test: improve export rng coverage

Add ConsensusExtensions debug logging to the entropy and export scenario suite defaults so participant bitmap diagnostics are captured without live log-level changes.

.codecov.yml

@@ -0,0 +1,37 @@
+codecov:
+  require_ci_to_pass: true
+
+comment:
+  behavior: default
+  layout: reach,diff,flags,tree,reach
+  show_carryforward_flags: false
+
+coverage:
+  range: "60..80"
+  precision: 1
+  round: nearest
+  status:
+    project:
+      default:
+        target: 60%
+        threshold: 2%
+    patch:
+      default:
+        target: auto
+        threshold: 2%
+    changes: false
+
+github_checks:
+  annotations: true
+
+parsers:
+  cobertura:
+    partials_as_hits: true
+    handle_missing_conditions : true
+
+slack_app: false
+
+ignore:
+  - "src/test/"
+  - "include/xrpl/beast/test/"
+  - "include/xrpl/beast/unit_test/"

.git-blame-ignore-revs

@@ -1,8 +1,25 @@
 # This feature requires Git >= 2.24
 # To use it by default in git blame:
 # git config blame.ignoreRevsFile .git-blame-ignore-revs
+# Format first-party source according to .clang-format
 50760c693510894ca368e90369b0cc2dabfd07f3
-e2384885f5f630c8f0ffe4bf21a169b433a16858
-241b9ddde9e11beb7480600fd5ed90e1ef109b21
-760f16f56835663d9286bd29294d074de26a7ba6
-0eebe6a5f4246fced516d52b83ec4e7f47373edd
+# Reintroduce Clang-Format & Levelization
+da1d20d6d5d862716125d60899b80fab5302954a
+# Consolidate external libraries
+da1d20d6d5d862716125d60899b80fab5302954a
+# Rename .hpp to .h
+0345a2645d0f5ad900f4fbbcaff96040d3a887fc
+# Format formerly .hpp files
+5a227dc719016e10045e17c9396ad401118044f1
+# Rewrite includes
+e61880699997398f5a746e6c4034edc7632661f5
+# Move CMake directory (#4997)
+e47b1c1b3b97c3f6d11858ee02f463596e29e7f0
+# Rearrange sources (#4997)
+bfafa2bb39e562901736d656806bd700c3699a2f
+# Rewrite includes (#4997)
+e61880699997398f5a746e6c4034edc7632661f5
+# Recompute loops (#4997)
+d25b5dcd568bb96c18e347d55fac10fe901a1bfb
+# Reformat code with clang-format-18
+02749feea88ce61c1f7eeb2d61a57d8ecf07ab11

.github/actions/xahau-ga-build/action.yml

@@ -2,6 +2,14 @@ name: build
 description: 'Builds the project with ccache integration'
 
 inputs:
+  cmake-target:
+    description: 'CMake target to build'
+    required: false
+    default: all
+  cmake-args:
+    description: 'Additional CMake arguments'
+    required: false
+    default: null
   generator:
     description: 'CMake generator to use'
     required: true
@@ -20,6 +28,10 @@ inputs:
     description: 'C++ compiler to use'
     required: false
     default: ''
+  gcov:
+    description: 'Gcov to use'
+    required: false
+    default: ''
   compiler-id:
     description: 'Unique identifier: compiler-version-stdlib[-gccversion] (e.g. clang-14-libstdcxx-gcc11, gcc-13-libstdcxx)'
     required: false
@@ -41,10 +53,11 @@ inputs:
     required: false
     default: 'dev'
   stdlib:
-    description: 'C++ standard library to use'
+    description: 'C++ standard library to use (default = compiler default, e.g. GCC always uses libstdc++)'
     required: true
     type: choice
     options:
+      - default
       - libstdcxx
       - libcxx
   clang_gcc_toolchain:
@@ -87,11 +100,6 @@ runs:
         export CCACHE_CONFIGPATH="$HOME/.config/ccache/ccache.conf"
         echo "CCACHE_CONFIGPATH=$CCACHE_CONFIGPATH" >> $GITHUB_ENV
 
-        # Keep config separate from cache_dir so configs aren't swapped when CCACHE_DIR changes between steps
-        mkdir -p ~/.config/ccache
-        export CCACHE_CONFIGPATH="$HOME/.config/ccache/ccache.conf"
-        echo "CCACHE_CONFIGPATH=$CCACHE_CONFIGPATH" >> $GITHUB_ENV
-
         # Configure ccache settings AFTER cache restore (prevents stale cached config)
         ccache --set-config=max_size=${{ inputs.ccache_max_size }}
         ccache --set-config=hash_dir=${{ inputs.ccache_hash_dir }}
@@ -122,6 +130,10 @@ runs:
           export CXX="${{ inputs.cxx }}"
         fi
 
+        if [ -n "${{ inputs.gcov }}" ]; then
+          ln -sf /usr/bin/${{ inputs.gcov }} /usr/local/bin/gcov
+        fi
+
         # Create wrapper toolchain that overlays ccache on top of Conan's toolchain
         # This enables ccache for the main app build without affecting Conan dependency builds
         if [ "${{ inputs.ccache_enabled }}" = "true" ]; then
@@ -185,7 +197,8 @@ runs:
           -DCMAKE_TOOLCHAIN_FILE:FILEPATH=${TOOLCHAIN_FILE} \
           -DCMAKE_BUILD_TYPE=${{ inputs.configuration }} \
           -Dtests=TRUE \
-          -Dxrpld=TRUE
+          -Dxrpld=TRUE \
+          ${{ inputs.cmake-args }}
 
     - name: Show ccache config before build
       if: inputs.ccache_enabled == 'true'
@@ -209,7 +222,7 @@ runs:
           VERBOSE_FLAG="-- -v"
         fi
 
-        cmake --build . --config ${{ inputs.configuration }} --parallel $(nproc) ${VERBOSE_FLAG}
+        cmake --build . --config ${{ inputs.configuration }} --parallel $(nproc) --target ${{ inputs.cmake-target }} ${VERBOSE_FLAG}
 
     - name: Show ccache statistics
       if: inputs.ccache_enabled == 'true'

.github/workflows/check-genesis-hooks.yml

@@ -0,0 +1,107 @@
+name: Check Genesis Hooks
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  check-genesis-hooks:
+    runs-on: ubuntu-24.04
+    env:
+      CLANG_VERSION: 18
+    name: Verify xahau.h is in sync with genesis hooks
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      # Install binaryen from GitHub Releases (pinned to version 100)
+      - name: Install binaryen (version 100)
+        run: |
+          curl -LO https://github.com/WebAssembly/binaryen/releases/download/version_100/binaryen-version_100-x86_64-linux.tar.gz
+          tar -xzf binaryen-version_100-x86_64-linux.tar.gz
+          sudo cp binaryen-version_100/bin/* /usr/local/bin/
+          wasm-opt --version
+
+      - name: Install clang-format
+        run: |
+          codename=$( lsb_release --codename --short )
+          sudo tee /etc/apt/sources.list.d/llvm.list >/dev/null <<EOF
+          deb http://apt.llvm.org/${codename}/ llvm-toolchain-${codename}-${CLANG_VERSION} main
+          deb-src http://apt.llvm.org/${codename}/ llvm-toolchain-${codename}-${CLANG_VERSION} main
+          EOF
+          wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add
+          sudo apt-get update
+          sudo apt-get install clang-format-${CLANG_VERSION}
+          clang-format --version
+
+      # Install wasienv (WebAssembly SDK)
+      - name: Install wasienv
+        run: |
+          # Download install.sh
+          curl -o /tmp/wasienv-install.sh https://raw.githubusercontent.com/wasienv/wasienv/master/install.sh
+
+          # Replace /bin to /local/bin
+          sed -i 's|/bin|/local/bin|g' /tmp/wasienv-install.sh
+
+          # Execute the installed script
+          bash /tmp/wasienv-install.sh
+
+      # Add wasienv to PATH for subsequent steps
+      - name: Setup wasienv
+        run: |
+          echo "$HOME/.wasienv/bin" >> $GITHUB_PATH
+          wasmcc -v || true
+
+      # Build and install hook-cleaner tool
+      - name: Build and install hook-cleaner
+        run: |
+          git clone https://github.com/richardah/hook-cleaner-c.git /tmp/hook-cleaner
+          cd /tmp/hook-cleaner
+          make
+          cp hook-cleaner /usr/local/bin/
+          chmod +x /usr/local/bin/hook-cleaner
+
+      # Build and install guard_checker tool
+      - name: Build and install guard_checker
+        run: |
+          cd include/xrpl/hook
+          make
+          cp guard_checker /usr/local/bin/
+          chmod +x /usr/local/bin/guard_checker
+
+      # Verify all required tools are available
+      - name: Verify required tools
+        run: |
+          echo "Checking tool availability..."
+          command -v wasmcc || (echo "Error: wasmcc not found" && exit 1)
+          command -v wasm-opt || (echo "Error: wasm-opt not found" && exit 1)
+          command -v hook-cleaner || (echo "Error: hook-cleaner not found" && exit 1)
+          command -v guard_checker || (echo "Error: guard_checker not found" && exit 1)
+          command -v xxd || (echo "Error: xxd not found" && exit 1)
+          command -v clang-format || (echo "Error: clang-format not found" && exit 1)
+          echo "All tools verified successfully"
+
+      # Execute build script to regenerate xahau.h
+      - name: Run build_xahau_h.sh
+        run: |
+          cd hook/genesis
+          ./build_xahau_h.sh
+
+      # Check if xahau.h has changed (fail if out of sync)
+      - name: Verify xahau.h is in sync
+        run: |
+          if ! git diff --exit-code include/xrpl/hook/xahau.h; then
+            echo ""
+            echo "❌ ERROR: xahau.h is out of sync with genesis hooks"
+            echo ""
+            echo "The generated xahau.h differs from the committed version."
+            echo "Please run the following command and commit the changes:"
+            echo ""
+            echo "    cd hook/genesis && ./build_xahau_h.sh"
+            echo ""
+            echo "Diff:"
+            git diff include/xrpl/hook/xahau.h
+            exit 1
+          fi
+          echo "✅ xahau.h is in sync with genesis hooks"

.github/workflows/clang-format.yml

@@ -20,7 +20,7 @@ jobs:
         sudo apt-get update
         sudo apt-get install clang-format-${CLANG_VERSION}
     - name: Format first-party sources
-      run: find include src -type f \( -name '*.cpp' -o -name '*.hpp' -o -name '*.h' -o -name '*.ipp' \) -not -path "src/magic/magic_enum.h" -exec clang-format-${CLANG_VERSION} -i {} +
+      run: find include src -type f \( -name '*.cpp' -o -name '*.hpp' -o -name '*.h' -o -name '*.ipp' \) -exec clang-format-${CLANG_VERSION} -i {} +
     - name: Check for differences
       id: assert
       run: |

.github/workflows/levelization.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - name: Check levelization
-      run: Builds/levelization/levelization.sh
+      run: python Builds/levelization/levelization.py
     - name: Check for differences
       id: assert
       run: |
@@ -40,7 +40,7 @@ jobs:
           To fix it, you can do one of two things:
           1. Download and apply the patch generated as an artifact of this
              job to your repo, commit, and push.
-          2. Run './Builds/levelization/levelization.sh' in your repo,
+          2. Run 'python Builds/levelization/levelization.py' in your repo,
              commit, and push.
 
           See Builds/levelization/README.md for more info.

.github/workflows/verify-generated-headers.yml

@@ -18,6 +18,10 @@ jobs:
             generator: bash ./hook/generate_sfcodes.sh
           - target: hook/tts.h
             generator: ./hook/generate_tts.sh
+          - target: hook/ls_flags.h
+            generator: ./hook/generate_lsflags.sh
+          - target: hook/tx_flags.h
+            generator: ./hook/generate_txflags.sh
     runs-on: ubuntu-24.04
     env:
       CLANG_VERSION: 18

.github/workflows/xahau-ga-nix.yml

@@ -57,8 +57,9 @@ jobs:
                   "cc": "gcc-11",
                   "cxx": "g++-11",
                   "compiler_version": 11,
-                  "stdlib": "libstdcxx",
-                  "configuration": "Debug"
+                  "stdlib": "default",
+                  "configuration": "Debug",
+                  "job_type": "build"
               },
               {
                   "compiler_id": "gcc-13-libstdcxx",
@@ -66,8 +67,20 @@ jobs:
                   "cc": "gcc-13",
                   "cxx": "g++-13",
                   "compiler_version": 13,
-                  "stdlib": "libstdcxx",
-                  "configuration": "Debug"
+                  "stdlib": "default",
+                  "configuration": "Debug",
+                  "job_type": "build"
+              },
+              {
+                  "compiler_id": "gcc-13-libstdcxx",
+                  "compiler": "gcc",
+                  "cc": "gcc-13",
+                  "cxx": "g++-13",
+                  "gcov": "gcov-13",
+                  "compiler_version": 13,
+                  "stdlib": "default",
+                  "configuration": "Debug",
+                  "job_type": "coverage"
               },
               {
                   "compiler_id": "clang-14-libstdcxx-gcc11",
@@ -77,7 +90,8 @@ jobs:
                   "compiler_version": 14,
                   "stdlib": "libstdcxx",
                   "clang_gcc_toolchain": 11,
-                  "configuration": "Debug"
+                  "configuration": "Debug",
+                  "job_type": "build"
               },
               {
                   "compiler_id": "clang-16-libstdcxx-gcc13",
@@ -87,7 +101,8 @@ jobs:
                   "compiler_version": 16,
                   "stdlib": "libstdcxx",
                   "clang_gcc_toolchain": 13,
-                  "configuration": "Debug"
+                  "configuration": "Debug",
+                  "job_type": "build"
               },
               {
                   "compiler_id": "clang-17-libcxx",
@@ -96,7 +111,8 @@ jobs:
                   "cxx": "clang++-17",
                   "compiler_version": 17,
                   "stdlib": "libcxx",
-                  "configuration": "Debug"
+                  "configuration": "Debug",
+                  "job_type": "build"
               },
               {
                   # Clang 18 - testing if it's faster than Clang 17 with libc++
@@ -107,14 +123,16 @@ jobs:
                   "cxx": "clang++-18",
                   "compiler_version": 18,
                   "stdlib": "libcxx",
-                  "configuration": "Debug"
+                  "configuration": "Debug",
+                  "job_type": "build"
               }
           ]
           
           # Minimal matrix for PRs and feature branches
           minimal_matrix = [
               full_matrix[1],  # gcc-13 (middle-ground gcc)
-              full_matrix[2]   # clang-14 (mature, stable clang)
+              full_matrix[2],  # gcc-13 coverage
+              full_matrix[3]   # clang-14 (mature, stable clang)
           ]
           
           # Determine which matrix to use based on the target branch
@@ -189,14 +207,21 @@ jobs:
           # Select the appropriate matrix
           if use_full:
               if force_full:
-                  print(f"Using FULL matrix (6 configs) - forced by [ci-nix-full-matrix] tag")
+                  print(f"Using FULL matrix (7 configs) - forced by [ci-nix-full-matrix] tag")
               else:
-                  print(f"Using FULL matrix (6 configs) - targeting main branch")
+                  print(f"Using FULL matrix (7 configs) - targeting main branch")
               matrix = full_matrix
           else:
-              print(f"Using MINIMAL matrix (2 configs) - feature branch/PR")
+              print(f"Using MINIMAL matrix (3 configs) - feature branch/PR")
               matrix = minimal_matrix
-          
+
+          # Add runs_on based on job_type
+          for entry in matrix:
+              if entry.get("job_type") == "coverage":
+                  entry["runs_on"] = '["self-hosted", "generic", 24.04]'
+              else:
+                  entry["runs_on"] = '["self-hosted", "generic", 20.04]'
+
           # Output the matrix as JSON
           output = json.dumps({"include": matrix})
           with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
@@ -204,7 +229,10 @@ jobs:
 
   build:
     needs: matrix-setup
-    runs-on: [self-hosted, generic, 20.04]
+    runs-on: ${{ fromJSON(matrix.runs_on) }}
+    permissions:
+      id-token: write
+      contents: read
     container:
       image: ubuntu:24.04
       volumes:
@@ -233,7 +261,7 @@ jobs:
           apt-get install -y software-properties-common
           add-apt-repository ppa:ubuntu-toolchain-r/test -y
           apt-get update
-          apt-get install -y python3 python-is-python3 pipx
+          apt-get install -y git python3 python-is-python3 pipx
           pipx ensurepath
           apt-get install -y cmake ninja-build ${{ matrix.cc }} ${{ matrix.cxx }} ccache
           apt-get install -y perl # for openssl build
@@ -304,6 +332,12 @@ jobs:
           pipx install "conan>=2.0,<3"
           echo "$HOME/.local/bin" >> $GITHUB_PATH
 
