fix: Track tmpfiles-created directories in RPM %files as %ghost

refactor: Update RPM version scheme; remove auto-update script; service hardening
- **RPM version scheme**: pre-releases now use `~` in the `Version` field instead of the `0.<release>.<suffix>` `Release`-field hack. Matches Debian's `~` convention, so RPM and DEB version strings are symmetric. Requires rpm ≥ 4.10 (RHEL 9 ships 4.17). Before/after for a pre-release build: ``` # before xrpld-3.2.0-0.1.rc3+202606011647.d4cb68d5.el9.x86_64.rpm # after (symmetric with DEB) xrpld-3.2.0~rc2+202606010139.7679a310-1.el9.x86_64.rpm xrpld_3.2.0~rc2+202606010139.7679a310-1_amd64.deb ``` - **Auto-update removed**: `update-xrpld`, `update-xrpld.service`, and `update-xrpld.timer` deleted. The `50-xrpld.preset` `disable` line for the timer is dropped too. - **Service hardening** (two new `[Service]` directives in `xrpld.service`): - `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` — drops every Linux capability except `CAP_NET_BIND_SERVICE`, capping the privilege ceiling to least-privilege while still letting operators bind ports <1024 (e.g. WS/HTTPS on 443). - `SystemCallArchitectures=native` — restricts the service to the native syscall ABI, blocking alternate-ABI (32-bit/x32) syscalls used to evade seccomp filtering. - [ ] Build RPM from a pre-release version (e.g. `3.2.0-b1`) and confirm `rpm -qi` shows `Version: 3.2.0~b1`, `Release: 1` - [ ] Confirm `3.2.0~b1` sorts before `3.2.0` via `rpmvercmp` - [ ] Install package and confirm no `update-xrpld*` units appear in `systemctl list-unit-files` - [ ] Confirm `systemctl show xrpld` reflects the new `CapabilityBoundingSet` and `SystemCallArchitectures`
2026-06-04 09:16:47 +00:00 · 2026-06-02 16:55:13 -07:00 · 2026-06-01 14:57:05 -07:00 · 2026-06-01 16:47:01 +00:00 · 2026-06-01 15:29:12 +00:00 · 2026-06-01 15:27:13 +00:00
1866 changed files with 207447 additions and 84054 deletions
--- a/.clang-format
+++ b/.clang-format
@@ -50,20 +50,21 @@ ForEachMacros: [Q_FOREACH, BOOST_FOREACH]
 IncludeBlocks: Regroup
 IncludeCategories:
  - Regex: "^<(test)/"
-    Priority: 0
-  - Regex: "^<(xrpld)/"
    Priority: 1
-  - Regex: "^<(xrpl)/"
+  - Regex: "^<(xrpld)/"
    Priority: 2
-  - Regex: "^<(boost)/"
+  - Regex: "^<(xrpl)/"
    Priority: 3
-  - Regex: "^.*/"
+  - Regex: "^<(boost)/"
    Priority: 4
-  - Regex: '^.*\.h'
+  - Regex: "^.*/"
    Priority: 5
-  - Regex: ".*"
+  - Regex: '^.*\.h'
    Priority: 6
+  - Regex: ".*"
+    Priority: 7
 IncludeIsMainRegex: "$"
+MainIncludeChar: AngleBracket
 IndentCaseLabels: true
 IndentFunctionDeclarationAfterType: false
 IndentRequiresClause: true
--- a/.clang-tidy
+++ b/.clang-tidy
@@ -4,16 +4,19 @@ Checks: "-*,
  bugprone-assert-side-effect,
  bugprone-bad-signal-to-kill-thread,
  bugprone-bool-pointer-implicit-conversion,
+  bugprone-capturing-this-in-member-variable,
  bugprone-casting-through-void,
  bugprone-chained-comparison,
  bugprone-compare-pointer-to-member-virtual-function,
  bugprone-copy-constructor-init,
+  bugprone-crtp-constructor-accessibility,
  bugprone-dangling-handle,
  bugprone-dynamic-static-initializers,
  bugprone-empty-catch,
  bugprone-fold-init-type,
  bugprone-forward-declaration-namespace,
  bugprone-inaccurate-erase,
+  bugprone-inc-dec-in-conditions,
  bugprone-incorrect-enable-if,
  bugprone-incorrect-roundings,
  bugprone-infinite-loop,
@@ -21,6 +24,7 @@ Checks: "-*,
  bugprone-lambda-function-name,
  bugprone-macro-parentheses,
  bugprone-macro-repeated-side-effects,
+  bugprone-misleading-setter-of-reference,
  bugprone-misplaced-operator-in-strlen-in-alloc,
  bugprone-misplaced-pointer-arithmetic-in-alloc,
  bugprone-misplaced-widening-cast,
@@ -30,9 +34,12 @@ Checks: "-*,
  bugprone-multiple-statement-macro,
  bugprone-no-escape,
  bugprone-non-zero-enum-to-bool-conversion,
+  bugprone-optional-value-conversion,
  bugprone-parent-virtual-call,
+  bugprone-pointer-arithmetic-on-polymorphic-object,
  bugprone-posix-return,
  bugprone-redundant-branch-condition,
+  bugprone-reserved-identifier,
  bugprone-return-const-ref-from-parameter,
  bugprone-shared-ptr-array-mismatch,
  bugprone-signal-handler,
@@ -53,149 +60,145 @@ Checks: "-*,
  bugprone-suspicious-realloc-usage,
  bugprone-suspicious-semicolon,
  bugprone-suspicious-string-compare,
+  bugprone-suspicious-stringview-data-usage,
  bugprone-swapped-arguments,
+  bugprone-switch-missing-default-case,
  bugprone-terminating-continue,
  bugprone-throw-keyword-missing,
+  bugprone-too-small-loop-variable,
+  bugprone-unchecked-optional-access,
  bugprone-undefined-memory-manipulation,
  bugprone-undelegated-constructor,
  bugprone-unhandled-exception-at-new,
+  bugprone-unhandled-self-assignment,
  bugprone-unique-ptr-array-mismatch,
  bugprone-unsafe-functions,
  bugprone-unused-local-non-trivial-variable,
+  bugprone-unused-raii,
+  bugprone-unused-return-value,
+  bugprone-use-after-move,
  bugprone-virtual-near-miss,
+  cppcoreguidelines-init-variables,
+  cppcoreguidelines-misleading-capture-default-by-value,
  cppcoreguidelines-no-suspend-with-lock,
+  cppcoreguidelines-pro-type-member-init,
+  cppcoreguidelines-pro-type-static-cast-downcast,
+  cppcoreguidelines-rvalue-reference-param-not-moved,
+  cppcoreguidelines-use-default-member-init,
+  cppcoreguidelines-use-enum-class,
  cppcoreguidelines-virtual-class-destructor,
  hicpp-ignored-remove-result,
+  llvm-namespace-comment,
+  misc-const-correctness,
  misc-definitions-in-headers,
  misc-header-include-cycle,
+  misc-include-cleaner,
  misc-misplaced-const,
+  misc-redundant-expression,
  misc-static-assert,
  misc-throw-by-value-catch-by-reference,
  misc-unused-alias-decls,
  misc-unused-using-decls,
-  readability-duplicate-include,
-  readability-enum-initial-value,
-  readability-misleading-indentation,
-  readability-non-const-parameter,
-  readability-redundant-declaration,
-  readability-reference-to-constructed-temporary,
+  modernize-concat-nested-namespaces,
  modernize-deprecated-headers,
  modernize-make-shared,
  modernize-make-unique,
+  modernize-pass-by-value,
+  modernize-type-traits,
+  modernize-use-designated-initializers,
+  modernize-use-emplace,
+  modernize-use-equals-default,
+  modernize-use-equals-delete,
+  modernize-use-nodiscard,
+  modernize-use-override,
+  modernize-use-ranges,
+  modernize-use-scoped-lock,
+  modernize-use-starts-ends-with,
+  modernize-use-std-numbers,
+  modernize-use-using,
+  performance-faster-string-find,
+  performance-for-range-copy,
  performance-implicit-conversion-in-loop,
+  performance-inefficient-vector-operation,
+  performance-move-const-arg,
  performance-move-constructor-init,
-  performance-trivially-destructible
+  performance-no-automatic-move,
+  performance-trivially-destructible,
+  readability-ambiguous-smartptr-reset-call,
+  readability-avoid-nested-conditional-operator,
+  readability-avoid-return-with-void-value,
+  readability-braces-around-statements,
+  readability-const-return-type,
+  readability-container-contains,
+  readability-container-size-empty,
+  readability-convert-member-functions-to-static,
+  readability-duplicate-include,
+  readability-else-after-return,
+  readability-enum-initial-value,
+  readability-identifier-naming,
+  readability-implicit-bool-conversion,
+  readability-make-member-function-const,
+  readability-math-missing-parentheses,
+  readability-misleading-indentation,
+  readability-non-const-parameter,
+  readability-redundant-casting,
+  readability-redundant-declaration,
+  readability-redundant-inline-specifier,
+  readability-redundant-member-init,
+  readability-redundant-string-init,
+  readability-reference-to-constructed-temporary,
+  readability-simplify-boolean-expr,
+  readability-static-definition-in-anonymous-namespace,
+  readability-suspicious-call-argument,
+  readability-use-std-min-max
  "
 # ---
-# checks that have some issues that need to be resolved:
-#
-# bugprone-crtp-constructor-accessibility,
-# bugprone-inc-dec-in-conditions,
-# bugprone-reserved-identifier,
-# bugprone-move-forwarding-reference,
-# bugprone-switch-missing-default-case,
-# bugprone-suspicious-stringview-data-usage,
-# bugprone-pointer-arithmetic-on-polymorphic-object,
-# bugprone-optional-value-conversion,
-# bugprone-too-small-loop-variable,
-# bugprone-unused-return-value,
-# bugprone-use-after-move,
-# bugprone-unhandled-self-assignment,
-# bugprone-unused-raii,
-#
-# cppcoreguidelines-misleading-capture-default-by-value,
-# cppcoreguidelines-init-variables,
-# cppcoreguidelines-pro-type-member-init,
-# cppcoreguidelines-pro-type-static-cast-downcast,
-# cppcoreguidelines-use-default-member-init,
-# cppcoreguidelines-rvalue-reference-param-not-moved,
-#
-# llvm-namespace-comment,
-# misc-const-correctness,
-# misc-include-cleaner,
-# misc-redundant-expression,
-#
-# readability-avoid-nested-conditional-operator,
-# readability-avoid-return-with-void-value,
-# readability-braces-around-statements,
-# readability-container-contains,
-# readability-container-size-empty,
-# readability-convert-member-functions-to-static,
-# readability-const-return-type,
-# readability-else-after-return,
-# readability-implicit-bool-conversion,
-# readability-inconsistent-declaration-parameter-name,
-# readability-identifier-naming,
-# readability-make-member-function-const,
-# readability-math-missing-parentheses,
-# readability-redundant-inline-specifier,
-# readability-redundant-member-init,
-# readability-redundant-casting,
-# readability-redundant-string-init,
-# readability-simplify-boolean-expr,
-# readability-static-definition-in-anonymous-namespace,
-# readability-suspicious-call-argument,
-# readability-use-std-min-max,
-# readability-static-accessed-through-instance,
-#
-# modernize-concat-nested-namespaces,
-# modernize-pass-by-value,
-# modernize-type-traits,
-# modernize-use-designated-initializers,
-# modernize-use-emplace,
-# modernize-use-equals-default,
-# modernize-use-equals-delete,
-# modernize-use-override,
-# modernize-use-ranges,
-# modernize-use-starts-ends-with,
-# modernize-use-std-numbers,
-# modernize-use-using,
-#
-# performance-faster-string-find,
-# performance-for-range-copy,
-# performance-inefficient-vector-operation,
-# performance-move-const-arg,
-# performance-no-automatic-move,
+# readability-inconsistent-declaration-parameter-name, # in this codebase this check will break a lot of arg names
+# readability-static-accessed-through-instance,        # this check is probably unnecessary. it makes the code less readable
 # ---
-#
+
 CheckOptions:
-  #   readability-braces-around-statements.ShortStatementLines: 2
-  #   readability-identifier-naming.MacroDefinitionCase: UPPER_CASE
-  #   readability-identifier-naming.ClassCase: CamelCase
-  #   readability-identifier-naming.StructCase: CamelCase
-  #   readability-identifier-naming.UnionCase: CamelCase
-  #   readability-identifier-naming.EnumCase: CamelCase
-  #   readability-identifier-naming.EnumConstantCase: CamelCase
-  #   readability-identifier-naming.ScopedEnumConstantCase: CamelCase
-  #   readability-identifier-naming.GlobalConstantCase: UPPER_CASE
-  #   readability-identifier-naming.GlobalConstantPrefix: "k"
-  #   readability-identifier-naming.GlobalVariableCase: CamelCase
-  #   readability-identifier-naming.GlobalVariablePrefix: "g"
-  #   readability-identifier-naming.ConstexprFunctionCase: camelBack
-  #   readability-identifier-naming.ConstexprMethodCase: camelBack
-  #   readability-identifier-naming.ClassMethodCase: camelBack
-  #   readability-identifier-naming.ClassMemberCase: camelBack
-  #   readability-identifier-naming.ClassConstantCase: UPPER_CASE
-  #   readability-identifier-naming.ClassConstantPrefix: "k"
-  #   readability-identifier-naming.StaticConstantCase: UPPER_CASE
-  #   readability-identifier-naming.StaticConstantPrefix: "k"
-  #   readability-identifier-naming.StaticVariableCase: UPPER_CASE
-  #   readability-identifier-naming.StaticVariablePrefix: "k"
-  #   readability-identifier-naming.ConstexprVariableCase: UPPER_CASE
-  #   readability-identifier-naming.ConstexprVariablePrefix: "k"
-  #   readability-identifier-naming.LocalConstantCase: camelBack
-  #   readability-identifier-naming.LocalVariableCase: camelBack
-  #   readability-identifier-naming.TemplateParameterCase: CamelCase
-  #   readability-identifier-naming.ParameterCase: camelBack
-  #   readability-identifier-naming.FunctionCase: camelBack
-  #   readability-identifier-naming.MemberCase: camelBack
-  #   readability-identifier-naming.PrivateMemberSuffix: _
-  #   readability-identifier-naming.ProtectedMemberSuffix: _
-  #   readability-identifier-naming.PublicMemberSuffix: ""
-  #   readability-identifier-naming.FunctionIgnoredRegexp: ".*tag_invoke.*"
  bugprone-unsafe-functions.ReportMoreUnsafeFunctions: true
-#   bugprone-unused-return-value.CheckedReturnTypes: ::std::error_code;::std::error_condition;::std::errc
-#   misc-include-cleaner.IgnoreHeaders: '.*/(detail|impl)/.*;.*(expected|unexpected).*;.*ranges_lower_bound\.h;time.h;stdlib.h;__chrono/.*;fmt/chrono.h;boost/uuid/uuid_hash.hpp'
-#
-# HeaderFilterRegex: '^.*/(src|tests)/.*\.(h|hpp)$'
+  bugprone-unused-return-value.CheckedReturnTypes: ::std::error_code;::std::error_condition;::std::errc
+
+  misc-include-cleaner.IgnoreHeaders: ".*/(detail|impl)/.*;.*fwd\\.h(pp)?;time.h;stdlib.h;sqlite3.h;netinet/in\\.h;sys/resource\\.h;sys/sysinfo\\.h;linux/sysinfo\\.h;__chrono/.*;bits/.*;_abort\\.h;boost/uuid/uuid_hash.hpp;boost/beast/core/flat_buffer\\.hpp;boost/beast/http/field\\.hpp;boost/beast/http/dynamic_body\\.hpp;boost/beast/http/message\\.hpp;boost/beast/http/read\\.hpp;boost/beast/http/write\\.hpp;openssl/obj_mac\\.h"
+
+  readability-braces-around-statements.ShortStatementLines: 2
+  readability-identifier-naming.MacroDefinitionCase: UPPER_CASE
+  readability-identifier-naming.ClassCase: CamelCase
+  readability-identifier-naming.StructCase: CamelCase
+  readability-identifier-naming.UnionCase: CamelCase
+  readability-identifier-naming.EnumCase: CamelCase
+  readability-identifier-naming.EnumConstantCase: CamelCase
+  readability-identifier-naming.ScopedEnumConstantCase: CamelCase
+  readability-identifier-naming.GlobalConstantCase: CamelCase
+  readability-identifier-naming.GlobalConstantPrefix: "k"
+  readability-identifier-naming.GlobalVariableCase: CamelCase
+  readability-identifier-naming.GlobalVariablePrefix: "g"
+  readability-identifier-naming.ConstexprFunctionCase: camelBack
+  readability-identifier-naming.ConstexprMethodCase: camelBack
+  readability-identifier-naming.ClassMethodCase: camelBack
+  readability-identifier-naming.ClassMemberCase: camelBack
+  readability-identifier-naming.ClassConstantCase: CamelCase
+  readability-identifier-naming.ClassConstantPrefix: "k"
+  readability-identifier-naming.StaticConstantCase: CamelCase
+  readability-identifier-naming.StaticConstantPrefix: "k"
+  readability-identifier-naming.StaticVariableCase: camelBack
+  readability-identifier-naming.ConstexprVariableCase: camelBack
+  readability-identifier-naming.LocalConstantCase: camelBack
+  readability-identifier-naming.LocalVariableCase: camelBack
+  readability-identifier-naming.TemplateParameterCase: CamelCase
+  readability-identifier-naming.ParameterCase: camelBack
+  readability-identifier-naming.FunctionCase: camelBack
+  readability-identifier-naming.MemberCase: camelBack
+  readability-identifier-naming.PrivateMemberCase: camelBack
+  readability-identifier-naming.PrivateMemberSuffix: _
+  readability-identifier-naming.ProtectedMemberCase: camelBack
+  readability-identifier-naming.ProtectedMemberSuffix: _
+  readability-identifier-naming.PublicMemberCase: camelBack
+  readability-identifier-naming.PublicMemberSuffix: ""
+  readability-identifier-naming.GlobalFunctionIgnoredRegexp: "^(to_string|hash_append|tuple_hash)$"
+
+HeaderFilterRegex: '^.*/(tests?|xrpl|xrpld)/.*\.(h|hpp|ipp)$'
+ExcludeHeaderFilterRegex: '^.*/protocol_autogen/.*\.(h|hpp)$'
 WarningsAsErrors: "*"
--- a/.gersemi/definitions.cmake
+++ b/.gersemi/definitions.cmake
@@ -51,6 +51,9 @@ endfunction()
 function(add_module parent name)
 endfunction()

+function(setup_protocol_autogen)
+endfunction()
+
 function(target_link_modules parent scope)
 endfunction()

--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -1,16 +1,81 @@
 # This feature requires Git >= 2.24
 # To use it by default in git blame:
 # git config blame.ignoreRevsFile .git-blame-ignore-revs
-50760c693510894ca368e90369b0cc2dabfd07f3
-e2384885f5f630c8f0ffe4bf21a169b433a16858
-241b9ddde9e11beb7480600fd5ed90e1ef109b21
-760f16f56835663d9286bd29294d074de26a7ba6
-0eebe6a5f4246fced516d52b83ec4e7f47373edd
-2189cc950c0cebb89e4e2fa3b2d8817205bf7cef
-b9d007813378ad0ff45660dc07285b823c7e9855
-fe9a5365b8a52d4acc42eb27369247e6f238a4f9
-9a93577314e6a8d4b4a8368cc9d2b15a5d8303e8
-552377c76f55b403a1c876df873a23d780fcc81c
-97f0747e103f13e26e45b731731059b32f7679ac
-b13370ac0d207217354f1fc1c29aef87769fb8a1
+
+# This file is sorted in reverse chronological order, with the most recent commits at the top.
+# The commits listed here are ignored by git blame, which is useful for formatting-only commits that would otherwise obscure the history of changes to a file.
+
+# refactor: Enable clang-tidy `readability-identifier-naming` check (#6571)
+8995564ed6b9e453e144bb663303072a3c1ba305
+# refactor: Enable remaining clang-tidy `cppcoreguidelines` checks (#6538)
+72f4cb097f626b08b02fc3efcb4aa11cb2e7adb8
+# refactor: Rename system name from 'ripple' to 'xrpld' (#6347)
+ffea3977f0b771fe8e43a8f74e4d393d63a7afd8
+# refactor: Update transaction folder structure (#6483)
+5865bd017f777491b4a956f9210be0c4161f5442
+# chore: Use gersemi instead of ancient cmake-format (#6486)
+0c74270b055133a57a497b5c9fc5a75f7647b1f4
+# chore: Apply clang-format width 100 (#6387)
+2c1fad102353e11293e3edde1c043224e7d3e983
+# chore: Set clang-format width to 100 in config file (#6387)
+25cca465538a56cce501477f9e5e2c1c7ea2d84c
+# chore: Set cmake-format width to 100 (#6386)
+469ce9f291a4480c38d4ee3baca5136b2f053cd0
+# refactor: Modularize app/tx (#6228)
+0976b2b68b64972af8e6e7c497900b5bce9fe22f
+# chore: Update clang-format to 21.1.8 (#6352)
+958d8f375453d80bb1aa4c293b5102c045a3e4b4
+# refactor: Replace include guards by '#pragma once' (#6322)
+34ef577604782ca8d6e1c17df8bd7470990a52ff
+# chore: Format all cmake files without comments (#6294)
+fe9c8d568fcf6ac21483024e01f58962dd5c8260
+# chore: Add cmake-format pre-commit hook (#6279)
+a0e09187b9370805d027c611a7e9ff5a0125282a
+# chore: Set ColumnLimit to 120 in clang-format (#6288)
+5f638f55536def0d88b970d1018a465a238e55f4
+# refactor: Fix typos in comments, configure cspell (#6164)
+3c9f5b62525cb1d6ca1153eeb10433db7d7379fd
+# refactor: Rename `rippled.cfg` to `xrpld.cfg` (#6098)
+3d1b3a49b3601a0a7037fa0b19d5df7b5e0e2fc1
+# refactor: Rename `ripple` namespace to `xrpl` (#5982)
+1eb0fdac6543706b4b9ddca57fd4102928a1f871
+# refactor: Rename `rippled` binary to `xrpld` (#5983)
+9eb84a561ef8bb066d89f098bd9b4ac71baed67c
+# refactor: Replaces secp256k1 source by Conan package (#6089)
+813bc4d9491b078bb950f8255f93b02f71320478
+# refactor: Remove unnecessary copyright notices already covered by LICENSE.md (#5929)
+1d42c4f6de6bf01d1286fc7459b17a37a5189e88
+# refactor: Rename `RIPPLE_` and `RIPPLED_` definitions to `XRPL_` (#5821)
+ada83564d894829424b0f4d922b0e737e07abbf7
+# refactor: Modularize shamap and nodestore (#5668)
+8eb233c2ea8ad5a159be73b77f0f5e1496d547ac
+# refactor: Modularise ledger (#5493)
+dc8b37a52448b005153c13a7f046ad494128cf94
+# chore: Update clang-format and prettier with pre-commit (#5709)
+c14ce956adeabe476ad73c18d73103f347c9c613
+# chore: Fix file formatting (#5718)
 896b8c3b54a22b0497cb0d1ce95e1095f9a227ce
+# chore: Reverts formatting changes to external files, adds formatting changes to proto files (#5711)
+b13370ac0d207217354f1fc1c29aef87769fb8a1
+# chore: Run prettier on all files (#5657)
+97f0747e103f13e26e45b731731059b32f7679ac
+# Reformat code with clang-format-18
+552377c76f55b403a1c876df873a23d780fcc81c
+# Recompute loops (#4997)
+d028005aa6319338b0adae1aebf8abe113162960
+# Rewrite includes (#4997)
+1d23148e6dd53957fcb6205c07a5c6cd7b64d50c
+# Rearrange sources (#4997)
+e416ee72ca26fa0c09d2aee1b68bdfb2b7046eed
+# Move CMake directory (#4997)
+2e902dee53aab2a8f27f32971047bb81e022f94f
+# Rewrite includes
+0eebe6a5f4246fced516d52b83ec4e7f47373edd
+# Format formerly .hpp files
+760f16f56835663d9286bd29294d074de26a7ba6
+# Rename .hpp to .h
+241b9ddde9e11beb7480600fd5ed90e1ef109b21
+# Consolidate external libraries
+e2384885f5f630c8f0ffe4bf21a169b433a16858
+# Format first-party source according to .clang-format
+50760c693510894ca368e90369b0cc2dabfd07f3
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,7 +1,7 @@
 ---
 name: Feature Request
-about: Suggest a new feature for the rippled project
-title: "[Title with short description] (Version: [rippled version])"
+about: Suggest a new feature for the xrpld project
+title: "[Title with short description] (Version: [xrpld version])"
 labels: Feature Request
 assignees: ""
 ---
--- a/.github/actions/build-deps/action.yml
+++ b/.github/actions/build-deps/action.yml
@@ -37,12 +37,12 @@ runs:
      run: |
        echo 'Installing dependencies.'
        conan install \
-          --profile ci \
-          --build="${BUILD_OPTION}" \
-          --options:host='&:tests=True' \
-          --options:host='&:xrpld=True' \
-          --settings:all build_type="${BUILD_TYPE}" \
-          --conf:all tools.build:jobs=${BUILD_NPROC} \
-          --conf:all tools.build:verbosity="${LOG_VERBOSITY}" \
-          --conf:all tools.compilation:verbosity="${LOG_VERBOSITY}" \
-          .
+            --profile ci \
+            --build="${BUILD_OPTION}" \
+            --options:host='&:tests=True' \
+            --options:host='&:xrpld=True' \
+            --settings:all build_type="${BUILD_TYPE}" \
+            --conf:all tools.build:jobs=${BUILD_NPROC} \
+            --conf:all tools.build:verbosity="${LOG_VERBOSITY}" \
+            --conf:all tools.compilation:verbosity="${LOG_VERBOSITY}" \
+            .
--- a/.github/actions/generate-version/action.yml
+++ b/.github/actions/generate-version/action.yml
@@ -11,34 +11,34 @@ runs:
  steps:
    # When a tag is pushed, the version is used as-is.
    - name: Generate version for tag event
-      if: ${{ github.event_name == 'tag' }}
+      if: ${{ startsWith(github.ref, 'refs/tags/') }}
      shell: bash
      env:
        VERSION: ${{ github.ref_name }}
-      run: echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
+      run: echo "VERSION=${VERSION}" >>"${GITHUB_ENV}"

    # When a tag is not pushed, then the version (e.g. 1.2.3-b0) is extracted
    # from the BuildInfo.cpp file and the shortened commit hash appended to it.
    # We use a plus sign instead of a hyphen because Conan recipe versions do
    # not support two hyphens.
    - name: Generate version for non-tag event
-      if: ${{ github.event_name != 'tag' }}
+      if: ${{ !startsWith(github.ref, 'refs/tags/') }}
      shell: bash
      run: |
        echo 'Extracting version from BuildInfo.cpp.'
        VERSION="$(cat src/libxrpl/protocol/BuildInfo.cpp | grep "versionString =" | awk -F '"' '{print $2}')"
        if [[ -z "${VERSION}" ]]; then
-          echo 'Unable to extract version from BuildInfo.cpp.'
-          exit 1
+            echo 'Unable to extract version from BuildInfo.cpp.'
+            exit 1
        fi

        echo 'Appending shortened commit hash to version.'
        SHA='${{ github.sha }}'
        VERSION="${VERSION}+${SHA:0:7}"

-        echo "VERSION=${VERSION}" >> "${GITHUB_ENV}"
+        echo "VERSION=${VERSION}" >>"${GITHUB_ENV}"

    - name: Output version
      id: version
      shell: bash
-      run: echo "version=${VERSION}" >> "${GITHUB_OUTPUT}"
+      run: echo "version=${VERSION}" >>"${GITHUB_OUTPUT}"
--- a/.github/actions/print-env/action.yml
+++ b/.github/actions/print-env/action.yml
@@ -1,43 +0,0 @@
-name: Print build environment
-description: "Print environment and some tooling versions"
-
-runs:
-  using: composite
-  steps:
-    - name: Check configuration (Windows)
-      if: ${{ runner.os == 'Windows' }}
-      shell: bash
-      run: |
-        echo 'Checking environment variables.'
-        set
-
-    - name: Check configuration (Linux and macOS)
-      if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
-      shell: bash
-      run: |
-        echo 'Checking path.'
-        echo ${PATH} | tr ':' '\n'
-
-        echo 'Checking environment variables.'
-        env | sort
-
-        echo 'Checking compiler version.'
-        ${{ runner.os == 'Linux' && '${CC}' || 'clang' }} --version
-
-        echo 'Checking Ninja version.'
-        ninja --version
-
-        echo 'Checking nproc version.'
-        nproc --version
-
-    - name: Check configuration (all)
-      shell: bash
-      run: |
-        echo 'Checking Ccache version.'
-        ccache --version
-
-        echo 'Checking CMake version.'
-        cmake --version
-
-        echo 'Checking Conan version.'
-        conan --version
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -33,17 +33,6 @@ updates:
      prefix: "ci: [DEPENDABOT] "
    target-branch: develop

-  - package-ecosystem: github-actions
-    directory: .github/actions/print-env/
-    schedule:
-      interval: weekly
-      day: monday
-      time: "04:00"
-      timezone: Etc/GMT
-    commit-message:
-      prefix: "ci: [DEPENDABOT] "
-    target-branch: develop
-
  - package-ecosystem: github-actions
    directory: .github/actions/setup-conan/
    schedule:
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -29,22 +29,6 @@ If a refactor, how is this better than the previous implementation?
 If there is a spec or design document for this feature, please link it here.
 -->

-### Type of Change
-
-<!--
-Please check [x] relevant options, delete irrelevant ones.
-->
-
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Refactor (non-breaking change that only restructures code)
- [ ] Performance (increase or change in throughput and/or latency)
- [ ] Tests (you added tests for code that already exists, or your new feature included in this PR)
- [ ] Documentation update
- [ ] Chore (no impact to binary, e.g. `.gitignore`, formatting, dropping support for older tooling)
- [ ] Release
-
 ### API Impact

 <!--
--- a/.github/scripts/check-pr-description.py
+++ b/.github/scripts/check-pr-description.py
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+
+"""
+Checks that a pull request description has been customized from the
+pull_request_template.md. Exits with code 1 if the description is empty
+or identical to the template (ignoring HTML comments and whitespace).
+
+Usage:
+    python check-pr-description.py --template-file TEMPLATE --pr-body-file BODY
+"""
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+
+def normalize(text: str) -> str:
+    """Strip HTML comments, trim lines, and remove blank lines."""
+    # Remove HTML comments (possibly multi-line)
+    text = re.sub(r"<!--.*?-->", "", text, flags=re.DOTALL)
+    # Strip each line and drop empties
+    lines = [line.strip() for line in text.splitlines()]
+    lines = [line for line in lines if line]
+    return "\n".join(lines)
+
+
+def main() -> int:
+    parser = argparse.ArgumentParser(
+        description="Check that a PR description differs from the template."
+    )
+    parser.add_argument(
+        "--template-file",
+        type=Path,
+        required=True,
+        help="Path to the pull request template file.",
+    )
+    parser.add_argument(
+        "--pr-body-file",
+        type=Path,
+        required=True,
+        help="Path to a file containing the PR body text.",
+    )
+    args = parser.parse_args()
+
+    template_path: Path = args.template_file
+    pr_body_path: Path = args.pr_body_file
+
+    if not template_path.is_file():
+        print(f"::error::Template file {template_path} not found")
+        return 1
+
+    if not pr_body_path.is_file():
+        print(f"::error::PR body file {pr_body_path} not found")
+        return 1
+
+    template = template_path.read_text(encoding="utf-8")
+    pr_body = pr_body_path.read_text(encoding="utf-8")
+
+    # Check if the PR body is empty or whitespace-only
+    if not pr_body.strip():
+        print(
+            "::error::PR description is empty. "
+            "Please fill in the pull request template."
+        )
+        return 1
+
+    norm_template = normalize(template)
+    norm_pr_body = normalize(pr_body)
+
+    if norm_pr_body == norm_template:
+        print(
+            "::error::PR description (ignoring HTML comments) is identical"
+            " to the template. Please fill in the details of your change."
+            f"\n\nVisible template content:\n---\n{norm_template}\n---"
+            f"\n\nVisible PR description content:\n---\n{norm_pr_body}\n---"
+        )
+        return 1
+
+    print("PR description has been customized from the template.")
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())
--- a/.github/scripts/format-inline-bash.py
+++ b/.github/scripts/format-inline-bash.py
@@ -0,0 +1,403 @@
+#!/usr/bin/env python3
+
+"""
+Format embedded shell snippets using the shfmt hook configured in
+.pre-commit-config.yaml.
+
+Two shapes are recognised:
+
+* YAML workflow/action files: literal block-scalar runs (`run: |`) and
+  single-line runs (`run: some command`). A single-line run is upgraded to
+  a `run: |` block scalar if shfmt's output spans multiple lines.
+
+* Markdown files: ``` ```bash ``` fenced code blocks.
+
+Any block that shfmt cannot parse is skipped with a warning on stderr, so
+the file is left untouched and surrounding blocks still get formatted.
+
+For each occurrence the body is dedented, written to a temp .sh file,
+formatted via `pre-commit run shfmt --files <temp>` (falling back to
+`prek`), then re-indented and written back in place.
+
+When invoked without arguments, every .yml/.yaml under .github/ plus every
+.md file in the repo is scanned. When invoked with file arguments (the
+pre-commit case), only those files are processed.
+"""
+
+from __future__ import annotations
+
+import re
+import shutil
+import subprocess
+import sys
+import tempfile
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Union
+
+REPO = Path(__file__).resolve().parents[2]
+
+_HOOK_RUNNER = next((cmd for cmd in ("pre-commit", "prek") if shutil.which(cmd)), None)
+if _HOOK_RUNNER is None:
+    sys.exit("error: neither `pre-commit` nor `prek` found on PATH")
+
+RUN_BLOCK_RE = re.compile(r"^(?P<prefix>[ \t]*(?:- )?)run:[ \t]*\|[+-]?[ \t]*$")
+RUN_INLINE_RE = re.compile(
+    r"^(?P<prefix>[ \t]*(?:- )?)run:[ \t]+" r"(?P<value>(?!\|[+-]?[ \t]*$)\S.*?)[ \t]*$"
+)
+MD_BASH_OPEN_RE = re.compile(r"^(?P<indent>[ ]{0,3})`{3}bash[ \t]*$")
+MD_FENCE_CLOSE_RE = re.compile(r"^[ ]{0,3}`{3,}[ \t]*$")
+
+
+@dataclass(frozen=True)
+class BlockRun:
+    """A `run: |` block scalar; `body_start:body_end` slices into `lines`."""
+
+    body_start: int
+    body_end: int
+    body_indent: int
+
+
+@dataclass(frozen=True)
+class InlineRun:
+    """A single-line `run: value` at `line_idx`."""
+
+    line_idx: int
+    prefix: str
+    value: str
+
+
+@dataclass(frozen=True)
+class MdBashBlock:
+    """A markdown ``` ```bash ``` fenced code block.
+
+    `body_start:body_end` slices into the file's lines; `open_line_idx`
+    points at the opening fence line.
+    """
+
+    open_line_idx: int
+    body_start: int
+    body_end: int
+    body_indent: int
+
+
+RunItem = Union[BlockRun, InlineRun]
+
+
+def _scan_block_body(
+    lines: list[str], body_start: int, run_col: int
+) -> tuple[int | None, int]:
+    """Locate the body of a `run: |` block scalar starting at `body_start`.
+
+    Returns `(body_indent, scan_end)`. `scan_end` is the line index where the
+    outer scanner should resume. `body_indent` is `None` when no body is
+    present (the scalar is empty, or the next non-blank line has indent
+    `<= run_col`).
+    """
+    body_indent: int | None = None
+    scan_end = len(lines)
+    for idx in range(body_start, len(lines)):
+        line = lines[idx]
+        if line.strip() == "":
+            continue
+        indent = len(line) - len(line.lstrip(" "))
+        if body_indent is None:
+            if indent > run_col:
+                body_indent = indent
+            else:
+                scan_end = idx
+                break
+        elif indent < body_indent:
+            scan_end = idx
+            break
+    if body_indent is not None:
+        while scan_end > body_start and lines[scan_end - 1].strip() == "":
+            scan_end -= 1
+        if scan_end <= body_start:
+            body_indent = None
+    return body_indent, scan_end
+
+
+def find_run_blocks(lines: list[str]) -> list[RunItem]:
+    """Return run items in document order."""
+    items: list[RunItem] = []
+    line_idx = 0
+    while line_idx < len(lines):
+        line = lines[line_idx]
+        if block_match := RUN_BLOCK_RE.match(line):
+            run_col = len(block_match.group("prefix"))
+            body_start = line_idx + 1
+            body_indent, scan_end = _scan_block_body(lines, body_start, run_col)
+            if body_indent is not None:
+                items.append(
+                    BlockRun(
+                        body_start=body_start,
+                        body_end=scan_end,
+                        body_indent=body_indent,
+                    )
+                )
+            line_idx = scan_end
+            continue
+        if inline_match := RUN_INLINE_RE.match(line):
+            items.append(
+                InlineRun(
+                    line_idx=line_idx,
+                    prefix=inline_match.group("prefix"),
+                    value=inline_match.group("value"),
+                )
+            )
+        line_idx += 1
+    return items
+
+
+def find_md_bash_blocks(lines: list[str]) -> list[MdBashBlock]:
+    """Return ``` ```bash ``` fenced code blocks in document order."""
+    blocks: list[MdBashBlock] = []
+    line_idx = 0
+    while line_idx < len(lines):
+        open_match = MD_BASH_OPEN_RE.match(lines[line_idx])
+        if not open_match:
+            line_idx += 1
+            continue
+        body_start = line_idx + 1
+        close_idx = next(
+            (
+                j
+                for j in range(body_start, len(lines))
+                if MD_FENCE_CLOSE_RE.match(lines[j])
+            ),
+            None,
+        )
+        if close_idx is None:
+            line_idx = body_start
+            continue
+        body = lines[body_start:close_idx]
+        non_blank = [b for b in body if b.strip()]
+        body_indent = (
+            min(len(b) - len(b.lstrip(" ")) for b in non_blank)
+            if non_blank
+            else len(open_match.group("indent"))
+        )
+        blocks.append(
+            MdBashBlock(
+                open_line_idx=line_idx,
+                body_start=body_start,
+                body_end=close_idx,
+                body_indent=body_indent,
+            )
+        )
+        line_idx = close_idx + 1
+    return blocks
+
+
+def dedent(lines: list[str], n: int) -> list[str]:
+    pad = " " * n
+    return [
+        (
+            ""
+            if line.strip() == ""
+            else (line[n:] if line.startswith(pad) else line.lstrip(" "))
+        )
+        for line in lines
+    ]
+
+
+def reindent(lines: list[str], n: int) -> list[str]:
+    pad = " " * n
+    return [pad + line if line else "" for line in lines]
+
+
+_SHFMT_ERR_RE = re.compile(r"\.sh:\d+:\d+:\s")
+_GHA_EXPR_RE = re.compile(r"\$\{\{.*?\}\}", re.DOTALL)
+_GHA_PLACEHOLDER_RE = re.compile(r"__GHA_EXPR_(\d+)__")
+
+
+def _encode_gha_exprs(text: str) -> tuple[str, list[str]]:
+    """Replace `${{ ... }}` expressions with bash-safe placeholder identifiers."""
+    exprs: list[str] = []
+
+    def repl(match: re.Match[str]) -> str:
+        exprs.append(match.group(0))
+        return f"__GHA_EXPR_{len(exprs) - 1}__"
+
+    return _GHA_EXPR_RE.sub(repl, text), exprs
+
+
+def _decode_gha_exprs(text: str, exprs: list[str]) -> str:
+    """Restore `${{ ... }}` expressions from placeholder identifiers."""
+    return _GHA_PLACEHOLDER_RE.sub(lambda m: exprs[int(m.group(1))], text)
+
+
+def shfmt_via_hook(tmp_path: Path) -> tuple[bool, str]:
+    # `${{ ... }}` is not valid shell, so swap it for a placeholder identifier
+    # that shfmt can parse, then restore it after formatting.
+    encoded, exprs = _encode_gha_exprs(tmp_path.read_text())
+    if exprs:
+        tmp_path.write_text(encoded)
+    res = subprocess.run(
+        [_HOOK_RUNNER, "run", "shfmt", "--files", str(tmp_path)],
+        cwd=REPO,
+        capture_output=True,
+        text=True,
+    )
+    output = res.stdout + res.stderr
+    # shfmt emits parse errors as "<path>:<line>:<col>: <message>".
+    parse_err = bool(_SHFMT_ERR_RE.search(output))
+    # A non-zero exit that is neither a parse error nor pre-commit's "I had
+    # to modify files" signal means the hook itself failed to run (missing
+    # binary, install failure, bad config, ...). Surface that loudly rather
+    # than silently treating it as a no-op.
+    if (
+        res.returncode != 0
+        and not parse_err
+        and "files were modified by this hook" not in output
+    ):
+        sys.exit(
+            f"error: `{_HOOK_RUNNER} run shfmt` failed with exit {res.returncode}:\n{output}"
+        )
+    if exprs and not parse_err:
+        tmp_path.write_text(_decode_gha_exprs(tmp_path.read_text(), exprs))
+    return not parse_err, output
+
+
+def _skip(path: Path, where: int, kind: str, output: str) -> None:
+    print(
+        f"  shfmt could not parse {kind} at {path}:{where + 1} — skipped",
+        file=sys.stderr,
+    )
+    print(f"    {output.strip()}", file=sys.stderr)
+
+
+def process_yaml_file(path: Path, tmp_path: Path) -> int:
+    text = path.read_text()
+    had_nl = text.endswith("\n")
+    lines = text.split("\n")
+    if had_nl:
+        lines = lines[:-1]
+    items = find_run_blocks(lines)
+    if not items:
+        return 0
+    changed = 0
+    # Process in reverse so earlier indices remain valid as we splice.
+    for item in reversed(items):
+        if isinstance(item, BlockRun):
+            body = lines[item.body_start : item.body_end]
+            tmp_path.write_text("\n".join(dedent(body, item.body_indent)) + "\n")
+            ok, output = shfmt_via_hook(tmp_path)
+            if not ok:
+                _skip(path, item.body_start, "block", output)
+                continue
+            formatted = tmp_path.read_text().rstrip("\n")
+            new_body = reindent(formatted.split("\n"), item.body_indent)
+            if new_body != body:
+                lines[item.body_start : item.body_end] = new_body
+                changed += 1
+        else:
+            tmp_path.write_text(item.value + "\n")
+            ok, output = shfmt_via_hook(tmp_path)
+            if not ok:
+                _skip(path, item.line_idx, "inline run", output)
+                continue
+            formatted = tmp_path.read_text().rstrip("\n")
+            if formatted == item.value:
+                continue
+            formatted_lines = formatted.split("\n")
+            if len(formatted_lines) == 1:
+                lines[item.line_idx] = f"{item.prefix}run: {formatted}"
+            else:
+                body_indent = len(item.prefix) + 2
+                lines[item.line_idx : item.line_idx + 1] = [
+                    f"{item.prefix}run: |",
+                    *reindent(formatted_lines, body_indent),
+                ]
+            changed += 1
+    new_text = "\n".join(lines) + ("\n" if had_nl else "")
+    if new_text != text:
+        path.write_text(new_text)
+    return changed
+
+
+def process_md_file(path: Path, tmp_path: Path) -> int:
+    text = path.read_text()
+    had_nl = text.endswith("\n")
+    lines = text.split("\n")
+    if had_nl:
+        lines = lines[:-1]
+    blocks = find_md_bash_blocks(lines)
+    if not blocks:
+        return 0
+    changed = 0
+    for block in reversed(blocks):
+        body = lines[block.body_start : block.body_end]
+        tmp_path.write_text("\n".join(dedent(body, block.body_indent)) + "\n")
+        ok, output = shfmt_via_hook(tmp_path)
+        if not ok:
+            _skip(path, block.open_line_idx, "```bash block", output)
+            continue
+        formatted = tmp_path.read_text().rstrip("\n")
+        formatted_lines = formatted.split("\n") if formatted else []
+        new_body = reindent(formatted_lines, block.body_indent)
+        if new_body != body:
+            lines[block.body_start : block.body_end] = new_body
+            changed += 1
+    new_text = "\n".join(lines) + ("\n" if had_nl else "")
+    if new_text != text:
+        path.write_text(new_text)
+    return changed
+
+
+def process_file(path: Path, tmp_path: Path) -> int:
+    if path.suffix in (".yml", ".yaml"):
+        return process_yaml_file(path, tmp_path)
+    if path.suffix == ".md":
+        return process_md_file(path, tmp_path)
+    return 0
+
+
+def gather_files(argv: list[str]) -> list[Path]:
+    """Return YAML workflow/action files and markdown files that we should
+    process — either the paths in `argv` or, when `argv` is empty, every
+    such file in the repo (skipping `external/`)."""
+    if argv:
+        candidates: list[Path] = [
+            (REPO / a).resolve() if not Path(a).is_absolute() else Path(a) for a in argv
+        ]
+    else:
+        gh = REPO / ".github"
+        candidates = [
+            *gh.rglob("*.yml"),
+            *gh.rglob("*.yaml"),
+            *(
+                p
+                for p in REPO.rglob("*.md")
+                if "external" not in p.relative_to(REPO).parts
+            ),
+        ]
+    return sorted(
+        p
+        for p in candidates
+        if p.exists()
+        and (
+            (p.suffix in (".yml", ".yaml") and ".github" in p.parts)
+            or p.suffix == ".md"
+        )
+    )
+
+
+def main(argv: list[str]) -> int:
+    files = gather_files(argv)
+    if not files:
+        return 0
+    with tempfile.TemporaryDirectory(prefix="format-inline-bash-") as tmpdir:
+        tmp_path = Path(tmpdir) / "shfmt.sh"
+        total = 0
+        for f in files:
+            n = process_file(f, tmp_path)
+            if n:
+                print(f"{f.relative_to(REPO)}: reformatted {n} block(s)")
+                total += n
+        return 1 if total else 0
+
+
+if __name__ == "__main__":
+    sys.exit(main(sys.argv[1:]))
--- a/.github/scripts/levelization/README.md
+++ b/.github/scripts/levelization/README.md
@@ -1,14 +1,14 @@
 # Levelization

-Levelization is the term used to describe efforts to prevent rippled from
+Levelization is the term used to describe efforts to prevent xrpld from
 having or creating cyclic dependencies.

-rippled code is organized into directories under `src/xrpld`, `src/libxrpl` (and
+xrpld code is organized into directories under `src/xrpld`, `src/libxrpl` (and
 `src/test`) representing modules. The modules are intended to be
 organized into "tiers" or "levels" such that a module from one level can
 only include code from lower levels. Additionally, a module
 in one level should never include code in an `impl` or `detail` folder of any level
-other than it's own.
+other than its own.

 The codebase is split into two main areas:

@@ -22,7 +22,7 @@ levelization violations they find (by moving files or individual
 classes). At the very least, don't make things worse.

