData, GetLedgerDiff, GetLedgerEntry) |
+
+**Where to find**: Tempo → TraceQL: `{resource.service.name="xrpld" && name="grpc.request"}`
+
+#### Consensus Spans
+
+Controlled by `trace_consensus=1` in `[telemetry]` config.
+
+| Span Name                    | Parent            | Source File      | Description                                           |
+| ---------------------------- | ----------------- | ---------------- | ----------------------------------------------------- |
+| `consensus.round`            | —                 | RCLConsensus.cpp | Top-level round span (deterministic trace ID)         |
+| `consensus.proposal.send`    | `consensus.round` | RCLConsensus.cpp | Node broadcasts its transaction set proposal          |
+| `consensus.ledger_close`     | `consensus.round` | RCLConsensus.cpp | Ledger close event triggered by consensus             |
+| `consensus.establish`        | `consensus.round` | Consensus.h      | Establish phase — convergence loop                    |
+| `consensus.update_positions` | `consensus.round` | Consensus.h      | Update positions during establish phase               |
+| `consensus.check`            | `consensus.round` | Consensus.h      | Check for consensus agreement                         |
+| `consensus.accept`           | `consensus.round` | RCLConsensus.cpp | Consensus accepts a ledger (round complete)           |
+| `consensus.accept.apply`     | `consensus.round` | RCLConsensus.cpp | Ledger application with close time details            |
+| `consensus.validation.send`  | `consensus.round` | RCLConsensus.cpp | Validation message sent after ledger accepted         |
+| `consensus.mode_change`      | `consensus.round` | RCLConsensus.cpp | Consensus mode transition (e.g., tracking->proposing) |
+
+> **Note**: `toDisplayString(ConsensusMode)` (in `ConsensusTypes.h`) provides Title Case display names for mode attribute values: `"Proposing"`, `"Observing"`, `"Wrong Ledger"`, `"Switched Ledger"`. This is separate from `to_string()` which returns stable log-format strings.
+
+**Where to find**: Tempo → TraceQL: `{resource.service.name="xrpld" && name=~"consensus.*"}`
+
+**Grafana dashboard**: _Consensus Health_ (`xrpld-consensus`)
+
+#### Ledger Spans
+
+Controlled by `trace_ledger=1` in `[telemetry]` config.
+
+| Span Name         | Parent | Source File      | Description                                    |
+| ----------------- | ------ | ---------------- | ---------------------------------------------- |
+| `ledger.build`    | —      | BuildLedger.cpp  | Build new ledger from accepted transaction set |
+| `ledger.validate` | —      | LedgerMaster.cpp | Ledger promoted to validated status            |
+| `ledger.store`    | —      | LedgerMaster.cpp | Ledger stored to database/history              |
+
+**Where to find**: Tempo → TraceQL: `{resource.service.name="xrpld" && name=~"ledger.*"}`
+
+**Grafana dashboard**: _Ledger Operations_ (`xrpld-ledger-ops`)
+
+#### Peer Spans
+
+Controlled by `trace_peer` in `[telemetry]` config. **Enabled by default** (high volume).
+
+| Span Name                 | Parent | Source File | Description                           |
+| ------------------------- | ------ | ----------- | ------------------------------------- |
+| `peer.proposal.receive`   | —      | PeerImp.cpp | Consensus proposal received from peer |
+| `peer.validation.receive` | —      | PeerImp.cpp | Validation message received from peer |
+
+**Where to find**: Tempo → TraceQL: `{resource.service.name="xrpld" && name=~"peer.*"}`
+
+**Grafana dashboard**: _Peer Network_ (`xrpld-peer-net`)
+
+---
+
+### 1.2 Complete Attribute Inventory (81 attributes)
+
+> **See also**: [02-design-decisions.md §2.4.2](./02-design-decisions.md#242-span-attributes-by-category) for attribute design rationale and privacy considerations.
+
+Every span can carry key-value attributes that provide context for filtering and aggregation.
+
+#### RPC Attributes
+
+| Attribute              | Type   | Set On          | Description                                      |
+| ---------------------- | ------ | --------------- | ------------------------------------------------ |
+| `command`              | string | `rpc.command.*` | RPC command name (e.g., `server_info`, `ledger`) |
+| `version`              | int64  | `rpc.command.*` | API version number                               |
+| `rpc_role`             | string | `rpc.command.*` | Caller role: `"admin"` or `"user"`               |
+| `rpc_status`           | string | `rpc.command.*` | Result: `"success"` or `"error"`                 |
+| `request_payload_size` | int64  | `rpc.command.*` | Request payload size in bytes                    |
+
+**Tempo query**: `{span.command="server_info"}` to find all `server_info` calls.
+
+**Prometheus label**: `xrpl_rpc_command` (dots converted to underscores by SpanMetrics).
+
+#### Transaction Attributes
+
+| Attribute           | Type    | Set On                                         | Description                                                           |
+| ------------------- | ------- | ---------------------------------------------- | --------------------------------------------------------------------- |
+| `xrpl.tx.hash`      | string  | `tx.process`, `tx.receive`                     | Transaction hash (hex-encoded)                                        |
+| `local`             | boolean | `tx.process`                                   | `true` if locally submitted, `false` if peer-relayed                  |
+| `path`              | string  | `tx.process`                                   | Submission path: `"sync"` or `"async"`                                |
+| `suppressed`        | boolean | `tx.receive`                                   | `true` if transaction was suppressed (duplicate)                      |
+| `tx_status`         | string  | `tx.receive`                                   | Transaction status (e.g., `"known_bad"`)                              |
+| `xrpl.peer.id`      | int64   | `tx.receive`                                   | Peer identifier (also set on peer spans)                              |
+| `xrpl.peer.version` | string  | `tx.receive`                                   | Peer protocol version string                                          |
+| `stage`             | string  | `tx.preflight`, `tx.preclaim`, `tx.transactor` | Apply-pipeline stage: `preflight`, `preclaim`, or `apply`             |
+| `tx_type`           | string  | `tx.preflight`, `tx.preclaim`, `tx.transactor` | Transaction type name (e.g., `Payment`)                               |
+| `ter_result`        | string  | `tx.preflight`, `tx.preclaim`, `tx.transactor` | Engine result token for that stage (e.g., `tesSUCCESS`, `terPRE_SEQ`) |
+| `applied`           | boolean | `tx.transactor`                                | `true` if the transaction was applied to the ledger                   |
+
+**Tempo query**: `{span.xrpl.tx.hash="<hash>"}` to trace a specific transaction across nodes.
+
+**Prometheus label**: `xrpl_tx_local` (used as SpanMetrics dimension).
+
+#### PathFind Attributes
+
+| Attribute                    | Type    | Set On                | Description                                     |
+| ---------------------------- | ------- | --------------------- | ----------------------------------------------- |
+| `source_account`             | string  | `pathfind.request`    | Source account address                          |
+| `dest_account`               | string  | `pathfind.request`    | Destination account address                     |
+| `fast`                       | boolean | `pathfind.compute`    | Whether this is a fast (non-full) pathfind      |
+| `search_level`               | int64   | `pathfind.compute`    | Search depth level                              |
+| `num_complete_paths`         | int64   | `pathfind.compute`    | Number of complete paths found                  |
+| `num_paths`                  | int64   | `pathfind.compute`    | Total number of paths explored                  |
+| `num_requests`               | int64   | `pathfind.update_all` | Number of active path requests being recomputed |
+| `xrpl.pathfind.ledger_index` | int64   | `pathfind.update_all` | Ledger index used for recomputation             |
+
+**Tempo query**: `{span.source_account="rHb9..."}` to find pathfind requests from a specific account.
+
+#### TxQ Attributes
+
+| Attribute            | Type    | Set On                         | Description                                                |
+| -------------------- | ------- | ------------------------------ | ---------------------------------------------------------- |
+| `xrpl.tx.hash`       | string  | `txq.enqueue`, `txq.accept.tx` | Transaction hash in the queue                              |
+| `txq_status`         | string  | `txq.enqueue`                  | Queue result: `"queued"`, `"applied_direct"`, `"rejected"` |
+| `fee_level_paid`     | int64   | `txq.enqueue`                  | Fee level paid by the transaction                          |
+| `required_fee_level` | int64   | `txq.enqueue`                  | Minimum fee level required for queue admission             |
+| `queue_size`         | int64   | `txq.accept`                   | Queue depth at start of accept                             |
+| `ledger_changed`     | boolean | `txq.accept`                   | Whether the open ledger changed since last accept          |
+| `xrpl.ledger.seq`    | int64   | `txq.cleanup`                  | Ledger sequence for cleanup                                |
+| `expired_count`      | int64   | `txq.cleanup`                  | Number of expired transactions removed                     |
+| `ter_code`           | string  | `txq.accept.tx`                | Transaction engine result code                             |
+| `retries_remaining`  | int64   | `txq.accept.tx`                | Remaining retry attempts for this transaction              |
+| `num_cleared`        | int64   | `txq.batch_clear`              | Number of transactions cleared in batch                    |
+
+**Tempo query**: `{span.txq_status="rejected"}` to find rejected queue attempts.
+
+#### gRPC Attributes
+
+| Attribute    | Type   | Set On         | Description                                                  |
+| ------------ | ------ | -------------- | ------------------------------------------------------------ |
+| `method`     | string | `grpc.request` | gRPC method name (e.g., `GetLedger`, `GetLedgerData`)        |
+| `rpc_role`   | string | `grpc.request` | Caller role: `"admin"` or `"user"`                           |
+| `rpc_status` | string | `grpc.request` | Result: `"success"`, `"error"`, `"resource_exhausted"`, etc. |
+
+**Tempo query**: `{span.method="GetLedger"}` to find gRPC ledger requests.
+
+#### Consensus Attributes
+
+| Attribute                   | Type    | Set On                                                                                                                 | Description                                                           |
+| --------------------------- | ------- | ---------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------- |
+| `xrpl.consensus.ledger_id`  | string  | `consensus.round`                                                                                                      | Previous ledger hash (used for deterministic trace ID)                |
+| `xrpl.ledger.seq`           | int64   | `consensus.round`, `consensus.ledger_close`, `consensus.accept`, `consensus.validation.send`, `consensus.accept.apply` | Ledger sequence number                                                |
+| `xrpl.consensus.mode`       | string  | `consensus.round`, `consensus.proposal.send`, `consensus.ledger_close`                                                 | Node mode via `toDisplayString()`: `"Proposing"`, `"Observing"`, etc. |
+| `xrpl.consensus.round`      | int64   | `consensus.proposal.send`                                                                                              | Consensus round number                                                |
+| `proposers`                 | int64   | `consensus.proposal.send`, `consensus.accept`                                                                          | Number of proposers in the round                                      |
+| `round_time_ms`             | int64   | `consensus.accept`, `consensus.accept.apply`                                                                           | Total consensus round duration in milliseconds                        |
+| `proposing`                 | boolean | `consensus.validation.send`                                                                                            | Whether this node was a proposer                                      |
+| `consensus_state`           | string  | `consensus.accept.apply`                                                                                               | Consensus outcome: `"finished"` or `"moved_on"`                       |
+| `close_time`                | int64   | `consensus.accept.apply`                                                                                               | Agreed-upon ledger close time (epoch seconds)                         |
+| `close_time_correct`        | boolean | `consensus.accept.apply`                                                                                               | Whether validators reached agreement on close time                    |
+| `close_resolution_ms`       | int64   | `consensus.accept.apply`                                                                                               | Close time rounding granularity in milliseconds                       |
+| `parent_close_time`         | int64   | `consensus.accept.apply`                                                                                               | Parent ledger's close time (epoch seconds)                            |
+| `close_time_self`           | int64   | `consensus.accept.apply`                                                                                               | This node's proposed close time                                       |
+| `close_time_vote_bins`      | string  | `consensus.accept.apply`                                                                                               | Histogram of close time votes from validators                         |
+| `resolution_direction`      | string  | `consensus.accept.apply`                                                                                               | Resolution change: `"increased"`, `"decreased"`, or `"unchanged"`     |
+| `converge_percent`          | int64   | `consensus.establish`                                                                                                  | Convergence percentage threshold                                      |
+| `establish_count`           | int64   | `consensus.establish`                                                                                                  | Number of establish iterations completed                              |
+| `proposers_agreed`          | int64   | `consensus.establish`                                                                                                  | Number of proposers that agreed on this round                         |
+| `avalanche_threshold`       | int64   | `consensus.update_positions`                                                                                           | Avalanche threshold for dispute resolution                            |
+| `close_time_threshold`      | int64   | `consensus.update_positions`                                                                                           | Close time agreement threshold                                        |
+| `have_close_time_consensus` | boolean | `consensus.update_positions`                                                                                           | Whether close time consensus has been reached                         |
+| `agree_count`               | int64   | `consensus.check`                                                                                                      | Number of proposers that agree with our position                      |
+| `disagree_count`            | int64   | `consensus.check`                                                                                                      | Number of proposers that disagree with our position                   |
+| `threshold_percent`         | int64   | `consensus.check`                                                                                                      | Required agreement threshold percentage                               |
+| `consensus_result`          | string  | `consensus.check`                                                                                                      | Check result: `"yes"`, `"no"`, or `"expired"`                         |
+| `quorum`                    | int64   | `consensus.check`                                                                                                      | Required quorum for validation                                        |
+| `validation_count`          | int64   | `consensus.check`                                                                                                      | Number of validations received                                        |
+| `trace_strategy`            | string  | `consensus.round`                                                                                                      | Trace sampling strategy used for this round                           |
+| `xrpl.consensus.round_id`   | string  | `consensus.round`                                                                                                      | Deterministic round identifier                                        |
+| `xrpl.consensus.mode.old`   | string  | `consensus.mode_change`                                                                                                | Previous consensus mode                                               |
+| `xrpl.consensus.mode.new`   | string  | `consensus.mode_change`                                                                                                | New consensus mode                                                    |
+| `xrpl.tx.id`                | string  | `consensus.update_positions`                                                                                           | Disputed transaction ID                                               |
+| `dispute_our_vote`          | boolean | `consensus.update_positions`                                                                                           | Our vote on the disputed transaction                                  |
+| `dispute_yays`              | int64   | `consensus.update_positions`                                                                                           | Number of proposers voting to include                                 |
+| `dispute_nays`              | int64   | `consensus.update_positions`                                                                                           | Number of proposers voting to exclude                                 |
+
+**Tempo query**: `{span.xrpl.consensus.mode="Proposing"}` to find rounds where node was proposing.
+
+**Prometheus label**: `xrpl_consensus_mode` (used as SpanMetrics dimension).
+
+#### Ledger Attributes
+
+| Attribute             | Type    | Set On                                                        | Description                                      |
+| --------------------- | ------- | ------------------------------------------------------------- | ------------------------------------------------ |
+| `xrpl.ledger.seq`     | int64   | `ledger.build`, `ledger.validate`, `ledger.store`, `tx.apply` | Ledger sequence number                           |
+| `close_time`          | int64   | `ledger.build`                                                | Ledger close time (epoch seconds)                |
+| `close_time_correct`  | boolean | `ledger.build`                                                | Whether close time was agreed upon by validators |
+| `close_resolution_ms` | int64   | `ledger.build`                                                | Close time rounding granularity in milliseconds  |
+| `tx_count`            | int64   | `ledger.build`, `tx.apply`                                    | Transactions in the ledger                       |
+| `tx_failed`           | int64   | `ledger.build`, `tx.apply`                                    | Failed transactions in the ledger                |
+| `validations`         | int64   | `ledger.validate`                                             | Number of validations received for this ledger   |
+
+**Tempo query**: `{span.xrpl.ledger.seq=12345}` to find all spans for a specific ledger.
+
+#### Peer Attributes
+
+| Attribute            | Type    | Set On                                                           | Description                                          |
+| -------------------- | ------- | ---------------------------------------------------------------- | ---------------------------------------------------- |
+| `xrpl.peer.id`       | int64   | `tx.receive`, `peer.proposal.receive`, `peer.validation.receive` | Peer identifier                                      |
+| `proposal_trusted`   | boolean | `peer.proposal.receive`                                          | Whether the proposal came from a trusted validator   |
+| `xrpl.ledger.hash`   | string  | `peer.validation.receive`                                        | Ledger hash the validation refers to                 |
+| `validation_full`    | boolean | `peer.validation.receive`                                        | Whether this is a full (not partial) validation      |
+| `validation_trusted` | boolean | `peer.validation.receive`                                        | Whether the validation came from a trusted validator |
+
+**Prometheus labels**: `xrpl_peer_proposal_trusted`, `xrpl_peer_validation_trusted` (SpanMetrics dimensions).
+
+---
+
+### 1.3 SpanMetrics — Derived Prometheus Metrics
+
+> **See also**: [01-architecture-analysis.md](./01-architecture-analysis.md) §1.8.2 for how span-derived metrics map to operational insights.
+
+The OTel Collector's SpanMetrics connector automatically generates RED (Rate, Errors, Duration) metrics from every span. No custom metrics code in xrpld is needed.
+
+| Prometheus Metric                                  | Type      | Description                                                                    |
+| -------------------------------------------------- | --------- | ------------------------------------------------------------------------------ |
+| `traces_span_metrics_calls_total`                  | Counter   | Total span invocations                                                         |
+| `traces_span_metrics_duration_milliseconds_bucket` | Histogram | Latency distribution (buckets: 1, 5, 10, 25, 50, 100, 250, 500, 1000, 5000 ms) |
+| `traces_span_metrics_duration_milliseconds_count`  | Histogram | Observation count                                                              |
+| `traces_span_metrics_duration_milliseconds_sum`    | Histogram | Cumulative latency                                                             |
+
+**Standard labels on every metric**: `span_name`, `status_code`, `service_name`, `span_kind`
+
+**Additional dimension labels** (configured in `otel-collector-config.yaml`):
+
+| Span Attribute        | Prometheus Label               | Applies To                                     |
+| --------------------- | ------------------------------ | ---------------------------------------------- |
+| `command`             | `xrpl_rpc_command`             | `rpc.command.*`                                |
+| `rpc_status`          | `xrpl_rpc_status`              | `rpc.command.*`                                |
+| `xrpl.consensus.mode` | `xrpl_consensus_mode`          | `consensus.ledger_close`                       |
+| `local`               | `xrpl_tx_local`                | `tx.process`                                   |
+| `proposal_trusted`    | `xrpl_peer_proposal_trusted`   | `peer.proposal.receive`                        |
+| `validation_trusted`  | `xrpl_peer_validation_trusted` | `peer.validation.receive`                      |
+| `stage`               | `stage`                        | `tx.preflight`, `tx.preclaim`, `tx.transactor` |
+
+The `stage` dimension (3 values: `preflight`, `preclaim`, `apply`) turns the
+apply-pipeline spans into per-stage RED metrics with no native instruments — the
+_Transaction Overview_ dashboard charts rate, p95 latency, and failure rate by stage.
+
+> **Sampling caveat**: xrpld head sampling is fixed at 1.0 (every trace is
+> recorded), so span-derived metrics are not undercounted at the node. If the
+> collector is configured with tail sampling, span-derived metrics reflect only
+> the retained traces, whereas native StatsD/meter metrics do not sample.
+> Account for any collector-side tail sampling when reading absolute stage rates.
+
+**Where to query**: Prometheus → `traces_span_metrics_calls_total{span_name="rpc.command.server_info"}`
+
+---
+
+## 2. StatsD Metrics (beast::insight)
+
+> **See also**: [02-design-decisions.md](./02-design-decisions.md) for the beast::insight coexistence design. [06-implementation-phases.md](./06-implementation-phases.md) for the Phase 6 metric inventory.
+
+These are system-level metrics emitted by xrpld's `beast::insight` framework via StatsD UDP. They cover operational data that doesn't map to individual trace spans.
+
+### Configuration
+
+```ini
+[insight]
+server=statsd
+address=127.0.0.1:8125
+prefix=xrpld
+```
+
+> **Note**: The `prefix` value is user-configurable — all metric names in the tables below assume `prefix=xrpld` (matching the integration test and Grafana dashboards). If you change the prefix, replace `xrpld_` with `{your_prefix}_` in all PromQL queries.
+
+### 2.1 Gauges
+
+| Prometheus Metric                                 | Source File           | Description                              | Typical Range                   |
+| ------------------------------------------------- | --------------------- | ---------------------------------------- | ------------------------------- |
+| `xrpld_LedgerMaster_Validated_Ledger_Age`         | LedgerMaster.h        | Seconds since last validated ledger      | 0–10 (healthy), >30 (stale)     |
+| `xrpld_LedgerMaster_Published_Ledger_Age`         | LedgerMaster.h        | Seconds since last published ledger      | 0–10 (healthy)                  |
+| `xrpld_State_Accounting_Disconnected_duration`    | NetworkOPs.cpp        | Cumulative seconds in Disconnected state | Monotonic                       |
+| `xrpld_State_Accounting_Connected_duration`       | NetworkOPs.cpp        | Cumulative seconds in Connected state    | Monotonic                       |
+| `xrpld_State_Accounting_Syncing_duration`         | NetworkOPs.cpp        | Cumulative seconds in Syncing state      | Monotonic                       |
+| `xrpld_State_Accounting_Tracking_duration`        | NetworkOPs.cpp        | Cumulative seconds in Tracking state     | Monotonic                       |
+| `xrpld_State_Accounting_Full_duration`            | NetworkOPs.cpp        | Cumulative seconds in Full state         | Monotonic (should dominate)     |
+| `xrpld_State_Accounting_Disconnected_transitions` | NetworkOPs.cpp        | Count of transitions to Disconnected     | Low                             |
+| `xrpld_State_Accounting_Connected_transitions`    | NetworkOPs.cpp        | Count of transitions to Connected        | Low                             |
+| `xrpld_State_Accounting_Syncing_transitions`      | NetworkOPs.cpp        | Count of transitions to Syncing          | Low                             |
+| `xrpld_State_Accounting_Tracking_transitions`     | NetworkOPs.cpp        | Count of transitions to Tracking         | Low                             |
+| `xrpld_State_Accounting_Full_transitions`         | NetworkOPs.cpp        | Count of transitions to Full             | Low (should be 1 after startup) |
+| `xrpld_Peer_Finder_Active_Inbound_Peers`          | PeerfinderManager.cpp | Active inbound peer connections          | 0–85                            |
+| `xrpld_Peer_Finder_Active_Outbound_Peers`         | PeerfinderManager.cpp | Active outbound peer connections         | 10–21                           |
+| `xrpld_Overlay_Peer_Disconnects`                  | OverlayImpl.cpp       | Cumulative peer disconnection count      | Low growth                      |
+| `xrpld_job_count`                                 | JobQueue.cpp          | Current job queue depth                  | 0–100 (healthy)                 |
+| `xrpld_Node_family_full_below_cache_size`         | TaggedCache.h         | FullBelowCache entry count               | Varies                          |
+| `xrpld_Node_family_full_below_cache_hit_rate`     | TaggedCache.h         | FullBelowCache hit rate percentage       | 0–100                           |
+
+**Grafana dashboard**: _Node Health (StatsD)_ (`xrpld-statsd-node-health`)
+
+### 2.2 Counters
+
+| Prometheus Metric               | Source File        | Description                                   |
+| ------------------------------- | ------------------ | --------------------------------------------- |
+| `xrpld_rpc_requests`            | ServerHandler.cpp  | Total RPC requests received                   |
+| `xrpld_ledger_fetches`          | InboundLedgers.cpp | Inbound ledger fetch attempts                 |
+| `xrpld_ledger_history_mismatch` | LedgerHistory.cpp  | Ledger hash mismatches detected               |
+| `xrpld_warn`                    | Logic.h            | Resource manager warnings issued              |
+| `xrpld_drop`                    | Logic.h            | Resource manager drops (connections rejected) |
+
+**Note**: `xrpld_warn` and `xrpld_drop` use non-standard StatsD meter type (`|m`). The OTel StatsD receiver only recognizes `|c`, `|g`, `|ms`, `|h`, `|s` — these metrics may be silently dropped. See Known Issues below.
+
+**Grafana dashboard**: _RPC & Pathfinding (StatsD)_ (`xrpld-statsd-rpc`)
+
+### 2.3 Histograms (from StatsD timers)
+
+| Prometheus Metric     | Source File       | Unit  | Description                    |
+| --------------------- | ----------------- | ----- | ------------------------------ |
+| `xrpld_rpc_time`      | ServerHandler.cpp | ms    | RPC response time distribution |
+| `xrpld_rpc_size`      | ServerHandler.cpp | bytes | RPC response size distribution |
+| `xrpld_ios_latency`   | Application.cpp   | ms    | I/O service loop latency       |
+| `xrpld_pathfind_fast` | PathRequests.h    | ms    | Fast pathfinding duration      |
+| `xrpld_pathfind_full` | PathRequests.h    | ms    | Full pathfinding duration      |
+
+Quantiles collected: 0th, 50th, 90th, 95th, 99th, 100th percentile.
+
+**Grafana dashboards**: _Node Health_ (`ios_latency`), _RPC & Pathfinding_ (`rpc_time`, `rpc_size`, `pathfind_*`)
+
+### 2.4 Overlay Traffic Metrics
+
+For each of the 45+ overlay traffic categories (defined in `TrafficCount.h`), four gauges are emitted:
+
+- `xrpld_{category}_Bytes_In`
+- `xrpld_{category}_Bytes_Out`
+- `xrpld_{category}_Messages_In`
+- `xrpld_{category}_Messages_Out`
+
+**Key categories**:
+
+| Category                                                          | Description                |
+| ----------------------------------------------------------------- | -------------------------- |
+| `total`                                                           | All traffic aggregated     |
+| `overhead` / `overhead_overlay`                                   | Protocol overhead          |
+| `transactions` / `transactions_duplicate`                         | Transaction relay          |
+| `proposals` / `proposals_untrusted` / `proposals_duplicate`       | Consensus proposals        |
+| `validations` / `validations_untrusted` / `validations_duplicate` | Consensus validations      |
+| `ledger_data_get` / `ledger_data_share`                           | Ledger data exchange       |
+| `ledger_data_Transaction_Node_get/share`                          | Transaction node data      |
+| `ledger_data_Account_State_Node_get/share`                        | Account state node data    |
+| `ledger_data_Transaction_Set_candidate_get/share`                 | Transaction set candidates |
+| `getObject` / `haveTxSet` / `ledgerData`                          | Object requests            |
+| `ping` / `status`                                                 | Keepalive and status       |
+| `set_get`                                                         | Set requests               |
+
+**Grafana dashboards**: _Network Traffic_ (`xrpld-statsd-network`), _Overlay Traffic Detail_ (`xrpld-statsd-overlay-detail`), _Ledger Data & Sync_ (`xrpld-statsd-ledger-sync`)
+
+### 2.5 Per-Job Timer Events
+
+For each of the 36 non-special job types (defined in `JobTypes.h`), two StatsD timer events are emitted:
+
+- `xrpld_{jobName}` — execution duration
+- `xrpld_{jobName}_q` — dequeue wait time
+
+These produce summary metrics with quantiles (0th, 50th, 90th, 95th, 99th, 100th).
+
+**Key job types** (most operationally relevant):
+
+| Job Name            | Source Enum      | Description                   |
+| ------------------- | ---------------- | ----------------------------- |
+| `acceptLedger`      | `jtACCEPT`       | Consensus round acceptance    |
+| `advanceLedger`     | `jtADVANCE`      | Ledger advancement            |
+| `transaction`       | `jtTRANSACTION`  | Transaction processing        |
+| `writeObjects`      | `jtWRITE`        | Database object writes        |
+| `publishNewLedger`  | `jtPUBLEDGER`    | New ledger publication        |
+| `trustedValidation` | `jtVALIDATION_t` | Trusted validation processing |
+| `trustedProposal`   | `jtPROPOSAL_t`   | Trusted proposal processing   |
+| `clientRPC`         | `jtCLIENT_RPC`   | Client RPC request handling   |
+| `heartbeat`         | `jtNETOP_TIMER`  | Network heartbeat timer       |
+| `sweep`             | `jtSWEEP`        | Cache sweep / cleanup         |
+| `ledgerData`        | `jtLEDGER_DATA`  | Ledger data processing        |
+
+Special job types (`limit=0`: `peerCommand`, `diskAccess`, `processTransaction`, `orderBookSetup`, `pathFind`, `nodeRead`, `nodeWrite`, `generic`, `SyncReadNode`, `AsyncReadNode`, `WriteNode`) do **not** emit timer events.
+
+**Grafana dashboard**: _Node Health (StatsD)_ (`xrpld-statsd-node-health`) — Key Jobs and All Jobs panels
+
+---
+
+## 3. Grafana Dashboard Reference
+
+> **See also**: [05-configuration-reference.md](./05-configuration-reference.md) §5.8 for Grafana data source provisioning (Tempo, Prometheus) and TraceQL query examples.
+
+### 3.1 Span-Derived Dashboards (5)
+
+| Dashboard            | UID                  | Data Source              | Key Panels                                                                                                                                                                                               |
+| -------------------- | -------------------- | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| RPC Performance      | `xrpld-rpc-perf`     | Prometheus (SpanMetrics) | Request rate by command, p95 latency by command, error rate, heatmap, top commands                                                                                                                       |
+| Transaction Overview | `xrpld-transactions` | Prometheus (SpanMetrics) | Processing rate, latency p95/p50, local vs relay split, apply duration, heatmap                                                                                                                          |
+| Consensus Health     | `xrpld-consensus`    | Prometheus (SpanMetrics) | Round duration p95/p50, proposals rate, close duration, mode timeline, heatmap, close time correctness, resolution direction, close time drift, resolution change timeline, close time vote distribution |
+| Ledger Operations    | `xrpld-ledger-ops`   | Prometheus (SpanMetrics) | Build rate, build duration, validation rate, store rate, build vs close comparison                                                                                                                       |
+| Peer Network         | `xrpld-peer-net`     | Prometheus (SpanMetrics) | Proposal receive rate, validation receive rate, trusted vs untrusted breakdown                                                                                                                           |
+
+### 3.2 StatsD Dashboards (5)
+
+| Dashboard              | UID                           | Data Source         | Key Panels                                                                                                                                         |
+| ---------------------- | ----------------------------- | ------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Node Health            | `xrpld-statsd-node-health`    | Prometheus (StatsD) | Ledger age, operating mode, I/O latency, job queue, fetch rate, key/all jobs execution time, cache size/hit rate, publish gap, state duration rate |
+| Network Traffic        | `xrpld-statsd-network`        | Prometheus (StatsD) | Active peers, disconnects, bytes in/out, messages in/out, traffic by category, duplicate traffic, all traffic categories detail                    |
+| RPC & Pathfinding      | `xrpld-statsd-rpc`            | Prometheus (StatsD) | RPC rate, response time/size, pathfinding duration, resource warnings/drops                                                                        |
+| Overlay Traffic Detail | `xrpld-statsd-overlay-detail` | Prometheus (StatsD) | Squelch, overhead, validator lists, set get/share, have/requested tx, proof paths                                                                  |
+| Ledger Data & Sync     | `xrpld-statsd-ledger-sync`    | Prometheus (StatsD) | Ledger data exchange, legacy ledger share/get, getobject by type, traffic heatmap                                                                  |
+
+### 3.3 Consensus Close-Time Panels
+
+The Consensus Health dashboard includes 5 close-time panels added in Phase 4:
+
+| Panel                        | Metric / Attribute                | Description                                                              |
+| ---------------------------- | --------------------------------- | ------------------------------------------------------------------------ |
+| Close Time Correctness       | `close_time_correct`              | Percentage of rounds with agreed-upon close time                         |
+| Resolution Direction         | `resolution_direction`            | Rate of resolution increases, decreases, and unchanged per time interval |
+| Close Time Drift             | `close_time` vs `close_time_self` | Difference between agreed close time and node's own proposed close time  |
+| Resolution Change Timeline   | `close_resolution_ms`             | Close time resolution granularity over time                              |
+| Close Time Vote Distribution | `close_time_vote_bins`            | Histogram of validator close time votes per round                        |
+
+**Template variables** (Consensus Health dashboard):
+
+| Variable                | Source Attribute                      | Description                                                              |
+| ----------------------- | ------------------------------------- | ------------------------------------------------------------------------ |
+| `$node`                 | `exported_instance`                   | Filter by xrpld node instance                                            |
+| `$close_time_correct`   | `xrpl_consensus_close_time_correct`   | Filter by close time correctness (`true` / `false`)                      |
+| `$resolution_direction` | `xrpl_consensus_resolution_direction` | Filter by resolution direction (`increased` / `decreased` / `unchanged`) |
+
+### 3.4 Accessing the Dashboards
+
+1. Open Grafana at **http://localhost:3000**
+2. Navigate to **Dashboards → xrpld** folder
+3. All 10 dashboards are auto-provisioned from `docker/telemetry/grafana/dashboards/`
+
+---
+
+## 4. Tempo Trace Search Guide
+
+> **See also**: [08-appendix.md](./08-appendix.md) §8.2 for span hierarchy visualizations. [05-configuration-reference.md](./05-configuration-reference.md) §5.8.5 for TraceQL query examples.
+
+### Finding Traces by Type
+
+| What to Find             | Tempo TraceQL Query                                                            |
+| ------------------------ | ------------------------------------------------------------------------------ |
+| All RPC calls            | `{resource.service.name="xrpld" && name="rpc.http_request"}`                   |
+| Specific RPC command     | `{resource.service.name="xrpld" && name="rpc.command.server_info"}`            |
+| Slow RPC calls           | `{resource.service.name="xrpld" && name=~"rpc.command.*"} \| duration > 100ms` |
+| Failed RPC calls         | `{span.rpc_status="error"}`                                                    |
+| Specific transaction     | `{span.xrpl.tx.hash="<hex_hash>"}`                                             |
+| Local transactions only  | `{span.local=true}`                                                            |
+| Consensus rounds         | `{resource.service.name="xrpld" && name="consensus.accept"}`                   |
+| Rounds by mode           | `{span.xrpl.consensus.mode="proposing"}`                                       |
+| Specific ledger          | `{span.xrpl.ledger.seq=12345}`                                                 |
+| Peer proposals (trusted) | `{span.proposal_trusted=true}`                                                 |
+
+### Trace Structure
+
+A typical RPC trace shows the span hierarchy:
+
+```
+rpc.http_request (ServerHandler)
+  └── rpc.process (ServerHandler)
+       └── rpc.command.server_info (RPCHandler)
+```
+
+A consensus round groups child spans under a deterministic trace ID:
+
+```
+consensus.round               (top-level, deterministic trace ID from ledger hash)
+  ├── consensus.ledger_close        (close event)
+  ├── consensus.proposal.send       (broadcast proposal)
+  ├── consensus.establish           (convergence loop)
+  │     ├── consensus.update_positions  (update disputes)
+  │     └── consensus.check             (check agreement)
+  ├── consensus.accept              (accept result)
+  ├── consensus.accept.apply        (apply with close time details)
+  ├── consensus.validation.send     (send validation)
+  └── consensus.mode_change         (mode transition, if any)
+ledger.build                  (build new ledger)
+  └── tx.apply                (apply transaction set)
+ledger.validate               (promote to validated)
+ledger.store                  (persist to DB)
+```
+
+---
+
+## 5. Prometheus Query Examples
+
+> **See also**: [05-configuration-reference.md](./05-configuration-reference.md) §5.8.7 for correlating Prometheus StatsD metrics with trace-derived metrics.
+
+### Span-Derived Metrics
+
+```promql
+# RPC request rate by command (last 5 minutes)
+sum by (xrpl_rpc_command) (rate(traces_span_metrics_calls_total{span_name=~"rpc.command.*"}[5m]))
+
+# RPC p95 latency by command
+histogram_quantile(0.95, sum by (le, xrpl_rpc_command) (rate(traces_span_metrics_duration_milliseconds_bucket{span_name=~"rpc.command.*"}[5m])))
+
+# Consensus round duration p95
+histogram_quantile(0.95, sum by (le) (rate(traces_span_metrics_duration_milliseconds_bucket{span_name="consensus.accept"}[5m])))
+
+# Transaction processing rate (local vs relay)
+sum by (xrpl_tx_local) (rate(traces_span_metrics_calls_total{span_name="tx.process"}[5m]))
+
+# Trusted vs untrusted proposal rate
+sum by (xrpl_peer_proposal_trusted) (rate(traces_span_metrics_calls_total{span_name="peer.proposal.receive"}[5m]))
+```
+
+### StatsD Metrics
+
+```promql
+# Validated ledger age (should be < 10s)
+xrpld_LedgerMaster_Validated_Ledger_Age
+
+# Active peer count
+xrpld_Peer_Finder_Active_Inbound_Peers + xrpld_Peer_Finder_Active_Outbound_Peers
+
+# RPC response time p95
+histogram_quantile(0.95, xrpld_rpc_time_bucket)
+
+# Total network bytes in (rate)
+rate(xrpld_total_Bytes_In[5m])
+
+# Operating mode (should be "Full" after startup)
+xrpld_State_Accounting_Full_duration
+```
+
+---
+
+## 6. SpanNames Header File Inventory
+
+All span names and attributes are defined as compile-time constants in colocated `SpanNames.h` headers. Each header lives next to its subsystem's implementation.
+
+| Header File                                     | Subsystem     | Span Count | Attribute Count | Notes                                       |
+| ----------------------------------------------- | ------------- | ---------- | --------------- | ------------------------------------------- |
+| `src/xrpld/rpc/detail/RpcSpanNames.h`           | RPC (HTTP/WS) | 5          | 5               | Includes `rpc.ws_upgrade` error path        |
+| `src/xrpld/rpc/detail/PathFindSpanNames.h`      | PathFind      | 5          | 8               | Covers one-shot and subscription paths      |
+| `src/xrpld/app/main/GrpcSpanNames.h`            | gRPC          | 1          | 3               | Flat single-span structure per request      |
+| `src/xrpld/app/misc/TxSpanNames.h`              | Transaction   | 2          | 7               | Includes peer context attributes            |
+| `src/xrpld/app/misc/detail/TxQSpanNames.h`      | TxQ           | 6          | 11              | Queue lifecycle: enqueue through cleanup    |
+| `src/xrpld/app/consensus/ConsensusSpanNames.h`  | Consensus     | 10         | 35              | Deterministic trace IDs, close-time details |
+| `src/xrpld/app/ledger/detail/LedgerSpanNames.h` | Ledger        | 4          | 7               | Build, store, validate, tx.apply            |
+| `src/xrpld/overlay/detail/PeerSpanNames.h`      | Peer Overlay  | 2          | 5               | Proposal and validation receive             |
+
+> **Design convention**: SpanNames headers are colocated with their subsystem classes rather than centralized in `telemetry/`. See [memory/feedback_span-names-colocation.md](../.claude/memory/feedback_span-names-colocation.md) for rationale.
+
+---
+
+## 7. Known Issues
+
+| Issue                                                              | Impact                                           | Status                                                               |
+| ------------------------------------------------------------------ | ------------------------------------------------ | -------------------------------------------------------------------- |
+| `warn` and `drop` metrics use non-standard StatsD `\|m` meter type | Metrics silently dropped by OTel StatsD receiver | Phase 6 Task 6.1 — needs `\|m` → `\|c` change in StatsDCollector.cpp |
+| `xrpld_job_count` may not emit in standalone mode                  | Missing from Prometheus in some test configs     | Requires active job queue activity                                   |
+| `xrpld_rpc_requests` depends on `[insight]` config                 | Zero series if StatsD not configured             | Requires `[insight] server=statsd` in xrpld.cfg                      |
+| Peer tracing enabled by default                                    | `peer.*` spans emit unless `trace_peer=0`        | High volume — set `trace_peer=0` to opt out on busy mainnet nodes    |
+
+---
+
+## 8. Privacy and Data Collection
+
+The telemetry system is designed with privacy in mind:
+
+- **No private keys** are ever included in spans or metrics
+- **No account balances** or financial data is traced
+- **Transaction hashes** are included (public on-ledger data) but not transaction contents
+- **Peer IDs** are internal identifiers, not IP addresses
+- **All telemetry is opt-in** — disabled by default at build time (`-Dtelemetry=OFF`)
+- **Sampling** — head sampling is fixed at 1.0 (sample everything); reduce data volume with collector-side tail sampling
+- **Data stays local** — the default stack sends data to `localhost` only
+
+---
+
+## 9. Configuration Quick Reference
+
+> **Full reference**: [05-configuration-reference.md](./05-configuration-reference.md) §5.1 for all `[telemetry]` options with defaults, the config parser implementation, and collector YAML configurations (dev and production).
+
+### Minimal Setup (development)
+
+```ini
+[telemetry]
+enabled=1
+
+[insight]
+server=statsd
+address=127.0.0.1:8125
+prefix=xrpld
+```
+
+### Production Setup
+
+```ini
+[telemetry]
+enabled=1
+endpoint=http://otel-collector:4318/v1/traces
+trace_peer=0
+batch_size=1024
+max_queue_size=4096
+
+[insight]
+server=statsd
+address=otel-collector:8125
+prefix=xrpld
+```
+
+### Trace Category Toggle
+
+| Config Key           | Default | Controls                     |
+| -------------------- | ------- | ---------------------------- |
+| `trace_rpc`          | `1`     | `rpc.*` spans                |
+| `trace_transactions` | `1`     | `tx.*` spans                 |
+| `trace_consensus`    | `1`     | `consensus.*` spans          |
+| `trace_ledger`       | `1`     | `ledger.*` spans             |
+| `trace_peer`         | `1`     | `peer.*` spans (high volume) |