+          # Install gcovr for coverage jobs
+          if [ "${{ matrix.job_type }}" = "coverage" ]; then
+            pipx install "gcovr>=7,<9"
+            apt-get install -y curl lcov
+          fi
+
       - name: Check environment
         run: |
           echo "PATH:"
@@ -313,6 +347,13 @@ jobs:
           which ${{ matrix.cc }} && ${{ matrix.cc }} --version || echo "${{ matrix.cc }} not found"
           which ${{ matrix.cxx }} && ${{ matrix.cxx }} --version || echo "${{ matrix.cxx }} not found"
           which ccache && ccache --version || echo "ccache not found"
+
+          # Check gcovr for coverage jobs
+          if [ "${{ matrix.job_type }}" = "coverage" ]; then
+            which gcov && gcov --version || echo "gcov not found"
+            which gcovr && gcovr --version || echo "gcovr not found"
+          fi
+
           echo "---- Full Environment ----"
           env
 
@@ -340,6 +381,7 @@ jobs:
           gha_cache_enabled: 'false' # Disable caching for self hosted runner
 
       - name: Build
+        if: matrix.job_type == 'build'
         uses: ./.github/actions/xahau-ga-build
         with:
           generator: Ninja
@@ -354,7 +396,27 @@ jobs:
           clang_gcc_toolchain: ${{ matrix.clang_gcc_toolchain || '' }}
           ccache_max_size: '100G'
 
+      - name: Build (Coverage)
+        if: matrix.job_type == 'coverage'
+        uses: ./.github/actions/xahau-ga-build
+        with:
+          generator: Ninja
+          configuration: ${{ matrix.configuration }}
+          build_dir: ${{ env.build_dir }}
+          cc: ${{ matrix.cc }}
+          cxx: ${{ matrix.cxx }}
+          gcov: ${{ matrix.gcov }}
+          compiler-id: ${{ matrix.compiler_id }}
+          cache_version: ${{ env.CACHE_VERSION }}
+          main_branch: ${{ env.MAIN_BRANCH_NAME }}
+          stdlib: ${{ matrix.stdlib }}
+          # Coverage builds are slower due to instrumentation; use fewer parallel jobs to avoid flakiness
+          cmake-args: '-Dcoverage=ON -Dcoverage_format=xml -Dcoverage_test_parallelism=$(($(nproc)/2)) -DCODE_COVERAGE_VERBOSE=ON -DCMAKE_CXX_FLAGS="-O0" -DCMAKE_C_FLAGS="-O0"'
+          cmake-target: 'coverage'
+          ccache_max_size: '100G'
+
       - name: Set artifact name
+        if: matrix.job_type == 'build'
         id: set-artifact-name
         run: |
           ARTIFACT_NAME="build-output-nix-${{ github.run_id }}-${{ matrix.compiler }}-${{ matrix.configuration }}"
@@ -367,6 +429,7 @@ jobs:
           ls -la ${{ env.build_dir }} || echo "Build directory not found or empty"
 
       - name: Run tests
+        if: matrix.job_type == 'build'
         run: |
           # Ensure the binary exists before trying to run
           if [ -f "${{ env.build_dir }}/rippled" ]; then
@@ -375,3 +438,42 @@ jobs:
              echo "Error: rippled executable not found in ${{ env.build_dir }}"
              exit 1
           fi
+
+      # Coverage-specific steps
+      - name: Move coverage report
+        if: matrix.job_type == 'coverage'
+        shell: bash
+        run: |
+          mv "${{ env.build_dir }}/coverage.xml" ./
+
+      - name: Archive coverage report
+        if: matrix.job_type == 'coverage'
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage.xml
+          path: coverage.xml
+          retention-days: 30
+
+      - name: Upload coverage report
+        if: matrix.job_type == 'coverage'
+        uses: codecov/codecov-action@v5
+        with:
+          files: coverage.xml
+          fail_ci_if_error: true
+          disable_search: true
+          verbose: true
+          plugins: noop
+          use_oidc: true
+
+      - name: Export server definitions
+        if: matrix.job_type == 'build' && matrix.compiler_id == 'gcc-13-libstdcxx'
+        run: |
+          ${{ env.build_dir }}/rippled --definitions | python3 -m json.tool > server_definitions.json
+
+      - name: Upload server definitions
+        if: matrix.job_type == 'build' && matrix.compiler_id == 'gcc-13-libstdcxx'
+        uses: actions/upload-artifact@v7
+        with:
+          name: server-definitions
+          path: server_definitions.json
+          archive: false

.gitignore

@@ -53,6 +53,9 @@ Builds/levelization/results/paths.txt
 Builds/levelization/results/includes/
 Builds/levelization/results/includedby/
 
+# Python
+__pycache__
+
 # Ignore tmp directory.
 tmp
 
@@ -124,5 +127,8 @@ bld.rippled/
 generated
 .vscode
 
+# AI docs (local working documents)
+.ai-docs/
+
 # Suggested in-tree build directory
 /.build/

.testnet/.gitignore

@@ -0,0 +1,4 @@
+output/
+__pycache__/
+scenarios/odd-cases/
+scenarios/suite-experiments.yml

.testnet/scenarios/entropy/consensus_entropy_crash.py

@@ -0,0 +1,29 @@
+"""Scenario: ConsensusEntropy amendment crashes non-supporting node.
+
+Votes ConsensusEntropy accept on all nodes except n4, then waits for n4
+to crash as the amendment activates without its support.
+
+    x-testnet run --scenario-script consensus_entropy_crash.py
+"""
+
+from helpers import CONSENSUS_ENTROPY_FEATURE
+
+
+async def scenario(ctx, log):
+    await ctx.wait_for_ledger_close()
+    ctx.feature(CONSENSUS_ENTROPY_FEATURE, vetoed=False, exclude_nodes=[4])
+
+    log("Waiting for ConsensusEntropy to be voted for...")
+    await ctx.wait_for_feature(
+        CONSENSUS_ENTROPY_FEATURE,
+        check=lambda s: not s.get("vetoed"),
+        exclude_nodes=[4],
+        timeout=60,
+    )
+
+    log("Waiting for n4 to crash...")
+    op = await ctx.wait_for_nodes_down(nodes=[4], timeout=600)
+
+    ctx.assert_log("unsupported amendments activated", since=op.started, nodes=[4])
+    ctx.assert_exit_status(0, nodes=[4])
+    log("PASS: n4 shut down due to unsupported amendment")

.testnet/scenarios/entropy/entropy_with_transactions.py

@@ -0,0 +1,52 @@
+""":descr: entropy stays valid under transaction load"""
+
+from __future__ import annotations
+
+from helpers import require_entropy, get_entropy_tx, assert_valid_entropy
+
+variants = [
+    {"label": "light", "min_txns": 5, "max_txns": 10},
+    {"label": "heavy", "min_txns": 50, "max_txns": 60},
+    {"label": "super_heavy", "min_txns": 90, "max_txns": 120},
+]
+
+
+async def scenario(ctx, log, *, min_txns=5, max_txns=10, **_):
+    await require_entropy(ctx, log)
+
+    gen = ctx.txn_generator(min_txns=min_txns, max_txns=max_txns)
+    await gen.start()
+    await gen.wait_until_ready()
+    log(f"Transaction generator ready ({min_txns}-{max_txns} txns/ledger)")
+
+    # Wait for pipeline warmup + a few txn-bearing ledgers.
+    await ctx.wait_for_ledgers(3, node_id=0, timeout=60)
+
+    start_seq = ctx.validated_ledger_index(0)
+    await ctx.wait_for_ledgers(10, node_id=0, timeout=120)
+    end_seq = ctx.validated_ledger_index(0)
+    log(f"Inspecting ledgers {start_seq + 1} → {end_seq}")
+
+    digests = set()
+    total_user_txns = 0
+
+    for seq in range(start_seq + 1, end_seq + 1):
+        ce, user_txns = get_entropy_tx(ctx, seq)
+        digest, count = assert_valid_entropy(ce, seq, seen_digests=digests)
+        total_user_txns += len(user_txns)
+        log(
+            f"  Ledger {seq}: EntropyCount={count} "
+            f"user_txns={len(user_txns)} Digest={digest[:16]}..."
+        )
+
+    await gen.stop()
+
+    log(
+        f"Verified {end_seq - start_seq} ledgers: {total_user_txns} user txns, "
+        f"all entropy valid and unique"
+    )
+
+    if total_user_txns == 0:
+        raise AssertionError("No user transactions were included in any ledger")
+
+    log("PASS")

.testnet/scenarios/entropy/quorum_degradation_smoke.py

@@ -0,0 +1,125 @@
+""":descr: 4/5 liveness, 3/5 zero-entropy fallback, recovery"""
+
+from __future__ import annotations
+
+from helpers import require_entropy, get_entropy_tx, entropy_fields
+
+
+async def scenario(ctx, log):
+    await require_entropy(ctx, log)
+
+    # Baseline: wait 1 ledger to confirm network is healthy.
+    await ctx.wait_for_ledgers(1, node_id=0, timeout=30)
+
+    # --- 4/5 liveness ---
+    ctx.stop_node(4)
+    await ctx.wait_for_nodes_down(nodes=[4], timeout=30)
+    await ctx.wait_for_ledgers(1, node_id=0, timeout=30)
+    log("4/5: liveness OK")
+
+    # Snapshot validated seq before dropping to 3/5.
+    val_before = ctx.validated_ledger_index(0)
+
+    # --- 3/5 degraded window ---
+    ctx.stop_node(3)
+    await ctx.wait_for_nodes_down(nodes=[3], timeout=30)
+
+    # 10s ≈ 3 rounds at 3s cadence.
+    await ctx.sleep(10)
+
+    val_after = ctx.validated_ledger_index(0)
+    log(f"3/5: validated ledger {val_before} → {val_after}")
+
+    # Accepted/built ledgers may still later appear as validated once the full
+    # network rejoins. For ConsensusEntropy the key invariant is that every
+    # ledger created during this sub-quorum window carries ZERO entropy.
+    degraded_zero = 0
+    degraded_end = val_after or val_before
+    if val_before and degraded_end and degraded_end > val_before:
+        for seq in range(val_before + 1, degraded_end + 1):
+            ce, _ = get_entropy_tx(ctx, seq)
+            digest, entropy_count, is_zero = entropy_fields(ce)
+
+            if not is_zero:
+                raise AssertionError(
+                    f"Ledger {seq}: expected ZERO entropy during 3/5 window, "
+                    f"got Digest={digest[:16]}... EntropyCount={entropy_count}"
+                )
+
+            degraded_zero += 1
+            log(f"  Degraded ledger {seq}: EntropyCount={entropy_count} ZERO")
+
+    log(f"3/5 entropy summary: {degraded_zero} zero")
+
+    # Log checks tied to current transition mechanics:
+    # - commit-set SHAMap publication is the observable output of entering the
+    #   commit sidecar phase
+    # - ConvergingCommit transition is the gateway out of seq=0-only behavior
+    # - reason=impossible-quorum is the explicit degraded-window fallback path
+    ctx.log_level("LedgerConsensus", "trace")
+    ctx.log_level("ConsensusExtensions", "trace")
+    op = await ctx.sleep(6, name="stall_window")
+
+    ctx.assert_not_log(
+        r"RNG: transitioned to ConvergingCommit", within=op.window, nodes=[0, 1, 2]
+    )
+    ctx.assert_not_log(
+        r"RNG: built commitSet SHAMap", within=op.window, nodes=[0, 1, 2]
+    )
+
+    gate_blocked = ctx.search_logs(
+        r"STALLDIAG: establish gate blocked reason=(pause|no-tx-consensus)",
+        within=op.window,
+        nodes=[0, 1, 2],
+    )
+    log(f"3/5: establish gate-blocked logs in 6s: {gate_blocked.count}")
+
+    impossible = ctx.search_logs(
+        r"RNG: skipping commit wait reason=impossible-quorum",
+        within=op.window,
+        nodes=[0, 1, 2],
+    )
+    log(f"3/5: RNG impossible-quorum skips in 6s: {impossible.count}")
+
+    # --- Recovery: restart nodes, verify ledger advancement ---
+    ctx.start_node(3)
+    ctx.start_node(4)
+    await ctx.wait_for_ledgers(1, node_id=0, timeout=120)
+
+    val_recovered = ctx.validated_ledger_index(0)
+    pre_recovery = max(v for v in [val_before, val_after] if v is not None)
+    log(f"Recovered: validated seq {pre_recovery} → {val_recovered}")
+
+    if not val_recovered or val_recovered <= pre_recovery:
+        raise AssertionError(
+            f"Validated ledger did not advance after recovery "
+            f"({pre_recovery} → {val_recovered})"
+        )
+
+    # Inspect post-recovery ledgers separately from the degraded window above.
+    # Once the network is back at quorum, non-zero entropy is valid again but
+    # must still be quorum-met.
+    zero_count = 0
+    nonzero_count = 0
+    for seq in range(pre_recovery + 1, val_recovered + 1):
+        ce, _ = get_entropy_tx(ctx, seq)
+        digest, entropy_count, is_zero = entropy_fields(ce)
+
+        if is_zero:
+            zero_count += 1
+        else:
+            nonzero_count += 1
+            if entropy_count < 4:
+                raise AssertionError(
+                    f"Ledger {seq}: non-zero entropy with sub-quorum "
+                    f"EntropyCount={entropy_count} (need >= 4)"
+                )
+
+        log(
+            f"  Ledger {seq}: EntropyCount={entropy_count} "
+            f"{'ZERO' if is_zero else 'REAL'}"
+        )
+
+    log(f"Entropy summary: {zero_count} zero, {nonzero_count} non-zero")
+
+    log("PASS")

.testnet/scenarios/entropy/quorum_recovery_smoke.py

@@ -0,0 +1,44 @@
+""":descr: drop 2 nodes (3/5 stall), restart both, verify recovery"""
+
+from __future__ import annotations
+
+from helpers import require_entropy
+
+
+async def scenario(ctx, log):
+    await require_entropy(ctx, log)
+
+    await ctx.wait_for_ledgers(1, node_id=0, timeout=60)
+    log("Baseline OK")
+
+    # Drop 2 nodes → validation stall.
+    ctx.stop_node(3)
+    ctx.stop_node(4)
+    await ctx.wait_for_nodes_down(nodes=[3, 4], timeout=30)
+
+    info = ctx.rpc.server_info(node_id=0)
+    val_before = info.get("info", {}).get("validated_ledger", {}).get("seq", 0)
+    log(f"Stalled at validated seq {val_before}")
+
+    # Let it sit for a few rounds in degraded state.
+    await ctx.sleep(6)
+
+    # Bring both nodes back.
+    ctx.start_node(3)
+    ctx.start_node(4)
+    log("Restarted n3 and n4, waiting for recovery...")
+
+    # Recovery: wait for ANY validated ledger advance on n0.
+    await ctx.wait_for_ledger_close(node_id=0, timeout=60)
+
+    info = ctx.rpc.server_info(node_id=0)
+    val_after = info.get("info", {}).get("validated_ledger", {}).get("seq", 0)
+    log(f"Recovered: validated seq {val_before} → {val_after}")
+
+    if val_after <= val_before:
+        raise AssertionError(
+            f"Validated ledger did not advance after recovery "
+            f"({val_before} → {val_after})"
+        )
+
+    log("PASS")

.testnet/scenarios/entropy/steady_state_entropy.py

@@ -0,0 +1,27 @@
+""":descr: all 5 nodes healthy, every ledger has valid unique quorum-met entropy"""
+
+from __future__ import annotations
+
+from helpers import require_entropy, get_entropy_tx, assert_valid_entropy
+
+
+async def scenario(ctx, log):
+    await require_entropy(ctx, log)
+
+    # Wait for RNG pipeline to warm up past bootstrap skip.
+    await ctx.wait_for_ledgers(3, node_id=0, timeout=60)
+    log("Pipeline warmed up")
+
+    start_seq = ctx.validated_ledger_index(0)
+    await ctx.wait_for_ledgers(10, node_id=0, timeout=120)
+    end_seq = ctx.validated_ledger_index(0)
+    log(f"Inspecting ledgers {start_seq + 1} → {end_seq}")
+
+    digests = set()
+    for seq in range(start_seq + 1, end_seq + 1):
+        ce, _ = get_entropy_tx(ctx, seq)
+        digest, count = assert_valid_entropy(ce, seq, seen_digests=digests)
+        log(f"  Ledger {seq}: EntropyCount={count} Digest={digest[:16]}...")
+
+    log(f"Verified {end_seq - start_seq} ledgers: all quorum entropy, all unique")
+    log("PASS")