 The table below summarizes the _desired_ division of modules, based on the current
-state of the rippled code. The levels are numbered from
+state of the xrpld code. The levels are numbered from
 the bottom up with the lower level, lower numbered, more independent
 modules listed first, and the higher level, higher numbered modules with
 more dependencies listed later.
@@ -70,12 +70,12 @@ that `test` code should _never_ be included in `xrpl` or `xrpld` code.)

 ## Validation

-The [levelization](generate.sh) script takes no parameters,
+The [levelization](generate.py) script takes no parameters,
 reads no environment variables, and can be run from any directory,
-as long as it is in the expected location in the rippled repo.
+as long as it is in the expected location in the xrpld repo.
 It can be run at any time from within a checked out repo, and will
 do an analysis of all the `#include`s in
-the rippled source. The only caveat is that it runs much slower
+the xrpld source. The only caveat is that it runs much slower
 under Windows than in Linux. It hasn't yet been tested under MacOS.
 It generates many files of [results](results):

@@ -104,7 +104,7 @@ It generates many files of [results](results):
  Github Actions workflow to test that levelization loops haven't
  changed. Unfortunately, if changes are detected, it can't tell if
  they are improvements or not, so if you have resolved any issues or
-  done anything else to improve levelization, run `levelization.sh`,
+  done anything else to improve levelization, run `generate.py`,
  and commit the updated results.

 The `loops.txt` and `ordering.txt` files relate the modules
@@ -128,7 +128,7 @@ The committed files hide the detailed values intentionally, to
 prevent false alarms and merging issues, and because it's easy to
 get those details locally.

-1. Run `levelization.sh`
+1. Run `generate.py`
 2. Grep the modules in `paths.txt`.
   - For example, if a cycle is found `A ~= B`, simply `grep -w
 A .github/scripts/levelization/results/paths.txt | grep -w B`
--- a/.github/scripts/levelization/generate.py
+++ b/.github/scripts/levelization/generate.py
@@ -0,0 +1,335 @@
+#!/usr/bin/env python3
+
+"""
+Usage: generate.py
+This script takes no parameters, and can be called from any directory in the file system.
+"""
+
+import os
+import re
+import subprocess
+import sys
+from collections import defaultdict
+from pathlib import Path
+from typing import Dict, List, Tuple, Set, Optional
+
+# Compile regex patterns once at module level
+INCLUDE_PATTERN = re.compile(r"^\s*#include.*/.*\.h")
+INCLUDE_PATH_PATTERN = re.compile(r'[<"]([^>"]+)[>"]')
+
+
+def dictionary_sort_key(s: str) -> str:
+    """
+    Create a sort key that mimics 'sort -d' (dictionary order).
+    Dictionary order only considers blanks and alphanumeric characters.
+    This means punctuation like '.' is ignored during sorting.
+    """
+    # Keep only alphanumeric characters and spaces
+    return "".join(c for c in s if c.isalnum() or c.isspace())
+
+
+def get_level(file_path: str) -> str:
+    """
+    Extract the level from a file path (second and third directory components).
+    Equivalent to bash: cut -d/ -f 2,3
+
+    Examples:
+        src/xrpld/app/main.cpp -> xrpld.app
+        src/libxrpl/protocol/STObject.cpp -> libxrpl.protocol
+        include/xrpl/basics/base_uint.h -> xrpl.basics
+    """
+    parts = file_path.split("/")
+
+    # Get fields 2 and 3 (indices 1 and 2 in 0-based indexing)
+    if len(parts) >= 3:
+        level = f"{parts[1]}/{parts[2]}"
+    elif len(parts) >= 2:
+        level = f"{parts[1]}/toplevel"
+    else:
+        level = file_path
+
+    # If the "level" indicates a file, cut off the filename
+    if "." in level.split("/")[-1]:  # Avoid Path object creation
+        # Use the "toplevel" label as a workaround for `sort`
+        # inconsistencies between different utility versions
+        level = level.rsplit("/", 1)[0] + "/toplevel"
+
+    return level.replace("/", ".")
+
+
+def extract_include_level(include_line: str) -> Optional[str]:
+    """
+    Extract the include path from an #include directive.
+    Gets the first two directory components from the include path.
+    Equivalent to bash: cut -d/ -f 1,2
+
+    Examples:
+        #include <xrpl/basics/base_uint.h> -> xrpl.basics
+        #include "xrpld/app/main/Application.h" -> xrpld.app
+    """
+    # Remove everything before the quote or angle bracket
+    match = INCLUDE_PATH_PATTERN.search(include_line)
+    if not match:
+        return None
+
+    include_path = match.group(1)
+    parts = include_path.split("/")
+
+    # Get first two fields (indices 0 and 1)
+    if len(parts) >= 2:
+        include_level = f"{parts[0]}/{parts[1]}"
+    else:
+        include_level = include_path
+
+    # If the "includelevel" indicates a file, cut off the filename
+    if "." in include_level.split("/")[-1]:  # Avoid Path object creation
+        include_level = include_level.rsplit("/", 1)[0] + "/toplevel"
+
+    return include_level.replace("/", ".")
+
+
+def find_repository_directories(
+    start_path: Path, depth_limit: int = 10
+) -> Tuple[Path, List[Path]]:
+    """
+    Find the repository root by looking for src or include folders.
+    Walks up the directory tree from the start path.
+    """
+    current = start_path.resolve()
+
+    # Walk up the directory tree
+    for _ in range(depth_limit):  # Limit search depth to prevent infinite loops
+        src_path = current / "src"
+        include_path = current / "include"
+        # Check if this directory has src or include folders
+        has_src = src_path.exists()
+        has_include = include_path.exists()
+
+        if has_src or has_include:
+            return current, [src_path, include_path]
+
+        # Move up one level
+        parent = current.parent
+        if parent == current:  # Reached filesystem root
+            break
+        current = parent
+
+    # If we couldn't find it, raise an error
+    raise RuntimeError(
+        "Could not find repository root. "
+        "Expected to find a directory containing 'src' and/or 'include' folders."
+    )
+
+
+def main():
+    # Change to the script's directory
+    script_dir = Path(__file__).parent.resolve()
+    os.chdir(script_dir)
+
+    # Clean up and create results directory.
+    results_dir = script_dir / "results"
+    if results_dir.exists():
+        import shutil
+
+        shutil.rmtree(results_dir)
+    results_dir.mkdir()
+
+    # Find the repository root by searching for src and include directories.
+    try:
+        repo_root, scan_dirs = find_repository_directories(script_dir)
+
+        print(f"Found repository root: {repo_root}")
+        print(f"Scanning directories:")
+        for scan_dir in scan_dirs:
+            print(f"  - {scan_dir.relative_to(repo_root)}")
+    except RuntimeError as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    print("\nScanning for raw includes...")
+    # Find all #include directives
+    raw_includes: List[Tuple[str, str]] = []
+    rawincludes_file = results_dir / "rawincludes.txt"
+
+    # Write to file as we go to avoid storing everything in memory.
+    with open(rawincludes_file, "w", buffering=8192) as raw_f:
+        for dir_path in scan_dirs:
+            print(f"  Scanning {dir_path.relative_to(repo_root)}...")
+
+            for file_path in dir_path.rglob("*"):
+                if not file_path.is_file():
+                    continue
+
+                try:
+                    rel_path_str = str(file_path.relative_to(repo_root))
+
+                    # Read file with a large buffer for performance.
+                    with open(
+                        file_path,
+                        "r",
+                        encoding="utf-8",
+                        errors="ignore",
+                        buffering=8192,
+                    ) as f:
+                        for line in f:
+                            # Quick check before regex
+                            if "#include" not in line or "boost" in line:
+                                continue
+
+                            if INCLUDE_PATTERN.match(line):
+                                line_stripped = line.strip()
+                                entry = f"{rel_path_str}:{line_stripped}\n"
+                                print(entry, end="")
+                                raw_f.write(entry)
+                                raw_includes.append((rel_path_str, line_stripped))
+                except Exception as e:
+                    print(f"Error reading {file_path}: {e}", file=sys.stderr)
+
+    # Build levelization paths and count directly (no need to sort first).
+    print("Build levelization paths")
+    path_counts: Dict[Tuple[str, str], int] = defaultdict(int)
+
+    for file_path, include_line in raw_includes:
+        include_level = extract_include_level(include_line)
+        if not include_level:
+            continue
+
+        level = get_level(file_path)
+        if level != include_level:
+            path_counts[(level, include_level)] += 1
+
+    # Sort and deduplicate paths (using dictionary order like bash 'sort -d').
+    print("Sort and deduplicate paths")
+
+    paths_file = results_dir / "paths.txt"
+    with open(paths_file, "w") as f:
+        # Sort using dictionary order: only alphanumeric and spaces matter
+        sorted_items = sorted(
+            path_counts.items(),
+            key=lambda x: (dictionary_sort_key(x[0][0]), dictionary_sort_key(x[0][1])),
+        )
+        for (level, include_level), count in sorted_items:
+            line = f"{count:7} {level} {include_level}\n"
+            print(line.rstrip())
+            f.write(line)
+
+    # Split into flat-file database
+    print("Split into flat-file database")
+    includes_dir = results_dir / "includes"
+    included_by_dir = results_dir / "included_by"
+    includes_dir.mkdir()
+    included_by_dir.mkdir()
+
+    # Batch writes by grouping data first to avoid repeated file opens.
+    includes_data: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
+    included_by_data: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
+
+    # Process in sorted order to match bash script behaviour (dictionary order).
+    sorted_items = sorted(
+        path_counts.items(),
+        key=lambda x: (dictionary_sort_key(x[0][0]), dictionary_sort_key(x[0][1])),
+    )
+    for (level, include_level), count in sorted_items:
+        includes_data[level].append((include_level, count))
+        included_by_data[include_level].append((level, count))
+
+    # Write all includes files in sorted order (dictionary order).
+    for level in sorted(includes_data.keys(), key=dictionary_sort_key):
+        entries = includes_data[level]
+        with open(includes_dir / level, "w") as f:
+            for include_level, count in entries:
+                line = f"{include_level} {count}\n"
+                print(line.rstrip())
+                f.write(line)
+
+    # Write all included_by files in sorted order (dictionary order).
+    for include_level in sorted(included_by_data.keys(), key=dictionary_sort_key):
+        entries = included_by_data[include_level]
+        with open(included_by_dir / include_level, "w") as f:
+            for level, count in entries:
+                line = f"{level} {count}\n"
+                print(line.rstrip())
+                f.write(line)
+
+    # Search for loops
+    print("Search for loops")
+    loops_file = results_dir / "loops.txt"
+    ordering_file = results_dir / "ordering.txt"
+
+    loops_found: Set[Tuple[str, str]] = set()
+
+    # Pre-load all include files into memory to avoid repeated I/O.
+    # This is the biggest optimisation - we were reading files repeatedly in nested loops.
+    # Use list of tuples to preserve file order.
+    includes_cache: Dict[str, List[Tuple[str, int]]] = {}
+    includes_lookup: Dict[str, Dict[str, int]] = {}  # For fast lookup
+
+    # Note: bash script uses 'for source in *' which uses standard glob sorting,
+    # NOT dictionary order. So we use standard sorted() here, not dictionary_sort_key.
+    for include_file in sorted(includes_dir.iterdir(), key=lambda p: p.name):
+        if not include_file.is_file():
+            continue
+
+        includes_cache[include_file.name] = []
+        includes_lookup[include_file.name] = {}
+        with open(include_file, "r") as f:
+            for line in f:
+                parts = line.strip().split()
+                if len(parts) >= 2:
+                    include_name = parts[0]
+                    include_count = int(parts[1])
+                    includes_cache[include_file.name].append(
+                        (include_name, include_count)
+                    )
+                    includes_lookup[include_file.name][include_name] = include_count
+
+    with open(loops_file, "w", buffering=8192) as loops_f, open(
+        ordering_file, "w", buffering=8192
+    ) as ordering_f:
+
+        # Use standard sorting to match bash glob expansion 'for source in *'.
+        for source in sorted(includes_cache.keys()):
+            source_includes = includes_cache[source]
+
+            for include, include_freq in source_includes:
+                # Check if include file exists and references source
+                if include not in includes_lookup:
+                    continue
+
+                source_freq = includes_lookup[include].get(source)
+
+                if source_freq is not None:
+                    # Found a loop
+                    loop_key = tuple(sorted([source, include]))
+                    if loop_key in loops_found:
+                        continue
+                    loops_found.add(loop_key)
+
+                    loops_f.write(f"Loop: {source} {include}\n")
+
+                    # If the counts are close, indicate that the two modules are
+                    # on the same level, though they shouldn't be.
+                    diff = include_freq - source_freq
+                    if diff > 3:
+                        loops_f.write(f"  {source} > {include}\n\n")
+                    elif diff < -3:
+                        loops_f.write(f"  {include} > {source}\n\n")
+                    elif source_freq == include_freq:
+                        loops_f.write(f"  {include} == {source}\n\n")
+                    else:
+                        loops_f.write(f"  {include} ~= {source}\n\n")
+                else:
+                    ordering_f.write(f"{source} > {include}\n")
+
+    # Print results
+    print("\nOrdering:")
+    with open(ordering_file, "r") as f:
+        print(f.read(), end="")
+
+    print("\nLoops:")
+    with open(loops_file, "r") as f:
+        print(f.read(), end="")
+
+
+if __name__ == "__main__":
+    main()
--- a/.github/scripts/levelization/generate.sh
+++ b/.github/scripts/levelization/generate.sh
@@ -1,130 +0,0 @@
-#!/bin/bash
-
-# Usage: generate.sh
-# This script takes no parameters, reads no environment variables,
-# and can be run from any directory, as long as it is in the expected
-# location in the repo.
-
-pushd $( dirname $0 )
-
-if [ -v PS1 ]
-then
-  # if the shell is interactive, clean up any flotsam before analyzing
-  git clean -ix
-fi
-
-# Ensure all sorting is ASCII-order consistently across platforms.
-export LANG=C
-
-rm -rfv results
-mkdir results
-includes="$( pwd )/results/rawincludes.txt"
-pushd ../../..
-echo Raw includes:
-grep -r '^[ ]*#include.*/.*\.h' include src | \
-    grep -v boost | tee ${includes}
-popd
-pushd results
-
-oldifs=${IFS}
-IFS=:
-mkdir includes
-mkdir included_by
-echo Build levelization paths
-exec 3< ${includes} # open rawincludes.txt for input
-while read -r -u 3 file include
-do
-    level=$( echo ${file} | cut -d/ -f 2,3 )
-    # If the "level" indicates a file, cut off the filename
-    if [[ "${level##*.}" != "${level}" ]]
-    then
-        # Use the "toplevel" label as a workaround for `sort`
-        # inconsistencies between different utility versions
-        level="$( dirname ${level} )/toplevel"
-    fi
-    level=$( echo ${level} | tr '/' '.' )
-
-    includelevel=$( echo ${include} | sed 's/.*["<]//; s/[">].*//' | \
-        cut -d/ -f 1,2 )
-    if [[ "${includelevel##*.}" != "${includelevel}" ]]
-    then
-        # Use the "toplevel" label as a workaround for `sort`
-        # inconsistencies between different utility versions
-        includelevel="$( dirname ${includelevel} )/toplevel"
-    fi
-    includelevel=$( echo ${includelevel} | tr '/' '.' )
-
-    if [[ "$level" != "$includelevel" ]]
-    then
-        echo $level $includelevel | tee -a paths.txt
-    fi
-done
-echo Sort and deduplicate paths
-sort -ds paths.txt | uniq -c | tee sortedpaths.txt
-mv sortedpaths.txt paths.txt
-exec 3>&- #close fd 3
-IFS=${oldifs}
-unset oldifs
-
-echo Split into flat-file database
-exec 4<paths.txt # open paths.txt for input
-while read -r -u 4 count level include
-do
-    echo ${include} ${count} | tee -a includes/${level}
-    echo ${level} ${count} | tee -a included_by/${include}
-done
-exec 4>&- #close fd 4
-
-loops="$( pwd )/loops.txt"
-ordering="$( pwd )/ordering.txt"
-pushd includes
-echo Search for loops
-# Redirect stdout to a file
-exec 4>&1
-exec 1>"${loops}"
-for source in *
-do
-  if [[ -f "$source" ]]
-  then
-    exec 5<"${source}" # open for input
-    while read -r -u 5 include includefreq
-    do
-      if [[ -f $include ]]
-      then
-        if grep -q -w $source $include
-        then
-          if grep -q -w "Loop: $include $source" "${loops}"
-          then
-            continue
-          fi
-          sourcefreq=$( grep -w $source $include | cut -d\  -f2 )
-          echo "Loop: $source $include"
-          # If the counts are close, indicate that the two modules are
-          # on the same level, though they shouldn't be
-          if [[ $(( $includefreq - $sourcefreq )) -gt 3 ]]
-          then
-              echo -e "  $source > $include\n"
-          elif [[ $(( $sourcefreq - $includefreq )) -gt 3 ]]
-          then
-              echo -e "  $include > $source\n"
-          elif [[ $sourcefreq -eq $includefreq ]]
-          then
-              echo -e "  $include == $source\n"
-          else
-              echo -e "  $include ~= $source\n"
-          fi
-        else
-          echo "$source > $include" >> "${ordering}"
-        fi
-      fi
-    done
-    exec 5>&- #close fd 5
-  fi
-done
-exec 1>&4 #close fd 1
-exec 4>&- #close fd 4
-cat "${ordering}"
-cat "${loops}"
-popd
-popd
-popd
--- a/.github/scripts/levelization/results/loops.txt
+++ b/.github/scripts/levelization/results/loops.txt
@@ -2,19 +2,19 @@ Loop: test.jtx test.toplevel
  test.toplevel > test.jtx

 Loop: test.jtx test.unit_test
-  test.unit_test == test.jtx
+  test.unit_test ~= test.jtx

 Loop: xrpld.app xrpld.overlay
-  xrpld.overlay ~= xrpld.app
+  xrpld.app > xrpld.overlay

 Loop: xrpld.app xrpld.peerfinder
-  xrpld.peerfinder == xrpld.app
+  xrpld.peerfinder ~= xrpld.app

 Loop: xrpld.app xrpld.rpc
  xrpld.rpc > xrpld.app

 Loop: xrpld.app xrpld.shamap
-  xrpld.shamap ~= xrpld.app
+  xrpld.shamap > xrpld.app

 Loop: xrpld.overlay xrpld.rpc
  xrpld.rpc ~= xrpld.overlay
--- a/.github/scripts/levelization/results/ordering.txt
+++ b/.github/scripts/levelization/results/ordering.txt
@@ -3,13 +3,17 @@ libxrpl.conditions > xrpl.basics
 libxrpl.conditions > xrpl.conditions
 libxrpl.core > xrpl.basics
 libxrpl.core > xrpl.core
+libxrpl.core > xrpl.json
 libxrpl.crypto > xrpl.basics
 libxrpl.json > xrpl.basics
 libxrpl.json > xrpl.json
 libxrpl.ledger > xrpl.basics
 libxrpl.ledger > xrpl.json
 libxrpl.ledger > xrpl.ledger
+libxrpl.ledger > xrpl.nodestore
 libxrpl.ledger > xrpl.protocol
+libxrpl.ledger > xrpl.server
+libxrpl.ledger > xrpl.shamap
 libxrpl.net > xrpl.basics
 libxrpl.net > xrpl.net
 libxrpl.nodestore > xrpl.basics
@@ -20,16 +24,21 @@ libxrpl.protocol > xrpl.basics
 libxrpl.protocol > xrpl.json
 libxrpl.protocol > xrpl.protocol
 libxrpl.rdb > xrpl.basics
+libxrpl.rdb > xrpl.core
 libxrpl.rdb > xrpl.rdb
 libxrpl.resource > xrpl.basics
 libxrpl.resource > xrpl.json
+libxrpl.resource > xrpl.protocol
 libxrpl.resource > xrpl.resource
 libxrpl.server > xrpl.basics
+libxrpl.server > xrpl.core
 libxrpl.server > xrpl.json
 libxrpl.server > xrpl.protocol
 libxrpl.server > xrpl.rdb
+libxrpl.server > xrpl.resource
 libxrpl.server > xrpl.server
 libxrpl.shamap > xrpl.basics
+libxrpl.shamap > xrpl.nodestore
 libxrpl.shamap > xrpl.protocol
 libxrpl.shamap > xrpl.shamap
 libxrpl.tx > xrpl.basics
@@ -41,12 +50,11 @@ libxrpl.tx > xrpl.protocol
 libxrpl.tx > xrpl.server
 libxrpl.tx > xrpl.tx
 test.app > test.jtx
-test.app > test.rpc
-test.app > test.toplevel
 test.app > test.unit_test
 test.app > xrpl.basics
 test.app > xrpl.core
 test.app > xrpld.app
+test.app > xrpld.consensus
 test.app > xrpld.core
 test.app > xrpld.overlay
 test.app > xrpld.rpc
@@ -54,9 +62,9 @@ test.app > xrpl.json
 test.app > xrpl.ledger
 test.app > xrpl.nodestore
 test.app > xrpl.protocol
-test.app > xrpl.rdb
 test.app > xrpl.resource
 test.app > xrpl.server
+test.app > xrpl.shamap
 test.app > xrpl.tx
 test.basics > test.jtx
 test.basics > test.unit_test
@@ -69,26 +77,29 @@ test.beast > xrpl.basics
 test.conditions > xrpl.basics
 test.conditions > xrpl.conditions
 test.consensus > test.csf
+test.consensus > test.jtx
 test.consensus > test.toplevel
 test.consensus > test.unit_test
 test.consensus > xrpl.basics
 test.consensus > xrpld.app
 test.consensus > xrpld.consensus
-test.consensus > xrpl.json
 test.consensus > xrpl.ledger
+test.consensus > xrpl.protocol
+test.consensus > xrpl.shamap
 test.consensus > xrpl.tx
 test.core > test.jtx
-test.core > test.toplevel
 test.core > test.unit_test
 test.core > xrpl.basics
 test.core > xrpl.core
 test.core > xrpld.core
 test.core > xrpl.json
+test.core > xrpl.protocol
 test.core > xrpl.rdb
 test.core > xrpl.server
 test.csf > xrpl.basics
 test.csf > xrpld.consensus
 test.csf > xrpl.json
+test.csf > xrpl.ledger
 test.csf > xrpl.protocol
 test.json > test.jtx
 test.json > xrpl.json
@@ -105,27 +116,32 @@ test.jtx > xrpl.resource
 test.jtx > xrpl.server
 test.jtx > xrpl.tx
 test.ledger > test.jtx
-test.ledger > test.toplevel
 test.ledger > xrpl.basics
+test.ledger > xrpl.core
 test.ledger > xrpld.app
 test.ledger > xrpld.core
+test.ledger > xrpl.json
 test.ledger > xrpl.ledger
 test.ledger > xrpl.protocol
 test.nodestore > test.jtx
-test.nodestore > test.toplevel
 test.nodestore > test.unit_test
 test.nodestore > xrpl.basics
+test.nodestore > xrpld.core
 test.nodestore > xrpl.nodestore
+test.nodestore > xrpl.protocol
 test.nodestore > xrpl.rdb
 test.overlay > test.jtx
-test.overlay > test.toplevel
 test.overlay > test.unit_test
 test.overlay > xrpl.basics
 test.overlay > xrpld.app
+test.overlay > xrpld.core
 test.overlay > xrpld.overlay
 test.overlay > xrpld.peerfinder
+test.overlay > xrpl.json
 test.overlay > xrpl.nodestore
 test.overlay > xrpl.protocol
+test.overlay > xrpl.resource
+test.overlay > xrpl.server
 test.overlay > xrpl.shamap
 test.peerfinder > test.beast
 test.peerfinder > test.unit_test
@@ -133,7 +149,8 @@ test.peerfinder > xrpl.basics
 test.peerfinder > xrpld.core
 test.peerfinder > xrpld.peerfinder
 test.peerfinder > xrpl.protocol
-test.protocol > test.toplevel
+test.protocol > test.jtx
+test.protocol > test.unit_test
 test.protocol > xrpl.basics
 test.protocol > xrpl.json
 test.protocol > xrpl.protocol
@@ -141,7 +158,6 @@ test.resource > test.unit_test
 test.resource > xrpl.basics
 test.resource > xrpl.resource
 test.rpc > test.jtx
-test.rpc > test.toplevel
 test.rpc > xrpl.basics
 test.rpc > xrpl.core
 test.rpc > xrpld.app
@@ -155,13 +171,12 @@ test.rpc > xrpl.resource
 test.rpc > xrpl.server
 test.rpc > xrpl.tx
 test.server > test.jtx
-test.server > test.toplevel
 test.server > test.unit_test
 test.server > xrpl.basics
 test.server > xrpld.app
 test.server > xrpld.core
-test.server > xrpld.rpc
 test.server > xrpl.json
+test.server > xrpl.protocol
 test.server > xrpl.server
 test.shamap > test.unit_test
 test.shamap > xrpl.basics
@@ -171,14 +186,22 @@ test.shamap > xrpl.shamap
 test.toplevel > test.csf
 test.toplevel > xrpl.json
 test.unit_test > xrpl.basics
+test.unit_test > xrpl.protocol
 tests.libxrpl > xrpl.basics
+tests.libxrpl > xrpl.core
 tests.libxrpl > xrpl.json
+tests.libxrpl > xrpl.ledger
 tests.libxrpl > xrpl.net
+tests.libxrpl > xrpl.nodestore
+tests.libxrpl > xrpl.protocol
+tests.libxrpl > xrpl.protocol_autogen
+tests.libxrpl > xrpl.server
+tests.libxrpl > xrpl.shamap
+tests.libxrpl > xrpl.tx
 xrpl.conditions > xrpl.basics
 xrpl.conditions > xrpl.protocol
 xrpl.core > xrpl.basics
 xrpl.core > xrpl.json
-xrpl.core > xrpl.ledger
 xrpl.core > xrpl.protocol
 xrpl.json > xrpl.basics
 xrpl.ledger > xrpl.basics
@@ -190,6 +213,8 @@ xrpl.nodestore > xrpl.basics
 xrpl.nodestore > xrpl.protocol
 xrpl.protocol > xrpl.basics
 xrpl.protocol > xrpl.json
+xrpl.protocol_autogen > xrpl.json
+xrpl.protocol_autogen > xrpl.protocol
 xrpl.rdb > xrpl.basics
 xrpl.rdb > xrpl.core
 xrpl.rdb > xrpl.protocol
@@ -227,22 +252,24 @@ xrpld.app > xrpl.shamap
 xrpld.app > xrpl.tx
 xrpld.consensus > xrpl.basics
 xrpld.consensus > xrpl.json
+xrpld.consensus > xrpl.ledger
 xrpld.consensus > xrpl.protocol
 xrpld.core > xrpl.basics
 xrpld.core > xrpl.core
-xrpld.core > xrpl.json
 xrpld.core > xrpl.net
 xrpld.core > xrpl.protocol
 xrpld.core > xrpl.rdb
 xrpld.overlay > xrpl.basics
 xrpld.overlay > xrpl.core
+xrpld.overlay > xrpld.consensus
 xrpld.overlay > xrpld.core
 xrpld.overlay > xrpld.peerfinder
 xrpld.overlay > xrpl.json
+xrpld.overlay > xrpl.ledger
 xrpld.overlay > xrpl.protocol
-xrpld.overlay > xrpl.rdb
 xrpld.overlay > xrpl.resource
 xrpld.overlay > xrpl.server
+xrpld.overlay > xrpl.shamap
 xrpld.overlay > xrpl.tx
 xrpld.peerfinder > xrpl.basics
 xrpld.peerfinder > xrpld.core
@@ -252,6 +279,7 @@ xrpld.perflog > xrpl.basics
 xrpld.perflog > xrpl.core
 xrpld.perflog > xrpld.rpc
 xrpld.perflog > xrpl.json
+xrpld.perflog > xrpl.protocol
 xrpld.rpc > xrpl.basics
 xrpld.rpc > xrpl.core
 xrpld.rpc > xrpld.core
@@ -263,5 +291,9 @@ xrpld.rpc > xrpl.protocol
 xrpld.rpc > xrpl.rdb
 xrpld.rpc > xrpl.resource
 xrpld.rpc > xrpl.server
+xrpld.rpc > xrpl.shamap
 xrpld.rpc > xrpl.tx
+xrpld.shamap > xrpl.basics
+xrpld.shamap > xrpld.core
+xrpld.shamap > xrpl.protocol
 xrpld.shamap > xrpl.shamap
--- a/.github/scripts/rename/README.md
+++ b/.github/scripts/rename/README.md
@@ -34,6 +34,8 @@ run from the repository root.
 6. `.github/scripts/rename/config.sh`: This script will rename the config from
   `rippled.cfg` to `xrpld.cfg`, and updating the code accordingly. The old
   filename will still be accepted.
+7. `.github/scripts/rename/docs.sh`: This script will rename any lingering
+   references of `ripple(d)` to `xrpl(d)` in code, comments, and documentation.

 You can run all these scripts from the repository root as follows:

@@ -44,4 +46,5 @@ You can run all these scripts from the repository root as follows:
 ./.github/scripts/rename/binary.sh .
 ./.github/scripts/rename/namespace.sh .
 ./.github/scripts/rename/config.sh .
+./.github/scripts/rename/docs.sh .
 ```
--- a/.github/scripts/rename/binary.sh
+++ b/.github/scripts/rename/binary.sh
@@ -6,11 +6,11 @@ set -e
 # On MacOS, ensure that GNU sed is installed and available as `gsed`.
 SED_COMMAND=sed
 if [[ "${OSTYPE}" == 'darwin'* ]]; then
-  if ! command -v gsed &> /dev/null; then
-      echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
-      exit 1
-  fi
-  SED_COMMAND=gsed
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
 fi

 # This script changes the binary name from `rippled` to `xrpld`, and reverses
@@ -29,7 +29,7 @@ if [ ! -d "${DIRECTORY}" ]; then
    echo "Error: Directory '${DIRECTORY}' does not exist."
    exit 1
 fi
-pushd ${DIRECTORY}
+pushd "${DIRECTORY}"

 # Remove the binary name override added by the cmake.sh script.
 ${SED_COMMAND} -z -i -E 's@\s+# For the time being.+"rippled"\)@@' cmake/XrplCore.cmake
@@ -49,6 +49,7 @@ ${SED_COMMAND} -i -E 's@ripple/xrpld@XRPLF/rippled@g' BUILD.md
 ${SED_COMMAND} -i -E 's@XRPLF/xrpld@XRPLF/rippled@g' BUILD.md
 ${SED_COMMAND} -i -E 's@xrpld \(`xrpld`\)@xrpld@g' BUILD.md
 ${SED_COMMAND} -i -E 's@XRPLF/xrpld@XRPLF/rippled@g' CONTRIBUTING.md
+${SED_COMMAND} -i -E 's@XRPLF/xrpld@XRPLF/rippled@g' docs/build/install.md

 popd
 echo "Processing complete."
--- a/.github/scripts/rename/cmake.sh
+++ b/.github/scripts/rename/cmake.sh
@@ -8,16 +8,16 @@ set -e
 SED_COMMAND=sed
 HEAD_COMMAND=head
 if [[ "${OSTYPE}" == 'darwin'* ]]; then
-  if ! command -v gsed &> /dev/null; then
-      echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
-      exit 1
-  fi
-  SED_COMMAND=gsed
-  if ! command -v ghead &> /dev/null; then
-      echo "Error: ghead is not installed. Please install it using 'brew install coreutils'."
-      exit 1
-  fi
-  HEAD_COMMAND=ghead
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+    if ! command -v ghead &>/dev/null; then
+        echo "Error: ghead is not installed. Please install it using 'brew install coreutils'."
+        exit 1
+    fi
+    HEAD_COMMAND=ghead
 fi

 # This script renames CMake files from `RippleXXX.cmake` or `RippledXXX.cmake`
@@ -38,16 +38,16 @@ if [ ! -d "${DIRECTORY}" ]; then
    echo "Error: Directory '${DIRECTORY}' does not exist."
    exit 1
 fi
-pushd ${DIRECTORY}
+pushd "${DIRECTORY}"

 # Rename the files.
 find cmake -type f -name 'Rippled*.cmake' -exec bash -c 'mv "${1}" "${1/Rippled/Xrpl}"' - {} \;
 find cmake -type f -name 'Ripple*.cmake' -exec bash -c 'mv "${1}" "${1/Ripple/Xrpl}"' - {} \;
 if [ -e cmake/xrpl_add_test.cmake ]; then
-  mv cmake/xrpl_add_test.cmake cmake/XrplAddTest.cmake
+    mv cmake/xrpl_add_test.cmake cmake/XrplAddTest.cmake
 fi
 if [ -e include/xrpl/proto/ripple.proto ]; then
-  mv include/xrpl/proto/ripple.proto include/xrpl/proto/xrpl.proto
+    mv include/xrpl/proto/ripple.proto include/xrpl/proto/xrpl.proto
 fi

 # Rename inside the files.
@@ -71,14 +71,14 @@ ${SED_COMMAND} -i 's@xrpl/validator-keys-tool@ripple/validator-keys-tool@' cmake
 # Ensure the name of the binary and config remain 'rippled' for now.
 ${SED_COMMAND} -i -E 's/xrpld(-example)?\.cfg/rippled\1.cfg/g' cmake/XrplInstall.cmake
 if grep -q '"xrpld"' cmake/XrplCore.cmake; then
-  # The script has been rerun, so just restore the name of the binary.
-  ${SED_COMMAND} -i 's/"xrpld"/"rippled"/' cmake/XrplCore.cmake
+    # The script has been rerun, so just restore the name of the binary.
+    ${SED_COMMAND} -i 's/"xrpld"/"rippled"/' cmake/XrplCore.cmake
 elif ! grep -q '"rippled"' cmake/XrplCore.cmake; then
-  ${HEAD_COMMAND} -n -1 cmake/XrplCore.cmake > cmake.tmp
-  echo '  # For the time being, we will keep the name of the binary as it was.' >> cmake.tmp
-  echo '  set_target_properties(xrpld PROPERTIES OUTPUT_NAME "rippled")' >> cmake.tmp
-  tail -1 cmake/XrplCore.cmake >> cmake.tmp
-  mv cmake.tmp cmake/XrplCore.cmake
+    ${HEAD_COMMAND} -n -1 cmake/XrplCore.cmake >cmake.tmp
+    echo '  # For the time being, we will keep the name of the binary as it was.' >>cmake.tmp
+    echo '  set_target_properties(xrpld PROPERTIES OUTPUT_NAME "rippled")' >>cmake.tmp
+    tail -1 cmake/XrplCore.cmake >>cmake.tmp
+    mv cmake.tmp cmake/XrplCore.cmake
 fi

 # Restore the symlink from 'xrpld' to 'rippled'.
--- a/.github/scripts/rename/config.sh
+++ b/.github/scripts/rename/config.sh
@@ -6,11 +6,11 @@ set -e
 # On MacOS, ensure that GNU sed is installed and available as `gsed`.
 SED_COMMAND=sed
 if [[ "${OSTYPE}" == 'darwin'* ]]; then
-  if ! command -v gsed &> /dev/null; then
-      echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
-      exit 1
-  fi
-  SED_COMMAND=gsed
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
 fi

 # This script renames the config from `rippled.cfg` to `xrpld.cfg`, and updates
@@ -28,42 +28,41 @@ if [ ! -d "${DIRECTORY}" ]; then
    echo "Error: Directory '${DIRECTORY}' does not exist."
    exit 1
 fi
-pushd ${DIRECTORY}
+pushd "${DIRECTORY}"

 # Add the xrpld.cfg to the .gitignore.
 if ! grep -q 'xrpld.cfg' .gitignore; then
-  ${SED_COMMAND} -i '/rippled.cfg/a\
+    ${SED_COMMAND} -i '/rippled.cfg/a\
 /xrpld.cfg' .gitignore
 fi

 # Rename the files.
 if [ -e rippled.cfg ]; then
-  mv rippled.cfg xrpld.cfg
+    mv rippled.cfg xrpld.cfg
 fi
 if [ -e cfg/rippled-example.cfg ]; then
-  mv cfg/rippled-example.cfg cfg/xrpld-example.cfg
+    mv cfg/rippled-example.cfg cfg/xrpld-example.cfg
 fi

 # Rename inside the files.
 DIRECTORIES=("cfg" "cmake" "include" "src")
 for DIRECTORY in "${DIRECTORIES[@]}"; do
-  echo "Processing directory: ${DIRECTORY}"
+    echo "Processing directory: ${DIRECTORY}"

-  find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.cmake" -o -name "*.txt" -o -name "*.cfg" -o -name "*.md" \) | while read -r FILE; do
-      echo "Processing file: ${FILE}"
-      ${SED_COMMAND} -i -E 's/rippled(-example)?[ .]cfg/xrpld\1.cfg/g' "${FILE}"
-  done
+    find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.cmake" -o -name "*.txt" -o -name "*.cfg" -o -name "*.md" \) | while read -r FILE; do
+        echo "Processing file: ${FILE}"
+        ${SED_COMMAND} -i -E 's/rippled(-example)?[ .]cfg/xrpld\1.cfg/g' "${FILE}"
+        ${SED_COMMAND} -i 's/rippleConfig/xrpldConfig/g' "${FILE}"
+    done
 done
 ${SED_COMMAND} -i 's/rippled/xrpld/g' cfg/xrpld-example.cfg
 ${SED_COMMAND} -i 's/rippled/xrpld/g' src/test/core/Config_test.cpp
 ${SED_COMMAND} -i 's/ripplevalidators/xrplvalidators/g' src/test/core/Config_test.cpp # cspell: disable-line
-${SED_COMMAND} -i 's/rippleConfig/xrpldConfig/g' src/test/core/Config_test.cpp
 ${SED_COMMAND} -i 's@ripple/@xrpld/@g' src/test/core/Config_test.cpp
 ${SED_COMMAND} -i 's/Rippled/File/g' src/test/core/Config_test.cpp

-
 # Restore the old config file name in the code that maintains support for now.
-${SED_COMMAND} -i 's/configLegacyName = "xrpld.cfg"/configLegacyName = "rippled.cfg"/g' src/xrpld/core/detail/Config.cpp
+${SED_COMMAND} -i 's/kConfigLegacyName = "xrpld.cfg"/kConfigLegacyName = "rippled.cfg"/g' src/xrpld/core/detail/Config.cpp

 # Restore an URL.
 ${SED_COMMAND} -i 's/connect-your-xrpld-to-the-xrp-test-net.html/connect-your-rippled-to-the-xrp-test-net.html/g' cfg/xrpld-example.cfg
--- a/.github/scripts/rename/copyright.sh
+++ b/.github/scripts/rename/copyright.sh
@@ -6,11 +6,11 @@ set -e
 # On MacOS, ensure that GNU sed is installed and available as `gsed`.
 SED_COMMAND=sed
 if [[ "${OSTYPE}" == 'darwin'* ]]; then
-  if ! command -v gsed &> /dev/null; then
-      echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
-      exit 1
-  fi
-  SED_COMMAND=gsed
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
 fi

 # This script removes superfluous copyright notices in source and header files
@@ -31,7 +31,7 @@ if [ ! -d "${DIRECTORY}" ]; then
    echo "Error: Directory '${DIRECTORY}' does not exist."
    exit 1
 fi
-pushd ${DIRECTORY}
+pushd "${DIRECTORY}"

 # Prevent sed and echo from removing newlines and tabs in string literals by
 # temporarily replacing them with placeholders. This only affects one file.
@@ -43,56 +43,56 @@ ${SED_COMMAND} -i -E "s@\\\t@${PLACEHOLDER_TAB}@g" src/test/rpc/ValidatorInfo_te
 # Process the include/ and src/ directories.
 DIRECTORIES=("include" "src")
 for DIRECTORY in "${DIRECTORIES[@]}"; do
-  echo "Processing directory: ${DIRECTORY}"
+    echo "Processing directory: ${DIRECTORY}"

-  find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.macro" \) | while read -r FILE; do
-      echo "Processing file: ${FILE}"
-      # Handle the cases where the copyright notice is enclosed in /* ... */
-      # and usually surrounded by //---- and //======.
-      ${SED_COMMAND} -z -i -E 's@^//-------+\n+@@' "${FILE}"
-      ${SED_COMMAND} -z -i -E 's@^.*Copyright.+(Ripple|Bougalis|Falco|Hinnant|Null|Ritchford|XRPLF).+PERFORMANCE OF THIS SOFTWARE\.\n\*/\n+@@' "${FILE}" # cspell: ignore Bougalis Falco Hinnant Ritchford
-      ${SED_COMMAND} -z -i -E 's@^//=======+\n+@@' "${FILE}"
+    find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.macro" \) | while read -r FILE; do
+        echo "Processing file: ${FILE}"
+        # Handle the cases where the copyright notice is enclosed in /* ... */
+        # and usually surrounded by //---- and //======.
+        ${SED_COMMAND} -z -i -E 's@^//-------+\n+@@' "${FILE}"
+        ${SED_COMMAND} -z -i -E 's@^.*Copyright.+(Ripple|Bougalis|Falco|Hinnant|Null|Ritchford|XRPLF).+PERFORMANCE OF THIS SOFTWARE\.\n\*/\n+@@' "${FILE}" # cspell: ignore Bougalis Falco Hinnant Ritchford
+        ${SED_COMMAND} -z -i -E 's@^//=======+\n+@@' "${FILE}"

-      # Handle the cases where the copyright notice is commented out with //.
-      ${SED_COMMAND} -z -i -E 's@^//\n// Copyright.+Falco \(vinnie dot falco at gmail dot com\)\n//\n+@@' "${FILE}" # cspell: ignore Vinnie Falco
-  done
+        # Handle the cases where the copyright notice is commented out with //.
+        ${SED_COMMAND} -z -i -E 's@^//\n// Copyright.+Falco \(vinnie dot falco at gmail dot com\)\n//\n+@@' "${FILE}" # cspell: ignore Vinnie Falco
+    done
 done

 # Restore copyright notices that were removed from specific files, without
 # restoring the verbiage that is already present in LICENSE.md. Ensure that if
 # the script is run multiple times, duplicate notices are not added.
 if ! grep -q 'Raw Material Software' include/xrpl/beast/core/CurrentThreadName.h; then
-  echo -e "// Portions of this file are from JUCE (http://www.juce.com).\n// Copyright (c) 2013 - Raw Material Software Ltd.\n// Please visit http://www.juce.com\n\n$(cat include/xrpl/beast/core/CurrentThreadName.h)" > include/xrpl/beast/core/CurrentThreadName.h
+    echo -e "// Portions of this file are from JUCE (http://www.juce.com).\n// Copyright (c) 2013 - Raw Material Software Ltd.\n// Please visit http://www.juce.com\n\n$(cat include/xrpl/beast/core/CurrentThreadName.h)" >include/xrpl/beast/core/CurrentThreadName.h
 fi
 if ! grep -q 'Dev Null' src/test/app/NetworkID_test.cpp; then
-  echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/app/NetworkID_test.cpp)" > src/test/app/NetworkID_test.cpp
+    echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/app/NetworkID_test.cpp)" >src/test/app/NetworkID_test.cpp
 fi
 if ! grep -q 'Dev Null' src/test/app/tx/apply_test.cpp; then
-  echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/app/tx/apply_test.cpp)" > src/test/app/tx/apply_test.cpp
+    echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/app/tx/apply_test.cpp)" >src/test/app/tx/apply_test.cpp
 fi
 if ! grep -q 'Dev Null' src/test/rpc/ManifestRPC_test.cpp; then
-  echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/rpc/ManifestRPC_test.cpp)" > src/test/rpc/ManifestRPC_test.cpp
+    echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/rpc/ManifestRPC_test.cpp)" >src/test/rpc/ManifestRPC_test.cpp
 fi
 if ! grep -q 'Dev Null' src/test/rpc/ValidatorInfo_test.cpp; then
-  echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/rpc/ValidatorInfo_test.cpp)" > src/test/rpc/ValidatorInfo_test.cpp
+    echo -e "// Copyright (c) 2020 Dev Null Productions\n\n$(cat src/test/rpc/ValidatorInfo_test.cpp)" >src/test/rpc/ValidatorInfo_test.cpp
 fi
-if ! grep -q 'Dev Null' src/xrpld/rpc/handlers/DoManifest.cpp; then
-  echo -e "// Copyright (c) 2019 Dev Null Productions\n\n$(cat src/xrpld/rpc/handlers/DoManifest.cpp)" > src/xrpld/rpc/handlers/DoManifest.cpp
+if ! grep -q 'Dev Null' src/xrpld/rpc/handlers/server_info/Manifest.cpp; then
+    echo -e "// Copyright (c) 2019 Dev Null Productions\n\n$(cat src/xrpld/rpc/handlers/server_info/Manifest.cpp)" >src/xrpld/rpc/handlers/server_info/Manifest.cpp
 fi
-if ! grep -q 'Dev Null' src/xrpld/rpc/handlers/ValidatorInfo.cpp; then
-  echo -e "// Copyright (c) 2019 Dev Null Productions\n\n$(cat src/xrpld/rpc/handlers/ValidatorInfo.cpp)" > src/xrpld/rpc/handlers/ValidatorInfo.cpp
+if ! grep -q 'Dev Null' src/xrpld/rpc/handlers/admin/status/ValidatorInfo.cpp; then
+    echo -e "// Copyright (c) 2019 Dev Null Productions\n\n$(cat src/xrpld/rpc/handlers/admin/status/ValidatorInfo.cpp)" >src/xrpld/rpc/handlers/admin/status/ValidatorInfo.cpp
 fi
 if ! grep -q 'Bougalis' include/xrpl/basics/SlabAllocator.h; then
-  echo -e "// Copyright (c) 2022, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/SlabAllocator.h)" > include/xrpl/basics/SlabAllocator.h # cspell: ignore Nikolaos Bougalis nikb
+    echo -e "// Copyright (c) 2022, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/SlabAllocator.h)" >include/xrpl/basics/SlabAllocator.h # cspell: ignore Nikolaos Bougalis nikb
 fi
 if ! grep -q 'Bougalis' include/xrpl/basics/spinlock.h; then
-  echo -e "// Copyright (c) 2022, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/spinlock.h)" > include/xrpl/basics/spinlock.h # cspell: ignore Nikolaos Bougalis nikb
+    echo -e "// Copyright (c) 2022, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/spinlock.h)" >include/xrpl/basics/spinlock.h # cspell: ignore Nikolaos Bougalis nikb
 fi
 if ! grep -q 'Bougalis' include/xrpl/basics/tagged_integer.h; then
-  echo -e "// Copyright (c) 2014, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/tagged_integer.h)" > include/xrpl/basics/tagged_integer.h # cspell: ignore Nikolaos Bougalis nikb
+    echo -e "// Copyright (c) 2014, Nikolaos D. Bougalis <nikb@bougalis.net>\n\n$(cat include/xrpl/basics/tagged_integer.h)" >include/xrpl/basics/tagged_integer.h # cspell: ignore Nikolaos Bougalis nikb
 fi
 if ! grep -q 'Ritchford' include/xrpl/beast/utility/Zero.h; then
-  echo -e "// Copyright (c) 2014, Tom Ritchford <tom@swirly.com>\n\n$(cat include/xrpl/beast/utility/Zero.h)" > include/xrpl/beast/utility/Zero.h # cspell: ignore Ritchford
+    echo -e "// Copyright (c) 2014, Tom Ritchford <tom@swirly.com>\n\n$(cat include/xrpl/beast/utility/Zero.h)" >include/xrpl/beast/utility/Zero.h # cspell: ignore Ritchford
 fi

 # Restore newlines and tabs in string literals in the affected file.
--- a/.github/scripts/rename/definitions.sh
+++ b/.github/scripts/rename/definitions.sh
@@ -6,11 +6,11 @@ set -e
 # On MacOS, ensure that GNU sed is installed and available as `gsed`.
 SED_COMMAND=sed
 if [[ "${OSTYPE}" == 'darwin'* ]]; then
-  if ! command -v gsed &> /dev/null; then
-      echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
-      exit 1
-  fi
-  SED_COMMAND=gsed
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
 fi

 # This script renames definitions, such as include guards, in this project.
--- a/.github/scripts/rename/docs.sh
+++ b/.github/scripts/rename/docs.sh
@@ -0,0 +1,96 @@
+#!/bin/bash
+
+# Exit the script as soon as an error occurs.
+set -e
+
+# On MacOS, ensure that GNU sed is installed and available as `gsed`.
+SED_COMMAND=sed
+if [[ "${OSTYPE}" == 'darwin'* ]]; then
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
+fi
+
+# This script renames all remaining references to `ripple` and `rippled` to
+# `xrpl` and `xrpld`, respectively, in code, comments, and documentation.
+# Usage: .github/scripts/rename/docs.sh <repository directory>
+
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <repository directory>"
+    exit 1
+fi
+
+DIRECTORY=$1
+echo "Processing directory: ${DIRECTORY}"
+if [ ! -d "${DIRECTORY}" ]; then
+    echo "Error: Directory '${DIRECTORY}' does not exist."
+    exit 1
+fi
+pushd "${DIRECTORY}"
+
+find . -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.txt" -o -name "*.cfg" -o -name "*.md" -o -name "*.proto" \) -not -path "./.github/scripts/*" | while read -r FILE; do
+    echo "Processing file: ${FILE}"
+    ${SED_COMMAND} -i 's/rippleLockEscrowMPT/lockEscrowMPT/g' "${FILE}"
+    ${SED_COMMAND} -i 's/rippleUnlockEscrowMPT/unlockEscrowMPT/g' "${FILE}"
+    ${SED_COMMAND} -i 's/rippleCredit/directSendNoFee/g' "${FILE}"
+    ${SED_COMMAND} -i 's/rippleSend/directSendNoLimit/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's@([^/+-])rippled@\1xrpld@g' "${FILE}"
+    ${SED_COMMAND} -i -E 's@([^/+-])Rippled@\1Xrpld@g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/^rippled/xrpld/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/^Rippled/Xrpld/g' "${FILE}"
+    # cspell: disable
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (a|A)ddress/XRPL address/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (a|A)ccount/XRPL account/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (a|A)lgorithm/XRPL algorithm/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (c|C)lient/XRPL client/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (c|C)luster/XRPL cluster/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (c|C)onsensus/XRPL consensus/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (d|D)efault/XRPL default/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (e|E)poch/XRPL epoch/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (f|F)eature/XRPL feature/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (n|N)etwork/XRPL network/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (p|P)ayment/XRPL payment/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (p|P)rotocol/XRPL protocol/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (r|R)epository/XRPL repository/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple RPC/XRPL RPC/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (s|S)erialization/XRPL serialization/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (s|S)erver/XRPL server/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (s|S)pecific/XRPL specific/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple Source/XRPL Source/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (t|T)imestamp/XRPL timestamp/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple uses the consensus/XRPL uses the consensus/g' "${FILE}"
+    ${SED_COMMAND} -i -E 's/(r|R)ipple (v|V)alidator/XRPL validator/g' "${FILE}"
+    # cspell: enable
+    ${SED_COMMAND} -i 's/RippleLib/XrplLib/g' "${FILE}"
+    ${SED_COMMAND} -i 's/ripple-lib/XrplLib/g' "${FILE}"
+    ${SED_COMMAND} -i 's@opt/ripple/@opt/xrpld/@g' "${FILE}"
+    ${SED_COMMAND} -i 's@src/ripple/@src/xrpld/@g' "${FILE}"
+    ${SED_COMMAND} -i 's@ripple/app/@xrpld/app/@g' "${FILE}"
+    ${SED_COMMAND} -i 's@github.com/ripple/rippled@github.com/XRPLF/rippled@g' "${FILE}"
+    ${SED_COMMAND} -i 's/\ba xrpl/an xrpl/g' "${FILE}"
+    ${SED_COMMAND} -i 's/\ba XRPL/an XRPL/g' "${FILE}"
+done
+${SED_COMMAND} -i 's/ripple_libs/xrpl_libs/' BUILD.md
+${SED_COMMAND} -i 's/Ripple integrators/XRPL developers/' README.md
+${SED_COMMAND} -i 's/sanitizer-configuration-for-rippled/sanitizer-configuration-for-xrpld/' docs/build/sanitizers.md
+${SED_COMMAND} -i 's/rippled/xrpld/g' .github/scripts/levelization/README.md
+${SED_COMMAND} -i 's/rippled/xrpld/g' .github/scripts/strategy-matrix/generate.py
+${SED_COMMAND} -i 's@/rippled@/xrpld@g' docs/build/install.md
+${SED_COMMAND} -i 's@github.com/XRPLF/xrpld@github.com/XRPLF/rippled@g' docs/build/install.md
+${SED_COMMAND} -i 's/rippled/xrpld/g' docs/Doxyfile
+${SED_COMMAND} -i 's/ripple_basics/basics/' include/xrpl/basics/CountedObject.h
+${SED_COMMAND} -i 's/<ripple/<xrpl/' include/xrpl/protocol/AccountID.h
+${SED_COMMAND} -i 's/Ripple:/the XRPL:/g' include/xrpl/protocol/SecretKey.h
+${SED_COMMAND} -i 's/Ripple:/the XRPL:/g' include/xrpl/protocol/Seed.h
+${SED_COMMAND} -i 's/ripple/xrpl/g' src/test/README.md
+${SED_COMMAND} -i 's/www.ripple.com/www.xrpl.org/g' src/test/protocol/Seed_test.cpp
+
+# Restore specific changes.
+${SED_COMMAND} -i 's@b5efcc/src/xrpld@b5efcc/src/ripple@' include/xrpl/protocol/README.md
+${SED_COMMAND} -i 's/dbPrefix_ = "xrpldb"/dbPrefix_ = "rippledb"/' src/xrpld/app/misc/SHAMapStoreImp.h # cspell: disable-line
+${SED_COMMAND} -i 's/kConfigLegacyName = "xrpld.cfg"/kConfigLegacyName = "rippled.cfg"/' src/xrpld/core/detail/Config.cpp
+
+popd
+echo "Renaming complete."
--- a/.github/scripts/rename/include.sh
+++ b/.github/scripts/rename/include.sh
@@ -23,8 +23,8 @@ fi
 find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" \) | while read -r FILE; do
    echo "Processing file: ${FILE}"
    if grep -q "#ifndef XRPL_" "${FILE}"; then
-      echo "Please replace all include guards by #pragma once."
-      exit 1
+        echo "Please replace all include guards by #pragma once."
+        exit 1
    fi
 done
 echo "Checking complete."
--- a/.github/scripts/rename/namespace.sh
+++ b/.github/scripts/rename/namespace.sh
@@ -6,11 +6,11 @@ set -e
 # On MacOS, ensure that GNU sed is installed and available as `gsed`.
 SED_COMMAND=sed
 if [[ "${OSTYPE}" == 'darwin'* ]]; then
-  if ! command -v gsed &> /dev/null; then
-      echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
-      exit 1
-  fi
-  SED_COMMAND=gsed
+    if ! command -v gsed &>/dev/null; then
+        echo "Error: gsed is not installed. Please install it using 'brew install gnu-sed'."
+        exit 1
+    fi
+    SED_COMMAND=gsed
 fi

 # This script renames the `ripple` namespace to `xrpl` in this project.
@@ -31,18 +31,19 @@ if [ ! -d "${DIRECTORY}" ]; then
    echo "Error: Directory '${DIRECTORY}' does not exist."
    exit 1
 fi
-pushd ${DIRECTORY}
+pushd "${DIRECTORY}"

 DIRECTORIES=("include" "src" "tests")
 for DIRECTORY in "${DIRECTORIES[@]}"; do
-  echo "Processing directory: ${DIRECTORY}"
+    echo "Processing directory: ${DIRECTORY}"

-  find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" \) | while read -r FILE; do
-      echo "Processing file: ${FILE}"
-      ${SED_COMMAND} -i 's/namespace ripple/namespace xrpl/g' "${FILE}"
-      ${SED_COMMAND} -i 's/ripple::/xrpl::/g' "${FILE}"
-      ${SED_COMMAND} -i -E 's/(BEAST_DEFINE_TESTSUITE.+)ripple(.+)/\1xrpl\2/g' "${FILE}"
-  done
+    find "${DIRECTORY}" -type f \( -name "*.h" -o -name "*.hpp" -o -name "*.ipp" -o -name "*.cpp" -o -name "*.macro" \) | while read -r FILE; do
+        echo "Processing file: ${FILE}"
+        ${SED_COMMAND} -i 's/namespace ripple/namespace xrpl/g' "${FILE}"
+        ${SED_COMMAND} -i 's/ripple::/xrpl::/g' "${FILE}"
+        ${SED_COMMAND} -i 's/"ripple:/"xrpl::/g' "${FILE}"
+        ${SED_COMMAND} -i -E 's/(BEAST_DEFINE_TESTSUITE.+)ripple(.+)/\1xrpl\2/g' "${FILE}"
+    done
 done

 # Special case for NuDBFactory that has ripple twice in the test suite name.
--- a/.github/scripts/strategy-matrix/generate.py
+++ b/.github/scripts/strategy-matrix/generate.py
@@ -32,7 +32,32 @@ We will further set additional CMake arguments as follows:
 """


-def generate_strategy_matrix(all: bool, config: Config) -> list:
+def build_config_name(os_entry: dict[str, str], platform: str, build_type: str) -> str:
+    parts = [os_entry["distro_name"]]
+    for key in ("distro_version", "compiler_name", "compiler_version"):
+        if value := os_entry[key]:
+            parts.append(value)
+    parts.append("arm64" if "arm64" in platform else "amd64")
+    parts.append(build_type.lower())
+    return "-".join(parts)
+
+
+def generate_packaging_matrix(config: Config) -> list[dict]:
+    """Emit one entry per os entry with `package: true`. Architecture is
+    hardcoded to linux/amd64 here (and the runner is hardcoded at the
+    workflow level) until arm64 packaging is ready.
+    """
+    return [
+        {
+            "artifact_name": f"xrpld-{build_config_name(os, 'linux/amd64', 'Release')}",
+            "os": os,
+        }
+        for os in config.os
+        if os.get("package", False)
+    ]
+
+
+def generate_strategy_matrix(all: bool, config: Config) -> list[dict]:
    configurations = []
    for architecture, os, build_type, cmake_args in itertools.product(
        config.architecture, config.os, config.build_type, config.cmake_args
@@ -51,34 +76,35 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
        # Only generate a subset of configurations in PRs.
        if not all:
            # Debian:
-            # - Bookworm using GCC 13: Release on linux/amd64, set the reference
-            #   fee to 500.
-            # - Bookworm using GCC 15: Debug on linux/amd64, enable code
-            #   coverage (which will be done below).
-            # - Bookworm using Clang 16: Debug on linux/arm64, enable voidstar.
+            # - Bookworm using GCC 13: Debug on linux/amd64, set the reference
+            #   fee to 500 and enable code coverage (which will be done below).
+            # - Bookworm using GCC 15: Debug on linux/amd64, enable Address and
+            #   UB sanitizers (which will be done below).
+            # - Bookworm using Clang 16: Debug on linux/amd64, enable voidstar.
            # - Bookworm using Clang 17: Release on linux/amd64, set the
            #   reference fee to 1000.
-            # - Bookworm using Clang 20: Debug on linux/amd64.
+            # - Bookworm using Clang 20: Debug on linux/amd64, enable Address
+            #   and UB sanitizers (which will be done below).
            if os["distro_name"] == "debian":
                skip = True
                if os["distro_version"] == "bookworm":
                    if (
                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-13"
-                        and build_type == "Release"
+                        and build_type == "Debug"
                        and architecture["platform"] == "linux/amd64"
                    ):
                        cmake_args = f"-DUNIT_TEST_REFERENCE_FEE=500 {cmake_args}"
                        skip = False
                    if (
                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-15"
-                        and build_type == "Debug"
+                        and build_type == "Release"
                        and architecture["platform"] == "linux/amd64"
                    ):
                        skip = False
                    if (
                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-16"
                        and build_type == "Debug"
-                        and architecture["platform"] == "linux/arm64"
+                        and architecture["platform"] == "linux/amd64"
                    ):
                        cmake_args = f"-Dvoidstar=ON {cmake_args}"
                        skip = False
@@ -89,8 +115,9 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
                    ):
                        cmake_args = f"-DUNIT_TEST_REFERENCE_FEE=1000 {cmake_args}"
                        skip = False
+                elif os["distro_version"] == "trixie":
                    if (
-                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-20"
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "clang-22"
                        and build_type == "Debug"
                        and architecture["platform"] == "linux/amd64"
                    ):
@@ -99,14 +126,15 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
                    continue

            # RHEL:
-            # - 9 using GCC 12: Debug on linux/amd64.
+            # - 9 using GCC 12: Debug and Release on linux/amd64
+            #   (Release is required for RPM packaging).
            # - 10 using Clang: Release on linux/amd64.
            if os["distro_name"] == "rhel":
                skip = True
                if os["distro_version"] == "9":
                    if (
                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
-                        and build_type == "Debug"
+                        and build_type in ["Debug", "Release"]
                        and architecture["platform"] == "linux/amd64"
                    ):
                        skip = False
@@ -121,7 +149,8 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
                    continue

            # Ubuntu:
-            # - Jammy using GCC 12: Debug on linux/arm64.
+            # - Jammy using GCC 12: Debug on linux/arm64, Release on
+            #   linux/amd64 (Release is required for DEB packaging).
            # - Noble using GCC 14: Release on linux/amd64.
            # - Noble using Clang 18: Debug on linux/amd64.
            # - Noble using Clang 19: Release on linux/arm64.
@@ -134,6 +163,12 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
                        and architecture["platform"] == "linux/arm64"
                    ):
                        skip = False
+                    if (
+                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-12"
+                        and build_type == "Release"
+                        and architecture["platform"] == "linux/amd64"
+                    ):
+                        skip = False
                elif os["distro_version"] == "noble":
                    if (
                        f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-14"
@@ -187,17 +222,18 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:

        # We skip all clang 20+ on arm64 due to Boost build error.
        if (
-            f"{os['compiler_name']}-{os['compiler_version']}"
-            in ["clang-20", "clang-21"]
+            os["compiler_name"] == "clang"
+            and os["compiler_version"].isdigit()
+            and int(os["compiler_version"]) >= 20
            and architecture["platform"] == "linux/arm64"
        ):
            continue

-        # Enable code coverage for Debian Bookworm using GCC 15 in Debug on
-        # linux/amd64
+        # Enable code coverage for Debian Bookworm using GCC 13 in Debug on
+        # linux/amd64.
        if (
            f"{os['distro_name']}-{os['distro_version']}" == "debian-bookworm"
-            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-15"
+            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-13"
            and build_type == "Debug"
            and architecture["platform"] == "linux/amd64"
        ):
@@ -215,17 +251,7 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:

        # Generate a unique name for the configuration, e.g. macos-arm64-debug
        # or debian-bookworm-gcc-12-amd64-release.
-        config_name = os["distro_name"]
-        if (n := os["distro_version"]) != "":
-            config_name += f"-{n}"
-        if (n := os["compiler_name"]) != "":
-            config_name += f"-{n}"
-        if (n := os["compiler_version"]) != "":
-            config_name += f"-{n}"
-        config_name += (
-            f"-{architecture['platform'][architecture['platform'].find('/')+1:]}"
-        )
-        config_name += f"-{build_type.lower()}"
+        config_name = build_config_name(os, architecture["platform"], build_type)
        if "-Dcoverage=ON" in cmake_args:
            config_name += "-coverage"
        if "-Dunity=ON" in cmake_args:
@@ -234,23 +260,39 @@ def generate_strategy_matrix(all: bool, config: Config) -> list:
        # Add the configuration to the list, with the most unique fields first,
        # so that they are easier to identify in the GitHub Actions UI, as long
        # names get truncated.
-        # Add Address and Thread (both coupled with UB) sanitizers for specific bookworm distros.
-        # GCC-Asan rippled-embedded tests are failing because of https://github.com/google/sanitizers/issues/856
+        # Add Address and UB sanitizers as separate configurations for specific
+        # bookworm distros. Thread sanitizer is currently disabled (see below).
+        # GCC-Asan xrpld-embedded tests are failing because of https://github.com/google/sanitizers/issues/856
        if (
            os["distro_version"] == "bookworm"
-            and f"{os['compiler_name']}-{os['compiler_version']}" == "clang-20"
+            and f"{os['compiler_name']}-{os['compiler_version']}" == "gcc-15"
+        ) or (
+            os["distro_version"] == "trixie"
+            and f"{os['compiler_name']}-{os['compiler_version']}" == "clang-22"
        ):
-            # Add ASAN + UBSAN configuration.
+            # Add ASAN and UBSAN configurations for both gcc-15 and clang-22
            configurations.append(
                {
-                    "config_name": config_name + "-asan-ubsan",
+                    "config_name": config_name + "-asan",
                    "cmake_args": cmake_args,
                    "cmake_target": cmake_target,
                    "build_only": build_only,
                    "build_type": build_type,
                    "os": os,
                    "architecture": architecture,
-                    "sanitizers": "address,undefinedbehavior",
+                    "sanitizers": "address",
+                }
+            )
+            configurations.append(
+                {
+                    "config_name": config_name + "-ubsan",
+                    "cmake_args": cmake_args,
+                    "cmake_target": cmake_target,
+                    "build_only": build_only,
+                    "build_type": build_type,
+                    "os": os,
+                    "architecture": architecture,
+                    "sanitizers": "undefinedbehavior",
                }
            )
            # TSAN is deactivated due to seg faults with latest compilers.
@@ -313,10 +355,19 @@ if __name__ == "__main__":
        required=False,
        type=Path,
    )
+    parser.add_argument(
+        "-p",
+        "--packaging",
+        help="Emit the packaging matrix (derived from the 'package' field on os entries) instead of the build/test matrix.",
+        action="store_true",
+    )
    args = parser.parse_args()

    matrix = []
-    if args.config is None or args.config == "":
+    if args.packaging:
+        config_path = args.config if args.config else THIS_DIR / "linux.json"
+        matrix += generate_packaging_matrix(read_config(config_path))
+    elif args.config is None or args.config == "":
        matrix += generate_strategy_matrix(
            args.all, read_config(THIS_DIR / "linux.json")
        )
--- a/.github/scripts/strategy-matrix/linux.json
+++ b/.github/scripts/strategy-matrix/linux.json
@@ -15,196 +15,205 @@
      "distro_version": "bookworm",
      "compiler_name": "gcc",
      "compiler_version": "12",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "bookworm",
      "compiler_name": "gcc",
      "compiler_version": "13",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "bookworm",
      "compiler_name": "gcc",
      "compiler_version": "14",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "bookworm",
      "compiler_name": "gcc",
      "compiler_version": "15",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "bookworm",
      "compiler_name": "clang",
      "compiler_version": "16",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "bookworm",
      "compiler_name": "clang",
      "compiler_version": "17",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "bookworm",
      "compiler_name": "clang",
      "compiler_version": "18",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "bookworm",
      "compiler_name": "clang",
      "compiler_version": "19",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "bookworm",
      "compiler_name": "clang",
      "compiler_version": "20",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "trixie",
      "compiler_name": "gcc",
      "compiler_version": "14",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "trixie",
      "compiler_name": "gcc",
      "compiler_version": "15",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "trixie",
      "compiler_name": "clang",
      "compiler_version": "20",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "debian",
      "distro_version": "trixie",
      "compiler_name": "clang",
      "compiler_version": "21",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
+    },
+    {
+      "distro_name": "debian",
+      "distro_version": "trixie",
+      "compiler_name": "clang",
+      "compiler_version": "22",
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "rhel",
      "distro_version": "8",
      "compiler_name": "gcc",
      "compiler_version": "14",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "rhel",
      "distro_version": "8",
      "compiler_name": "clang",
      "compiler_version": "any",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "rhel",
      "distro_version": "9",
      "compiler_name": "gcc",
      "compiler_version": "12",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9",
+      "package": true
    },
    {
      "distro_name": "rhel",
      "distro_version": "9",
      "compiler_name": "gcc",
      "compiler_version": "13",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "rhel",
      "distro_version": "9",
      "compiler_name": "gcc",
      "compiler_version": "14",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "rhel",
      "distro_version": "9",
      "compiler_name": "clang",
      "compiler_version": "any",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "rhel",
      "distro_version": "10",
      "compiler_name": "gcc",
      "compiler_version": "14",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "rhel",
      "distro_version": "10",
      "compiler_name": "clang",
      "compiler_version": "any",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "ubuntu",
      "distro_version": "jammy",
      "compiler_name": "gcc",
      "compiler_version": "12",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9",
+      "package": true
    },
    {
      "distro_name": "ubuntu",
      "distro_version": "noble",
      "compiler_name": "gcc",
      "compiler_version": "13",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "ubuntu",
      "distro_version": "noble",
      "compiler_name": "gcc",
      "compiler_version": "14",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "ubuntu",
      "distro_version": "noble",
      "compiler_name": "clang",
      "compiler_version": "16",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "ubuntu",
      "distro_version": "noble",
      "compiler_name": "clang",
      "compiler_version": "17",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "ubuntu",
      "distro_version": "noble",
      "compiler_name": "clang",
      "compiler_version": "18",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    },
    {
      "distro_name": "ubuntu",
      "distro_version": "noble",
      "compiler_name": "clang",
      "compiler_version": "19",
-      "image_sha": "ab4d1f0"
+      "image_sha": "4c086b9"
    }
  ],
  "build_type": ["Debug", "Release"],
--- a/.github/workflows/build-nix-image.yml
+++ b/.github/workflows/build-nix-image.yml
@@ -0,0 +1,109 @@
+name: Build Nix Docker image
+
+on:
+  push:
+    branches:
+      - develop
+    paths:
+      - ".github/workflows/build-nix-image.yml"
+      - ".github/workflows/reusable-build-docker-image.yml"
+      - "docker/**"
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/**"
+  pull_request:
+    paths:
+      - ".github/workflows/build-nix-image.yml"
+      - ".github/workflows/reusable-build-docker-image.yml"
+      - "docker/**"
+      - "flake.nix"
+      - "flake.lock"
+      - "nix/**"
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    name: Build ${{ matrix.distro.name }} (${{ matrix.target.platform }})
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        # The base images are the oldest supported version of each distro
+        # that we want to build images for.
+        distro:
+          - name: nixos
+            base_image: nixos/nix:latest
+          - name: ubuntu
+            base_image: ubuntu:20.04
+          - name: rhel
+            base_image: registry.access.redhat.com/ubi9/ubi:latest
+          - name: debian
+            base_image: debian:bookworm
+        target:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+    uses: ./.github/workflows/reusable-build-docker-image.yml
+    with:
+      image_name: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro.name }}
+      dockerfile: docker/nix.Dockerfile
+      base_image: ${{ matrix.distro.base_image }}
+      platform: ${{ matrix.target.platform }}
+      runner: ${{ matrix.target.runner }}
+      push: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
+
+  merge:
+    name: Merge ${{ matrix.distro }} manifest
+    needs: build
+    if: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: [nixos, ubuntu, rhel, debian]
+    env:
+      IMAGE_NAME: ghcr.io/xrplf/xrpld/nix-${{ matrix.distro }}
+
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=sha-,format=short
+            type=raw,value=latest
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create multi-arch manifests
+        run: |
+          for tag in $(jq -cr '.tags[]' <<<"$DOCKER_METADATA_OUTPUT_JSON"); do
+              docker buildx imagetools create -t "$tag" "${tag}-amd64" "${tag}-arm64"
+          done
+
+      - name: Inspect image
+        run: |
+          docker buildx imagetools inspect "${IMAGE_NAME}:${{ steps.meta.outputs.version }}"
--- a/.github/workflows/check-pr-commits.yml
+++ b/.github/workflows/check-pr-commits.yml
@@ -0,0 +1,13 @@
+name: Check PR commits
+
+on:
+  pull_request_target:
+
+# The action needs to have write permissions to post comments on the PR.
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  check_commits:
+    uses: XRPLF/actions/.github/workflows/check-pr-commits.yml@e2c7f400d1e85ae65dad552fd425169fbacca4a3
--- a/.github/workflows/check-pr-description.yml
+++ b/.github/workflows/check-pr-description.yml
@@ -0,0 +1,39 @@
+name: Check PR description
+
+on:
+  merge_group:
+    types:
+      - checks_requested
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - develop
+      - "release-*"
+      - "release/*"
+      - "staging/*"
+
+jobs:
+  check_description:
+    if: ${{ github.event.pull_request.draft != true }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Write PR body to file
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        if: ${{ github.event_name == 'pull_request' }}
+        run: printenv PR_BODY >pr_body.md
+
+      - name: Check PR description differs from template
+        if: ${{ github.event_name == 'pull_request' }}
+        run: |
+          python .github/scripts/check-pr-description.py \
+              --template-file .github/pull_request_template.md \
+              --pr-body-file pr_body.md
--- a/.github/workflows/check-pr-title.yml
+++ b/.github/workflows/check-pr-title.yml
@@ -1,10 +1,23 @@
 name: Check PR title

 on:
+  merge_group:
+    types:
+      - checks_requested
  pull_request:
-    types: [opened, edited, reopened, synchronize]
-    branches: [develop]
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+      - ready_for_review
+    branches:
+      - develop
+      - "release-*"
+      - "release/*"
+      - "staging/*"

 jobs:
  check_title:
-    uses: XRPLF/actions/.github/workflows/check-pr-title.yml@943eb8277e8f4b010fde0c826ce4154c36c39509
+    if: ${{ github.event.pull_request.draft != true }}
+    uses: XRPLF/actions/.github/workflows/check-pr-title.yml@cba1f0891650baf1a9c88624dc2d72573be2eb81
--- a/.github/workflows/conflicting-pr.yml
+++ b/.github/workflows/conflicting-pr.yml
@@ -0,0 +1,25 @@
+name: Label PRs with merge conflicts
+
+on:
+  # So that PRs touching the same files as the push are updated.
+  push:
+  # So that the `dirtyLabel` is removed if conflicts are resolved.
+  # We recommend `pull_request_target` so that github secrets are available.
+  # In `pull_request` we wouldn't be able to change labels of fork PRs.
+  pull_request_target:
+    types: [synchronize]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if PRs are dirty
+        uses: eps1lon/actions-label-merge-conflict@0273be72a0bbd58fcd71d0d6c02c209b50d1e5e1 # v3.1.0
+        with:
+          dirtyLabel: "PR: has conflicts"
+          repoToken: "${{ secrets.GITHUB_TOKEN }}"
+          commentOnDirty: "This PR has conflicts, please resolve them in order for the PR to be reviewed."
+          commentOnClean: "All conflicts have been resolved. Assigned reviewers can now start or resume their review."
--- a/.github/workflows/on-pr.yml
+++ b/.github/workflows/on-pr.yml
@@ -46,7 +46,7 @@ jobs:
        # that Github considers any skipped jobs to have passed, and in
        # turn the required checks as well.
        id: changes
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: |
            # These paths are unique to `on-pr.yml`.
@@ -58,20 +58,19 @@ jobs:

            # Keep the paths below in sync with those in `on-trigger.yml`.
            .github/actions/build-deps/**
-            .github/actions/build-test/**
            .github/actions/generate-version/**
            .github/actions/setup-conan/**
            .github/scripts/strategy-matrix/**
-            .github/workflows/reusable-build.yml
            .github/workflows/reusable-build-test-config.yml
            .github/workflows/reusable-build-test.yml
            .github/workflows/reusable-clang-tidy.yml
-            .github/workflows/reusable-clang-tidy-files.yml
+            .github/workflows/reusable-package.yml
            .github/workflows/reusable-strategy-matrix.yml
            .github/workflows/reusable-test.yml
            .github/workflows/reusable-upload-recipe.yml
            .clang-tidy
            .codecov.yml
+            cfg/**
            cmake/**
            conan/**
            external/**
@@ -81,6 +80,10 @@ jobs:
            CMakeLists.txt
            conanfile.py
            conan.lock
+            LICENSE.md
+            package/**
+            README.md
+
      - name: Check whether to run
        # This step determines whether the rest of the workflow should
        # run. The rest of the workflow will run if this job runs AND at
@@ -95,7 +98,7 @@ jobs:
          READY: ${{ contains(github.event.pull_request.labels.*.name, 'Ready to merge') }}
          MERGE: ${{ github.event_name == 'merge_group' }}
        run: |
-          echo "go=${{ (env.DRAFT != 'true' && env.READY == 'true') || env.FILES == 'true' || env.MERGE == 'true' }}" >> "${GITHUB_OUTPUT}"
+          echo "go=${{ (env.DRAFT != 'true' && env.READY == 'true') || env.FILES == 'true' || env.MERGE == 'true' }}" >>"${GITHUB_OUTPUT}"
          cat "${GITHUB_OUTPUT}"
    outputs:
      go: ${{ steps.go.outputs.go == 'true' }}
@@ -137,13 +140,17 @@ jobs:
    secrets:
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

+  package:
+    needs: [should-run, build-test]
+    if: ${{ needs.should-run.outputs.go == 'true' }}
+    uses: ./.github/workflows/reusable-package.yml
+
  upload-recipe:
    needs:
      - should-run
      - build-test
-    # Only run when committing to a PR that targets a release branch in the
-    # XRPLF repository.
-    if: ${{ github.repository_owner == 'XRPLF' && needs.should-run.outputs.go == 'true' && startsWith(github.ref, 'refs/heads/release') }}
+    # Only run when committing to a PR that targets a release branch.
+    if: ${{ github.repository == 'XRPLF/rippled' && needs.should-run.outputs.go == 'true' && github.event_name == 'pull_request' && startsWith(github.event.pull_request.base.ref, 'release') }}
    uses: ./.github/workflows/reusable-upload-recipe.yml
    secrets:
      remote_username: ${{ secrets.CONAN_REMOTE_USERNAME }}
@@ -161,9 +168,9 @@ jobs:
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: |
          gh api --method POST -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \
-          /repos/xrplf/clio/dispatches -f "event_type=check_libxrpl" \
-          -F "client_payload[ref]=${{ needs.upload-recipe.outputs.recipe_ref }}" \
-          -F "client_payload[pr_url]=${PR_URL}"
+              /repos/xrplf/clio/dispatches -f "event_type=check_libxrpl" \
+              -F "client_payload[ref]=${{ needs.upload-recipe.outputs.recipe_ref }}" \
+              -F "client_payload[pr_url]=${PR_URL}"

  passed:
    if: failure() || cancelled()
@@ -172,9 +179,10 @@ jobs:
      - check-rename
      - clang-tidy
      - build-test
+      - package
      - upload-recipe
      - notify-clio
    runs-on: ubuntu-latest
    steps:
      - name: Fail
-        run: false
+        run: exit 1
--- a/.github/workflows/on-tag.yml
+++ b/.github/workflows/on-tag.yml
@@ -1,11 +1,11 @@
-# This workflow uploads the libxrpl recipe to the Conan remote when a versioned
-# tag is pushed.
+# This workflow uploads the libxrpl recipe to the Conan remote and builds
+# release packages when a versioned tag is pushed.
 name: Tag

 on:
  push:
    tags:
-      - "v*"
+      - "[0-9]+.[0-9]+.[0-9]*"

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
@@ -17,9 +17,27 @@ defaults:

 jobs:
  upload-recipe:
-    # Only run when a tag is pushed to the XRPLF repository.
-    if: ${{ github.repository_owner == 'XRPLF' }}
+    if: ${{ github.repository == 'XRPLF/rippled' }}
    uses: ./.github/workflows/reusable-upload-recipe.yml
    secrets:
      remote_username: ${{ secrets.CONAN_REMOTE_USERNAME }}
      remote_password: ${{ secrets.CONAN_REMOTE_PASSWORD }}
+
+  build-test:
+    if: ${{ github.repository == 'XRPLF/rippled' }}
+    uses: ./.github/workflows/reusable-build-test.yml
+    strategy:
+      fail-fast: true
+      matrix:
+        os: [linux]
+    with:
+      ccache_enabled: false
+      os: ${{ matrix.os }}
+      strategy_matrix: minimal
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+  package:
+    if: ${{ github.repository == 'XRPLF/rippled' }}
+    needs: build-test
+    uses: ./.github/workflows/reusable-package.yml
--- a/.github/workflows/on-trigger.yml
+++ b/.github/workflows/on-trigger.yml
@@ -15,20 +15,19 @@ on:

      # Keep the paths below in sync with those in `on-pr.yml`.
      - ".github/actions/build-deps/**"
-      - ".github/actions/build-test/**"
      - ".github/actions/generate-version/**"
      - ".github/actions/setup-conan/**"
      - ".github/scripts/strategy-matrix/**"
-      - ".github/workflows/reusable-build.yml"
      - ".github/workflows/reusable-build-test-config.yml"
      - ".github/workflows/reusable-build-test.yml"
      - ".github/workflows/reusable-clang-tidy.yml"
-      - ".github/workflows/reusable-clang-tidy-files.yml"
+      - ".github/workflows/reusable-package.yml"
      - ".github/workflows/reusable-strategy-matrix.yml"
      - ".github/workflows/reusable-test.yml"
      - ".github/workflows/reusable-upload-recipe.yml"
      - ".clang-tidy"
      - ".codecov.yml"
+      - "cfg/**"
      - "cmake/**"
      - "conan/**"
      - "external/**"
@@ -38,6 +37,9 @@ on:
      - "CMakeLists.txt"
      - "conanfile.py"
      - "conan.lock"
+      - "LICENSE.md"
+      - "package/**"
+      - "README.md"