OpenTelemetryPlan/OpenTelemetryPlan.md

@@ -0,0 +1,223 @@
+# [OpenTelemetry](00-tracing-fundamentals.md) Distributed Tracing Implementation Plan for xrpld (xrpld)
+
+## Executive Summary
+
+> **OTLP** = OpenTelemetry Protocol
+
+This document provides a comprehensive implementation plan for integrating OpenTelemetry distributed tracing into the xrpld XRP Ledger node software. The plan addresses the unique challenges of a decentralized peer-to-peer system where trace context must propagate across network boundaries between independent nodes.
+
+### Key Benefits
+
+- **End-to-end transaction visibility**: Track transactions from submission through consensus to ledger inclusion
+- **Consensus round analysis**: Understand timing and behavior of consensus phases across validators
+- **RPC performance insights**: Identify slow handlers and optimize response times
+- **Network topology understanding**: Visualize message propagation patterns between peers
+- **Incident debugging**: Correlate events across distributed nodes during issues
+
+### Estimated Performance Overhead
+
+| Metric        | Overhead   | Notes                               |
+| ------------- | ---------- | ----------------------------------- |
+| CPU           | 1-3%       | Span creation and attribute setting |
+| Memory        | 2-5 MB     | Batch buffer for pending spans      |
+| Network       | 10-50 KB/s | Compressed OTLP export to collector |
+| Latency (p99) | <2%        | With proper sampling configuration  |
+
+---
+
+## Document Structure
+
+This implementation plan is organized into modular documents for easier navigation:
+
+<div align="center">
+
+```mermaid
+flowchart TB
+    overview["📋 OpenTelemetryPlan.md<br/>(This Document)"]
+
+    subgraph fundamentals["Fundamentals"]
+        fund["00-tracing-fundamentals.md"]
+    end
+
+    subgraph analysis["Analysis & Design"]
+        arch["01-architecture-analysis.md"]
+        design["02-design-decisions.md"]
+    end
+
+    subgraph impl["Implementation"]
+        strategy["03-implementation-strategy.md"]
+        config["05-configuration-reference.md"]
+    end
+
+    subgraph deploy["Deployment & Planning"]
+        phases["06-implementation-phases.md"]
+        backends["07-observability-backends.md"]
+        appendix["08-appendix.md"]
+        secure["secure-OTel.md"]
+        dataref["09-data-collection-reference.md"]
+    end
+
+    overview --> fundamentals
+    overview --> analysis
+    overview --> impl
+    overview --> deploy
+
+    fund --> arch
+    arch --> design
+    design --> strategy
+    strategy --> config
+    config --> phases
+    phases --> backends
+    backends --> appendix
+    backends --> secure
+    appendix --> dataref
+
+    style overview fill:#1b5e20,stroke:#0d3d14,color:#fff,stroke-width:2px
+    style fundamentals fill:#00695c,stroke:#004d40,color:#fff
+    style fund fill:#00695c,stroke:#004d40,color:#fff
+    style analysis fill:#0d47a1,stroke:#082f6a,color:#fff
+    style impl fill:#bf360c,stroke:#8c2809,color:#fff
+    style deploy fill:#4a148c,stroke:#2e0d57,color:#fff
+    style arch fill:#0d47a1,stroke:#082f6a,color:#fff
+    style design fill:#0d47a1,stroke:#082f6a,color:#fff
+    style strategy fill:#bf360c,stroke:#8c2809,color:#fff
+    style config fill:#bf360c,stroke:#8c2809,color:#fff
+    style phases fill:#4a148c,stroke:#2e0d57,color:#fff
+    style backends fill:#4a148c,stroke:#2e0d57,color:#fff
+    style appendix fill:#4a148c,stroke:#2e0d57,color:#fff
+    style secure fill:#4a148c,stroke:#2e0d57,color:#fff
+    style dataref fill:#4a148c,stroke:#2e0d57,color:#fff
+```
+
+</div>
+
+---
+
+## Table of Contents
+
+| Section | Document                                                       | Description                                                            |
+| ------- | -------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| **0**   | [Tracing Fundamentals](./00-tracing-fundamentals.md)           | Distributed tracing concepts, span relationships, context propagation  |
+| **1**   | [Architecture Analysis](./01-architecture-analysis.md)         | xrpld component analysis, trace points, instrumentation priorities     |
+| **2**   | [Design Decisions](./02-design-decisions.md)                   | SDK selection, exporters, span naming, attributes, context propagation |
+| **3**   | [Implementation Strategy](./03-implementation-strategy.md)     | Directory structure, key principles, performance optimization          |
+| **5**   | [Configuration Reference](./05-configuration-reference.md)     | xrpld config, CMake integration, Collector configurations              |
+| **6**   | [Implementation Phases](./06-implementation-phases.md)         | 5-phase timeline, tasks, risks, success metrics                        |
+| **7**   | [Observability Backends](./07-observability-backends.md)       | Backend selection guide and production architecture                    |
+| **8**   | [Appendix](./08-appendix.md)                                   | Glossary, references, version history                                  |
+| **9**   | [Data Collection Reference](./09-data-collection-reference.md) | Complete inventory of spans, attributes, metrics, and dashboards       |
+| **Sec** | [Securing the OTel Pipeline](./secure-OTel.md)                 | Threat model and hardening (mTLS, peer trace-context validation)       |
+
+---
+
+## 0. Tracing Fundamentals
+
+This document introduces distributed tracing concepts for readers unfamiliar with the domain. It covers what traces and spans are, how parent-child and follows-from relationships model causality, how context propagates across service boundaries, and how sampling controls data volume. It also maps these concepts to xrpld-specific scenarios like transaction relay and consensus.
+
+➡️ **[Read Tracing Fundamentals](./00-tracing-fundamentals.md)**
+
+---
+
+## 1. Architecture Analysis
+
+> **WS** = WebSocket | **TxQ** = Transaction Queue
+
+The xrpld node consists of several key components that require instrumentation for comprehensive distributed tracing. The main areas include the RPC server (HTTP/WebSocket), Overlay P2P network, Consensus mechanism (RCLConsensus), JobQueue for async task execution, PathFinding, Transaction Queue (TxQ), fee escalation (LoadManager), ledger acquisition, validator management, and existing observability infrastructure (PerfLog, Insight/StatsD, Journal logging).
+
+Key trace points span across transaction submission via RPC, peer-to-peer message propagation, consensus round execution, ledger building, path computation, transaction queue behavior, fee escalation, and validator health. The implementation prioritizes high-value, low-risk components first: RPC handlers provide immediate value with minimal risk, while consensus tracing requires careful implementation to avoid timing impacts.
+
+➡️ **[Read full Architecture Analysis](./01-architecture-analysis.md)**
+
+---
+
+## 2. Design Decisions
+
+> **OTLP** = OpenTelemetry Protocol | **CNCF** = Cloud Native Computing Foundation
+
+The OpenTelemetry C++ SDK is selected for its CNCF backing, active development, and native performance characteristics. Traces are exported via OTLP/gRPC (primary) or OTLP/HTTP (fallback) to an OpenTelemetry Collector, which provides flexible routing and sampling.
+
+Span naming follows a hierarchical `<component>.<operation>` convention (e.g., `rpc.submit`, `tx.relay`, `consensus.round`). Context propagation uses W3C Trace Context headers for HTTP and embedded Protocol Buffer fields for P2P messages. The implementation coexists with existing PerfLog and Insight observability systems through correlation IDs.
+
+**Data Collection & Privacy**: Telemetry collects only operational metadata (timing, counts, hashes) — never sensitive content (private keys, balances, amounts, raw payloads). Privacy protection includes account hashing, configurable redaction, sampling, and collector-level filtering. Node operators retain full control over telemetry configuration.
+
+➡️ **[Read full Design Decisions](./02-design-decisions.md)**
+
+---
+
+## 3. Implementation Strategy
+
+The telemetry code is organized under `include/xrpl/telemetry/` for headers and `src/libxrpl/telemetry/` for implementation. Key principles include RAII-based span management via `SpanGuard` (with `discard()` for dropping unwanted spans), a `FilteringSpanProcessor` that intercepts `OnEnd()` to prevent discarded spans from entering the export pipeline, conditional compilation with `XRPL_ENABLE_TELEMETRY`, and minimal runtime overhead through batch processing and efficient sampling.
+
+Performance optimization strategies include head sampling fixed at 100% (intentionally not configurable, so trace keep/drop decisions stay coherent across nodes), tail-based sampling at the collector for errors and slow traces to reduce volume, batch export to reduce network overhead, and conditional instrumentation that compiles to no-ops when disabled.
+
+➡️ **[Read full Implementation Strategy](./03-implementation-strategy.md)**
+
+---
+
+## 5. Configuration Reference
+
+> **OTLP** = OpenTelemetry Protocol | **APM** = Application Performance Monitoring
+
+Configuration is handled through the `[telemetry]` section in `xrpld.cfg` with options for enabling/disabling, exporter selection, endpoint configuration, sampling ratios, and component-level filtering. CMake integration includes a `XRPL_ENABLE_TELEMETRY` option for compile-time control.
+
+OpenTelemetry Collector configurations are provided for development and production (with tail-based sampling, Tempo, and Elastic APM). Docker Compose examples enable quick local development environment setup.
+
+➡️ **[View full Configuration Reference](./05-configuration-reference.md)**
+
+---
+
+## 6. Implementation Phases
+
+The implementation spans 9 weeks across 5 phases:
+
+| Phase | Duration  | Focus               | Key Deliverables                                    |
+| ----- | --------- | ------------------- | --------------------------------------------------- |
+| 1     | Weeks 1-2 | Core Infrastructure | SDK integration, Telemetry interface, Configuration |
+| 2     | Weeks 3-4 | RPC Tracing         | HTTP context extraction, Handler instrumentation    |
+| 3     | Weeks 5-6 | Transaction Tracing | Protocol Buffer context, Relay propagation          |
+| 4     | Weeks 7-8 | Consensus Tracing   | Round spans, Proposal/validation tracing            |
+| 5     | Week 9    | Documentation       | Runbook, Dashboards, Training                       |
+
+**Total Effort**: 47 person-days (2 developers working in parallel)
+
+➡️ **[View full Implementation Phases](./06-implementation-phases.md)**
+
+---
+
+## 7. Observability Backends
+
+> **APM** = Application Performance Monitoring | **GCS** = Google Cloud Storage
+
+Grafana Tempo is recommended for all environments due to its cost-effectiveness and Grafana integration, while Elastic APM is ideal for organizations with existing Elastic infrastructure.
+
+The recommended production architecture uses a gateway collector pattern with regional collectors performing tail-based sampling, routing traces to multiple backends (Tempo for primary storage, Elastic for log correlation, S3/GCS for long-term archive).
+
+➡️ **[View Observability Backend Recommendations](./07-observability-backends.md)**
+
+---
+
+## 8. Appendix
+
+The appendix contains a glossary of OpenTelemetry and xrpld-specific terms, references to external documentation and specifications, version history for this implementation plan, and a complete document index.
+
+➡️ **[View Appendix](./08-appendix.md)**
+
+---
+
+## 9. Data Collection Reference
+
+A single-source-of-truth reference documenting every piece of telemetry data collected by xrpld. Covers all 16 OpenTelemetry spans with their 22 attributes, all StatsD metrics (gauges, counters, histograms, overlay traffic), SpanMetrics-derived Prometheus metrics, and all 10 Grafana dashboards. Includes Jaeger search guides and Prometheus query examples.
+
+➡️ **[View Data Collection Reference](./09-data-collection-reference.md)**
+
+---
+
+## Securing the OTel Pipeline
+
+Threat model and hardening guidance for production deployments where xrpld nodes ship telemetry to a centrally-hosted collector across an untrusted network. Covers the two attack surfaces (collector ingress and peer trace-context spoofing) and the chosen defenses: mTLS as primary collector auth, NetworkPolicy as defense-in-depth, and source-side validation plus per-peer rate limiting for the `protocol::TraceContext` field on peer messages.
+
+➡️ **[View Securing the OTel Pipeline](./secure-OTel.md)**
+
+---
+
+_This document provides a comprehensive implementation plan for integrating OpenTelemetry distributed tracing into the xrpld XRP Ledger node software. For detailed information on any section, follow the links to the corresponding sub-documents._