.testnet/scenarios/export-suite.yml

@@ -0,0 +1,88 @@
+defaults:
+  network:
+    node_count: 5
+    launcher: tmux
+    find_ports: true
+    slave_delay: 0.2
+    features:
+      - ConsensusEntropy
+      - Export
+    track_features:
+      - ConsensusEntropy
+      - Export
+    log_levels:
+      TxQ: info
+      Protocol: debug
+      Peer: debug
+      LedgerConsensus: debug
+      ConsensusExtensions: debug
+      NetworkOPs: info
+    env:
+      XAHAU_RESOURCE_PER_PORT: "1"
+      XAHAU_RNG_POLL_MS: "333"
+
+tests:
+  # --- CE + Export (80% quorum, SHAMap convergence) ---
+  - name: steady_state_export_ce
+    script: .testnet/scenarios/export/steady_state_export.py
+
+  - name: retriable_export_ce
+    script: .testnet/scenarios/export/retriable_export.py
+
+  - name: export_degradation_ce
+    script: .testnet/scenarios/export/export_degradation.py
+    network:
+      node_env:
+        3:
+          XAHAUD_NO_EXPORT_SIG: "1"
+        4:
+          XAHAUD_NO_EXPORT_SIG: "1"
+
+  # CE + Export: 1 node suppressed, 4/5 = 80% quorum, should succeed
+  - name: export_ce_one_node_down
+    script: .testnet/scenarios/export/export_quorum.py
+    params:
+      expect_success: true
+    network:
+      node_env:
+        4:
+          XAHAUD_NO_EXPORT_SIG: "1"
+
+  # --- Export only, no CE (80% active-view quorum) ---
+  - name: export_only_all_up
+    script: .testnet/scenarios/export/export_quorum.py
+    params:
+      expect_success: true
+    network:
+      features:
+        - Export
+      track_features:
+        - Export
+
+  - name: export_only_one_node_down
+    script: .testnet/scenarios/export/export_quorum.py
+    params:
+      expect_success: true
+    network:
+      features:
+        - Export
+      track_features:
+        - Export
+      node_env:
+        4:
+          XAHAUD_NO_EXPORT_SIG: "1"
+
+  - name: export_only_two_nodes_down
+    script: .testnet/scenarios/export/export_quorum.py
+    params:
+      expect_success: false
+    network:
+      features:
+        - Export
+      track_features:
+        - Export
+      node_env:
+        3:
+          XAHAUD_NO_EXPORT_SIG: "1"
+        4:
+          XAHAUD_NO_EXPORT_SIG: "1"

.testnet/scenarios/export/export_degradation.py

@@ -0,0 +1,118 @@
+""":descr: Submit ttEXPORT with 2 nodes suppressing export sigs, verify it
+retries via terRETRY_EXPORT until LLS expiry (insufficient signatures).
+
+Nodes 3 and 4 have XAHAUD_NO_EXPORT_SIG=1, so only 3/5 nodes provide
+export signatures. With 80% quorum = ceil(5*0.8) = 4 required, the
+export cannot reach quorum and should expire via tecEXPORT_EXPIRED.
+
+Flow:
+  1. Fund alice and bob
+  2. alice submits ttEXPORT with tight LLS
+  3. Export retries (only 3/5 sigs available, need 4)
+  4. Verify export expires with tecEXPORT_EXPIRED
+  5. Verify subsequent payment still works (sequence not permanently blocked)
+"""
+
+from __future__ import annotations
+
+from export_helpers import require_export, assert_shadow_ticket
+
+
+async def scenario(ctx, log):
+    await require_export(ctx, log)
+
+    # --- Setup ---
+    await ctx.fund_accounts({"alice": 10000, "bob": 1000})
+    log("Accounts funded")
+
+    alice = ctx.account("alice")
+    bob = ctx.account("bob")
+    current_seq = ctx.validated_ledger_index(0)
+
+    log(f"Current ledger: {current_seq}")
+    log("Nodes 3,4 have XAHAUD_NO_EXPORT_SIG=1 (3/5 sigs, need 4)")
+
+    # --- Submit ttEXPORT (should retry then expire -- only 3/5 sigs) ---
+    export_start = ctx.mark("export-degradation-submit-start")
+    result = await ctx.submit_and_wait(
+        {
+            "TransactionType": "Export",
+            "LastLedgerSequence": current_seq + 8,
+            "Fee": "1000000",
+            "ExportedTxn": {
+                "TransactionType": "Payment",
+                "Account": alice.address,
+                "Destination": bob.address,
+                "Amount": "1000000",
+                "Fee": "10",
+                "Sequence": 0,
+                "TicketSequence": 1,
+                "FirstLedgerSequence": current_seq + 1,
+                "LastLedgerSequence": current_seq + 6,
+                "Flags": 2147483648,
+                "SigningPubKey": "",
+            },
+        },
+        alice.wallet,
+        timeout=60,
+    )
+    export_end = ctx.mark("export-degradation-submit-end")
+
+    final_seq = ctx.validated_ledger_index(0)
+    engine_result = result.get("engine_result", "")
+    log(f"Export completed at ledger {final_seq}, result: {engine_result}")
+
+    # With only 3/5 sigs and 80% quorum (4 required), export MUST fail
+    if engine_result == "tesSUCCESS":
+        raise AssertionError(
+            "Export should NOT have succeeded with only 3/5 sigs "
+            "(need 4 for 80% quorum) -- check XAHAUD_NO_EXPORT_SIG config"
+        )
+
+    # Should be tecEXPORT_EXPIRED (LLS reached without quorum)
+    if engine_result != "tecEXPORT_EXPIRED":
+        log(f"WARNING: expected tecEXPORT_EXPIRED, got {engine_result}")
+
+    log(f"Export failed as expected ({engine_result})")
+
+    retry_logs = ctx.assert_log(
+        r"Export: insufficient signatures .*result=terRETRY_EXPORT",
+        since=export_start,
+        until=export_end,
+    )
+    log(f"Export insufficient-signature retries: {retry_logs.count}")
+
+    expired_logs = ctx.assert_log(
+        r"Export: last ledger expired .*result=tecEXPORT_EXPIRED",
+        since=export_start,
+        until=export_end,
+    )
+    log(f"Export LLS expiry logs: {expired_logs.count}")
+
+    # No shadow ticket should exist (export never reached quorum)
+    assert_shadow_ticket(ctx, alice.address, log, expect_exists=False)
+
+    # --- Verify subsequent payment works regardless ---
+    log("Submitting payment from alice to bob...")
+    pay_result = await ctx.submit_and_wait(
+        {
+            "TransactionType": "Payment",
+            "Destination": bob.address,
+            "Amount": "1000000",
+            "Fee": "12",
+        },
+        alice.wallet,
+        timeout=30,
+    )
+
+    pay_engine = pay_result.get("engine_result", "")
+    log(f"Payment result: {pay_engine}")
+
+    if pay_engine != "tesSUCCESS":
+        raise AssertionError(
+            f"Payment failed after expired export: {pay_engine} "
+            f"-- sequence may be blocked"
+        )
+
+    log("Payment succeeded -- account not permanently blocked")
+    log("PASS")

.testnet/scenarios/export/export_helpers.py

@@ -0,0 +1,146 @@
+"""Shared helpers for Export scenario tests."""
+
+from __future__ import annotations
+
+from xahaud_scripts.testnet.config import feature_name_to_hash
+
+
+async def require_export(ctx, log):
+    """Wait for first ledger and assert Export is enabled."""
+    await ctx.wait_for_ledger_close(timeout=120)
+    feature = ctx.feature_check(feature_name_to_hash("Export"), node_id=0)
+    if not feature or not feature.get("enabled", False):
+        raise AssertionError(f"Export not enabled: {feature}")
+    log("Export enabled")
+
+
+def find_export_txns(ctx, seq):
+    """Find Export transactions in a ledger.
+
+    Returns list of Export transaction dicts.
+    """
+    result = ctx.ledger(seq, transactions=True)
+    if not result:
+        return []
+
+    txns = result.get("ledger", {}).get("transactions", [])
+    return [tx for tx in txns if tx.get("TransactionType") == "Export"]
+
+
+def dst_param(address):
+    """Encode an address as a HookParameter entry for the DST param."""
+    from xrpl.core.addresscodec import decode_classic_address
+
+    dst_hex = decode_classic_address(address).hex().upper()
+    return {
+        "HookParameter": {
+            "HookParameterName": "445354",  # "DST"
+            "HookParameterValue": dst_hex,
+        }
+    }
+
+
+def assert_hook_accepted(meta, log, *, expected_emits=1):
+    """Assert hook executed with ACCEPT and the expected emit count.
+
+    Checks sfHookExecutions in transaction metadata.
+    Returns the hook execution entry for further inspection.
+    """
+    hook_execs = meta.get("HookExecutions", [])
+    if not hook_execs:
+        raise AssertionError("No HookExecutions in metadata")
+
+    exec_entry = hook_execs[0].get("HookExecution", {})
+    hook_result = exec_entry.get("HookResult", -1)
+    emit_count = exec_entry.get("HookEmitCount", -1)
+    return_code = exec_entry.get("HookReturnCode", "")
+
+    log(f"  HookResult={hook_result} EmitCount={emit_count} ReturnCode={return_code}")
+
+    # HookResult 3 = ExitType::ACCEPT
+    if hook_result != 3:
+        raise AssertionError(
+            f"Hook did not ACCEPT: HookResult={hook_result} "
+            f"ReturnCode={return_code}"
+        )
+
+    if emit_count != expected_emits:
+        raise AssertionError(
+            f"Expected {expected_emits} emits, got {emit_count}"
+        )
+
+    # ReturnCode 0 = success; non-zero = ASSERT line number in hook
+    if return_code and str(return_code) != "0":
+        raise AssertionError(
+            f"Hook returned error code {return_code} "
+            f"(likely ASSERT failure at that line)"
+        )
+
+    return exec_entry
+
+
+def assert_export_result(meta, log, *, require_signers=True):
+    """Assert ExportResult is present and well-formed in metadata.
+
+    Returns the ExportResult dict.
+    """
+    export_result = meta.get("ExportResult", {})
+    if not export_result:
+        raise AssertionError("ExportResult not found in metadata")
+
+    # Must have LedgerSequence and TransactionHash
+    if "LedgerSequence" not in export_result:
+        raise AssertionError("ExportResult missing LedgerSequence")
+    if "TransactionHash" not in export_result:
+        raise AssertionError("ExportResult missing TransactionHash")
+
+    # Must have the inner ExportedTxn object
+    inner = export_result.get("ExportedTxn", {})
+    if not inner:
+        raise AssertionError("ExportResult missing ExportedTxn (multisigned blob)")
+
+    log(f"  ExportResult: seq={export_result['LedgerSequence']} "
+        f"hash={export_result['TransactionHash'][:16]}...")
+
+    # Inner tx should have Account, Destination, TransactionType
+    if "Account" not in inner:
+        raise AssertionError("ExportedTxn missing Account")
+    if "TransactionType" not in inner:
+        raise AssertionError("ExportedTxn missing TransactionType")
+
+    # Should have empty SigningPubKey (multisigned)
+    if inner.get("SigningPubKey", "NOT_EMPTY") != "":
+        raise AssertionError(
+            f"ExportedTxn SigningPubKey should be empty, "
+            f"got '{inner.get('SigningPubKey')}'"
+        )
+
+    if require_signers:
+        signers = inner.get("Signers", [])
+        if not signers:
+            raise AssertionError("ExportedTxn has no Signers (multisig not applied)")
+        log(f"  Signers: {len(signers)} validator(s)")
+
+    return export_result
+
+
+def assert_shadow_ticket(ctx, account_address, log, *, expect_exists=True):
+    """Assert shadow ticket exists (or doesn't) for the account."""
+    obj_result = ctx.rpc.request(
+        0, "account_objects", {"account": account_address}
+    )
+    all_objects = (obj_result or {}).get("account_objects", [])
+    shadow_tickets = [
+        obj for obj in all_objects
+        if obj.get("LedgerEntryType") == "ShadowTicket"
+    ]
+    log(f"  Shadow tickets: {len(shadow_tickets)}")
+
+    if expect_exists and not shadow_tickets:
+        raise AssertionError("Expected shadow ticket but none found")
+    if not expect_exists and shadow_tickets:
+        raise AssertionError(
+            f"Expected no shadow tickets but found {len(shadow_tickets)}"
+        )
+
+    return shadow_tickets

.testnet/scenarios/export/export_quorum.py

@@ -0,0 +1,112 @@
+""":descr: Test Export quorum behavior. When enough active validators sign,
+the export should succeed whether or not CE is enabled. When fewer than the
+active-view quorum sign, the export should expire.
+
+Parameterized via `expect_success` kwarg from suite.yml.
+
+Flow:
+  1. Fund alice and bob
+  2. alice submits ttEXPORT
+  3. Verify result matches expectation (tesSUCCESS or tecEXPORT_EXPIRED)
+  4. Verify ExportResult + shadow ticket on success, absence on failure
+  5. Verify subsequent payment works regardless
+"""
+
+from __future__ import annotations
+
+from export_helpers import (
+    require_export,
+    assert_export_result,
+    assert_shadow_ticket,
+)
+
+
+async def scenario(ctx, log, expect_success=True):
+    await require_export(ctx, log)
+
+    # --- Setup ---
+    await ctx.fund_accounts({"alice": 10000, "bob": 1000})
+    log("Accounts funded")
+
+    alice = ctx.account("alice")
+    bob = ctx.account("bob")
+    current_seq = ctx.validated_ledger_index(0)
+
+    log(f"Current ledger: {current_seq}")
+    outcome = "success" if expect_success else "failure (below quorum)"
+    log(f"Expecting export {outcome}")
+
+    # --- Submit ttEXPORT ---
+    result = await ctx.submit_and_wait(
+        {
+            "TransactionType": "Export",
+            "LastLedgerSequence": current_seq + 10,
+            "Fee": "1000000",
+            "ExportedTxn": {
+                "TransactionType": "Payment",
+                "Account": alice.address,
+                "Destination": bob.address,
+                "Amount": "1000000",
+                "Fee": "10",
+                "Sequence": 0,
+                "TicketSequence": 1,
+                "FirstLedgerSequence": current_seq + 1,
+                "LastLedgerSequence": current_seq + 8,
+                "Flags": 2147483648,
+                "SigningPubKey": "",
+            },
+        },
+        alice.wallet,
+        timeout=60,
+    )
+
+    final_seq = ctx.validated_ledger_index(0)
+    engine_result = result.get("engine_result", "")
+    meta = result.get("meta", {})
+
+    log(f"Export at ledger {final_seq}, result: {engine_result}")
+
+    if expect_success:
+        if engine_result != "tesSUCCESS":
+            raise AssertionError(
+                f"Expected tesSUCCESS, got {engine_result}"
+            )
+
+        # Assert ExportResult is well-formed with signers
+        assert_export_result(meta, log, require_signers=True)
+
+        # Assert shadow ticket was created
+        assert_shadow_ticket(ctx, alice.address, log, expect_exists=True)
+
+        log("Export succeeded as expected (active-view quorum reached)")
+    else:
+        if engine_result == "tesSUCCESS":
+            raise AssertionError(
+                "Export should NOT have succeeded below active-view quorum"
+            )
+        log(f"Export failed as expected ({engine_result})")
+
+        # No shadow ticket should exist
+        assert_shadow_ticket(ctx, alice.address, log, expect_exists=False)
+
+    # --- Verify subsequent payment works ---
+    log("Submitting payment from alice to bob...")
+    pay_result = await ctx.submit_and_wait(
+        {
+            "TransactionType": "Payment",
+            "Destination": bob.address,
+            "Amount": "1000000",
+            "Fee": "12",
+        },
+        alice.wallet,
+        timeout=30,
+    )
+
+    pay_engine = pay_result.get("engine_result", "")
+    log(f"Payment result: {pay_engine}")
+
+    if pay_engine != "tesSUCCESS":
+        raise AssertionError(f"Payment failed: {pay_engine}")
+
+    log("Payment succeeded -- account not blocked")
+    log("PASS")

.testnet/scenarios/export/retriable_export.py

@@ -0,0 +1,94 @@
+""":descr: Submit ttEXPORT directly (no hook), verify it succeeds with
+ExportResult in metadata. Then submit a payment from the same account
+to verify sequence handling doesn't block subsequent transactions.
+
+Flow:
+  1. Fund alice and bob
+  2. alice submits ttEXPORT with inner payment -> tesSUCCESS (provisional)
+  3. Validators attach sigs via proposals -> quorum -> ExportResult in metadata
+  4. alice submits a Payment to bob -> should succeed (sequence not blocked)
+"""
+
+from __future__ import annotations
+
+from export_helpers import require_export, assert_export_result, assert_shadow_ticket
+
+
+async def scenario(ctx, log):
+    await require_export(ctx, log)
+
+    # --- Setup ---
+    await ctx.fund_accounts({"alice": 10000, "bob": 1000})
+    log("Accounts funded")
+
+    alice = ctx.account("alice")
+    bob = ctx.account("bob")
+    current_seq = ctx.validated_ledger_index(0)
+
+    log(f"Current ledger: {current_seq}")
+
+    # --- 1. Submit ttEXPORT ---
+    result = await ctx.submit_and_wait(
+        {
+            "TransactionType": "Export",
+            "LastLedgerSequence": current_seq + 15,
+            "Fee": "1000000",
+            "ExportedTxn": {
+                "TransactionType": "Payment",
+                "Account": alice.address,
+                "Destination": bob.address,
+                "Amount": "1000000",
+                "Fee": "10",
+                "Sequence": 0,
+                "TicketSequence": 1,
+                "FirstLedgerSequence": current_seq + 1,
+                "LastLedgerSequence": current_seq + 10,
+                "Flags": 2147483648,
+                "SigningPubKey": "",
+            },
+        },
+        alice.wallet,
+        timeout=60,
+    )
+
+    export_seq = ctx.validated_ledger_index(0)
+    engine_result = result.get("engine_result", "")
+    log(f"Export completed at ledger {export_seq}, result: {engine_result}")
+
+    if engine_result != "tesSUCCESS":
+        raise AssertionError(
+            f"Expected tesSUCCESS for export, got {engine_result}"
+        )
+
+    # Assert ExportResult is well-formed with signers
+    meta = result.get("meta", {})
+    assert_export_result(meta, log, require_signers=True)
+
+    # Assert shadow ticket was created
+    assert_shadow_ticket(ctx, alice.address, log, expect_exists=True)
+
+    # --- 2. Submit Payment from same account ---
+    log("Submitting payment from alice to bob...")
+    pay_result = await ctx.submit_and_wait(
+        {
+            "TransactionType": "Payment",
+            "Destination": bob.address,
+            "Amount": "1000000",
+            "Fee": "12",
+        },
+        alice.wallet,
+        timeout=30,
+    )
+
+    pay_engine = pay_result.get("engine_result", "")
+    log(f"Payment result: {pay_engine}")
+
+    if pay_engine != "tesSUCCESS":
+        raise AssertionError(f"Payment failed: {pay_engine}")
+
+    log(
+        f"Both transactions succeeded: "
+        f"Export at ledger {export_seq}, Payment at ledger {ctx.validated_ledger_index(0)}"
+    )
+    log("Sequence handling OK - export didn't block subsequent txns")
+    log("PASS")