  # Run at 06:32 UTC on every day of the week from Monday through Friday. This
  # will force all dependencies to be rebuilt, which is useful to verify that
@@ -92,9 +94,13 @@ jobs:

  upload-recipe:
    needs: build-test
-    # Only run when pushing to the develop branch in the XRPLF repository.
-    if: ${{ github.repository_owner == 'XRPLF' && github.event_name == 'push' && github.ref == 'refs/heads/develop' }}
+    # Only run when pushing to the develop branch.
+    if: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' && github.ref == 'refs/heads/develop' }}
    uses: ./.github/workflows/reusable-upload-recipe.yml
    secrets:
      remote_username: ${{ secrets.CONAN_REMOTE_USERNAME }}
      remote_password: ${{ secrets.CONAN_REMOTE_PASSWORD }}
+
+  package:
+    needs: build-test
+    uses: ./.github/workflows/reusable-package.yml
--- a/.github/workflows/pre-commit.yml
+++ b/.github/workflows/pre-commit.yml
@@ -1,6 +1,9 @@
 name: Run pre-commit hooks

 on:
+  merge_group:
+    types:
+      - checks_requested
  pull_request:
  push:
    branches:
@@ -11,7 +14,7 @@ on:
 jobs:
  # Call the workflow in the XRPLF/actions repo that runs the pre-commit hooks.
  run-hooks:
-    uses: XRPLF/actions/.github/workflows/pre-commit.yml@56de1bdf19639e009639a50b8d17c28ca954f267
+    uses: XRPLF/actions/.github/workflows/pre-commit.yml@cba1f0891650baf1a9c88624dc2d72573be2eb81
    with:
      runs_on: ubuntu-latest
      container: '{ "image": "ghcr.io/xrplf/ci/tools-rippled-pre-commit:sha-41ec7c1" }'
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -6,7 +6,6 @@ on:
  push:
    branches:
      - "develop"
-      - "release*"
    paths:
      - ".github/workflows/publish-docs.yml"
      - "*.md"
@@ -37,7 +36,7 @@ env:
  BUILD_DIR: build
  # ubuntu-latest has only 2 CPUs for private repositories
  # https://docs.github.com/en/actions/reference/runners/github-hosted-runners#standard-github-hosted-runners-for--private-repositories
-  NPROC_SUBTRACT: ${{ github.event.repository.private && '1' || '2' }}
+  NPROC_SUBTRACT: ${{ github.event.repository.visibility == 'public' && '2' || '1' }}

 jobs:
  build:
@@ -48,7 +47,7 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Prepare runner
-        uses: XRPLF/actions/prepare-runner@2cbf481018d930656e9276fcc20dc0e3a0be5b6d
+        uses: XRPLF/actions/prepare-runner@90f11ee655d1687824fb8793db770477d52afbab
        with:
          enable_ccache: false

@@ -82,13 +81,13 @@ jobs:
          cmake --build . --target docs --parallel ${BUILD_NPROC}

      - name: Create documentation artifact
-        if: ${{ github.event_name == 'push' }}
-        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0
+        if: ${{ github.event.repository.visibility == 'public' && github.event_name == 'push' }}
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
        with:
          path: ${{ env.BUILD_DIR }}/docs/html

  deploy:
-    if: ${{ github.event_name == 'push' }}
+    if: ${{ github.repository == 'XRPLF/rippled' && github.event_name == 'push' }}
    needs: build
    runs-on: ubuntu-latest
    permissions:
@@ -100,4 +99,4 @@ jobs:
    steps:
      - name: Deploy to GitHub Pages
        id: deploy
-        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
--- a/.github/workflows/reusable-build-docker-image.yml
+++ b/.github/workflows/reusable-build-docker-image.yml
@@ -0,0 +1,89 @@
+# Build a single-platform Docker image. On push, the image is pushed to
+# GHCR with arch-suffixed tags (e.g. `:latest-amd64`, `:sha-abc-amd64`)
+# so the calling workflow can stitch per-arch builds into a multi-arch
+# manifest without needing to pass digests around.
+name: Reusable build Docker image (single platform)
+
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        description: "Full image name without tag (e.g. 'ghcr.io/xrplf/xrpld/nix-ubuntu')"
+        required: true
+        type: string
+      dockerfile:
+        description: "Path to the Dockerfile, relative to the repository root"
+        required: true
+        type: string
+      base_image:
+        description: "Value passed to the Dockerfile as the BASE_IMAGE build arg"
+        required: true
+        type: string
+      platform:
+        description: "Docker platform string, e.g. linux/amd64"
+        required: true
+        type: string
+      runner:
+        description: "GitHub Actions runner label to build on"
+        required: true
+        type: string
+      push:
+        description: "Whether to push the image to GHCR"
+        required: true
+        type: boolean
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  build:
+    name: Build (${{ inputs.platform }})
+    runs-on: ${{ inputs.runner }}
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Determine arch
+        id: vars
+        env:
+          PLATFORM: ${{ inputs.platform }}
+        run: |
+          echo "arch=${PLATFORM##*/}" >>$GITHUB_OUTPUT
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+
+      - name: Login to GitHub Container Registry
+        if: inputs.push
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+        with:
+          images: ${{ inputs.image_name }}
+          tags: |
+            type=sha,prefix=sha-,format=short
+            type=raw,value=latest
+          flavor: |
+            suffix=-${{ steps.vars.outputs.arch }},onlatest=true
+
+      - name: Build and push
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        with:
+          context: .
+          file: ${{ inputs.dockerfile }}
+          platforms: ${{ inputs.platform }}
+          push: ${{ inputs.push }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: BASE_IMAGE=${{ inputs.base_image }}
--- a/.github/workflows/reusable-build-test-config.yml
+++ b/.github/workflows/reusable-build-test-config.yml
@@ -76,7 +76,7 @@ jobs:
    name: ${{ inputs.config_name }}
    runs-on: ${{ fromJSON(inputs.runs_on) }}
    container: ${{ inputs.image != '' && inputs.image || null }}
-    timeout-minutes: 60
+    timeout-minutes: ${{ inputs.sanitizers != '' && 360 || 60 }}
    env:
      # Use a namespace to keep the objects separate for each configuration.
      CCACHE_NAMESPACE: ${{ inputs.config_name }}
@@ -107,16 +107,16 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Prepare runner
-        uses: XRPLF/actions/prepare-runner@2cbf481018d930656e9276fcc20dc0e3a0be5b6d
+        uses: XRPLF/actions/prepare-runner@90f11ee655d1687824fb8793db770477d52afbab
        with:
          enable_ccache: ${{ inputs.ccache_enabled }}

      - name: Set ccache log file
        if: ${{ inputs.ccache_enabled && runner.debug == '1' }}
-        run: echo "CCACHE_LOGFILE=${{ runner.temp }}/ccache.log" >> "${GITHUB_ENV}"
+        run: echo "CCACHE_LOGFILE=${{ runner.temp }}/ccache.log" >>"${GITHUB_ENV}"

      - name: Print build environment
-        uses: ./.github/actions/print-env
+        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574

      - name: Get number of processors
        uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
@@ -143,15 +143,40 @@ jobs:
        working-directory: ${{ env.BUILD_DIR }}
        env:
          BUILD_TYPE: ${{ inputs.build_type }}
-          SANITIZERS: ${{ inputs.sanitizers }}
          CMAKE_ARGS: ${{ inputs.cmake_args }}
        run: |
          cmake \
-            -G '${{ runner.os == 'Windows' && 'Visual Studio 17 2022' || 'Ninja' }}' \
-            -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
-            -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \
-            ${CMAKE_ARGS} \
-            ..
+              -G '${{ runner.os == 'Windows' && 'Visual Studio 17 2022' || 'Ninja' }}' \
+              -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
+              -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \
+              ${CMAKE_ARGS} \
+              ..
+
+      - name: Check protocol autogen files are up-to-date
+        working-directory: ${{ env.BUILD_DIR }}
+        env:
+          MESSAGE: |
+
+            The generated protocol wrapper classes are out of date.
+
+            This typically happens when the macro files or generator scripts
+            have changed but the generated files were not regenerated.
+
+            To fix this:
+              1. Run: cmake --build . --target setup_code_gen
+              2. Run: cmake --build . --target code_gen
+              3. Commit and push the regenerated files
+        run: |
+          set -e
+          cmake --build . --target setup_code_gen
+          cmake --build . --target code_gen
+          DIFF=$(git -C .. status --porcelain -- include/xrpl/protocol_autogen src/tests/libxrpl/protocol_autogen)
+          if [ -n "${DIFF}" ]; then
+              echo "::error::Generated protocol files are out of date"
+              git -C .. diff -- include/xrpl/protocol_autogen src/tests/libxrpl/protocol_autogen
+              echo "${MESSAGE}"
+              exit 1
+          fi

      - name: Build the binary
        working-directory: ${{ env.BUILD_DIR }}
@@ -161,39 +186,55 @@ jobs:
          CMAKE_TARGET: ${{ inputs.cmake_target }}
        run: |
          cmake \
-            --build . \
-            --config "${BUILD_TYPE}" \
-            --parallel "${BUILD_NPROC}" \
-            --target "${CMAKE_TARGET}"
+              --build . \
+              --config "${BUILD_TYPE}" \
+              --parallel "${BUILD_NPROC}" \
+              --target "${CMAKE_TARGET}"

      - name: Show ccache statistics
        if: ${{ inputs.ccache_enabled }}
        run: |
          ccache --show-stats -vv
          if [ '${{ runner.debug }}' = '1' ]; then
-            cat "${CCACHE_LOGFILE}"
-            curl ${CCACHE_REMOTE_STORAGE%|*}/status || true
+              cat "${CCACHE_LOGFILE}"
+              curl ${CCACHE_REMOTE_STORAGE%|*}/status || true
          fi

      - name: Upload the binary (Linux)
-        if: ${{ github.repository_owner == 'XRPLF' && runner.os == 'Linux' }}
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        if: ${{ github.event.repository.visibility == 'public' && runner.os == 'Linux' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: xrpld-${{ inputs.config_name }}
          path: ${{ env.BUILD_DIR }}/xrpld
          retention-days: 3
          if-no-files-found: error

+      - name: Export server definitions
+        if: ${{ runner.os != 'Windows' && !inputs.build_only && env.VOIDSTAR_ENABLED != 'true' }}
+        working-directory: ${{ env.BUILD_DIR }}
+        run: |
+          set -o pipefail
+          ./xrpld --definitions | python3 -m json.tool >server_definitions.json
+
+      - name: Upload server definitions
+        if: ${{ github.event.repository.visibility == 'public' && inputs.config_name == 'debian-bookworm-gcc-13-amd64-release' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: server-definitions
+          path: ${{ env.BUILD_DIR }}/server_definitions.json
+          retention-days: 3
+          if-no-files-found: error
+
      - name: Check linking (Linux)
        if: ${{ runner.os == 'Linux' && env.SANITIZERS_ENABLED == 'false' }}
        working-directory: ${{ env.BUILD_DIR }}
        run: |
          ldd ./xrpld
          if [ "$(ldd ./xrpld | grep -E '(libstdc\+\+|libgcc)' | wc -l)" -eq 0 ]; then
-            echo 'The binary is statically linked.'
+              echo 'The binary is statically linked.'
          else
-            echo 'The binary is dynamically linked.'
-            exit 1
+              echo 'The binary is dynamically linked.'
+              exit 1
          fi

      - name: Verify presence of instrumentation (Linux)
@@ -204,11 +245,17 @@ jobs:

      - name: Set sanitizer options
        if: ${{ !inputs.build_only && env.SANITIZERS_ENABLED == 'true' }}
+        env:
+          CONFIG_NAME: ${{ inputs.config_name }}
        run: |
-          echo "ASAN_OPTIONS=print_stacktrace=1:detect_container_overflow=0:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/asan.supp" >> ${GITHUB_ENV}
-          echo "TSAN_OPTIONS=second_deadlock_stack=1:halt_on_error=0:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/tsan.supp" >> ${GITHUB_ENV}
-          echo "UBSAN_OPTIONS=suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/ubsan.supp" >> ${GITHUB_ENV}
-          echo "LSAN_OPTIONS=suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/lsan.supp" >> ${GITHUB_ENV}
+          ASAN_OPTS="include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-asan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/asan.supp"
+          if [[ "${CONFIG_NAME}" == *gcc* ]]; then
+              ASAN_OPTS="${ASAN_OPTS}:alloc_dealloc_mismatch=0"
+          fi
+          echo "ASAN_OPTIONS=${ASAN_OPTS}" >>${GITHUB_ENV}
+          echo "TSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-tsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/tsan.supp" >>${GITHUB_ENV}
+          echo "UBSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-ubsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/ubsan.supp" >>${GITHUB_ENV}
+          echo "LSAN_OPTIONS=include=${GITHUB_WORKSPACE}/sanitizers/suppressions/runtime-lsan-options.txt:suppressions=${GITHUB_WORKSPACE}/sanitizers/suppressions/lsan.supp" >>${GITHUB_ENV}

      - name: Run the separate tests
        if: ${{ !inputs.build_only }}
@@ -219,9 +266,9 @@ jobs:
          PARALLELISM: ${{ runner.os == 'Windows' && '1' || steps.nproc.outputs.nproc }}
        run: |
          ctest \
-            --output-on-failure \
-            -C "${BUILD_TYPE}" \
-            -j "${PARALLELISM}"
+              --output-on-failure \
+              -C "${BUILD_TYPE}" \
+              -j "${PARALLELISM}"

      - name: Run the embedded tests
        if: ${{ !inputs.build_only }}
@@ -230,19 +277,29 @@ jobs:
          BUILD_NPROC: ${{ steps.nproc.outputs.nproc }}
        run: |
          set -o pipefail
+          # Coverage builds are slower due to instrumentation; use fewer parallel jobs to avoid flakiness
+          [ "$COVERAGE_ENABLED" = "true" ] && BUILD_NPROC=$((BUILD_NPROC - 2))
          ./xrpld --unittest --unittest-jobs "${BUILD_NPROC}" 2>&1 | tee unittest.log

      - name: Show test failure summary
        if: ${{ failure() && !inputs.build_only }}
-        working-directory: ${{ runner.os == 'Windows' && format('{0}/{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
+        env:
+          WORKING_DIR: ${{ runner.os == 'Windows' && format('{0}\{1}', env.BUILD_DIR, inputs.build_type) || env.BUILD_DIR }}
        run: |
+          if [ ! -d "${WORKING_DIR}" ]; then
+              echo "Working directory '${WORKING_DIR}' does not exist."
+              exit 0
+          fi
+
+          cd "${WORKING_DIR}"
+
          if [ ! -f unittest.log ]; then
-            echo "unittest.log not found; embedded tests may not have run."
-            exit 0
+              echo "unittest.log not found; embedded tests may not have run."
+              exit 0
          fi

          if ! grep -E "failed" unittest.log; then
-            echo "Log present but no failure lines found in unittest.log."
+              echo "Log present but no failure lines found in unittest.log."
          fi
      - name: Debug failure (Linux)
        if: ${{ failure() && runner.os == 'Linux' && !inputs.build_only }}
@@ -260,14 +317,14 @@ jobs:
          BUILD_TYPE: ${{ inputs.build_type }}
        run: |
          cmake \
-            --build . \
-            --config "${BUILD_TYPE}" \
-            --parallel "${BUILD_NPROC}" \
-            --target coverage
+              --build . \
+              --config "${BUILD_TYPE}" \
+              --parallel "${BUILD_NPROC}" \
+              --target coverage

      - name: Upload coverage report
-        if: ${{ github.repository_owner == 'XRPLF' && !inputs.build_only && env.COVERAGE_ENABLED == 'true' }}
-        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        if: ${{ github.repository == 'XRPLF/rippled' && !inputs.build_only && env.COVERAGE_ENABLED == 'true' }}
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
        with:
          disable_search: true
          disable_telem: true
--- a/.github/workflows/reusable-check-levelization.yml
+++ b/.github/workflows/reusable-check-levelization.yml
@@ -20,7 +20,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check levelization
-        run: .github/scripts/levelization/generate.sh
+        run: python .github/scripts/levelization/generate.py
      - name: Check for differences
        env:
          MESSAGE: |
@@ -32,15 +32,15 @@ jobs:
            removed from loops.txt, it's probably an improvement, while if
            something was added, it's probably a regression.

-            Run '.github/scripts/levelization/generate.sh' in your repo, commit
+            Run '.github/scripts/levelization/generate.py' in your repo, commit
            and push the changes. See .github/scripts/levelization/README.md for
            more info.
        run: |
          DIFF=$(git status --porcelain)
          if [ -n "${DIFF}" ]; then
-            # Print the differences to give the contributor a hint about what to
-            # expect when running levelization on their own machine.
-            git diff
-            echo "${MESSAGE}"
-            exit 1
+              # Print the differences to give the contributor a hint about what to
+              # expect when running levelization on their own machine.
+              git diff
+              echo "${MESSAGE}"
+              exit 1
          fi
--- a/.github/workflows/reusable-check-rename.yml
+++ b/.github/workflows/reusable-check-rename.yml
@@ -33,6 +33,8 @@ jobs:
        run: .github/scripts/rename/config.sh .
      - name: Check include guards
        run: .github/scripts/rename/include.sh .
+      - name: Check documentation
+        run: .github/scripts/rename/docs.sh .
      - name: Check for differences
        env:
          MESSAGE: |
@@ -46,9 +48,9 @@ jobs:
        run: |
          DIFF=$(git status --porcelain)
          if [ -n "${DIFF}" ]; then
-            # Print the differences to give the contributor a hint about what to
-            # expect when running the renaming scripts on their own machine.
-            git diff
-            echo "${MESSAGE}"
-            exit 1
+              # Print the differences to give the contributor a hint about what to
+              # expect when running the renaming scripts on their own machine.
+              git diff
+              echo "${MESSAGE}"
+              exit 1
          fi
--- a/.github/workflows/reusable-clang-tidy-files.yml
+++ b/.github/workflows/reusable-clang-tidy-files.yml
@@ -1,162 +0,0 @@
-name: Run clang-tidy on files
-
-on:
-  workflow_call:
-    inputs:
-      files:
-        description: "List of files to check (empty means check all files)"
-        type: string
-        default: ""
-      create_issue_on_failure:
-        description: "Whether to create an issue if the check failed"
-        type: boolean
-        default: false
-
-defaults:
-  run:
-    shell: bash
-
-env:
-  # Conan installs the generators in the build/generators directory, see the
-  # layout() method in conanfile.py. We then run CMake from the build directory.
-  BUILD_DIR: build
-  BUILD_TYPE: Release
-
-jobs:
-  run-clang-tidy:
-    name: Run clang tidy
-    runs-on: ["self-hosted", "Linux", "X64", "heavy"]
-    container: "ghcr.io/xrplf/ci/debian-trixie:clang-21-sha-53033a2"
-    permissions:
-      issues: write
-      contents: read
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-
-      - name: Prepare runner
-        uses: XRPLF/actions/prepare-runner@2cbf481018d930656e9276fcc20dc0e3a0be5b6d
-        with:
-          enable_ccache: false
-
-      - name: Print build environment
-        uses: ./.github/actions/print-env
-
-      - name: Get number of processors
-        uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
-        id: nproc
-
-      - name: Setup Conan
-        uses: ./.github/actions/setup-conan
-
-      - name: Build dependencies
-        uses: ./.github/actions/build-deps
-        with:
-          build_nproc: ${{ steps.nproc.outputs.nproc }}
-          build_type: ${{ env.BUILD_TYPE }}
-          log_verbosity: verbose
-
-      - name: Configure CMake
-        working-directory: ${{ env.BUILD_DIR }}
-        run: |
-          cmake \
-            -G 'Ninja' \
-            -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
-            -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \
-            -Dtests=ON \
-            -Dwerr=ON \
-            -Dxrpld=ON \
-            ..
-
-      # clang-tidy needs headers generated from proto files
-      - name: Build libxrpl.libpb
-        working-directory: ${{ env.BUILD_DIR }}
-        run: |
-          ninja -j ${{ steps.nproc.outputs.nproc }} xrpl.libpb
-
-      - name: Run clang tidy
-        id: run_clang_tidy
-        continue-on-error: true
-        env:
-          TARGETS: ${{ inputs.files != '' && inputs.files || 'src tests' }}
-        run: |
-          run-clang-tidy -j ${{ steps.nproc.outputs.nproc }} -p "${BUILD_DIR}" ${TARGETS} 2>&1 | tee clang-tidy-output.txt
-
-      - name: Upload clang-tidy output
-        if: steps.run_clang_tidy.outcome != 'success'
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: clang-tidy-results
-          path: clang-tidy-output.txt
-          retention-days: 30
-
-      - name: Create an issue
-        if: steps.run_clang_tidy.outcome != 'success' && inputs.create_issue_on_failure
-        id: create_issue
-        shell: bash
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          # Prepare issue body with clang-tidy output
-          cat > issue.md <<EOF
-          ## Clang-tidy Check Failed
-
-          **Workflow:** ${{ github.workflow }}
-          **Run ID:** ${{ github.run_id }}
-          **Commit:** ${{ github.sha }}
-          **Branch/Ref:** ${{ github.ref }}
-          **Triggered by:** ${{ github.actor }}
-
-          ### Clang-tidy Output:
-          \`\`\`
-          EOF
-
-          # Append clang-tidy output (filter for errors and warnings)
-          if [ -f clang-tidy-output.txt ]; then
-            # Extract lines containing 'error:', 'warning:', or 'note:'
-            grep -E '(error:|warning:|note:)' clang-tidy-output.txt > filtered-output.txt || true
-
-            # If filtered output is empty, use original (might be a different error format)
-            if [ ! -s filtered-output.txt ]; then
-              cp clang-tidy-output.txt filtered-output.txt
-            fi
-
-            # Truncate if too large
-            head -c 60000 filtered-output.txt >> issue.md
-            if [ "$(wc -c < filtered-output.txt)" -gt 60000 ]; then
-              echo "" >> issue.md
-              echo "... (output truncated, see artifacts for full output)" >> issue.md
-            fi
-
-            rm filtered-output.txt
-          else
-            echo "No output file found" >> issue.md
-          fi
-
-          cat >> issue.md <<EOF
-          \`\`\`
-
-          **Workflow run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-
-          ---
-          *This issue was automatically created by the clang-tidy workflow.*
-          EOF
-
-          # Create the issue
-          gh issue create \
-            --label "Bug,Clang-tidy" \
-            --title "Clang-tidy check failed" \
-            --body-file ./issue.md \
-            > create_issue.log
-
-          created_issue="$(sed 's|.*/||' create_issue.log)"
-          echo "created_issue=$created_issue" >> $GITHUB_OUTPUT
-          echo "Created issue #$created_issue"
-
-          rm -f create_issue.log issue.md clang-tidy-output.txt
-
-      - name: Fail the workflow if clang-tidy failed
-        if: steps.run_clang_tidy.outcome != 'success'
-        run: |
-          echo "Clang-tidy check failed!"
-          exit 1
--- a/.github/workflows/reusable-clang-tidy.yml
+++ b/.github/workflows/reusable-clang-tidy.yml
@@ -1,4 +1,4 @@
-name: Clang-tidy check
+name: Run clang-tidy on files

 on:
  workflow_call:
@@ -16,40 +16,175 @@ defaults:
  run:
    shell: bash

+env:
+  BUILD_DIR: build
+  BUILD_TYPE: Debug # Debug so that ASSERTS and such participate in clang-tidy check
+
+  OUTPUT_FILE: clang-tidy-output.txt
+  DIFF_FILE: clang-tidy-git-diff.txt
+  ISSUE_FILE: clang-tidy-issue.md
+
 jobs:
  determine-files:
-    name: Determine files to check
    if: ${{ inputs.check_only_changed }}
-    runs-on: ubuntu-latest
-    outputs:
-      clang_tidy_config_changed: ${{ steps.changed_clang_tidy.outputs.any_changed }}
-      any_cpp_changed: ${{ steps.changed_files.outputs.any_changed }}
-      all_changed_files: ${{ steps.changed_files.outputs.all_changed_files }}
+    permissions:
+      contents: read
+    uses: XRPLF/actions/.github/workflows/determine-tidy-files.yml@224f3c48d3014d082a1129237b8291ff0b0a331f
+
+  run-clang-tidy:
+    name: Run clang tidy
+    needs: [determine-files]
+    if: ${{ always() && !cancelled() && (!inputs.check_only_changed || needs.determine-files.outputs.cpp_changed_files != '' || needs.determine-files.outputs.clang_tidy_config_changed == 'true') }}
+    runs-on: ["self-hosted", "Linux", "X64", "heavy"]
+    container: "ghcr.io/xrplf/ci/debian-trixie:clang-21-sha-53033a2"
+    permissions:
+      contents: read
+      issues: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - name: Get changed C++ files
-        id: changed_files
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+      - name: Prepare runner
+        uses: XRPLF/actions/prepare-runner@90f11ee655d1687824fb8793db770477d52afbab
        with:
-          files: |
-            **/*.cpp
-            **/*.h
-            **/*.ipp
-          separator: " "
+          enable_ccache: false

-      - name: Get changed clang-tidy configuration
-        id: changed_clang_tidy
-        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+      - name: Print build environment
+        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574
+
+      - name: Get number of processors
+        uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
+        id: nproc
+
+      - name: Setup Conan
+        uses: ./.github/actions/setup-conan
+
+      - name: Build dependencies
+        uses: ./.github/actions/build-deps
        with:
-          files: |
-            .clang-tidy
+          build_nproc: ${{ steps.nproc.outputs.nproc }}
+          build_type: ${{ env.BUILD_TYPE }}
+          log_verbosity: verbose

-  run-clang-tidy:
-    needs: [determine-files]
-    if: ${{ always() && !cancelled() && (!inputs.check_only_changed || needs.determine-files.outputs.any_cpp_changed == 'true' || needs.determine-files.outputs.clang_tidy_config_changed == 'true') }}
-    uses: ./.github/workflows/reusable-clang-tidy-files.yml
-    with:
-      files: ${{ (needs.determine-files.outputs.clang_tidy_config_changed == 'true' && '') || (inputs.check_only_changed && needs.determine-files.outputs.all_changed_files || '') }}
-      create_issue_on_failure: ${{ inputs.create_issue_on_failure }}
+      - name: Configure CMake
+        working-directory: ${{ env.BUILD_DIR }}
+        run: |
+          cmake \
+              -G 'Ninja' \
+              -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
+              -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \
+              -Dtests=ON \
+              -Dwerr=ON \
+              -Dxrpld=ON \
+              ..
+
+      # clang-tidy needs headers generated from proto files
+      - name: Build libxrpl.libpb
+        working-directory: ${{ env.BUILD_DIR }}
+        run: |
+          ninja -j ${{ steps.nproc.outputs.nproc }} xrpl.libpb
+
+      - name: Run clang tidy
+        id: run_clang_tidy
+        continue-on-error: true
+        env:
+          TARGETS: ${{ (needs.determine-files.outputs.clang_tidy_config_changed != 'true' && inputs.check_only_changed) && needs.determine-files.outputs.cpp_changed_files || 'src tests' }}
+        run: |
+          set -o pipefail
+          run-clang-tidy -j ${{ steps.nproc.outputs.nproc }} -p "${BUILD_DIR}" -quiet -fix -allow-no-checks ${TARGETS} 2>&1 | tee "${OUTPUT_FILE}"
+
+      - name: Print errors
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          sed '/error\||/!d' "${OUTPUT_FILE}"
+
+      - name: Upload clang-tidy output
+        if: ${{ github.event.repository.visibility == 'public' && steps.run_clang_tidy.outcome != 'success' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          path: ${{ env.OUTPUT_FILE }}
+          archive: false
+          retention-days: 30
+
+      - name: Check for changes
+        id: files_changed
+        continue-on-error: true
+        run: |
+          git diff --exit-code
+
+      - name: Fix style
+        if: ${{ steps.files_changed.outcome != 'success' }}
+        run: |
+          pre-commit run --all-files || true
+
+      - name: Generate git diff
+        if: ${{ steps.files_changed.outcome != 'success' }}
+        run: |
+          git diff | tee "${DIFF_FILE}"
+
+      - name: Upload clang-tidy diff output
+        if: ${{ github.event.repository.visibility == 'public' && steps.files_changed.outcome != 'success' }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          path: ${{ env.DIFF_FILE }}
+          archive: false
+          retention-days: 30
+
+      - name: Write issue header
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          cat >"${ISSUE_FILE}" <<EOF
+          ## Clang-tidy Check Failed
+
+          ### Clang-tidy Output:
+          \`\`\`
+          EOF
+
+      - name: Append clang-tidy output to issue body (filter for errors and warnings)
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          if [ -f "${OUTPUT_FILE}" ]; then
+              # Extract lines containing 'error:', 'warning:', or 'note:'
+              grep -E '(error:|warning:|note:)' "${OUTPUT_FILE}" >filtered-output.txt || true
+
+              # If filtered output is empty, use original (might be a different error format)
+              if [ ! -s filtered-output.txt ]; then
+                  cp "${OUTPUT_FILE}" filtered-output.txt
+              fi
+
+              # Truncate if too large
+              head -c 60000 filtered-output.txt >>"${ISSUE_FILE}"
+              if [ "$(wc -c <filtered-output.txt)" -gt 60000 ]; then
+                  echo "" >>"${ISSUE_FILE}"
+                  echo "... (output truncated, see artifacts for full output)" >>"${ISSUE_FILE}"
+              fi
+
+              rm filtered-output.txt
+          else
+              echo "No output file found" >>"${ISSUE_FILE}"
+          fi
+
+      - name: Append issue footer
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          cat >>"${ISSUE_FILE}" <<EOF
+          \`\`\`
+
+          ---
+          *This issue was automatically created by the clang-tidy workflow.*
+          EOF
+
+      - name: Create issue
+        if: ${{ steps.run_clang_tidy.outcome != 'success' && inputs.create_issue_on_failure }}
+        uses: XRPLF/actions/create-issue@2b8bc36af85b88bca0dd7bfac2e2dc05f94ad712
+        with:
+          title: "Clang-tidy check failed"
+          body_file: ${{ env.ISSUE_FILE }}
+          labels: "Bug,Clang-tidy"
+          assignees: "godexsoft,mathbunnyru"
+
+      - name: Fail if clang-tidy found issues
+        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
+        run: |
+          echo "Clang-tidy check failed!"
+          exit 1
--- a/.github/workflows/reusable-package.yml
+++ b/.github/workflows/reusable-package.yml
@@ -0,0 +1,99 @@
+# Build Linux packages (DEB and RPM) from pre-built binary artifacts.
+# Discovers which configurations to package from linux.json (os entries
+# with "package": true) and fans out one job per entry. Today only
+# linux/amd64 is emitted; the architecture is hardcoded both here
+# (runner) and in generate.py.
+name: Package
+
+on:
+  workflow_call:
+    inputs:
+      pkg_release:
+        description: "Package release number. Increment when repackaging the same executable."
+        required: false
+        type: string
+        default: "1"
+
+defaults:
+  run:
+    shell: bash
+
+env:
+  BUILD_DIR: build
+
+jobs:
+  generate-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.generate.outputs.matrix }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: 3.13
+
+      - name: Generate packaging matrix
+        id: generate
+        working-directory: .github/scripts/strategy-matrix
+        run: |
+          ./generate.py --packaging --config=linux.json >>"${GITHUB_OUTPUT}"
+
+  generate-version:
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          sparse-checkout: |
+            .github/actions/generate-version
+            src/libxrpl/protocol/BuildInfo.cpp
+      - name: Generate version
+        id: version
+        uses: ./.github/actions/generate-version
+
+  package:
+    needs: [generate-matrix, generate-version]
+    if: ${{ github.event.repository.visibility == 'public' }}
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.generate-matrix.outputs.matrix) }}
+    name: "${{ matrix.artifact_name }}"
+    permissions:
+      contents: read
+    runs-on: ["self-hosted", "Linux", "X64", "heavy"]
+    container: ${{ format('ghcr.io/xrplf/ci/{0}-{1}:{2}-{3}-sha-{4}', matrix.os.distro_name, matrix.os.distro_version, matrix.os.compiler_name, matrix.os.compiler_version, matrix.os.image_sha) }}
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Download pre-built binary
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: ${{ matrix.artifact_name }}
+          path: ${{ env.BUILD_DIR }}
+
+      - name: Make binary executable
+        run: chmod +x "${BUILD_DIR}/xrpld"
+
+      - name: Build package
+        env:
+          PKG_VERSION: ${{ needs.generate-version.outputs.version }}
+          PKG_RELEASE: ${{ inputs.pkg_release }}
+        run: ./package/build_pkg.sh
+
+      - name: Upload package artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: ${{ matrix.artifact_name }}-pkg-${{ needs.generate-version.outputs.version }}
+          path: |
+            ${{ env.BUILD_DIR }}/debbuild/*.deb
+            ${{ env.BUILD_DIR }}/debbuild/*.ddeb
+            ${{ env.BUILD_DIR }}/rpmbuild/RPMS/**/*.rpm
+          if-no-files-found: error
--- a/.github/workflows/reusable-strategy-matrix.yml
+++ b/.github/workflows/reusable-strategy-matrix.yml
@@ -42,4 +42,4 @@ jobs:
        env:
          GENERATE_CONFIG: ${{ inputs.os != '' && format('--config={0}.json', inputs.os) || '' }}
          GENERATE_OPTION: ${{ inputs.strategy_matrix == 'all' && '--all' || '' }}
-        run: ./generate.py ${GENERATE_OPTION} ${GENERATE_CONFIG} >> "${GITHUB_OUTPUT}"
+        run: ./generate.py ${GENERATE_OPTION} ${GENERATE_CONFIG} >>"${GITHUB_OUTPUT}"
--- a/.github/workflows/reusable-upload-recipe.yml
+++ b/.github/workflows/reusable-upload-recipe.yml
@@ -69,24 +69,30 @@ jobs:
          conan export . --version=${{ steps.version.outputs.version }}
          conan upload --confirm --check --remote="${REMOTE_NAME}" xrpl/${{ steps.version.outputs.version }}

+      # When this workflow is triggered by a push event, it will always be when merging into the
+      # 'develop' branch, see on-trigger.yml.
      - name: Upload Conan recipe (develop)
-        if: ${{ github.ref == 'refs/heads/develop' }}
+        if: ${{ github.event_name == 'push' }}
        env:
          REMOTE_NAME: ${{ inputs.remote_name }}
        run: |
          conan export . --version=develop
          conan upload --confirm --check --remote="${REMOTE_NAME}" xrpl/develop

+      # When this workflow is triggered by a pull request event, it will always be when merging into
+      # one of the 'release' branches, see on-pr.yml.
      - name: Upload Conan recipe (rc)
-        if: ${{ startsWith(github.ref, 'refs/heads/release') }}
+        if: ${{ github.event_name == 'pull_request' }}
        env:
          REMOTE_NAME: ${{ inputs.remote_name }}
        run: |
          conan export . --version=rc
          conan upload --confirm --check --remote="${REMOTE_NAME}" xrpl/rc

+      # When this workflow is triggered by a push event, it will always be when tagging a final
+      # release, see on-tag.yml.
      - name: Upload Conan recipe (release)
-        if: ${{ github.event_name == 'tag' }}
+        if: ${{ startsWith(github.ref, 'refs/tags/') }}
        env:
          REMOTE_NAME: ${{ inputs.remote_name }}
        run: |
--- a/.github/workflows/upload-conan-deps.yml
+++ b/.github/workflows/upload-conan-deps.yml
@@ -70,12 +70,12 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Prepare runner
-        uses: XRPLF/actions/prepare-runner@2cbf481018d930656e9276fcc20dc0e3a0be5b6d
+        uses: XRPLF/actions/prepare-runner@90f11ee655d1687824fb8793db770477d52afbab
        with:
          enable_ccache: false

      - name: Print build environment
-        uses: ./.github/actions/print-env
+        uses: XRPLF/actions/print-build-env@59dec886e4afb05a1724443af08baccbc045b574

      - name: Get number of processors
        uses: XRPLF/actions/get-nproc@cf0433aa74563aead044a1e395610c96d65a37cf
@@ -103,11 +103,11 @@ jobs:
          sanitizers: ${{ matrix.sanitizers }}

      - name: Log into Conan remote
-        if: ${{ github.repository_owner == 'XRPLF' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
+        if: ${{ github.repository == 'XRPLF/rippled' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
        run: conan remote login "${CONAN_REMOTE_NAME}" "${{ secrets.CONAN_REMOTE_USERNAME }}" --password "${{ secrets.CONAN_REMOTE_PASSWORD }}"

      - name: Upload Conan packages
-        if: ${{ github.repository_owner == 'XRPLF' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
+        if: ${{ github.repository == 'XRPLF/rippled' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
        env:
          FORCE_OPTION: ${{ github.event.inputs.force_upload == 'true' && '--force' || '' }}
        run: conan upload "*" --remote="${CONAN_REMOTE_NAME}" --confirm ${FORCE_OPTION}
--- a/.gitignore
+++ b/.gitignore
@@ -13,6 +13,7 @@
 Debug/
 Release/
 /.build/
+/.venv/
 /build/
 /db/
 /out.txt
@@ -71,10 +72,15 @@ DerivedData
 /.zed/

 # AI tools.
+/.agent
+/.agents
 /.augment
 /.claude
 /CLAUDE.md

+# Python
+__pycache__
+
 # Direnv's directory
 /.direnv

--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -13,39 +13,81 @@ repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # frozen: v6.0.0
    hooks:
+      - id: check-added-large-files
+        args: [--maxkb=400, --enforce-all]
      - id: trailing-whitespace
      - id: end-of-file-fixer
-      - id: mixed-line-ending
      - id: check-merge-conflict
        args: [--assume-in-merge]

+  - repo: local
+    hooks:
+      - id: clang-tidy
+        name: "clang-tidy (enable with: TIDY=1)"
+        entry: ./bin/pre-commit/clang_tidy_check.py
+        language: python
+        types_or: [c++, c]
+        exclude: ^include/xrpl/protocol_autogen
+        pass_filenames: false # script determines the staged files itself
+      - id: fix-include-style
+        name: fix include style
+        entry: ./bin/pre-commit/fix_include_style.py
+        language: python
+        types_or: [c++, c]
+        exclude: ^include/xrpl/protocol_autogen/(transactions|ledger_entries)/
+
  - repo: https://github.com/pre-commit/mirrors-clang-format
-    rev: cd481d7b0bfb5c7b3090c21846317f9a8262e891 # frozen: v22.1.0
+    rev: dd18dad857d6133e90bbe478f4f2f22ec0030269 # frozen: v22.1.5
    hooks:
      - id: clang-format
        args: [--style=file]
        "types_or": [c++, c, proto]
+        exclude: ^include/xrpl/protocol_autogen/(transactions|ledger_entries)/

-  - repo: https://github.com/BlankSpruce/gersemi
-    rev: 0.26.0
+  - repo: https://github.com/BlankSpruce/gersemi-pre-commit
+    rev: faadd6a9d852369ca94f4d15b2404c967ba8cb01 # frozen: 0.27.6
    hooks:
      - id: gersemi

  - repo: https://github.com/rbubley/mirrors-prettier
-    rev: c2bc67fe8f8f549cc489e00ba8b45aa18ee713b1 # frozen: v3.8.1
+    rev: 515f543f5718ebfd6ce22e16708bb32c68ff96e1 # frozen: v3.8.3
    hooks:
      - id: prettier
+        args: [--end-of-line=auto]

  - repo: https://github.com/psf/black-pre-commit-mirror
-    rev: ea488cebbfd88a5f50b8bd95d5c829d0bb76feb8 # frozen: 26.1.0
+    rev: 4160603246a6b365d4a2af661c6d71b0a0f50478 # frozen: 26.5.1
    hooks:
      - id: black

+  - repo: https://github.com/scop/pre-commit-shfmt
+    rev: 05c1426671b9237fb5e1444dd63aa5731bec0dfb # frozen: v3.13.1-1
+    hooks:
+      - id: shfmt
+        args: [--write, --indent=4, --case-indent=true]
+
+  - repo: local
+    hooks:
+      - id: format-inline-bash-workflows
+        name: "format `run:` blocks in workflows/actions"
+        entry: ./.github/scripts/format-inline-bash.py
+        language: python
+        files: ^\.github/(workflows|actions)/.*\.ya?ml$
+      - id: format-inline-bash-markdown
+        name: "format ```bash blocks in markdown"
+        entry: ./.github/scripts/format-inline-bash.py
+        language: python
+        files: \.md$
+
  - repo: https://github.com/streetsidesoftware/cspell-cli
-    rev: a42085ade523f591dca134379a595e7859986445 # frozen: v9.7.0
+    rev: 4643f154907327ee0a2c7038f0296e0dd77d9776 # frozen: v10.0.0
    hooks:
      - id: cspell # Spell check changed files
-        exclude: .config/cspell.config.yaml
+        exclude: |
+          (?x)^(
+              .config/cspell.config.yaml|
+              include/xrpl/protocol_autogen/(transactions|ledger_entries)/.*
+          )$
      - id: cspell # Spell check the commit message
        name: check commit message spelling
        args:
@@ -77,5 +119,6 @@ repos:
 exclude: |
  (?x)^(
      external/.*|
-      .github/scripts/levelization/results/.*\.txt
+      .github/scripts/levelization/results/.*\.txt|
+      src/tests/libxrpl/protocol_autogen/(transactions|ledger_entries)/.*
  )$
--- a/API-CHANGELOG.md
+++ b/API-CHANGELOG.md
@@ -4,23 +4,23 @@ This changelog is intended to list all updates to the [public API methods](https

 For info about how [API versioning](https://xrpl.org/request-formatting.html#api-versioning) works, including examples, please view the [XLS-22d spec](https://github.com/XRPLF/XRPL-Standards/discussions/54). For details about the implementation of API versioning, view the [implementation PR](https://github.com/XRPLF/rippled/pull/3155). API versioning ensures existing integrations and users continue to receive existing behavior, while those that request a higher API version will experience new behavior.

-The API version controls the API behavior you see. This includes what properties you see in responses, what parameters you're permitted to send in requests, and so on. You specify the API version in each of your requests. When a breaking change is introduced to the `rippled` API, a new version is released. To avoid breaking your code, you should set (or increase) your version when you're ready to upgrade.
+The API version controls the API behavior you see. This includes what properties you see in responses, what parameters you're permitted to send in requests, and so on. You specify the API version in each of your requests. When a breaking change is introduced to the `xrpld` API, a new version is released. To avoid breaking your code, you should set (or increase) your version when you're ready to upgrade.

 The [commandline](https://xrpl.org/docs/references/http-websocket-apis/api-conventions/request-formatting/#commandline-format) always uses the latest API version. The command line is intended for ad-hoc usage by humans, not programs or automated scripts. The command line is not meant for use in production code.

-For a log of breaking changes, see the **API Version [number]** headings. In general, breaking changes are associated with a particular API Version number. For non-breaking changes, scroll to the **XRP Ledger version [x.y.z]** headings. Non-breaking changes are associated with a particular XRP Ledger (`rippled`) release.
+For a log of breaking changes, see the **API Version [number]** headings. In general, breaking changes are associated with a particular API Version number. For non-breaking changes, scroll to the **XRP Ledger version [x.y.z]** headings. Non-breaking changes are associated with a particular XRP Ledger (`xrpld`) release.

 ## API Version 3 (Beta)

-API version 3 is currently a beta API. It requires enabling `[beta_rpc_api]` in the rippled configuration to use. See [API-VERSION-3.md](API-VERSION-3.md) for the full list of changes in API version 3.
+API version 3 is currently a beta API. It requires enabling `[beta_rpc_api]` in the xrpld configuration to use. See [API-VERSION-3.md](API-VERSION-3.md) for the full list of changes in API version 3.

 ## API Version 2

-API version 2 is available in `rippled` version 2.0.0 and later. See [API-VERSION-2.md](API-VERSION-2.md) for the full list of changes in API version 2.
+API version 2 is available in `xrpld` version 2.0.0 and later. See [API-VERSION-2.md](API-VERSION-2.md) for the full list of changes in API version 2.

 ## API Version 1

-This version is supported by all `rippled` versions. For WebSocket and HTTP JSON-RPC requests, it is currently the default API version used when no `api_version` is specified.
+This version is supported by all `xrpld` versions. For WebSocket and HTTP JSON-RPC requests, it is currently the default API version used when no `api_version` is specified.

 ## Unreleased

@@ -28,6 +28,8 @@ This section contains changes targeting a future version.

 ### Additions

+- `ledger_entry`, `account_objects`: The `Delegate` ledger entry now includes an optional `DestinationNode` field, which stores the index into the authorized account's owner directory. This field is present on entries created after bidirectional directory tracking was introduced and may appear in RPC responses for those entries. ([#6681](https://github.com/XRPLF/rippled/pull/6681))
+
 - `server_definitions`: Added the following new sections to the response ([#6321](https://github.com/XRPLF/rippled/pull/6321)):
  - `TRANSACTION_FORMATS`: Describes the fields and their optionality for each transaction type, including common fields shared across all transactions.
  - `LEDGER_ENTRY_FORMATS`: Describes the fields and their optionality for each ledger entry type, including common fields shared across all ledger entries.
@@ -35,6 +37,20 @@ This section contains changes targeting a future version.
  - `LEDGER_ENTRY_FLAGS`: Maps ledger entry type names to their flags and flag values.
  - `ACCOUNT_SET_FLAGS`: Maps AccountSet flag names (asf flags) to their numeric values.

+### Bugfixes
+
+- Peer Crawler: The `port` field in `overlay.active[]` now consistently returns an integer instead of a string for outbound peers. [#6318](https://github.com/XRPLF/rippled/pull/6318)
+- `ping`: The `ip` field is no longer returned as an empty string for proxied connections without a forwarded-for header. It is now omitted, consistent with the behavior for identified connections. [#6730](https://github.com/XRPLF/rippled/pull/6730)
+- gRPC `GetLedgerDiff`: Fixed error message that incorrectly said "base ledger not validated" when the desired ledger was not validated. [#6730](https://github.com/XRPLF/rippled/pull/6730)
+- `account_channels`: The `destination_account` field now returns an error if the value is not a string. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `subscribe`: The `taker` field in the `books` array now returns an error if the value is not a string. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `account_info`: The `urlgravatar` field now uses HTTPS instead of HTTP. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `ledger`: The `full`, `accounts`, `transactions`, `expand`, `binary`, `owner_funds`, and `queue` fields now return an error if the value is not a boolean. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `ledger_data`: The `binary` field now returns an error if the value is not a boolean. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `submit`: The `fail_hard` field now returns an error if the value is not a boolean. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- `subscribe`: The `taker` field in the `books` array now returns `actMalformed` instead of `badIssuer` if the value is not a valid account. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+- Fixed a bug in `Forwarded` HTTP header parsing where the extracted IP address could be incorrect when no comma or semicolon delimiter follows the address. This could cause the server to misidentify a client's IP address when operating behind a reverse proxy. [#6529](https://github.com/XRPLF/rippled/pull/6529)
+
 ## XRP Ledger server version 3.1.0

 [Version 3.1.0](https://github.com/XRPLF/rippled/releases/tag/3.1.0) was released on Jan 27, 2026.
--- a/API-VERSION-2.md
+++ b/API-VERSION-2.md
@@ -1,6 +1,6 @@
 # API Version 2

-API version 2 is available in `rippled` version 2.0.0 and later. To use this API, clients specify `"api_version" : 2` in each request.
+API version 2 is available in `xrpld` version 2.0.0 and later. To use this API, clients specify `"api_version" : 2` in each request.

 For info about how [API versioning](https://xrpl.org/request-formatting.html#api-versioning) works, including examples, please view the [XLS-22d spec](https://github.com/XRPLF/XRPL-Standards/discussions/54). For details about the implementation of API versioning, view the [implementation PR](https://github.com/XRPLF/rippled/pull/3155). API versioning ensures existing integrations and users continue to receive existing behavior, while those that request a higher API version will experience new behavior.

--- a/API-VERSION-3.md
+++ b/API-VERSION-3.md
@@ -1,6 +1,6 @@
 # API Version 3

-API version 3 is currently a **beta API**. It requires enabling `[beta_rpc_api]` in the rippled configuration to use. To use this API, clients specify `"api_version" : 3` in each request.
+API version 3 is currently a **beta API**. It requires enabling `[beta_rpc_api]` in the xrpld configuration to use. To use this API, clients specify `"api_version" : 3` in each request.

 For info about how [API versioning](https://xrpl.org/request-formatting.html#api-versioning) works, including examples, please view the [XLS-22d spec](https://github.com/XRPLF/XRPL-Standards/discussions/54). For details about the implementation of API versioning, view the [implementation PR](https://github.com/XRPLF/rippled/pull/3155). API versioning ensures existing integrations and users continue to receive existing behavior, while those that request a higher API version will experience new behavior.

--- a/BUILD.md
+++ b/BUILD.md
@@ -125,9 +125,9 @@ default profile.

 ### Patched recipes

-The recipes in Conan Center occasionally need to be patched for compatibility
-with the latest version of `xrpld`. We maintain a fork of the Conan Center
-[here](https://github.com/XRPLF/conan-center-index/) containing the patches.
+Occasionally, we need patched recipes or recipes not present in Conan Center.
+We maintain a fork of the Conan Center Index
+[here](https://github.com/XRPLF/conan-center-index/) containing the modified and newly added recipes.

 To ensure our patched recipes are used, you must add our Conan remote at a
 higher index than the default Conan Center remote, so it is consulted first. You
@@ -137,19 +137,11 @@ can do this by running:
 conan remote add --index 0 xrplf https://conan.ripplex.io
 ```