OpenTelemetryPlan/Phase2_taskList.md

@@ -0,0 +1,239 @@
+# Phase 2: RPC Tracing Completion Task List
+
+> **Goal**: Complete RPC tracing coverage with unit tests, Grafana search filters, PathFind instrumentation, and config hardening. Build on the Phase 1c SpanGuard factory foundation to achieve production-quality RPC observability.
+>
+> **Scope**: Unit tests for core telemetry, Grafana Tempo search filters, PathFind RPC tracing, config validation (`std::clamp`).
+>
+> **Branch**: `pratik/otel-phase2-rpc-tracing` (from `pratik/otel-phase1c-rpc-integration`)
+
+### Related Plan Documents
+
+| Document                                                     | Relevance                                                     |
+| ------------------------------------------------------------ | ------------------------------------------------------------- |
+| [04-code-samples.md](./04-code-samples.md)                   | TraceContextPropagator (§4.4.2), RPC instrumentation (§4.5.3) |
+| [02-design-decisions.md](./02-design-decisions.md)           | W3C Trace Context (§2.5), span attributes (§2.4.2)            |
+| [06-implementation-phases.md](./06-implementation-phases.md) | Phase 2 tasks (§6.3), definition of done (§6.11.2)            |
+
+---
+
+## Task 2.1: W3C Trace Context HTTP Header Extraction
+
+**Status**: DEFERRED → Phase 3
+
+**Reason**: W3C context propagation (`traceparent`/`tracestate` headers) requires a consumer — in Phase 2, RPC spans are entirely local to the node. Phase 3 introduces cross-node transaction tracing via protobuf context propagation, which is the first use case for extracted trace context. Implementing it here without a consumer would be dead code.
+
+**Implemented in**: `pratik/otel-phase3-tx-tracing` — `TraceContextPropagator.h/.cpp`
+
+---
+
+## Task 2.2: Per-Category Span Creation
+
+**Status**: COMPLETE (superseded by Phase 1c design)
+
+**Original plan**: Add `XRPL_TRACE_PEER` and `XRPL_TRACE_LEDGER` macros.
+
+**Actual implementation**: Phase 1c replaced all tracing macros with the `SpanGuard::span(TraceCategory, prefix, name)` factory pattern. The `TraceCategory` enum (`Rpc`, `Transactions`, `Consensus`, `Peer`, `Ledger`) serves the same conditional-creation purpose without macros. No separate task needed — the factory already supports all categories.
+
+---
+
+## Task 2.3: Add shouldTraceLedger() to Telemetry Interface
+
+**Objective**: The `Setup` struct has a `traceLedger` field but there's no corresponding virtual method. Add it for interface completeness.
+
+**What to do**:
+
+- Edit `include/xrpl/telemetry/Telemetry.h`:
+  - Add `virtual bool shouldTraceLedger() const = 0;`
+
+- Update all implementations:
+  - `src/libxrpl/telemetry/Telemetry.cpp` (TelemetryImpl, NullTelemetryOtel)
+  - `src/libxrpl/telemetry/NullTelemetry.cpp` (NullTelemetry)
+
+**Key modified files**:
+
+- `include/xrpl/telemetry/Telemetry.h`
+- `src/libxrpl/telemetry/Telemetry.cpp`
+- `src/libxrpl/telemetry/NullTelemetry.cpp`
+
+---
+
+## Task 2.4: Unit Tests for Core Telemetry Infrastructure
+
+**Status**: COMPLETE
+
+**Objective**: Add unit tests for the core telemetry abstractions to validate correctness and catch regressions.
+
+**Implemented**:
+
+- `src/tests/libxrpl/telemetry/TelemetryConfig.cpp`:
+  - Test Setup defaults (all fields have correct initial values)
+  - Test `setupTelemetry` config parser (empty section, full section, edge cases)
+  - Test `samplingRatio` clamping (values outside 0.0-1.0)
+
+- `src/tests/libxrpl/telemetry/SpanGuardFactory.cpp`:
+  - Test null guard methods are safe (setAttribute, setOk, setError, addEvent on null)
+  - Test category span returns null when telemetry disabled
+  - Test child/linked span null when no parent context
+  - Test move construction transfers ownership
+  - Test recordException safe on null guard
+  - Test discard() safe on null guard
+
+- `src/tests/libxrpl/telemetry/main.cpp` — GTest runner
+- `src/tests/libxrpl/CMakeLists.txt` — test target with optional OTel linking
+
+---
+
+## Task 2.5: Enhance RPC Span Attributes
+
+**Status**: DEFERRED (low priority)
+
+**Reason**: The high-value attributes (`command`, `version`, `role`, `status`) are already set by Phase 1c. The remaining HTTP transport-level attributes (`http.method`, `net.peer.ip`, `http.status_code`) provide limited additional insight since:
+
+- `http.method` is always POST for JSON-RPC
+- `net.peer.ip` is debug-level info available in logs
+- `duration_ms` is redundant with span duration (OTel captures start/end time natively)
+
+These can be added later if dashboard queries specifically need them. The node health attributes (Task 2.8) provide far more operational value and were prioritized instead.
+
+---
+
+## Task 2.6: Build Verification and Performance Baseline
+
+**Objective**: Verify the build succeeds with and without telemetry, and establish a performance baseline.
+
+**What to do**:
+
+1. Build with `telemetry=ON` and verify no compilation errors
+2. Build with `telemetry=OFF` and verify no regressions
+3. Run existing unit tests to verify no breakage
+4. Document any build issues in lessons.md
+
+**Verification Checklist**:
+
+- [ ] `conan install . --build=missing -o telemetry=True` succeeds
+- [ ] `cmake --preset default -Dtelemetry=ON` configures correctly
+- [ ] Build succeeds with telemetry ON
+- [ ] Build succeeds with telemetry OFF
+- [ ] Existing tests pass with telemetry ON
+- [ ] Existing tests pass with telemetry OFF
+
+---
+
+## Task 2.8: RPC Span Attribute Enrichment — Node Health Context
+
+**Status**: DROPPED.
+
+Node health (`amendment_blocked`, `server_state`) is not part of the telemetry surface. Operators consume the same data via the existing `server_info` / `server_state` RPC commands, so duplicating it on traces adds storage and cardinality cost without new value. The OTel C++ SDK 1.18.0 also does not support runtime updates to the resource, ruling out resource-level emission of these dynamic-by-nature flags.
+
+---
+
+## Task 2.9: PathFind RPC Instrumentation
+
+**Status**: COMPLETE
+
+**Objective**: Trace the path_find and ripple_path_find RPC handlers to capture request latency and computation cost.
+
+**Spans added**:
+
+- `pathfind.request` — wraps `doPathFind()` and `doRipplePathFind()` RPC handlers
+- `pathfind.compute` — wraps `PathRequest::doUpdate()` (`pathfind_fast` attr)
+- `pathfind.update_all` — wraps `PathRequestManager::updateAll()` on ledger close (`pathfind_ledger_index`, `pathfind_num_requests` attrs; emitted only when active subscriptions exist)
+- `pathfind.discover` — wraps the entire per-source-asset loop in `PathRequest::findPaths()` (`pathfind_search_level`, `pathfind_num_paths` attrs). One span per RPC call instead of N (one per source asset). Trade-off: per-asset breakdown is lost; storage and cardinality bounded.
+
+**Attribute namespacing**: All pathfind attributes use the `pathfind_*` underscore form per the Phase 1c naming-spec rule 5.
+
+**New file**: `src/xrpld/rpc/detail/PathFindSpanNames.h`
+
+**Modified files**:
+
+- `src/xrpld/rpc/handlers/orderbook/PathFind.cpp`
+- `src/xrpld/rpc/handlers/orderbook/RipplePathFind.cpp`
+- `src/xrpld/rpc/detail/PathRequest.cpp`
+- `src/xrpld/rpc/detail/PathRequestManager.cpp`
+- `src/xrpld/rpc/detail/Pathfinder.cpp`
+
+---
+
+## Task 2.10: RPC and PathFind Span Attribute Gap Fill
+
+**Status**: COMPLETE
+
+**Objective**: Wire up workflow-identifying attributes that enable filtering and grouping traces by request characteristics without drilling into child spans.
+
+**Attributes added**:
+
+| Span                | Attribute                    | Type   | Source                            |
+| ------------------- | ---------------------------- | ------ | --------------------------------- |
+| `rpc.http_request`  | `request_payload_size`       | int64  | `request.body().size()`           |
+| `rpc.process`       | `is_batch`                   | bool   | `method == "batch"` check         |
+| `rpc.process`       | `batch_size`                 | int64  | `params.size()` (only when batch) |
+| `rpc.ws_message`    | `command`                    | string | `jv[command]` or `jv[method]`     |
+| `rpc.command.*`     | `load_type`                  | string | `context.loadType.label()`        |
+| `pathfind.compute`  | `pathfind_dest_amount`       | string | `saDstAmount_.getFullText()`      |
+| `pathfind.compute`  | `pathfind_dest_currency`     | string | `to_string(saDstAmount_.asset())` |
+| `pathfind.discover` | `pathfind_num_source_assets` | int64  | `sourceAssets.size()`             |
+
+**New attr keys**: `RpcSpanNames.h` (`isBatch`, `batchSize`, `loadType`), `PathFindSpanNames.h` (`destAmount`, `destCurrency`, `numSourceAssets`).
+
+**Modified files**:
+
+- `src/xrpld/rpc/detail/RpcSpanNames.h`
+- `src/xrpld/rpc/detail/PathFindSpanNames.h`
+- `src/xrpld/rpc/detail/ServerHandler.cpp`
+- `src/xrpld/rpc/detail/RPCHandler.cpp`
+- `src/xrpld/rpc/detail/PathRequest.cpp`
+
+---
+
+## Summary
+
+| Task | Description                                 | Status              | Notes                                                     |
+| ---- | ------------------------------------------- | ------------------- | --------------------------------------------------------- |
+| 2.1  | W3C Trace Context header extraction         | Deferred → Phase 3  | No consumer in Phase 2; needs cross-node tracing          |
+| 2.2  | Per-category span creation                  | Complete (Phase 1c) | Superseded by TraceCategory enum + SpanGuard              |
+| 2.3  | Add shouldTraceLedger() interface method    | Complete (Phase 1c) | Delivered in Phase 1c base branch                         |
+| 2.4  | Unit tests for core telemetry               | Complete            | TelemetryConfig + SpanGuardFactory tests                  |
+| 2.5  | Enhanced RPC span attributes (HTTP-level)   | Deferred            | Low value; span duration covers timing natively           |
+| 2.6  | Build verification and performance baseline | Complete            | Verified in CI on Phase 1c                                |
+| 2.7  | Grafana Tempo search filters                | Complete            | rpc-command, rpc-status, rpc-role filters                 |
+| 2.8  | RPC span attribute enrichment (node health) | Dropped             | Available via `server_info`/`server_state` RPC            |
+| 2.9  | PathFind RPC instrumentation                | Complete            | request, compute, update_all, discover                    |
+| 2.10 | RPC/PathFind span attribute gap fill        | Complete            | Batch detection, payload size, load cost, pathfind params |
+
+**Delivered in this branch**: Tasks 2.4, 2.7, 2.9, 2.10.
+**Deferred with rationale**: Tasks 2.1 (→Phase 3), 2.5 (low priority).
+**Dropped**: Task 2.8 (node health not duplicated on traces).
+**Superseded**: Task 2.2 (Phase 1c SpanGuard factory covers this).
+
+---
+
+## Known Issues / Future Work
+
+### Thread safety of TelemetryImpl::stop() vs startSpan()
+
+`TelemetryImpl::stop()` resets `sdkProvider_` (a `std::shared_ptr`) without
+synchronization. `getTracer()` reads the same member from RPC handler threads.
+This is a data race if any thread calls `startSpan()` concurrently with `stop()`.
+
+**Current mitigation**: `Application::stop()` shuts down `serverHandler_`,
+`overlay_`, and `jobQueue_` before calling `telemetry_->stop()`, so no callers
+remain. See comments in `Telemetry.cpp:stop()` and `Application.cpp`.
+
+**TODO**: Add an `std::atomic<bool> stopped_` flag checked in `getTracer()` to
+make this robust against future shutdown order changes.
+
+### Macro incompatibility: XRPL_TRACE_SPAN vs XRPL_TRACE_SET_ATTR
+
+`XRPL_TRACE_SPAN` and `XRPL_TRACE_SPAN_KIND` declare `_xrpl_guard_` as a bare
+`SpanGuard`, but `XRPL_TRACE_SET_ATTR` and `XRPL_TRACE_EXCEPTION` call
+`_xrpl_guard_.has_value()` which requires `std::optional<SpanGuard>`. Using
+`XRPL_TRACE_SPAN` followed by `XRPL_TRACE_SET_ATTR` in the same scope would
+fail to compile.
+
+**Current mitigation**: No call site currently uses `XRPL_TRACE_SPAN` — all
+production code uses the conditional macros (`XRPL_TRACE_RPC`, `XRPL_TRACE_TX`,
+etc.) which correctly wrap the guard in `std::optional`.
+
+**TODO**: Either make `XRPL_TRACE_SPAN`/`XRPL_TRACE_SPAN_KIND` also wrap in
+`std::optional`, or document that `XRPL_TRACE_SET_ATTR` is only compatible with
+the conditional macros.

OpenTelemetryPlan/Phase3_taskList.md

@@ -0,0 +1,542 @@
+# Phase 3: Transaction Tracing Task List
+
+> **Goal**: Trace the full transaction lifecycle from RPC submission through peer relay, including cross-node context propagation via Protocol Buffer extensions. This is the WALK phase that demonstrates true distributed tracing.
+>
+> **Scope**: Protocol Buffer `TraceContext` message, context serialization, PeerImp transaction instrumentation, NetworkOPs processing instrumentation, HashRouter visibility, and multi-node relay context propagation.
+>
+> **Branch**: `pratik/otel-phase3-tx-tracing` (from `pratik/otel-phase2-rpc-tracing`)
+
+### Related Plan Documents
+
+| Document                                                     | Relevance                                                                                        |
+| ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------ |
+| [04-code-samples.md](./04-code-samples.md)                   | TraceContext protobuf (§4.4.1), PeerImp instrumentation (§4.5.1), context serialization (§4.4.2) |
+| [01-architecture-analysis.md](./01-architecture-analysis.md) | Transaction flow (§1.3), key trace points (§1.6)                                                 |
+| [06-implementation-phases.md](./06-implementation-phases.md) | Phase 3 tasks (§6.4), definition of done (§6.11.3)                                               |
+| [02-design-decisions.md](./02-design-decisions.md)           | Context propagation design (§2.5), attribute schema (§2.4.3)                                     |
+
+---
+
+## Task 3.1: Define TraceContext Protocol Buffer Message
+
+**Objective**: Add trace context fields to the P2P protocol messages so trace IDs can propagate across nodes.
+
+**What to do**:
+
+- Edit `include/xrpl/proto/xrpl.proto` (or `src/xrpld/proto/ripple.proto`, wherever the proto is):
+  - Add `TraceContext` message definition:
+    ```protobuf
+    message TraceContext {
+        bytes trace_id = 1;      // 16-byte trace identifier
+        bytes span_id = 2;       // 8-byte span identifier
+        uint32 trace_flags = 3;  // bit 0 = sampled
+        string trace_state = 4;  // W3C tracestate value
+    }
+    ```
+  - Add `optional TraceContext trace_context = 1001;` to:
+    - `TMTransaction`
+    - `TMProposeSet` (for Phase 4 use)
+    - `TMValidation` (for Phase 4 use)
+  - Use high field numbers (1001+) to avoid conflicts with existing fields
+
+- Regenerate protobuf C++ code
+
+**Key modified files**:
+
+- `include/xrpl/proto/xrpl.proto` (or equivalent)
+
+**Reference**:
+
+- [04-code-samples.md §4.4.1](./04-code-samples.md) — TraceContext message definition
+- [02-design-decisions.md §2.5.2](./02-design-decisions.md) — Protocol buffer context propagation design
+
+---
+
+## Task 3.2: Implement Protobuf Context Serialization
+
+**Objective**: Create utilities to serialize/deserialize OTel trace context to/from protobuf `TraceContext` messages.
+
+**What to do**:
+
+- Create `include/xrpl/telemetry/TraceContextPropagator.h` (extend from Phase 2 if exists, or add protobuf methods):
+  - Add protobuf-specific methods:
+    - `static Context extractFromProtobuf(protocol::TraceContext const& proto)` — reconstruct OTel context from protobuf fields
+    - `static void injectToProtobuf(Context const& ctx, protocol::TraceContext& proto)` — serialize current span context into protobuf fields
+  - Both methods guard behind `#ifdef XRPL_ENABLE_TELEMETRY`
+
+- Create/extend `src/libxrpl/telemetry/TraceContextPropagator.cpp`:
+  - Implement extraction: read trace_id (16 bytes), span_id (8 bytes), trace_flags from protobuf, construct `SpanContext`, wrap in `Context`
+  - Implement injection: get current span from context, serialize its TraceId, SpanId, and TraceFlags into protobuf fields
+
+**Key new/modified files**:
+
+- `include/xrpl/telemetry/TraceContextPropagator.h`
+- `src/libxrpl/telemetry/TraceContextPropagator.cpp`
+
+**Reference**:
+
+- [04-code-samples.md §4.4.2](./04-code-samples.md) — Full extract/inject implementation
+
+---
+
+## Task 3.3: Instrument PeerImp Transaction Handling
+
+**Objective**: Add trace spans to the peer-level transaction receive and relay path.
+
+**What to do**:
+
+- Edit `src/xrpld/overlay/detail/PeerImp.cpp`:
+  - In `onMessage(TMTransaction)` / `handleTransaction()`:
+    - Extract parent trace context from incoming `TMTransaction::trace_context` field (if present)
+    - Create `tx.receive` span as child of extracted context (or new root if none)
+    - Set attributes: `tx_hash`, `peer_id`, `tx_status`
+    - On HashRouter suppression (duplicate): set `suppressed=true`, add `tx.duplicate` event
+    - Wrap validation call with child span `tx.validate`
+    - Wrap relay with `tx.relay` span
+  - When relaying to peers:
+    - Inject current trace context into outgoing `TMTransaction::trace_context`
+    - Set `relay_count` attribute
+
+- Use `SpanGuard::span(TraceCategory::Transactions, "tx", "receive")` factory
+  (Phase 1c replaced macros with the SpanGuard factory pattern)
+
+**Key modified files**:
+
+- `src/xrpld/overlay/detail/PeerImp.cpp`
+
+**Reference**:
+
+- [04-code-samples.md §4.5.1](./04-code-samples.md) — Full PeerImp instrumentation example
+- [01-architecture-analysis.md §1.3](./01-architecture-analysis.md) — Transaction flow diagram
+- [01-architecture-analysis.md §1.6](./01-architecture-analysis.md) — tx.receive trace point
+
+---
+
+## Task 3.4: Instrument NetworkOPs Transaction Processing
+
+**Objective**: Trace the transaction processing pipeline in NetworkOPs, covering both sync and async paths.
+
+**What to do**:
+
+- Edit `src/xrpld/app/misc/NetworkOPs.cpp`:
+  - In `processTransaction()`:
+    - Create `tx.process` span
+    - Set attributes: `tx_hash`, `tx_type`, `local` (whether from RPC or peer)
+    - Record whether sync or async path is taken
+
+  - In `doTransactionAsync()`:
+    - Capture parent context before queuing
+    - Create `tx.queue` span with queue depth attribute
+    - Add event when transaction is dequeued for processing
+
+  - In `doTransactionSync()`:
+    - Create `tx.process_sync` span
+    - Record result (applied, queued, rejected)
+
+**Key modified files**:
+
+- `src/xrpld/app/misc/NetworkOPs.cpp`
+
+**Reference**:
+
+- [01-architecture-analysis.md §1.6](./01-architecture-analysis.md) — tx.validate and tx.process trace points
+- [02-design-decisions.md §2.4.3](./02-design-decisions.md) — Transaction attribute schema
+
+---
+
+## Task 3.5: Instrument HashRouter for Dedup Visibility
+
+**Objective**: Make transaction deduplication visible in traces by recording HashRouter decisions as span attributes/events.
+
+**What to do**:
+
+- Edit `src/xrpld/overlay/detail/PeerImp.cpp` (in handleTransaction):
+  - After calling `HashRouter::shouldProcess()` or `addSuppressionPeer()`:
+    - Record `suppressed` attribute (true/false)
+    - Record `tx_flags` showing current HashRouter state (SAVED, TRUSTED, etc.)
+    - Add `tx.first_seen` or `tx.duplicate` event
+
+- This is NOT a modification to HashRouter itself — just recording its decisions as span attributes in the existing PeerImp instrumentation from Task 3.3.
+
+**Key modified files**:
+
+- `src/xrpld/overlay/detail/PeerImp.cpp` (same changes as 3.3, logically grouped)
+
+---
+
+## Task 3.6: Context Propagation in Transaction Relay
+
+**Status**: COMPLETE
+
+**Objective**: Ensure trace context flows correctly when transactions are relayed between peers, creating linked spans across nodes.
+
+**What was done**:
+
+- **TX send side**: `NetworkOPs::apply()` now injects the tx.process span's trace
+  context into the outgoing `TMTransaction` protobuf before relay, using
+  `telemetry::injectSpanContext()`. The receiving node's `txReceiveSpan()` (already
+  wired in PeerImp) extracts the parent span_id and creates the tx.receive span
+  as a child of the sender's tx.process span.
+
+- **Proposal send/receive**: `RCLConsensus::Adaptor::propose()` injects the
+  current thread's active span context into the `TMProposeSet` protobuf via
+  `telemetry::injectToProtobuf()`. PeerImp creates a
+  `consensus.proposal.receive` span that extracts the sender's trace context
+  as parent (via `ConsensusReceiveTracing.h`).
+
+- **Validation send/receive**: `RCLConsensus::Adaptor::validate()` injects
+  the current thread's active span context into the `TMValidation` protobuf.
+  PeerImp creates a `consensus.validation.receive` span that extracts the
+  sender's trace context as parent.
+
+- **Edge cases**: Missing trace context (older peers) degrades gracefully to
+  standalone spans. Invalid/corrupted context is treated as absent. Trace
+  flags are propagated and respected.
+
+**New infrastructure**:
+
+- `SpanGuard::getTraceBytes()` — extracts raw trace_id/span_id/trace_flags
+  from a span without exposing OTel types. Safe to call from any thread.
+- `PropagationHelpers.h` — `injectSpanContext(SpanGuard&, proto)` bridge
+  between SpanGuard and protobuf TraceContext.
+- `TraceContextPropagator.h` — `injectToProtobuf(ctx, proto)` for
+  same-thread injection via OTel RuntimeContext (used in propose/validate).
+- `ConsensusReceiveTracing.h` — `proposalReceiveSpan()` and
+  `validationReceiveSpan()` helper functions that create receive spans with
+  optional parent context extraction from incoming protobuf messages.
+
+**Key modified files**:
+
+- `src/xrpld/app/misc/NetworkOPs.cpp` — tx relay injection
+- `src/xrpld/app/consensus/RCLConsensus.cpp` — proposal/validation send injection
+- `src/xrpld/overlay/detail/PeerImp.cpp` — proposal/validation receive spans
+- `include/xrpl/telemetry/SpanGuard.h` — `TraceBytes` struct, `getTraceBytes()`
+- `src/libxrpl/telemetry/SpanGuard.cpp` — `getTraceBytes()` implementation
+- `src/xrpld/telemetry/PropagationHelpers.h` — inject helpers (new file)
+- `src/xrpld/telemetry/ConsensusReceiveTracing.h` — receive span helpers (new file)
+
+**Reference**:
+
+- [02-design-decisions.md §2.5](./02-design-decisions.md) — Context propagation design
+- [04-code-samples.md §4.5.1](./04-code-samples.md) — Relay context injection pattern
+
+---
+
+## Task 3.7: Build Verification and Testing
+
+**Objective**: Verify all Phase 3 changes compile and work correctly.
+
+**What to do**:
+
+1. Build with `telemetry=ON` — verify no compilation errors
+2. Build with `telemetry=OFF` — verify no regressions
+3. Run existing unit tests
+4. Verify protobuf regeneration produces correct C++ code
+5. Document any issues encountered
+
+**Verification Checklist**:
+
+- [ ] Protobuf changes generate valid C++
+- [ ] Build succeeds with telemetry ON
+- [ ] Build succeeds with telemetry OFF
+- [ ] Existing tests pass
+- [ ] No undefined symbols from new telemetry calls
+
+---
+
+## Task 3.8: Transaction Span Peer Version Attribute
+
+> **Source**: [External Dashboard Parity](../docs/superpowers/specs/2026-03-30-external-dashboard-parity-design.md) — adds peer version context inspired by the community [xrpl-validator-dashboard](https://github.com/realgrapedrop/xrpl-validator-dashboard).
+>
+> **Upstream**: Phase 2 (RPC span infrastructure must exist).
+> **Downstream**: Phase 10 (validation checks for this attribute).
+
+**Objective**: Add the relaying peer's xrpld version to `tx.receive` spans so operators can correlate transaction issues with peer version mismatches during network upgrades.
+
+**What to do**:
+
+- Edit `src/xrpld/overlay/detail/PeerImp.cpp`:
+  - In the `tx.receive` span block (after existing `peer_id` setAttribute call):
+    - Add `peer_version` (string) — from `this->getVersion()`
+    - Only set if `getVersion()` returns a non-empty string (avoid empty-string attributes)
+
+**New span attribute**:
+
+| Attribute      | Type   | Source               | Example         |
+| -------------- | ------ | -------------------- | --------------- |
+| `peer_version` | string | `peer->getVersion()` | `"xrpld-2.4.0"` |
+
+**Rationale**: Transaction relay is where version mismatches cause subtle serialization or validation bugs. Tracing "this tx came from a v2.3.0 peer" helps diagnose compatibility issues. The community dashboard tracks peer versions externally; this brings version awareness into the trace itself.
+
+**Key modified files**:
+
+- `src/xrpld/overlay/detail/PeerImp.cpp`
+
+**Exit Criteria**:
+
+- [ ] `tx.receive` spans carry `peer_version` attribute with a non-empty version string
+- [ ] Attribute is omitted (not set to empty string) when `getVersion()` returns empty
+- [ ] Attribute visible in Jaeger span detail view
+
+---
+
+## Task 3.9: Deterministic Transaction Trace ID
+
+> **Upstream**: Task 3.2 (protobuf serialization), Task 3.3 (PeerImp span exists).
+> **Downstream**: Phase 10 (workload validation can query by tx hash directly).
+> **Pattern**: Mirrors the consensus deterministic trace ID in Phase 4a
+> (`createDeterministicContext` in `RCLConsensus.cpp`), adapted for transactions.
+
+**Objective**: Derive the trace_id for transaction spans deterministically from the
+transaction hash so that all nodes handling the same transaction independently produce
+spans under the same trace_id — regardless of whether protobuf context propagation
+succeeds.
+
+**Why**: The current approach creates spans with random trace_ids and relies entirely
+on protobuf `TraceContext` propagation to link them. If any hop in the relay chain
+drops the context (older peers, message corruption, mixed-version networks), the trace
+splits and downstream spans become impossible to find. With deterministic trace_ids,
+correlation is guaranteed because every node derives the same trace_id from the same
+`txID`.
+
+**Approach — deterministic trace_id + protobuf span_id propagation**:
+
+1. Derive `trace_id = txHash[0:16]` (first 16 bytes of the 32-byte transaction hash).
+2. Generate a random 8-byte `span_id` per node (each node's span is unique within
+   the shared trace).
+3. Create the span under this deterministic context as parent.
+4. **Additionally**, if protobuf `TraceContext` is present in the incoming
+   `TMTransaction` message, extract the sender's `span_id` and use it as the span's
+   parent — this preserves parent-child ordering in the trace tree.
+5. If protobuf context is absent (older peer, first hop), the span still has the
+   correct deterministic `trace_id` — it appears as a sibling root in the same trace
+   rather than being lost.
+
+This gives the best of both worlds: guaranteed cross-node correlation via deterministic
+`trace_id`, plus parent-child relay ordering via protobuf `span_id` when available.
+
+**What to do**:
+
+- Create `createDeterministicTxContext(uint256 const& txHash)` utility function:
+  - Location: shared header or file-local in `PeerImp.cpp` and `NetworkOPs.cpp`
+    (or a shared telemetry utility if both need it).
+  - Pattern: identical to `createDeterministicContext(uint256 const& ledgerId)` in
+    `RCLConsensus.cpp` — take `txHash[0:16]` as trace_id, random span_id via
+    `default_prng()`, sampled flag set, `remote=false`.
+  - Guard behind `#ifdef XRPL_ENABLE_TELEMETRY`.
+
+  ```cpp
+  opentelemetry::context::Context
+  createDeterministicTxContext(uint256 const& txHash)
+  {
+      namespace trace = opentelemetry::trace;
+
+      // First 16 bytes of the 32-byte tx hash as trace ID.
+      trace::TraceId traceId(
+          opentelemetry::nostd::span<uint8_t const, 16>(txHash.data(), 16));
+
+      // Random span_id so each node's span is unique within the trace.
+      uint8_t spanIdBytes[8];
+      auto const rval = default_prng()();
+      std::memcpy(spanIdBytes, &rval, sizeof(spanIdBytes));
+      trace::SpanId spanId(
+          opentelemetry::nostd::span<uint8_t const, 8>(spanIdBytes, 8));
+
+      trace::SpanContext syntheticCtx(
+          traceId, spanId, trace::TraceFlags(1), /* remote = */ false);
+
+      return opentelemetry::context::Context{}.SetValue(
+          trace::kSpanKey,
+          opentelemetry::nostd::shared_ptr<trace::Span>(
+              new trace::DefaultSpan(syntheticCtx)));
+  }
+  ```
+
+- Edit `src/xrpld/overlay/detail/PeerImp.cpp` — restructure `handleTransaction()`:
+  - **Move span creation after deserialization** (txID must be known first):
+    1. Deserialize `STTx` and get `txID` (existing code at line ~1382).
+    2. Create deterministic parent context: `auto detCtx = createDeterministicTxContext(txID)`.
+    3. If `m->has_trace_context()`: extract protobuf context via `extractFromProtobuf()`,
+       **combine** with deterministic trace_id — use the protobuf span_id as parent
+       to preserve relay ordering, but override trace_id with the deterministic one.
+    4. If no protobuf context: create span under `detCtx` directly.
+    5. Set all existing attributes (`hash`, `peerId`, `peerVersion`, `suppressed`, etc.).
+
+  - **Combining deterministic trace_id with protobuf parent span_id**:
+    When both are available, construct a synthetic `SpanContext` with:
+    - `trace_id` = `txHash[0:16]` (deterministic)
+    - `span_id` = extracted from protobuf (sender's span_id → becomes parent)
+    - `trace_flags` = from protobuf
+    - `remote` = true (came from another node)
+
+    ```cpp
+    // Pseudo-code for the combined context:
+    auto detTraceId = trace::TraceId(txHash.data(), 16);
+    auto remoteSpanId = /* from extractFromProtobuf */;
+    auto remoteFlags = /* from extractFromProtobuf */;
+
+    trace::SpanContext combinedCtx(
+        detTraceId, remoteSpanId, remoteFlags, /* remote = */ true);
+    // Use as parent context for the new span.
+    ```
+
+- Edit `src/xrpld/app/misc/NetworkOPs.cpp` — update `processTransaction()`:
+  - `transaction->getID()` is already available at the top of the function.
+  - Create deterministic parent context from `txID`.
+  - Create `tx.process` span under this context.
+  - No protobuf context to extract here (NetworkOPs is intra-node), so
+    deterministic context alone is sufficient.
+
+- Add `trace_strategy` attribute to spans:
+  - Add `inline constexpr auto traceStrategy = "trace_strategy";`
+    to `TxSpanNames.h`.
+  - Set on each tx span: `span.setAttribute(tx_span::attr::traceStrategy, "deterministic")`.
+
+**Key new/modified files**:
+
+- `src/xrpld/overlay/detail/PeerImp.cpp` — restructured span creation
+- `src/xrpld/app/misc/NetworkOPs.cpp` — deterministic context for tx.process
+- `src/xrpld/app/misc/TxSpanNames.h` — new `traceStrategy` attribute constant
+- New or shared utility for `createDeterministicTxContext()` (location TBD: could be
+  a shared header like `include/xrpl/telemetry/DeterministicContext.h`, or file-local
+  if only used in two places)
+
+**Interaction with existing tasks**:
+
+- **Task 3.3 (PeerImp instrumentation)**: The span creation in `handleTransaction()`
+  must be restructured — the span currently starts before `txID` is known. This task
+  moves it after deserialization.
+- **Task 3.6 (Relay context propagation)**: Protobuf injection at the relay site
+  remains the same — `injectToProtobuf()` serializes the current span's `span_id`.
+  The receiver extracts it and combines with the deterministic `trace_id`.
+- **Phase 4a (Consensus deterministic trace ID)**: This task follows the same pattern.
+  Consider extracting a shared utility (e.g., `createDeterministicContext(uint256)`)
+  that both consensus and transaction tracing use.
+
+**Exit Criteria**:
+
+- [ ] `tx.receive` and `tx.process` spans have deterministic trace_id = `txHash[0:16]`
+- [ ] All nodes handling the same transaction produce spans under the same trace_id
+- [x] Protobuf `span_id` propagation still works when available (parent-child ordering)
+- [ ] Missing protobuf context (old peer) degrades gracefully to sibling spans, not lost traces
+- [ ] `trace_strategy` attribute set to `"deterministic"` on all tx spans
+- [ ] Trace queryable by tx hash (truncate hash → trace_id → direct lookup in Tempo)
+
+**Deliverables implemented (not in original plan)**:
+
+- **`SpanGuard::txSpan()` factory method** (`include/xrpl/telemetry/SpanGuard.h`):
+  Two overloads for creating transaction spans with deterministic trace IDs:
+  - `txSpan(category, group, name, txHash)` — standalone span (deterministic
+    trace_id from `txHash[0:16]`, no parent span_id).
+  - `txSpan(category, group, name, txHash, parentCtx)` — child span (deterministic
+    trace_id combined with protobuf-extracted parent span_id for relay ordering).
+
+- **`TxTracing.h` helper functions** (`src/xrpld/overlay/detail/TxTracing.h`):
+  File-local helpers that wrap `SpanGuard::txSpan()` for the two main PeerImp call
+  sites:
+  - `txReceiveSpan(txHash, parentCtx)` — creates `tx.receive` span with
+    deterministic trace_id and optional protobuf parent context.
+  - `txProcessSpan(txHash)` — creates `tx.process` span with deterministic
+    trace_id only (no protobuf parent, used intra-node).
+  - **Note**: `TxTracing.h` includes `xrpl.pb.h` unconditionally (outside
+    `#ifdef XRPL_ENABLE_TELEMETRY`) because `protocol::TMTransaction` appears in
+    the function signatures regardless of telemetry build mode.
+
+---
+
+## Task 3.10: TxQ Instrumentation
+
+**Status**: COMPLETE
+
+**Objective**: Trace the transaction queue lifecycle — enqueue decisions, direct apply, batch clear, ledger-close accept loop, per-tx apply, and cleanup.
+
+**Spans added**:
+
+- `txq.enqueue` — wraps `TxQ::apply()` with tx_hash attribute
+- `txq.apply_direct` — wraps `TxQ::tryDirectApply()` fast-path
+- `txq.batch_clear` — wraps `TxQ::tryClearAccountQueueUpThruTx()`
+- `txq.accept` — wraps `TxQ::accept()` ledger-close dequeue with queue_size attr
+- `txq.accept_tx` — per-tx span inside accept loop with tx_hash, ter_code,
+  retries_remaining attributes
+- `txq.cleanup` — wraps `TxQ::processClosedLedger()` with ledger_seq attribute
+
+**New file**: `src/xrpld/app/misc/detail/TxQSpanNames.h`
+
+**Modified file**: `src/xrpld/app/misc/detail/TxQ.cpp`
+
+---
+
+## Task 3.11: TX and TxQ Span Attribute Gap Fill
+
+**Status**: COMPLETE
+
+**Objective**: Add workflow-identifying attributes to transaction spans so operators can filter by transaction type and see outcomes without off-chain correlation.
+
+**Attributes added**:
+
+| Span              | Attribute            | Type   | Source                                                              |
+| ----------------- | -------------------- | ------ | ------------------------------------------------------------------- |
+| `tx.process`      | `tx_type`            | string | `TxFormats::getInstance().findByType(stx->getTxnType())->getName()` |
+| `tx.process`      | `fee`                | int64  | `stx->getFieldAmount(sfFee).xrp().drops()`                          |
+| `tx.process`      | `sequence`           | int64  | `stx->getSeqProxy().value()`                                        |
+| `tx.process`      | `ter_result`         | string | `transToken(e.result)` (set after batch application)                |
+| `tx.process`      | `applied`            | bool   | `e.applied` (set after batch application)                           |
+| `tx.receive`      | `tx_type`            | string | `TxFormats::getInstance().findByType(stx->getTxnType())->getName()` |
+| `txq.enqueue`     | `tx_type`            | string | same pattern as above                                               |
+| `txq.enqueue`     | `txq_status`         | string | `queued` / `applied_direct` / `applied` / `rejected`                |
+| `txq.enqueue`     | `fee_level_paid`     | int64  | `getFeeLevelPaid(view, *tx).value()`                                |
+| `txq.enqueue`     | `required_fee_level` | int64  | `getRequiredFeeLevel(...).value()`                                  |
+| `txq.batch_clear` | `num_cleared`        | int64  | queued txs cleared ahead of the applying tx                         |
+| `txq.cleanup`     | `expired_count`      | int64  | entries dropped for passed `LastLedgerSequence`                     |
+| `txq.accept_tx`   | `txq_status`         | string | `applied` / `failed` / `retried`                                    |
+| `txq.accept`      | `ledger_changed`     | bool   | set at end of accept loop                                           |
+
+**New attr keys**: `TxSpanNames.h` (`txType`, `fee`, `sequence`, `terResult`, `applied`), `TxQSpanNames.h` (`txType`).
+
+**Modified files**:
+
+- `src/xrpld/app/misc/TxSpanNames.h`
+- `src/xrpld/app/misc/detail/TxQSpanNames.h`
+- `src/xrpld/app/misc/NetworkOPs.cpp`
+- `src/xrpld/overlay/detail/PeerImp.cpp`
+- `src/xrpld/app/misc/detail/TxQ.cpp`
+
+---
+
+## Summary
+
+| Task | Description                         | New Files | Modified Files | Depends On |
+| ---- | ----------------------------------- | --------- | -------------- | ---------- |
+| 3.1  | TraceContext protobuf message       | 0         | 1              | Phase 2    |
+| 3.2  | Protobuf context serialization      | 1-2       | 0              | 3.1        |
+| 3.3  | PeerImp transaction instrumentation | 0         | 1              | 3.2        |
+| 3.4  | NetworkOPs transaction processing   | 0         | 1              | Phase 2    |
+| 3.5  | HashRouter dedup visibility         | 0         | 1              | 3.3        |
+| 3.6  | Relay context propagation           | 0         | 1-2            | 3.3, 3.5   |
+| 3.7  | Build verification and testing      | 0         | 0              | 3.1-3.6    |
+| 3.8  | TX span peer version attribute      | 0         | 1              | 3.3        |
+| 3.9  | Deterministic transaction trace ID  | 0-1       | 3              | 3.2, 3.3   |
+| 3.10 | TxQ instrumentation (6 spans)       | 1         | 1              | 3.4        |
+| 3.11 | TX/TxQ span attribute gap fill      | 0         | 5              | 3.3, 3.10  |
+
+**Parallel work**: Tasks 3.1 and 3.4 can start in parallel. Task 3.2 depends on 3.1. Tasks 3.3 and 3.5 depend on 3.2. Task 3.6 depends on 3.3 and 3.5. Task 3.8 depends on 3.3 (span must exist). Task 3.9 depends on 3.2 and 3.3. Task 3.10 depends on 3.4 (tx.process span must exist).
+
+**Exit Criteria** (from [06-implementation-phases.md §6.11.3](./06-implementation-phases.md)):
+
+- [x] Transaction traces span across nodes
+- [x] Trace context in Protocol Buffer messages
+- [ ] HashRouter deduplication visible in traces
+- [ ] <5% overhead on transaction throughput
+- [x] Deterministic trace_id: same trace_id for same tx across all nodes
+- [x] Protobuf span_id propagation preserves parent-child ordering when available
+
+---
+
+## Known Issues / Future Work
+
+### Unused trace_state proto field
+
+The `TraceContext.trace_state` field (field 4) in `xrpl.proto` is reserved for
+W3C `tracestate` vendor-specific key-value pairs but is not read or written by
+`TraceContextPropagator`. Wire it when cross-vendor trace propagation is needed.
+No wire cost since proto `optional` fields are zero-cost when absent.