.testnet/scenarios/export/steady_state_export.py

@@ -0,0 +1,211 @@
+""":descr: install xport hook, trigger export, verify emitted ttEXPORT lifecycle
+
+  1. Fund alice (hook holder), bob (trigger), carol (export destination)
+  2. Install xport hook on alice
+  3. bob pays alice with DST=carol → hook calls xport() → emits ttEXPORT
+  4. Emitted ttEXPORT enters open ledger, validators attach sigs via proposals
+  5. Verify Export transaction appears in a subsequent ledger
+"""
+
+from __future__ import annotations
+
+from export_helpers import (
+    require_export,
+    find_export_txns,
+    dst_param,
+    assert_hook_accepted,
+    assert_export_result,
+    assert_shadow_ticket,
+)
+
+# C source for the xport hook — verbatim from src/test/app/Export_test_hooks.h
+# On Payment to the hook account, exports a 1 XAH payment to the DST param.
+XPORT_HOOK_C = r"""
+#include <stdint.h>
+extern int32_t _g(uint32_t id, uint32_t maxiter);
+extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+extern int64_t xport(uint32_t write_ptr, uint32_t write_len, uint32_t read_ptr, uint32_t read_len);
+extern int64_t xport_reserve(uint32_t count);
+extern int64_t hook_account(uint32_t write_ptr, uint32_t write_len);
+extern int64_t otxn_param(uint32_t write_ptr, uint32_t write_len, uint32_t name_ptr, uint32_t name_len);
+extern int64_t otxn_type(void);
+extern int64_t ledger_seq(void);
+
+#define SBUF(x) (uint32_t)(x), sizeof(x)
+#define ASSERT(x) if (!(x)) rollback((uint32_t)#x, sizeof(#x), __LINE__)
+
+#define ttPAYMENT 0
+#define tfCANONICAL 0x80000000UL
+#define amAMOUNT 1
+#define amFEE 8
+#define atACCOUNT 1
+#define atDESTINATION 3
+
+#define ENCODE_TT(buf_out, tt) \
+    buf_out[0] = 0x12U; buf_out[1] = (tt >> 8) & 0xFFU; buf_out[2] = tt & 0xFFU; buf_out += 3;
+
+#define ENCODE_FLAGS(buf_out, flags) \
+    buf_out[0] = 0x22U; buf_out[1] = (flags >> 24) & 0xFFU; buf_out[2] = (flags >> 16) & 0xFFU; \
+    buf_out[3] = (flags >> 8) & 0xFFU; buf_out[4] = flags & 0xFFU; buf_out += 5;
+
+#define ENCODE_SEQUENCE(buf_out, seq) \
+    buf_out[0] = 0x24U; buf_out[1] = (seq >> 24) & 0xFFU; buf_out[2] = (seq >> 16) & 0xFFU; \
+    buf_out[3] = (seq >> 8) & 0xFFU; buf_out[4] = seq & 0xFFU; buf_out += 5;
+
+#define ENCODE_FLS(buf_out, fls) \
+    buf_out[0] = 0x20U; buf_out[1] = 0x1AU; buf_out[2] = (fls >> 24) & 0xFFU; \
+    buf_out[3] = (fls >> 16) & 0xFFU; buf_out[4] = (fls >> 8) & 0xFFU; \
+    buf_out[5] = fls & 0xFFU; buf_out += 6;
+
+#define ENCODE_LLS(buf_out, lls) \
+    buf_out[0] = 0x20U; buf_out[1] = 0x1BU; buf_out[2] = (lls >> 24) & 0xFFU; \
+    buf_out[3] = (lls >> 16) & 0xFFU; buf_out[4] = (lls >> 8) & 0xFFU; \
+    buf_out[5] = lls & 0xFFU; buf_out += 6;
+
+#define ENCODE_DROPS(buf_out, drops, amt_type) \
+    buf_out[0] = 0x60U + amt_type; buf_out[1] = 0x40U + ((drops >> 56) & 0x3FU); \
+    buf_out[2] = (drops >> 48) & 0xFFU; buf_out[3] = (drops >> 40) & 0xFFU; \
+    buf_out[4] = (drops >> 32) & 0xFFU; buf_out[5] = (drops >> 24) & 0xFFU; \
+    buf_out[6] = (drops >> 16) & 0xFFU; buf_out[7] = (drops >> 8) & 0xFFU; \
+    buf_out[8] = drops & 0xFFU; buf_out += 9;
+
+#define ENCODE_SIGNING_PUBKEY_EMPTY(buf_out) \
+    buf_out[0] = 0x73U; buf_out[1] = 0x00U; buf_out += 2;
+
+#define ENCODE_ACCOUNT(buf_out, acc, acc_type) \
+    buf_out[0] = 0x80U + acc_type; buf_out[1] = 0x14U; \
+    for (int i = 0; i < 20; ++i) buf_out[2+i] = acc[i]; buf_out += 22;
+
+#define PREPARE_PAYMENT_SIMPLE_SIZE 270U
+
+int64_t hook(uint32_t reserved) {
+    _g(1, 1);
+
+    if (otxn_type() != ttPAYMENT)
+        return accept(0, 0, 0);
+
+    ASSERT(xport_reserve(1) == 1);
+
+    uint8_t dst[20];
+    int64_t dst_len = otxn_param(SBUF(dst), "DST", 3);
+    ASSERT(dst_len == 20);
+
+    uint8_t acc[20];
+    ASSERT(hook_account(SBUF(acc)) == 20);
+
+    uint32_t cls = (uint32_t)ledger_seq();
+
+    uint8_t tx[PREPARE_PAYMENT_SIMPLE_SIZE];
+    uint8_t* buf = tx;
+
+    ENCODE_TT(buf, ttPAYMENT);
+    ENCODE_FLAGS(buf, tfCANONICAL);
+    ENCODE_SEQUENCE(buf, 0);
+    ENCODE_FLS(buf, cls + 1);
+    ENCODE_LLS(buf, cls + 5);
+    // sfTicketSequence = UINT32 field 41 = 0x20 0x29
+    buf[0] = 0x20U; buf[1] = 0x29U;
+    buf[2] = 0; buf[3] = 0; buf[4] = 0; buf[5] = 1;
+    buf += 6;
+
+    uint64_t drops = 1000000;
+    ENCODE_DROPS(buf, drops, amAMOUNT);
+    ENCODE_DROPS(buf, 10, amFEE);
+
+    ENCODE_SIGNING_PUBKEY_EMPTY(buf);
+    ENCODE_ACCOUNT(buf, acc, atACCOUNT);
+    ENCODE_ACCOUNT(buf, dst, atDESTINATION);
+
+    uint8_t hash[32];
+    int64_t xport_result = xport(SBUF(hash), (uint32_t)tx, buf - tx);
+    ASSERT(xport_result == 32);
+
+    return accept(0, 0, 0);
+}
+"""
+
+
+async def scenario(ctx, log):
+    # Wait for network to start and amendments to activate
+    await require_export(ctx, log)
+
+    # --- Setup ---
+    await ctx.fund_accounts({"alice": 10000, "bob": 10000, "carol": 1000})
+    log("Accounts funded")
+
+    alice = ctx.account("alice")
+    carol = ctx.account("carol")
+
+    # Compile and install xport hook on alice
+    wasm = ctx.compile_hook(XPORT_HOOK_C, label="xport")
+    await ctx.submit_and_wait(
+        {
+            "TransactionType": "SetHook",
+            "Hooks": [
+                {
+                    "Hook": {
+                        "CreateCode": wasm.hex().upper(),
+                        "HookOn": "0" * 64,
+                        "HookNamespace": "0" * 64,
+                        "HookApiVersion": 0,
+                        "Flags": 1,  # hsfOVERRIDE
+                    }
+                }
+            ],
+            "Fee": "100000000",
+        },
+        alice.wallet,
+    )
+    log(
+        f"Hook installed on alice ({alice.address[:12]}...) "
+        f"ledger {ctx.validated_ledger_index(0)}"
+    )
+
+    # --- Trigger ---
+    # bob pays alice → hook calls xport() → emits ttEXPORT
+    trigger_result = await ctx.submit_and_wait(
+        {
+            "TransactionType": "Payment",
+            "Destination": alice.address,
+            "Amount": "100000000",
+            "Fee": "1000000",
+            "HookParameters": [dst_param(carol.address)],
+        },
+        ctx.account("bob").wallet,
+    )
+    trigger_seq = ctx.validated_ledger_index(0)
+    log(f"Export triggered at ledger {trigger_seq}")
+
+    # Assert hook fired with ACCEPT and emitted 1 tx
+    trigger_meta = trigger_result.get("meta", {})
+    assert_hook_accepted(trigger_meta, log, expected_emits=1)
+
+    # --- Verify: check each ledger close for the Export transaction ---
+    max_ledgers = 10
+    for i in range(max_ledgers):
+        await ctx.wait_for_ledgers(1, node_id=0, timeout=30)
+        seq = ctx.validated_ledger_index(0)
+        exports = find_export_txns(ctx, seq)
+        if exports:
+            export_tx = exports[0]
+            meta = export_tx.get("meta", export_tx.get("metaData", {}))
+            result = meta.get("TransactionResult", "")
+            log(f"Ledger {seq}: Export txn found, result={result}")
+
+            if result != "tesSUCCESS":
+                raise AssertionError(f"Export did not succeed: {result}")
+
+            # Assert ExportResult is well-formed with signers and inner tx
+            assert_export_result(meta, log, require_signers=True)
+
+            # Assert shadow ticket was created
+            assert_shadow_ticket(ctx, alice.address, log, expect_exists=True)
+
+            log("PASS")
+            return
+        log(f"Ledger {seq}: no Export txn yet")
+
+    raise AssertionError(
+        f"No Export transaction found after {max_ledgers} ledger closes"
+    )

.testnet/scenarios/helpers.py

@@ -0,0 +1,82 @@
+"""Shared helpers for ConsensusEntropy scenario tests."""
+
+from __future__ import annotations
+
+from xahaud_scripts.testnet.config import feature_name_to_hash
+
+ZERO_DIGEST = "0" * 64
+CONSENSUS_ENTROPY_FEATURE = feature_name_to_hash("ConsensusEntropy")
+
+
+def feature_hash(name: str) -> str:
+    """Return the amendment hash accepted by feature RPC."""
+    return feature_name_to_hash(name)
+
+
+def feature_status(ctx, name: str, node_id=0):
+    """Query a feature by amendment hash; feature RPC names are ambiguous."""
+    return ctx.feature_check(feature_hash(name), node_id=node_id)
+
+
+def consensus_entropy_feature(ctx, node_id=0):
+    """Query ConsensusEntropy by amendment hash."""
+    return feature_status(ctx, "ConsensusEntropy", node_id=node_id)
+
+
+async def require_entropy(ctx, log):
+    """Wait for first ledger and assert ConsensusEntropy is enabled."""
+    await ctx.wait_for_ledger_close(timeout=120)
+    feature = consensus_entropy_feature(ctx, node_id=0)
+    if not feature or not feature.get("enabled", False):
+        raise AssertionError(f"ConsensusEntropy not enabled: {feature}")
+    log("ConsensusEntropy enabled")
+
+
+def get_entropy_tx(ctx, seq):
+    """Fetch ledger and return (ce_tx, user_txns) or raise."""
+    result = ctx.ledger(seq, transactions=True)
+    if not result:
+        raise AssertionError(f"Ledger {seq}: fetch failed")
+
+    ledger = result.get("ledger")
+    if not isinstance(ledger, dict):
+        raise AssertionError(f"Ledger {seq}: fetch returned no ledger: {result}")
+
+    txns = ledger.get("transactions", [])
+    ce = [tx for tx in txns if tx.get("TransactionType") == "ConsensusEntropy"]
+    user = [tx for tx in txns if tx.get("TransactionType") != "ConsensusEntropy"]
+
+    if len(ce) != 1:
+        raise AssertionError(
+            f"Ledger {seq}: expected 1 ConsensusEntropy txn, got {len(ce)}"
+        )
+
+    return ce[0], user
+
+
+def entropy_fields(ce_tx):
+    """Return (digest, entropy_count, is_zero) from a ConsensusEntropy tx."""
+    digest = ce_tx.get("Digest", "")
+    entropy_count = ce_tx.get("EntropyCount", -1)
+    is_zero = digest == ZERO_DIGEST and entropy_count == 0
+    return digest, entropy_count, is_zero
+
+
+def assert_valid_entropy(ce_tx, seq, seen_digests=None):
+    """Assert non-zero quorum-met entropy. Optionally check uniqueness."""
+    digest, entropy_count, is_zero = entropy_fields(ce_tx)
+
+    if is_zero or not digest:
+        raise AssertionError(f"Ledger {seq}: zero/empty Digest")
+
+    if entropy_count < 4:
+        raise AssertionError(
+            f"Ledger {seq}: EntropyCount={entropy_count} < 4 (sub-quorum)"
+        )
+
+    if seen_digests is not None:
+        if digest in seen_digests:
+            raise AssertionError(f"Ledger {seq}: duplicate Digest {digest[:16]}...")
+        seen_digests.add(digest)
+
+    return digest, entropy_count

.testnet/scenarios/suite.yml

@@ -0,0 +1,45 @@
+defaults:
+  network:
+    node_count: 5
+    launcher: tmux
+    find_ports: true
+    slave_delay: 0.2
+    features:
+      - ConsensusEntropy
+    track_features:
+      - ConsensusEntropy
+    log_levels:
+      TxQ: info
+      Protocol: debug
+      Peer: debug
+      LedgerConsensus: debug
+      ConsensusExtensions: debug
+      NetworkOPs: info
+    env:
+      XAHAU_RESOURCE_PER_PORT: "1"
+      XAHAU_RNG_POLL_MS: "333"
+
+tests:
+  - name: steady_state_entropy
+    script: .testnet/scenarios/entropy/steady_state_entropy.py
+
+  - name: steady_state_entropy_fast_start
+    script: .testnet/scenarios/entropy/steady_state_entropy.py
+    network:
+      env:
+        XAHAUD_BOOTSTRAP_FAST_START: "1"
+
+  - name: entropy_with_transactions
+    script: .testnet/scenarios/entropy/entropy_with_transactions.py
+
+  - name: quorum_recovery_smoke
+    script: .testnet/scenarios/entropy/quorum_recovery_smoke.py
+
+  - name: quorum_degradation_smoke
+    script: .testnet/scenarios/entropy/quorum_degradation_smoke.py
+    network:
+      log_levels:
+        LedgerConsensus: trace
+        ConsensusExtensions: trace
+
+  # Export scenarios: see export-suite.yml

Builds/levelization/README.md

@@ -50,7 +50,7 @@ that `test` code should *never* be included in `ripple` code.)
 
 ## Validation
 
-The [levelization.sh](levelization.sh) script takes no parameters,
+The [levelization.py](levelization.py) script takes no parameters,
 reads no environment variables, and can be run from any directory,
 as long as it is in the expected location in the rippled repo.
 It can be run at any time from within a checked out repo, and will
@@ -84,7 +84,7 @@ It generates many files of [results](results):
   Github Actions workflow to test that levelization loops haven't
   changed.  Unfortunately, if changes are detected, it can't tell if
   they are improvements or not, so if you have resolved any issues or
-  done anything else to improve levelization, run `levelization.sh`,
+  done anything else to improve levelization, run `levelization.py`,
   and commit the updated results.
 