-Alternatively, you can pull the patched recipes into the repository and use them
-locally:
+Alternatively, you can pull our recipes from the repository and export them locally:

 ```bash
-# Extract the version number from the lockfile.
-function extract_version {
-  version=$(cat conan.lock | sed -nE "s@.+${1}/(.+)#.+@\1@p" | head -n1)
-  echo ${version}
-}
-
 # Define which recipes to export.
-recipes=('ed25519' 'grpc' 'nudb' 'openssl' 'secp256k1' 'snappy' 'soci')
-folders=('all'     'all'  'all'  '3.x.x'   'all'       'all'    'all')
+recipes=('abseil' 'ed25519' 'mpt-crypto' 'openssl' 'secp256k1' 'snappy' 'soci' 'wasm-xrplf' 'wasmi')

 # Selectively check out the recipes from our CCI fork.
 cd external
@@ -158,29 +150,19 @@ cd conan-center-index
 git init
 git remote add origin git@github.com:XRPLF/conan-center-index.git
 git sparse-checkout init
-for ((index = 1; index <= ${#recipes[@]}; index++)); do
-  recipe=${recipes[index]}
-  folder=${folders[index]}
-  echo "Checking out recipe '${recipe}' from folder '${folder}'..."
-  git sparse-checkout add recipes/${recipe}/${folder}
+for recipe in "${recipes[@]}"; do
+    echo "Checking out recipe '${recipe}'..."
+    git sparse-checkout add recipes/${recipe}
 done
 git fetch origin master
 git checkout master
-cd ../..

-# Export the recipes into the local cache.
-for ((index = 1; index <= ${#recipes[@]}; index++)); do
-  recipe=${recipes[index]}
-  folder=${folders[index]}
-  version=$(extract_version ${recipe})
-  echo "Exporting '${recipe}/${version}' from '${recipe}/${folder}'..."
-  conan export --version $(extract_version ${recipe}) \
-    external/conan-center-index/recipes/${recipe}/${folder}
-done
+./export_all.sh
+cd ../../
 ```

 In the case we switch to a newer version of a dependency that still requires a
-patch, it will be necessary for you to pull in the changes and re-export the
+patch or add a new dependency, it will be necessary for you to pull in the changes and re-export the
 updated dependencies with the newer version. However, if we switch to a newer
 version that no longer requires a patch, no action is required on your part, as
 the new recipe will be automatically pulled from the official Conan Center.
@@ -189,6 +171,8 @@ the new recipe will be automatically pulled from the official Conan Center.
 > You might need to add `--lockfile=""` to your `conan install` command
 > to avoid automatic use of the existing `conan.lock` file when you run
 > `conan export` manually on your machine
+>
+> This is not recommended though, as you might end up using different revisions of recipes.

 ### Conan profile tweaks

@@ -196,7 +180,7 @@ the new recipe will be automatically pulled from the official Conan Center.

 If you see an error similar to the following after running `conan profile show`:

-```bash
+```text
 ERROR: Invalid setting '17' is not a valid 'settings.compiler.version' value.
 Possible values are ['5.0', '5.1', '6.0', '6.1', '7.0', '7.3', '8.0', '8.1',
 '9.0', '9.1', '10.0', '11.0', '12.0', '13', '13.0', '13.1', '14', '14.0', '15',
@@ -204,39 +188,14 @@ Possible values are ['5.0', '5.1', '6.0', '6.1', '7.0', '7.3', '8.0', '8.1',
 Read "http://docs.conan.io/2/knowledge/faq.html#error-invalid-setting"
 ```

-you need to amend the list of compiler versions in
-`$(conan config home)/settings.yml`, by appending the required version number(s)
+you need to add your compiler to the list of compiler versions in
+`$(conan config home)/settings_user.yml`, by adding the required version number(s)
 to the `version` array specific for your compiler. For example:

 ```yaml
-apple-clang:
-  version:
-    [
-      "5.0",
-      "5.1",
-      "6.0",
-      "6.1",
-      "7.0",
-      "7.3",
-      "8.0",
-      "8.1",
-      "9.0",
-      "9.1",
-      "10.0",
-      "11.0",
-      "12.0",
-      "13",
-      "13.0",
-      "13.1",
-      "14",
-      "14.0",
-      "15",
-      "15.0",
-      "16",
-      "16.0",
-      "17",
-      "17.0",
-    ]
+compiler:
+  apple-clang:
+    version: ["17.0"]
 ```

 #### Multiple compilers
@@ -468,16 +427,19 @@ install ccache --version 4.11.3 --allow-downgrade`.
   Single-config generators:

   ```
-   cmake --build .
+   cmake --build . --parallel N
   ```

   Multi-config generators:

   ```
-   cmake --build . --config Release
-   cmake --build . --config Debug
+   cmake --build . --config Release --parallel N
+   cmake --build . --config Debug --parallel N
   ```

+   Replace the `--parallel` parameter N with the desired number of parallel jobs. A common starting point is half of the number of available CPU
+   cores.
+
 5. Test xrpld.

   Single-config generators:
@@ -500,6 +462,21 @@ install ccache --version 4.11.3 --allow-downgrade`.
   The location of `xrpld` binary in your build directory depends on your
   CMake generator. Pass `--help` to see the rest of the command line options.

+## Code generation
+
+The protocol wrapper classes in `include/xrpl/protocol_autogen/` are generated
+from macro definition files in `include/xrpl/protocol/detail/`. If you modify
+the macro files (e.g. `transactions.macro`, `ledger_entries.macro`) or the
+generation scripts/templates in `cmake/scripts/codegen/`, you need to regenerate the
+files:
+
+```
+cmake --build . --target setup_code_gen  # create venv and install dependencies (once)
+cmake --build . --target code_gen        # regenerate code
+```
+
+The regenerated files should be committed alongside your changes.
+
 ## Coverage report

 The coverage report is intended for developers using compilers GCC
@@ -556,16 +533,16 @@ stored inside the build directory, as either of:
 ## Sanitizers

 To build dependencies and xrpld with sanitizer instrumentation, set the
-`SANITIZERS` environment variable (only once before running conan and cmake) and use the `sanitizers` profile in conan:
+`SANITIZERS` environment variable when running `conan install` and use the `sanitizers` profile:

 ```bash
 export SANITIZERS=address,undefinedbehavior

 conan install .. --output-folder . --profile:all sanitizers --build missing --settings build_type=Debug
-
-cmake -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake -DCMAKE_BUILD_TYPE=Debug -Dxrpld=ON -Dtests=ON ..
 ```

+You can then build and test as usual, with the generated `xrpld` binary containing the sanitizer instrumentation. When you run it, it will report any sanitizer errors it detects in the console output.
+
 See [Sanitizers docs](./docs/build/sanitizers.md) for more details.

 ## Options
@@ -644,8 +621,8 @@ If you want to experiment with a new package, follow these steps:
     `default_options` property (with syntax `'$package:$option': $value`).
 3. Modify [`CMakeLists.txt`](./CMakeLists.txt):
   - Add a call to `find_package($package REQUIRED)`.
-   - Link a library from the package to the target `ripple_libs`
-     (search for the existing call to `target_link_libraries(ripple_libs INTERFACE ...)`).
+   - Link a library from the package to the target `xrpl_libs`
+     (search for the existing call to `target_link_libraries(xrpl_libs INTERFACE ...)`).
 4. Start coding! Don't forget to include whatever headers you need from the package.

 [1]: https://github.com/conan-io/conan-center-index/issues/13168
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -131,9 +131,10 @@ if(coverage)
    include(XrplCov)
 endif()

-set(PROJECT_EXPORT_SET XrplExports)
 include(XrplCore)
+include(XrplProtocolAutogen)
 include(XrplInstall)
+include(XrplPackaging)
 include(XrplValidatorKeys)

 if(tests)
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -127,26 +127,6 @@ tl;dr
 > 6. Wrap the body at 72 characters.
 > 7. Use the body to explain what and why vs. how.

-In addition to those guidelines, please add one of the following
-prefixes to the subject line if appropriate.
-
- `fix:` - The primary purpose is to fix an existing bug.
- `perf:` - The primary purpose is performance improvements.
- `refactor:` - The changes refactor code without affecting
-  functionality.
- `test:` - The changes _only_ affect unit tests.
- `docs:` - The changes _only_ affect documentation. This can
-  include code comments in addition to `.md` files like this one.
- `build:` - The changes _only_ affect the build process,
-  including CMake and/or Conan settings.
- `chore:` - Other tasks that don't affect the binary, but don't fit
-  any of the other cases. e.g. formatting, git settings, updating
-  Github Actions jobs.
-
-Whenever possible, when updating commits after the PR is open, please
-add the PR number to the end of the subject line. e.g. `test: Add
-unit tests for Feature X (#1234)`.
-
 ## Pull requests

 In general, pull requests use `develop` as the base branch.
@@ -180,6 +160,23 @@ credibility of the existing approvals is insufficient.
 Pull requests must be merged by [squash-and-merge][squash]
 to preserve a linear history for the `develop` branch.

+### Type of Change
+
+In addition to those guidelines, please start your PR title with one of the following:
+
+- `build:` - The changes _only_ affect the build process, including CMake and/or Conan settings.
+- `feat`: New feature (change which adds functionality).
+- `fix:` - The primary purpose is to fix an existing bug.
+- `docs:` - The changes _only_ affect documentation.
+- `test:` - The changes _only_ affect unit tests.
+- `ci`: Continuous Integration (changes to our CI configuration files and scripts).
+- `style`: Code style (formatting).
+- `refactor:` - The changes refactor code without affecting functionality.
+- `perf:` - The primary purpose is performance improvements.
+- `chore:` - Other tasks that don't affect the binary, but don't fit any of the other cases. e.g. `git` settings, `clang-tidy`, removing dead code, dropping support for older tooling.
+
+First letter after the type prefix should be capitalized, and the type prefix should be followed by a colon and a space. e.g. `feat: Add support for Borrowing Protocol`.
+
 ### "Ready to merge"

 A pull request should only have the "Ready to merge" label added when it
@@ -262,17 +259,46 @@ There is a Continuous Integration job that runs clang-tidy on pull requests. The

 This ensures that configuration changes don't introduce new warnings across the codebase.

+### Installing clang-tidy
+
+See the [environment setup guide](./docs/build/environment.md#clang-tidy) for platform-specific installation instructions.
+
 ### Running clang-tidy locally

 Before running clang-tidy, you must build the project to generate required files (particularly protobuf headers). Refer to [`BUILD.md`](./BUILD.md) for build instructions.

+#### Via pre-commit (recommended)
+
+If you have already installed the pre-commit hooks (see above), you can run clang-tidy on your staged files using:
+
+```
+TIDY=1 pre-commit run clang-tidy
+```
+
+This runs clang-tidy locally with the same configuration/flags as CI, scoped to your staged C++ files. The `TIDY=1` environment variable is required to opt in — without it the hook is skipped.
+
+You can also have clang-tidy run automatically on every `git commit` by setting `TIDY=1` in your shell environment:
+
+```
+export TIDY=1
+```
+
+With this set, the hook will run as part of `git commit` alongside the other pre-commit checks.
+
+#### Manually
+
 Then run clang-tidy on your local changes:

 ```
-run-clang-tidy -p build src tests
+run-clang-tidy -p build -allow-no-checks src tests
 ```

-This will check all source files in the `src` and `tests` directories using the compile commands from your `build` directory.
+This will check all source files in the `src`, `include` and `tests` directories using the compile commands from your `build` directory.
+If you wish to automatically fix whatever clang-tidy finds _and_ is capable of fixing, add `-fix` to the above command:
+
+```
+run-clang-tidy -p build -quiet -fix -allow-no-checks src tests
+```

 ## Contracts and instrumentation

@@ -322,8 +348,8 @@ For this reason:
 - Contract description for `UNREACHABLE` should describe the _unexpected_
  situation which caused the line to have been reached.
 - Example good name for an
-  `UNREACHABLE` macro `"Json::operator==(Value, Value) : invalid type"`; example
-  good name for an `XRPL_ASSERT` macro `"Json::Value::asCString : valid type"`.
+  `UNREACHABLE` macro `"json::operator==(Value, Value) : invalid type"`; example
+  good name for an `XRPL_ASSERT` macro `"json::Value::asCString : valid type"`.
 - Example **bad** name
  `"RFC1751::insert(char* s, int x, int start, int length) : length is greater than or equal zero"`
  (missing namespace, unnecessary full function signature, description too verbose).
@@ -527,7 +553,7 @@ All releases, including release candidates and betas, are handled
 differently from typical PRs. Most importantly, never use
 the Github UI to merge a release.

-Rippled uses a linear workflow model that can be summarized as:
+Xrpld uses a linear workflow model that can be summarized as:

 1. In between releases, developers work against the `develop` branch.
 2. Periodically, a maintainer will build and tag a beta version from
--- a/LICENSE.md
+++ b/LICENSE.md
@@ -1,7 +1,7 @@
 ISC License

 Copyright (c) 2011, Arthur Britto, David Schwartz, Jed McCaleb, Vinnie Falco, Bob Way, Eric Lombrozo, Nikolaos D. Bougalis, Howard Hinnant.
-Copyright (c) 2012-2025, the XRP Ledger developers.
+Copyright (c) 2012-present, the XRP Ledger developers.

 Permission to use, copy, modify, and distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
--- a/README.md
+++ b/README.md
@@ -8,11 +8,11 @@ The [XRP Ledger](https://xrpl.org/) is a decentralized cryptographic ledger powe

 [XRP](https://xrpl.org/xrp.html) is a public, counterparty-free crypto-asset native to the XRP Ledger, and is designed as a gas token for network services and to bridge different currencies. XRP is traded on the open-market and is available for anyone to access. The XRP Ledger was created in 2012 with a finite supply of 100 billion units of XRP.

-## rippled
+## xrpld

-The server software that powers the XRP Ledger is called `rippled` and is available in this repository under the permissive [ISC open-source license](LICENSE.md). The `rippled` server software is written primarily in C++ and runs on a variety of platforms. The `rippled` server software can run in several modes depending on its [configuration](https://xrpl.org/rippled-server-modes.html).
+The server software that powers the XRP Ledger is called `xrpld` and is available in this repository under the permissive [ISC open-source license](LICENSE.md). The `xrpld` server software is written primarily in C++ and runs on a variety of platforms. The `xrpld` server software can run in several modes depending on its [configuration](https://xrpl.org/rippled-server-modes.html).

-If you are interested in running an **API Server** (including a **Full History Server**), take a look at [Clio](https://github.com/XRPLF/clio). (rippled Reporting Mode has been replaced by Clio.)
+If you are interested in running an **API Server** (including a **Full History Server**), take a look at [Clio](https://github.com/XRPLF/clio). (xrpld Reporting Mode has been replaced by Clio.)

 ### Build from Source

@@ -41,19 +41,19 @@ If you are interested in running an **API Server** (including a **Full History S

 Here are some good places to start learning the source code:

- Read the markdown files in the source tree: `src/ripple/**/*.md`.
+- Read the markdown files in the source tree: `src/xrpld/**/*.md`.
 - Read [the levelization document](.github/scripts/levelization) to get an idea of the internal dependency graph.
 - In the big picture, the `main` function constructs an `ApplicationImp` object, which implements the `Application` virtual interface. Almost every component in the application takes an `Application&` parameter in its constructor, typically named `app` and stored as a member variable `app_`. This allows most components to depend on any other component.

 ### Repository Contents

-| Folder     | Contents                                         |
-| :--------- | :----------------------------------------------- |
-| `./bin`    | Scripts and data files for Ripple integrators.   |
-| `./Builds` | Platform-specific guides for building `rippled`. |
-| `./docs`   | Source documentation files and doxygen config.   |
-| `./cfg`    | Example configuration files.                     |
-| `./src`    | Source code.                                     |
+| Folder     | Contents                                       |
+| :--------- | :--------------------------------------------- |
+| `./bin`    | Scripts and data files for XRPL developers.    |
+| `./Builds` | Platform-specific guides for building `xrpld`. |
+| `./docs`   | Source documentation files and doxygen config. |
+| `./cfg`    | Example configuration files.                   |
+| `./src`    | Source code.                                   |

 Some of the directories under `src` are external repositories included using
 git-subtree. See those directories' README files for more details.
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,7 +6,7 @@ For more details on operating an XRP Ledger server securely, please visit https:

 ## Supported Versions

-Software constantly evolves. In order to focus resources, we only generally only accept vulnerability reports that affect recent and current versions of the software. We always accept reports for issues present in the **master**, **release** or **develop** branches, and with proposed, [open pull requests](https://github.com/ripple/rippled/pulls).
+Software constantly evolves. In order to focus resources, we generally only accept vulnerability reports that affect recent and current versions of the software. We always accept reports for issues present in the **master**, **release** or **develop** branches, and with proposed, [open pull requests](https://github.com/XRPLF/rippled/pulls).

 ## Identifying and Reporting Vulnerabilities

@@ -22,117 +22,10 @@ Responsible investigation includes, but isn't limited to, the following:
 - Not targeting physical security measures, or attempting to use social engineering, spam, distributed denial of service (DDOS) attacks, etc.
 - Investigating bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to the XRP Ledger and the broader ecosystem.

-### Responsible Disclosure
-
-If you discover a vulnerability or potential threat, or if you _think_
-you have, please reach out by dropping an email using the contact
-information below.
-
-Your report should include the following:
-
- Your contact information (typically, an email address);
- The description of the vulnerability;
- The attack scenario (if any);
- The steps to reproduce the vulnerability;
- Any other relevant details or artifacts, including code, scripts or patches.
-
-In your email, please describe the issue or potential threat. If possible, include a "repro" (code that can reproduce the issue) or describe the best way to reproduce and replicate the issue. Please make your report as detailed and comprehensive as possible.
-
-For more information on responsible disclosure, please read this [Wikipedia article](https://en.wikipedia.org/wiki/Responsible_disclosure).
-
-## Report Handling Process
-
-Please report the bug directly to us and limit further disclosure. If you want to prove that you knew the bug as of a given time, consider using a cryptographic pre-commitment: hash the content of your report and publish the hash on a medium of your choice (e.g. on Twitter or as a memo in a transaction) as "proof" that you had written the text at a given point in time.
-
-Once we receive a report, we:
-
-1. Assign two people to independently evaluate the report;
-2. Consider their recommendations;
-3. If action is necessary, formulate a plan to address the issue;
-4. Communicate privately with the reporter to explain our plan.
-5. Prepare, test and release a version which fixes the issue; and
-6. Announce the vulnerability publicly.
-
-We will triage and respond to your disclosure within 24 hours. Beyond that, we will work to analyze the issue in more detail, formulate, develop and test a fix.
-
-While we commit to responding with 24 hours of your initial report with our triage assessment, we cannot guarantee a response time for the remaining steps. We will communicate with you throughout this process, letting you know where we are and keeping you updated on the timeframe.
-
 ## Bug Bounty Program

-[Ripple](https://ripple.com) is generously sponsoring a bug bounty program for vulnerabilities in [`rippled`](https://github.com/XRPLF/rippled) (and other related projects, like [`xrpl.js`](https://github.com/XRPLF/xrpl.js), [`xrpl-py`](https://github.com/XRPLF/xrpl-py), [`xrpl4j`](https://github.com/XRPLF/xrpl4j)).
+[Ripple](https://ripple.com) is generously sponsoring a bug bounty program for vulnerabilities in [`xrpld`](https://github.com/XRPLF/rippled) (and other related projects, like [`Clio`](https://github.com/XRPLF/clio), [`xrpl.js`](https://github.com/XRPLF/xrpl.js), [`xrpl-py`](https://github.com/XRPLF/xrpl-py), [`xrpl4j`](https://github.com/XRPLF/xrpl4j)).

-This program allows us to recognize and reward individuals or groups that identify and report bugs. In summary, in order to qualify for a bounty, the bug must be:
+This program allows us to recognize and reward individuals or groups that identify and report bugs.

-1. **In scope**. Only bugs in software under the scope of the program qualify. Currently, that means `rippled`, `xrpl.js`, `xrpl-py`, `xrpl4j`.
-2. **Relevant**. A security issue, posing a danger to user funds, privacy, or the operation of the XRP Ledger.
-3. **Original and previously unknown**. Bugs that are already known and discussed in public do not qualify. Previously reported bugs, even if publicly unknown, are not eligible.
-4. **Specific**. We welcome general security advice or recommendations, but we cannot pay bounties for that.
-5. **Fixable**. There has to be something we can do to permanently fix the problem. Note that bugs in other people’s software may still qualify in some cases. For example, if you find a bug in a library that we use which can compromise the security of software that is in scope and we can get it fixed, you may qualify for a bounty.
-6. **Unused**. If you use the exploit to attack the XRP Ledger, you do not qualify for a bounty. If you report a vulnerability used in an ongoing or past attack and there is specific, concrete evidence that suggests you are the attacker we reserve the right not to pay a bounty.
-
-The amount paid varies dramatically. Vulnerabilities that are harmless on their own, but could form part of a critical exploit will usually receive a bounty. Full-blown exploits can receive much higher bounties. Please don’t hold back partial vulnerabilities while trying to construct a full-blown exploit. We will pay a bounty to anyone who reports a complete chain of vulnerabilities even if they have reported each component of the exploit separately and those vulnerabilities have been fixed in the meantime. However, to qualify for a the full bounty, you must to have been the first to report each of the partial exploits.
-
-### Contacting Us
-
-To report a qualifying bug, please send a detailed report to:
-
-| Email Address | bugs@ripple.com                                     |
-| :-----------: | :-------------------------------------------------- |
-| Short Key ID  | `0xA9F514E0`                                        |
-|  Long Key ID  | `0xD900855AA9F514E0`                                |
-|  Fingerprint  | `B72C 0654 2F2A E250 2763 A268 D900 855A A9F5 14E0` |
-
-The full PGP key for this address, which is also available on several key servers (e.g. on [keyserver.ubuntu.com](https://keyserver.ubuntu.com)), is:
-
-```
-----BEGIN PGP PUBLIC KEY BLOCK-----
-mQINBGkSZAQBEACprU199OhgdsOsygNjiQV4msuN3vDOUooehL+NwfsGfW79Tbqq
-Q2u7uQ3NZjW+M2T4nsDwuhkr7pe7xSReR5W8ssaczvtUyxkvbMClilcgZ2OSCAuC
-N9tzJsqOqkwBvXoNXkn//T2jnPz0ZU2wSF+NrEibq5FeuyGdoX3yXXBxq9pW9HzK
-HkQll63QSl6BzVSGRQq+B6lGgaZGLwf3mzmIND9Z5VGLNK2jKynyz9z091whNG/M
-kV+E7/r/bujHk7WIVId07G5/COTXmSr7kFnNEkd2Umw42dkgfiNKvlmJ9M7c1wLK
-KbL9Eb4ADuW6rRc5k4s1e6GT8R4/VPliWbCl9SE32hXH8uTkqVIFZP2eyM5WRRHs
-aKzitkQG9UK9gcb0kdgUkxOvvgPHAe5IuZlcHFzU4y0dBbU1VEFWVpiLU0q+IuNw
-5BRemeHc59YNsngkmAZ+/9zouoShRusZmC8Wzotv75C2qVBcjijPvmjWAUz0Zunm
-Lsr+O71vqHE73pERjD07wuD/ISjiYRYYE/bVrXtXLZijC7qAH4RE3nID+2ojcZyO
-/2jMQvt7un56RsGH4UBHi3aBHi9bUoDGCXKiQY981cEuNaOxpou7Mh3x/ONzzSvk
-sTV6nl1LOZHykN1JyKwaNbTSAiuyoN+7lOBqbV04DNYAHL88PrT21P83aQARAQAB
-tB1SaXBwbGUgTGFicyA8YnVnc0ByaXBwbGUuY29tPokCTgQTAQgAOBYhBLcsBlQv
-KuJQJ2OiaNkAhVqp9RTgBQJpEmQEAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheA
-AAoJENkAhVqp9RTgBzgP/i7y+aDWl1maig1XMdyb+o0UGusumFSW4Hmj278wlKVv
-usgLPihYgHE0PKrv6WRyKOMC1tQEcYYN93M+OeQ1vFhS2YyURq6RCMmh4zq/awXG
-uZbG36OURB5NH8lGBOHiN/7O+nY0CgenBT2JWm+GW3nEOAVOVm4+r5GlpPlv+Dp1
-NPBThcKXFMnH73++NpSQoDzTfRYHPxhDAX3jkLi/moXfSanOLlR6l94XNNN0jBHW
-Quao0rzf4WSXq9g6AS224xhAA5JyIcFl8TX7hzj5HaFn3VWo3COoDu4U7H+BM0fl
-85yqiMQypp7EhN2gxpMMWaHY5TFM85U/bFXFYfEgihZ4/gt4uoIzsNI9jlX7mYvG
-KFdDij+oTlRsuOxdIy60B3dKcwOH9nZZCz0SPsN/zlRWgKzK4gDKdGhFkU9OlvPu
-94ZqscanoiWKDoZkF96+sjgfjkuHsDK7Lwc1Xi+T4drHG/3aVpkYabXox+lrKB/S
-yxZjeqOIQzWPhnLgCaLyvsKo5hxKzL0w3eURu8F3IS7RgOOlljv4M+Me9sEVcdNV
-aN3/tQwbaomSX1X5D5YXqhBwC3rU3wXwamsscRTGEpkV+JCX6KUqGP7nWmxCpAly
-FL05XuOd5SVHJjXLeuje0JqLUpN514uL+bThWwDbDTdAdwW3oK/2WbXz7IfJRLBj
-uQINBGkSZAQBEADdI3SL2F72qkrgFqXWE6HSRBu9bsAvTE5QrRPWk7ux6at537r4
-S4sIw2dOwLvbyIrDgKNq3LQ5wCK88NO/NeCOFm4AiCJSl3pJHXYnTDoUxTrrxx+o
-vSRI4I3fHEql/MqzgiAb0YUezjgFdh3vYheMPp/309PFbOLhiFqEcx80Mx5h06UH
-gDzu1qNj3Ec+31NLic5zwkrAkvFvD54d6bqYR3SEgMau6aYEewpGHbWBi2pLqSi2
-lQcAeOFixqGpTwDmAnYR8YtjBYepy0MojEAdTHcQQlOYSDk4q4elG+io2N8vECfU
-rD6ORecN48GXdZINYWTAdslrUeanmBdgQrYkSpce8TSghgT9P01SNaXxmyaehVUO
-lqI4pcg5G2oojAE8ncNS3TwDtt7daTaTC3bAdr4PXDVAzNAiewjMNZPB7xidkDGQ
-Y4W1LxTMXyJVWxehYOH7tsbBRKninlfRnLgYzmtIbNRAAvNcsxU6ihv3AV0WFknN
-YbSzotEv1Xq/5wk309x8zCDe+sP0cQicvbXafXmUzPAZzeqFg+VLFn7F9MP1WGlW
-B1u7VIvBF1Mp9Nd3EAGBAoLRdRu+0dVWIjPTQuPIuD9cCatJA0wVaKUrjYbBMl88
-a12LixNVGeSFS9N7ADHx0/o7GNT6l88YbaLP6zggUHpUD/bR+cDN7vllIQARAQAB
-iQI2BBgBCAAgFiEEtywGVC8q4lAnY6Jo2QCFWqn1FOAFAmkSZAQCGwwACgkQ2QCF
-Wqn1FOAfAA/8CYq4p0p4bobY20CKEMsZrkBTFJyPDqzFwMeTjgpzqbD7Y3Qq5QCK
-OBbvY02GWdiIsNOzKdBxiuam2xYP9WHZj4y7/uWEvT0qlPVmDFu+HXjoJ43oxwFd
-CUp2gMuQ4cSL3X94VRJ3BkVL+tgBm8CNY0vnTLLOO3kum/R69VsGJS1JSGUWjNM+
-4qwS3mz+73xJu1HmERyN2RZF/DGIZI2PyONQQ6aH85G1Dd2ohu2/DBAkQAMBrPbj
-FrbDaBLyFhODxU3kTWqnfLlaElSm2EGdIU2yx7n4BggEa//NZRMm5kyeo4vzhtlQ
-YIVUMLAOLZvnEqDnsLKp+22FzNR/O+htBQC4lPywl53oYSALdhz1IQlcAC1ru5KR
-XPzhIXV6IIzkcx9xNkEclZxmsuy5ERXyKEmLbIHAlzFmnrldlt2ZgXDtzaorLmxj
-klKibxd5tF50qOpOivz+oPtFo7n+HmFa1nlVAMxlDCUdM0pEVeYDKI5zfVwalyhZ
-NnjpakdZSXMwgc7NP/hH9buF35hKDp7EckT2y3JNYwHsDdy1icXN2q40XZw5tSIn
-zkPWdu3OUY8PISohN6Pw4h0RH4ZmoX97E8sEfmdKaT58U4Hf2aAv5r9IWCSrAVqY
-u5jvac29CzQR9Kal0A+8phHAXHNFD83SwzIC0syaT9ficAguwGH8X6Q=
-=nGuD
-----END PGP PUBLIC KEY BLOCK-----
-```
+We have partnered with Bugcrowd to manage this program. It is a private program, and security researchers can participate based on invitation. If you need access to the program, please email bugs@ripple.com with your Bugcrowd handle or Bugcrowd registered email, and we will get you added to the program. Once you have been added, please submit vulnerability reports through Bugcrowd, not by email. The detailed bug bounty policy is available on the Bugcrowd website.
--- a/bin/git/setup-upstreams.sh
+++ b/bin/git/setup-upstreams.sh
@@ -1,83 +1,71 @@
 #!/bin/bash

-if [[ $# -ne 1 || "$1" == "--help" || "$1" == "-h" ]]
-then
-  name=$( basename $0 )
-  cat <<- USAGE
-  Usage: $name <username>
+if [[ $# -ne 1 || "$1" == "--help" || "$1" == "-h" ]]; then
+    name=$(basename $0)
+    cat <<-USAGE
+    Usage: $name <username>

-  Where <username> is the Github username of the upstream repo. e.g. XRPLF
+    Where <username> is the Github username of the upstream repo. e.g. XRPLF
 USAGE
-  exit 0
+    exit 0
 fi

 # Create upstream remotes based on origin
 shift
 user="$1"
 # Get the origin URL. Expect it be an SSH-style URL
-origin=$( git remote get-url origin )
-if [[ "${origin}" == "" ]]
-then
-  echo Invalid origin remote >&2
-  exit 1
+origin=$(git remote get-url origin)
+if [[ "${origin}" == "" ]]; then
+    echo Invalid origin remote >&2
+    exit 1
 fi
 # echo "Origin: ${origin}"
 # Parse the origin
 ifs_orig="${IFS}"
-IFS=':' read remote originpath <<< "${origin}"
+IFS=':' read remote originpath <<<"${origin}"
 # echo "Remote: ${remote}, Originpath: ${originpath}"
-IFS='@' read sshuser server <<< "${remote}"
+IFS='@' read sshuser server <<<"${remote}"
 # echo "SSHUser: ${sshuser}, Server: ${server}"
-IFS='/' read originuser repo <<< "${originpath}"
+IFS='/' read originuser repo <<<"${originpath}"
 # echo "Originuser: ${originuser}, Repo: ${repo}"
-if [[ "${sshuser}" == "" || "${server}" == "" || "${originuser}" == ""
-  || "${repo}" == "" ]]
-then
-  echo "Can't parse origin URL: ${origin}" >&2
-  exit 1
+if [[ "${sshuser}" == "" || "${server}" == "" || "${originuser}" == "" || "${repo}" == "" ]]; then
+    echo "Can't parse origin URL: ${origin}" >&2
+    exit 1
 fi
 upstream="https://${server}/${user}/${repo}"
 upstreampush="${remote}:${user}/${repo}"
 upstreamgroup="upstream upstream-push"
-current=$( git remote get-url upstream 2>/dev/null )
-currentpush=$( git remote get-url upstream-push 2>/dev/null )
-currentgroup=$( git config remotes.upstreams )
-if [[ "${current}" == "${upstream}" ]]
-then
-  echo "Upstream already set up correctly. Skip"
-elif [[ -n "${current}" && "${current}" != "${upstream}" &&
-  "${current}" != "${upstreampush}" ]]
-then
-  echo "Upstream already set up as: ${current}. Skip"
+current=$(git remote get-url upstream 2>/dev/null)
+currentpush=$(git remote get-url upstream-push 2>/dev/null)
+currentgroup=$(git config remotes.upstreams)
+if [[ "${current}" == "${upstream}" ]]; then
+    echo "Upstream already set up correctly. Skip"
+elif [[ -n "${current}" && "${current}" != "${upstream}" && "${current}" != "${upstreampush}" ]]; then
+    echo "Upstream already set up as: ${current}. Skip"
 else
-  if [[ "${current}" == "${upstreampush}" ]]
-  then
-    echo "Upstream set to dangerous push URL. Update."
-    _run git remote rename upstream upstream-push || \
-    _run git remote remove upstream
-    currentpush=$( git remote get-url upstream-push 2>/dev/null )
-  fi
-  _run git remote add upstream "${upstream}"
+    if [[ "${current}" == "${upstreampush}" ]]; then
+        echo "Upstream set to dangerous push URL. Update."
+        _run git remote rename upstream upstream-push ||
+            _run git remote remove upstream
+        currentpush=$(git remote get-url upstream-push 2>/dev/null)
+    fi
+    _run git remote add upstream "${upstream}"
 fi

-if [[ "${currentpush}" == "${upstreampush}" ]]
-then
-  echo "upstream-push already set up correctly. Skip"
-elif [[ -n "${currentpush}" && "${currentpush}" != "${upstreampush}" ]]
-then
-  echo "upstream-push already set up as: ${currentpush}. Skip"
+if [[ "${currentpush}" == "${upstreampush}" ]]; then
+    echo "upstream-push already set up correctly. Skip"
+elif [[ -n "${currentpush}" && "${currentpush}" != "${upstreampush}" ]]; then
+    echo "upstream-push already set up as: ${currentpush}. Skip"
 else
-  _run git remote add upstream-push "${upstreampush}"
+    _run git remote add upstream-push "${upstreampush}"
 fi

-if [[ "${currentgroup}" == "${upstreamgroup}" ]]
-then
-  echo "Upstreams group already set up correctly. Skip"
-elif [[ -n "${currentgroup}" && "${currentgroup}" != "${upstreamgroup}" ]]
-then
-  echo "Upstreams group already set up as: ${currentgroup}. Skip"
+if [[ "${currentgroup}" == "${upstreamgroup}" ]]; then
+    echo "Upstreams group already set up correctly. Skip"
+elif [[ -n "${currentgroup}" && "${currentgroup}" != "${upstreamgroup}" ]]; then
+    echo "Upstreams group already set up as: ${currentgroup}. Skip"
 else
-  _run git config --add remotes.upstreams "${upstreamgroup}"
+    _run git config --add remotes.upstreams "${upstreamgroup}"
 fi

 _run git fetch --jobs=$(nproc) upstreams
--- a/bin/git/squash-branches.sh
+++ b/bin/git/squash-branches.sh
@@ -1,61 +1,56 @@
 #!/bin/bash

-if [[ $# -lt 3 || "$1" == "--help" || "$1" = "-h" ]]
-then
-  name=$( basename $0 )
-  cat <<- USAGE
-  Usage: $name workbranch base/branch user/branch [user/branch [...]]
+if [[ $# -lt 3 || "$1" == "--help" || "$1" = "-h" ]]; then
+    name=$(basename $0)
+    cat <<-USAGE
+    Usage: $name workbranch base/branch user/branch [user/branch [...]]

-  * workbranch will be created locally from base/branch
-  * base/branch and user/branch may be specified as user:branch to allow
-    easy copying from Github PRs
-  * Remotes for each user must already be set up
+    * workbranch will be created locally from base/branch
+    * base/branch and user/branch may be specified as user:branch to allow
+        easy copying from Github PRs
+    * Remotes for each user must already be set up
 USAGE
-exit 0
+    exit 0
 fi

 work="$1"
 shift

-branches=( $( echo "${@}" | sed "s/:/\//" ) )
+branches=($(echo "${@}" | sed "s/:/\//"))
 base="${branches[0]}"
 unset branches[0]

 set -e

 users=()
-for b in "${branches[@]}"
-do
-  users+=( $( echo $b | cut -d/ -f1 ) )
+for b in "${branches[@]}"; do
+    users+=($(echo $b | cut -d/ -f1))
 done

-users=( $( printf '%s\n' "${users[@]}" | sort -u ) )
+users=($(printf '%s\n' "${users[@]}" | sort -u))

 git fetch --multiple upstreams "${users[@]}"
 git checkout -B "$work" --no-track "$base"

-for b in "${branches[@]}"
-do
-  git merge --squash "${b}"
-  git commit -S # Use the commit message provided on the PR
+for b in "${branches[@]}"; do
+    git merge --squash "${b}"
+    git commit -S # Use the commit message provided on the PR
 done

 # Make sure the commits look right
 git log --show-signature "$base..HEAD"

-parts=( $( echo $base | sed "s/\// /" ) )
+parts=($(echo $base | sed "s/\// /"))
 repo="${parts[0]}"
 b="${parts[1]}"
 push=$repo
-if [[ "$push" == "upstream" ]]
-then
-  push="upstream-push"
+if [[ "$push" == "upstream" ]]; then
+    push="upstream-push"
 fi
-if [[ "$repo" == "upstream" ]]
-then
-  repo="upstreams"
+if [[ "$repo" == "upstream" ]]; then
+    repo="upstreams"
 fi
-cat << PUSH
+cat <<PUSH

 -------------------------------------------------------------------
 This script will not push. Verify everything is correct, then push
--- a/bin/git/update-version.sh
+++ b/bin/git/update-version.sh
@@ -1,23 +1,22 @@
 #!/bin/bash

-if [[ $# -ne 3 || "$1" == "--help" || "$1" = "-h" ]]
-then
-  name=$( basename $0 )
-  cat <<- USAGE
-  Usage: $name workbranch base/branch version
+if [[ $# -ne 3 || "$1" == "--help" || "$1" = "-h" ]]; then
+    name=$(basename $0)
+    cat <<-USAGE
+    Usage: $name workbranch base/branch version

-  * workbranch will be created locally from base/branch. If it exists,
-    it will be reused, so make sure you don't overwrite any work.
-  * base/branch may be specified as user:branch to allow easy copying
-    from Github PRs.
+    * workbranch will be created locally from base/branch. If it exists,
+        it will be reused, so make sure you don't overwrite any work.
+    * base/branch may be specified as user:branch to allow easy copying
+        from Github PRs.
 USAGE
-exit 0
+    exit 0
 fi

 work="$1"
 shift

-base=$( echo "$1" | sed "s/:/\//" )
+base=$(echo "$1" | sed "s/:/\//")
 shift

 version=$1
@@ -29,17 +28,16 @@ git fetch upstreams

 git checkout -B "${work}" --no-track "${base}"

-push=$( git rev-parse --abbrev-ref --symbolic-full-name '@{push}' \
-              2>/dev/null ) || true
-if [[ "${push}" != "" ]]
-then
-  echo "Warning: ${push} may already exist."
+push=$(git rev-parse --abbrev-ref --symbolic-full-name '@{push}' \
+    2>/dev/null) || true
+if [[ "${push}" != "" ]]; then
+    echo "Warning: ${push} may already exist."
 fi

-build=$( find -name BuildInfo.cpp )
-sed 's/\(^.*versionString =\).*$/\1 "'${version}'"/' ${build} > version.cpp && \
-diff "${build}" version.cpp && exit 1 || \
-mv -vi version.cpp ${build}
+build=$(find -name BuildInfo.cpp)
+sed 's/\(^.*versionString =\).*$/\1 "'${version}'"/' ${build} >version.cpp &&
+    diff "${build}" version.cpp && exit 1 ||
+    mv -vi version.cpp ${build}

 git diff

@@ -49,7 +47,7 @@ git commit -S -m "Set version to ${version}"

 git log --oneline --first-parent ${base}^..

-cat << PUSH
+cat <<PUSH

 -------------------------------------------------------------------
 This script will not push. Verify everything is correct, then push
--- a/bin/pre-commit/clang_tidy_check.py
+++ b/bin/pre-commit/clang_tidy_check.py
@@ -0,0 +1,212 @@
+#!/usr/bin/env python3
+"""Pre-commit hook that runs clang-tidy on changed files using run-clang-tidy."""
+
+from __future__ import annotations
+
+import json
+import os
+import re
+import shutil
+import subprocess
+import sys
+from collections import defaultdict
+from pathlib import Path
+
+HEADER_EXTENSIONS = {".h", ".hpp", ".ipp"}
+SOURCE_EXTENSIONS = {".cpp"}
+INCLUDE_RE = re.compile(r"^\s*#\s*include\s*[<\"]([^>\"]+)[>\"]")
+
+
+def find_run_clang_tidy() -> str | None:
+    for candidate in ("run-clang-tidy-21", "run-clang-tidy"):
+        if path := shutil.which(candidate):
+            return path
+    return None
+
+
+def find_build_dir(repo_root: Path) -> Path | None:
+    for name in (".build", "build"):
+        candidate = repo_root / name
+        if (candidate / "compile_commands.json").exists():
+            return candidate
+    return None
+
+
+def build_include_graph(build_dir: Path, repo_root: Path) -> tuple[dict, set]:
+    """
+    Scan all files reachable from compile_commands.json and build an inverted include graph.
+
+    Returns:
+        inverted: header_path -> set of files that include it
+        source_files: set of all TU paths from compile_commands.json
+    """
+    with open(build_dir / "compile_commands.json") as f:
+        db = json.load(f)
+
+    source_files = {Path(e["file"]).resolve() for e in db}
+    include_roots = [repo_root / "include", repo_root / "src"]
+    inverted: dict[Path, set[Path]] = defaultdict(set)
+
+    to_scan: set[Path] = set(source_files)
+    scanned: set[Path] = set()
+
+    while to_scan:
+        file = to_scan.pop()
+        if file in scanned or not file.exists():
+            continue
+        scanned.add(file)
+
+        content = file.read_text()
+
+        for line in content.splitlines():
+            m = INCLUDE_RE.match(line)
+            if not m:
+                continue
+            for root in include_roots:
+                candidate = (root / m.group(1)).resolve()
+                if candidate.exists():
+                    inverted[candidate].add(file)
+                    if candidate not in scanned:
+                        to_scan.add(candidate)
+                    break
+
+    return inverted, source_files
+
+
+def find_tus_for_headers(
+    headers: list[Path],
+    inverted: dict[Path, set[Path]],
+    source_files: set[Path],
+) -> set[Path]:
+    """
+    For each header, pick one TU that transitively includes it.
+    Prefers a TU whose stem matches the header's stem, otherwise picks the first found.
+    """
+    result: set[Path] = set()
+
+    for header in headers:
+        preferred: Path | None = None
+        visited: set[Path] = {header}
+        stack: list[Path] = [header]
+
+        while stack:
+            h = stack.pop()
+            for inc in inverted.get(h, ()):
+                if inc in source_files:
+                    if inc.stem == header.stem:
+                        preferred = inc
+                        break
+                    if preferred is None:
+                        preferred = inc
+                if inc not in visited:
+                    visited.add(inc)
+                    stack.append(inc)
+            if preferred is not None and preferred.stem == header.stem:
+                break
+
+        if preferred is not None:
+            result.add(preferred)
+
+    return result
+
+
+def resolve_files(
+    input_files: list[str], build_dir: Path, repo_root: Path
+) -> list[str]:
+    """
+    Split input into source files and headers. Source files are passed through;
+    headers are resolved to the TUs that transitively include them.
+    """
+    sources: list[Path] = []
+    headers: list[Path] = []
+
+    for f in input_files:
+        p = Path(f).resolve()
+        if p.suffix in SOURCE_EXTENSIONS:
+            sources.append(p)
+        elif p.suffix in HEADER_EXTENSIONS:
+            headers.append(p)
+
+    if not headers:
+        return [str(p) for p in sources]
+
+    print(
+        f"Resolving {len(headers)} header(s) to compilation units...", file=sys.stderr
+    )
+    inverted, source_files = build_include_graph(build_dir, repo_root)
+    tus = find_tus_for_headers(headers, inverted, source_files)
+
+    if not tus:
+        print(
+            "Warning: no compilation units found that include the modified headers; "
+            "skipping clang-tidy for headers.",
+            file=sys.stderr,
+        )
+
+    return sorted({str(p) for p in (*sources, *tus)})
+
+
+def staged_files(repo_root: Path) -> list[str]:
+    result = subprocess.run(
+        ["git", "diff", "--staged", "--name-only", "--diff-filter=d"],
+        capture_output=True,
+        text=True,
+        cwd=repo_root,
+    )
+    if result.returncode != 0:
+        print(
+            "clang-tidy check failed: 'git diff --staged' command failed.",
+            file=sys.stderr,
+        )
+        if result.stderr:
+            print(result.stderr, file=sys.stderr)
+        sys.exit(result.returncode or 1)
+    return [str(repo_root / p) for p in result.stdout.splitlines() if p]
+
+
+def main():
+    if not os.environ.get("TIDY"):
+        return 0
+
+    repo_root = Path(
+        subprocess.check_output(
+            ["git", "rev-parse", "--show-toplevel"],
+            cwd=Path(__file__).parent,
+            text=True,
+        ).strip()
+    )
+    files = staged_files(repo_root)
+    if not files:
+        return 0
+
+    run_clang_tidy = find_run_clang_tidy()
+    if not run_clang_tidy:
+        print(
+            "clang-tidy check failed: TIDY is enabled but neither "
+            "'run-clang-tidy-21' nor 'run-clang-tidy' was found in PATH.",
+            file=sys.stderr,
+        )
+        return 1
+
+    build_dir = find_build_dir(repo_root)
+    if not build_dir:
+        print(
+            "clang-tidy check failed: no build directory with compile_commands.json found "
+            "(looked for .build/ and build/)",
+            file=sys.stderr,
+        )
+        return 1
+
+    tidy_files = resolve_files(files, build_dir, repo_root)
+    if not tidy_files:
+        return 0
+
+    result = subprocess.run(
+        [run_clang_tidy, "-quiet", "-p", str(build_dir), "-fix", "-allow-no-checks"]
+        + tidy_files
+    )
+    return result.returncode
+
+
+if __name__ == "__main__":
+    sys.exit(main())
--- a/bin/pre-commit/fix_include_style.py
+++ b/bin/pre-commit/fix_include_style.py
@@ -0,0 +1,37 @@
+#!/usr/bin/env python3
+
+"""
+Converts quoted includes (#include "...") to angle-bracket includes
+(#include <...>), which is the required style in this project.
+
+Usage: ./bin/pre-commit/fix_include_style.py <file1> <file2> ...
+"""
+
+import re
+import sys
+from pathlib import Path
+
+PATTERN = re.compile(r'^(\s*#include\s*)"([^"]+)"', re.MULTILINE)
+
+
+def fix_includes(path: Path) -> bool:
+    original = path.read_text(encoding="utf-8")
+    fixed = PATTERN.sub(r"\1<\2>", original)
+    if fixed != original:
+        path.write_text(fixed, encoding="utf-8")
+        return False
+    return True
+
+
+def main() -> int:
+    files = [Path(f) for f in sys.argv[1:]]
+    success = True
+
+    for path in files:
+        success &= fix_includes(path)
+
+    return 0 if success else 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())
--- a/cfg/validators-example.txt
+++ b/cfg/validators-example.txt
@@ -28,7 +28,7 @@
 #    https://vl.ripple.com
 #    https://unl.xrplf.org
 #    http://127.0.0.1:8000
-#    file:///etc/opt/ripple/vl.txt
+#    file:///etc/xrpld/vl.txt
 #
 # [validator_list_keys]
 #
@@ -43,11 +43,11 @@
 #    ED307A760EE34F2D0CAA103377B1969117C38B8AA0AA1E2A24DAC1F32FC97087ED
 #

-# The default validator list publishers that the rippled instance
+# The default validator list publishers that the xrpld instance
 # trusts.
 #
-# WARNING: Changing these values can cause your rippled instance to see a
-#          validated ledger that contradicts other rippled instances'
+# WARNING: Changing these values can cause your xrpld instance to see a
+#          validated ledger that contradicts other xrpld instances'
 #          validated ledgers (aka a ledger fork) if your validator list(s)
 #          do not sufficiently overlap with the list(s) used by others.
 #          See: https://arxiv.org/pdf/1802.07242.pdf
--- a/cfg/xrpld-example.cfg
+++ b/cfg/xrpld-example.cfg
@@ -9,7 +9,7 @@
 #
 #   2. Peer Protocol
 #
-#   3. Ripple Protocol
+#   3. XRPL protocol
 #
 #   4. HTTPS Client
 #
@@ -383,7 +383,7 @@
 #
 #   These settings control security and access attributes of the Peer to Peer
 #   server section of the xrpld process. Peer Protocol implements the
-#   Ripple Payment protocol. It is over peer connections that transactions
+#   XRPL payment protocol. It is over peer connections that transactions
 #   and validations are passed from to machine to machine, to determine the
 #   contents of validated ledgers.
 #
@@ -406,7 +406,7 @@
 #
 # [ips]
 #
-#   List of hostnames or ips where the Ripple protocol is served.  A default
+#   List of hostnames or ips where the XRPL protocol is served.  A default
 #   starter list is included in the code and used if no other hostnames are
 #   available.
 #
@@ -435,7 +435,7 @@
 #   List of IP addresses or hostnames to which xrpld should always attempt to
 #   maintain peer connections with. This is useful for manually forming private
 #   networks, for example to configure a validation server that connects to the
-#   Ripple network through a public-facing server, or for building a set
+#   XRPL network through a public-facing server, or for building a set
 #   of cluster peers.
 #
 #   One address or domain names per line is allowed. A port must be specified
@@ -527,6 +527,17 @@
 #
 #       The current default (which is subject to change) is 300 seconds.
 #
+#   verify_endpoints = <0 | 1>
+#
+#       If set to 0, the server will skip validation of endpoint
+#       addresses received in TMEndpoints peer protocol messages,
+#       allowing addresses that are not publicly routable or have a
+#       port of 0. The default is 1 (verification enabled).
+#
+#       WARNING: Disabling this option is a security risk and should
+#       only be used for local testing and debugging. Do not disable
+#       on mainnet.
+#
 #
 # [transaction_queue] EXPERIMENTAL
 #
@@ -748,8 +759,8 @@
 #   the folder in which the xrpld.cfg file is located.
 #
 #   Examples:
-#    /home/ripple/validators.txt
-#    C:/home/ripple/validators.txt
+#    /home/username/validators.txt
+#    C:/home/username/validators.txt
 #
 #   Example content:
 #    [validators]
@@ -840,7 +851,7 @@
 #
 #   0: Disable the ledger replay feature [default]
 #   1: Enable the ledger replay feature. With this feature enabled, when
-#      acquiring a ledger from the network, a xrpld node only downloads
+#      acquiring a ledger from the network, an xrpld node only downloads
 #      the ledger header and the transactions instead of the whole ledger.
 #      And the ledger is built by applying the transactions to the parent
 #      ledger.
@@ -853,7 +864,7 @@
 #
 #   The xrpld server instance uses HTTPS GET requests in a variety of
 #   circumstances, including but not limited to contacting trusted domains to
-#   fetch information such as mapping an email address to a Ripple Payment
+#   fetch information such as mapping an email address to an XRPL payment
 #   Network address.
 #
 # [ssl_verify]
@@ -942,6 +953,21 @@
 #
 #   Optional keys for NuDB and RocksDB:
 #
+#       cache_size          Size of cache for database records. Default is 16384.
+#                           Setting this value to 0 will use the default value.
+#
+#       cache_age           Length of time in minutes to keep database records
+#                           cached. Default is 5 minutes. Setting this value to
+#                           0 will use the default value.
+#
+#                           Note: if cache_size or cache_age is not specified,
+#                           default values will be used for the unspecified
+#                           parameter.
+#
+#                           Note: the cache will not be created if online_delete
+#                           is specified, because the rotating NodeStore does
+#                           not use this cache).
+#
 #       fast_load           Boolean. If set, load the last persisted ledger
 #                           from disk upon process start before syncing to
 #                           the network. This is likely to improve performance
@@ -1227,7 +1253,7 @@
 #
 #----------
 #
-#   The vote settings configure settings for the entire Ripple network.
+#   The vote settings configure settings for the entire XRPL network.
 #   While a single instance of xrpld cannot unilaterally enforce network-wide
 #   settings, these choices become part of the instance's vote during the
 #   consensus process for each voting ledger.
@@ -1258,7 +1284,7 @@
 #       default. Don't change this without understanding the consequences.
 #
 #       Example:
-#           account_reserve = 10000000   # 10 XRP
+#           account_reserve = 1000000   # 1 XRP
 #
 #   owner_reserve = <drops>
 #
@@ -1270,7 +1296,7 @@
 #       default. Don't change this without understanding the consequences.
 #
 #       Example:
-#           owner_reserve = 2000000      # 2 XRP
+#           owner_reserve = 200000      # 0.2 XRP
 #
 #-------------------------------------------------------------------------------
 #
@@ -1416,6 +1442,12 @@
 #       in this section to a comma-separated list of the addresses
 #       of your Clio servers, in order to bypass xrpld's rate limiting.
 #
+#       TLS/SSL can be enabled for gRPC by specifying ssl_cert and ssl_key.
+#       Both parameters must be provided together. The ssl_cert_chain parameter
+#       is optional and provides intermediate CA certificates for the certificate
+#       chain. The ssl_client_ca parameter is optional and enables mutual TLS
+#       (client certificate verification).
+#
 #   This port is commented out but can be enabled by removing
 #   the '#' from each corresponding line including the entry under [server]
 #
@@ -1449,10 +1481,7 @@ admin = 127.0.0.1
 protocol = http

 [port_peer]
-# Many servers still use the legacy port of 51235, so for backward-compatibility
-# we maintain that port number here. However, for new servers we recommend
-# changing this to the default port of 2459.
-port = 51235
+port = 2459
 ip = 0.0.0.0
 # alternatively, to accept connections on IPv4 + IPv6, use:
 #ip = ::
@@ -1465,11 +1494,74 @@ admin = 127.0.0.1
 protocol = ws
 send_queue_limit = 500

+# gRPC TLS/SSL Configuration
+#
+#   The gRPC port supports optional TLS/SSL encryption. When TLS is not
+#   configured, the gRPC server will accept unencrypted connections.
+#
+#   ssl_cert = <filename>
+#   ssl_key = <filename>
+#
+#       To enable TLS for gRPC, both ssl_cert and ssl_key must be specified.
+#       If only one is provided, xrpld will fail to start.
+#
+#       ssl_cert: Path to the server's SSL certificate file in PEM format.
+#       ssl_key:  Path to the server's SSL private key file in PEM format.
+#
+#       When configured, the gRPC server will only accept TLS-encrypted
+#       connections. Clients must use TLS (secure) channel credentials rather
+#       than plaintext / insecure connections.
+#
+#   ssl_cert_chain = <filename>
+#
+#       Optional. Path to intermediate CA certificate(s) in PEM format that
+#       complete the server's certificate chain.
+#
+#       This file should contain the intermediate CA certificate(s) needed
+#       to build a trust chain from the server certificate (ssl_cert) to a
+#       root CA that clients trust. Multiple certificates should be
+#       concatenated in PEM format.
+#
+#       This is needed when your server certificate was signed by an
+#       intermediate CA rather than directly by a root CA. Without this,
+#       clients may fail to verify your server certificate.
+#
+#       If not specified, only the server certificate from ssl_cert will be
+#       presented to clients.
+#
+#   ssl_client_ca = <filename>
+#
+#       Optional. Path to a CA certificate file in PEM format for verifying
+#       client certificates (mutual TLS / mTLS).
+#
+#       When specified, the gRPC server will verify client certificates
+#       against this CA. This enables mutual authentication where both the
+#       server and client verify each other's identity.
+#
+#       This is typically NOT needed for public-facing gRPC servers. Only
+#       use this if you want to restrict access to clients with valid
+#       certificates signed by the specified CA.
+#
+#       If not specified, the server will use one-way TLS (server
+#       authentication only) and will accept connections from any client.
+#
 [port_grpc]
 port = 50051
 ip = 127.0.0.1
 secure_gateway = 127.0.0.1

+# Optional TLS/SSL configuration for gRPC
+# To enable TLS, uncomment and configure both ssl_cert and ssl_key:
+#ssl_cert = /etc/ssl/certs/grpc-server.crt
+#ssl_key = /etc/ssl/private/grpc-server.key
+
+# Optional: Include intermediate CA certificates for complete certificate chain
+#ssl_cert_chain = /etc/ssl/certs/grpc-intermediate-ca.crt
+
+# Optional: Enable mutual TLS (client certificate verification)
+# Uncomment to require and verify client certificates:
+#ssl_client_ca = /etc/ssl/certs/grpc-client-ca.crt
+
 #[port_ws_public]
 #port = 6005
 #ip = 127.0.0.1
--- a/cmake/XrplConfig.cmake
+++ b/cmake/XrplConfig.cmake
@@ -1,60 +0,0 @@
-include(CMakeFindDependencyMacro)
-# need to represent system dependencies of the lib here
-#[=========================================================[
-  Boost
-#]=========================================================]
-if(static OR APPLE OR MSVC)
-    set(Boost_USE_STATIC_LIBS ON)
-endif()
-set(Boost_USE_MULTITHREADED ON)
-if(static OR MSVC)
-    set(Boost_USE_STATIC_RUNTIME ON)
-else()
-    set(Boost_USE_STATIC_RUNTIME OFF)
-endif()
-find_dependency(
-    Boost
-    COMPONENTS
-    chrono
-    container
-    context
-    coroutine
-    date_time
-    filesystem
-    program_options
-    regex
-    system
-    thread
-)
-#[=========================================================[
-  OpenSSL
-#]=========================================================]
-if(NOT DEFINED OPENSSL_ROOT_DIR)
-    if(DEFINED ENV{OPENSSL_ROOT})
-        set(OPENSSL_ROOT_DIR $ENV{OPENSSL_ROOT})
-    elseif(APPLE)
-        find_program(homebrew brew)
-        if(homebrew)
-            execute_process(
-                COMMAND ${homebrew} --prefix openssl
-                OUTPUT_VARIABLE OPENSSL_ROOT_DIR
-                OUTPUT_STRIP_TRAILING_WHITESPACE
-            )
-        endif()
-    endif()
-    file(TO_CMAKE_PATH "${OPENSSL_ROOT_DIR}" OPENSSL_ROOT_DIR)
-endif()
-
-if(static OR APPLE OR MSVC)
-    set(OPENSSL_USE_STATIC_LIBS ON)
-endif()
-set(OPENSSL_MSVC_STATIC_RT ON)
-find_dependency(OpenSSL REQUIRED)
-find_dependency(ZLIB)
-find_dependency(date)
-if(TARGET ZLIB::ZLIB)
-    set_target_properties(
-        OpenSSL::Crypto
-        PROPERTIES INTERFACE_LINK_LIBRARIES ZLIB::ZLIB
-    )
-endif()
--- a/cmake/XrplCore.cmake
+++ b/cmake/XrplCore.cmake
@@ -108,17 +108,28 @@ target_link_libraries(
 )

 # Level 05
-add_module(xrpl core)
+add_module(xrpl protocol_autogen)
 target_link_libraries(
-    xrpl.libxrpl.core
-    PUBLIC xrpl.libxrpl.basics xrpl.libxrpl.json xrpl.libxrpl.protocol
+    xrpl.libxrpl.protocol_autogen
+    PUBLIC xrpl.libxrpl.protocol
 )

 # Level 06
+add_module(xrpl core)
+target_link_libraries(
+    xrpl.libxrpl.core
+    PUBLIC
+        xrpl.libxrpl.basics
+        xrpl.libxrpl.json
+        xrpl.libxrpl.protocol
+        xrpl.libxrpl.protocol_autogen
+)
+
+# Level 07
 add_module(xrpl resource)
 target_link_libraries(xrpl.libxrpl.resource PUBLIC xrpl.libxrpl.protocol)

-# Level 07
+# Level 08
 add_module(xrpl net)
 target_link_libraries(
    xrpl.libxrpl.net
@@ -171,6 +182,7 @@ target_link_libraries(
        xrpl.libxrpl.basics
        xrpl.libxrpl.json
        xrpl.libxrpl.protocol
+        xrpl.libxrpl.protocol_autogen
        xrpl.libxrpl.rdb
        xrpl.libxrpl.server
        xrpl.libxrpl.shamap
@@ -206,6 +218,7 @@ target_link_modules(
    net
    nodestore
    protocol
+    protocol_autogen
    rdb
    resource
    server
--- a/cmake/XrplInstall.cmake
+++ b/cmake/XrplInstall.cmake
@@ -2,100 +2,38 @@
   install stuff
 #]===================================================================]

-include(create_symbolic_link)
+include(GNUInstallDirs)

-# If no suffix is defined for executables (e.g. Windows uses .exe but Linux
-# and macOS use none), then explicitly set it to the empty string.
-if(NOT DEFINED suffix)
-    set(suffix "")
+if(is_root_project AND TARGET xrpld)
+    install(
+        TARGETS xrpld
+        RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT runtime
+    )
+
+    install(
+        FILES "${CMAKE_CURRENT_SOURCE_DIR}/cfg/xrpld-example.cfg"
+        DESTINATION "${CMAKE_INSTALL_SYSCONFDIR}/xrpld"
+        RENAME xrpld.cfg
+        COMPONENT runtime
+    )
+
+    install(
+        FILES "${CMAKE_CURRENT_SOURCE_DIR}/cfg/validators-example.txt"
+        DESTINATION "${CMAKE_INSTALL_SYSCONFDIR}/xrpld"
+        RENAME validators.txt
+        COMPONENT runtime
+    )
 endif()

 install(
-    TARGETS
-        common
-        opts
-        xrpl_boost
-        xrpl_libs
-        xrpl_syslibs
-        xrpl.imports.main
-        xrpl.libpb
-        xrpl.libxrpl
-        xrpl.libxrpl.basics
-        xrpl.libxrpl.beast
-        xrpl.libxrpl.conditions
-        xrpl.libxrpl.core
-        xrpl.libxrpl.crypto
-        xrpl.libxrpl.git
-        xrpl.libxrpl.json
-        xrpl.libxrpl.rdb
-        xrpl.libxrpl.ledger
-        xrpl.libxrpl.net
-        xrpl.libxrpl.nodestore
-        xrpl.libxrpl.protocol
-        xrpl.libxrpl.resource
-        xrpl.libxrpl.server
-        xrpl.libxrpl.shamap
-        xrpl.libxrpl.tx
-        antithesis-sdk-cpp
-    EXPORT XrplExports
-    LIBRARY DESTINATION lib
-    ARCHIVE DESTINATION lib
-    RUNTIME DESTINATION bin
-    INCLUDES DESTINATION include
+    TARGETS xrpl.libpb xrpl.libxrpl
+    LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT development
+    ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT development
+    RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT development
 )

 install(
    DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}/include/xrpl"
    DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}"
-)
-
-install(
-    EXPORT XrplExports
-    FILE XrplTargets.cmake
-    NAMESPACE Xrpl::
-    DESTINATION lib/cmake/xrpl
-)
-include(CMakePackageConfigHelpers)
-write_basic_package_version_file(
-    XrplConfigVersion.cmake
-    VERSION ${xrpld_version}
-    COMPATIBILITY SameMajorVersion
-)
-
-if(is_root_project AND TARGET xrpld)
-    install(TARGETS xrpld RUNTIME DESTINATION bin)
-    set_target_properties(xrpld PROPERTIES INSTALL_RPATH_USE_LINK_PATH ON)
-    # sample configs should not overwrite existing files
-    # install if-not-exists workaround as suggested by
-    # https://cmake.org/Bug/view.php?id=12646
-    install(
-        CODE
-            "
-    macro (copy_if_not_exists SRC DEST NEWNAME)
-      if (NOT EXISTS \"\$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/\${DEST}/\${NEWNAME}\")
-        file (INSTALL FILE_PERMISSIONS OWNER_READ OWNER_WRITE DESTINATION \"\${CMAKE_INSTALL_PREFIX}/\${DEST}\" FILES \"\${SRC}\" RENAME \"\${NEWNAME}\")
-      else ()
-        message (\"-- Skipping : \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/\${DEST}/\${NEWNAME}\")
-      endif ()
-    endmacro()
-    copy_if_not_exists(\"${CMAKE_CURRENT_SOURCE_DIR}/cfg/xrpld-example.cfg\" etc xrpld.cfg)
-    copy_if_not_exists(\"${CMAKE_CURRENT_SOURCE_DIR}/cfg/validators-example.txt\" etc validators.txt)
-  "
-    )
-    install(
-        CODE
-            "
-    set(CMAKE_MODULE_PATH \"${CMAKE_MODULE_PATH}\")
-    include(create_symbolic_link)
-    create_symbolic_link(xrpld${suffix} \
-       \$ENV{DESTDIR}\${CMAKE_INSTALL_PREFIX}/${CMAKE_INSTALL_BINDIR}/rippled${suffix})
-  "
-    )
-endif()
-
-install(
-    FILES
-        ${CMAKE_CURRENT_SOURCE_DIR}/cmake/XrplConfig.cmake
-        ${CMAKE_CURRENT_BINARY_DIR}/XrplConfigVersion.cmake
-    DESTINATION lib/cmake/xrpl
+    COMPONENT development
 )
--- a/cmake/XrplInterface.cmake
+++ b/cmake/XrplInterface.cmake
@@ -23,7 +23,6 @@ target_compile_definitions(
        BOOST_FILESYSTEM_NO_DEPRECATED
        >
        $<$<NOT:$<BOOL:${boost_show_deprecated}>>:
-        BOOST_COROUTINES_NO_DEPRECATION_WARNING
        BOOST_BEAST_ALLOW_DEPRECATED
        BOOST_FILESYSTEM_DEPRECATED
        >
--- a/cmake/XrplPackaging.cmake
+++ b/cmake/XrplPackaging.cmake
@@ -0,0 +1,44 @@
+#[===================================================================[
+   Linux packaging support: 'package' target.
+
+   The packaging script (package/build_pkg.sh) installs to FHS-standard
+   paths (/usr/bin, /etc/xrpld, etc.) regardless of CMAKE_INSTALL_PREFIX,
+   so no prefix guard is needed here.
+#]===================================================================]
+if(NOT is_linux)
+    message(STATUS "Packaging not supported on non-Linux hosts")
+    return()
+endif()
+
+if(NOT DEFINED pkg_release)
+    set(pkg_release 1)
+endif()
+
+find_program(RPMBUILD_EXECUTABLE rpmbuild)
+find_program(DPKG_BUILDPACKAGE_EXECUTABLE dpkg-buildpackage)
+
+if(NOT (RPMBUILD_EXECUTABLE OR DPKG_BUILDPACKAGE_EXECUTABLE))
+    message(
+        STATUS
+        "Neither rpmbuild nor dpkg-buildpackage found; 'package' target not available"
+    )
+    return()
+endif()
+
+set(package_env
+    SRC_DIR=${CMAKE_SOURCE_DIR}
+    BUILD_DIR=${CMAKE_BINARY_DIR}
+    PKG_VERSION=${xrpld_version}
+    PKG_RELEASE=${pkg_release}
+)
+
+add_custom_target(
+    package
+    COMMAND
+        ${CMAKE_COMMAND} -E env ${package_env}
+        ${CMAKE_SOURCE_DIR}/package/build_pkg.sh
+    WORKING_DIRECTORY ${CMAKE_BINARY_DIR}
+    DEPENDS xrpld
+    COMMENT "Building Linux package (deb/rpm inferred from host tooling)"
+    VERBATIM
+)
--- a/cmake/XrplProtocolAutogen.cmake
+++ b/cmake/XrplProtocolAutogen.cmake
@@ -0,0 +1,146 @@
+#[===================================================================[
+   Protocol Autogen - Code generation for protocol wrapper classes
+#]===================================================================]
+
+set(CODEGEN_VENV_DIR
+    "${CMAKE_CURRENT_SOURCE_DIR}/.venv"
+    CACHE PATH
+    "Path to a Python virtual environment for code generation. A venv will be created here by setup_code_gen and used to run generation scripts."
+)
+
+# Directory paths
+set(MACRO_DIR "${CMAKE_CURRENT_SOURCE_DIR}/include/xrpl/protocol/detail")
+set(AUTOGEN_HEADER_DIR
+    "${CMAKE_CURRENT_SOURCE_DIR}/include/xrpl/protocol_autogen"
+)
+set(AUTOGEN_TEST_DIR
+    "${CMAKE_CURRENT_SOURCE_DIR}/src/tests/libxrpl/protocol_autogen"
+)
+set(SCRIPTS_DIR "${CMAKE_CURRENT_SOURCE_DIR}/cmake/scripts/codegen")
+
+# Input macro files
+set(TRANSACTIONS_MACRO "${MACRO_DIR}/transactions.macro")
+set(LEDGER_ENTRIES_MACRO "${MACRO_DIR}/ledger_entries.macro")
+set(SFIELDS_MACRO "${MACRO_DIR}/sfields.macro")
+
+# Python scripts and templates
+set(GENERATE_TX_SCRIPT "${SCRIPTS_DIR}/generate_tx_classes.py")
+set(GENERATE_LEDGER_SCRIPT "${SCRIPTS_DIR}/generate_ledger_classes.py")
+set(REQUIREMENTS_FILE "${SCRIPTS_DIR}/requirements.txt")
+set(MACRO_PARSER_COMMON "${SCRIPTS_DIR}/macro_parser_common.py")
+set(TX_TEMPLATE "${SCRIPTS_DIR}/templates/Transaction.h.mako")
+set(TX_TEST_TEMPLATE "${SCRIPTS_DIR}/templates/TransactionTests.cpp.mako")
+set(LEDGER_TEMPLATE "${SCRIPTS_DIR}/templates/LedgerEntry.h.mako")
+set(LEDGER_TEST_TEMPLATE "${SCRIPTS_DIR}/templates/LedgerEntryTests.cpp.mako")
+set(ALL_INPUT_FILES
+    "${TRANSACTIONS_MACRO}"
+    "${LEDGER_ENTRIES_MACRO}"
+    "${SFIELDS_MACRO}"
+    "${GENERATE_TX_SCRIPT}"
+    "${GENERATE_LEDGER_SCRIPT}"
+    "${REQUIREMENTS_FILE}"
+    "${MACRO_PARSER_COMMON}"
+    "${TX_TEMPLATE}"
+    "${TX_TEST_TEMPLATE}"
+    "${LEDGER_TEMPLATE}"
+    "${LEDGER_TEST_TEMPLATE}"
+)
+
+# Create output directories
+file(MAKE_DIRECTORY "${AUTOGEN_HEADER_DIR}/transactions")
+file(MAKE_DIRECTORY "${AUTOGEN_HEADER_DIR}/ledger_entries")
+file(MAKE_DIRECTORY "${AUTOGEN_TEST_DIR}/ledger_entries")
+file(MAKE_DIRECTORY "${AUTOGEN_TEST_DIR}/transactions")
+
+# Find Python3
+if(NOT Python3_EXECUTABLE)
+    find_package(Python3 COMPONENTS Interpreter QUIET)
+endif()
+
+if(NOT Python3_EXECUTABLE)
+    find_program(Python3_EXECUTABLE NAMES python3 python)
+endif()
+
+if(NOT Python3_EXECUTABLE)
+    message(
+        WARNING
+        "Python3 not found. The 'code_gen' and 'setup_code_gen' targets will not be available."
+    )
+    return()
+endif()
+
+# Warn if pip is configured with a non-default index (may need VPN).
+execute_process(
+    COMMAND ${Python3_EXECUTABLE} -m pip config get global.index-url
+    OUTPUT_VARIABLE PIP_INDEX_URL
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+    ERROR_QUIET
+    RESULT_VARIABLE PIP_CONFIG_RESULT
+)
+if(PIP_CONFIG_RESULT EQUAL 0 AND PIP_INDEX_URL)
+    if(
+        NOT PIP_INDEX_URL STREQUAL "https://pypi.org/simple"
+        AND NOT PIP_INDEX_URL STREQUAL "https://pypi.python.org/simple"
+    )
+        message(
+            WARNING
+            "Private pip index URL detected: ${PIP_INDEX_URL}\n"
+            "You may need to connect to VPN to access this URL."
+        )
+    endif()
+endif()
+