OpenTelemetryPlan/Phase4_taskList.md

@@ -0,0 +1,940 @@
+# Phase 4: Consensus Tracing Task List
+
+> **Goal**: Full observability into consensus rounds — track round lifecycle, phase transitions, proposal handling, and validation. This is the RUN phase that completes the distributed tracing story.
+>
+> **Scope**: RCLConsensus instrumentation for round starts, phase transitions (open/establish/accept), proposal send/receive, validation handling, and correlation with transaction traces from Phase 3.
+>
+> **Branch**: `pratik/otel-phase4-consensus-tracing` (from `pratik/otel-phase3-tx-tracing`)
+
+> **Note on attribute names**: the `xrpl.<domain>.<field>` keys shown below are
+> written in the older dotted form for readability — it mirrors how the fully
+> qualified attribute reads in a Tempo trace view. The implemented keys follow
+> the convention in [CONTRIBUTING.md](../CONTRIBUTING.md#telemetry-span-attribute-naming)
+> (underscore form, e.g. `consensus_round`, `consensus_mode`); the
+> `*SpanNames.h` constants are the single source of truth.
+
+### Related Plan Documents
+
+| Document                                                     | Relevance                                                   |
+| ------------------------------------------------------------ | ----------------------------------------------------------- |
+| [04-code-samples.md](./04-code-samples.md)                   | Consensus instrumentation (§4.5.2), consensus span patterns |
+| [01-architecture-analysis.md](./01-architecture-analysis.md) | Consensus round flow (§1.4), key trace points (§1.6)        |
+| [06-implementation-phases.md](./06-implementation-phases.md) | Phase 4 tasks (§6.5), definition of done (§6.11.4)          |
+| [02-design-decisions.md](./02-design-decisions.md)           | Consensus attribute schema (§2.4.4)                         |
+
+---
+
+## Task 4.1: Instrument Consensus Round Start ✅
+
+**Objective**: Create a root span for each consensus round that captures the round's key parameters.
+
+**Status**: DONE (implemented via Task 4a.2 `startRoundTracing()` helper).
+
+**What was done**:
+
+- `RCLConsensus::Adaptor::startRoundTracing()` creates `consensus.round` span
+  via `SpanGuard::hashSpan()` (deterministic) or `SpanGuard::span()` (attribute strategy)
+- Attributes set: `xrpl.consensus.ledger_id`, `xrpl.ledger.seq`,
+  `xrpl.consensus.mode`, `trace_strategy`, `xrpl.consensus.round_id`
+- Round span stored as `roundSpan_` member in `RCLConsensus::Adaptor`
+- `roundSpanContext_` snapshot captured for cross-thread span linking
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+- `src/xrpld/app/consensus/RCLConsensus.h` (span and context members)
+
+**Reference**:
+
+- [04-code-samples.md §4.5.2](./04-code-samples.md) — startRound instrumentation example
+- [01-architecture-analysis.md §1.4](./01-architecture-analysis.md) — Consensus round flow
+
+---
+
+## Task 4.2: Instrument Phase Transitions ✅
+
+**Objective**: Create child spans for each consensus phase (open, establish, accept) to show timing breakdown.
+
+**Status**: DONE. All consensus phases are now instrumented:
+
+- `consensus.establish` — created in `Consensus.h::startEstablishTracing()`
+- `consensus.ledger_close` — created in `RCLConsensus.cpp::onClose()`
+- `consensus.accept` / `consensus.accept.apply` — created in `onAccept()` / `doAccept()`
+- `consensus.phase.open` — `openSpan_` member in `Consensus.h`, created in `startRoundInternal()`, ended in `closeLedger()`
+
+**Design notes**:
+
+- `phase` attribute — phases are distinguished by span names instead
+- `phase.enter` / `phase.exit` events — not added (span start/end serves this purpose)
+- `phase_duration_ms` attribute — not set (span duration captures this)
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+- `src/xrpld/consensus/Consensus.h` (template-level establish phase tracking)
+
+**Reference**:
+
+- [04-code-samples.md §4.5.2](./04-code-samples.md) — phaseTransition instrumentation
+
+---
+
+## Task 4.3: Instrument Proposal Handling ✅
+
+**Objective**: Trace proposal send and receive to show validator coordination.
+
+**Status**: DONE. Both send and receive paths are instrumented.
+
+**What was done**:
+
+- In `Adaptor::propose()`:
+  - Creates `consensus.proposal.send` span via `SpanGuard::span()`
+  - Sets `xrpl.consensus.round` attribute
+
+- In `PeerImp::onMessage(TMProposeSet)`:
+  - Creates `consensus.proposal.receive` span
+  - Sets `trusted` attribute (bool)
+
+**Not implemented** (deferred to Phase 4b — cross-node propagation):
+
+- `consensus.proposal.relay` span in `share(RCLCxPeerPos)` — requires trace context injection
+- Trace context injection/extraction for `TMProposeSet::trace_context`
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+
+**Reference**:
+
+- [04-code-samples.md §4.5.2](./04-code-samples.md) — peerProposal instrumentation
+- [02-design-decisions.md §2.4.4](./02-design-decisions.md) — Consensus attribute schema
+
+---
+
+## Task 4.4: Instrument Validation Handling ✅
+
+**Objective**: Trace validation send and receive to show ledger validation flow.
+
+**Status**: DONE. Both send and receive paths are instrumented.
+
+**What was done**:
+
+- In `Adaptor::validate()` (called from `doAccept()`):
+  - Creates `consensus.validation.send` span via `Adaptor::createValidationSpan()`
+  - Uses `SpanGuard::linkedSpan()` to create a follows-from link to the round span
+  - Thread-safe: uses `roundSpanContext_` snapshot (captured on consensus thread,
+    read on jtACCEPT thread)
+  - Sets `xrpl.ledger.seq` and `proposing` attributes
+
+- In `PeerImp::onMessage(TMValidation)`:
+  - Creates `consensus.validation.receive` span
+  - Sets `trusted` attribute (bool)
+  - Sets `xrpl.ledger.seq` attribute
+
+**Not implemented** (deferred to Phase 4b — cross-node propagation):
+
+- Validated ledger hash, signing time attributes on send span (see Task 4.8)
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+
+---
+
+## Task 4.5: Add Consensus-Specific Attributes ✅
+
+**Objective**: Enrich consensus spans with detailed attributes for debugging and analysis.
+
+**Status**: DONE. All core attributes are set across various spans, including the previously missing `tx_count` and `disputes_count`.
+
+**Implemented attributes** (across various spans):
+
+- `xrpl.ledger.seq` — on `consensus.round`, `consensus.accept.apply`
+- `xrpl.consensus.round` — on `consensus.proposal.send`
+- `xrpl.consensus.mode` — on `consensus.round`, `consensus.ledger_close`
+- `proposers` — on `consensus.accept`, `consensus.establish`, `consensus.update_positions`
+- `converge_percent` — on `consensus.establish`, `consensus.update_positions`, `consensus.check`
+- `tx_count` — on `consensus.accept.apply` span (in `doAccept()`)
+- `disputes_count` — on `consensus.update_positions` span (in `updateOurPositions()`)
+
+**Design notes**:
+
+- `phase` — phases distinguished by span names instead
+- `phase_duration_ms` — span duration captures this
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+- `src/xrpld/consensus/Consensus.h`
+
+---
+
+## Task 4.6: Correlate Transaction and Consensus Traces ✅
+
+**Objective**: Link transaction traces from Phase 3 with consensus traces so you can follow a transaction from submission through consensus into the ledger.
+
+**Status**: DONE. Transaction-consensus correlation implemented via `tx.included` events in `doAccept()`.
+
+**What was done**:
+
+- In `doAccept()` (RCLConsensus.cpp):
+  - Records `tx.included` events on the `consensus.accept.apply` span for each transaction in the accepted set
+  - Each event includes `xrpl.tx.id` attribute with the transaction hash
+  - This links consensus traces to individual transactions
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+
+---
+
+## Task 4.7: Build Verification and Testing ✅
+
+**Objective**: Verify all Phase 4 changes compile and don't affect consensus timing.
+
+**What to do**:
+
+1. Build with `telemetry=ON` — verify no compilation errors
+2. Build with `telemetry=OFF` — verify no regressions (critical for consensus code)
+3. Run existing consensus-related unit tests
+4. Verify that `SpanGuard` factory methods compile to no-ops when disabled
+5. Check that no consensus-critical code paths are affected by instrumentation overhead
+
+**Verification Checklist**:
+
+- [x] Build succeeds with telemetry ON
+- [x] Build succeeds with telemetry OFF
+- [x] Existing consensus tests pass
+- [x] `SpanGuard` no-op implementation prevents overhead when telemetry is OFF
+- [x] Phase timing instrumentation doesn't use blocking operations
+
+---
+
+## Task 4.8: Consensus Validation Span Enrichment — NOT DONE
+
+> **Source**: [External Dashboard Parity](../docs/superpowers/specs/2026-03-30-external-dashboard-parity-design.md) — adds validation agreement context inspired by the community [xrpl-validator-dashboard](https://github.com/realgrapedrop/xrpl-validator-dashboard).
+>
+> **Upstream**: Phase 4 tasks 4.1-4.4 (span creation must exist).
+> **Downstream**: Phase 7 (ValidationTracker reads these attributes), Phase 10 (validation checks).
+
+**Objective**: Add ledger hash, validation type, and quorum data to consensus validation spans on both send and receive paths. This enables trace-level validation agreement analysis — filter by ledger hash to see which validators agreed for a given ledger.
+
+**Status**: Not implemented. None of the enrichment attributes are set. The `consensus.validation.send` span only has `ledger.seq` and `proposing`. The `consensus.accept` span has `quorum` set to `result.proposers` (not the actual validator quorum from `app_.validators().quorum()`). No `PeerImp.cpp` changes were made.
+
+**What to do**:
+
+- Edit `src/xrpld/app/consensus/RCLConsensus.cpp`:
+  - On the `consensus.validation.send` span (in `validate()` / `doAccept()`):
+    - Add `xrpl.validation.ledger_hash` (string) — the ledger hash being validated
+    - Add `xrpl.validation.full` (bool) — whether this is a full validation (not partial)
+  - On the `consensus.accept` span (in `onAccept()`):
+    - Add `validation_quorum` (int64) — from `app_.validators().quorum()`
+    - Add `proposers_validated` (int64) — from `result.proposers`
+
+- Edit `src/xrpld/overlay/detail/PeerImp.cpp`:
+  - On the `peer.validation.receive` span:
+    - Add `xrpl.peer.validation.ledger_hash` (string) — from deserialized `STValidation` object
+    - Add `xrpl.peer.validation.full` (bool) — from `STValidation` flags
+
+**New span attributes**:
+
+| Span                        | Attribute                          | Type   | Source                            |
+| --------------------------- | ---------------------------------- | ------ | --------------------------------- |
+| `consensus.validation.send` | `xrpl.validation.ledger_hash`      | string | Ledger hash from validate() args  |
+| `consensus.validation.send` | `xrpl.validation.full`             | bool   | Full vs partial validation        |
+| `peer.validation.receive`   | `xrpl.peer.validation.ledger_hash` | string | From STValidation deserialization |
+| `peer.validation.receive`   | `xrpl.peer.validation.full`        | bool   | From STValidation flags           |
+| `consensus.accept`          | `validation_quorum`                | int64  | `app_.validators().quorum()`      |
+| `consensus.accept`          | `proposers_validated`              | int64  | `result.proposers`                |
+
+**Rationale**: The external dashboard's most valuable feature is validation agreement tracking. By recording the ledger hash on both outgoing and incoming validation spans, we create the raw data for agreement analysis at the trace level. Example Tempo query:
+
+```
+{name="consensus.validation.send"} | xrpl.validation.ledger_hash = "A1B2C3..."
+```
+
+Phase 7's `ValidationTracker` builds metric-level aggregation (1h/24h agreement %) on top of this data.
+
+**Key modified files (not yet modified)**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+- `src/xrpld/overlay/detail/PeerImp.cpp`
+
+**Exit Criteria**:
+
+- [x] `consensus.validation.send` spans carry `ledger_hash` and `full_validation`
+- [ ] `peer.validation.receive` spans carry `xrpl.peer.validation.ledger_hash` and `xrpl.peer.validation.full`
+- [ ] `consensus.accept` spans carry `validation_quorum` and `proposers_validated`
+- [x] Ledger hash attributes match between send and receive for the same ledger
+- [ ] No impact on consensus performance
+
+---
+
+## Task 4.9: Consensus Span Attribute Gap Fill
+
+**Status**: COMPLETE
+
+**Objective**: Add workflow-critical attributes to consensus spans that enable operators to understand consensus outcomes, identify bow-out proposals, and correlate validations to specific ledgers.
+
+**Attributes added**:
+
+| Span                        | Attribute         | Type   | Source                                |
+| --------------------------- | ----------------- | ------ | ------------------------------------- |
+| `consensus.proposal.send`   | `is_bow_out`      | bool   | `proposal.isBowOut()`                 |
+| `consensus.accept`          | `consensus_state` | string | `result.state` (yes/moved_on/expired) |
+| `consensus.accept`          | `disputes_count`  | int64  | `result.disputes.size()`              |
+| `consensus.validation.send` | `ledger_hash`     | string | `ledger.ledger->header().hash`        |
+
+**New attr keys**: `ConsensusSpanNames.h` (`isBowOut`, `ledgerHash`).
+
+**Modified files**:
+
+- `src/xrpld/consensus/ConsensusSpanNames.h`
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+
+---
+
+## Summary
+
+| Task | Description                                 | Status      | New Files | Modified Files | Depends On    |
+| ---- | ------------------------------------------- | ----------- | --------- | -------------- | ------------- |
+| 4.1  | Consensus round start instrumentation       | ✅ Done     | 0         | 2              | Phase 3       |
+| 4.2  | Phase transition instrumentation            | ✅ Done     | 0         | 1-2            | 4.1           |
+| 4.3  | Proposal handling instrumentation           | ✅ Done     | 0         | 2              | 4.1           |
+| 4.4  | Validation handling instrumentation         | ✅ Done     | 0         | 2              | 4.1           |
+| 4.5  | Consensus-specific attributes               | ✅ Done     | 0         | 2              | 4.2, 4.3, 4.4 |
+| 4.6  | Transaction-consensus correlation           | ✅ Done     | 0         | 1              | 4.2, Phase 3  |
+| 4.7  | Build verification and testing              | ✅ Done     | 0         | 0              | 4.1-4.6       |
+| 4.8  | Validation span enrichment (ext. dashboard) | ❌ Not done | 0         | 2              | 4.4           |
+| 4.9  | Consensus span attribute gap fill           | ✅ Done     | 0         | 2              | 4.1-4.5       |
+
+**Parallel work**: Tasks 4.2, 4.3, and 4.4 can run in parallel after 4.1 is complete. Task 4.5 depends on all three. Task 4.6 depends on 4.2 and Phase 3. Task 4.8 depends on 4.4 (validation spans must exist).
+
+### Implemented Spans
+
+| Span Name                   | Method                             | Key Attributes                                                                                                                                                                                                        |
+| --------------------------- | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `consensus.proposal.send`   | `Adaptor::propose`                 | `xrpl.consensus.round`, `is_bow_out`                                                                                                                                                                                  |
+| `consensus.ledger_close`    | `Adaptor::onClose`                 | `xrpl.ledger.seq`, `xrpl.consensus.mode`                                                                                                                                                                              |
+| `consensus.accept`          | `Adaptor::onAccept`                | `proposers`, `round_time_ms`, `quorum`, `disputes_count`, `consensus_state`                                                                                                                                           |
+| `consensus.accept.apply`    | `Adaptor::doAccept`                | `close_time`, `close_time_correct`, `close_resolution_ms`, `consensus_state`, `proposing`, `round_time_ms`, `xrpl.ledger.seq`, `parent_close_time`, `close_time_self`, `close_time_vote_bins`, `resolution_direction` |
+| `consensus.validation.send` | `Adaptor::onAccept` (via validate) | `proposing`, `ledger_hash`, `ledger_seq`, `full_validation`, `validation_sign_time`                                                                                                                                   |
+
+#### Close Time Attributes (consensus.accept.apply)
+
+The `consensus.accept.apply` span captures ledger close time agreement details
+driven by `avCT_CONSENSUS_PCT` (75% validator agreement threshold):
+
+- **`close_time`** — Agreed-upon ledger close time (epoch seconds). When validators disagree (`consensusCloseTime == epoch`), this is synthetically set to `prevCloseTime + 1s`.
+- **`close_time_correct`** — `true` if validators reached agreement, `false` if they "agreed to disagree" (close time forced to prev+1s).
+- **`close_resolution_ms`** — Rounding granularity for close time (starts at 30s, decreases as ledger interval stabilizes).
+- **`consensus_state`** — `"finished"` (normal) or `"moved_on"` (consensus failed, adopted best available).
+- **`proposing`** — Whether this node was proposing.
+- **`round_time_ms`** — Total consensus round duration.
+- **`parent_close_time`** — Previous ledger's close time (epoch seconds). Enables computing close-time deltas across consecutive rounds without correlating separate spans.
+- **`close_time_self`** — This node's own proposed close time before consensus voting.
+- **`close_time_vote_bins`** — Number of distinct close-time vote bins from peer proposals. Higher values indicate less agreement among validators.
+- **`resolution_direction`** — Whether close-time resolution `"increased"` (coarser), `"decreased"` (finer), or stayed `"unchanged"` relative to the previous ledger.
+
+**Exit Criteria** (from [06-implementation-phases.md §6.11.4](./06-implementation-phases.md)):
+
+- [x] Complete consensus round traces
+- [x] Phase transitions visible (open, establish, close, accept)
+- [x] Proposals and validations traced — send and receive; relay deferred to Phase 4b
+- [x] Close time agreement tracked (per `avCT_CONSENSUS_PCT`)
+- [x] No impact on consensus timing
+- [x] Transaction-consensus correlation (Task 4.6) — `tx.included` events in doAccept
+- [ ] Validation span enrichment (Task 4.8) — not implemented
+
+---
+
+# Phase 4a: Establish-Phase Gap Fill & Cross-Node Correlation
+
+> **Goal**: Fill tracing gaps in the consensus establish phase (disputes, convergence,
+> threshold escalation, mode changes) and establish cross-node correlation using a
+> deterministic shared trace ID derived from `previousLedger.id()`.
+>
+> **Approach**: Direct instrumentation in `Consensus.h` and `RCLConsensus.cpp`.
+> All spans use `SpanGuard` factory methods (`span()`, `hashSpan()`, `linkedSpan()`)
+> with `TraceCategory::Consensus` gating. Long-lived spans (round, establish) are
+> stored as `std::optional<SpanGuard>` class members. Short-lived scoped spans
+> (update_positions, check) are local variables. No macros are used — all tracing
+> is via direct `SpanGuard` API calls. `SpanGuard` compiles to no-ops when
+> telemetry is disabled.
+>
+> **Branch**: `pratik/otel-phase4-consensus-tracing`
+
+## Design: Switchable Correlation Strategy
+
+Two strategies for cross-node trace correlation, switchable via config:
+
+### Strategy A — Deterministic Trace ID (Default)
+
+Derive `trace_id = SHA256(previousLedger.id())[0:16]` so all nodes in the same
+consensus round share the same trace_id without P2P context propagation.
+
+- **Pros**: All nodes appear in the same trace in Tempo/Jaeger automatically.
+  No collector-side post-processing needed.
+- **Cons**: Overrides OTel's random trace_id generation; requires custom
+  `IdGenerator` or manual span context construction.
+
+### Strategy B — Attribute-Based Correlation
+
+Use normal random trace_id but attach `xrpl.consensus.ledger_id` as an attribute
+on every consensus span. Correlation happens at query time via Tempo/Grafana
+`by attribute` queries.
+
+- **Pros**: Standard OTel trace_id semantics; no SDK customization.
+- **Cons**: Cross-node correlation requires query-time joins, not automatic.
+
+### Config
+
+```ini
+[telemetry]
+# "deterministic" (default) or "attribute"
+consensus_trace_strategy=deterministic
+```
+
+The C++ API to query this at runtime is `Telemetry::getConsensusTraceStrategy()`,
+which returns a `std::string const&` (`"deterministic"` or `"attribute"`).
+
+### Implementation
+
+In `RCLConsensus::Adaptor::startRound()`:
+
+- If `deterministic`:
+  1. Compute `trace_id_bytes = SHA256(prevLedgerID)[0:16]`
+  2. Construct `opentelemetry::trace::TraceId(trace_id_bytes)`
+  3. Create a synthetic `SpanContext` with this trace_id and a random span_id:
+     ```cpp
+     auto traceId = opentelemetry::trace::TraceId(trace_id_bytes);
+     auto spanId  = opentelemetry::trace::SpanId(random_8_bytes);
+     auto syntheticCtx = opentelemetry::trace::SpanContext(
+         traceId, spanId, opentelemetry::trace::TraceFlags(1), false);
+     ```
+  4. Wrap in `opentelemetry::context::Context` via
+     `opentelemetry::trace::SetSpan(context, syntheticSpan)`
+  5. Call `startSpan("consensus.round", parentContext)` so the new span
+     inherits the deterministic trace_id.
+- If `attribute`: start a normal `consensus.round` span, set
+  `xrpl.consensus.ledger_id = previousLedger.id()` as attribute.
+
+Both strategies always set `xrpl.consensus.round_id` (round number) and
+`xrpl.consensus.ledger_id` (previous ledger hash) as attributes.
+
+---
+
+## Design: Span Hierarchy
+
+```
+consensus.round  (root — created in RCLConsensus::startRound, closed at accept)
+│   link → previous round's SpanContext (follows-from)
+│
+├── consensus.establish  (phaseEstablish → acceptance, in Consensus.h)
+│   ├── consensus.update_positions  (each updateOurPositions call)
+│   │   └── consensus.dispute.resolve  (per-tx dispute resolution event)
+│   ├── consensus.check  (each haveConsensus call)
+│   └── consensus.mode_change  (short-lived span in adaptor on mode transition)
+│
+├── consensus.accept  (existing onAccept span — reparented under round)
+│
+└── consensus.validation.send  (existing — reparented, follows-from link to round)
+```
+
+### Span Links (follows-from relationships)
+
+| Link Source                               | Link Target                | Rationale                                                                      |
+| ----------------------------------------- | -------------------------- | ------------------------------------------------------------------------------ |