 The  `loops.txt` and `ordering.txt` files relate the modules
@@ -108,7 +108,7 @@ The committed files hide the detailed values intentionally, to
 prevent false alarms and merging issues, and because it's easy to
 get those details locally.
 
-1. Run `levelization.sh`
+1. Run `levelization.py`
 2. Grep the modules in `paths.txt`.
    * For example, if a cycle is found `A ~= B`, simply `grep -w
      A Builds/levelization/results/paths.txt | grep -w B`

Builds/levelization/levelization.py

@@ -0,0 +1,283 @@
+#!/usr/bin/env python3
+
+"""
+Usage: levelization.py
+This script takes no parameters, and can be called from any directory in the file system.
+"""
+
+import os
+import re
+import sys
+from collections import defaultdict
+from pathlib import Path
+
+# Compile regex patterns once at module level
+INCLUDE_PATTERN = re.compile(r"^\s*#include.*/.*\.h")
+INCLUDE_PATH_PATTERN = re.compile(r'[<"]([^>"]+)[>"]')
+
+
+def dictionary_sort_key(s):
+    """
+    Create a sort key that mimics 'sort -d' (dictionary order).
+    Dictionary order only considers blanks and alphanumeric characters.
+    """
+    return "".join(c for c in s if c.isalnum() or c.isspace())
+
+
+def get_level(file_path):
+    """
+    Extract the level from a file path (second and third directory components).
+    Equivalent to bash: cut -d/ -f 2,3
+
+    Examples:
+        src/ripple/app/main.cpp -> ripple.app
+        src/test/app/Import_test.cpp -> test.app
+    """
+    parts = file_path.split("/")
+
+    if len(parts) >= 3:
+        level = f"{parts[1]}/{parts[2]}"
+    elif len(parts) >= 2:
+        level = f"{parts[1]}/toplevel"
+    else:
+        level = file_path
+
+    # If the "level" indicates a file, cut off the filename
+    if "." in level.split("/")[-1]:
+        # Use the "toplevel" label as a workaround for `sort`
+        # inconsistencies between different utility versions
+        level = level.rsplit("/", 1)[0] + "/toplevel"
+
+    return level.replace("/", ".")
+
+
+def extract_include_level(include_line):
+    """
+    Extract the include path from an #include directive.
+    Gets the first two directory components from the include path.
+    Equivalent to bash: cut -d/ -f 1,2
+
+    Examples:
+        #include <ripple/basics/base_uint.h> -> ripple.basics
+        #include "ripple/app/main/Application.h" -> ripple.app
+    """
+    match = INCLUDE_PATH_PATTERN.search(include_line)
+    if not match:
+        return None
+
+    include_path = match.group(1)
+    parts = include_path.split("/")
+
+    if len(parts) >= 2:
+        include_level = f"{parts[0]}/{parts[1]}"
+    else:
+        include_level = include_path
+
+    # If the "includelevel" indicates a file, cut off the filename
+    if "." in include_level.split("/")[-1]:
+        include_level = include_level.rsplit("/", 1)[0] + "/toplevel"
+
+    return include_level.replace("/", ".")
+
+
+def find_repository_directories(start_path, depth_limit=10):
+    """
+    Find the repository root by looking for src or include folders.
+    Walks up the directory tree from the start path.
+    """
+    current = start_path.resolve()
+
+    for _ in range(depth_limit):
+        src_path = current / "src"
+        include_path = current / "include"
+        has_src = src_path.exists()
+        has_include = include_path.exists()
+
+        if has_src or has_include:
+            dirs = []
+            if has_src:
+                dirs.append(src_path)
+            if has_include:
+                dirs.append(include_path)
+            return current, dirs
+
+        parent = current.parent
+        if parent == current:
+            break
+        current = parent
+
+    raise RuntimeError(
+        "Could not find repository root. "
+        "Expected to find a directory containing 'src' and/or 'include' folders."
+    )
+
+
+def main():
+    script_dir = Path(__file__).parent.resolve()
+    os.chdir(script_dir)
+
+    # Clean up and create results directory.
+    results_dir = script_dir / "results"
+    if results_dir.exists():
+        import shutil
+
+        shutil.rmtree(results_dir)
+    results_dir.mkdir()
+
+    # Find the repository root.
+    try:
+        repo_root, scan_dirs = find_repository_directories(script_dir)
+        print(f"Found repository root: {repo_root}")
+        for scan_dir in scan_dirs:
+            print(f"  Scanning: {scan_dir.relative_to(repo_root)}")
+    except RuntimeError as e:
+        print(f"Error: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    # Find all #include directives.
+    print("\nScanning for raw includes...")
+    raw_includes = []
+    rawincludes_file = results_dir / "rawincludes.txt"
+
+    with open(rawincludes_file, "w", buffering=8192) as raw_f:
+        for dir_path in scan_dirs:
+            for file_path in dir_path.rglob("*"):
+                if not file_path.is_file():
+                    continue
+                try:
+                    rel_path_str = str(file_path.relative_to(repo_root))
+                    with open(
+                        file_path, "r", encoding="utf-8", errors="ignore", buffering=8192
+                    ) as f:
+                        for line in f:
+                            if "#include" not in line or "boost" in line:
+                                continue
+                            if INCLUDE_PATTERN.match(line):
+                                line_stripped = line.strip()
+                                entry = f"{rel_path_str}:{line_stripped}\n"
+                                print(entry, end="")
+                                raw_f.write(entry)
+                                raw_includes.append((rel_path_str, line_stripped))
+                except Exception as e:
+                    print(f"Error reading {file_path}: {e}", file=sys.stderr)
+
+    # Build levelization paths and count directly.
+    print("Build levelization paths")
+    path_counts = defaultdict(int)
+
+    for file_path, include_line in raw_includes:
+        include_level = extract_include_level(include_line)
+        if not include_level:
+            continue
+        level = get_level(file_path)
+        if level != include_level:
+            path_counts[(level, include_level)] += 1
+
+    # Sort and deduplicate paths.
+    print("Sort and deduplicate paths")
+    sorted_items = sorted(
+        path_counts.items(),
+        key=lambda x: (dictionary_sort_key(x[0][0]), dictionary_sort_key(x[0][1])),
+    )
+
+    paths_file = results_dir / "paths.txt"
+    with open(paths_file, "w") as f:
+        for (level, include_level), count in sorted_items:
+            line = f"{count:7} {level} {include_level}\n"
+            print(line.rstrip())
+            f.write(line)
+
+    # Split into flat-file database.
+    print("Split into flat-file database")
+    includes_dir = results_dir / "includes"
+    includedby_dir = results_dir / "includedby"
+    includes_dir.mkdir()
+    includedby_dir.mkdir()
+
+    includes_data = defaultdict(list)
+    includedby_data = defaultdict(list)
+
+    for (level, include_level), count in sorted_items:
+        includes_data[level].append((include_level, count))
+        includedby_data[include_level].append((level, count))
+
+    for level in sorted(includes_data.keys(), key=dictionary_sort_key):
+        with open(includes_dir / level, "w") as f:
+            for include_level, count in includes_data[level]:
+                line = f"{include_level} {count}\n"
+                print(line.rstrip())
+                f.write(line)
+
+    for include_level in sorted(includedby_data.keys(), key=dictionary_sort_key):
+        with open(includedby_dir / include_level, "w") as f:
+            for level, count in includedby_data[include_level]:
+                line = f"{level} {count}\n"
+                print(line.rstrip())
+                f.write(line)
+
+    # Search for loops.
+    print("Search for loops")
+    loops_file = results_dir / "loops.txt"
+    ordering_file = results_dir / "ordering.txt"
+
+    # Pre-load all include files into memory for fast lookup.
+    includes_cache = {}
+    includes_lookup = {}
+
+    for include_file in sorted(includes_dir.iterdir(), key=lambda p: p.name):
+        if not include_file.is_file():
+            continue
+        includes_cache[include_file.name] = []
+        includes_lookup[include_file.name] = {}
+        with open(include_file, "r") as f:
+            for line in f:
+                parts = line.strip().split()
+                if len(parts) >= 2:
+                    name, count = parts[0], int(parts[1])
+                    includes_cache[include_file.name].append((name, count))
+                    includes_lookup[include_file.name][name] = count
+
+    loops_found = set()
+
+    with open(loops_file, "w", buffering=8192) as loops_f, open(
+        ordering_file, "w", buffering=8192
+    ) as ordering_f:
+        for source in sorted(includes_cache.keys()):
+            for include, include_freq in includes_cache[source]:
+                if include not in includes_lookup:
+                    continue
+
+                source_freq = includes_lookup[include].get(source)
+
+                if source_freq is not None:
+                    loop_key = tuple(sorted([source, include]))
+                    if loop_key in loops_found:
+                        continue
+                    loops_found.add(loop_key)
+
+                    loops_f.write(f"Loop: {source} {include}\n")
+
+                    diff = include_freq - source_freq
+                    if diff > 3:
+                        loops_f.write(f"  {source} > {include}\n\n")
+                    elif diff < -3:
+                        loops_f.write(f"  {include} > {source}\n\n")
+                    elif source_freq == include_freq:
+                        loops_f.write(f"  {include} == {source}\n\n")
+                    else:
+                        loops_f.write(f"  {include} ~= {source}\n\n")
+                else:
+                    ordering_f.write(f"{source} > {include}\n")
+
+    # Print results.
+    print("\nOrdering:")
+    with open(ordering_file, "r") as f:
+        print(f.read(), end="")
+
+    print("\nLoops:")
+    with open(loops_file, "r") as f:
+        print(f.read(), end="")
+
+
+if __name__ == "__main__":
+    main()

Builds/levelization/levelization.sh

@@ -1,130 +0,0 @@
-#!/bin/bash
-
-# Usage: levelization.sh
-# This script takes no parameters, reads no environment variables,
-# and can be run from any directory, as long as it is in the expected
-# location in the repo.
-
-pushd $( dirname $0 )
-
-if [ -v PS1 ]
-then
-  # if the shell is interactive, clean up any flotsam before analyzing
-  git clean -ix
-fi
-
-# Ensure all sorting is ASCII-order consistently across platforms.
-export LANG=C
-
-rm -rfv results
-mkdir results
-includes="$( pwd )/results/rawincludes.txt"
-pushd ../..
-echo Raw includes:
-grep -r '^[ ]*#include.*/.*\.h' include src | \
-    grep -v boost | tee ${includes}
-popd
-pushd results
-
-oldifs=${IFS}
-IFS=:
-mkdir includes
-mkdir includedby
-echo Build levelization paths
-exec 3< ${includes} # open rawincludes.txt for input
-while read -r -u 3 file include
-do
-    level=$( echo ${file} | cut -d/ -f 2,3 )
-    # If the "level" indicates a file, cut off the filename
-    if [[ "${level##*.}" != "${level}" ]]
-    then
-        # Use the "toplevel" label as a workaround for `sort`
-        # inconsistencies between different utility versions
-        level="$( dirname ${level} )/toplevel"
-    fi
-    level=$( echo ${level} | tr '/' '.' )
-
-    includelevel=$( echo ${include} | sed 's/.*["<]//; s/[">].*//' | \
-        cut -d/ -f 1,2 )
-    if [[ "${includelevel##*.}" != "${includelevel}" ]]
-    then
-        # Use the "toplevel" label as a workaround for `sort`
-        # inconsistencies between different utility versions
-        includelevel="$( dirname ${includelevel} )/toplevel"
-    fi
-    includelevel=$( echo ${includelevel} | tr '/' '.' )
-
-    if [[ "$level" != "$includelevel" ]]
-    then
-        echo $level $includelevel | tee -a paths.txt
-    fi
-done
-echo Sort and dedup paths
-sort -ds paths.txt | uniq -c | tee sortedpaths.txt
-mv sortedpaths.txt paths.txt
-exec 3>&- #close fd 3
-IFS=${oldifs}
-unset oldifs
-
-echo Split into flat-file database
-exec 4<paths.txt # open paths.txt for input
-while read -r -u 4 count level include
-do
-    echo ${include} ${count} | tee -a includes/${level}
-    echo ${level} ${count} | tee -a includedby/${include}
-done
-exec 4>&- #close fd 4
-
-loops="$( pwd )/loops.txt"
-ordering="$( pwd )/ordering.txt"
-pushd includes
-echo Search for loops
-# Redirect stdout to a file
-exec 4>&1
-exec 1>"${loops}"
-for source in *
-do
-  if [[ -f "$source" ]]
-  then
-    exec 5<"${source}" # open for input
-    while read -r -u 5 include includefreq
-    do
-      if [[ -f $include ]]
-      then
-        if grep -q -w $source $include
-        then
-          if grep -q -w "Loop: $include $source" "${loops}"
-          then
-            continue
-          fi
-          sourcefreq=$( grep -w $source $include | cut -d\  -f2 )
-          echo "Loop: $source $include"
-          # If the counts are close, indicate that the two modules are
-          # on the same level, though they shouldn't be
-          if [[ $(( $includefreq - $sourcefreq )) -gt 3 ]]
-          then
-              echo -e "  $source > $include\n"
-          elif [[ $(( $sourcefreq - $includefreq )) -gt 3 ]]
-          then
-              echo -e "  $include > $source\n"
-          elif [[ $sourcefreq -eq $includefreq ]]
-          then
-              echo -e "  $include == $source\n"
-          else
-              echo -e "  $include ~= $source\n"
-          fi
-        else
-          echo "$source > $include" >> "${ordering}"
-        fi
-      fi
-    done
-    exec 5>&- #close fd 5
-  fi
-done
-exec 1>&4 #close fd 1
-exec 4>&- #close fd 4
-cat "${ordering}"
-cat "${loops}"
-popd
-popd
-popd

Builds/levelization/results/loops.txt

@@ -26,7 +26,7 @@ Loop: xrpld.app xrpld.nodestore
   xrpld.app > xrpld.nodestore
 
 Loop: xrpld.app xrpld.overlay
-  xrpld.overlay ~= xrpld.app
+  xrpld.overlay == xrpld.app
 
 Loop: xrpld.app xrpld.peerfinder
   xrpld.app > xrpld.peerfinder

Builds/levelization/results/ordering.txt

@@ -43,6 +43,7 @@ test.consensus > xrpld.app
 test.consensus > xrpld.consensus
 test.consensus > xrpld.core
 test.consensus > xrpld.ledger
+test.consensus > xrpl.json
 test.consensus > xrpl.protocol
 test.core > test.jtx
 test.core > test.toplevel
@@ -84,6 +85,7 @@ test.nodestore > xrpl.basics
 test.nodestore > xrpld.core
 test.nodestore > xrpld.nodestore
 test.nodestore > xrpld.unity
+test.nodestore > xrpl.protocol
 test.overlay > test.jtx
 test.overlay > test.toplevel
 test.overlay > test.unit_test
@@ -118,6 +120,7 @@ test.rpc > xrpld.core
 test.rpc > xrpld.net
 test.rpc > xrpld.overlay
 test.rpc > xrpld.rpc
+test.rpc > xrpld.shamap
 test.rpc > xrpl.hook
 test.rpc > xrpl.json
 test.rpc > xrpl.protocol

CMakeLists.txt

@@ -122,6 +122,7 @@ endif()
 find_package(nudb REQUIRED)
 find_package(date REQUIRED)
 find_package(xxHash REQUIRED)
+find_package(magic_enum REQUIRED)
 
 include(deps/WasmEdge) 
   if(TARGET nudb::core)

README.md

@@ -12,7 +12,7 @@ The server software that powers Xahau is called `xahaud` and is available in thi
 
 ### Build from Source
 
-* [Read the build instructions in our documentation](https://xahau.network/infrastructure/building-xahau)
+* [Read the build instructions in our documentation](https://xahau.network/docs/infrastructure/build-xahaud/)
 * If you encounter any issues, please [open an issue](https://github.com/xahau/xahaud/issues)
 
 ## Highlights of Xahau

build-core.sh

@@ -71,6 +71,7 @@ cmake .. -G Ninja \
   -Dxrpld=TRUE \
   -Dtests=TRUE &&
 ccache -z &&
+ccache -p &&
 ninja -j $3 && echo "=== Re-running final link with verbose output ===" && rm -f rippled && ninja -v rippled &&
 ccache -s &&
 strip -s rippled &&

build-full.sh

@@ -12,17 +12,16 @@ echo "-- GITHUB_REPOSITORY: $1"
 echo "-- GITHUB_SHA:        $2"
 echo "-- GITHUB_RUN_NUMBER: $4"
 