+# Determine which Python interpreter to use for code generation.
+if(CODEGEN_VENV_DIR)
+    if(WIN32)
+        set(CODEGEN_PYTHON "${CODEGEN_VENV_DIR}/Scripts/python.exe")
+    else()
+        set(CODEGEN_PYTHON "${CODEGEN_VENV_DIR}/bin/python")
+    endif()
+else()
+    set(CODEGEN_PYTHON "${Python3_EXECUTABLE}")
+    message(
+        WARNING
+        "CODEGEN_VENV_DIR is not set. Dependencies will be installed globally.\n"
+        "If this is not intended, reconfigure with:\n"
+        "  cmake . -UCODEGEN_VENV_DIR"
+    )
+endif()
+
+# Custom target to create a venv and install Python dependencies.
+# Run manually with: cmake --build . --target setup_code_gen
+if(CODEGEN_VENV_DIR)
+    add_custom_target(
+        setup_code_gen
+        COMMAND ${Python3_EXECUTABLE} -m venv "${CODEGEN_VENV_DIR}"
+        COMMAND ${CODEGEN_PYTHON} -m pip install -r "${REQUIREMENTS_FILE}"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+        COMMENT "Creating venv and installing code generation dependencies..."
+    )
+else()
+    add_custom_target(
+        setup_code_gen
+        COMMAND ${Python3_EXECUTABLE} -m pip install -r "${REQUIREMENTS_FILE}"
+        WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+        COMMENT "Installing code generation dependencies..."
+    )
+endif()
+
+# Custom target for code generation, excluded from ALL.
+# Run manually with: cmake --build . --target code_gen
+add_custom_target(
+    code_gen
+    COMMAND
+        ${CMAKE_COMMAND} -DCODEGEN_PYTHON=${CODEGEN_PYTHON}
+        -DGENERATE_TX_SCRIPT=${GENERATE_TX_SCRIPT}
+        -DGENERATE_LEDGER_SCRIPT=${GENERATE_LEDGER_SCRIPT}
+        -DTRANSACTIONS_MACRO=${TRANSACTIONS_MACRO}
+        -DLEDGER_ENTRIES_MACRO=${LEDGER_ENTRIES_MACRO}
+        -DSFIELDS_MACRO=${SFIELDS_MACRO}
+        -DAUTOGEN_HEADER_DIR=${AUTOGEN_HEADER_DIR}
+        -DAUTOGEN_TEST_DIR=${AUTOGEN_TEST_DIR} -P
+        "${CMAKE_CURRENT_SOURCE_DIR}/cmake/XrplProtocolAutogenRun.cmake"
+    WORKING_DIRECTORY "${CMAKE_CURRENT_SOURCE_DIR}"
+    COMMENT "Running protocol code generation..."
+    SOURCES ${ALL_INPUT_FILES}
+)
--- a/cmake/XrplProtocolAutogenRun.cmake
+++ b/cmake/XrplProtocolAutogenRun.cmake
@@ -0,0 +1,39 @@
+#[===================================================================[
+   Protocol Autogen - Run script invoked by the 'code_gen' target
+#]===================================================================]
+
+# Generate transaction classes.
+execute_process(
+    COMMAND
+        ${CODEGEN_PYTHON} "${GENERATE_TX_SCRIPT}" "${TRANSACTIONS_MACRO}"
+        --header-dir "${AUTOGEN_HEADER_DIR}/transactions" --test-dir
+        "${AUTOGEN_TEST_DIR}/transactions" --sfields-macro "${SFIELDS_MACRO}"
+    RESULT_VARIABLE TX_RESULT
+    OUTPUT_VARIABLE TX_OUTPUT
+    ERROR_VARIABLE TX_ERROR
+)
+if(NOT TX_RESULT EQUAL 0)
+    message(
+        FATAL_ERROR
+        "Transaction code generation failed:\n${TX_OUTPUT}\n${TX_ERROR}\n${TX_RESULT}"
+    )
+endif()
+
+# Generate ledger entry classes.
+execute_process(
+    COMMAND
+        ${CODEGEN_PYTHON} "${GENERATE_LEDGER_SCRIPT}" "${LEDGER_ENTRIES_MACRO}"
+        --header-dir "${AUTOGEN_HEADER_DIR}/ledger_entries" --test-dir
+        "${AUTOGEN_TEST_DIR}/ledger_entries" --sfields-macro "${SFIELDS_MACRO}"
+    RESULT_VARIABLE LEDGER_RESULT
+    OUTPUT_VARIABLE LEDGER_OUTPUT
+    ERROR_VARIABLE LEDGER_ERROR
+)
+if(NOT LEDGER_RESULT EQUAL 0)
+    message(
+        FATAL_ERROR
+        "Ledger entry code generation failed:\n${LEDGER_OUTPUT}\n${LEDGER_ERROR}\n${TX_RESULT}"
+    )
+endif()
+
+message(STATUS "Protocol autogen: code generation complete")
--- a/cmake/XrplSanitizers.cmake
+++ b/cmake/XrplSanitizers.cmake
@@ -1,138 +1,33 @@
 #[===================================================================[
-   Configure sanitizers based on environment variables.
+   Apply sanitizer flags built by the Conan profile.

-   This module reads the following environment variables:
-   - SANITIZERS: The sanitizers to enable. Possible values:
-     - "address"
-     - "address,undefinedbehavior"
-     - "thread"
-     - "thread,undefinedbehavior"
-     - "undefinedbehavior"
+   Parsing, validation, and flag construction are performed in conan/profiles/sanitizers.
+   This module reads the following CMake variables injected by the Conan toolchain via extra_variables:

-   The compiler type and platform are detected in CompilationEnv.cmake.
-   The sanitizer compile options are applied to the 'common' interface library
-   which is linked to all targets in the project.
+   - SANITIZERS:                The active sanitizers (e.g. "address,undefinedbehavior").
+   - SANITIZERS_COMPILER_FLAGS: Space-separated compiler flags.
+   - SANITIZERS_LINKER_FLAGS:   Space-separated linker flags.

-   Internal flag variables set by this module:
-
-   - SANITIZER_TYPES: List of sanitizer types to enable (e.g., "address",
-     "thread", "undefined"). And two more flags for undefined behavior sanitizer (e.g., "float-divide-by-zero", "unsigned-integer-overflow").
-     This list is joined with commas and passed to -fsanitize=<list>.
-
-   - SANITIZERS_COMPILE_FLAGS: Compiler flags for sanitizer instrumentation.
-     Includes:
-     * -fno-omit-frame-pointer: Preserves frame pointers for stack traces
-     * -O1: Minimum optimization for reasonable performance
-     * -fsanitize=<types>: Enables sanitizer instrumentation
-     * -fsanitize-ignorelist=<path>: (Clang only) Compile-time ignorelist
-     * -mcmodel=large/medium: (GCC only) Code model for large binaries
-     * -Wno-stringop-overflow: (GCC only) Suppresses false positive warnings
-     * -Wno-tsan: (For GCC TSAN combination only) Suppresses atomic_thread_fence warnings
-
-   - SANITIZERS_LINK_FLAGS: Linker flags for sanitizer runtime libraries.
-     Includes:
-     * -fsanitize=<types>: Links sanitizer runtime libraries
-     * -mcmodel=large/medium: (GCC only) Matches compile-time code model
-
-   - SANITIZERS_RELOCATION_FLAGS: (GCC only) Code model flags for linking.
-     Used to handle large instrumented binaries on x86_64:
-     * -mcmodel=large: For AddressSanitizer (prevents relocation errors)
-     * -mcmodel=medium: For ThreadSanitizer (large model is incompatible)
+   The flags are applied to the 'common' interface library which is linked to all targets in the project.
 #]===================================================================]

+include_guard(GLOBAL)
 include(CompilationEnv)

-# Read environment variable
-set(SANITIZERS "")
-if(DEFINED ENV{SANITIZERS})
-    set(SANITIZERS "$ENV{SANITIZERS}")
-endif()
-
-# Set SANITIZERS_ENABLED flag for use in other modules
-if(SANITIZERS MATCHES "address|thread|undefinedbehavior")
-    set(SANITIZERS_ENABLED TRUE)
-else()
+if(NOT DEFINED SANITIZERS)
    set(SANITIZERS_ENABLED FALSE)
    return()
 endif()
+set(SANITIZERS_ENABLED TRUE)

-# Sanitizers are not supported on Windows/MSVC
-if(is_msvc)
-    message(
-        FATAL_ERROR
-        "Sanitizers are not supported on Windows/MSVC. "
-        "Please unset the SANITIZERS environment variable."
-    )
-endif()
+message(STATUS "=== Configuring Sanitizers ===")
+message(STATUS "  SANITIZERS: ${SANITIZERS}")
+message(STATUS "  Compile flags: ${SANITIZERS_COMPILER_FLAGS}")
+message(STATUS "  Link flags: ${SANITIZERS_LINKER_FLAGS}")

-message(STATUS "Configuring sanitizers: ${SANITIZERS}")
-
-# Parse SANITIZERS value to determine which sanitizers to enable
-set(enable_asan FALSE)
-set(enable_tsan FALSE)
-set(enable_ubsan FALSE)
-
-# Normalize SANITIZERS into a list
-set(san_list "${SANITIZERS}")
-string(REPLACE "," ";" san_list "${san_list}")
-separate_arguments(san_list)
-
-foreach(san IN LISTS san_list)
-    if(san STREQUAL "address")
-        set(enable_asan TRUE)
-    elseif(san STREQUAL "thread")
-        set(enable_tsan TRUE)
-    elseif(san STREQUAL "undefinedbehavior")
-        set(enable_ubsan TRUE)
-    else()
-        message(
-            FATAL_ERROR
-            "Unsupported sanitizer type: ${san}"
-            "Supported: address, thread, undefinedbehavior and their combinations."
-        )
-    endif()
-endforeach()
-
-# Validate sanitizer compatibility
-if(enable_asan AND enable_tsan)
-    message(
-        FATAL_ERROR
-        "AddressSanitizer and ThreadSanitizer are incompatible and cannot be enabled simultaneously. "
-        "Use 'address' or 'thread', optionally with 'undefinedbehavior'."
-    )
-endif()
-
-# Frame pointer is required for meaningful stack traces. Sanitizers recommend minimum of -O1 for reasonable performance
-set(SANITIZERS_COMPILE_FLAGS "-fno-omit-frame-pointer" "-O1")
-
-# Build the sanitizer flags list
-set(SANITIZER_TYPES)
-
-if(enable_asan)
-    list(APPEND SANITIZER_TYPES "address")
-elseif(enable_tsan)
-    list(APPEND SANITIZER_TYPES "thread")
-endif()
-
-if(enable_ubsan)
-    # UB sanitizer flags
-    list(APPEND SANITIZER_TYPES "undefined" "float-divide-by-zero")
-    if(is_clang)
-        # Clang supports additional UB checks. More info here
-        # https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html
-        list(APPEND SANITIZER_TYPES "unsigned-integer-overflow")
-    endif()
-endif()
-
-# Configure code model for GCC on amd64 Use large code model for ASAN to avoid relocation errors Use medium code model
-# for TSAN (large is not compatible with TSAN)
-set(SANITIZERS_RELOCATION_FLAGS)
-
-# Compiler-specific configuration
+# GCC with sanitizers is incompatible with mold, gold, and lld linkers.
+# Namely, the instrumented binary exceeds size limits imposed by these linkers.
 if(is_gcc)
-    # Disable mold, gold and lld linkers for GCC with sanitizers Use default linker (bfd/ld) which is more lenient with
-    # mixed code models This is needed since the size of instrumented binary exceeds the limits set by mold, lld and
-    # gold linkers
    set(use_mold OFF CACHE BOOL "Use mold linker" FORCE)
    set(use_gold OFF CACHE BOOL "Use gold linker" FORCE)
    set(use_lld OFF CACHE BOOL "Use lld linker" FORCE)
@@ -140,80 +35,62 @@ if(is_gcc)
        STATUS
        "  Disabled mold, gold, and lld linkers for GCC with sanitizers"
    )
-
-    # Suppress false positive warnings in GCC with stringop-overflow
-    list(APPEND SANITIZERS_COMPILE_FLAGS "-Wno-stringop-overflow")
-
-    if(is_amd64 AND enable_asan)
-        message(STATUS "  Using large code model (-mcmodel=large)")
-        list(APPEND SANITIZERS_COMPILE_FLAGS "-mcmodel=large")
-        list(APPEND SANITIZERS_RELOCATION_FLAGS "-mcmodel=large")
-    elseif(enable_tsan)
-        # GCC doesn't support atomic_thread_fence with tsan. Suppress warnings.
-        list(APPEND SANITIZERS_COMPILE_FLAGS "-Wno-tsan")
-        message(STATUS "  Using medium code model (-mcmodel=medium)")
-        list(APPEND SANITIZERS_COMPILE_FLAGS "-mcmodel=medium")
-        list(APPEND SANITIZERS_RELOCATION_FLAGS "-mcmodel=medium")
-    endif()
-
-    # Join sanitizer flags with commas for -fsanitize option
-    list(JOIN SANITIZER_TYPES "," SANITIZER_TYPES_STR)
-
-    # Add sanitizer to compile and link flags
-    list(APPEND SANITIZERS_COMPILE_FLAGS "-fsanitize=${SANITIZER_TYPES_STR}")
-    set(SANITIZERS_LINK_FLAGS
-        "${SANITIZERS_RELOCATION_FLAGS}"
-        "-fsanitize=${SANITIZER_TYPES_STR}"
-    )
-elseif(is_clang)
-    # Add ignorelist for Clang (GCC doesn't support this) Use CMAKE_SOURCE_DIR to get the path to the ignorelist
-    set(IGNORELIST_PATH
-        "${CMAKE_SOURCE_DIR}/sanitizers/suppressions/sanitizer-ignorelist.txt"
-    )
-    if(NOT EXISTS "${IGNORELIST_PATH}")
-        message(
-            FATAL_ERROR
-            "Sanitizer ignorelist not found: ${IGNORELIST_PATH}"
-        )
-    endif()
-
-    list(
-        APPEND SANITIZERS_COMPILE_FLAGS
-        "-fsanitize-ignorelist=${IGNORELIST_PATH}"
-    )
-    message(STATUS "  Using sanitizer ignorelist: ${IGNORELIST_PATH}")
-
-    # Join sanitizer flags with commas for -fsanitize option
-    list(JOIN SANITIZER_TYPES "," SANITIZER_TYPES_STR)
-
-    # Add sanitizer to compile and link flags
-    list(APPEND SANITIZERS_COMPILE_FLAGS "-fsanitize=${SANITIZER_TYPES_STR}")
-    set(SANITIZERS_LINK_FLAGS "-fsanitize=${SANITIZER_TYPES_STR}")
 endif()

-message(STATUS "  Compile flags: ${SANITIZERS_COMPILE_FLAGS}")
-message(STATUS "  Link flags: ${SANITIZERS_LINK_FLAGS}")
+# Flags arrive as space-separated strings; split into CMake lists before use
+separate_arguments(
+    sanitizers_compiler_flags
+    UNIX_COMMAND
+    "${SANITIZERS_COMPILER_FLAGS}"
+)
+separate_arguments(
+    sanitizers_linker_flags
+    UNIX_COMMAND
+    "${SANITIZERS_LINKER_FLAGS}"
+)

-# Apply the sanitizer flags to the 'common' interface library This is the same library used by XrplCompiler.cmake
 target_compile_options(
    common
    INTERFACE
-        $<$<COMPILE_LANGUAGE:CXX>:${SANITIZERS_COMPILE_FLAGS}>
-        $<$<COMPILE_LANGUAGE:C>:${SANITIZERS_COMPILE_FLAGS}>
+        $<$<COMPILE_LANGUAGE:CXX>:${sanitizers_compiler_flags}>
+        $<$<COMPILE_LANGUAGE:C>:${sanitizers_compiler_flags}>
 )
+target_link_options(common INTERFACE ${sanitizers_linker_flags})

-# Apply linker flags
-target_link_options(common INTERFACE ${SANITIZERS_LINK_FLAGS})
+# This module appends -fsanitize-ignorelist=<path> for Clang builds.
+# The ignorelist path contains CMAKE_SOURCE_DIR, so it must be set here, rather than in the Conan profile.
+# GCC does not support -fsanitize-ignorelist.
+if(is_clang)
+    set(ignorelist_path
+        "${CMAKE_SOURCE_DIR}/sanitizers/suppressions/sanitizer-ignorelist.txt"
+    )
+    if(NOT EXISTS "${ignorelist_path}")
+        message(
+            FATAL_ERROR
+            "Sanitizer ignorelist not found: ${ignorelist_path}"
+        )
+    endif()
+    target_compile_options(
+        common
+        INTERFACE
+            $<$<COMPILE_LANGUAGE:CXX>:-fsanitize-ignorelist=${ignorelist_path}>
+            $<$<COMPILE_LANGUAGE:C>:-fsanitize-ignorelist=${ignorelist_path}>
+    )
+    message(STATUS "  Ignorelist: ${ignorelist_path}")
+endif()

 # Define SANITIZERS macro for BuildInfo.cpp
 set(sanitizers_list)
-if(enable_asan)
+if(SANITIZERS MATCHES "address")
+    set(enable_asan ON)
    list(APPEND sanitizers_list "ASAN")
 endif()
-if(enable_tsan)
+if(SANITIZERS MATCHES "thread")
+    set(enable_tsan ON)
    list(APPEND sanitizers_list "TSAN")
 endif()
-if(enable_ubsan)
+if(SANITIZERS MATCHES "undefinedbehavior")
+    set(enable_ubsan ON)
    list(APPEND sanitizers_list "UBSAN")
 endif()

--- a/cmake/XrplSanity.cmake
+++ b/cmake/XrplSanity.cmake
@@ -50,6 +50,13 @@ if(MSVC AND CMAKE_GENERATOR_PLATFORM STREQUAL "Win32")
    message(FATAL_ERROR "Visual Studio 32-bit build is not supported.")
 endif()

+if(voidstar AND NOT is_amd64)
+    message(
+        FATAL_ERROR
+        "The voidstar library only supported on amd64/x86_64. Detected archictecture was: ${CMAKE_SYSTEM_PROCESSOR}"
+    )
+endif()
+
 if(APPLE AND NOT HOMEBREW)
    find_program(HOMEBREW brew)
 endif()
--- a/cmake/deps/Boost.cmake
+++ b/cmake/deps/Boost.cmake
@@ -7,7 +7,7 @@ find_package(
    COMPONENTS
        chrono
        container
-        coroutine
+        context
        date_time
        filesystem
        json
@@ -26,7 +26,7 @@ target_link_libraries(
        Boost::headers
        Boost::chrono
        Boost::container
-        Boost::coroutine
+        Boost::context
        Boost::date_time
        Boost::filesystem
        Boost::json
@@ -38,23 +38,26 @@ target_link_libraries(
 if(Boost_COMPILER)
    target_link_libraries(xrpl_boost INTERFACE Boost::disable_autolinking)
 endif()
-if(SANITIZERS_ENABLED AND is_clang)
-    # TODO: gcc does not support -fsanitize-blacklist...can we do something else for gcc ?
-    if(NOT Boost_INCLUDE_DIRS AND TARGET Boost::headers)
-        get_target_property(
-            Boost_INCLUDE_DIRS
-            Boost::headers
-            INTERFACE_INCLUDE_DIRECTORIES
-        )
-    endif()
-    message(STATUS "Adding [${Boost_INCLUDE_DIRS}] to sanitizer blacklist")
-    file(
-        WRITE ${CMAKE_CURRENT_BINARY_DIR}/san_bl.txt
-        "src:${Boost_INCLUDE_DIRS}/*"
-    )
-    target_compile_options(
-        opts
-        INTERFACE # ignore boost headers for sanitizing
-            -fsanitize-blacklist=${CMAKE_CURRENT_BINARY_DIR}/san_bl.txt
+
+# GCC 14+ has a false positive -Wuninitialized warning in Boost.Coroutine2's
+# state.hpp when compiled with -O3. This is due to GCC's intentional behavior
+# change (Bug #98871, #119388) where warnings from inlined system header code
+# are no longer suppressed by -isystem. The warning occurs in operator|= in
+# boost/coroutine2/detail/state.hpp when inlined from push_control_block::destroy().
+# See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=119388
+if(is_gcc AND CMAKE_CXX_COMPILER_VERSION VERSION_GREATER_EQUAL 14)
+    target_compile_options(xrpl_boost INTERFACE -Wno-uninitialized)
+endif()
+
+# Boost.Context's ucontext backend has ASAN fiber-switching annotations
+# (start/finish_switch_fiber) that are compiled in when BOOST_USE_ASAN is defined.
+# This tells ASAN about coroutine stack switches, preventing false positive
+# stack-use-after-scope errors. BOOST_USE_UCONTEXT ensures the ucontext backend
+# is selected (fcontext does not support ASAN annotations).
+# These defines must match what Boost was compiled with (see conan/profiles/sanitizers).
+if(enable_asan)
+    target_compile_definitions(
+        xrpl_boost
+        INTERFACE BOOST_USE_ASAN BOOST_USE_UCONTEXT
    )
 endif()
--- a/cmake/scripts/codegen/generate_ledger_classes.py
+++ b/cmake/scripts/codegen/generate_ledger_classes.py
@@ -0,0 +1,211 @@
+#!/usr/bin/env python3
+"""
+Generate C++ wrapper classes for XRP Ledger entry types from ledger_entries.macro.
+
+This script parses the ledger_entries.macro file and generates type-safe wrapper
+classes for each ledger entry type, similar to the transaction wrapper classes.
+
+Uses pcpp to preprocess the macro file and pyparsing to parse the DSL.
+"""
+
+import io
+import argparse
+from pathlib import Path
+import pyparsing as pp
+
+# Import common utilities
+from macro_parser_common import (
+    CppCleaner,
+    parse_sfields_macro,
+    parse_field_list,
+    generate_cpp_class,
+    generate_from_template,
+    clear_output_directory,
+)
+
+
+def create_ledger_entry_parser():
+    """Create a pyparsing parser for LEDGER_ENTRY macros.
+
+    This parser extracts the full LEDGER_ENTRY macro call and parses its arguments
+    using pyparsing's nesting-aware delimited list parsing.
+    """
+    # Match the exact words
+    ledger_entry = pp.Keyword("LEDGER_ENTRY") | pp.Keyword("LEDGER_ENTRY_DUPLICATE")
+
+    # Define nested structures so pyparsing protects them
+    nested_braces = pp.original_text_for(pp.nested_expr("{", "}"))
+    nested_parens = pp.original_text_for(pp.nested_expr("(", ")"))
+
+    # Define standard text (anything that isn't a comma, parens, or braces)
+    plain_text = pp.Word(pp.printables + " \t\n", exclude_chars=",{}()")
+
+    # A single argument is any combination of the above
+    single_arg = pp.Combine(pp.OneOrMore(nested_braces | nested_parens | plain_text))
+    single_arg.set_parse_action(lambda t: t[0].strip())
+
+    # The arguments are a delimited list
+    args_list = pp.DelimitedList(single_arg)
+
+    # The full macro: LEDGER_ENTRY(args) or LEDGER_ENTRY_DUPLICATE(args)
+    macro_parser = (
+        ledger_entry + pp.Suppress("(") + pp.Group(args_list)("args") + pp.Suppress(")")
+    )
+
+    return macro_parser
+
+
+def parse_ledger_entry_args(args_list):
+    """Parse the arguments of a LEDGER_ENTRY macro call.
+
+    Args:
+        args_list: A list of parsed arguments from pyparsing, e.g.,
+                   ['ltACCOUNT_ROOT', '0x0061', 'AccountRoot', 'account', '({...})']
+
+    Returns:
+        A dict with parsed ledger entry information.
+    """
+    if len(args_list) < 5:
+        raise ValueError(
+            f"Expected at least 5 parts in LEDGER_ENTRY, got {len(args_list)}: {args_list}"
+        )
+
+    tag = args_list[0]
+    value = args_list[1]
+    name = args_list[2]
+    rpc_name = args_list[3]
+    fields_str = args_list[-1]
+
+    # Parse fields: ({field1, field2, ...})
+    fields = parse_field_list(fields_str)
+
+    return {
+        "tag": tag,
+        "value": value,
+        "name": name,
+        "rpc_name": rpc_name,
+        "fields": fields,
+    }
+
+
+def parse_macro_file(file_path):
+    """Parse the ledger_entries.macro file and return a list of ledger entry definitions.
+
+    Uses pcpp to preprocess the file and pyparsing to parse the LEDGER_ENTRY macros.
+    """
+    with open(file_path, "r") as f:
+        c_code = f.read()
+
+    # Step 1: Clean the C++ code using pcpp
+    cleaner = CppCleaner("LEDGER_ENTRY_INCLUDE", "LEDGER_ENTRY")
+    cleaner.parse(c_code)
+
+    out = io.StringIO()
+    cleaner.write(out)
+    clean_text = out.getvalue()
+
+    # Step 2: Parse the clean text using pyparsing
+    parser = create_ledger_entry_parser()
+    entries = []
+
+    for match, _, _ in parser.scan_string(clean_text):
+        # Extract the macro name and arguments
+        raw_args = match.args
+
+        # Parse the arguments
+        entry_data = parse_ledger_entry_args(raw_args)
+        entries.append(entry_data)
+
+    return entries
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Generate C++ ledger entry classes from ledger_entries.macro"
+    )
+    parser.add_argument("macro_path", help="Path to ledger_entries.macro")
+    parser.add_argument(
+        "--header-dir",
+        help="Output directory for header files",
+        default="include/xrpl/protocol_autogen/ledger_entries",
+    )
+    parser.add_argument(
+        "--test-dir",
+        help="Output directory for test files (optional)",
+        default=None,
+    )
+    parser.add_argument(
+        "--sfields-macro",
+        help="Path to sfields.macro (default: auto-detect from macro_path)",
+    )
+    parser.add_argument("--venv-dir", help=argparse.SUPPRESS)
+    args = parser.parse_args()
+
+    # Parse the macro file to get ledger entry names
+    entries = parse_macro_file(args.macro_path)
+
+    # Auto-detect sfields.macro path if not provided
+    if args.sfields_macro:
+        sfields_path = Path(args.sfields_macro)
+    else:
+        # Assume sfields.macro is in the same directory as ledger_entries.macro
+        macro_path = Path(args.macro_path)
+        sfields_path = macro_path.parent / "sfields.macro"
+
+    # Parse sfields.macro to get field type information
+    print(f"Parsing {sfields_path}...")
+    field_types = parse_sfields_macro(sfields_path)
+    print(
+        f"Found {len(field_types)} field definitions ({sum(1 for f in field_types.values() if f['typed'])} typed, {sum(1 for f in field_types.values() if not f['typed'])} untyped)\n"
+    )
+
+    print(f"Found {len(entries)} ledger entries\n")
+
+    for entry in entries:
+        print(f"Ledger Entry: {entry['name']}")
+        print(f"  Tag: {entry['tag']}")
+        print(f"  Value: {entry['value']}")
+        print(f"  RPC Name: {entry['rpc_name']}")
+        print(f"  Fields: {len(entry['fields'])}")
+        for field in entry["fields"]:
+            mpt_info = f" ({field['mpt_support']})" if "mpt_support" in field else ""
+            print(f"    - {field['name']}: {field['requirement']}{mpt_info}")
+        print()
+
+    # Set up template directory
+    script_dir = Path(__file__).parent
+    template_dir = script_dir / "templates"
+
+    # Generate C++ classes
+    header_dir = Path(args.header_dir)
+    header_dir.mkdir(parents=True, exist_ok=True)
+
+    # Clear existing generated files before regenerating
+    clear_output_directory(header_dir)
+
+    for entry in entries:
+        generate_cpp_class(
+            entry, header_dir, template_dir, field_types, "LedgerEntry.h.mako"
+        )
+
+    print(f"\nGenerated {len(entries)} ledger entry classes")
+
+    # Generate unit tests if --test-dir is provided
+    if args.test_dir:
+        test_dir = Path(args.test_dir)
+        test_dir.mkdir(parents=True, exist_ok=True)
+
+        # Clear existing generated test files before regenerating
+        clear_output_directory(test_dir)
+
+        for entry in entries:
+            # Fields are already enriched from generate_cpp_class above
+            generate_from_template(
+                entry, test_dir, template_dir, "LedgerEntryTests.cpp.mako", "Tests.cpp"
+            )
+
+        print(f"\nGenerated {len(entries)} ledger entry test files")
+
+
+if __name__ == "__main__":
+    main()
--- a/cmake/scripts/codegen/generate_tx_classes.py
+++ b/cmake/scripts/codegen/generate_tx_classes.py
@@ -0,0 +1,231 @@
+#!/usr/bin/env python3
+"""
+Parse transactions.macro file to extract transaction information
+and generate C++ classes for each transaction type.
+
+Uses pcpp to preprocess the macro file and pyparsing to parse the DSL.
+"""
+
+import io
+import argparse
+from pathlib import Path
+import pyparsing as pp
+
+# Import common utilities
+from macro_parser_common import (
+    CppCleaner,
+    parse_sfields_macro,
+    parse_field_list,
+    generate_cpp_class,
+    generate_from_template,
+    clear_output_directory,
+)
+
+
+def create_transaction_parser():
+    """Create a pyparsing parser for TRANSACTION macros.
+
+    This parser extracts the full TRANSACTION macro call and parses its arguments
+    using pyparsing's nesting-aware delimited list parsing.
+    """
+    # Define nested structures so pyparsing protects them
+    nested_braces = pp.original_text_for(pp.nested_expr("{", "}"))
+    nested_parens = pp.original_text_for(pp.nested_expr("(", ")"))
+
+    # Define standard text (anything that isn't a comma, parens, or braces)
+    plain_text = pp.Word(pp.printables + " \t\n", exclude_chars=",{}()")
+
+    # A single argument is any combination of the above
+    single_arg = pp.Combine(pp.OneOrMore(nested_braces | nested_parens | plain_text))
+    single_arg.set_parse_action(lambda t: t[0].strip())
+
+    # The arguments are a delimited list
+    args_list = pp.DelimitedList(single_arg)
+
+    # The full macro: TRANSACTION(args)
+    macro_parser = (
+        pp.Keyword("TRANSACTION")
+        + pp.Suppress("(")
+        + pp.Group(args_list)("args")
+        + pp.Suppress(")")
+    )
+
+    return macro_parser
+
+
+def parse_transaction_args(args_list):
+    """Parse the arguments of a TRANSACTION macro call.
+
+    Args:
+        args_list: A list of parsed arguments from pyparsing, e.g.,
+                   ['ttPAYMENT', '0', 'Payment', 'Delegation::delegable',
+                    'uint256{}', 'createAcct', '({...})']
+
+    Returns:
+        A dict with parsed transaction information.
+    """
+    if len(args_list) < 7:
+        raise ValueError(
+            f"Expected at least 7 parts in TRANSACTION, got {len(args_list)}: {args_list}"
+        )
+
+    tag = args_list[0]
+    value = args_list[1]
+    name = args_list[2]
+    delegable = args_list[3]
+    amendments = args_list[4]
+    privileges = args_list[5]
+    fields_str = args_list[-1]
+
+    # Parse fields: ({field1, field2, ...})
+    fields = parse_field_list(fields_str)
+
+    return {
+        "tag": tag,
+        "value": value,
+        "name": name,
+        "delegable": delegable,
+        "amendments": amendments,
+        "privileges": privileges,
+        "fields": fields,
+    }
+
+
+def parse_macro_file(filepath):
+    """Parse the transactions.macro file.
+
+    Uses pcpp to preprocess the file and pyparsing to parse the TRANSACTION macros.
+    """
+    with open(filepath, "r") as f:
+        c_code = f.read()
+
+    # Step 1: Clean the C++ code using pcpp
+    cleaner = CppCleaner("TRANSACTION_INCLUDE", "TRANSACTION")
+    cleaner.parse(c_code)
+
+    out = io.StringIO()
+    cleaner.write(out)
+    clean_text = out.getvalue()
+
+    # Step 2: Parse the clean text using pyparsing
+    parser = create_transaction_parser()
+    transactions = []
+
+    for match, _, _ in parser.scan_string(clean_text):
+        # Extract the macro name and arguments
+        raw_args = match.args
+
+        # Parse the arguments
+        tx_data = parse_transaction_args(raw_args)
+        transactions.append(tx_data)
+
+    return transactions
+
+
+# TransactionBase is a static file in the repository at:
+# - include/xrpl/protocol/TransactionBase.h
+# - src/libxrpl/protocol/TransactionBase.cpp
+# It is NOT generated by this script.
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        description="Generate C++ transaction classes from transactions.macro"
+    )
+    parser.add_argument("macro_path", help="Path to transactions.macro")
+    parser.add_argument(
+        "--header-dir",
+        help="Output directory for header files",
+        default="include/xrpl/protocol_autogen/transactions",
+    )
+    parser.add_argument(
+        "--test-dir",
+        help="Output directory for test files (optional)",
+        default=None,
+    )
+    parser.add_argument(
+        "--sfields-macro",
+        help="Path to sfields.macro (default: auto-detect from macro_path)",
+    )
+    parser.add_argument("--venv-dir", help=argparse.SUPPRESS)
+    args = parser.parse_args()
+
+    # Parse the macro file to get transaction names
+    transactions = parse_macro_file(args.macro_path)
+
+    # Auto-detect sfields.macro path if not provided
+    if args.sfields_macro:
+        sfields_path = Path(args.sfields_macro)
+    else:
+        # Assume sfields.macro is in the same directory as transactions.macro
+        macro_path = Path(args.macro_path)
+        sfields_path = macro_path.parent / "sfields.macro"
+
+    # Parse sfields.macro to get field type information
+    print(f"Parsing {sfields_path}...")
+    field_types = parse_sfields_macro(sfields_path)
+    print(
+        f"Found {len(field_types)} field definitions ({sum(1 for f in field_types.values() if f['typed'])} typed, {sum(1 for f in field_types.values() if not f['typed'])} untyped)\n"
+    )
+
+    print(f"Found {len(transactions)} transactions\n")
+
+    for tx in transactions:
+        print(f"Transaction: {tx['name']}")
+        print(f"  Tag: {tx['tag']}")
+        print(f"  Value: {tx['value']}")
+        print(f"  Fields: {len(tx['fields'])}")
+        for field in tx["fields"]:
+            print(f"    - {field['name']}: {field['requirement']}")
+        print()
+
+    # Set up output directory
+    header_dir = Path(args.header_dir)
+    header_dir.mkdir(parents=True, exist_ok=True)
+
+    # Clear existing generated files before regenerating
+    clear_output_directory(header_dir)
+
+    print(f"\nGenerating header-only template classes...")
+    print(f"  Headers: {header_dir}\n")
+
+    # Set up template directory
+    script_dir = Path(__file__).parent
+    template_dir = script_dir / "templates"
+
+    generated_files = []
+    for tx_info in transactions:
+        header_path = generate_cpp_class(
+            tx_info, header_dir, template_dir, field_types, "Transaction.h.mako"
+        )
+        generated_files.append(header_path)
+        print(f"  Generated: {tx_info['name']}.h")
+
+    print(
+        f"\nGenerated {len(transactions)} transaction classes ({len(generated_files)} header files)"
+    )
+    print(f"  Headers: {header_dir.absolute()}")
+
+    # Generate unit tests if --test-dir is provided
+    if args.test_dir:
+        test_dir = Path(args.test_dir)
+        test_dir.mkdir(parents=True, exist_ok=True)
+
+        # Clear existing generated test files before regenerating
+        clear_output_directory(test_dir)
+
+        for tx_info in transactions:
+            # Fields are already enriched from generate_cpp_class above
+            generate_from_template(
+                tx_info,
+                test_dir,
+                template_dir,
+                "TransactionTests.cpp.mako",
+                "Tests.cpp",
+            )
+
+        print(f"\nGenerated {len(transactions)} transaction test files")
+
+
+if __name__ == "__main__":
+    main()
--- a/cmake/scripts/codegen/macro_parser_common.py
+++ b/cmake/scripts/codegen/macro_parser_common.py
@@ -0,0 +1,297 @@
+#!/usr/bin/env python3
+"""
+Common utilities for parsing XRP Ledger macro files.
+
+This module provides shared functionality for parsing transactions.macro
+and ledger_entries.macro files using pcpp and pyparsing.
+"""
+
+import re
+import shutil
+from pathlib import Path
+import pyparsing as pp
+from pcpp import Preprocessor
+
+
+def clear_output_directory(directory):
+    """Clear all generated files from an output directory.
+
+    Removes all .h and .cpp files from the directory, but preserves
+    the directory itself and any subdirectories.
+
+    Args:
+        directory: Path to the directory to clear
+    """
+    dir_path = Path(directory)
+    if not dir_path.exists():
+        return
+
+    # Remove generated files (headers and source files)
+    for pattern in ["*.h", "*.cpp"]:
+        for file_path in dir_path.glob(pattern):
+            file_path.unlink()
+
+    print(f"Cleared output directory: {dir_path}")
+
+
+class CppCleaner(Preprocessor):
+    """C preprocessor that removes C++ noise while preserving macro calls."""
+
+    def __init__(self, macro_include_name, macro_name):
+        """
+        Initialize the preprocessor.
+
+        Args:
+            macro_include_name: The name of the include flag to set to 0
+                               (e.g., "TRANSACTION_INCLUDE" or "LEDGER_ENTRY_INCLUDE")
+            macro_name: The name of the macro to define so #if !defined() checks pass
+                       (e.g., "TRANSACTION" or "LEDGER_ENTRY")
+        """
+        super(CppCleaner, self).__init__()
+        # Define flags so #if blocks evaluate correctly
+        # We set the include flag to 0 so includes are skipped
+        self.define(f"{macro_include_name} 0")
+        # Define the macro so #if !defined(MACRO) / #error checks pass
+        # We define it to expand to itself so the macro calls remain in the output
+        # for pyparsing to find and parse
+        self.define(f"{macro_name}(...) {macro_name}(__VA_ARGS__)")
+        # Suppress line directives
+        self.line_directive = None
+
+    def on_error(self, file, line, msg):
+        # Ignore #error directives
+        pass
+
+    def on_include_not_found(
+        self, is_malformed, is_system_include, curdir, includepath
+    ):
+        # Ignore missing headers
+        pass
+
+
+def parse_sfields_macro(sfields_path):
+    """
+    Parse sfields.macro to determine which fields are typed vs untyped.
+
+    Returns a dict mapping field names to their type information:
+    {
+        'sfMemos': {'typed': False, 'stiSuffix': 'ARRAY', 'typeData': {...}},
+        'sfAmount': {'typed': True, 'stiSuffix': 'AMOUNT', 'typeData': {...}},
+        ...
+    }
+    """
+    # Mapping from STI suffix to C++ type for untyped fields
+    UNTYPED_TYPE_MAP = {
+        "ARRAY": {
+            "getter_method": "getFieldArray",
+            "setter_method": "setFieldArray",
+            "setter_use_brackets": False,
+            "setter_type": "STArray const&",
+            "return_type": "STArray const&",
+            "return_type_optional": "std::optional<std::reference_wrapper<STArray const>>",
+        },
+        "OBJECT": {
+            "getter_method": "getFieldObject",
+            "setter_method": "setFieldObject",
+            "setter_use_brackets": False,
+            "setter_type": "STObject const&",
+            "return_type": "STObject",
+            "return_type_optional": "std::optional<STObject>",
+        },
+        "PATHSET": {
+            "getter_method": "getFieldPathSet",
+            "setter_method": "setFieldPathSet",
+            "setter_use_brackets": False,
+            "setter_type": "STPathSet const&",
+            "return_type": "STPathSet const&",
+            "return_type_optional": "std::optional<std::reference_wrapper<STPathSet const>>",
+        },
+    }
+
+    field_info = {}
+
+    with open(sfields_path, "r") as f:
+        content = f.read()
+
+    # Parse TYPED_SFIELD entries
+    # Format: TYPED_SFIELD(sfName, stiSuffix, fieldValue, ...)
+    typed_pattern = r"TYPED_SFIELD\s*\(\s*(\w+)\s*,\s*(\w+)\s*,"
+    for match in re.finditer(typed_pattern, content):
+        field_name = match.group(1)
+        sti_suffix = match.group(2)
+        field_info[field_name] = {
+            "typed": True,
+            "stiSuffix": sti_suffix,
+            "typeData": {
+                "getter_method": "at",
+                "setter_method": "",
+                "setter_use_brackets": True,
+                "setter_type": f"std::decay_t<typename SF_{sti_suffix}::type::value_type> const&",
+                "return_type": f"SF_{sti_suffix}::type::value_type",
+                "return_type_optional": f"protocol_autogen::Optional<SF_{sti_suffix}::type::value_type>",
+            },
+        }
+
+    # Parse UNTYPED_SFIELD entries
+    # Format: UNTYPED_SFIELD(sfName, stiSuffix, fieldValue, ...)
+    untyped_pattern = r"UNTYPED_SFIELD\s*\(\s*(\w+)\s*,\s*(\w+)\s*,"
+    for match in re.finditer(untyped_pattern, content):
+        field_name = match.group(1)
+        sti_suffix = match.group(2)
+        type_data = UNTYPED_TYPE_MAP.get(
+            sti_suffix, UNTYPED_TYPE_MAP.get("OBJECT")
+        )  # Default to OBJECT
+        field_info[field_name] = {
+            "typed": False,
+            "stiSuffix": sti_suffix,
+            "typeData": type_data,
+        }
+
+    return field_info
+
+
+def create_field_list_parser():
+    """Create a pyparsing parser for field lists like '({...})'."""
+    # A field identifier (e.g., sfDestination, SoeRequired, SoeMptSupported)
+    field_identifier = pp.Word(pp.alphas + "_", pp.alphanums + "_")
+
+    # A single field definition: {sfName, SoeRequired, ...}
+    # Allow optional trailing comma inside the braces
+    field_def = (
+        pp.Suppress("{")
+        + pp.Group(pp.DelimitedList(field_identifier) + pp.Optional(pp.Suppress(",")))(
+            "parts"
+        )
+        + pp.Suppress("}")
+    )
+
+    # The field list: ({field1, field2, ...}) or ({}) for empty lists
+    # Allow optional trailing comma after the last field definition
+    field_list = (
+        pp.Suppress("(")
+        + pp.Suppress("{")
+        + pp.Group(
+            pp.Optional(pp.DelimitedList(field_def) + pp.Optional(pp.Suppress(",")))
+        )("fields")
+        + pp.Suppress("}")
+        + pp.Suppress(")")
+    )
+
+    return field_list
+
+
+def parse_field_list(fields_str):
+    """Parse a field list string like '({...})' using pyparsing.
+
+    Args:
+        fields_str: A string like '({
+            {sfDestination, SoeRequired},
+            {sfAmount, SoeRequired, SoeMptSupported}
+        })'
+
+    Returns:
+        A list of field dicts with 'name', 'requirement', 'flags', and 'supports_mpt'.
+    """
+    parser = create_field_list_parser()
+
+    try:
+        result = parser.parse_string(fields_str, parse_all=True)
+        fields = []
+
+        for field_parts in result.fields:
+            if len(field_parts) < 2:
+                continue
+
+            field_name = field_parts[0]
+            requirement = field_parts[1]
+            flags = list(field_parts[2:]) if len(field_parts) > 2 else []
+            supports_mpt = "SoeMptSupported" in flags
+
+            fields.append(
+                {
+                    "name": field_name,
+                    "requirement": requirement,
+                    "flags": flags,
+                    "supports_mpt": supports_mpt,
+                }
+            )
+
+        return fields
+    except pp.ParseException as e:
+        raise ValueError(f"Failed to parse field list: {e}")
+
+
+def enrich_fields_with_type_data(entry_info, field_types):
+    """Enrich field information with type data from sfields.macro.
+
+    Args:
+        entry_info: Dict containing entry information (name, fields, etc.)
+        field_types: Dict mapping field names to type information
+
+    Modifies entry_info["fields"] in place.
+    """
+    for field in entry_info["fields"]:
+        field_name = field["name"]
+        if field_name in field_types:
+            field["typed"] = field_types[field_name]["typed"]
+            field["paramName"] = field_name[2].lower() + field_name[3:]
+            field["stiSuffix"] = field_types[field_name]["stiSuffix"]
+            field["typeData"] = field_types[field_name]["typeData"]
+        else:
+            # Unknown field - assume typed for safety
+            field["typed"] = True
+            field["paramName"] = ""
+            field["stiSuffix"] = None
+            field["typeData"] = None
+
+
+def generate_from_template(
+    entry_info, output_dir, template_dir, template_name, output_suffix
+):
+    """Generate a file from a Mako template.
+
+    Args:
+        entry_info: Dict containing entry information (name, fields, etc.)
+                    Fields should already be enriched with type data.
+        output_dir: Output directory for generated files
+        template_dir: Directory containing Mako templates
+        template_name: Name of the Mako template file to use
+        output_suffix: Suffix for the output file (e.g., ".h" or "Tests.cpp")
+
+    Returns:
+        Path to the generated file
+    """
+    from mako.template import Template
+
+    template_path = Path(template_dir) / template_name
+    template = Template(filename=str(template_path))
+
+    # Render the template - pass entry_info directly so templates can access any field
+    content = template.render(**entry_info)
+
+    # Write output file in binary mode to avoid any line ending conversion
+    output_path = Path(output_dir) / f"{entry_info['name']}{output_suffix}"
+    with open(output_path, "wb") as f:
+        f.write(content.encode("utf-8"))
+
+    print(f"Generated {output_path}")
+    return output_path
+
+
+def generate_cpp_class(
+    entry_info, header_dir, template_dir, field_types, template_name
+):
+    """Generate C++ header file from a Mako template.
+
+    Args:
+        entry_info: Dict containing entry information (name, fields, etc.)
+        header_dir: Output directory for generated header files
+        template_dir: Directory containing Mako templates
+        field_types: Dict mapping field names to type information
+        template_name: Name of the Mako template file to use
+    """
+    # Enrich field information with type data
+    enrich_fields_with_type_data(entry_info, field_types)
+
+    # Generate the header file
+    generate_from_template(entry_info, header_dir, template_dir, template_name, ".h")
--- a/cmake/scripts/codegen/requirements.in
+++ b/cmake/scripts/codegen/requirements.in
@@ -0,0 +1,13 @@
+# Python dependencies for XRP Ledger code generation scripts
+#
+# These packages are required to run the code generation scripts that
+# parse macro files and generate C++ wrapper classes.
+
+# C preprocessor for Python - used to preprocess macro files
+pcpp>=1.30
+
+# Parser combinator library - used to parse the macro DSL
+pyparsing>=3.0.0
+
+# Template engine - used to generate C++ code from templates
+Mako>=1.2.2
--- a/cmake/scripts/codegen/requirements.txt
+++ b/cmake/scripts/codegen/requirements.txt
@@ -0,0 +1,105 @@
+# This file was autogenerated by uv via the following command:
+#    uv pip compile requirements.in --generate-hashes --output-file requirements.txt
+mako==1.3.12 \
+    --hash=sha256:8f61569480282dbf557145ce441e4ba888be453c30989f879f0d652e39f53ea9 \
+    --hash=sha256:9f778e93289bd410bb35daadeb4fc66d95a746f0b75777b942088b7fd7af550a
+    # via -r requirements.in
+markupsafe==3.0.3 \
+    --hash=sha256:0303439a41979d9e74d18ff5e2dd8c43ed6c6001fd40e5bf2e43f7bd9bbc523f \
+    --hash=sha256:068f375c472b3e7acbe2d5318dea141359e6900156b5b2ba06a30b169086b91a \
+    --hash=sha256:0bf2a864d67e76e5c9a34dc26ec616a66b9888e25e7b9460e1c76d3293bd9dbf \
+    --hash=sha256:0db14f5dafddbb6d9208827849fad01f1a2609380add406671a26386cdf15a19 \
+    --hash=sha256:0eb9ff8191e8498cca014656ae6b8d61f39da5f95b488805da4bb029cccbfbaf \
+    --hash=sha256:0f4b68347f8c5eab4a13419215bdfd7f8c9b19f2b25520968adfad23eb0ce60c \
+    --hash=sha256:1085e7fbddd3be5f89cc898938f42c0b3c711fdcb37d75221de2666af647c175 \
+    --hash=sha256:116bb52f642a37c115f517494ea5feb03889e04df47eeff5b130b1808ce7c219 \
+    --hash=sha256:12c63dfb4a98206f045aa9563db46507995f7ef6d83b2f68eda65c307c6829eb \
+    --hash=sha256:133a43e73a802c5562be9bbcd03d090aa5a1fe899db609c29e8c8d815c5f6de6 \
+    --hash=sha256:1353ef0c1b138e1907ae78e2f6c63ff67501122006b0f9abad68fda5f4ffc6ab \
+    --hash=sha256:15d939a21d546304880945ca1ecb8a039db6b4dc49b2c5a400387cdae6a62e26 \
+    --hash=sha256:177b5253b2834fe3678cb4a5f0059808258584c559193998be2601324fdeafb1 \
+    --hash=sha256:1872df69a4de6aead3491198eaf13810b565bdbeec3ae2dc8780f14458ec73ce \
+    --hash=sha256:1b4b79e8ebf6b55351f0d91fe80f893b4743f104bff22e90697db1590e47a218 \
+    --hash=sha256:1b52b4fb9df4eb9ae465f8d0c228a00624de2334f216f178a995ccdcf82c4634 \
+    --hash=sha256:1ba88449deb3de88bd40044603fafffb7bc2b055d626a330323a9ed736661695 \
+    --hash=sha256:1cc7ea17a6824959616c525620e387f6dd30fec8cb44f649e31712db02123dad \
+    --hash=sha256:218551f6df4868a8d527e3062d0fb968682fe92054e89978594c28e642c43a73 \
+    --hash=sha256:26a5784ded40c9e318cfc2bdb30fe164bdb8665ded9cd64d500a34fb42067b1c \
+    --hash=sha256:2713baf880df847f2bece4230d4d094280f4e67b1e813eec43b4c0e144a34ffe \
+    --hash=sha256:2a15a08b17dd94c53a1da0438822d70ebcd13f8c3a95abe3a9ef9f11a94830aa \
+    --hash=sha256:2f981d352f04553a7171b8e44369f2af4055f888dfb147d55e42d29e29e74559 \
+    --hash=sha256:32001d6a8fc98c8cb5c947787c5d08b0a50663d139f1305bac5885d98d9b40fa \
+    --hash=sha256:3524b778fe5cfb3452a09d31e7b5adefeea8c5be1d43c4f810ba09f2ceb29d37 \
+    --hash=sha256:3537e01efc9d4dccdf77221fb1cb3b8e1a38d5428920e0657ce299b20324d758 \
+    --hash=sha256:35add3b638a5d900e807944a078b51922212fb3dedb01633a8defc4b01a3c85f \
+    --hash=sha256:38664109c14ffc9e7437e86b4dceb442b0096dfe3541d7864d9cbe1da4cf36c8 \
+    --hash=sha256:3a7e8ae81ae39e62a41ec302f972ba6ae23a5c5396c8e60113e9066ef893da0d \
+    --hash=sha256:3b562dd9e9ea93f13d53989d23a7e775fdfd1066c33494ff43f5418bc8c58a5c \
+    --hash=sha256:457a69a9577064c05a97c41f4e65148652db078a3a509039e64d3467b9e7ef97 \
+    --hash=sha256:4bd4cd07944443f5a265608cc6aab442e4f74dff8088b0dfc8238647b8f6ae9a \
+    --hash=sha256:4e885a3d1efa2eadc93c894a21770e4bc67899e3543680313b09f139e149ab19 \
+    --hash=sha256:4faffd047e07c38848ce017e8725090413cd80cbc23d86e55c587bf979e579c9 \
+    --hash=sha256:509fa21c6deb7a7a273d629cf5ec029bc209d1a51178615ddf718f5918992ab9 \
+    --hash=sha256:5678211cb9333a6468fb8d8be0305520aa073f50d17f089b5b4b477ea6e67fdc \
+    --hash=sha256:591ae9f2a647529ca990bc681daebdd52c8791ff06c2bfa05b65163e28102ef2 \
+    --hash=sha256:5a7d5dc5140555cf21a6fefbdbf8723f06fcd2f63ef108f2854de715e4422cb4 \
+    --hash=sha256:69c0b73548bc525c8cb9a251cddf1931d1db4d2258e9599c28c07ef3580ef354 \
+    --hash=sha256:6b5420a1d9450023228968e7e6a9ce57f65d148ab56d2313fcd589eee96a7a50 \
+    --hash=sha256:722695808f4b6457b320fdc131280796bdceb04ab50fe1795cd540799ebe1698 \
+    --hash=sha256:729586769a26dbceff69f7a7dbbf59ab6572b99d94576a5592625d5b411576b9 \
+    --hash=sha256:77f0643abe7495da77fb436f50f8dab76dbc6e5fd25d39589a0f1fe6548bfa2b \
+    --hash=sha256:795e7751525cae078558e679d646ae45574b47ed6e7771863fcc079a6171a0fc \
+    --hash=sha256:7be7b61bb172e1ed687f1754f8e7484f1c8019780f6f6b0786e76bb01c2ae115 \
+    --hash=sha256:7c3fb7d25180895632e5d3148dbdc29ea38ccb7fd210aa27acbd1201a1902c6e \
+    --hash=sha256:7e68f88e5b8799aa49c85cd116c932a1ac15caaa3f5db09087854d218359e485 \
+    --hash=sha256:83891d0e9fb81a825d9a6d61e3f07550ca70a076484292a70fde82c4b807286f \
+    --hash=sha256:8485f406a96febb5140bfeca44a73e3ce5116b2501ac54fe953e488fb1d03b12 \
+    --hash=sha256:8709b08f4a89aa7586de0aadc8da56180242ee0ada3999749b183aa23df95025 \
+    --hash=sha256:8f71bc33915be5186016f675cd83a1e08523649b0e33efdb898db577ef5bb009 \
+    --hash=sha256:915c04ba3851909ce68ccc2b8e2cd691618c4dc4c4232fb7982bca3f41fd8c3d \
+    --hash=sha256:949b8d66bc381ee8b007cd945914c721d9aba8e27f71959d750a46f7c282b20b \
+    --hash=sha256:94c6f0bb423f739146aec64595853541634bde58b2135f27f61c1ffd1cd4d16a \
+    --hash=sha256:9a1abfdc021a164803f4d485104931fb8f8c1efd55bc6b748d2f5774e78b62c5 \
+    --hash=sha256:9b79b7a16f7fedff2495d684f2b59b0457c3b493778c9eed31111be64d58279f \
+    --hash=sha256:a320721ab5a1aba0a233739394eb907f8c8da5c98c9181d1161e77a0c8e36f2d \
+    --hash=sha256:a4afe79fb3de0b7097d81da19090f4df4f8d3a2b3adaa8764138aac2e44f3af1 \
+    --hash=sha256:ad2cf8aa28b8c020ab2fc8287b0f823d0a7d8630784c31e9ee5edea20f406287 \
+    --hash=sha256:b8512a91625c9b3da6f127803b166b629725e68af71f8184ae7e7d54686a56d6 \
+    --hash=sha256:bc51efed119bc9cfdf792cdeaa4d67e8f6fcccab66ed4bfdd6bde3e59bfcbb2f \
+    --hash=sha256:bdc919ead48f234740ad807933cdf545180bfbe9342c2bb451556db2ed958581 \
+    --hash=sha256:bdd37121970bfd8be76c5fb069c7751683bdf373db1ed6c010162b2a130248ed \
+    --hash=sha256:be8813b57049a7dc738189df53d69395eba14fb99345e0a5994914a3864c8a4b \
+    --hash=sha256:c0c0b3ade1c0b13b936d7970b1d37a57acde9199dc2aecc4c336773e1d86049c \
+    --hash=sha256:c47a551199eb8eb2121d4f0f15ae0f923d31350ab9280078d1e5f12b249e0026 \
+    --hash=sha256:c4ffb7ebf07cfe8931028e3e4c85f0357459a3f9f9490886198848f4fa002ec8 \
+    --hash=sha256:ccfcd093f13f0f0b7fdd0f198b90053bf7b2f02a3927a30e63f3ccc9df56b676 \
+    --hash=sha256:d2ee202e79d8ed691ceebae8e0486bd9a2cd4794cec4824e1c99b6f5009502f6 \
+    --hash=sha256:d53197da72cc091b024dd97249dfc7794d6a56530370992a5e1a08983ad9230e \
+    --hash=sha256:d6dd0be5b5b189d31db7cda48b91d7e0a9795f31430b7f271219ab30f1d3ac9d \
+    --hash=sha256:d88b440e37a16e651bda4c7c2b930eb586fd15ca7406cb39e211fcff3bf3017d \
+    --hash=sha256:de8a88e63464af587c950061a5e6a67d3632e36df62b986892331d4620a35c01 \
+    --hash=sha256:df2449253ef108a379b8b5d6b43f4b1a8e81a061d6537becd5582fba5f9196d7 \
+    --hash=sha256:e1c1493fb6e50ab01d20a22826e57520f1284df32f2d8601fdd90b6304601419 \
+    --hash=sha256:e1cf1972137e83c5d4c136c43ced9ac51d0e124706ee1c8aa8532c1287fa8795 \
+    --hash=sha256:e2103a929dfa2fcaf9bb4e7c091983a49c9ac3b19c9061b6d5427dd7d14d81a1 \
+    --hash=sha256:e56b7d45a839a697b5eb268c82a71bd8c7f6c94d6fd50c3d577fa39a9f1409f5 \
+    --hash=sha256:e8afc3f2ccfa24215f8cb28dcf43f0113ac3c37c2f0f0806d8c70e4228c5cf4d \
+    --hash=sha256:e8fc20152abba6b83724d7ff268c249fa196d8259ff481f3b1476383f8f24e42 \
+    --hash=sha256:eaa9599de571d72e2daf60164784109f19978b327a3910d3e9de8c97b5b70cfe \
+    --hash=sha256:ec15a59cf5af7be74194f7ab02d0f59a62bdcf1a537677ce67a2537c9b87fcda \
+    --hash=sha256:f190daf01f13c72eac4efd5c430a8de82489d9cff23c364c3ea822545032993e \
+    --hash=sha256:f34c41761022dd093b4b6896d4810782ffbabe30f2d443ff5f083e0cbbb8c737 \
+    --hash=sha256:f3e98bb3798ead92273dc0e5fd0f31ade220f59a266ffd8a4f6065e0a3ce0523 \
+    --hash=sha256:f42d0984e947b8adf7dd6dde396e720934d12c506ce84eea8476409563607591 \
+    --hash=sha256:f71a396b3bf33ecaa1626c255855702aca4d3d9fea5e051b41ac59a9c1c41edc \
+    --hash=sha256:f9e130248f4462aaa8e2552d547f36ddadbeaa573879158d721bbd33dfe4743a \
+    --hash=sha256:fed51ac40f757d41b7c48425901843666a6677e3e8eb0abcff09e4ba6e664f50
+    # via mako
+pcpp==1.30 \
+    --hash=sha256:05fe08292b6da57f385001c891a87f40d6aa7f46787b03e8ba326d20a3297c6e \
+    --hash=sha256:5af9fbce55f136d7931ae915fae03c34030a3b36c496e72d9636cedc8e2543a1
+    # via -r requirements.in
+pyparsing==3.3.2 \
+    --hash=sha256:850ba148bd908d7e2411587e247a1e4f0327839c40e2e5e6d05a007ecc69911d \
+    --hash=sha256:c777f4d763f140633dcb6d8a3eda953bf7a214dc4eff598413c070bcdc117cbc
+    # via -r requirements.in
--- a/cmake/scripts/codegen/templates/LedgerEntry.h.mako
+++ b/cmake/scripts/codegen/templates/LedgerEntry.h.mako
@@ -0,0 +1,216 @@
+// This file is auto-generated. Do not edit.
+#pragma once
+
+#include <xrpl/protocol/STLedgerEntry.h>
+#include <xrpl/protocol/STParsedJSON.h>
+#include <xrpl/protocol/jss.h>
+#include <xrpl/protocol_autogen/LedgerEntryBase.h>
+#include <xrpl/protocol_autogen/LedgerEntryBuilderBase.h>
+#include <xrpl/json/json_value.h>
+
+#include <stdexcept>
+#include <optional>
+
+namespace xrpl::ledger_entries {
+
+class ${name}Builder;
+
+/**
+ * @brief Ledger Entry: ${name}
+ *
+ * Type: ${tag} (${value})
+ * RPC Name: ${rpc_name}
+ *
+ * Immutable wrapper around SLE providing type-safe field access.
+ * Use ${name}Builder to construct new ledger entries.
+ */
+class ${name} : public LedgerEntryBase
+{
+public:
+    static constexpr LedgerEntryType entryType = ${tag};
+
+    /**
+     * @brief Construct a ${name} ledger entry wrapper from an existing SLE object.
+     * @throws std::runtime_error if the ledger entry type doesn't match.
+     */
+    explicit ${name}(SLE::const_pointer sle)
+        : LedgerEntryBase(std::move(sle))
+    {
+        // Verify ledger entry type
+        if (sle_->getType() != entryType)
+        {
+            throw std::runtime_error("Invalid ledger entry type for ${name}");
+        }
+    }
+
+    // Ledger entry-specific field getters
+% for field in fields:
+% if field['typed']:
+
+    /**
+     * @brief Get ${field['name']} (${field['requirement']})
+% if field.get('mpt_support'):
+     * MPT Support: ${field['mpt_support']}
+% endif
+% if field['requirement'] == 'SoeRequired':
+     * @return The field value.
+% else:
+     * @return The field value, or std::nullopt if not present.
+% endif
+     */
+% if field['requirement'] == 'SoeRequired':
+    [[nodiscard]]
+    ${field['typeData']['return_type']}
+    get${field['name'][2:]}() const
+    {
+        return this->sle_->${field['typeData']['getter_method']}(${field['name']});
+    }
+% else:
+    [[nodiscard]]
+    ${field['typeData']['return_type_optional']}
+    get${field['name'][2:]}() const
+    {
+        if (has${field['name'][2:]}())
+            return this->sle_->${field['typeData']['getter_method']}(${field['name']});
+        return std::nullopt;
+    }
+
+    /**
+     * @brief Check if ${field['name']} is present.
+     * @return True if the field is present, false otherwise.
+     */
+    [[nodiscard]]
+    bool
+    has${field['name'][2:]}() const
+    {
+        return this->sle_->isFieldPresent(${field['name']});
+    }
+% endif
+% else:
+
+    /**
+     * @brief Get ${field['name']} (${field['requirement']})
+% if field.get('mpt_support'):
+     * MPT Support: ${field['mpt_support']}
+% endif
+     * @note This is an untyped field (${field.get('cppType', 'unknown')}).
+% if field['requirement'] == 'SoeRequired':
+     * @return The field value.
+% else:
+     * @return The field value, or std::nullopt if not present.
+% endif
+     */
+% if field['requirement'] == 'SoeRequired':
+    [[nodiscard]]
+    ${field['typeData']['return_type']}
+    get${field['name'][2:]}() const
+    {