+| `consensus.round` (N+1)                   | `consensus.round` (N)      | Causal chain: round N+1 exists because round N accepted                        |
+| `consensus.validation.send`               | `consensus.round`          | Validation follows from the round that produced it; may outlive the round span |
+| _(Phase 4b)_ Received proposal processing | Sender's `consensus.round` | Cross-node causal link via P2P context propagation                             |
+
+---
+
+## Task 4a.0: Prerequisites — Extend SpanGuard and Telemetry APIs ✅
+
+**Objective**: Add missing API surface needed by later tasks.
+
+**Status**: Done, but implemented differently than originally planned. The macro-based
+approach (`XRPL_TRACE_CONSENSUS`, `XRPL_TRACE_ADD_EVENT`, `XRPL_TRACE_SET_ATTR`) was
+**not used**. Instead, all consensus tracing uses `SpanGuard` factory methods and
+direct method calls, which is cleaner and avoids macro control-flow issues.
+
+**What was done**:
+
+1. **`SpanGuard::addEvent()` with attributes** — implemented as planned:
+
+   ```cpp
+   using EventAttribute = std::pair<std::string_view, std::string_view>;
+
+   void addEvent(std::string_view name,
+       std::initializer_list<EventAttribute> attrs);
+   ```
+
+   Callers pass plain `string_view` pairs; the implementation converts internally.
+
+   ```cpp
+   // Actual usage in Consensus.h::updateOurPositions():
+   span.addEvent(
+       "dispute.resolve",
+       {{consensus::span::attr::txId, to_string(txId)},
+        {consensus::span::attr::disputeOurVote, dispute.getOurVote() ? "yes" : "no"}});
+   ```
+
+2. **Span link support** — implemented via `SpanGuard::linkedSpan()` static factory
+   instead of a `Telemetry::startSpan()` overload:
+
+   ```cpp
+   static SpanGuard linkedSpan(
+       std::string_view name, SpanContext const& linkTarget);
+   ```
+
+3. **No macros added** — `TracingInstrumentation.h` was not created. The `XRPL_TRACE_CONSENSUS`,
+   `XRPL_TRACE_ADD_EVENT`, and `XRPL_TRACE_SET_ATTR` macros from the original plan were
+   not implemented. All consensus tracing uses direct `SpanGuard` API:
+   - `SpanGuard::span()` — create scoped spans
+   - `SpanGuard::hashSpan()` — create spans with deterministic trace IDs
+   - `SpanGuard::linkedSpan()` — create spans with follows-from links
+   - `span.setAttribute()` — set attributes directly
+   - `span.addEvent()` — add events directly
+
+**Key modified files**:
+
+- `include/xrpl/telemetry/SpanGuard.h` — `addEvent()` overload, `EventAttribute` type alias
+- `src/libxrpl/telemetry/SpanGuard.cpp` — `addEvent()` implementation
+
+---
+
+## Task 4a.1: Adaptor `getTelemetry()` Method — NOT DONE (Not Needed)
+
+**Objective**: Give `Consensus.h` access to the telemetry subsystem without
+coupling the generic template to OTel headers.
+
+**Status**: Not implemented as specified. The `getTelemetry()` adaptor method was
+not needed because `SpanGuard::span()` is a static factory method that internally
+checks telemetry state via the global `Telemetry` singleton. `Consensus.h` creates
+spans by calling `SpanGuard::span(TraceCategory::Consensus, ...)` directly, without
+needing adaptor access. Only `RCLConsensus::Adaptor` uses `app_.getTelemetry()`
+directly (for `getConsensusTraceStrategy()` in `startRoundTracing()`).
+
+**Key insight**: The `XRPL_TRACE_*` macro approach would have required
+`adaptor_.getTelemetry()`. Since macros were not used, this task became unnecessary.
+
+---
+
+## Task 4a.2: Switchable Round Span with Deterministic Trace ID ✅
+
+**Objective**: Create a `consensus.round` root span in `startRound()` that uses
+the switchable correlation strategy. Store span context as a member for child
+spans in `Consensus.h`.
+
+**Status**: Done. Implemented in `Adaptor::startRoundTracing()`.
+
+**What was done**:
+
+- `RCLConsensus::Adaptor::startRoundTracing()` helper:
+  - Reads `consensus_trace_strategy` via `app_.getTelemetry().getConsensusTraceStrategy()`
+  - **Deterministic**: uses `SpanGuard::hashSpan()` with `prevLgr.id()` data
+  - **Attribute**: uses `SpanGuard::span(TraceCategory::Consensus, seg::consensus, "round")`
+  - Sets attributes: `xrpl.consensus.ledger_id`, `xrpl.ledger.seq`, `xrpl.consensus.mode`, `trace_strategy`, `xrpl.consensus.round_id`
+  - Captures `roundSpanContext_` snapshot for cross-thread span linking
+  - Saves `prevRoundContext_` from previous round for follows-from links
+
+- **`SpanGuard::hashSpan()` factory**: encapsulates deterministic trace ID logic:
+
+  ```cpp
+  static SpanGuard hashSpan(
+      TraceCategory cat, std::string_view name,
+      std::uint8_t const* hashData, std::size_t hashSize);
+  ```
+
+  Derives `trace_id = hashData[0:16]` so all nodes in the same round share
+  the same trace_id. Compiles to no-op when telemetry is disabled.
+
+- `consensus_trace_strategy` config parsed in `TelemetryConfig.cpp`,
+  stored in `Telemetry::Setup`, accessible via `Telemetry::getConsensusTraceStrategy()`
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp` — `startRoundTracing()` implementation
+- `src/xrpld/app/consensus/ConsensusSpanNames.h` — **(new)** compile-time span name and attribute key constants
+- `include/xrpl/telemetry/Telemetry.h` — `consensusTraceStrategy` in Setup, `getConsensusTraceStrategy()`
+- `src/libxrpl/telemetry/TelemetryConfig.cpp` — parse new config option
+
+---
+
+## Task 4a.3: Span Members in `Consensus.h` ✅
+
+**Objective**: Add span storage to the `Consensus` class so that spans created
+in `startRound()` (adaptor) are accessible from `phaseEstablish()`,
+`updateOurPositions()`, and `haveConsensus()` (template methods).
+
+**Status**: Done with documented plan deviation.
+
+**What was done**:
+
+- `establishSpan_` added to `Consensus` private members (as planned):
+
+  ```cpp
+  std::optional<xrpl::telemetry::SpanGuard> establishSpan_;
+  ```
+
+- **Plan deviation**: `roundSpan_`, `prevRoundContext_`, and `roundSpanContext_`
+  are stored in `RCLConsensus::Adaptor` (not `Consensus.h`) because the adaptor
+  has access to telemetry config for the deterministic trace ID strategy.
+
+- **No `#ifdef XRPL_ENABLE_TELEMETRY` guards**: Members use `std::optional<SpanGuard>`
+  and `SpanContext` which have no-op implementations when telemetry is disabled,
+  so `#ifdef` guards are unnecessary. The members are always present in the class
+  layout but incur negligible overhead.
+
+- Includes added unconditionally to `Consensus.h`:
+  ```cpp
+  #include <xrpl/telemetry/SpanGuard.h>
+  #include <xrpld/app/consensus/ConsensusSpanNames.h>
+  ```
+  No `TracingInstrumentation.h` include (file doesn't exist; macros not used).
+
+**Key modified files**:
+
+- `src/xrpld/consensus/Consensus.h`
+- `src/xrpld/app/consensus/RCLConsensus.h` (round span and context members)
+
+---
+
+## Task 4a.4: Instrument `phaseEstablish()` ✅
+
+**Objective**: Create `consensus.establish` span wrapping the establish phase,
+with attributes for convergence progress.
+
+**Status**: Done. Implemented via three private helpers in `Consensus.h`.
+
+**What was done**:
+
+- `startEstablishTracing()` — creates `consensus.establish` span via
+  `SpanGuard::span(TraceCategory::Consensus, seg::consensus, "establish")`.
+  Called once at start of establish phase. No `#ifdef` guards needed —
+  `SpanGuard::span()` returns a no-op guard when telemetry is disabled.
+
+- `updateEstablishTracing()` — sets attributes on each `phaseEstablish()` call:
+  - `converge_percent` — `convergePercent_`
+  - `establish_count` — `establishCounter_`
+  - `proposers` — `currPeerPositions_.size()`
+
+- `endEstablishTracing()` — calls `establishSpan_.reset()` on phase exit.
+
+**Key modified files**:
+
+- `src/xrpld/consensus/Consensus.h` — `phaseEstablish()` method + 3 helper methods
+
+---
+
+## Task 4a.5: Instrument `updateOurPositions()` ✅
+
+**Objective**: Trace each position update cycle including dispute resolution
+details.
+
+**Status**: DONE. Span, dispute events with yays/nays, and disputes_count attribute are all implemented.
+
+**What was done**:
+
+- Creates `consensus.update_positions` scoped span via
+  `SpanGuard::span(TraceCategory::Consensus, seg::consensus, "update_positions")`:
+
+  ```cpp
+  auto span = SpanGuard::span(TraceCategory::Consensus, seg::consensus, "update_positions");
+  ```
+
+- Attributes set:
+  - `converge_percent` — current convergence
+  - `proposers` — `currPeerPositions_.size()`
+  - `have_close_time_consensus` — close time consensus state
+  - `close_time_threshold` — `avCT_CONSENSUS_PCT`
+  - `disputes_count` — number of active disputes
+
+- Dispute events recorded via direct `span.addEvent()` call with yays/nays:
+  ```cpp
+  span.addEvent(
+      "dispute.resolve",
+      {{consensus::span::attr::txId, to_string(txId)},
+       {consensus::span::attr::disputeOurVote, dispute.getOurVote() ? "yes" : "no"},
+       {consensus::span::attr::disputeYays, std::to_string(dispute.getYays())},
+       {consensus::span::attr::disputeNays, std::to_string(dispute.getNays())}});
+  ```
+
+**Not implemented**:
+
+- `proposers_agreed` / `proposers_total` attributes — not set
+
+**Key modified files**:
+
+- `src/xrpld/consensus/Consensus.h` — `updateOurPositions()` method
+- `src/xrpld/consensus/DisputedTx.h` — added `getYays()` / `getNays()` (currently unused)
+
+---
+
+## Task 4a.6: Instrument `haveConsensus()` (Threshold & Convergence) ✅
+
+**Objective**: Trace consensus checking including threshold escalation.
+
+**Status**: DONE. The `consensus.check` span is created with all planned attributes
+including the avalanche threshold.
+
+**What was done**:
+
+- Creates `consensus.check` scoped span via
+  `SpanGuard::span(TraceCategory::Consensus, seg::consensus, "check")`:
+
+  ```cpp
+  auto span = SpanGuard::span(TraceCategory::Consensus, seg::consensus, "check");
+  ```
+
+- Attributes set:
+  - `agree_count` — peers that agree with our position
+  - `disagree_count` — peers that disagree
+  - `converge_percent` — convergence percentage
+  - `have_close_time_consensus` — close time consensus state
+  - `threshold_percent` — set to `avCT_CONSENSUS_PCT` (75%)
+  - `consensus_result` — "yes", "no", or "moved_on"
+  - `avalanche_threshold` — the escalated weight from `getNeededWeight()` on the `consensus.update_positions` span
+
+**Key modified files**:
+
+- `src/xrpld/consensus/Consensus.h` — `haveConsensus()` method
+
+---
+
+## Task 4a.7: Instrument Mode Changes ✅
+
+**Objective**: Trace consensus mode transitions (proposing ↔ observing,
+wrongLedger, switchedLedger).
+
+**Status**: Done.
+
+**What was done**:
+
+- In `RCLConsensus::Adaptor::onModeChange()`, creates a scoped span via direct
+  `SpanGuard::span()` call:
+
+  ```cpp
+  auto span = telemetry::SpanGuard::span(
+      telemetry::TraceCategory::Consensus, telemetry::seg::consensus, "mode_change");
+  span.setAttribute(consensus::span::attr::modeOld, to_string(before).c_str());   // "mode_old"
+  span.setAttribute(consensus::span::attr::modeNew, to_string(after).c_str());   // "mode_new"
+  ```
+
+- `MonitoredMode::set()` in `Consensus.h` calls `adaptor_.onModeChange(before, after)`.
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp` — `onModeChange()`
+
+---
+
+## Task 4a.8: Reparent Existing Spans Under Round ✅
+
+**Objective**: Make existing consensus spans (`consensus.accept`,
+`consensus.accept.apply`, `consensus.validation.send`) children of the
+`consensus.round` root span instead of being standalone.
+
+**Status**: DONE. All three spans are now parented under the round span.
+
+**What was done**:
+
+- `consensus.validation.send` uses `SpanGuard::linkedSpan()` to create a
+  follows-from link to `roundSpanContext_`. This is thread-safe because
+  `roundSpanContext_` is a lightweight `SpanContext` snapshot captured on the
+  consensus thread and read on the jtACCEPT worker thread.
+
+- `consensus.accept` and `consensus.accept.apply` now use
+  `SpanGuard::childSpan(name, roundSpanContext_)` instead of `SpanGuard::span()`
+  to explicitly parent under the round span context. This solves the cross-thread
+  parenting problem:
+  - `doAccept()` runs on the jtACCEPT worker thread (not the consensus thread)
+  - `childSpan()` explicitly passes the parent context, bypassing OTel's
+    thread-local context propagation
+
+**Key modified files**:
+
+- `src/xrpld/app/consensus/RCLConsensus.cpp`
+
+---
+
+## Task 4a.9: Build Verification and Testing ✅
+
+**Objective**: Verify all Phase 4a changes compile cleanly with telemetry ON
+and OFF, and don't affect consensus timing.
+
+**What to do**:
+
+1. Build with `telemetry=ON` — verify no compilation errors
+2. Build with `telemetry=OFF` — verify `SpanGuard` compiles to no-ops
+3. Run existing consensus unit tests
+4. Verify `SpanGuard` / `SpanContext` members have negligible overhead when disabled
+5. Run `pccl` pre-commit checks
+
+**Verification Checklist**:
+
+- [x] Build succeeds with telemetry ON
+- [x] Build succeeds with telemetry OFF
+- [x] Existing consensus tests pass
+- [x] `SpanGuard` no-op path verified (no `#ifdef` needed — disabled at runtime)
+- [x] No new virtual calls in hot consensus paths
+- [x] `pccl` passes
+
+---
+
+## Phase 4a Summary
+
+| Task | Description                                      | Status                   | New Files | Modified Files | Depends On |
+| ---- | ------------------------------------------------ | ------------------------ | --------- | -------------- | ---------- |
+| 4a.0 | Prerequisites: extend SpanGuard & Telemetry APIs | ✅ Done (no macros)      | 0         | 2              | Phase 4    |
+| 4a.1 | Adaptor `getTelemetry()` method                  | ⏭️ Skipped (not needed)  | 0         | 0              | Phase 4    |
+| 4a.2 | Switchable round span with deterministic traceID | ✅ Done                  | 1         | 3              | 4a.0       |
+| 4a.3 | Span members in `Consensus.h`                    | ✅ Done (with deviation) | 0         | 2              | —          |
+| 4a.4 | Instrument `phaseEstablish()`                    | ✅ Done                  | 0         | 1              | 4a.3       |
+| 4a.5 | Instrument `updateOurPositions()`                | ✅ Done                  | 0         | 2              | 4a.0, 4a.3 |
+| 4a.6 | Instrument `haveConsensus()` (thresholds)        | ✅ Done                  | 0         | 1              | 4a.3       |
+| 4a.7 | Instrument mode changes                          | ✅ Done                  | 0         | 1              | —          |
+| 4a.8 | Reparent existing spans under round              | ✅ Done                  | 0         | 1              | 4a.0, 4a.2 |
+| 4a.9 | Build verification and testing                   | ✅ Done                  | 0         | 0              | 4a.0-4a.8  |
+
+**Parallel work**: Tasks 4a.0 and 4a.1 can run in parallel. Tasks 4a.4, 4a.5, 4a.6, and 4a.7 can run in parallel after 4a.3 (and 4a.0 for 4a.5).
+
+### New Spans (Phase 4a)
+
+| Span Name                    | Location           | Key Attributes (actually set)                                                                                                 |
+| ---------------------------- | ------------------ | ----------------------------------------------------------------------------------------------------------------------------- |
+| `consensus.round`            | `RCLConsensus.cpp` | `xrpl.consensus.round_id`, `xrpl.consensus.ledger_id`, `xrpl.ledger.seq`, `xrpl.consensus.mode`, `trace_strategy`             |
+| `consensus.establish`        | `Consensus.h`      | `converge_percent`, `establish_count`, `proposers`                                                                            |
+| `consensus.update_positions` | `Consensus.h`      | `converge_percent`, `proposers`, `have_close_time_consensus`, `close_time_threshold`, `disputes_count`, `avalanche_threshold` |
+| `consensus.check`            | `Consensus.h`      | `agree_count`, `disagree_count`, `converge_percent`, `have_close_time_consensus`, `threshold_percent`, `consensus_result`     |
+| `consensus.mode_change`      | `RCLConsensus.cpp` | `mode_old`, `mode_new`                                                                                                        |
+
+### New Events (Phase 4a)
+
+| Event Name        | Parent Span                  | Attributes (actually set)                                        |
+| ----------------- | ---------------------------- | ---------------------------------------------------------------- |
+| `dispute.resolve` | `consensus.update_positions` | `xrpl.tx.id`, `dispute_our_vote`, `dispute_yays`, `dispute_nays` |
+| `tx.included`     | `consensus.accept.apply`     | `xrpl.tx.id`                                                     |
+
+### New Attributes (Phase 4a)
+
+```cpp
+// Round-level (on consensus.round) — ALL IMPLEMENTED
+"xrpl.consensus.round_id"             = int64    // Consensus round number
+"xrpl.consensus.ledger_id"            = string   // previousLedger.id() hash
+"trace_strategy"                       = string   // "deterministic" or "attribute"
+
+// Establish-level — IMPLEMENTED
+"converge_percent"                     = int64    // Convergence % (0-100+)
+"establish_count"                      = int64    // Number of establish iterations
+"agree_count"                          = int64    // Peers that agree (haveConsensus)
+"disagree_count"                       = int64    // Peers that disagree
+"threshold_percent"                    = int64    // Current threshold (avCT_CONSENSUS_PCT = 75%)
+"consensus_result"                     = string   // "yes", "no", "moved_on"
+"have_close_time_consensus"            = bool     // Close time consensus reached
+"close_time_threshold"                 = int64    // Close time voting threshold
+
+// Establish-level — IMPLEMENTED
+"disputes_count"                       = int64    // Active disputes (on update_positions)
+"avalanche_threshold"                  = int64    // Escalated weight (on update_positions)
+
+// Establish-level — NOT IMPLEMENTED
+// "proposers_agreed"                  = int64    // Peers agreeing with us — not set
+// "proposers_total"                   = int64    // Total peer positions — not set (not defined)
+
+// Mode change — ALL IMPLEMENTED
+"mode_old"                             = string   // Previous mode
+"mode_new"                             = string   // New mode
+```
+
+### Implementation Notes
+
+- **No macros**: The planned `XRPL_TRACE_CONSENSUS`, `XRPL_TRACE_ADD_EVENT`, and
+  `XRPL_TRACE_SET_ATTR` macros were not implemented. All consensus tracing uses
+  `SpanGuard` factory methods (`span()`, `hashSpan()`, `linkedSpan()`) and direct
+  method calls (`setAttribute()`, `addEvent()`). This avoids macro control-flow
+  issues and is cleaner than the planned approach.
+- **Separation of concerns**: All non-trivial telemetry code extracted to private
+  helpers (`startRoundTracing`, `createValidationSpan`, `startEstablishTracing`,
+  `updateEstablishTracing`, `endEstablishTracing`). Business logic methods contain
+  single-line calls to these helpers.
+- **Thread safety**: `createValidationSpan()` runs on the jtACCEPT worker thread.
+  Instead of accessing `roundSpan_` across threads, a `roundSpanContext_` snapshot
+  (lightweight `SpanContext` value type) is captured on the consensus thread in
+  `startRoundTracing()` and read by `createValidationSpan()`. The job queue
+  provides the happens-before guarantee.
+- **No `#ifdef` guards**: Span members use `std::optional<SpanGuard>` and `SpanContext`
+  which have no-op implementations when telemetry is disabled. No `#ifdef XRPL_ENABLE_TELEMETRY`
+  guards needed around members or includes.
+- **No `getTelemetry()` adaptor method**: `SpanGuard::span()` is a static factory that
+  internally checks telemetry state, so `Consensus.h` doesn't need adaptor access
+  for span creation. Only `RCLConsensus::Adaptor` accesses `app_.getTelemetry()` directly.
+- **Config validation**: `consensus_trace_strategy` is validated to be either
+  `"deterministic"` or `"attribute"`, falling back to `"deterministic"` for
+  unrecognised values.
+- **Plan deviation**: `roundSpan_` is stored in `RCLConsensus::Adaptor` (not
+  `Consensus.h`) because the adaptor has access to telemetry config and can
+  implement the deterministic trace ID strategy. `establishSpan_` is correctly
+  in `Consensus.h` as planned.
+
+---
+
+# Phase 4b: Cross-Node Propagation (Future — Documentation Only)
+
+> **Goal**: Wire `TraceContextPropagator` for P2P messages so that proposals
+> and validations carry trace context between nodes. This enables true
+> distributed tracing where a proposal sent by Node A creates a child span
+> on Node B.
+>
+> **Status**: NOT IMPLEMENTED. The protobuf fields and propagator class exist
+> but are not wired. This section documents the design for future work.
+
+## Architecture
+
+```
+Node A (proposing)                         Node B (receiving)
+─────────────────                         ──────────────────
+consensus.round                           consensus.round
+├── propose()                             ├── peerProposal()
+│   └── TraceContextPropagator            │   └── TraceContextPropagator
+│       ::injectToProtobuf(               │       ::extractFromProtobuf(
+│           TMProposeSet.trace_context)   │           TMProposeSet.trace_context)
+│                                         │   └── span link → Node A's context
+└── validate()                            └── onValidation()
+    └── inject into TMValidation              └── extract from TMValidation
+```
+
+## Wiring Points
+
+| Message         | Inject Location                    | Extract Location                    | Protobuf Field             |
+| --------------- | ---------------------------------- | ----------------------------------- | -------------------------- |
+| `TMProposeSet`  | `Adaptor::propose()`               | `PeerImp::onMessage(TMProposeSet)`  | field 1001: `TraceContext` |
+| `TMValidation`  | `Adaptor::validate()`              | `PeerImp::onMessage(TMValidation)`  | field 1001: `TraceContext` |
+| `TMTransaction` | `NetworkOPs::processTransaction()` | `PeerImp::onMessage(TMTransaction)` | field 1001: `TraceContext` |
+
+## Span Link Semantics
+
+Received messages use **span links** (follows-from), NOT parent-child:
+
+- The receiver's processing span links to the sender's context
+- This preserves each node's independent trace tree
+- Cross-node correlation visible via linked traces in Tempo/Jaeger
+
+## Interaction with Deterministic Trace ID (Strategy A)
+
+When using deterministic trace_id (Phase 4a default), cross-node spans already
+share the same trace_id. P2P propagation adds **span-level** linking:
+
+- Without propagation: spans from different nodes appear in the same trace
+  (same trace_id) but without parent-child or follows-from relationships.
+- With propagation: spans have explicit links showing which proposal/validation
+  from Node A caused processing on Node B.
+
+## Prerequisites
+
+- Phase 4a (this task list) — establish phase tracing must be in place
+- `TraceContextPropagator` free functions (already exist in
+  `include/xrpl/telemetry/TraceContextPropagator.h`)
+- Protobuf `TraceContext` message (already exists, field 1001)