-umask 0000;
+umask 0000
 
 ####
 
-cd /io;
-mkdir -p src/certs;
-curl --silent -k https://raw.githubusercontent.com/RichardAH/rippled-release-builder/main/ca-bundle/certbundle.h -o src/certs/certbundle.h;
-if [ "`grep certbundle.h src/xrpld/net/detail/RegisterSSLCerts.cpp | wc -l`" -eq "0" ]
-then
-    cp src/xrpld/net/detail/RegisterSSLCerts.cpp src/xrpld/net/detail/RegisterSSLCerts.cpp.old
-    perl -i -pe "s/^{/{
+cd /io
+mkdir -p src/certs
+curl --silent -k https://raw.githubusercontent.com/RichardAH/rippled-release-builder/main/ca-bundle/certbundle.h -o src/certs/certbundle.h
+if [ "$(grep certbundle.h src/xrpld/net/detail/RegisterSSLCerts.cpp | wc -l)" -eq "0" ]; then
+  cp src/xrpld/net/detail/RegisterSSLCerts.cpp src/xrpld/net/detail/RegisterSSLCerts.cpp.old
+  perl -i -pe "s/^{/{
     #ifdef EMBEDDED_CA_BUNDLE
     BIO *cbio = BIO_new_mem_buf(ca_bundle.data(), ca_bundle.size());
     X509_STORE  *cts = SSL_CTX_get_cert_store(ctx.native_handle());
@@ -68,15 +67,14 @@ fi
 source /opt/rh/gcc-toolset-11/enable
 export PATH=/usr/local/bin:$PATH
 export CC='/usr/lib64/ccache/gcc' &&
-export CXX='/usr/lib64/ccache/g++' &&
-echo "-- Build Rippled --" &&
-pwd &&
+  export CXX='/usr/lib64/ccache/g++' &&
+  echo "-- Build Rippled --" &&
+  pwd &&
+  echo "MOVING TO [ build-core.sh ]"
 
-echo "MOVING TO [ build-core.sh ]";
-
-printenv > .env.temp;
-cat .env.temp | grep '=' | sed s/\\\(^[^=]\\+=\\\)/\\1\\\"/g|sed s/\$/\\\"/g > .env;
-rm .env.temp;
+printenv >.env.temp
+cat .env.temp | grep '=' | sed s/\\\(^[^=]\\+=\\\)/\\1\\\"/g | sed s/\$/\\\"/g >.env
+rm .env.temp
 
 echo "Persisting ENV:"
 cat .env

cmake/CodeCoverage.cmake

@@ -95,6 +95,9 @@
 #     - replace both functions setup_target_for_coverage_gcovr_* with a single setup_target_for_coverage_gcovr
 #     - add support for all gcovr output formats
 #
+# 2024-04-03, Bronek Kozicki
+#     - add support for output formats: jacoco, clover, lcov
+#
 # USAGE:
 #
 # 1. Copy this file into your cmake modules path.
@@ -256,10 +259,10 @@ endif()
 #     BASE_DIRECTORY "../"                   # Base directory for report
 #                                            #  (defaults to PROJECT_SOURCE_DIR)
 #     FORMAT "cobertura"                     # Output format, one of:
-#                                            #  xml cobertura sonarqube json-summary
-#                                            #  json-details coveralls csv txt
-#                                            #  html-single html-nested html-details
-#                                            #  (xml is an alias to cobertura;
+#                                            #  xml cobertura sonarqube jacoco clover
+#                                            #  json-summary json-details coveralls csv
+#                                            #  txt html-single html-nested html-details
+#                                            #  lcov (xml is an alias to cobertura;
 #                                            #  if no format is set, defaults to xml)
 #     EXCLUDE "src/dir1/*" "src/dir2/*"      # Patterns to exclude (can be relative
 #                                            #  to BASE_DIRECTORY, with CMake 3.4+)
@@ -308,6 +311,8 @@ function(setup_target_for_coverage_gcovr)
             set(GCOVR_OUTPUT_FILE ${Coverage_NAME}.txt)
         elseif(Coverage_FORMAT STREQUAL "csv")
             set(GCOVR_OUTPUT_FILE ${Coverage_NAME}.csv)
+        elseif(Coverage_FORMAT STREQUAL "lcov")
+            set(GCOVR_OUTPUT_FILE ${Coverage_NAME}.lcov)
         else()
             set(GCOVR_OUTPUT_FILE ${Coverage_NAME}.xml)
         endif()
@@ -320,6 +325,14 @@ function(setup_target_for_coverage_gcovr)
         set(Coverage_FORMAT cobertura) # overwrite xml
     elseif(Coverage_FORMAT STREQUAL "sonarqube")
         list(APPEND GCOVR_ADDITIONAL_ARGS --sonarqube "${GCOVR_OUTPUT_FILE}" )
+    elseif(Coverage_FORMAT STREQUAL "jacoco")
+        list(APPEND GCOVR_ADDITIONAL_ARGS --jacoco "${GCOVR_OUTPUT_FILE}" )
+        list(APPEND GCOVR_ADDITIONAL_ARGS --jacoco-pretty )
+    elseif(Coverage_FORMAT STREQUAL "clover")
+        list(APPEND GCOVR_ADDITIONAL_ARGS --clover "${GCOVR_OUTPUT_FILE}" )
+        list(APPEND GCOVR_ADDITIONAL_ARGS --clover-pretty )
+    elseif(Coverage_FORMAT STREQUAL "lcov")
+        list(APPEND GCOVR_ADDITIONAL_ARGS --lcov "${GCOVR_OUTPUT_FILE}" )
     elseif(Coverage_FORMAT STREQUAL "json-summary")
         list(APPEND GCOVR_ADDITIONAL_ARGS --json-summary "${GCOVR_OUTPUT_FILE}" )
         list(APPEND GCOVR_ADDITIONAL_ARGS --json-summary-pretty)
@@ -380,6 +393,7 @@ function(setup_target_for_coverage_gcovr)
         ${GCOVR_PATH}
         --gcov-executable ${GCOV_TOOL}
         --gcov-ignore-parse-errors=negative_hits.warn_once_per_file
+        --gcov-ignore-parse-errors=suspicious_hits.warn_once_per_file
         -r ${BASEDIR}
         ${GCOVR_ADDITIONAL_ARGS}
         ${GCOVR_EXCLUDE_ARGS}

cmake/RippledCore.cmake

@@ -54,6 +54,7 @@ add_library(xrpl.imports.main INTERFACE)
 target_link_libraries(xrpl.imports.main
   INTERFACE
     LibArchive::LibArchive
+    magic_enum::magic_enum
     OpenSSL::Crypto
     Ripple::boost
     wasmedge::wasmedge
@@ -68,6 +69,17 @@ target_link_libraries(xrpl.imports.main
     $<$<BOOL:${voidstar}>:antithesis-sdk-cpp>
 )
 
+# date-tz for enhanced logging (always linked, code is #ifdef guarded)
+if(TARGET date::date-tz)
+  target_link_libraries(xrpl.imports.main INTERFACE date::date-tz)
+endif()
+
+# BEAST_ENHANCED_LOGGING: enable for Debug builds OR when explicitly requested
+# Uses generator expression so it works with multi-config generators (Xcode, VS, Ninja Multi-Config)
+target_compile_definitions(xrpl.imports.main INTERFACE
+  $<$<OR:$<CONFIG:Debug>,$<BOOL:${BEAST_ENHANCED_LOGGING}>>:BEAST_ENHANCED_LOGGING=1>
+)
+
 include(add_module)
 include(target_link_modules)
 

cmake/RippledInterface.cmake

@@ -22,6 +22,9 @@ target_compile_definitions (opts
     $<$<BOOL:${beast_no_unit_test_inline}>:BEAST_NO_UNIT_TEST_INLINE=1>
     $<$<BOOL:${beast_disable_autolink}>:BEAST_DONT_AUTOLINK_TO_WIN32_LIBRARIES=1>
     $<$<BOOL:${single_io_service_thread}>:RIPPLE_SINGLE_IO_SERVICE_THREAD=1>
+    # Enhanced logging is enabled for Debug builds, or explicitly via
+    # -DBEAST_ENHANCED_LOGGING=ON for other build types.
+    $<$<OR:$<CONFIG:Debug>,$<BOOL:${BEAST_ENHANCED_LOGGING}>>:BEAST_ENHANCED_LOGGING=1>
     $<$<BOOL:${voidstar}>:ENABLE_VOIDSTAR>)
 target_compile_options (opts
   INTERFACE

conanfile.py

@@ -29,6 +29,7 @@ class Xrpl(ConanFile):
         'date/3.0.3',
         'grpc/1.50.1',
         'libarchive/3.7.6',
+        'magic_enum/0.9.5',
         'nudb/2.0.8',
         'openssl/3.6.0',
         'soci/4.0.3@xahaud/stable',

hook/error.h

@@ -47,5 +47,8 @@
 #define MEM_OVERLAP -43
 #define TOO_MANY_STATE_MODIFICATIONS -44
 #define TOO_MANY_NAMESPACES -45
+#define EXPORT_FAILURE -46
+#define TOO_MANY_EXPORTED_TXN -47
+#define TOO_LITTLE_ENTROPY -48
 #define HOOK_ERROR_CODES
 #endif //HOOK_ERROR_CODES

hook/extern.h

@@ -2,6 +2,9 @@
 // Generated using generate_extern.sh
 #include <stdint.h>
 #ifndef HOOK_EXTERN
+#ifdef __cplusplus
+extern "C" {
+#endif
 
 extern int32_t __attribute__((noduplicate))
 _g(uint32_t guard_id, uint32_t maxiter);
@@ -336,5 +339,27 @@ prepare(
     uint32_t read_ptr,
     uint32_t read_len);
 
+extern int64_t
+xport_reserve(uint32_t count);
+
+extern int64_t
+xport(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t read_ptr,
+    uint32_t read_len);
+
+extern int64_t
+xport_cancel(uint32_t ticket_seq);
+
+extern int64_t
+dice(uint32_t sides);
+
+extern int64_t
+random(uint32_t write_ptr, uint32_t write_len);
+
+#ifdef __cplusplus
+}
+#endif
 #define HOOK_EXTERN
 #endif  // HOOK_EXTERN

hook/generate_error.sh

@@ -9,7 +9,7 @@ ENUM_FILE="$SCRIPT_DIR/../include/xrpl/hook/Enum.h"
 echo '// For documentation please see: https://xrpl-hooks.readme.io/reference/'
 echo '// Generated using generate_error.sh'
 echo '#ifndef HOOK_ERROR_CODES'
-sed -n '/enum hook_return_code/,/};/p' "$ENUM_FILE" |
+sed -n '/enum class hook_return_code/,/};/p' "$ENUM_FILE" |
     awk '
         function ltrim(s) { sub(/^[[:space:]]+/, "", s); return s }
         function rtrim(s) { sub(/[[:space:]]+$/, "", s); return s }
@@ -31,7 +31,7 @@ sed -n '/enum hook_return_code/,/};/p' "$ENUM_FILE" |
 
         {
             line = $0
-            if (line ~ /enum[[:space:]]+hook_return_code/)
+            if (line ~ /enum[[:space:]]+class[[:space:]]+hook_return_code/)
                 next
             if (line ~ /^[[:space:]]*\{/)
                 next

hook/generate_extern.sh

@@ -11,6 +11,9 @@ APPLY_HOOK="$SCRIPT_DIR/../include/xrpl/hook/hook_api.macro"
     echo '// Generated using generate_extern.sh'
     echo '#include <stdint.h>'
     echo '#ifndef HOOK_EXTERN'
+    echo '#ifdef __cplusplus'
+    echo 'extern "C" {'
+    echo '#endif'
     echo
     awk '
         function trim(s) {
@@ -46,6 +49,9 @@ APPLY_HOOK="$SCRIPT_DIR/../include/xrpl/hook/hook_api.macro"
         }
     ' "$APPLY_HOOK"
 
+    echo '#ifdef __cplusplus'
+    echo '}'
+    echo '#endif'
     echo '#define HOOK_EXTERN'
     echo '#endif  // HOOK_EXTERN'
 } | (

hook/generate_lsflags.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+set -eu
+
+SCRIPT_DIR=$(dirname "$0")
+SCRIPT_DIR=$(cd "$SCRIPT_DIR" && pwd)
+
+RIPPLED_ROOT="$SCRIPT_DIR/../include/xrpl"
+LEDGER_FORMATS="$RIPPLED_ROOT/protocol/LedgerFormats.h"
+
+echo '// Generated using generate_lsflags.sh'
+echo ''
+echo '#ifndef HOOKLSFLAGS_INCLUDED'
+echo '#define HOOKLSFLAGS_INCLUDED 1'
+echo ''
+awk '
+    function ltrim(s) { sub(/^[[:space:]]+/, "", s); return s }
+    function rtrim(s) { sub(/[[:space:]]+$/, "", s); return s }
+    function trim(s) { return rtrim(ltrim(s)) }
+
+    function flush_group() {
+        if (entry_count > 0 && group != "") {
+            printf "enum %s {\n", group
+            for (i = 1; i <= entry_count; i++) {
+                printf "    %s,\n", entries[i]
+            }
+            printf "};\n"
+        }
+        delete entries
+        entry_count = 0
+    }
+
+    /enum LedgerSpecificFlags \{/ { inside = 1; next }
+    inside && /^\};/ { inside = 0; flush_group(); next }
+    !inside { next }
+
+    # Group header comments: // ltFOO or // remarks
+    /^[[:space:]]*\/\/[[:space:]]*(lt[A-Z_]+|remarks)[[:space:]]*$/ {
+        flush_group()
+        line = $0
+        sub(/.*\/\/[[:space:]]*/, "", line)
+        group = trim(line)
+        next
+    }
+
+    # Skip pure comment lines (not group headers)
+    /^[[:space:]]*\/\// { next }
+
+    # Skip blank lines
+    /^[[:space:]]*$/ { next }
+
+    # Accumulate flag lines (handle multi-line values)
+    {
+        line = $0
+        # Strip inline comments
+        sub(/\/\/.*/, "", line)
+        line = trim(line)
+        if (line == "") next
+
+        if (pending != "") {
+            pending = pending " " line
+        } else {
+            pending = line
+        }
+
+        # If line ends with comma, the entry is complete
+        if (pending ~ /,$/) {
+            # Remove trailing comma
+            sub(/,$/, "", pending)
+            entries[++entry_count] = pending
+            pending = ""
+        }
+    }
+
+    BEGIN {
+        inside = 0
+        group = ""
+        pending = ""
+        entry_count = 0
+    }
+' "$LEDGER_FORMATS"
+echo ''
+echo '#endif // HOOKLSFLAGS_INCLUDED'

hook/generate_txflags.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+set -eu
+
+SCRIPT_DIR=$(dirname "$0")
+SCRIPT_DIR=$(cd "$SCRIPT_DIR" && pwd)
+
+RIPPLED_ROOT="$SCRIPT_DIR/../include/xrpl"
+TX_FLAGS="$RIPPLED_ROOT/protocol/TxFlags.h"
+
+echo '// Generated using generate_txflags.sh'
+echo '#include "ls_flags.h"'
+echo '#include <stdint.h>'
+echo ''
+cat "$TX_FLAGS" |
+    awk '
+        /^[[:space:]]*enum / {
+            if (count > 0) print ""
+            inside = 1
+            count++
+        }
+        inside {
+            print
+            if (/};/) inside = 0
+        }
+    '