+        return this->sle_->${field['typeData']['getter_method']}(${field['name']});
+    }
+% else:
+    [[nodiscard]]
+    ${field['typeData']['return_type_optional']}
+    get${field['name'][2:]}() const
+    {
+        if (this->sle_->isFieldPresent(${field['name']}))
+            return this->sle_->${field['typeData']['getter_method']}(${field['name']});
+        return std::nullopt;
+    }
+
+    /**
+     * @brief Check if ${field['name']} is present.
+     * @return True if the field is present, false otherwise.
+     */
+    [[nodiscard]]
+    bool
+    has${field['name'][2:]}() const
+    {
+        return this->sle_->isFieldPresent(${field['name']});
+    }
+% endif
+% endif
+% endfor
+};
+
+<%
+    required_fields = [f for f in fields if f['requirement'] == 'SoeRequired']
+%>\
+/**
+ * @brief Builder for ${name} ledger entries.
+ *
+ * Provides a fluent interface for constructing ledger entries with method chaining.
+ * Uses STObject internally for flexible ledger entry construction.
+ * Inherits common field setters from LedgerEntryBuilderBase.
+ */
+class ${name}Builder : public LedgerEntryBuilderBase<${name}Builder>
+{
+public:
+    /**
+     * @brief Construct a new ${name}Builder with required fields.
+% for field in required_fields:
+     * @param ${field['paramName']} The ${field['name']} field value.
+% endfor
+     */
+    ${name}Builder(\
+% for i, field in enumerate(required_fields):
+${field['typeData']['setter_type']} ${field['paramName']}${',' if i < len(required_fields) - 1 else ''}\
+% endfor
+)
+        : LedgerEntryBuilderBase<${name}Builder>(${tag})
+    {
+% for field in required_fields:
+        set${field['name'][2:]}(${field['paramName']});
+% endfor
+    }
+
+    /**
+     * @brief Construct a ${name}Builder from an existing SLE object.
+     * @param sle The existing ledger entry to copy from.
+     * @throws std::runtime_error if the ledger entry type doesn't match.
+     */
+    ${name}Builder(SLE::const_pointer sle)
+    {
+        if (sle->at(sfLedgerEntryType) != ${tag})
+        {
+            throw std::runtime_error("Invalid ledger entry type for ${name}");
+        }
+        object_ = *sle;
+    }
+
+    /** @brief Ledger entry-specific field setters */
+% for field in fields:
+
+    /**
+     * @brief Set ${field['name']} (${field['requirement']})
+% if field.get('mpt_support'):
+     * MPT Support: ${field['mpt_support']}
+% endif
+     * @return Reference to this builder for method chaining.
+     */
+    ${name}Builder&
+    set${field['name'][2:]}(${field['typeData']['setter_type']} value)
+    {
+% if field.get('stiSuffix') == 'ISSUE':
+        object_[${field['name']}] = STIssue(${field['name']}, value);
+% elif field['typeData'].get('setter_use_brackets'):
+        object_[${field['name']}] = value;
+% else:
+        object_.${field['typeData']['setter_method']}(${field['name']}, value);
+% endif
+        return *this;
+    }
+% endfor
+
+    /**
+     * @brief Build and return the completed ${name} wrapper.
+     * @param index The ledger entry index.
+     * @return The constructed ledger entry wrapper.
+     */
+    ${name}
+    build(uint256 const& index)
+    {
+        return ${name}{std::make_shared<SLE>(std::move(object_), index)};
+    }
+};
+
+}  // namespace xrpl::ledger_entries
--- a/cmake/scripts/codegen/templates/LedgerEntryTests.cpp.mako
+++ b/cmake/scripts/codegen/templates/LedgerEntryTests.cpp.mako
@@ -0,0 +1,231 @@
+// Auto-generated unit tests for ledger entry ${name}
+<%
+    required_fields = [f for f in fields if f["requirement"] == "SoeRequired"]
+    optional_fields = [f for f in fields if f["requirement"] != "SoeRequired"]
+
+    def canonical_expr(field):
+        return f"canonical_{field['stiSuffix']}()"
+
+    # Pick a wrong ledger entry to test type mismatch
+    # Use Ticket as it has minimal required fields (just Account)
+    if name != "Ticket":
+        wrong_le_include = "Ticket"
+    else:
+        wrong_le_include = "Check"
+%>
+
+#include <gtest/gtest.h>
+
+#include <protocol_autogen/TestHelpers.h>
+
+#include <xrpl/protocol/STLedgerEntry.h>
+#include <xrpl/protocol_autogen/ledger_entries/${name}.h>
+#include <xrpl/protocol_autogen/ledger_entries/${wrong_le_include}.h>
+
+#include <string>
+
+namespace xrpl::ledger_entries {
+
+// 1 & 4) Set fields via builder setters, build, then read them back via
+// wrapper getters. After build(), validate() should succeed for both the
+// builder's STObject and the wrapper's SLE.
+TEST(${name}Tests, BuilderSettersRoundTrip)
+{
+    uint256 const index{1u};
+
+% for field in fields:
+    auto const ${field["paramName"]}Value = ${canonical_expr(field)};
+% endfor
+
+    ${name}Builder builder{
+% for i, field in enumerate(required_fields):
+        ${field["paramName"]}Value${"," if i < len(required_fields) - 1 else ""}
+% endfor
+    };
+
+% for field in optional_fields:
+    builder.set${field["name"][2:]}(${field["paramName"]}Value);
+% endfor
+
+    builder.setLedgerIndex(index);
+    builder.setFlags(0x1u);
+
+    EXPECT_TRUE(builder.validate());
+
+    auto const entry = builder.build(index);
+
+    EXPECT_TRUE(entry.validate());
+
+% for field in required_fields:
+    {
+        auto const& expected = ${field["paramName"]}Value;
+        auto const actual = entry.get${field["name"][2:]}();
+        expectEqualField(expected, actual, "${field["name"]}");
+    }
+
+% endfor
+% for field in optional_fields:
+    {
+        auto const& expected = ${field["paramName"]}Value;
+        auto const actualOpt = entry.get${field["name"][2:]}();
+        ASSERT_TRUE(actualOpt.has_value());
+        expectEqualField(expected, *actualOpt, "${field["name"]}");
+        EXPECT_TRUE(entry.has${field["name"][2:]}());
+    }
+
+% endfor
+    EXPECT_TRUE(entry.hasLedgerIndex());
+    auto const ledgerIndex = entry.getLedgerIndex();
+    ASSERT_TRUE(ledgerIndex.has_value());
+    EXPECT_EQ(*ledgerIndex, index);
+    EXPECT_EQ(entry.getKey(), index);
+}
+
+// 2 & 4) Start from an SLE, set fields directly on it, construct a builder
+// from that SLE, build a new wrapper, and verify all fields (and validate()).
+TEST(${name}Tests, BuilderFromSleRoundTrip)
+{
+    uint256 const index{2u};
+
+% for field in fields:
+    auto const ${field["paramName"]}Value = ${canonical_expr(field)};
+% endfor
+
+    auto sle = std::make_shared<SLE>(${name}::entryType, index);
+
+% for field in fields:
+% if field.get("stiSuffix") == "ISSUE":
+    sle->at(${field["name"]}) = STIssue(${field["name"]}, ${field["paramName"]}Value);
+% elif field["typeData"].get("setter_use_brackets"):
+    sle->at(${field["name"]}) = ${field["paramName"]}Value;
+% else:
+    sle->${field["typeData"]["setter_method"]}(${field["name"]}, ${field["paramName"]}Value);
+% endif
+% endfor
+
+    ${name}Builder builderFromSle{sle};
+    EXPECT_TRUE(builderFromSle.validate());
+
+    auto const entryFromBuilder = builderFromSle.build(index);
+
+    ${name} entryFromSle{sle};
+    EXPECT_TRUE(entryFromBuilder.validate());
+    EXPECT_TRUE(entryFromSle.validate());
+
+% for field in required_fields:
+    {
+        auto const& expected = ${field["paramName"]}Value;
+
+        auto const fromSle = entryFromSle.get${field["name"][2:]}();
+        auto const fromBuilder = entryFromBuilder.get${field["name"][2:]}();
+
+        expectEqualField(expected, fromSle, "${field["name"]}");
+        expectEqualField(expected, fromBuilder, "${field["name"]}");
+    }
+
+% endfor
+% for field in optional_fields:
+    {
+        auto const& expected = ${field["paramName"]}Value;
+
+        auto const fromSleOpt = entryFromSle.get${field["name"][2:]}();
+        auto const fromBuilderOpt = entryFromBuilder.get${field["name"][2:]}();
+
+        ASSERT_TRUE(fromSleOpt.has_value());
+        ASSERT_TRUE(fromBuilderOpt.has_value());
+
+        expectEqualField(expected, *fromSleOpt, "${field["name"]}");
+        expectEqualField(expected, *fromBuilderOpt, "${field["name"]}");
+    }
+
+% endfor
+    EXPECT_EQ(entryFromSle.getKey(), index);
+    EXPECT_EQ(entryFromBuilder.getKey(), index);
+}
+
+// 3) Verify wrapper throws when constructed from wrong ledger entry type.
+TEST(${name}Tests, WrapperThrowsOnWrongEntryType)
+{
+    uint256 const index{3u};
+
+    // Build a valid ledger entry of a different type
+    // Ticket requires: Account, OwnerNode, TicketSequence, PreviousTxnID, PreviousTxnLgrSeq
+    // Check requires: Account, Destination, SendMax, Sequence, OwnerNode, DestinationNode, PreviousTxnID, PreviousTxnLgrSeq
+% if wrong_le_include == "Ticket":
+    ${wrong_le_include}Builder wrongBuilder{
+        canonical_ACCOUNT(),
+        canonical_UINT64(),
+        canonical_UINT32(),
+        canonical_UINT256(),
+        canonical_UINT32()};
+% else:
+    ${wrong_le_include}Builder wrongBuilder{
+        canonical_ACCOUNT(),
+        canonical_ACCOUNT(),
+        canonical_AMOUNT(),
+        canonical_UINT32(),
+        canonical_UINT64(),
+        canonical_UINT64(),
+        canonical_UINT256(),
+        canonical_UINT32()};
+% endif
+    auto wrongEntry = wrongBuilder.build(index);
+
+    EXPECT_THROW(${name}{wrongEntry.getSle()}, std::runtime_error);
+}
+
+// 4) Verify builder throws when constructed from wrong ledger entry type.
+TEST(${name}Tests, BuilderThrowsOnWrongEntryType)
+{
+    uint256 const index{4u};
+
+    // Build a valid ledger entry of a different type
+% if wrong_le_include == "Ticket":
+    ${wrong_le_include}Builder wrongBuilder{
+        canonical_ACCOUNT(),
+        canonical_UINT64(),
+        canonical_UINT32(),
+        canonical_UINT256(),
+        canonical_UINT32()};
+% else:
+    ${wrong_le_include}Builder wrongBuilder{
+        canonical_ACCOUNT(),
+        canonical_ACCOUNT(),
+        canonical_AMOUNT(),
+        canonical_UINT32(),
+        canonical_UINT64(),
+        canonical_UINT64(),
+        canonical_UINT256(),
+        canonical_UINT32()};
+% endif
+    auto wrongEntry = wrongBuilder.build(index);
+
+    EXPECT_THROW(${name}Builder{wrongEntry.getSle()}, std::runtime_error);
+}
+
+% if optional_fields:
+// 5) Build with only required fields and verify optional fields return nullopt.
+TEST(${name}Tests, OptionalFieldsReturnNullopt)
+{
+    uint256 const index{3u};
+
+% for field in required_fields:
+    auto const ${field["paramName"]}Value = ${canonical_expr(field)};
+% endfor
+
+    ${name}Builder builder{
+% for i, field in enumerate(required_fields):
+        ${field["paramName"]}Value${"," if i < len(required_fields) - 1 else ""}
+% endfor
+    };
+
+    auto const entry = builder.build(index);
+
+    // Verify optional fields are not present
+% for field in optional_fields:
+    EXPECT_FALSE(entry.has${field["name"][2:]}());
+    EXPECT_FALSE(entry.get${field["name"][2:]}().has_value());
+% endfor
+}
+% endif
+}
--- a/cmake/scripts/codegen/templates/Transaction.h.mako
+++ b/cmake/scripts/codegen/templates/Transaction.h.mako
@@ -0,0 +1,226 @@
+// This file is auto-generated. Do not edit.
+#pragma once
+
+#include <xrpl/protocol/STTx.h>
+#include <xrpl/protocol/STParsedJSON.h>
+#include <xrpl/protocol/jss.h>
+#include <xrpl/protocol_autogen/TransactionBase.h>
+#include <xrpl/protocol_autogen/TransactionBuilderBase.h>
+#include <xrpl/json/json_value.h>
+
+#include <stdexcept>
+#include <optional>
+
+namespace xrpl::transactions {
+
+class ${name}Builder;
+
+/**
+ * @brief Transaction: ${name}
+ *
+ * Type: ${tag} (${value})
+ * Delegable: ${delegable}
+ * Amendment: ${amendments}
+ * Privileges: ${privileges}
+ *
+ * Immutable wrapper around STTx providing type-safe field access.
+ * Use ${name}Builder to construct new transactions.
+ */
+class ${name} : public TransactionBase
+{
+public:
+    static constexpr xrpl::TxType txType = ${tag};
+
+    /**
+     * @brief Construct a ${name} transaction wrapper from an existing STTx object.
+     * @throws std::runtime_error if the transaction type doesn't match.
+     */
+    explicit ${name}(std::shared_ptr<STTx const> tx)
+        : TransactionBase(std::move(tx))
+    {
+        // Verify transaction type
+        if (tx_->getTxnType() != txType)
+        {
+            throw std::runtime_error("Invalid transaction type for ${name}");
+        }
+    }
+
+    // Transaction-specific field getters
+% for field in fields:
+% if field['typed']:
+
+    /**
+     * @brief Get ${field['name']} (${field['requirement']})
+% if field.get('supports_mpt'):
+     * @note This field supports MPT (Multi-Purpose Token) amounts.
+% endif
+% if field['requirement'] == 'SoeRequired':
+     * @return The field value.
+% else:
+     * @return The field value, or std::nullopt if not present.
+% endif
+     */
+% if field['requirement'] == 'SoeRequired':
+    [[nodiscard]]
+    ${field['typeData']['return_type']}
+    get${field['name'][2:]}() const
+    {
+        return this->tx_->${field['typeData']['getter_method']}(${field['name']});
+    }
+% else:
+    [[nodiscard]]
+    ${field['typeData']['return_type_optional']}
+    get${field['name'][2:]}() const
+    {
+        if (has${field['name'][2:]}())
+        {
+            return this->tx_->${field['typeData']['getter_method']}(${field['name']});
+        }
+        return std::nullopt;
+    }
+
+    /**
+     * @brief Check if ${field['name']} is present.
+     * @return True if the field is present, false otherwise.
+     */
+    [[nodiscard]]
+    bool
+    has${field['name'][2:]}() const
+    {
+        return this->tx_->isFieldPresent(${field['name']});
+    }
+% endif
+% else:
+    /**
+     * @brief Get ${field['name']} (${field['requirement']})
+% if field.get('supports_mpt'):
+     * @note This field supports MPT (Multi-Purpose Token) amounts.
+% endif
+     * @note This is an untyped field.
+% if field['requirement'] == 'SoeRequired':
+     * @return The field value.
+% else:
+     * @return The field value, or std::nullopt if not present.
+% endif
+     */
+% if field['requirement'] == 'SoeRequired':
+    [[nodiscard]]
+    ${field['typeData']['return_type']}
+    get${field['name'][2:]}() const
+    {
+        return this->tx_->${field['typeData']['getter_method']}(${field['name']});
+    }
+% else:
+    [[nodiscard]]
+    ${field['typeData']['return_type_optional']}
+    get${field['name'][2:]}() const
+    {
+        if (this->tx_->isFieldPresent(${field['name']}))
+            return this->tx_->${field['typeData']['getter_method']}(${field['name']});
+        return std::nullopt;
+    }
+
+    /**
+     * @brief Check if ${field['name']} is present.
+     * @return True if the field is present, false otherwise.
+     */
+    [[nodiscard]]
+    bool
+    has${field['name'][2:]}() const
+    {
+        return this->tx_->isFieldPresent(${field['name']});
+    }
+% endif
+% endif
+% endfor
+};
+
+<%
+    required_fields = [f for f in fields if f['requirement'] == 'SoeRequired']
+%>\
+/**
+ * @brief Builder for ${name} transactions.
+ *
+ * Provides a fluent interface for constructing transactions with method chaining.
+ * Uses STObject internally for flexible transaction construction.
+ * Inherits common field setters from TransactionBuilderBase.
+ */
+class ${name}Builder : public TransactionBuilderBase<${name}Builder>
+{
+public:
+    /**
+     * @brief Construct a new ${name}Builder with required fields.
+     * @param account The account initiating the transaction.
+% for field in required_fields:
+     * @param ${field['paramName']} The ${field['name']} field value.
+% endfor
+     * @param sequence Optional sequence number for the transaction.
+     * @param fee Optional fee for the transaction.
+     */
+    ${name}Builder(SF_ACCOUNT::type::value_type account,
+% for i, field in enumerate(required_fields):
+                     ${field['typeData']['setter_type']} ${field['paramName']},\
+% endfor
+                    std::optional<SF_UINT32::type::value_type> sequence = std::nullopt,
+                    std::optional<SF_AMOUNT::type::value_type> fee = std::nullopt
+)
+        : TransactionBuilderBase<${name}Builder>(${tag}, account, sequence, fee)
+    {
+% for field in required_fields:
+        set${field['name'][2:]}(${field['paramName']});
+% endfor
+    }
+
+    /**
+     * @brief Construct a ${name}Builder from an existing STTx object.
+     * @param tx The existing transaction to copy from.
+     * @throws std::runtime_error if the transaction type doesn't match.
+     */
+    ${name}Builder(std::shared_ptr<STTx const> tx)
+    {
+        if (tx->getTxnType() != ${tag})
+        {
+            throw std::runtime_error("Invalid transaction type for ${name}Builder");
+        }
+        object_ = *tx;
+    }
+
+    /** @brief Transaction-specific field setters */
+% for field in fields:
+
+    /**
+     * @brief Set ${field['name']} (${field['requirement']})
+% if field.get('supports_mpt'):
+     * @note This field supports MPT (Multi-Purpose Token) amounts.
+% endif
+     * @return Reference to this builder for method chaining.
+     */
+    ${name}Builder&
+    set${field['name'][2:]}(${field['typeData']['setter_type']} value)
+    {
+% if field.get('stiSuffix') == 'ISSUE':
+        object_[${field['name']}] = STIssue(${field['name']}, value);
+% elif field['typeData'].get('setter_use_brackets'):
+        object_[${field['name']}] = value;
+% else:
+        object_.${field['typeData']['setter_method']}(${field['name']}, value);
+% endif
+        return *this;
+    }
+% endfor
+
+    /**
+     * @brief Build and return the ${name} wrapper.
+     * @param publicKey The public key for signing.
+     * @param secretKey The secret key for signing.
+     * @return The constructed transaction wrapper.
+     */
+    ${name}
+    build(PublicKey const& publicKey, SecretKey const& secretKey)
+    {
+        sign(publicKey, secretKey);
+        return ${name}{std::make_shared<STTx>(std::move(object_))};
+    }
+};
+
+}  // namespace xrpl::transactions
--- a/cmake/scripts/codegen/templates/TransactionTests.cpp.mako
+++ b/cmake/scripts/codegen/templates/TransactionTests.cpp.mako
@@ -0,0 +1,241 @@
+// Auto-generated unit tests for transaction ${name}
+<%
+    required_fields = [f for f in fields if f["requirement"] == "SoeRequired"]
+    optional_fields = [f for f in fields if f["requirement"] != "SoeRequired"]
+
+    def canonical_expr(field):
+        return f"canonical_{field['stiSuffix']}()"
+
+    # Pick a wrong transaction to test type mismatch
+    if name != "AccountSet":
+        wrong_tx_include = "AccountSet"
+    else:
+        wrong_tx_include = "OfferCancel"
+%>
+
+#include <gtest/gtest.h>
+
+#include <protocol_autogen/TestHelpers.h>
+
+#include <xrpl/protocol/SecretKey.h>
+#include <xrpl/protocol/Seed.h>
+#include <xrpl/protocol/STTx.h>
+#include <xrpl/protocol_autogen/transactions/${name}.h>
+#include <xrpl/protocol_autogen/transactions/${wrong_tx_include}.h>
+
+#include <string>
+
+namespace xrpl::transactions {
+
+// 1 & 4) Set fields via builder setters, build, then read them back via
+// wrapper getters. After build(), validate() should succeed.
+TEST(Transactions${name}Tests, BuilderSettersRoundTrip)
+{
+    // Generate a deterministic keypair for signing
+    auto const [publicKey, secretKey] =
+        generateKeyPair(KeyType::Secp256k1, generateSeed("test${name}"));
+
+    // Common transaction fields
+    auto const accountValue = calcAccountID(publicKey);
+    std::uint32_t const sequenceValue = 1;
+    auto const feeValue = canonical_AMOUNT();
+
+    // Transaction-specific field values
+% for field in fields:
+    auto const ${field["paramName"]}Value = ${canonical_expr(field)};
+% endfor
+
+    ${name}Builder builder{
+        accountValue,
+% for field in required_fields:
+        ${field["paramName"]}Value,
+% endfor
+        sequenceValue,
+        feeValue
+    };
+
+    // Set optional fields
+% for field in optional_fields:
+    builder.set${field["name"][2:]}(${field["paramName"]}Value);
+% endfor
+
+    auto tx = builder.build(publicKey, secretKey);
+
+    std::string reason;
+    EXPECT_TRUE(tx.validate(reason)) << reason;
+
+    // Verify signing was applied
+    EXPECT_FALSE(tx.getSigningPubKey().empty());
+    EXPECT_TRUE(tx.hasTxnSignature());
+
+    // Verify common fields
+    EXPECT_EQ(tx.getAccount(), accountValue);
+    EXPECT_EQ(tx.getSequence(), sequenceValue);
+    EXPECT_EQ(tx.getFee(), feeValue);
+
+    // Verify required fields
+% for field in required_fields:
+    {
+        auto const& expected = ${field["paramName"]}Value;
+        auto const actual = tx.get${field["name"][2:]}();
+        expectEqualField(expected, actual, "${field["name"]}");
+    }
+
+% endfor
+    // Verify optional fields
+% for field in optional_fields:
+    {
+        auto const& expected = ${field["paramName"]}Value;
+        auto const actualOpt = tx.get${field["name"][2:]}();
+        ASSERT_TRUE(actualOpt.has_value()) << "Optional field ${field["name"]} should be present";
+        expectEqualField(expected, *actualOpt, "${field["name"]}");
+        EXPECT_TRUE(tx.has${field["name"][2:]}());
+    }
+
+% endfor
+}
+
+// 2 & 4) Start from an STTx, construct a builder from it, build a new wrapper,
+// and verify all fields match.
+TEST(Transactions${name}Tests, BuilderFromStTxRoundTrip)
+{
+    // Generate a deterministic keypair for signing
+    auto const [publicKey, secretKey] =
+        generateKeyPair(KeyType::Secp256k1, generateSeed("test${name}FromTx"));
+
+    // Common transaction fields
+    auto const accountValue = calcAccountID(publicKey);
+    std::uint32_t const sequenceValue = 2;
+    auto const feeValue = canonical_AMOUNT();
+
+    // Transaction-specific field values
+% for field in fields:
+    auto const ${field["paramName"]}Value = ${canonical_expr(field)};
+% endfor
+
+    // Build an initial transaction
+    ${name}Builder initialBuilder{
+        accountValue,
+% for field in required_fields:
+        ${field["paramName"]}Value,
+% endfor
+        sequenceValue,
+        feeValue
+    };
+
+% for field in optional_fields:
+    initialBuilder.set${field["name"][2:]}(${field["paramName"]}Value);
+% endfor
+
+    auto initialTx = initialBuilder.build(publicKey, secretKey);
+
+    // Create builder from existing STTx
+    ${name}Builder builderFromTx{initialTx.getSTTx()};
+
+    auto rebuiltTx = builderFromTx.build(publicKey, secretKey);
+
+    std::string reason;
+    EXPECT_TRUE(rebuiltTx.validate(reason)) << reason;
+
+    // Verify common fields
+    EXPECT_EQ(rebuiltTx.getAccount(), accountValue);
+    EXPECT_EQ(rebuiltTx.getSequence(), sequenceValue);
+    EXPECT_EQ(rebuiltTx.getFee(), feeValue);
+
+    // Verify required fields
+% for field in required_fields:
+    {
+        auto const& expected = ${field["paramName"]}Value;
+        auto const actual = rebuiltTx.get${field["name"][2:]}();
+        expectEqualField(expected, actual, "${field["name"]}");
+    }
+
+% endfor
+    // Verify optional fields
+% for field in optional_fields:
+    {
+        auto const& expected = ${field["paramName"]}Value;
+        auto const actualOpt = rebuiltTx.get${field["name"][2:]}();
+        ASSERT_TRUE(actualOpt.has_value()) << "Optional field ${field["name"]} should be present";
+        expectEqualField(expected, *actualOpt, "${field["name"]}");
+    }
+
+% endfor
+}
+
+// 3) Verify wrapper throws when constructed from wrong transaction type.
+TEST(Transactions${name}Tests, WrapperThrowsOnWrongTxType)
+{
+    // Build a valid transaction of a different type
+    auto const [pk, sk] =
+        generateKeyPair(KeyType::Secp256k1, generateSeed("testWrongType"));
+    auto const account = calcAccountID(pk);
+
+% if wrong_tx_include == "AccountSet":
+    ${wrong_tx_include}Builder wrongBuilder{account, 1, canonical_AMOUNT()};
+% else:
+    ${wrong_tx_include}Builder wrongBuilder{account, canonical_UINT32(), 1, canonical_AMOUNT()};
+% endif
+    auto wrongTx = wrongBuilder.build(pk, sk);
+
+    EXPECT_THROW(${name}{wrongTx.getSTTx()}, std::runtime_error);
+}
+
+// 4) Verify builder throws when constructed from wrong transaction type.
+TEST(Transactions${name}Tests, BuilderThrowsOnWrongTxType)
+{
+    // Build a valid transaction of a different type
+    auto const [pk, sk] =
+        generateKeyPair(KeyType::Secp256k1, generateSeed("testWrongTypeBuilder"));
+    auto const account = calcAccountID(pk);
+
+% if wrong_tx_include == "AccountSet":
+    ${wrong_tx_include}Builder wrongBuilder{account, 1, canonical_AMOUNT()};
+% else:
+    ${wrong_tx_include}Builder wrongBuilder{account, canonical_UINT32(), 1, canonical_AMOUNT()};
+% endif
+    auto wrongTx = wrongBuilder.build(pk, sk);
+
+    EXPECT_THROW(${name}Builder{wrongTx.getSTTx()}, std::runtime_error);
+}
+
+% if optional_fields:
+// 5) Build with only required fields and verify optional fields return nullopt.
+TEST(Transactions${name}Tests, OptionalFieldsReturnNullopt)
+{
+    // Generate a deterministic keypair for signing
+    auto const [publicKey, secretKey] =
+        generateKeyPair(KeyType::Secp256k1, generateSeed("test${name}Nullopt"));
+
+    // Common transaction fields
+    auto const accountValue = calcAccountID(publicKey);
+    std::uint32_t const sequenceValue = 3;
+    auto const feeValue = canonical_AMOUNT();
+
+    // Transaction-specific required field values
+% for field in required_fields:
+    auto const ${field["paramName"]}Value = ${canonical_expr(field)};
+% endfor
+
+    ${name}Builder builder{
+        accountValue,
+% for field in required_fields:
+        ${field["paramName"]}Value,
+% endfor
+        sequenceValue,
+        feeValue
+    };
+
+    // Do NOT set optional fields
+
+    auto tx = builder.build(publicKey, secretKey);
+
+    // Verify optional fields are not present
+% for field in optional_fields:
+    EXPECT_FALSE(tx.has${field["name"][2:]}());
+    EXPECT_FALSE(tx.get${field["name"][2:]}().has_value());
+% endfor
+}
+% endif
+
+}
--- a/conan.lock
+++ b/conan.lock
@@ -1,62 +1,60 @@
 {
    "version": "0.5",
    "requires": [
-        "zlib/1.3.1#b8bc2603263cf7eccbd6e17e66b0ed76%1765850150.075",
+        "zlib/1.3.2#1cb806da49011867778ffb6ac7190fcb%1777558780.503",
        "xxhash/0.8.3#681d36a0a6111fc56e5e45ea182c19cc%1765850149.987",
-        "sqlite3/3.49.1#8631739a4c9b93bd3d6b753bac548a63%1765850149.926",
-        "soci/4.0.3#a9f8d773cd33e356b5879a4b0564f287%1765850149.46",
+        "sqlite3/3.53.0#324ada52333108388a9a6108bfa96734%1776096494.149",
+        "soci/4.0.3#fe32b9ad5eb47e79ab9e45a68f363945%1774450067.231",
        "snappy/1.1.10#968fef506ff261592ec30c574d4a7809%1765850147.878",
-        "secp256k1/0.7.1#3a61e95e220062ef32c48d019e9c81f7%1770306721.686",
+        "secp256k1/0.7.1#481881709eb0bdd0185a12b912bbe8ad%1770910500.329",
        "rocksdb/10.5.1#4a197eca381a3e5ae8adf8cffa5aacd0%1765850186.86",
-        "re2/20230301#ca3b241baec15bd31ea9187150e0b333%1765850148.103",
-        "protobuf/6.32.1#f481fd276fc23a33b85a3ed1e898b693%1765850161.038",
-        "openssl/3.5.5#05a4ac5b7323f7a329b2db1391d9941f%1769599205.414",
-        "nudb/2.0.9#0432758a24204da08fee953ec9ea03cb%1769436073.32",
+        "re2/20251105#8579cfd0bda4daf0683f9e3898f964b4%1774398111.888",
+        "protobuf/6.33.5#d96d52ba5baaaa532f47bda866ad87a5%1774467363.12",
+        "openssl/3.6.2#4789bbf131b77d0515d15e094c8f697f%1778071755.506",
+        "nudb/2.0.9#11149c73f8f2baff9a0198fe25971fc7%1775040983.408",
        "lz4/1.10.0#59fc63cac7f10fbe8e05c7e62c2f3504%1765850143.914",
        "libiconv/1.17#1e65319e945f2d31941a9d28cc13c058%1765842973.492",
        "libbacktrace/cci.20210118#a7691bfccd8caaf66309df196790a5a1%1765842973.03",
-        "libarchive/3.8.1#ffee18995c706e02bf96e7a2f7042e0d%1765850144.736",
-        "jemalloc/5.3.0#e951da9cf599e956cebc117880d2d9f8%1729241615.244",
+        "libarchive/3.8.7#c446109bd1f1d8ba7936c94189bc50e6%1776147552.838",
+        "jemalloc/5.3.1#1fc58d55316041f10fbc1e8a2eae632a%1776700028.228",
        "gtest/1.17.0#5224b3b3ff3b4ce1133cbdd27d53ee7d%1768312129.152",
-        "grpc/1.72.0#f244a57bff01e708c55a1100b12e1589%1765850193.734",
+        "grpc/1.78.1#b1a9e74b145cc471bed4dc64dc6eb2c1%1774467387.342",
        "ed25519/2015.03#ae761bdc52730a843f0809bdf6c1b1f6%1765850143.772",
        "date/3.0.4#862e11e80030356b53c2c38599ceb32b%1765850143.772",
-        "c-ares/1.34.5#5581c2b62a608b40bb85d965ab3ec7c8%1765850144.336",
+        "c-ares/1.34.6#545240bb1c40e2cacd4362d6b8967650%1774439234.681",
        "bzip2/1.0.8#c470882369c2d95c5c77e970c0c7e321%1765850143.837",
-        "boost/1.90.0#d5e8defe7355494953be18524a7f135b%1769454080.269",
-        "abseil/20250127.0#99262a368bd01c0ccca8790dfced9719%1766517936.993"
+        "boost/1.91.0#ea540ca2133d831b560036aa24dece3c%1778050991.9",
+        "abseil/20250127.0#bb0baf1f362bc4a725a24eddd419b8f7%1774365460.196"
    ],
    "build_requires": [
-        "zlib/1.3.1#b8bc2603263cf7eccbd6e17e66b0ed76%1765850150.075",
-        "strawberryperl/5.32.1.1#707032463aa0620fa17ec0d887f5fe41%1765850165.196",
-        "protobuf/6.32.1#f481fd276fc23a33b85a3ed1e898b693%1765850161.038",
+        "zlib/1.3.2#1cb806da49011867778ffb6ac7190fcb%1777558780.503",
+        "strawberryperl/5.32.1.1#8d114504d172cfea8ea1662d09b6333e%1774447376.964",
+        "protobuf/6.33.5#d96d52ba5baaaa532f47bda866ad87a5%1774467363.12",
        "nasm/2.16.01#31e26f2ee3c4346ecd347911bd126904%1765850144.707",
-        "msys2/cci.latest#eea83308ad7e9023f7318c60d5a9e6cb%1770199879.083",
-        "m4/1.4.19#70dc8bbb33e981d119d2acc0175cf381%1763158052.846",
-        "cmake/4.2.0#ae0a44f44a1ef9ab68fd4b3e9a1f8671%1765850153.937",
-        "cmake/3.31.10#313d16a1aa16bbdb2ca0792467214b76%1765850153.479",
-        "b2/5.3.3#107c15377719889654eb9a162a673975%1765850144.355",
+        "msys2/cci.latest#d22fe7b2808f5fd34d0a7923ace9c54f%1770657326.649",
+        "m4/1.4.19#4523e4347b55cd26ae918bd5770cab9a%1778062762.471",
+        "cmake/4.3.0#b939a42e98f593fb34d3a8c5cc860359%1774439249.183",
+        "b2/5.4.2#ffd6084a119587e70f11cd45d1a386e2%1774439233.447",
        "automake/1.16.5#b91b7c384c3deaa9d535be02da14d04f%1755524470.56",
        "autoconf/2.71#51077f068e61700d65bb05541ea1e4b0%1731054366.86",
-        "abseil/20250127.0#99262a368bd01c0ccca8790dfced9719%1766517936.993"
+        "abseil/20250127.0#bb0baf1f362bc4a725a24eddd419b8f7%1774365460.196"
    ],
    "python_requires": [],
    "overrides": {
-        "boost/1.90.0#d5e8defe7355494953be18524a7f135b": [
-            null,
-            "boost/1.90.0"
-        ],
-        "protobuf/5.27.0": [
-            "protobuf/6.32.1"
+        "protobuf/[>=5.27.0 <7]": [
+            "protobuf/6.33.5"
        ],
        "lz4/1.9.4": [
            "lz4/1.10.0"
        ],
-        "sqlite3/3.44.2": [
-            "sqlite3/3.49.1"
+        "boost/[>=1.83.0 <1.91.0]": [
+            "boost/1.91.0"
+        ],
+        "sqlite3/[>=3.44 <4]": [
+            "sqlite3/3.53.0"
        ],
        "boost/1.83.0": [
-            "boost/1.90.0"
+            "boost/1.91.0"
        ],
        "lz4/[>=1.9.4 <2]": [
            "lz4/1.10.0#59fc63cac7f10fbe8e05c7e62c2f3504"
--- a/conan/global.conf
+++ b/conan/global.conf
@@ -3,3 +3,5 @@
 core:non_interactive=True
 core.download:parallel={{ os.cpu_count() }}
 core.upload:parallel={{ os.cpu_count() }}
+tools.files.download:retry=5
+tools.files.download:retry_wait=10
--- a/conan/lockfile/regenerate.sh
+++ b/conan/lockfile/regenerate.sh
@@ -23,14 +23,14 @@ rm -f conan.lock
 # first create command will create a new lockfile, while the subsequent create
 # commands will merge any additional dependencies into the created lockfile.
 conan lock create . \
-  --options '&:jemalloc=True' \
-  --options '&:rocksdb=True' \
-  --profile:all=conan/lockfile/linux.profile
+    --options '&:jemalloc=True' \
+    --options '&:rocksdb=True' \
+    --profile:all=conan/lockfile/linux.profile
 conan lock create . \
-  --options '&:jemalloc=True' \
-  --options '&:rocksdb=True' \
-  --profile:all=conan/lockfile/macos.profile
+    --options '&:jemalloc=True' \
+    --options '&:rocksdb=True' \
+    --profile:all=conan/lockfile/macos.profile
 conan lock create . \
-  --options '&:jemalloc=True' \
-  --options '&:rocksdb=True' \
-  --profile:all=conan/lockfile/windows.profile
+    --options '&:jemalloc=True' \
+    --options '&:rocksdb=True' \
+    --profile:all=conan/lockfile/windows.profile
--- a/conan/profiles/ci
+++ b/conan/profiles/ci
@@ -1 +1 @@
- include(sanitizers)
+include(sanitizers)
--- a/conan/profiles/sanitizers
+++ b/conan/profiles/sanitizers
@@ -1,59 +1,122 @@
 include(default)
 {% set compiler, version, compiler_exe = detect_api.detect_default_compiler() %}
+{% set arch = detect_api.detect_arch() %}
 {% set sanitizers = os.getenv("SANITIZERS") %}

-[conf]
-{% if sanitizers %}
-    {% if compiler == "gcc" %}
-        {% if "address" in sanitizers or "thread" in sanitizers or "undefinedbehavior" in sanitizers %}
-            {% set sanitizer_list = [] %}
-            {% set model_code = "" %}
-            {% set extra_cxxflags = ["-fno-omit-frame-pointer", "-O1", "-Wno-stringop-overflow"] %}
+{% if not sanitizers %}
+{# Sanitizers not configured; no additional settings needed #}
+{% else %}

-            {% if "address" in sanitizers %}
-                {% set _ = sanitizer_list.append("address") %}
-                {% set model_code = "-mcmodel=large" %}
-            {% elif "thread" in sanitizers %}
-                {% set _ = sanitizer_list.append("thread") %}
-                {% set model_code = "-mcmodel=medium" %}
-                {% set _ = extra_cxxflags.append("-Wno-tsan") %}
-            {% endif %}
+{% if compiler == "msvc" %}
+    {{ "Sanitizers are not supported on Windows/MSVC. Please unset the SANITIZERS environment variable." }}
+{% endif %}

-            {% if "undefinedbehavior" in sanitizers %}
-                {% set _ = sanitizer_list.append("undefined") %}
-                {% set _ = sanitizer_list.append("float-divide-by-zero") %}
-            {% endif %}
+{% set known_sanitizers = ["address", "thread", "undefinedbehavior"] %}
+{% set provided_sanitizers = [] %}
+{% for san in sanitizers.split(",") %}
+    {% set san = san.strip() %}
+    {% if san not in known_sanitizers %}
+        {{ "Unknown sanitizer in SANITIZERS: " ~ san }}
+    {% endif %}
+    {% set _ = provided_sanitizers.append(san) %}
+{% endfor %}

-            {% set sanitizer_flags = "-fsanitize=" ~ ",".join(sanitizer_list) ~ " " ~ model_code %}
+{% set enable_asan = "address" in provided_sanitizers %}
+{% set enable_tsan = "thread" in provided_sanitizers %}
+{% set enable_ubsan = "undefinedbehavior" in provided_sanitizers %}

-            tools.build:cxxflags+=['{{sanitizer_flags}} {{" ".join(extra_cxxflags)}}']
-            tools.build:sharedlinkflags+=['{{sanitizer_flags}}']
-            tools.build:exelinkflags+=['{{sanitizer_flags}}']
-        {% endif %}
-    {% elif compiler == "apple-clang" or compiler == "clang" %}
-        {% if "address" in sanitizers or "thread" in sanitizers or "undefinedbehavior" in sanitizers %}
-            {% set sanitizer_list = [] %}
-            {% set extra_cxxflags = ["-fno-omit-frame-pointer", "-O1"] %}
+{% if enable_asan and enable_tsan %}
+    {{ "AddressSanitizer and ThreadSanitizer are incompatible and cannot be enabled simultaneously." }}
+{% endif %}

-            {% if "address" in sanitizers %}
-                {% set _ = sanitizer_list.append("address") %}
-            {% elif "thread" in sanitizers %}
-                {% set _ = sanitizer_list.append("thread") %}
-            {% endif %}
+{% set sanitizer_types = [] %}
+{% set defines = [] %}

-            {% if "undefinedbehavior" in sanitizers %}
-                {% set _ = sanitizer_list.append("undefined") %}
-                {% set _ = sanitizer_list.append("float-divide-by-zero") %}
-                {% set _ = sanitizer_list.append("unsigned-integer-overflow") %}
-            {% endif %}
+{% if enable_asan %}
+    {% set _ = sanitizer_types.append("address") %}
+    {% set _ = defines.append("BOOST_USE_ASAN") %}
+    {% set _ = defines.append("BOOST_USE_UCONTEXT") %}
+{% elif enable_tsan %}
+    {% set _ = sanitizer_types.append("thread") %}
+    {% set _ = defines.append("BOOST_USE_TSAN") %}
+    {% set _ = defines.append("BOOST_USE_UCONTEXT") %}
+{% endif %}

-            {% set sanitizer_flags = "-fsanitize=" ~ ",".join(sanitizer_list) %}
-
-            tools.build:cxxflags+=['{{sanitizer_flags}} {{" ".join(extra_cxxflags)}}']
-            tools.build:sharedlinkflags+=['{{sanitizer_flags}}']
-            tools.build:exelinkflags+=['{{sanitizer_flags}}']
-        {% endif %}
+{% if enable_ubsan %}
+    {% set _ = sanitizer_types.append("undefined") %}
+    {% set _ = sanitizer_types.append("float-divide-by-zero") %}
+    {# Clang supports additional UB checks beyond the GCC baseline #}
+    {% if compiler == "clang" or compiler == "apple-clang" %}
+        {% set _ = sanitizer_types.append("unsigned-integer-overflow") %}
    {% endif %}
 {% endif %}

-tools.info.package_id:confs+=["tools.build:cxxflags", "tools.build:exelinkflags", "tools.build:sharedlinkflags"]
+{# Frame pointer required for meaningful stack traces; -O1 for reasonable performance #}
+{% set compile_flags = ["-fno-omit-frame-pointer", "-O1"] %}
+
+{% if compiler == "gcc" %}
+    {# Suppress false positive warnings with GCC #}
+    {% set _ = compile_flags.append("-Wno-stringop-overflow") %}
+
+    {% set relocation_flags = [] %}
+
+    {% if arch == "x86_64" and enable_asan %}
+        {# Large code model prevents relocation errors in instrumented ASAN binaries #}
+        {% set _ = compile_flags.append("-mcmodel=large") %}
+        {% set _ = relocation_flags.append("-mcmodel=large") %}
+    {% elif enable_tsan %}
+        {# GCC doesn't support atomic_thread_fence with TSAN; suppress warnings #}
+        {% set _ = compile_flags.append("-Wno-tsan") %}
+        {% if arch == "x86_64" %}
+            {# Medium code model for TSAN; large is incompatible #}
+            {% set _ = compile_flags.append("-mcmodel=medium") %}
+            {% set _ = relocation_flags.append("-mcmodel=medium") %}
+        {% endif %}
+    {% endif %}
+
+    {% set fsanitize = "-fsanitize=" ~ ",".join(sanitizer_types) %}
+    {% set _ = compile_flags.append(fsanitize) %}
+    {% set _ = relocation_flags.append(fsanitize) %}
+
+    {% set sanitizer_compiler_flags = " ".join(compile_flags) %}
+    {% set sanitizer_linker_flags = " ".join(relocation_flags) %}
+{% elif compiler == "clang" or compiler == "apple-clang" %}
+    {% set fsanitize = "-fsanitize=" ~ ",".join(sanitizer_types) %}
+    {% set _ = compile_flags.append(fsanitize) %}
+
+    {% set sanitizer_compiler_flags = " ".join(compile_flags) %}
+    {% set sanitizer_linker_flags = fsanitize %}
+{% endif %}
+
+[conf]
+tools.build:defines+={{defines}}
+tools.build:cxxflags+=['{{sanitizer_compiler_flags}}']
+tools.build:sharedlinkflags+=['{{sanitizer_linker_flags}}']
+tools.build:exelinkflags+=['{{sanitizer_linker_flags}}']
+
+tools.info.package_id:confs+=["tools.build:cxxflags", "tools.build:exelinkflags", "tools.build:sharedlinkflags", "tools.build:defines"]
+
+# &: means "apply only to the consumer/root package"
+&:tools.cmake.cmaketoolchain:extra_variables={"SANITIZERS": "{{sanitizers}}", "SANITIZERS_COMPILER_FLAGS": "{{sanitizer_compiler_flags}}", "SANITIZERS_LINKER_FLAGS": "{{sanitizer_linker_flags}}"}
+
+[options]
+{% if enable_asan %}
+    # Build Boost.Context with ucontext backend (not fcontext) so that
+    # ASAN fiber-switching annotations (__sanitizer_start/finish_switch_fiber)
+    # are compiled into the library. fcontext (assembly) has no ASAN support.
+    # define=BOOST_USE_ASAN=1 is critical: it must be defined when building
+    # Boost.Context itself so the ucontext backend compiles in the ASAN annotations.
+    boost/*:extra_b2_flags=context-impl=ucontext address-sanitizer=on define=BOOST_USE_ASAN=1
+    boost/*:without_context=False
+    # Boost stacktrace fails to build with some sanitizers
+    boost/*:without_stacktrace=True
+{% elif enable_tsan %}
+    # Build Boost.Context with ucontext backend for TSAN. fcontext (assembly)
+    # has no TSAN annotations, so without this the BOOST_USE_TSAN/BOOST_USE_UCONTEXT
+    # defines in [conf] would be ineffective.
+    boost/*:extra_b2_flags=context-impl=ucontext thread-sanitizer=on define=BOOST_USE_TSAN=1
+    boost/*:without_context=False
+    boost/*:without_stacktrace=True
+{% endif %}
+
+{% endif %}
--- a/conanfile.py
+++ b/conanfile.py
@@ -3,7 +3,6 @@ import re
 from conan.tools.cmake import CMake, CMakeToolchain, cmake_layout

 from conan import ConanFile
-from conan import __version__ as conan_version


 class Xrpl(ConanFile):
@@ -29,13 +28,13 @@ class Xrpl(ConanFile):

    requires = [
        "ed25519/2015.03",
-        "grpc/1.72.0",
-        "libarchive/3.8.1",
+        "grpc/1.78.1",
+        "libarchive/3.8.7",
        "nudb/2.0.9",
-        "openssl/3.5.5",
+        "openssl/3.6.2",
        "secp256k1/0.7.1",
        "soci/4.0.3",
-        "zlib/1.3.1",
+        "zlib/1.3.2",
    ]

    test_requires = [
@@ -43,7 +42,7 @@ class Xrpl(ConanFile):
    ]

    tool_requires = [
-        "protobuf/6.32.1",
+        "protobuf/6.33.5",
    ]

    default_options = {
@@ -57,6 +56,10 @@ class Xrpl(ConanFile):
        "tests": False,
        "unity": False,
        "xrpld": False,
+        "boost/*:without_cobalt": True,
+        "boost/*:without_context": False,
+        "boost/*:without_coroutine": True,
+        "boost/*:without_coroutine2": False,
        "date/*:header_only": True,
        "ed25519/*:shared": False,
        "grpc/*:shared": False,
@@ -127,20 +130,16 @@ class Xrpl(ConanFile):
            self.options["boost"].without_cobalt = True

    def requirements(self):
-        # Conan 2 requires transitive headers to be specified
-        transitive_headers_opt = (
-            {"transitive_headers": True} if conan_version.split(".")[0] == "2" else {}
-        )
-        self.requires("boost/1.90.0", force=True, **transitive_headers_opt)
-        self.requires("date/3.0.4", **transitive_headers_opt)
+        self.requires("boost/1.91.0", force=True, transitive_headers=True)
+        self.requires("date/3.0.4", transitive_headers=True)
        self.requires("lz4/1.10.0", force=True)
-        self.requires("protobuf/6.32.1", force=True)
-        self.requires("sqlite3/3.49.1", force=True)
+        self.requires("protobuf/6.33.5", force=True)
+        self.requires("sqlite3/3.53.0", force=True)
        if self.options.jemalloc:
-            self.requires("jemalloc/5.3.0")
+            self.requires("jemalloc/5.3.1")
        if self.options.rocksdb:
            self.requires("rocksdb/10.5.1")
-        self.requires("xxhash/0.8.3", **transitive_headers_opt)
+        self.requires("xxhash/0.8.3", transitive_headers=True)

    exports_sources = (
        "CMakeLists.txt",
@@ -196,7 +195,7 @@ class Xrpl(ConanFile):
            "boost::headers",
            "boost::chrono",
            "boost::container",
-            "boost::coroutine",
+            "boost::context",
            "boost::date_time",
            "boost::filesystem",
            "boost::json",
--- a/cspell.config.yaml
+++ b/cspell.config.yaml
@@ -44,6 +44,10 @@ suggestWords:
 words:
  - abempty
  - AMMID
+  - AMMMPT
+  - AMMMPToken
+  - AMMMPTokens
+  - AMMXRP
  - amt
  - amts
  - asnode
@@ -59,6 +63,7 @@ words:
  - Bougalis
  - Britto
  - Btrfs
+  - Buildx
  - canonicality
  - changespq
  - checkme
@@ -67,6 +72,7 @@ words:
  - citardauq
  - clawback
  - clawbacks
+  - cmaketoolchain
  - coeffs
  - coldwallet
  - compr
@@ -87,18 +93,24 @@ words:
  - daria
  - dcmake
  - dearmor
+  - dedented
  - deleteme
  - demultiplexer
  - deserializaton
  - desync
  - desynced
  - determ
+  - disablerepo
  - distro
  - doxyfile
  - dxrpl
+  - enabled
+  - enablerepo
  - endmacro
  - exceptioned
+  - EXPECT_STREQ
  - Falco
+  - fcontext
  - finalizers
  - firewalled
  - fmtdur
@@ -108,9 +120,11 @@ words:
  - gcovr
  - ghead
  - Gnutella
+  - godexsoft
  - gpgcheck
  - gpgkey
  - hotwallet
+  - hwaddress
  - hwrap
  - ifndef
  - inequation
@@ -144,17 +158,22 @@ words:
  - lseq
  - lsmf
  - ltype
+  - mathbunnyru
  - mcmodel
  - MEMORYSTATUSEX
+  - MPTAMM
+  - MPTDEX
  - Merkle
  - Metafuncton
  - misprediction
+  - missingok
  - mptbalance
  - MPTDEX
  - mptflags
  - mptid
  - mptissuance
  - mptissuanceid
+  - mptissue
  - mptoken
  - mptokenid
  - mptokenissuance
@@ -179,11 +198,15 @@ words:
  - NOLINT
  - NOLINTNEXTLINE
  - nonxrp
+  - noreplace
  - noripple
+  - nostdinc
+  - notifempty
  - nudb
  - nullptr
  - nunl
  - Nyffenegger
+  - onlatest
  - ostr
  - pargs
  - partitioner
@@ -199,11 +222,13 @@ words:
  - preauthorize
  - preauthorizes
  - preclaim
+  - preun
  - protobuf
  - protos
  - ptrs
  - pushd
  - pyenv
+  - pyparsing
  - qalloc
  - queuable
  - Raphson
@@ -229,14 +254,18 @@ words:
  - seqit
  - sf
  - SFIELD
+  - sfields
  - shamap
  - shamapitem
+  - shfmt
+  - shlibs
  - sidechain
  - SIGGOOD
  - sle
  - sles
  - soci
  - socidb
+  - SRPMS
  - sslws
  - statsd
  - STATSDCOLLECTOR
@@ -264,8 +293,8 @@ words:
  - txn
  - txns
  - txs
-  - UBSAN
  - ubsan
+  - UBSAN
  - umant
  - unacquired
  - unambiguity
@@ -273,6 +302,7 @@ words:
  - unauthorizing
  - unergonomic
  - unfetched
+  - unfindable
  - unflatten
  - unfund
  - unimpair
@@ -293,6 +323,7 @@ words:
  - venv
  - vfalco
  - vinnie
+  - wasmi
  - wextra
  - wptr
  - writeme
@@ -301,7 +332,6 @@ words:
  - xbridge
  - xchain
  - ximinez
-  - EXPECT_STREQ
  - XMACRO
  - xrpkuwait
  - xrpl
@@ -309,3 +339,4 @@ words:
  - xrplf
  - xxhash
  - xxhasher
+  - CGNAT
--- a/docker/loader-path.sh
+++ b/docker/loader-path.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+case "$(uname -m)" in
+    x86_64) LOADER=/lib64/ld-linux-x86-64.so.2 ;;
+    aarch64) LOADER=/lib/ld-linux-aarch64.so.1 ;;
+    *)
+        echo "Unsupported arch: $(uname -m)" >&2
+        exit 1
+        ;;
+esac
+
+echo "${LOADER}"
--- a/docker/nix.Dockerfile
+++ b/docker/nix.Dockerfile
@@ -0,0 +1,102 @@
+ARG BASE_IMAGE=nixos/nix:latest
+
+# Nix builder
+FROM nixos/nix:latest AS builder-source
+
+RUN mkdir -p ~/.config/nix && \
+    echo "experimental-features = nix-command flakes" >> ~/.config/nix/nix.conf
+
+# Copy our source and setup our working dir.
+COPY nix/ci-env.nix /tmp/build/nix/ci-env.nix
+COPY nix/packages.nix /tmp/build/nix/packages.nix
+COPY nix/utils.nix /tmp/build/nix/utils.nix
+COPY flake.nix /tmp/build/
+COPY flake.lock /tmp/build/
+WORKDIR /tmp/build
+
+FROM builder-source AS builder
+
+# Build our Nix CI environment (all build tools in a single store path)
+RUN nix \
+    --option filter-syscalls false \
+    build
+
+# Copy the Nix store closure into a directory. The Nix store closure is the
+# entire set of Nix store values that we need for our build.
+RUN mkdir /tmp/nix-store-closure && \
+    cp -R $(nix-store -qR result/) /tmp/nix-store-closure
+
+# Final image
+FROM ${BASE_IMAGE} AS final
+
+ARG BASE_IMAGE
+
+# bash is not located at /bin/bash in nixos/nix, so we need to create a symlink to it.
+RUN if [ -d /nix ]; then \
+        ln -s /root/.nix-profile/bin/bash /bin/bash; \
+    fi
+
+# Use Bash as the default shell for RUN commands, using the options
+# `set -o errexit -o pipefail`, and as the entrypoint.
+SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
+ENTRYPOINT ["/bin/bash"]
+
+# Copy /nix/store and the env symlink tree
+COPY --from=builder /tmp/nix-store-closure /nix/store
+COPY --from=builder /tmp/build/result /nix/ci-env
+
+ENV PATH="/nix/ci-env/bin:${PATH}"
+
+# Externally-built dynamically-linked ELF binaries hard-code the loader path
+# (e.g. /lib64/ld-linux-x86-64.so.2) in their PT_INTERP header. Install it
+# from the Nix store when the base image doesn't already provide one.
+COPY docker/loader-path.sh /tmp/loader-path.sh
+
+RUN <<EOF
+target="$(/tmp/loader-path.sh)"
+
+if [ ! -e "${target}" ]; then
+    # Use the loader from the same glibc that gcc links libc against, so
+    # ld-linux and libc/libpthread share GLIBC_PRIVATE symbols at runtime.
+    src="$(dirname "$(gcc -print-file-name=libc.so.6)")/$(basename "${target}")"
+    [ -e "${src}" ] || { echo "ld-linux not found at ${src}" >&2; exit 1; }
+    mkdir -p "$(dirname "${target}")"
+    cp "${src}" "${target}"
+fi
+EOF
+
+RUN <<EOF
+ccache --version
+clang --version
+clang++ --version
+clang-format --version
+cmake --version
+conan --version
+g++ --version
+gcc --version
+gcovr --version
+git --version
+make --version
+mold --version
+ninja --version
+perl --version
+pkg-config --version
+pre-commit --version
+python3 --version
+run-clang-tidy --help
+vim --version
+EOF
+
+# Sanity-check that the sanitizer runtimes shipped with g++/clang++ are able to build binaries
+COPY docker/test_files/cpp_sources/ /tmp/cpp_sources/
+COPY docker/test_files/compile-cpp-sources.sh /tmp/compile-cpp-sources.sh
+RUN /tmp/compile-cpp-sources.sh /tmp/cpp_sources /tmp/bins
+
+# Sanity-check that the built binaries are able to run.
+# We only support running the test binaries on Ubuntu and NixOS right now (will be fixed in the future)
+#
+# When build and test images will be separate, we will be to run on vanilla images.
+COPY docker/test_files/run-test-binaries.sh /tmp/run-test-binaries.sh
+RUN if echo "${BASE_IMAGE}" | grep -qiE '(ubuntu|nixos)'; then \
+        /tmp/run-test-binaries.sh /tmp/bins; \
+    fi
--- a/docker/test_files/compile-cpp-sources.sh
+++ b/docker/test_files/compile-cpp-sources.sh
@@ -0,0 +1,50 @@
+#!/bin/bash
+# Compile all C++ test binaries during the Docker image build.
+# Each binary has the target system's ELF PT_INTERP (dynamic-linker path)
+# baked in so it can run on the (potentially minimal) final BASE_IMAGE.
+
+set -eo pipefail
+
+src_dir="${1:?usage: $0 <src_dir> <dst_dir>}"
+dst_dir="${2:?usage: $0 <src_dir> <dst_dir>}"
+
+loader="$(/tmp/loader-path.sh)"
+
+mkdir -p "${dst_dir}"
+
+function compile() {
+    local compiler="${1}"
+    local name="${2}"
+    local san_flag="${3:-}"
+
+    local src="${src_dir}/${name}.cpp"
+    local binary="${dst_dir}/${name}-${compiler}"
+
+    echo "=== Compile ${name} with ${compiler} ==="
+    cmd="${compiler} -std=c++23 -O1 -g \
+        -pthread \
+        -Wl,--dynamic-linker=${loader} \
+        ${san_flag} \
+        ${src} -o ${binary}"
+    echo "Command: ${cmd}"
+    eval "${cmd}"
+}
+
+declare -A sanitize=(
+    [regular]=""
+
+    [asan]="-fsanitize=address"
+    [tsan]="-fsanitize=thread"
+    [ubsan]="-fsanitize=undefined -fno-sanitize-recover=all"
+)
+
+for name in regular asan tsan ubsan; do
+    san_flag="${sanitize[${name}]}"
+    for compiler in g++ clang++; do
+        compile "${compiler}" "${name}" "${san_flag}"
+    done
+done
+
+echo "=== All binaries compiled ==="
+
+ls -la "${dst_dir}"
--- a/docker/test_files/cpp_sources/asan.cpp
+++ b/docker/test_files/cpp_sources/asan.cpp
@@ -0,0 +1,28 @@
+#include <atomic>
+#include <cstddef>
+#include <iostream>
+
+#if defined(__clang__) || defined(__GNUC__)
+__attribute__((noinline))
+#elif defined(_MSC_VER)
+__declspec(noinline)
+#endif
+int
+read_after_free(volatile int* array, std::size_t index)
+{
+    std::atomic_signal_fence(std::memory_order_seq_cst);
+    int value = array[index];
+    std::atomic_signal_fence(std::memory_order_seq_cst);
+    return value;
+}
+
+int
+main()
+{
+    int* array = new int[5]{10, 20, 30, 40, 50};
+    delete[] array;
+
+    std::cout << "Value at index 2: " << read_after_free(array, 2) << std::endl;
+
+    return 0;
+}
--- a/docker/test_files/cpp_sources/regular.cpp
+++ b/docker/test_files/cpp_sources/regular.cpp
@@ -0,0 +1,28 @@
+#include <iostream>
+#include <mutex>
+#include <thread>
+#include <vector>
+
+static std::mutex gMutex;
+
+void
+worker(int id)
+{
+    std::lock_guard<std::mutex> lock(gMutex);
+    std::cout << "Hello from thread " << id << "\n";
+}
+
+int
+main()
+{
+    constexpr int kNumThreads = 10;
+    std::vector<std::thread> threads;
+    threads.reserve(kNumThreads);
+    for (int i = 0; i < kNumThreads; ++i)
+        threads.emplace_back(worker, i);
+    for (auto& t : threads)
+        t.join();
+
+    std::cout << "Hello from main thread\n";
+    return 0;
+}
--- a/docker/test_files/cpp_sources/tsan.cpp
+++ b/docker/test_files/cpp_sources/tsan.cpp
@@ -0,0 +1,26 @@
+#include <iostream>
+#include <thread>
+
+static int kCounter = 0;
+
+void
+increment()
+{
+    for (int i = 0; i < 100'000; ++i)
+    {
+        ++kCounter;
+    }
+}
+
+int
+main()
+{
+    std::thread t1(increment);
+    std::thread t2(increment);
+
+    t1.join();
+    t2.join();
+
+    std::cout << "Final counter value: " << kCounter << std::endl;
+    return 0;
+}
--- a/docker/test_files/cpp_sources/ubsan.cpp
+++ b/docker/test_files/cpp_sources/ubsan.cpp
@@ -0,0 +1,13 @@
+#include <iostream>
+#include <limits>
+
+int
+main()
+{
+    int maxInt = std::numeric_limits<int>::max();
+    int volatile one = 1;
+    std::cout << "Current max: " << maxInt << std::endl;
+    int overflowed = maxInt + one;
+    std::cout << "Overflowed result: " << overflowed << std::endl;
+    return 0;
+}
--- a/docker/test_files/run-test-binaries.sh
+++ b/docker/test_files/run-test-binaries.sh
@@ -0,0 +1,62 @@
+#!/bin/bash
+# Run pre-compiled sanitizer binaries and confirm each emits its expected diagnostic.
+# Binaries must already exist in <bins_dir> with the layout:
+# <name>-g++ and <name>-clang++ for name in {regular,asan,tsan,ubsan}
+
+set -eo pipefail
+
+bins_dir="${1:?usage: $0 <bins_dir>}"
+
+# Run a binary and verify its exit code and output.
+# Usage: run <binary> <expected_output> <expected_rc>
+function run() {
+    local binary="${1}"
+    local expected_output="${2}"
+    local expected_rc="${3}"
+
+    local out_file
+    out_file="$(mktemp)"
+
+    echo "=== Run ${binary} ==="
+    local rc=0
+    "${binary}" >"${out_file}" 2>&1 || rc=$?
+
+    cat "${out_file}"
+
+    if [ "${expected_rc}" = "nonzero" ]; then
+        if [ "${rc}" -eq 0 ]; then
+            echo "ERROR: expected non-zero exit code from ${binary}, got ${rc}" >&2
+            exit 1
+        fi
+    elif [ "${rc}" -ne "${expected_rc}" ]; then
+        echo "ERROR: expected exit code ${expected_rc} from ${binary}, got ${rc}" >&2
+        exit 1
+    fi
+
+    grep -q "${expected_output}" "${out_file}" ||
+        {
+            echo "ERROR: expected '${expected_output}' from ${binary}" >&2
+            exit 1
+        }
+    echo "OK: '${expected_output}' detected"
+}
+
+declare -A expect=(
+    [regular]="Hello from main thread"
+
+    [asan]="heap-use-after-free"
+    [tsan]="data race"
+    [ubsan]="signed integer overflow"
+)
+
+for compiler in g++ clang++; do
+    for name in regular asan tsan ubsan; do
+        binary="${bins_dir}/${name}-${compiler}"
+        if [ "${name}" = "regular" ]; then
+            expected_rc=0
+        else
+            expected_rc=nonzero
+        fi
+        run "${binary}" "${expect[$name]}" "${expected_rc}"
+    done
+done
--- a/Show More
+++ b/Show More