OpenTelemetryPlan/Phase5_IntegrationTest_taskList.md

@@ -0,0 +1,221 @@
+# Phase 5: Integration Test Task List
+
+> **Goal**: End-to-end verification of the complete telemetry pipeline using a
+> 6-node consensus network. Proves that RPC, transaction, and consensus spans
+> flow through the observability stack (otel-collector, Tempo, Prometheus,
+> Grafana) under realistic conditions.
+>
+> **Scope**: Integration test script, manual testing plan, 6-node local network
+> setup, Tempo/Prometheus/Grafana verification.
+>
+> **Branch**: `pratik/otel-phase5-docs-deployment`
+
+### Related Plan Documents
+
+| Document                                                         | Relevance                                  |
+| ---------------------------------------------------------------- | ------------------------------------------ |
+| [07-observability-backends.md](./07-observability-backends.md)   | Tempo, Grafana, Prometheus setup           |
+| [05-configuration-reference.md](./05-configuration-reference.md) | Collector config, Docker Compose           |
+| [06-implementation-phases.md](./06-implementation-phases.md)     | Phase 5 tasks, definition of done          |
+| [Phase5_taskList.md](./Phase5_taskList.md)                       | Phase 5 main task list (5.6 = integration) |
+
+---
+
+## Task IT.1: Create Integration Test Script
+
+**Objective**: Automated bash script that stands up a 6-node xrpld network
+with telemetry, exercises all span categories, and verifies data in
+Tempo/Prometheus.
+
+**What to do**:
+
+- Create `docker/telemetry/integration-test.sh`:
+  - Prerequisites check (docker, xrpld binary, curl, jq)
+  - Start observability stack via `docker compose`
+  - Generate 6 validator key pairs via temp standalone xrpld
+  - Generate 6 node configs + shared `validators.txt`
+  - Start 6 xrpld nodes in consensus mode (`--start`, no `-a`)
+  - Wait for all nodes to reach `"proposing"` state (120s timeout)
+
+**Key new file**: `docker/telemetry/integration-test.sh`
+
+**Verification**:
+
+- [ ] Script starts without errors
+- [ ] All 6 nodes reach "proposing" state
+- [ ] Observability stack is healthy (otel-collector, Tempo, Prometheus, Grafana)
+
+---
+
+## Task IT.2: RPC Span Verification (Phase 2)
+
+**Objective**: Verify RPC spans flow through the telemetry pipeline.
+
+**What to do**:
+
+- Send `server_info`, `server_state`, `ledger` RPCs to node1 (port 5005)
+- Wait for batch export (5s)
+- Query Tempo API for:
+  - `rpc.request` spans (ServerHandler::onRequest)
+  - `rpc.process` spans (ServerHandler::processRequest)
+  - `rpc.command.server_info` spans (callMethod)
+  - `rpc.command.server_state` spans (callMethod)
+  - `rpc.command.ledger` spans (callMethod)
+- Verify `command` attribute present on `rpc.command.*` spans
+
+**Verification**:
+
+- [ ] Tempo shows `rpc.request` traces
+- [ ] Tempo shows `rpc.process` traces
+- [ ] Tempo shows `rpc.command.*` traces with correct attributes
+
+---
+
+## Task IT.3: Transaction Span Verification (Phase 3)
+
+**Objective**: Verify transaction spans flow through the telemetry pipeline.
+
+**What to do**:
+
+- Get genesis account sequence via `account_info` RPC
+- Submit Payment transaction using genesis seed (`snoPBrXtMeMyMHUVTgbuqAfg1SUTb`)
+- Wait for consensus inclusion (10s)
+- Query Tempo API for:
+  - `tx.process` spans (NetworkOPsImp::processTransaction) on submitting node
+  - `tx.receive` spans (PeerImp::handleTransaction) on peer nodes
+- Verify `xrpl.tx.hash` attribute on `tx.process` spans
+- Verify `xrpl.peer.id` attribute on `tx.receive` spans
+
+**Verification**:
+
+- [ ] Tempo shows `tx.process` traces with `xrpl.tx.hash`
+- [ ] Tempo shows `tx.receive` traces with `xrpl.peer.id`
+
+---
+
+## Task IT.4: Consensus Span Verification (Phase 4)
+
+**Objective**: Verify consensus spans flow through the telemetry pipeline.
+
+**What to do**:
+
+- Consensus runs automatically in 6-node network
+- Query Tempo API for:
+  - `consensus.proposal.send` (Adaptor::propose)
+  - `consensus.ledger_close` (Adaptor::onClose)
+  - `consensus.accept` (Adaptor::onAccept)
+  - `consensus.validation.send` (Adaptor::validate)
+- Verify attributes:
+  - `xrpl.consensus.mode` on `consensus.ledger_close`
+  - `xrpl.consensus.proposers` on `consensus.accept`
+  - `xrpl.consensus.ledger.seq` on `consensus.validation.send`
+
+**Verification**:
+
+- [ ] Tempo shows `consensus.ledger_close` traces with `xrpl.consensus.mode`
+- [ ] Tempo shows `consensus.accept` traces with `xrpl.consensus.proposers`
+- [ ] Tempo shows `consensus.proposal.send` traces
+- [ ] Tempo shows `consensus.validation.send` traces
+
+---
+
+## Task IT.5: Spanmetrics Verification (Phase 5)
+
+**Objective**: Verify spanmetrics connector derives RED metrics from spans.
+
+**What to do**:
+
+- Query Prometheus for `traces_span_metrics_calls_total`
+- Query Prometheus for `traces_span_metrics_duration_milliseconds_count`
+- Verify Grafana loads at `http://localhost:3000`
+
+**Verification**:
+
+- [ ] Prometheus returns non-empty results for `traces_span_metrics_calls_total`
+- [ ] Prometheus returns non-empty results for duration histogram
+- [ ] Grafana UI accessible with dashboards visible
+
+---
+
+## Task IT.6: Manual Testing Plan
+
+**Objective**: Document how to run tests manually for future reference.
+
+**What to do**:
+
+- Create `docker/telemetry/TESTING.md` with:
+  - Prerequisites section
+  - Single-node standalone test (quick verification)
+  - 6-node consensus test (full verification)
+  - Expected span catalog (all 12 span names with attributes)
+  - Verification queries (Tempo API, Prometheus API)
+  - Troubleshooting guide
+
+**Key new file**: `docker/telemetry/TESTING.md`
+
+**Verification**:
+
+- [ ] Document covers both single-node and multi-node testing
+- [ ] All 12 span names documented with source file and attributes
+- [ ] Troubleshooting section covers common failure modes
+
+---
+
+## Task IT.7: Run and Verify
+
+**Objective**: Execute the integration test and validate results.
+
+**What to do**:
+
+- Run `docker/telemetry/integration-test.sh` locally
+- Debug any failures
+- Leave stack running for manual verification
+- Share URLs:
+  - Tempo: `http://localhost:3200`
+  - Grafana: `http://localhost:3000`
+  - Prometheus: `http://localhost:9090`
+
+**Verification**:
+
+- [ ] Script completes with all checks passing
+- [ ] Tempo UI shows xrpld service with all expected span names
+- [ ] Grafana dashboards load and show data
+
+---
+
+## Task IT.8: Commit
+
+**Objective**: Commit all new files to Phase 5 branch.
+
+**What to do**:
+
+- Run `pcc` (pre-commit checks)
+- Commit 3 new files to `pratik/otel-phase5-docs-deployment`
+
+**Verification**:
+
+- [ ] `pcc` passes
+- [ ] Commit created on Phase 5 branch
+
+---
+
+## Summary
+
+| Task | Description                   | New Files | Depends On |
+| ---- | ----------------------------- | --------- | ---------- |
+| IT.1 | Integration test script       | 1         | Phase 5    |
+| IT.2 | RPC span verification         | 0         | IT.1       |
+| IT.3 | Transaction span verification | 0         | IT.1       |
+| IT.4 | Consensus span verification   | 0         | IT.1       |
+| IT.5 | Spanmetrics verification      | 0         | IT.1       |
+| IT.6 | Manual testing plan           | 1         | --         |
+| IT.7 | Run and verify                | 0         | IT.1-IT.6  |
+| IT.8 | Commit                        | 0         | IT.7       |
+
+**Exit Criteria**:
+
+- [ ] All 6 xrpld nodes reach "proposing" state
+- [ ] All 11 expected span names visible in Tempo
+- [ ] Spanmetrics available in Prometheus
+- [ ] Grafana dashboards show data
+- [ ] Manual testing plan document complete

OpenTelemetryPlan/Phase5_taskList.md

@@ -0,0 +1,250 @@
+# Phase 5: Documentation & Deployment Task List
+
+> **Goal**: Production readiness — Grafana dashboards, spanmetrics pipeline, operator runbook, alert definitions, and final integration testing. This phase ensures the telemetry system is useful and maintainable in production.
+>
+> **Scope**: Grafana dashboard definitions, OTel Collector spanmetrics connector, Prometheus integration, alert rules, operator documentation, and production-ready Docker Compose stack.
+>
+> **Branch**: `pratik/otel-phase5-docs-deployment` (from `pratik/otel-phase4-consensus-tracing`)
+
+> **Note on attribute names**: the `xrpl.<domain>.<field>` keys shown below
+> (including the collector spanmetrics dimension examples) are written in the
+> older dotted form for readability — it mirrors how the fully qualified
+> attribute reads in a Tempo trace view. The implemented keys follow the
+> convention in [CONTRIBUTING.md](../CONTRIBUTING.md#telemetry-span-attribute-naming)
+> (underscore form, e.g. `command`, `rpc_status`); the `*SpanNames.h` constants
+> are the single source of truth, and the real collector dimensions must use
+> those exact underscore keys (the CI naming check enforces this).
+
+### Related Plan Documents
+
+| Document                                                         | Relevance                                                                  |
+| ---------------------------------------------------------------- | -------------------------------------------------------------------------- |
+| [07-observability-backends.md](./07-observability-backends.md)   | Tempo setup (§7.1), Grafana dashboards (§7.6), alerts (§7.6.3)             |
+| [05-configuration-reference.md](./05-configuration-reference.md) | Collector config (§5.5), production config (§5.5.2), Docker Compose (§5.6) |
+| [06-implementation-phases.md](./06-implementation-phases.md)     | Phase 5 tasks (§6.6), definition of done (§6.11.5)                         |
+
+---
+
+## Task 5.1: Add Spanmetrics Connector to OTel Collector
+
+**Objective**: Derive RED metrics (Rate, Errors, Duration) from trace spans automatically, enabling Grafana time-series dashboards.
+
+**What to do**:
+
+- Edit `docker/telemetry/otel-collector-config.yaml`:
+  - Add `spanmetrics` connector:
+    ```yaml
+    connectors:
+      spanmetrics:
+        histogram:
+          explicit:
+            buckets: [1ms, 5ms, 10ms, 25ms, 50ms, 100ms, 250ms, 500ms, 1s, 5s]
+        dimensions:
+          - name: command
+          - name: rpc_status
+          - name: consensus_phase
+          - name: tx_type
+    ```
+  - Add `prometheus` exporter:
+    ```yaml
+    exporters:
+      prometheus:
+        endpoint: 0.0.0.0:8889
+    ```
+  - Wire the pipeline:
+    ```yaml
+    service:
+      pipelines:
+        traces:
+          receivers: [otlp]
+          processors: [batch]
+          exporters: [debug, otlp/tempo, spanmetrics]
+        metrics:
+          receivers: [spanmetrics]
+          exporters: [prometheus]
+    ```
+
+- Edit `docker/telemetry/docker-compose.yml`:
+  - Expose port `8889` on the collector for Prometheus scraping
+  - Add Prometheus service
+  - Add Prometheus as Grafana datasource
+
+**Key modified files**:
+
+- `docker/telemetry/otel-collector-config.yaml`
+- `docker/telemetry/docker-compose.yml`
+
+**Key new files**:
+
+- `docker/telemetry/prometheus.yml` (Prometheus scrape config)
+- `docker/telemetry/grafana/provisioning/datasources/prometheus.yaml`
+
+**Reference**:
+
+- [POC_taskList.md §Next Steps](./POC_taskList.md) — Metrics pipeline for Grafana dashboards
+
+---
+
+## Task 5.2: Create Grafana Dashboards
+
+**Objective**: Provide pre-built Grafana dashboards for RPC performance, transaction lifecycle, and consensus health.
+
+**What to do**:
+
+- Create `docker/telemetry/grafana/provisioning/dashboards/dashboards.yaml` (provisioning config)
+- Create dashboard JSON files:
+  1. **RPC Performance Dashboard** (`rpc-performance.json`):
+     - RPC request latency (p50/p95/p99) by command — histogram panel
+     - RPC throughput (requests/sec) by command — time series
+     - RPC error rate by command — bar gauge
+     - Top slowest RPC commands — table
+
+  2. **Transaction Overview Dashboard** (`transaction-overview.json`):
+     - Transaction processing rate — time series
+     - Transaction latency distribution — histogram
+     - Suppression rate (duplicates) — stat panel
+     - Transaction processing path (sync vs async) — pie chart
+
+  3. **Consensus Health Dashboard** (`consensus-health.json`):
+     - Consensus round duration — time series
+     - Phase duration breakdown (open/establish/accept) — stacked bar
+     - Proposals sent/received per round — stat panel
+     - Consensus mode distribution (proposing/observing) — pie chart
+
+- Store dashboards in `docker/telemetry/grafana/dashboards/`
+
+**Key new files**:
+
+- `docker/telemetry/grafana/provisioning/dashboards/dashboards.yaml`
+- `docker/telemetry/grafana/dashboards/rpc-performance.json`
+- `docker/telemetry/grafana/dashboards/transaction-overview.json`
+- `docker/telemetry/grafana/dashboards/consensus-health.json`
+
+**Reference**:
+
+- [07-observability-backends.md §7.6](./07-observability-backends.md) — Grafana dashboard specifications
+- [01-architecture-analysis.md §1.8.3](./01-architecture-analysis.md) — Dashboard panel examples
+
+---
+
+## Task 5.3: Define Alert Rules
+
+**Objective**: Create alert definitions for key telemetry anomalies.
+
+**What to do**:
+
+- Create `docker/telemetry/grafana/provisioning/alerting/alerts.yaml`:
+  - **RPC Latency Alert**: p99 latency > 1s for any command over 5 minutes
+  - **RPC Error Rate Alert**: Error rate > 5% for any command over 5 minutes
+  - **Consensus Duration Alert**: Round duration > 10s (warn), > 30s (critical)
+  - **Transaction Processing Alert**: Processing rate drops below threshold
+  - **Telemetry Pipeline Health**: No spans received for > 2 minutes
+
+**Key new files**:
+
+- `docker/telemetry/grafana/provisioning/alerting/alerts.yaml`
+
+**Reference**:
+
+- [07-observability-backends.md §7.6.3](./07-observability-backends.md) — Alert rule definitions
+
+---
+
+## Task 5.4: Production Collector Configuration
+
+**Objective**: Create a production-ready OTel Collector configuration with tail-based sampling and resource limits.
+
+**What to do**:
+
+- Create `docker/telemetry/otel-collector-config-production.yaml`:
+  - Tail-based sampling policy:
+    - Always sample errors and slow traces
+    - 10% base sampling rate for normal traces
+    - Always sample first trace for each unique RPC command
+  - Resource limits:
+    - Memory limiter processor (80% of available memory)
+    - Queued retry for export failures
+  - TLS configuration for production endpoints
+  - Health check endpoint
+
+**Key new files**:
+
+- `docker/telemetry/otel-collector-config-production.yaml`
+
+**Reference**:
+
+- [05-configuration-reference.md §5.5.2](./05-configuration-reference.md) — Production collector config
+
+---
+
+## Task 5.5: Operator Runbook
+
+**Objective**: Create operator documentation for managing the telemetry system in production.
+
+**What to do**:
+
+- Create `docs/telemetry-runbook.md`:
+  - **Setup**: How to enable telemetry in xrpld
+  - **Configuration**: All config options with descriptions
+  - **Collector Deployment**: Docker Compose vs. Kubernetes vs. bare metal
+  - **Troubleshooting**: Common issues and resolutions
+    - No traces appearing
+    - High memory usage from telemetry
+    - Collector connection failures
+    - Sampling configuration tuning
+  - **Performance Tuning**: Batch size, queue size, sampling ratio guidelines
+  - **Upgrading**: How to upgrade OTel SDK and Collector versions
+
+**Key new files**:
+
+- `docs/telemetry-runbook.md`
+
+---
+
+## Task 5.6: Final Integration Testing
+
+**Objective**: Validate the complete telemetry stack end-to-end.
+
+**What to do**:
+
+1. Start full Docker stack (Collector, Tempo, Grafana, Prometheus)
+2. Build xrpld with `telemetry=ON`
+3. Run in standalone mode with telemetry enabled
+4. Generate RPC traffic and verify traces in Tempo
+5. Verify dashboards populate in Grafana
+6. Verify alerts trigger correctly
+7. Test telemetry OFF path (no regressions)
+8. Run full test suite
+
+**Verification Checklist**:
+
+- [ ] Docker stack starts without errors
+- [ ] Traces appear in Tempo with correct hierarchy
+- [ ] Grafana dashboards show metrics derived from spans
+- [ ] Prometheus scrapes spanmetrics successfully
+- [ ] Alerts can be triggered by simulated conditions
+- [ ] Build succeeds with telemetry ON and OFF
+- [ ] Full test suite passes
+
+---
+
+## Summary
+
+| Task | Description                        | New Files | Modified Files | Depends On |
+| ---- | ---------------------------------- | --------- | -------------- | ---------- |
+| 5.1  | Spanmetrics connector + Prometheus | 2         | 2              | Phase 4    |
+| 5.2  | Grafana dashboards                 | 4         | 0              | 5.1        |
+| 5.3  | Alert definitions                  | 1         | 0              | 5.1        |
+| 5.4  | Production collector config        | 1         | 0              | Phase 4    |
+| 5.5  | Operator runbook                   | 1         | 0              | Phase 4    |
+| 5.6  | Final integration testing          | 0         | 0              | 5.1-5.5    |
+
+**Parallel work**: Tasks 5.1, 5.4, and 5.5 can run in parallel. Tasks 5.2 and 5.3 depend on 5.1. Task 5.6 depends on all others.
+
+**Exit Criteria** (from [06-implementation-phases.md §6.11.5](./06-implementation-phases.md)):
+
+- [ ] Dashboards deployed and showing data
+- [ ] Alerts configured and tested
+- [ ] Operator documentation complete
+- [ ] Production collector config ready
+- [ ] Full test suite passes