hook/genesis/build_xahau_h.sh

@@ -0,0 +1,203 @@
+#!/bin/bash
+
+# build_xahau_h.sh
+# Builds genesis hook WASMs and updates xahau.h with hex arrays
+
+set -euo pipefail
+
+# Color codes for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Script directory and path constants
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+XAHAU_H="${SCRIPT_DIR}/../../include/xrpl/hook/xahau.h"
+TEMP_DIR="${SCRIPT_DIR}/.temp"
+
+# Hook file mappings (space-separated: name:file)
+HOOK_FILES=(
+    "GovernanceHook:govern.wasm"
+    "RewardHook:reward.wasm"
+    # "MintHook:mint.wasm"
+)
+
+# Cleanup function
+cleanup() {
+    local exit_code=$?
+    if [ ${exit_code} -eq 0 ] && [ -d "${TEMP_DIR}" ]; then
+        rm -rf "${TEMP_DIR}"
+    elif [ ${exit_code} -ne 0 ]; then
+        echo -e "${RED}Error: Script failed with exit code ${exit_code}${NC}" >&2
+        if [ -d "${TEMP_DIR}" ]; then
+            echo -e "${YELLOW}Temp files preserved at: ${TEMP_DIR}${NC}" >&2
+        fi
+    fi
+    exit ${exit_code}
+}
+
+trap cleanup EXIT INT TERM
+
+# Tool verification
+echo -e "${BLUE}==> Checking required tools...${NC}"
+REQUIRED_TOOLS=("make" "xxd" "sed" "clang-format" "wasm-opt")
+for tool in "${REQUIRED_TOOLS[@]}"; do
+    if ! command -v "${tool}" &> /dev/null; then
+        echo -e "${RED}Error: Required tool '${tool}' not found${NC}" >&2
+        exit 1
+    fi
+    echo -e "${GREEN}    ✓ ${tool}${NC}"
+done
+
+# Verify wasm-opt version is exactly 100
+WASM_OPT_VERSION=$(wasm-opt --version | grep -oE '[0-9]+' | head -1)
+if [ "${WASM_OPT_VERSION}" != "100" ]; then
+    echo -e "${RED}Error: wasm-opt version must be 100, but found ${WASM_OPT_VERSION}${NC}" >&2
+    exit 1
+fi
+echo -e "${GREEN}    ✓ wasm-opt version 100${NC}"
+
+# Verify xahau.h exists
+if [ ! -f "${XAHAU_H}" ]; then
+    echo -e "${RED}Error: xahau.h not found at ${XAHAU_H}${NC}" >&2
+    exit 1
+fi
+
+# Create temp directory
+mkdir -p "${TEMP_DIR}"
+
+# Build all WASM files
+echo -e "${BLUE}==> Building WASM files with 'make all'...${NC}"
+cd "${SCRIPT_DIR}"
+make all
+echo -e "${GREEN}    Build completed successfully${NC}"
+
+# Function to convert WASM to hex array
+wasm_to_hex_array() {
+    local wasm_file="$1"
+    local indent="    "
+
+    if [ ! -f "${wasm_file}" ]; then
+        echo -e "${RED}Error: WASM file not found: ${wasm_file}${NC}" >&2
+        return 1
+    fi
+
+    # Convert to hex with xxd, format with sed
+    xxd -p -u -c 10 "${wasm_file}" | \
+        sed 's/../0x&U,/g' | \
+        sed "s/^/${indent}/g" | \
+        sed '$ s/,$//'
+}
+
+# Function to update hook array in xahau.h
+update_hook_array() {
+    local hook_name="$1"
+    local hex_array="$2"
+    local temp_file="${TEMP_DIR}/xahau.h.tmp"
+
+    echo -e "${BLUE}==> Updating ${hook_name}...${NC}"
+
+    # Check if hook already exists
+    if grep -q "static const std::vector<uint8_t> ${hook_name} = {" "${XAHAU_H}"; then
+        echo -e "${YELLOW}    Replacing existing ${hook_name}${NC}"
+
+        # Use awk to replace the array content
+        awk -v hook="${hook_name}" -v hex="${hex_array}" '
+        BEGIN { in_array=0 }
+        {
+            if ($0 ~ "static const std::vector<uint8_t> " hook " = {") {
+                print $0
+                print hex
+                in_array=1
+                next
+            }
+            if (in_array && $0 ~ /};/) {
+                print "};"
+                in_array=0
+                next
+            }
+            if (!in_array) {
+                print $0
+            }
+        }
+        ' "${XAHAU_H}" > "${temp_file}"
+
+        mv "${temp_file}" "${XAHAU_H}"
+    else
+        echo -e "${YELLOW}    Adding new ${hook_name}${NC}"
+
+        # Find the position before #endif and add the new hook
+        awk -v hook="${hook_name}" -v hex="${hex_array}" '
+        {
+            if ($0 ~ /#endif.*XAHAU_GENESIS_HOOKS/) {
+                print ""
+                print "static const std::vector<uint8_t> " hook " = {"
+                print hex
+                print "};"
+                print ""
+                print $0
+            } else {
+                print $0
+            }
+        }
+        ' "${XAHAU_H}" > "${temp_file}"
+
+        mv "${temp_file}" "${XAHAU_H}"
+    fi
+
+    echo -e "${GREEN}    ✓ ${hook_name} updated${NC}"
+}
+
+# Process each hook
+for hook_entry in "${HOOK_FILES[@]}"; do
+    hook_name="${hook_entry%%:*}"
+    wasm_file="${SCRIPT_DIR}/${hook_entry##*:}"
+
+    echo -e "${BLUE}==> Converting ${wasm_file} to hex array...${NC}"
+    hex_array=$(wasm_to_hex_array "${wasm_file}")
+
+    if [ $? -ne 0 ]; then
+        echo -e "${RED}Error: Failed to convert ${wasm_file}${NC}" >&2
+        exit 1
+    fi
+
+    echo -e "${GREEN}    Conversion successful ($(echo "${hex_array}" | wc -l) lines)${NC}"
+
+    update_hook_array "${hook_name}" "${hex_array}"
+done
+
+# Format with clang-format
+echo -e "${BLUE}==> Formatting with clang-format...${NC}"
+cp "${XAHAU_H}" "${TEMP_DIR}/xahau.h.before_format"
+clang-format -i "${XAHAU_H}"
+echo -e "${GREEN}    Formatting completed${NC}"
+
+# Verification
+echo -e "${BLUE}==> Verifying changes...${NC}"
+for hook_entry in "${HOOK_FILES[@]}"; do
+    hook_name="${hook_entry%%:*}"
+    if grep -q "static const std::vector<uint8_t> ${hook_name} = {" "${XAHAU_H}"; then
+        echo -e "${GREEN}    ✓ ${hook_name} found in xahau.h${NC}"
+    else
+        echo -e "${RED}    ✗ ${hook_name} NOT found in xahau.h${NC}" >&2
+        exit 1
+    fi
+done
+
+# Show summary
+echo ""
+echo -e "${GREEN}========================================${NC}"
+echo -e "${GREEN}Successfully updated xahau.h${NC}"
+echo -e "${GREEN}========================================${NC}"
+echo -e "Updated hooks:"
+for hook_entry in "${HOOK_FILES[@]}"; do
+    hook_name="${hook_entry%%:*}"
+    wasm_file="${SCRIPT_DIR}/${hook_entry##*:}"
+    size=$(wc -c < "${wasm_file}" | tr -d ' ')
+    echo -e "  - ${hook_name}: ${size} bytes"
+done
+echo ""
+echo -e "File location: ${XAHAU_H}"
+echo ""

hook/genesis/headers/error.h

@@ -0,0 +1,46 @@
+// For documentation please see: https://xrpl-hooks.readme.io/reference/
+// Generated using generate_error.sh
+#ifndef HOOK_ERROR_CODES
+#define SUCCESS 0
+#define OUT_OF_BOUNDS -1
+#define INTERNAL_ERROR -2
+#define TOO_BIG -3
+#define TOO_SMALL -4
+#define DOESNT_EXIST -5
+#define NO_FREE_SLOTS -6
+#define INVALID_ARGUMENT -7
+#define ALREADY_SET -8
+#define PREREQUISITE_NOT_MET -9
+#define FEE_TOO_LARGE -10
+#define EMISSION_FAILURE -11
+#define TOO_MANY_NONCES -12
+#define TOO_MANY_EMITTED_TXN -13
+#define NOT_IMPLEMENTED -14
+#define INVALID_ACCOUNT -15
+#define GUARD_VIOLATION -16
+#define INVALID_FIELD -17
+#define PARSE_ERROR -18
+#define RC_ROLLBACK -19
+#define RC_ACCEPT -20
+#define NO_SUCH_KEYLET -21
+#define NOT_AN_ARRAY -22
+#define NOT_AN_OBJECT -23
+#define INVALID_FLOAT -10024
+#define DIVISION_BY_ZERO -25
+#define MANTISSA_OVERSIZED -26
+#define MANTISSA_UNDERSIZED -27
+#define EXPONENT_OVERSIZED -28
+#define EXPONENT_UNDERSIZED -29
+#define OVERFLOW -30
+#define NOT_IOU_AMOUNT -31
+#define NOT_AN_AMOUNT -32
+#define CANT_RETURN_NEGATIVE -33
+#define NOT_AUTHORIZED -34
+#define PREVIOUS_FAILURE_PREVENTS_RETRY -35
+#define TOO_MANY_PARAMS -36
+#define INVALID_TXN -37
+#define RESERVE_INSUFFICIENT -38
+#define COMPLEX_NOT_SUPPORTED -39
+#define DOES_NOT_MATCH -40
+#define HOOK_ERROR_CODES
+#endif //HOOK_ERROR_CODES

hook/genesis/headers/extern.h

@@ -0,0 +1,352 @@
+// For documentation please see: https://xrpl-hooks.readme.io/reference/
+// Generated using generate_extern.sh
+#include <stdint.h>
+#ifndef HOOK_EXTERN
+
+extern int32_t __attribute__((noduplicate))
+_g(uint32_t guard_id, uint32_t maxiter);
+
+extern int64_t
+accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+
+extern int64_t
+emit(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t read_ptr,
+    uint32_t read_len);
+
+extern int64_t
+etxn_burden(void);
+
+extern int64_t
+etxn_details(uint32_t write_ptr, uint32_t write_len);
+
+extern int64_t
+etxn_fee_base(uint32_t read_ptr, uint32_t read_len);
+
+extern int64_t
+etxn_generation(void);
+
+extern int64_t
+etxn_nonce(uint32_t write_ptr, uint32_t write_len);
+
+extern int64_t
+etxn_reserve(uint32_t count);
+
+extern int64_t
+fee_base(void);
+
+extern int64_t
+float_compare(int64_t float1, int64_t float2, uint32_t mode);
+
+extern int64_t
+float_divide(int64_t float1, int64_t float2);
+
+extern int64_t
+float_exponent(int64_t float1);
+
+extern int64_t
+float_exponent_set(int64_t float1, int32_t exponent);
+
+extern int64_t
+float_int(int64_t float1, uint32_t decimal_places, uint32_t abs);
+
+extern int64_t
+float_invert(int64_t float1);
+
+extern int64_t
+float_log(int64_t float1);
+
+extern int64_t
+float_mantissa(int64_t float1);
+
+extern int64_t
+float_mantissa_set(int64_t float1, int64_t mantissa);
+
+extern int64_t
+float_mulratio(
+    int64_t float1,
+    uint32_t round_up,
+    uint32_t numerator,
+    uint32_t denominator);
+
+extern int64_t
+float_multiply(int64_t float1, int64_t float2);
+
+extern int64_t
+float_negate(int64_t float1);
+
+extern int64_t
+float_one(void);
+
+extern int64_t
+float_root(int64_t float1, uint32_t n);
+
+extern int64_t
+float_set(int32_t exponent, int64_t mantissa);
+
+extern int64_t
+float_sign(int64_t float1);
+
+extern int64_t
+float_sign_set(int64_t float1, uint32_t negative);
+
+extern int64_t
+float_sto(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t cread_ptr,
+    uint32_t cread_len,
+    uint32_t iread_ptr,
+    uint32_t iread_len,
+    int64_t float1,
+    uint32_t field_code);
+
+extern int64_t
+float_sto_set(uint32_t read_ptr, uint32_t read_len);
+
+extern int64_t
+float_sum(int64_t float1, int64_t float2);
+
+extern int64_t
+hook_account(uint32_t write_ptr, uint32_t write_len);
+
+extern int64_t
+hook_again(void);
+
+extern int64_t
+hook_hash(uint32_t write_ptr, uint32_t write_len, int32_t hook_no);
+
+extern int64_t
+hook_param(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t read_ptr,
+    uint32_t read_len);
+
+extern int64_t
+otxn_param(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t read_ptr,
+    uint32_t read_len);
+
+extern int64_t
+hook_param_set(
+    uint32_t read_ptr,
+    uint32_t read_len,
+    uint32_t kread_ptr,
+    uint32_t kread_len,
+    uint32_t hread_ptr,
+    uint32_t hread_len);
+
+extern int64_t
+hook_pos(void);
+
+extern int64_t
+hook_skip(uint32_t read_ptr, uint32_t read_len, uint32_t flags);
+
+extern int64_t
+ledger_keylet(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t lread_ptr,
+    uint32_t lread_len,
+    uint32_t hread_ptr,
+    uint32_t hread_len);
+
+extern int64_t
+ledger_last_hash(uint32_t write_ptr, uint32_t write_len);
+
+extern int64_t
+ledger_last_time(void);
+
+extern int64_t
+ledger_nonce(uint32_t write_ptr, uint32_t write_len);
+
+extern int64_t
+ledger_seq(void);
+
+extern int64_t
+meta_slot(uint32_t slot_no);
+
+extern int64_t
+otxn_burden(void);
+
+extern int64_t
+otxn_field(uint32_t write_ptr, uint32_t write_len, uint32_t field_id);
+
+extern int64_t
+otxn_field_txt(uint32_t write_ptr, uint32_t write_len, uint32_t field_id);
+
+extern int64_t
+otxn_generation(void);
+
+extern int64_t
+otxn_id(uint32_t write_ptr, uint32_t write_len, uint32_t flags);
+
+extern int64_t
+otxn_slot(uint32_t slot_no);
+
+extern int64_t
+otxn_type(void);
+
+extern int64_t
+rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+
+extern int64_t
+slot(uint32_t write_ptr, uint32_t write_len, uint32_t slot);
+
+extern int64_t
+slot_clear(uint32_t slot);
+
+extern int64_t
+slot_count(uint32_t slot);
+
+extern int64_t
+slot_float(uint32_t slot_no);
+
+extern int64_t
+slot_id(uint32_t write_ptr, uint32_t write_len, uint32_t slot);
+
+extern int64_t
+slot_set(uint32_t read_ptr, uint32_t read_len, uint32_t slot);
+
+extern int64_t
+slot_size(uint32_t slot);
+
+extern int64_t
+slot_subarray(uint32_t parent_slot, uint32_t array_id, uint32_t new_slot);
+
+extern int64_t
+slot_subfield(uint32_t parent_slot, uint32_t field_id, uint32_t new_slot);
+
+extern int64_t
+slot_type(uint32_t slot_no, uint32_t flags);
+
+extern int64_t
+state(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t kread_ptr,
+    uint32_t kread_len);
+
+extern int64_t
+state_foreign(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t kread_ptr,
+    uint32_t kread_len,
+    uint32_t nread_ptr,
+    uint32_t nread_len,
+    uint32_t aread_ptr,
+    uint32_t aread_len);
+
+extern int64_t
+state_foreign_set(
+    uint32_t read_ptr,
+    uint32_t read_len,
+    uint32_t kread_ptr,
+    uint32_t kread_len,
+    uint32_t nread_ptr,
+    uint32_t nread_len,
+    uint32_t aread_ptr,
+    uint32_t aread_len);
+
+extern int64_t
+state_set(
+    uint32_t read_ptr,
+    uint32_t read_len,
+    uint32_t kread_ptr,
+    uint32_t kread_len);
+
+extern int64_t
+sto_emplace(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t sread_ptr,
+    uint32_t sread_len,
+    uint32_t fread_ptr,
+    uint32_t fread_len,
+    uint32_t field_id);
+
+extern int64_t
+sto_erase(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t read_ptr,
+    uint32_t read_len,
+    uint32_t field_id);
+
+extern int64_t
+sto_subarray(uint32_t read_ptr, uint32_t read_len, uint32_t array_id);
+
+extern int64_t
+sto_subfield(uint32_t read_ptr, uint32_t read_len, uint32_t field_id);
+
+extern int64_t
+sto_validate(uint32_t tread_ptr, uint32_t tread_len);
+
+extern int64_t
+trace(
+    uint32_t mread_ptr,
+    uint32_t mread_len,
+    uint32_t dread_ptr,
+    uint32_t dread_len,
+    uint32_t as_hex);
+
+extern int64_t
+trace_float(uint32_t read_ptr, uint32_t read_len, int64_t float1);
+
+extern int64_t
+trace_num(uint32_t read_ptr, uint32_t read_len, int64_t number);
+
+extern int64_t
+trace_slot(uint32_t read_ptr, uint32_t read_len, uint32_t slot);
+
+extern int64_t
+util_accid(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t read_ptr,
+    uint32_t read_len);
+
+extern int64_t
+util_keylet(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t keylet_type,
+    uint32_t a,
+    uint32_t b,
+    uint32_t c,
+    uint32_t d,
+    uint32_t e,
+    uint32_t f);
+
+extern int64_t
+util_raddr(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t read_ptr,
+    uint32_t read_len);
+
+extern int64_t
+util_sha512h(
+    uint32_t write_ptr,
+    uint32_t write_len,
+    uint32_t read_ptr,
+    uint32_t read_len);
+
+extern int64_t
+util_verify(
+    uint32_t dread_ptr,
+    uint32_t dread_len,
+    uint32_t sread_ptr,
+    uint32_t sread_len,
+    uint32_t kread_ptr,
+    uint32_t kread_len);
+
+extern int64_t xpop_slot(uint32_t, uint32_t);
+#define HOOK_EXTERN
+#endif  // HOOK_EXTERN

hook/genesis/headers/hookapi.h

@@ -0,0 +1,50 @@
+/**
+ * Hook API include file
+ *
+ * Note to the reader:
+ * This include defines two types of things: external functions and macros
+ * Functions are used sparingly because a non-inlining compiler may produce
+ * undesirable output.
+ *
+ * Find documentation here: https://xrpl-hooks.readme.io/reference/
+ */
+
+#ifndef HOOKAPI_INCLUDED
+#define HOOKAPI_INCLUDED 1
+
+#define KEYLET_HOOK 1
+#define KEYLET_HOOK_STATE 2
+#define KEYLET_ACCOUNT 3
+#define KEYLET_AMENDMENTS 4
+#define KEYLET_CHILD 5
+#define KEYLET_SKIP 6
+#define KEYLET_FEES 7
+#define KEYLET_NEGATIVE_UNL 8
+#define KEYLET_LINE 9
+#define KEYLET_OFFER 10
+#define KEYLET_QUALITY 11
+#define KEYLET_EMITTED_DIR 12
+#define KEYLET_TICKET 13
+#define KEYLET_SIGNERS 14
+#define KEYLET_CHECK 15
+#define KEYLET_DEPOSIT_PREAUTH 16
+#define KEYLET_UNCHECKED 17
+#define KEYLET_OWNER_DIR 18
+#define KEYLET_PAGE 19
+#define KEYLET_ESCROW 20
+#define KEYLET_PAYCHAN 21
+#define KEYLET_EMITTED 22
+#define KEYLET_NFT_OFFER 23
+#define KEYLET_HOOK_DEFINITION 24
+
+#define COMPARE_EQUAL 1U
+#define COMPARE_LESS 2U
+#define COMPARE_GREATER 4U
+
+#include "error.h"
+#include "extern.h"
+#include "sfcodes.h"
+#include "macro.h"
+#include "types.h"
+
+#endif