OpenTelemetryPlan/presentation.md

@@ -0,0 +1,673 @@
+# OpenTelemetry Distributed Tracing for xrpld
+
+---
+
+## Slide 1: Introduction
+
+> **CNCF** = Cloud Native Computing Foundation
+
+### What is OpenTelemetry?
+
+OpenTelemetry is an open-source, CNCF-backed observability framework for distributed tracing, metrics, and logs.
+
+### Why OpenTelemetry for xrpld?
+
+- **End-to-End Transaction Visibility**: Track transactions from submission → consensus → ledger inclusion
+- **Cross-Node Correlation**: Follow requests across multiple independent nodes using a unique `trace_id`
+- **Consensus Round Analysis**: Understand timing and behavior across validators
+- **Incident Debugging**: Correlate events across distributed nodes during issues
+
+```mermaid
+flowchart LR
+    A["Node A<br/>tx.receive<br/>trace_id: abc123"] --> B["Node B<br/>tx.relay<br/>trace_id: abc123"] --> C["Node C<br/>tx.validate<br/>trace_id: abc123"] --> D["Node D<br/>ledger.apply<br/>trace_id: abc123"]
+
+    style A fill:#1565c0,stroke:#0d47a1,color:#fff
+    style B fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style C fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style D fill:#e65100,stroke:#bf360c,color:#fff
+```
+
+**Reading the diagram:**
+
+- **Node A (blue, leftmost)**: The originating node that first receives the transaction and assigns a new `trace_id: abc123`; this ID becomes the correlation key for the entire distributed trace.
+- **Node B and Node C (green, middle)**: Relay and validation nodes — each creates its own span but carries the same `trace_id`, so their work is linked to the original submission without any central coordinator.
+- **Node D (orange, rightmost)**: The final node that applies the transaction to the ledger; the trace now spans the full lifecycle from submission to ledger inclusion.
+- **Left-to-right flow**: The horizontal progression shows the real-world message path — a transaction hops from node to node, and the shared `trace_id` stitches all hops into a single queryable trace.
+
+> **Trace ID: abc123** — All nodes share the same trace, enabling cross-node correlation.
+
+---
+
+## Slide 2: OpenTelemetry vs Open Source Alternatives
+
+> **CNCF** = Cloud Native Computing Foundation
+
+| Feature             | OpenTelemetry    | Jaeger           | Zipkin             | SkyWalking | Pinpoint   | Prometheus |
+| ------------------- | ---------------- | ---------------- | ------------------ | ---------- | ---------- | ---------- |
+| **Tracing**         | YES              | YES              | YES                | YES        | YES        | NO         |
+| **Metrics**         | YES              | NO               | NO                 | YES        | YES        | YES        |
+| **Logs**            | YES              | NO               | NO                 | YES        | NO         | NO         |
+| **C++ SDK**         | YES Official     | YES (Deprecated) | YES (Unmaintained) | NO         | NO         | YES        |
+| **Vendor Neutral**  | YES Primary goal | NO               | NO                 | NO         | NO         | NO         |
+| **Instrumentation** | Manual + Auto    | Manual           | Manual             | Auto-first | Auto-first | Manual     |
+| **Backend**         | Any (exporters)  | Self             | Self               | Self       | Self       | Self       |
+| **CNCF Status**     | Incubating       | Graduated        | NO                 | Incubating | NO         | Graduated  |
+
+> **Why OpenTelemetry?** It's the only actively maintained, full-featured C++ option with vendor neutrality — allowing export to Tempo, Prometheus, Grafana, or any commercial backend without changing instrumentation.
+
+---
+
+## Slide 3: Adoption Scope — Traces Only (Current Plan)
+
+OpenTelemetry supports three signal types: **Traces**, **Metrics**, and **Logs**. xrpld already captures metrics (StatsD via Beast Insight) and logs (Journal/PerfLog). The question is: how much of OTel do we adopt?
+
+> **Scenario A**: Add distributed tracing. Keep StatsD for metrics and Journal for logs.
+
+```mermaid
+flowchart LR
+    subgraph xrpld["xrpld Process"]
+        direction TB
+        OTel["OTel SDK<br/>(Traces)"]
+        Insight["Beast Insight<br/>(StatsD Metrics)"]
+        Journal["Journal + PerfLog<br/>(Logging)"]
+    end
+
+    OTel -->|"OTLP"| Collector["OTel Collector"]
+    Insight -->|"UDP"| StatsD["StatsD Server"]
+    Journal -->|"File I/O"| LogFile["perf.log / debug.log"]
+
+    Collector --> Tempo["Tempo"]
+    StatsD --> Graphite["Graphite / Grafana"]
+    LogFile --> Loki["Loki (optional)"]
+
+    style xrpld fill:#424242,stroke:#212121,color:#fff
+    style OTel fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style Insight fill:#1565c0,stroke:#0d47a1,color:#fff
+    style Journal fill:#e65100,stroke:#bf360c,color:#fff
+    style Collector fill:#2e7d32,stroke:#1b5e20,color:#fff
+```
+
+| Aspect                         | Details                                                                                                         |
+| ------------------------------ | --------------------------------------------------------------------------------------------------------------- |
+| **What changes for operators** | Deploy OTel Collector + trace backend. Existing StatsD and log pipelines stay as-is.                            |
+| **Codebase impact**            | New `Telemetry` module (~1500 LOC). Beast Insight and Journal untouched.                                        |
+| **New capabilities**           | Cross-node trace correlation, span-based debugging, request lifecycle visibility.                               |
+| **What we still can't do**     | Correlate metrics with specific traces natively. StatsD metrics remain fire-and-forget with no trace exemplars. |
+| **Maintenance burden**         | Three separate observability systems to maintain (OTel + StatsD + Journal).                                     |
+| **Risk**                       | Lowest — additive change, no existing systems disturbed.                                                        |
+
+---
+
+## Slide 4: Future Adoption — Metrics & Logs via OTel
+
+### Scenario B: + OTel Metrics (Replace StatsD)
+
+> Migrate StatsD to OTel Metrics API, exposing Prometheus-compatible metrics. Remove Beast Insight.
+
+```mermaid
+flowchart LR
+    subgraph xrpld["xrpld Process"]
+        direction TB
+        OTel["OTel SDK<br/>(Traces + Metrics)"]
+        Journal["Journal + PerfLog<br/>(Logging)"]
+    end
+
+    OTel -->|"OTLP"| Collector["OTel Collector"]
+    Journal -->|"File I/O"| LogFile["perf.log / debug.log"]
+
+    Collector --> Tempo["Tempo<br/>(Traces)"]
+    Collector --> Prom["Prometheus<br/>(Metrics)"]
+    LogFile --> Loki["Loki (optional)"]
+
+    style xrpld fill:#424242,stroke:#212121,color:#fff
+    style OTel fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style Journal fill:#e65100,stroke:#bf360c,color:#fff
+    style Collector fill:#2e7d32,stroke:#1b5e20,color:#fff
+```
+
+- **Better metrics?** Yes — Prometheus gives native histograms (p50/p95/p99), multi-dimensional labels, and exemplars linking metric spikes to traces.
+- **Codebase**: Remove `Beast::Insight` + `StatsDCollector` (~2000 LOC). Single SDK for traces and metrics.
+- **Operator effort**: Rewrite dashboards from StatsD/Graphite queries to PromQL. Run both in parallel during transition.
+- **Risk**: Medium — operators must migrate monitoring infrastructure.
+
+### Scenario C: + OTel Logs (Full Stack)
+
+> Also replace Journal logging with OTel Logs API. Single SDK for everything.
+
+```mermaid
+flowchart LR
+    subgraph xrpld["xrpld Process"]
+        OTel["OTel SDK<br/>(Traces + Metrics + Logs)"]
+    end
+
+    OTel -->|"OTLP"| Collector["OTel Collector"]
+
+    Collector --> Tempo["Tempo<br/>(Traces)"]
+    Collector --> Prom["Prometheus<br/>(Metrics)"]
+    Collector --> Loki["Loki / Elastic<br/>(Logs)"]
+
+    style xrpld fill:#424242,stroke:#212121,color:#fff
+    style OTel fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style Collector fill:#2e7d32,stroke:#1b5e20,color:#fff
+```
+
+- **Structured logging**: OTel Logs API outputs structured records with `trace_id`, `span_id`, severity, and attributes by design.
+- **Full correlation**: Every log line carries `trace_id`. Click trace → see logs. Click metric spike → see trace → see logs.
+- **Codebase**: Remove Beast Insight (~2000 LOC) + simplify Journal/PerfLog (~3000 LOC). One dependency instead of three.
+- **Risk**: Highest — `beast::Journal` is deeply embedded in every component. Large refactor. OTel C++ Logs API is newer (stable since v1.11, less battle-tested).
+
+### Recommendation
+
+```mermaid
+flowchart LR
+    A["Phase 1<br/><b>Traces Only</b><br/>(Current Plan)"] --> B["Phase 2<br/><b>+ Metrics</b><br/>(Replace StatsD)"] --> C["Phase 3<br/><b>+ Logs</b><br/>(Full OTel)"]
+
+    style A fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style B fill:#1565c0,stroke:#0d47a1,color:#fff
+    style C fill:#e65100,stroke:#bf360c,color:#fff
+```
+
+| Phase                | Signal    | Strategy                                                       | Risk   |
+| -------------------- | --------- | -------------------------------------------------------------- | ------ |
+| **Phase 1** (now)    | Traces    | Add OTel traces. Keep StatsD and Journal. Prove value.         | Low    |
+| **Phase 2** (future) | + Metrics | Migrate StatsD → Prometheus via OTel. Remove Beast Insight.    | Medium |
+| **Phase 3** (future) | + Logs    | Adopt OTel Logs API. Align with structured logging initiative. | High   |
+
+> **Key Takeaway**: Start with traces (unique value, lowest risk), then incrementally adopt metrics and logs as the OTel infrastructure proves itself.
+
+---
+
+## Slide 5: Comparison with xrpld's Existing Solutions
+
+### Current Observability Stack
+
+| Aspect                | PerfLog (JSON)        | StatsD (Metrics)      | OpenTelemetry (NEW)         |
+| --------------------- | --------------------- | --------------------- | --------------------------- |
+| **Type**              | Logging               | Metrics               | Distributed Tracing         |
+| **Scope**             | Single node           | Single node           | **Cross-node**              |
+| **Data**              | JSON log entries      | Counters, gauges      | Spans with context          |
+| **Correlation**       | By timestamp          | By metric name        | By `trace_id`               |
+| **Overhead**          | Low (file I/O)        | Low (UDP)             | Low-Medium (configurable)   |
+| **Question Answered** | "What happened here?" | "How many? How fast?" | **"What was the journey?"** |
+
+### Use Case Matrix
+
+| Scenario                         | PerfLog | StatsD | OpenTelemetry |
+| -------------------------------- | ------- | ------ | ------------- |
+| "How many TXs per second?"       | ❌      | ✅     | ❌            |
+| "Why was this specific TX slow?" | ⚠️      | ❌     | ✅            |
+| "Which node delayed consensus?"  | ❌      | ❌     | ✅            |
+| "Show TX journey across 5 nodes" | ❌      | ❌     | ✅            |
+
+> **Key Insight**: In the **traces-only** approach (Phase 1), OpenTelemetry **complements** existing systems. In future phases, OTel metrics and logs could **replace** StatsD and Journal respectively — see Slides 3-4 for the full adoption roadmap.
+
+---
+
+## Slide 6: Architecture
+
+> **OTLP** = OpenTelemetry Protocol | **WS** = WebSocket
+
+### High-Level Integration Architecture
+
+```mermaid
+flowchart TB
+    subgraph xrpld["xrpld Node"]
+        subgraph services["Core Services"]
+            direction LR
+            RPC["RPC Server<br/>(HTTP/WS)"] ~~~ Overlay["Overlay<br/>(P2P Network)"] ~~~ Consensus["Consensus<br/>(RCLConsensus)"]
+        end
+
+        Telemetry["Telemetry Module<br/>(OpenTelemetry SDK)"]
+
+        services --> Telemetry
+    end
+
+    Telemetry -->|OTLP/gRPC| Collector["OTel Collector"]
+
+    Collector --> Tempo["Grafana Tempo"]
+    Collector --> Elastic["Elastic APM"]
+
+    style xrpld fill:#424242,stroke:#212121,color:#fff
+    style services fill:#1565c0,stroke:#0d47a1,color:#fff
+    style Telemetry fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style Collector fill:#e65100,stroke:#bf360c,color:#fff
+```
+
+**Reading the diagram:**
+
+- **Core Services (blue, top)**: RPC Server, Overlay, and Consensus are the three primary components that generate trace data — they represent the entry points for client requests, peer messages, and consensus rounds respectively.
+- **Telemetry Module (green, middle)**: The OpenTelemetry SDK sits below the core services and receives span data from all three; it acts as a single collection point within the xrpld process.
+- **OTel Collector (orange, center)**: An external process that receives spans over OTLP/gRPC from the Telemetry Module; it decouples xrpld from backend choices and handles batching, sampling, and routing.
+- **Backends (bottom row)**: Tempo and Elastic APM are interchangeable — the Collector fans out to any combination, so operators can switch backends without modifying xrpld code.
+- **Top-to-bottom flow**: Data flows from instrumented code down through the SDK, out over the network to the Collector, and finally into storage/visualization backends.
+
+### Context Propagation
+
+```mermaid
+sequenceDiagram
+    participant Client
+    participant NodeA as Node A
+    participant NodeB as Node B
+
+    Client->>NodeA: Submit TX (no context)
+    Note over NodeA: Creates trace_id: abc123<br/>span: tx.receive
+    NodeA->>NodeB: Relay TX<br/>(traceparent: abc123)
+    Note over NodeB: Links to trace_id: abc123<br/>span: tx.relay
+```
+
+- **HTTP/RPC**: W3C Trace Context headers (`traceparent`)
+- **P2P Messages**: Protocol Buffer extension fields
+
+---
+
+## Slide 7: Implementation Plan
+
+### 5-Phase Rollout (9 Weeks)
+
+> **Note**: Dates shown are relative to project start, not calendar dates.
+
+```mermaid
+gantt
+    title Implementation Timeline
+    dateFormat  YYYY-MM-DD
+    axisFormat  Week %W
+
+    section Phase 1
+    Core Infrastructure    :p1, 2024-01-01, 2w
+
+    section Phase 2
+    RPC Tracing           :p2, after p1, 2w
+
+    section Phase 3
+    Transaction Tracing   :p3, after p2, 2w
+
+    section Phase 4
+    Consensus Tracing     :p4, after p3, 2w
+
+    section Phase 5
+    Documentation         :p5, after p4, 1w
+```
+
+### Phase Details
+
+| Phase | Focus               | Key Deliverables                             | Effort  |
+| ----- | ------------------- | -------------------------------------------- | ------- |
+| 1     | Core Infrastructure | SDK integration, Telemetry interface, Config | 10 days |
+| 2     | RPC Tracing         | HTTP context extraction, Handler spans       | 10 days |
+| 3     | Transaction Tracing | Protobuf context, P2P relay propagation      | 10 days |
+| 4     | Consensus Tracing   | Round spans, Proposal/validation tracing     | 10 days |
+| 5     | Documentation       | Runbook, Dashboards, Training                | 7 days  |
+
+**Total Effort**: ~47 developer-days (2 developers)
+
+> **Future Phases** (not in current scope): After traces are stable, OTel metrics can replace StatsD (~3 weeks), and OTel logs can replace Journal (~4 weeks, aligned with structured logging initiative). See Slides 3-4 for the full adoption roadmap.
+
+---
+
+## Slide 8: Performance Overhead
+
+> **OTLP** = OpenTelemetry Protocol
+
+### Estimated System Impact
+
+| Metric            | Overhead   | Notes                                            |
+| ----------------- | ---------- | ------------------------------------------------ |
+| **CPU**           | 1-3%       | Span creation and attribute setting              |
+| **Memory**        | ~10 MB     | SDK statics + batch buffer + worker thread stack |
+| **Network**       | 10-50 KB/s | Compressed OTLP export to collector              |
+| **Latency (p99)** | <2%        | With proper sampling configuration               |
+
+#### How We Arrived at These Numbers
+
+**Assumptions (XRPL mainnet baseline)**:
+
+| Parameter                 | Value                  | Source                                                                                              |
+| ------------------------- | ---------------------- | --------------------------------------------------------------------------------------------------- |
+| Transaction throughput    | ~25 TPS (peaks to ~50) | Mainnet average                                                                                     |
+| Default peers per node    | 21                     | `peerfinder/detail/Tuning.h` (`defaultMaxPeers`)                                                    |
+| Consensus round frequency | ~1 round / 3-4 seconds | `ConsensusParms.h` (`ledgerMIN_CONSENSUS=1950ms`)                                                   |
+| Proposers per round       | ~20-35                 | Mainnet UNL size                                                                                    |
+| P2P message rate          | ~160 msgs/sec          | See message breakdown below                                                                         |
+| Avg TX processing time    | ~200 μs                | Profiled baseline                                                                                   |
+| Single span creation cost | 500-1000 ns            | OTel C++ SDK benchmarks (see [3.5.4](./03-implementation-strategy.md#354-performance-data-sources)) |
+
+**P2P message breakdown** (per node, mainnet):
+
+| Message Type  | Rate         | Derivation                                                            |
+| ------------- | ------------ | --------------------------------------------------------------------- |
+| TMTransaction | ~100/sec     | ~25 TPS × ~4 relay hops per TX, deduplicated by HashRouter            |
+| TMValidation  | ~50/sec      | ~35 validators × ~1 validation/3s round ≈ ~12/sec, plus relay fan-out |
+| TMProposeSet  | ~10/sec      | ~35 proposers / 3s round ≈ ~12/round, clustered in establish phase    |
+| **Total**     | **~160/sec** | **Only traced message types counted**                                 |
+
+**CPU (1-3%) — Calculation**:
+
+Per-transaction tracing cost breakdown:
+
+| Operation                                       | Cost        | Notes                                      |
+| ----------------------------------------------- | ----------- | ------------------------------------------ |
+| `tx.receive` span (create + end + 4 attributes) | ~1400 ns    | ~1000ns create + ~200ns end + 4×50ns attrs |
+| `tx.validate` span                              | ~1200 ns    | ~1000ns create + ~200ns for 2 attributes   |
+| `tx.relay` span                                 | ~1200 ns    | ~1000ns create + ~200ns for 2 attributes   |
+| Context injection into P2P message              | ~200 ns     | Serialize trace_id + span_id into protobuf |
+| **Total per TX**                                | **~4.0 μs** |                                            |
+
+> **CPU overhead**: 4.0 μs / 200 μs baseline = **~2.0% per transaction**. Under high load with consensus + RPC spans overlapping, reaches ~3%. Consensus itself adds only ~36 μs per 3-second round (~0.001%), so the TX path dominates. On production server hardware (3+ GHz Xeon), span creation drops to ~500-600 ns, bringing per-TX cost to ~2.6 μs (~1.3%). See [Section 3.5.4](./03-implementation-strategy.md#354-performance-data-sources) for benchmark sources.
+
+**Memory (~10 MB) — Calculation**:
+
+| Component                                     | Size               | Notes                                 |
+| --------------------------------------------- | ------------------ | ------------------------------------- |
+| TracerProvider + Exporter (gRPC channel init) | ~320 KB            | Allocated once at startup             |
+| BatchSpanProcessor (circular buffer)          | ~16 KB             | 2049 × 8-byte AtomicUniquePtr entries |
+| BatchSpanProcessor (worker thread stack)      | ~8 MB              | Default Linux thread stack size       |
+| Active spans (in-flight, max ~1000)           | ~500-800 KB        | ~500-800 bytes/span × 1000 concurrent |
+| Export queue (batch buffer, max 2048 spans)   | ~1 MB              | ~500 bytes/span × 2048 queue depth    |
+| Thread-local context storage (~100 threads)   | ~6.4 KB            | ~64 bytes/thread                      |
+| **Total**                                     | **~10 MB ceiling** |                                       |
+
+> Memory plateaus once the export queue fills — the `max_queue_size=2048` config bounds growth.
+> The worker thread stack (~8 MB) dominates the static footprint but is virtual memory; actual RSS
+> depends on stack usage (typically much less). Active spans are larger than originally estimated
+> (~500-800 bytes) because the OTel SDK `Span` object includes a mutex (~40 bytes), `SpanData`
+> recordable (~250 bytes base), and `std::map`-based attribute storage (~200-500 bytes for 3-5
+> string attributes). See [Section 3.5.4](./03-implementation-strategy.md#354-performance-data-sources) for source references.
+
+**Network (10-50 KB/s) — Calculation**:
+
+Two sources of network overhead:
+
+**(A) OTLP span export to Collector:**
+
+| Sampling Rate              | Effective Spans/sec | Avg Span Size (compressed) | Bandwidth    |
+| -------------------------- | ------------------- | -------------------------- | ------------ |
+| 100% (dev only)            | ~500                | ~500 bytes                 | ~250 KB/s    |
+| **10% (recommended prod)** | **~50**             | **~500 bytes**             | **~25 KB/s** |
+| 1% (minimal)               | ~5                  | ~500 bytes                 | ~2.5 KB/s    |
+
+> The ~500 spans/sec at 100% comes from: ~100 TX spans + ~160 P2P context spans + ~23 consensus spans/round + ~50 RPC spans = ~500/sec. OTLP protobuf with gzip compression yields ~500 bytes/span average.
+
+**(B) P2P trace context overhead** (added to existing messages, always-on regardless of sampling):
+
+| Message Type  | Rate     | Context Size | Bandwidth     |
+| ------------- | -------- | ------------ | ------------- |
+| TMTransaction | ~100/sec | 29 bytes     | ~2.9 KB/s     |
+| TMValidation  | ~50/sec  | 29 bytes     | ~1.5 KB/s     |
+| TMProposeSet  | ~10/sec  | 29 bytes     | ~0.3 KB/s     |
+| **Total P2P** |          |              | **~4.7 KB/s** |
+
+> **Combined**: 25 KB/s (OTLP export at 10%) + 5 KB/s (P2P context) ≈ **~30 KB/s typical**. The 10-50 KB/s range covers 10-20% sampling under normal to peak mainnet load.
+
+**Latency (<2%) — Calculation**:
+
+| Path                           | Tracing Cost | Baseline | Overhead |
+| ------------------------------ | ------------ | -------- | -------- |
+| Fast RPC (e.g., `server_info`) | 2.75 μs      | ~1 ms    | 0.275%   |
+| Slow RPC (e.g., `path_find`)   | 2.75 μs      | ~100 ms  | 0.003%   |
+| Transaction processing         | 4.0 μs       | ~200 μs  | 2.0%     |
+| Consensus round                | 36 μs        | ~3 sec   | 0.001%   |
+
+> At p99, even the worst case (TX processing at 2.0%) is within the 1-3% range. RPC and consensus overhead are negligible. On production hardware, TX overhead drops to ~1.3%.
+
+### Per-Message Overhead (Context Propagation)
+
+Each P2P message carries trace context with the following overhead:
+
+| Field         | Size          | Description                               |
+| ------------- | ------------- | ----------------------------------------- |
+| `trace_id`    | 16 bytes      | Unique identifier for the entire trace    |
+| `span_id`     | 8 bytes       | Current span (becomes parent on receiver) |
+| `trace_flags` | 1 byte        | Sampling decision flags                   |
+| `trace_state` | 0-4 bytes     | Optional vendor-specific data             |
+| **Total**     | **~29 bytes** | **Added per traced P2P message**          |
+
+```mermaid
+flowchart LR
+    subgraph msg["P2P Message with Trace Context"]
+        A["Original Message<br/>(variable size)"] --> B["+ TraceContext<br/>(~29 bytes)"]
+    end
+
+    subgraph breakdown["Context Breakdown"]
+        C["trace_id<br/>16 bytes"]
+        D["span_id<br/>8 bytes"]
+        E["flags<br/>1 byte"]
+        F["state<br/>0-4 bytes"]
+    end
+
+    B --> breakdown
+
+    style A fill:#424242,stroke:#212121,color:#fff
+    style B fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style C fill:#1565c0,stroke:#0d47a1,color:#fff
+    style D fill:#1565c0,stroke:#0d47a1,color:#fff
+    style E fill:#e65100,stroke:#bf360c,color:#fff
+    style F fill:#4a148c,stroke:#2e0d57,color:#fff
+```
+
+**Reading the diagram:**
+
+- **Original Message (gray, left)**: The existing P2P message payload of variable size — this is unchanged; trace context is appended, never modifying the original data.
+- **+ TraceContext (green, right of message)**: The additional 29-byte context block attached to each traced message; the arrow from the original message shows it is a pure addition.
+- **Context Breakdown (right subgraph)**: The four fields — `trace_id` (16 bytes), `span_id` (8 bytes), `flags` (1 byte), and `state` (0-4 bytes) — show exactly what is added and their individual sizes.
+- **Color coding**: Blue fields (`trace_id`, `span_id`) are the core identifiers required for trace correlation; orange (`flags`) controls sampling decisions; purple (`state`) is optional vendor data typically omitted.
+
+> **Note**: 29 bytes represents ~1-6% overhead depending on message size (500B simple TX to 5KB proposal), which is acceptable for the observability benefits provided.
+
+### Mitigation Strategies
+
+```mermaid
+flowchart LR
+    A["Head Sampling<br/>10% default"] --> B["Tail Sampling<br/>Keep errors/slow"] --> C["Batch Export<br/>Reduce I/O"] --> D["Conditional Compile<br/>XRPL_ENABLE_TELEMETRY"]
+
+    style A fill:#1565c0,stroke:#0d47a1,color:#fff
+    style B fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style C fill:#e65100,stroke:#bf360c,color:#fff
+    style D fill:#4a148c,stroke:#2e0d57,color:#fff
+```
+
+> For a detailed explanation of head vs. tail sampling, see Slide 9.
+
+### Kill Switches (Rollback Options)
+
+1. **Config Disable**: Set `enabled=0` in config → instant disable, no restart needed for sampling
+2. **Rebuild**: Compile with `XRPL_ENABLE_TELEMETRY=OFF` → zero overhead (no-op)
+3. **Full Revert**: Clean separation allows easy commit reversion
+
+---
+
+## Slide 9: Sampling Strategies — Head vs. Tail
+
+> Sampling controls **which traces are recorded and exported**. Without sampling, every operation generates a trace — at 500+ spans/sec, this overwhelms storage and network. Sampling lets you keep the signal, discard the noise.
+
+### Head Sampling (Decision at Start)
+
+The sampling decision is made **when a trace begins**, before any work is done. A random number is generated; if it falls within the configured ratio, the entire trace is recorded. Otherwise, the trace is silently dropped.
+
+```mermaid
+flowchart LR
+    A["New Request<br/>Arrives"] --> B{"Random < 10%?"}
+    B -->|"Yes (1 in 10)"| C["Record Entire Trace<br/>(all spans)"]
+    B -->|"No (9 in 10)"| D["Drop Entire Trace<br/>(zero overhead)"]
+
+    style C fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style D fill:#c62828,stroke:#8c2809,color:#fff
+    style B fill:#1565c0,stroke:#0d47a1,color:#fff
+```
+
+| Aspect                        | Details                                                                                                                                                                                                  |
+| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Where it runs**             | Inside xrpld (SDK-level). Configured via `sampling_ratio` in `xrpld.cfg`.                                                                                                                                |
+| **When the decision happens** | At trace creation time — before the first span is even populated.                                                                                                                                        |
+| **How it works**              | `sampling_ratio=0.1` means each trace has a 10% probability of being recorded. Dropped traces incur near-zero overhead (no spans created, no attributes set, no export).                                 |
+| **Propagation**               | Once a trace is sampled, the `trace_flags` field (1 byte in the context header) tells downstream nodes to also sample it. Unsampled traces propagate `trace_flags=0`, so downstream nodes skip them too. |
+| **Pros**                      | Lowest overhead. Simple to configure. Predictable resource usage.                                                                                                                                        |
+| **Cons**                      | **Blind** — it doesn't know if the trace will be interesting. A rare error or slow consensus round has only a 10% chance of being captured.                                                              |
+| **Best for**                  | High-volume, steady-state traffic where most traces look similar (e.g., routine RPC requests).                                                                                                           |
+
+**xrpld configuration**:
+
+```ini
+[telemetry]
+# Record 10% of traces (recommended for production)
+sampling_ratio=0.1
+```
+
+### Tail Sampling (Decision at End)
+
+The sampling decision is made **after the trace completes**, based on its actual content — was it slow? Did it error? Was it a consensus round? This requires buffering complete traces before deciding.
+
+```mermaid
+flowchart TB
+    A["All Traces<br/>Buffered (100%)"] --> B["OTel Collector<br/>Evaluates Rules"]
+
+    B --> C{"Error?"}
+    C -->|Yes| K["KEEP"]
+
+    C -->|No| D{"Slow?<br/>(>5s consensus,<br/>>1s RPC)"}
+    D -->|Yes| K
+
+    D -->|No| E{"Random < 10%?"}
+    E -->|Yes| K
+    E -->|No| F["DROP"]
+
+    style K fill:#2e7d32,stroke:#1b5e20,color:#fff
+    style F fill:#c62828,stroke:#8c2809,color:#fff
+    style B fill:#1565c0,stroke:#0d47a1,color:#fff
+    style C fill:#e65100,stroke:#bf360c,color:#fff
+    style D fill:#e65100,stroke:#bf360c,color:#fff
+    style E fill:#4a148c,stroke:#2e0d57,color:#fff
+```
+
+| Aspect                        | Details                                                                                                                                                                                                 |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Where it runs**             | In the **OTel Collector** (external process), not inside xrpld. xrpld exports 100% of traces; the Collector decides what to keep.                                                                       |
+| **When the decision happens** | After the Collector has received all spans for a trace (waits `decision_wait=10s` for stragglers).                                                                                                      |
+| **How it works**              | Policy rules evaluate the completed trace: keep all errors, keep slow operations above a threshold, keep all consensus rounds, then probabilistically sample the rest at 10%.                           |
+| **Pros**                      | **Never misses important traces**. Errors, slow requests, and consensus anomalies are always captured regardless of probability.                                                                        |
+| **Cons**                      | Higher resource usage — xrpld must export 100% of spans to the Collector, which buffers them in memory before deciding. The Collector needs more RAM (configured via `num_traces` and `decision_wait`). |
+| **Best for**                  | Production troubleshooting where you can't afford to miss errors or anomalies.                                                                                                                          |
+
+**Collector configuration** (tail sampling rules for xrpld):
+
+```yaml
+processors:
+  tail_sampling:
+    decision_wait: 10s # Wait for all spans in a trace
+    num_traces: 100000 # Buffer up to 100K concurrent traces
+    policies:
+      - name: errors # Always keep error traces
+        type: status_code
+        status_code: { status_codes: [ERROR] }
+
+      - name: slow-consensus # Keep consensus rounds >5s
+        type: latency
+        latency: { threshold_ms: 5000 }
+
+      - name: slow-rpc # Keep slow RPC requests >1s
+        type: latency
+        latency: { threshold_ms: 1000 }
+
+      - name: probabilistic # Sample 10% of everything else
+        type: probabilistic
+        probabilistic: { sampling_percentage: 10 }
+```
+
+### Head vs. Tail — Side-by-Side
+
+|                               | Head Sampling                            | Tail Sampling                                    |
+| ----------------------------- | ---------------------------------------- | ------------------------------------------------ |
+| **Decision point**            | Trace start (inside xrpld)               | Trace end (in OTel Collector)                    |
+| **Knows trace content?**      | No (random coin flip)                    | Yes (evaluates completed trace)                  |
+| **Overhead on xrpld**         | Lowest (dropped traces = no-op)          | Higher (must export 100% to Collector)           |
+| **Collector resource usage**  | Low (receives only sampled traces)       | Higher (buffers all traces before deciding)      |
+| **Captures all errors?**      | No (only if trace was randomly selected) | **Yes** (error policy catches them)              |
+| **Captures slow operations?** | No (random)                              | **Yes** (latency policy catches them)            |
+| **Configuration**             | `xrpld.cfg`: `sampling_ratio=0.1`        | `otel-collector.yaml`: `tail_sampling` processor |
+| **Best for**                  | High-throughput steady-state             | Troubleshooting & anomaly detection              |
+
+### Recommended Strategy for xrpld
+
+Use **both** in a layered approach:
+
+```mermaid
+flowchart LR
+    subgraph xrpld["xrpld (Head Sampling)"]
+        HS["sampling_ratio=1.0<br/>(export everything)"]
+    end
+
+    subgraph collector["OTel Collector (Tail Sampling)"]
+        TS["Keep: errors + slow + 10% random<br/>Drop: routine traces"]
+    end
+
+    subgraph storage["Backend Storage"]
+        ST["Only interesting traces<br/>stored long-term"]
+    end
+
+    xrpld -->|"100% of spans"| collector -->|"~15-20% kept"| storage
+
+    style xrpld fill:#424242,stroke:#212121,color:#fff
+    style collector fill:#1565c0,stroke:#0d47a1,color:#fff
+    style storage fill:#2e7d32,stroke:#1b5e20,color:#fff
+```
+
+> **Why this works**: xrpld exports everything (no blind drops), the Collector applies intelligent filtering (keep errors/slow/anomalies, sample the rest), and only ~15-20% of traces reach storage. If Collector resource usage becomes a concern, add head sampling at `sampling_ratio=0.5` to halve the export volume while still giving the Collector enough data for good tail-sampling decisions.
+
+---
+
+## Slide 10: Data Collection & Privacy
+
+### What Data is Collected
+
+| Category        | Attributes Collected                                                                                                 | Purpose                     |
+| --------------- | -------------------------------------------------------------------------------------------------------------------- | --------------------------- |
+| **Transaction** | `tx_hash`, `tx_type`, `tx_result`, `tx_fee`, `ledger_index`                                                          | Trace transaction lifecycle |
+| **Consensus**   | `consensus_round`, `consensus_phase`, `consensus_mode`, `proposers` (count of proposing validators), `round_time_ms` | Analyze consensus timing    |
+| **RPC**         | `command`, `version`, `rpc_status`, `duration_ms`                                                                    | Monitor RPC performance     |
+| **Peer**        | `peer_id`(public key), `peer_latency_ms`, `message_type`, `message_size_bytes`                                       | Network topology analysis   |
+| **Ledger**      | `ledger_hash`, `ledger_index`, `close_time`, `ledger_tx_count`                                                       | Ledger progression tracking |
+| **Job**         | `job_type`, `job_queue_ms`, `job_worker`                                                                             | JobQueue performance        |
+
+### What is NOT Collected (Privacy Guarantees)
+
+```mermaid
+flowchart LR
+    subgraph notCollected["❌ NOT Collected"]
+        direction LR
+        A["Private Keys"] ~~~ B["Account Balances"] ~~~ C["Transaction Amounts"]
+    end
+
+    subgraph alsoNot["❌ Also Excluded"]
+        direction LR
+        D["IP Addresses<br/>(configurable)"] ~~~ E["Personal Data"] ~~~ F["Raw TX Payloads"]
+    end
+
+    style A fill:#c62828,stroke:#8c2809,color:#fff
+    style B fill:#c62828,stroke:#8c2809,color:#fff
+    style C fill:#c62828,stroke:#8c2809,color:#fff
+    style D fill:#c62828,stroke:#8c2809,color:#fff
+    style E fill:#c62828,stroke:#8c2809,color:#fff
+    style F fill:#c62828,stroke:#8c2809,color:#fff
+```
+
+**Reading the diagram:**
+
+- **NOT Collected (top row, red)**: Private Keys, Account Balances, and Transaction Amounts are explicitly excluded — these are financial/security-sensitive fields that telemetry never touches.
+- **Also Excluded (bottom row, red)**: IP Addresses (configurable per deployment), Personal Data, and Raw TX Payloads are also excluded — these protect operator and user privacy.
+- **All-red styling**: Every box is styled in red to visually reinforce that these are hard exclusions, not optional — the telemetry system has no code path to collect any of these fields.
+- **Two-row layout**: The split between "NOT Collected" and "Also Excluded" distinguishes between financial data (top) and operational/personal data (bottom), making the privacy boundaries clear to auditors.
+
+### Privacy Protection Mechanisms
+
+| Mechanism                  | Description                                               |
+| -------------------------- | --------------------------------------------------------- |
+| **Account Hashing**        | `tx_account` is hashed at collector level before storage  |
+| **Configurable Redaction** | Sensitive fields can be excluded via config               |
+| **Sampling**               | Only 10% of traces recorded by default (reduces exposure) |
+| **Local Control**          | Node operators control what gets exported                 |
+| **No Raw Payloads**        | Transaction content is never recorded, only metadata      |
+
+> **Key Principle**: Telemetry collects **operational metadata** (timing, counts, hashes) — never **sensitive content** (keys, balances, amounts).
+
+---
+
+_End of Presentation_

OpenTelemetryPlan/secure-OTel.md

@@ -0,0 +1,239 @@
+# Securing OpenTelemetry Against Trace Context Spoofing
+
+> **Part of**: [OpenTelemetry Implementation Plan](./OpenTelemetryPlan.md) — see also [Design Decisions § Privacy](./02-design-decisions.md#244-privacy--sensitive-data-policy) (what we don't collect) and [Configuration Reference § 5.5](./05-configuration-reference.md#55-opentelemetry-collector-configuration) (collector base config).
+
+Trace context spoofing (or poisoning) occurs when untrusted actors inject tampered or stale trace IDs into your system. If these requests are processed, the spans are appended to historical trace buckets, stretching trace durations, ruining p99 latency metrics, and breaking Grafana dashboards.
+
+This guide outlines two categories of defense: mitigating tampered contexts and locking down the OpenTelemetry (OTel) Collector to trusted clients only.
+
+---
+
+## Part 1: Mitigating Tampered Trace Contexts
+
+### 1. Perimeter Defense: Strip Headers at the API Gateway
+
+The most effective way to prevent spoofing from external sources is to treat your API Gateway (Envoy, NGINX, AWS ALB) as a hard boundary. Strip incoming W3C tracing headers (`traceparent`, `tracestate`) from public traffic so the gateway is forced to generate a fresh, legitimate `trace_id`.
+
+**NGINX Example (Stripping Headers):**
+
+```nginx
+server {
+    listen 80;
+
+    location {
+        # Clear out untrusted incoming trace headers
+        proxy_set_header traceparent "";
+        proxy_set_header tracestate "";
+
+        proxy_pass http://backend_service;
+    }
+}
+```
+
+### **2. Timestamp-Anchored Trace IDs and OTTL Filtering**
+
+If you use a custom trace ID generator that embeds a timestamp in the first few bytes (like AWS X-Ray or UUIDv7), you can use the OTel Collector's OpenTelemetry Transform Language (OTTL) to detect anomalies.
+**Collector Configuration (Conceptual OTTL Filter):**
+
+```yaml
+processors:
+  filter/stale_traces:
+    error_mode: ignore
+    traces:
+      span:
+        # Example: Drop spans where the start time is significantly different
+        # from an expected parameter or embedded timestamp logic.
+        # Note: Standard W3C trace IDs do not contain timestamps by default.
+        - 'Keep out-of-bounds spans: time.sub(start_time, now()) > duration("1h")'
+```
+
+## **Part 2: Restricting Access to the OTel Collector**
+
+Locking down the Collector ensures that only authenticated, trusted clients can submit telemetry data.
+
+### **Approach A: Network Layer Security (Kubernetes Network Policies)**
+
+Ensure your Collector is not exposed to the public internet. If running in Kubernetes, use a NetworkPolicy to restrict ingress traffic to specific namespaces.
+**Kubernetes NetworkPolicy Example:**
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-internal-otel
+  namespace: observability
+spec:
+  podSelector:
+    matchLabels:
+      app: opentelemetry-collector
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              environment: production
+      ports:
+        - protocol: TCP
+          port: 4317 # gRPC
+        - protocol: TCP
+          port: 4318 # HTTP
+```
+
+### **Approach B: Transport Layer Security (Mutual TLS / mTLS)**
+
+Require clients to present a valid cryptographic certificate to connect to the Collector.
+**Collector Configuration (mTLS):**
+
+```yaml
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+        tls:
+          client_ca_file: /certs/client_ca.pem # CA that signs trusted client certs
+          cert_file: /certs/collector.pem
+          key_file: /certs/collector.key
+          auth_type: require_and_verify_client_cert # Rejects unauthorized clients
+```
+
+### **Approach C: Application Layer Authentication (Basic Auth Extension)**
+
+Use the Collector's extension system to require an API key or Basic Auth credentials.
+**Collector Configuration (Basic Auth):**
+
+```yaml
+extensions:
+  basicauth/collector:
+    htpasswd:
+      inline: |
+        # username:trusted-client, password:SecurePassword123
+        trusted-client:$apr1$4v8p76o6$DMTX5Wv6uOmrFAZp2X1N1.
+
+receivers:
+  otlp:
+    protocols:
+      grpc:
+        endpoint: 0.0.0.0:4317
+        auth:
+          authenticator: basicauth/collector
+
+processors:
+  batch:
+
+exporters:
+  otlp:
+    endpoint: my-backend-storage:4317
+
+service:
+  extensions: [basicauth/collector]
+  pipelines:
+    traces:
+      receivers: [otlp]
+      processors: [batch]
+      exporters: [otlp]
+```
+
+**Client Setup (Environment Variables):**
+Developers must pass the authentication header using the standard OTel SDK environment variables:
+
+```bash
+# Base64 encoded "trusted-client:SecurePassword123"
+export OTEL_EXPORTER_OTLP_HEADERS="Authorization=Basic dHJ1c3RlZC1jbGllbnQ6U2VjdXJlUGFzc3dvcmQxMjM="
+```
+
+---
+
+Available routes to build on top of: https://github.com/XRPLF/rippled/pull/6425#discussion_r3234751995
+
+---
+
+# Analysis: Applying the Guide to xrpld
+
+The guide above is written for HTTP-fronted web services. xrpld is a P2P node daemon, so the threat model and the applicable defenses differ. This section captures how each approach maps to xrpld and the chosen direction.
+
+## Threat Model
+
+xrpld has **two distinct attack surfaces**, not one. The original guide conflates them under "trace context spoofing"; for xrpld they need separate defenses.
+
+| Surface                                   | Attacker                                                 | Vector                                                                                                                                                                                     | Defense                                       |
+| ----------------------------------------- | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------- |
+| **Collector ingress** (xrpld → collector) | Anyone who can reach `4317`/`4318` on the collector host | Forged OTLP traffic, telemetry exfiltration, DoS on collector                                                                                                                              | mTLS + network policy                         |
+| **Peer trace context** (peer → xrpld)     | Malicious peer in the XRPL overlay                       | Crafted `protocol::TraceContext` field inside peer protobuf messages (TMTransaction, consensus, etc.) — used to forge `trace_id`/`span_id`, pollute p99, attach spans to historical traces | Validate + rate-limit at the receive boundary |
+
+**Deployment context:** Across-network. xrpld nodes (potentially run by external operators or in different DCs) ship telemetry to a centrally-hosted collector across an untrusted network. The collector is NOT on the same host or private VPC as every node.
+
+```
+                ┌── peer (untrusted) ── TMTransaction{trace_context} ──▶ xrpld
+                │                                                            │
+                │                                              [validate + rate-limit]
+                │                                                            │
+                │                                                            ▼
+                │                                                     SpanGuard (clean)
+                │                                                            │
+                │                                                            │ OTLP/gRPC
+                │                                                            │ + mTLS
+                │                                                            ▼
+                └─────────────────────────────────────────  [require_and_verify_client_cert]
+                                                                  OTel Collector
+                                                              (in private subnet, NetPol)
+```
+
+## Part 1 Applicability — Peer Trace-Context Validation
+
+The guide's NGINX header stripping and OTTL stale-span filtering target HTTP gateways and post-hoc cleanup. Neither fits xrpld directly:
+
+- **NGINX header stripping** — N/A. There is no HTTP gateway between peers and xrpld; trace context arrives inside protobuf peer messages (`protocol::TraceContext`), not as W3C `traceparent` headers. See [src/xrpld/telemetry/PropagationHelpers.h](../src/xrpld/telemetry/PropagationHelpers.h).
+- **OTTL stale-span filtering** — Weak fit. Post-hoc cleanup at the collector loses peer identity (you can't tell _which_ peer poisoned the trace). Validation at the receive site is stronger.
+
+**xrpld-specific Part 1 mitigations:**
+
+1. **Validate extracted context at the boundary** in [src/xrpld/telemetry/ConsensusReceiveTracing.h](../src/xrpld/telemetry/ConsensusReceiveTracing.h) and any other peer-message receive site. Reject if `trace_id` is all-zero, wrong length, or fails W3C format checks. Treat invalid context as "no propagated context" — start a fresh span — rather than dropping the message.
+2. **Per-peer sample rate limiting** so a hostile peer cannot flood the collector with spans bearing a fabricated `trace_id`. Use probabilistic sampling on the receive path keyed by peer identity.
+
+## Part 2 — Comparison of Collector Hardening Approaches
+
+Evaluated for the across-network deployment shape:
+
+| Approach                        | Across-network fit                                                                                                                                                                                                                                                                            | Cost                                                                 | Verdict                            |
+| ------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------- |
+| **A. NetworkPolicy / firewall** | Necessary baseline (don't expose `4317`/`4318` to the internet), but insufficient on its own when traffic genuinely crosses networks — you cannot NetworkPolicy the public internet.                                                                                                          | Cheap.                                                               | **Defense-in-depth, not primary.** |
+| **B. mTLS**                     | Strongest fit. Every xrpld node holds a client cert; collector verifies with `require_and_verify_client_cert`. Encrypts in transit (raw OTLP over the internet leaks transaction patterns and validator identity). Compromised node = revoke one cert, no shared secret to rotate everywhere. | Cert issuance + rotation pipeline.                                   | **Primary.**                       |
+| **C. Basic Auth**               | Worst shape for this topology. Single shared password across all xrpld nodes — one leaked node config compromises the whole fleet. Doesn't encrypt; you'd need TLS underneath anyway, at which point you're 80% of the way to mTLS.                                                           | Cheap to set up, expensive to operate (rotation across N operators). | **Skip.**                          |
+
+## Decision
+
+**Primary defense:** mTLS (Approach B) on the collector's OTLP receivers, with `auth_type: require_and_verify_client_cert`.
+
+**Defense-in-depth:** NetworkPolicy / firewall rules (Approach A) so `4317`/`4318` are never reachable from outside the expected operator subnets even if mTLS were misconfigured.
+
+**Skipped:** Basic Auth (Approach C) — wrong shape for an across-network, multi-operator topology.
+
+**Plus xrpld-specific Part 1 work:** trace-context validation and per-peer rate limiting at peer-message receive sites.
+
+## Decisions Made
+
+| Decision             | Choice                           | Rationale                                                                                                                                                                                                                                                     |
+| -------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Cert source for mTLS | **Reuse XRPL node identity key** | One identity per node, no separate PKI to operate. Fits XRPL's existing trust model; requires small CA tooling step to derive/sign the OTel client cert from the node key.                                                                                    |
+| Part 1 scope         | **Include in this spec**         | Collector hardening and peer trace-context validation share one threat model. Coherent design doc; can still be split into multiple PRs at implementation.                                                                                                    |
+| Dev impact           | **Production-only**              | Local `docker/telemetry/docker-compose.yml` keeps `insecure: true` and no auth for fast iteration. Only production deployment manifests gain mTLS. Accepted risk: minor dev/prod drift, mitigated by integration tests against a TLS-enabled collector in CI. |
+
+## Out of Scope
+
+- NGINX/Envoy header stripping (no HTTP gateway in front of xrpld-to-collector traffic).
+- OTTL stale-span filtering at the collector (weaker than source validation; loses peer identity).
+- Local development docker-compose hardening.
+- Telemetry backend (Tempo) hardening — separate concern, downstream of the collector.
+
+## Next Step
+
+Write this up as a design doc with full sections covering:
+
+1. Threat model & architecture (this section, expanded)
+2. Collector hardening — mTLS config, NetworkPolicy
+3. Cert pipeline — deriving OTel client cert from XRPL node key
+4. Peer trace-context validation — receive-site checks in `ConsensusReceiveTracing.h`
+5. Per-peer span rate limiting
+6. Testing & rollout

README.md

@@ -1,69 +1,71 @@
+[![codecov](https://codecov.io/gh/XRPLF/rippled/graph/badge.svg?token=WyFr5ajq3O)](https://codecov.io/gh/XRPLF/rippled)
+
 # The XRP Ledger
 
 The [XRP Ledger](https://xrpl.org/) is a decentralized cryptographic ledger powered by a network of peer-to-peer nodes. The XRP Ledger uses a novel Byzantine Fault Tolerant consensus algorithm to settle and record transactions in a secure distributed database without a central operator.
 
 ## XRP
-[XRP](https://xrpl.org/xrp.html) is a public, counterparty-free asset native to the XRP Ledger, and is designed to bridge the many different currencies in use worldwide. XRP is traded on the open-market and is available for anyone to access. The XRP Ledger was created in 2012 with a finite supply of 100 billion units of XRP.
 
-## rippled
-The server software that powers the XRP Ledger is called `rippled` and is available in this repository under the permissive [ISC open-source license](LICENSE.md). The `rippled` server software is written primarily in C++ and runs on a variety of platforms. The `rippled` server software can run in several modes depending on its [configuration](https://xrpl.org/rippled-server-modes.html).
+[XRP](https://xrpl.org/xrp.html) is a public, counterparty-free crypto-asset native to the XRP Ledger, and is designed as a gas token for network services and to bridge different currencies. XRP is traded on the open-market and is available for anyone to access. The XRP Ledger was created in 2012 with a finite supply of 100 billion units of XRP.
 
-If you are interested in running an **API Server** (including a **Full History Server**), take a look at [Clio](https://github.com/XRPLF/clio). (rippled Reporting Mode has been replaced by Clio.)
+## xrpld
+
+The server software that powers the XRP Ledger is called `xrpld` and is available in this repository under the permissive [ISC open-source license](LICENSE.md). The `xrpld` server software is written primarily in C++ and runs on a variety of platforms. The `xrpld` server software can run in several modes depending on its [configuration](https://xrpl.org/rippled-server-modes.html).
+
+If you are interested in running an **API Server** (including a **Full History Server**), take a look at [Clio](https://github.com/XRPLF/clio). (xrpld Reporting Mode has been replaced by Clio.)
 
 ### Build from Source
 
-* [Read the build instructions in `BUILD.md`](BUILD.md)
-* If you encounter any issues, please [open an issue](https://github.com/XRPLF/rippled/issues)
+- [Read the build instructions in `BUILD.md`](BUILD.md)
+- If you encounter any issues, please [open an issue](https://github.com/XRPLF/rippled/issues)
 
 ## Key Features of the XRP Ledger
 
 - **[Censorship-Resistant Transaction Processing][]:** No single party decides which transactions succeed or fail, and no one can "roll back" a transaction after it completes. As long as those who choose to participate in the network keep it healthy, they can settle transactions in seconds.
 - **[Fast, Efficient Consensus Algorithm][]:** The XRP Ledger's consensus algorithm settles transactions in 4 to 5 seconds, processing at a throughput of up to 1500 transactions per second. These properties put XRP at least an order of magnitude ahead of other top digital assets.
-- **[Finite XRP Supply][]:** When the XRP Ledger began, 100 billion XRP were created, and no more XRP will ever be created. The available supply of XRP decreases slowly over time as small amounts are destroyed to pay transaction costs.
-- **[Responsible Software Governance][]:** A team of full-time, world-class developers at Ripple maintain and continually improve the XRP Ledger's underlying software with contributions from the open-source community. Ripple acts as a steward for the technology and an advocate for its interests, and builds constructive relationships with governments and financial institutions worldwide.
+- **[Finite XRP Supply][]:** When the XRP Ledger began, 100 billion XRP were created, and no more XRP will ever be created. The available supply of XRP decreases slowly over time as small amounts are destroyed to pay transaction fees.
+- **[Responsible Software Governance][]:** A team of full-time developers at Ripple & other organizations maintain and continually improve the XRP Ledger's underlying software with contributions from the open-source community. Ripple acts as a steward for the technology and an advocate for its interests.
 - **[Secure, Adaptable Cryptography][]:** The XRP Ledger relies on industry standard digital signature systems like ECDSA (the same scheme used by Bitcoin) but also supports modern, efficient algorithms like Ed25519. The extensible nature of the XRP Ledger's software makes it possible to add and disable algorithms as the state of the art in cryptography advances.
-- **[Modern Features for Smart Contracts][]:** Features like Escrow, Checks, and Payment Channels support cutting-edge financial applications including the [Interledger Protocol](https://interledger.org/). This toolbox of advanced features comes with safety features like a process for amending the network and separate checks against invariant constraints.
+- **[Modern Features][]:** Features like Escrow, Checks, and Payment Channels support financial applications atop of the XRP Ledger. This toolbox of advanced features comes with safety features like a process for amending the network and separate checks against invariant constraints.
 - **[On-Ledger Decentralized Exchange][]:** In addition to all the features that make XRP useful on its own, the XRP Ledger also has a fully-functional accounting system for tracking and trading obligations denominated in any way users want, and an exchange built into the protocol. The XRP Ledger can settle long, cross-currency payment paths and exchanges of multiple currencies in atomic transactions, bridging gaps of trust with XRP.
 
-[Censorship-Resistant Transaction Processing]: https://xrpl.org/xrp-ledger-overview.html#censorship-resistant-transaction-processing
-[Fast, Efficient Consensus Algorithm]: https://xrpl.org/xrp-ledger-overview.html#fast-efficient-consensus-algorithm
-[Finite XRP Supply]: https://xrpl.org/xrp-ledger-overview.html#finite-xrp-supply
-[Responsible Software Governance]: https://xrpl.org/xrp-ledger-overview.html#responsible-software-governance
-[Secure, Adaptable Cryptography]: https://xrpl.org/xrp-ledger-overview.html#secure-adaptable-cryptography
-[Modern Features for Smart Contracts]: https://xrpl.org/xrp-ledger-overview.html#modern-features-for-smart-contracts
-[On-Ledger Decentralized Exchange]: https://xrpl.org/xrp-ledger-overview.html#on-ledger-decentralized-exchange
-
+[Censorship-Resistant Transaction Processing]: https://xrpl.org/transaction-censorship-detection.html#transaction-censorship-detection
+[Fast, Efficient Consensus Algorithm]: https://xrpl.org/consensus-research.html#consensus-research
+[Finite XRP Supply]: https://xrpl.org/what-is-xrp.html
+[Responsible Software Governance]: https://xrpl.org/contribute-code.html#contribute-code-to-the-xrp-ledger
+[Secure, Adaptable Cryptography]: https://xrpl.org/cryptographic-keys.html#cryptographic-keys
+[Modern Features]: https://xrpl.org/use-specialized-payment-types.html
+[On-Ledger Decentralized Exchange]: https://xrpl.org/decentralized-exchange.html#decentralized-exchange
 
 ## Source Code
 
 Here are some good places to start learning the source code:
 
-- Read the markdown files in the source tree: `src/ripple/**/*.md`.
-- Read [the levelization document](./Builds/levelization) to get an idea of the internal dependency graph.
+- Read the markdown files in the source tree: `src/xrpld/**/*.md`.
+- Read [the levelization document](.github/scripts/levelization) to get an idea of the internal dependency graph.
 - In the big picture, the `main` function constructs an `ApplicationImp` object, which implements the `Application` virtual interface. Almost every component in the application takes an `Application&` parameter in its constructor, typically named `app` and stored as a member variable `app_`. This allows most components to depend on any other component.
 
 ### Repository Contents
 
-| Folder     | Contents                                         |
-|:-----------|:-------------------------------------------------|
-| `./bin`    | Scripts and data files for Ripple integrators.   |
-| `./Builds` | Platform-specific guides for building `rippled`. |
-| `./docs`   | Source documentation files and doxygen config.   |
-| `./cfg`    | Example configuration files.                     |
-| `./src`    | Source code.                                     |
+| Folder     | Contents                                       |
+| :--------- | :--------------------------------------------- |
+| `./bin`    | Scripts and data files for XRPL developers.    |
+| `./Builds` | Platform-specific guides for building `xrpld`. |
+| `./docs`   | Source documentation files and doxygen config. |
+| `./cfg`    | Example configuration files.                   |
+| `./src`    | Source code.                                   |
 
 Some of the directories under `src` are external repositories included using
 git-subtree. See those directories' README files for more details.
 
-
 ## Additional Documentation
 
-* [XRP Ledger Dev Portal](https://xrpl.org/)
-* [Setup and Installation](https://xrpl.org/install-rippled.html)
-* [Source Documentation (Doxygen)](https://xrplf.github.io/rippled/)
+- [XRP Ledger Dev Portal](https://xrpl.org/)
+- [Setup and Installation](https://xrpl.org/install-rippled.html)
+- [Source Documentation (Doxygen)](https://xrplf.github.io/rippled/)
 
 ## See Also
 
-* [Clio API Server for the XRP Ledger](https://github.com/XRPLF/clio)
-* [Mailing List for Release Announcements](https://groups.google.com/g/ripple-server)
-* [Learn more about the XRP Ledger (YouTube)](https://www.youtube.com/playlist?list=PLJQ55Tj1hIVZtJ_JdTvSum2qMTsedWkNi)
+- [Clio API Server for the XRP Ledger](https://github.com/XRPLF/clio)
+- [Mailing List for Release Announcements](https://groups.google.com/g/ripple-server)
+- [Learn more about the XRP Ledger (YouTube)](https://www.youtube.com/playlist?list=PLJQ55Tj1hIVZtJ_JdTvSum2qMTsedWkNi)