hook/genesis/headers/macro.h

@@ -0,0 +1,668 @@
+/**
+ * These are helper macros for writing hooks, all of them are optional as is including hookmacro.h at all
+ */
+
+#include <stdint.h>
+#include "hookapi.h"
+#include "sfcodes.h"
+
+#ifndef HOOKMACROS_INCLUDED
+#define HOOKMACROS_INCLUDED 1
+
+
+#ifdef NDEBUG
+#define DEBUG 0
+#else
+#define DEBUG 1
+#endif
+
+#define TRACEVAR(v) if (DEBUG) trace_num((uint32_t)(#v), (uint32_t)(sizeof(#v) - 1), (int64_t)v);
+#define TRACEHEX(v) if (DEBUG) trace((uint32_t)(#v), (uint32_t)(sizeof(#v) - 1), (uint32_t)(v), (uint32_t)(sizeof(v)), 1);
+#define TRACEXFL(v) if (DEBUG) trace_float((uint32_t)(#v), (uint32_t)(sizeof(#v) - 1), (int64_t)v);
+#define TRACESTR(v) if (DEBUG) trace((uint32_t)(#v), (uint32_t)(sizeof(#v) - 1), (uint32_t)(v), sizeof(v), 0);
+
+// hook developers should use this guard macro, simply GUARD(<maximum iterations>)
+#define GUARD(maxiter) _g((1ULL << 31U) + __LINE__, (maxiter)+1)
+#define GUARDM(maxiter, n) _g(( (1ULL << 31U) + (__LINE__ << 16) + n), (maxiter)+1)
+
+#define SBUF(str) (uint32_t)(str), sizeof(str)
+
+#define REQUIRE(cond, str)\
+{\
+    if (!(cond))\
+        rollback(SBUF(str), __LINE__);\
+}
+
+// make a report buffer as a c-string
+// provide a name for a buffer to declare (buf)
+// provide a static string
+// provide an integer to print after the string
+#define RBUF(buf, out_len, str, num)\
+unsigned char buf[sizeof(str) + 21];\
+int out_len = 0;\
+{\
+    int i = 0;\
+    for (; GUARDM(sizeof(str),1),i < sizeof(str); ++i)\
+        (buf)[i] = str[i];\
+    if ((buf)[sizeof(str)-1] == 0) i--;\
+    if ((num) < 0) (buf)[i++] = '-';\
+    uint64_t unsigned_num = (uint64_t)( (num) < 0 ? (num) * -1 : (num) );\
+    uint64_t j = 10000000000000000000ULL;\
+    int start = 1;\
+    for (; GUARDM(20,2), unsigned_num > 0 && j > 0; j /= 10)\
+    {\
+        unsigned char digit = ( unsigned_num / j ) % 10;\
+        if (digit == 0 && start)\
+            continue;\
+        start = 0;\
+        (buf)[i++] = '0' + digit;\
+    }\
+    (buf)[i] = '\0';\
+    out_len = i;\
+}
+
+#define RBUF2(buff, out_len, str, num, str2, num2)\
+unsigned char buff[sizeof(str) + sizeof(str2) + 42];\
+int out_len = 0;\
+{\
+    unsigned char* buf = buff;\
+    int i = 0;\
+    for (; GUARDM(sizeof(str),1),i < sizeof(str); ++i)\
+        (buf)[i] = str[i];\
+    if ((buf)[sizeof(str)-1] == 0) i--;\
+    if ((num) < 0) (buf)[i++] = '-';\
+    uint64_t unsigned_num = (uint64_t)( (num) < 0 ? (num) * -1 : (num) );\
+    uint64_t j = 10000000000000000000ULL;\
+    int start = 1;\
+    for (; GUARDM(20,2), unsigned_num > 0 && j > 0; j /= 10)\
+    {\
+        unsigned char digit = ( unsigned_num / j ) % 10;\
+        if (digit == 0 && start)\
+            continue;\
+        start = 0;\
+        (buf)[i++] = '0' + digit;\
+    }\
+    buf += i;\
+    out_len += i;\
+    i = 0;\
+    for (; GUARDM(sizeof(str2),3),i < sizeof(str2); ++i)\
+        (buf)[i] = str2[i];\
+    if ((buf)[sizeof(str2)-1] == 0) i--;\
+    if ((num2) < 0) (buf)[i++] = '-';\
+    unsigned_num = (uint64_t)( (num2) < 0 ? (num2) * -1 : (num2) );\
+    j = 10000000000000000000ULL;\
+    start = 1;\
+    for (; GUARDM(20,4), unsigned_num > 0 && j > 0; j /= 10)\
+    {\
+        unsigned char digit = ( unsigned_num / j ) % 10;\
+        if (digit == 0 && start)\
+            continue;\
+        start = 0;\
+        (buf)[i++] = '0' + digit;\
+    }\
+    (buf)[i] = '\0';\
+    out_len += i;\
+}
+
+#define CLEARBUF(b)\
+{\
+    for (int x = 0; GUARD(sizeof(b)), x < sizeof(b); ++x)\
+        b[x] = 0;\
+}
+
+// returns an in64_t, negative if error, non-negative if valid drops
+#define AMOUNT_TO_DROPS(amount_buffer)\
+     (((amount_buffer)[0] >> 7) ? -2 : (\
+     ((((uint64_t)((amount_buffer)[0])) & 0xb00111111) << 56) +\
+      (((uint64_t)((amount_buffer)[1])) << 48) +\
+      (((uint64_t)((amount_buffer)[2])) << 40) +\
+      (((uint64_t)((amount_buffer)[3])) << 32) +\
+      (((uint64_t)((amount_buffer)[4])) << 24) +\
+      (((uint64_t)((amount_buffer)[5])) << 16) +\
+      (((uint64_t)((amount_buffer)[6])) <<  8) +\
+      (((uint64_t)((amount_buffer)[7])))))
+
+#define SUB_OFFSET(x) ((int32_t)(x >> 32))
+#define SUB_LENGTH(x) ((int32_t)(x & 0xFFFFFFFFULL))
+
+#define BUFFER_EQUAL_20(buf1, buf2)\
+    (\
+        *(((uint64_t*)(buf1)) + 0) == *(((uint64_t*)(buf2)) + 0) &&\
+        *(((uint64_t*)(buf1)) + 1) == *(((uint64_t*)(buf2)) + 1) &&\
+        *(((uint32_t*)(buf1)) + 4) == *(((uint32_t*)(buf2)) + 4))
+
+#define BUFFER_EQUAL_32(buf1, buf2)\
+    (\
+        *(((uint64_t*)(buf1)) + 0) == *(((uint64_t*)(buf2)) + 0) &&\
+        *(((uint64_t*)(buf1)) + 1) == *(((uint64_t*)(buf2)) + 1) &&\
+        *(((uint64_t*)(buf1)) + 2) == *(((uint64_t*)(buf2)) + 2) &&\
+        *(((uint64_t*)(buf1)) + 3) == *(((uint64_t*)(buf2)) + 3))
+
+
+// when using this macro buf1len may be dynamic but buf2len must be static
+// provide n >= 1 to indicate how many times the macro will be hit on the line of code
+// e.g. if it is in a loop that loops 10 times n = 10
+
+#define BUFFER_EQUAL_GUARD(output, buf1, buf1len, buf2, buf2len, n)\
+{\
+    output = ((buf1len) == (buf2len) ? 1 : 0);\
+    for (int x = 0; GUARDM( (buf2len) * (n), 1 ), output && x < (buf2len);\
+         ++x)\
+        output = *(((uint8_t*)(buf1)) + x) == *(((uint8_t*)(buf2)) + x);\
+}
+
+#define BUFFER_SWAP(x,y)\
+{\
+    uint8_t* z = x;\
+    x = y;\
+    y = z;\
+}
+
+#define ACCOUNT_COMPARE(compare_result, buf1, buf2)\
+{\
+    compare_result = 0;\
+    for (int i = 0; GUARD(20), i < 20; ++i)\
+    {\
+        if (buf1[i] > buf2[i])\
+        {\
+            compare_result = 1;\
+            break;\
+        }\
+        else if (buf1[i] < buf2[i])\
+        {\
+            compare_result = -1;\
+            break;\
+        }\
+    }\
+}
+
+#define BUFFER_EQUAL_STR_GUARD(output, buf1, buf1len, str, n)\
+    BUFFER_EQUAL_GUARD(output, buf1, buf1len, str, (sizeof(str)-1), n)
+
+#define BUFFER_EQUAL_STR(output, buf1, buf1len, str)\
+    BUFFER_EQUAL_GUARD(output, buf1, buf1len, str, (sizeof(str)-1), 1)
+
+#define BUFFER_EQUAL(output, buf1, buf2, compare_len)\
+    BUFFER_EQUAL_GUARD(output, buf1, compare_len, buf2, compare_len, 1)
+
+#define UINT16_TO_BUF(buf_raw, i)\
+{\
+    unsigned char* buf = (unsigned char*)buf_raw;\
+    buf[0] = (((uint64_t)i) >> 8) & 0xFFUL;\
+    buf[1] = (((uint64_t)i) >> 0) & 0xFFUL;\
+}
+
+#define UINT16_FROM_BUF(buf)\
+    (((uint64_t)((buf)[0]) <<  8) +\
+     ((uint64_t)((buf)[1]) <<  0))
+
+#define UINT32_TO_BUF(buf_raw, i)\
+{\
+    unsigned char* buf = (unsigned char*)buf_raw;\
+    buf[0] = (((uint64_t)i) >> 24) & 0xFFUL;\
+    buf[1] = (((uint64_t)i) >> 16) & 0xFFUL;\
+    buf[2] = (((uint64_t)i) >>  8) & 0xFFUL;\
+    buf[3] = (((uint64_t)i) >>  0) & 0xFFUL;\
+}
+
+
+#define UINT32_FROM_BUF(buf)\
+    (((uint64_t)((buf)[0]) << 24) +\
+     ((uint64_t)((buf)[1]) << 16) +\
+     ((uint64_t)((buf)[2]) <<  8) +\
+     ((uint64_t)((buf)[3]) <<  0))
+
+#define UINT64_TO_BUF(buf_raw, i)\
+{\
+    unsigned char* buf = (unsigned char*)buf_raw;\
+    buf[0] = (((uint64_t)i) >> 56) & 0xFFUL;\
+    buf[1] = (((uint64_t)i) >> 48) & 0xFFUL;\
+    buf[2] = (((uint64_t)i) >> 40) & 0xFFUL;\
+    buf[3] = (((uint64_t)i) >> 32) & 0xFFUL;\
+    buf[4] = (((uint64_t)i) >> 24) & 0xFFUL;\
+    buf[5] = (((uint64_t)i) >> 16) & 0xFFUL;\
+    buf[6] = (((uint64_t)i) >>  8) & 0xFFUL;\
+    buf[7] = (((uint64_t)i) >>  0) & 0xFFUL;\
+}
+
+
+#define UINT64_FROM_BUF(buf)\
+    (((uint64_t)((buf)[0]) << 56) +\
+     ((uint64_t)((buf)[1]) << 48) +\
+     ((uint64_t)((buf)[2]) << 40) +\
+     ((uint64_t)((buf)[3]) << 32) +\
+     ((uint64_t)((buf)[4]) << 24) +\
+     ((uint64_t)((buf)[5]) << 16) +\
+     ((uint64_t)((buf)[6]) <<  8) +\
+     ((uint64_t)((buf)[7]) <<  0))
+
+
+#define INT64_FROM_BUF(buf)\
+   ((((uint64_t)((buf)[0] & 0x7FU) << 56) +\
+     ((uint64_t)((buf)[1]) << 48) +\
+     ((uint64_t)((buf)[2]) << 40) +\
+     ((uint64_t)((buf)[3]) << 32) +\
+     ((uint64_t)((buf)[4]) << 24) +\
+     ((uint64_t)((buf)[5]) << 16) +\
+     ((uint64_t)((buf)[6]) <<  8) +\
+     ((uint64_t)((buf)[7]) <<  0)) * (buf[0] & 0x80U ? -1 : 1))
+
+#define INT64_TO_BUF(buf_raw, i)\
+{\
+    unsigned char* buf = (unsigned char*)buf_raw;\
+    buf[0] = (((uint64_t)i) >> 56) & 0x7FUL;\
+    buf[1] = (((uint64_t)i) >> 48) & 0xFFUL;\
+    buf[2] = (((uint64_t)i) >> 40) & 0xFFUL;\
+    buf[3] = (((uint64_t)i) >> 32) & 0xFFUL;\
+    buf[4] = (((uint64_t)i) >> 24) & 0xFFUL;\
+    buf[5] = (((uint64_t)i) >> 16) & 0xFFUL;\
+    buf[6] = (((uint64_t)i) >>  8) & 0xFFUL;\
+    buf[7] = (((uint64_t)i) >>  0) & 0xFFUL;\
+    if (i < 0) buf[0] |= 0x80U;\
+}
+
+#define ttPAYMENT 0
+#define ttESCROW_CREATE 1
+#define ttESCROW_FINISH 2
+#define ttACCOUNT_SET 3
+#define ttESCROW_CANCEL 4
+#define ttREGULAR_KEY_SET 5
+#define ttOFFER_CREATE 7
+#define ttOFFER_CANCEL 8
+#define ttTICKET_CREATE 10
+#define ttSIGNER_LIST_SET 12
+#define ttPAYCHAN_CREATE 13
+#define ttPAYCHAN_FUND 14
+#define ttPAYCHAN_CLAIM 15
+#define ttCHECK_CREATE 16
+#define ttCHECK_CASH 17
+#define ttCHECK_CANCEL 18
+#define ttDEPOSIT_PREAUTH 19
+#define ttTRUST_SET 20
+#define ttACCOUNT_DELETE 21
+#define ttHOOK_SET 22
+#define ttNFTOKEN_MINT 25
+#define ttNFTOKEN_BURN 26
+#define ttNFTOKEN_CREATE_OFFER 27
+#define ttNFTOKEN_CANCEL_OFFER 28
+#define ttNFTOKEN_ACCEPT_OFFER 29
+#define ttURITOKEN_MINT 45
+#define ttURITOKEN_BURN 46
+#define ttURITOKEN_BUY 47
+#define ttURITOKEN_CREATE_SELL_OFFER 48
+#define ttURITOKEN_CANCEL_SELL_OFFER 49
+#define ttCLAIM_REWARD 98
+#define ttINVOKE 99
+#define ttAMENDMENT 100
+#define ttFEE 101
+#define ttUNL_MODIFY 102
+#define ttEMIT_FAILURE 103
+#define tfCANONICAL 0x80000000UL
+
+#define atACCOUNT 1U
+#define atOWNER 2U
+#define atDESTINATION 3U
+#define atISSUER 4U
+#define atAUTHORIZE 5U
+#define atUNAUTHORIZE 6U
+#define atTARGET 7U
+#define atREGULARKEY 8U
+#define atPSEUDOCALLBACK 9U
+
+#define amAMOUNT 1U
+#define amBALANCE 2U
+#define amLIMITAMOUNT 3U
+#define amTAKERPAYS 4U
+#define amTAKERGETS 5U
+#define amLOWLIMIT 6U
+#define amHIGHLIMIT 7U
+#define amFEE 8U
+#define amSENDMAX 9U
+#define amDELIVERMIN 10U
+#define amMINIMUMOFFER 16U
+#define amRIPPLEESCROW 17U
+#define amDELIVEREDAMOUNT 18U
+
+/**
+ * RH NOTE -- PAY ATTENTION
+ *
+ * ALL 'ENCODE' MACROS INCREMENT BUF_OUT
+ * THIS IS TO MAKE CHAINING EASY
+ * BUF_OUT IS A SACRIFICIAL POINTER
+ *
+ * 'ENCODE' MACROS WITH CONSTANTS HAVE
+ * ALIASING TO ASSIST YOU WITH ORDER
+ * _TYPECODE_FIELDCODE_ENCODE_MACRO
+ * TO PRODUCE A SERIALIZED OBJECT
+ * IN CANONICAL FORMAT YOU MUST ORDER
+ * FIRST BY TYPE CODE THEN BY FIELD CODE
+ *
+ * ALL 'PREPARE' MACROS PRESERVE POINTERS
+ *
+ **/
+
+
+#define ENCODE_TL_SIZE 49
+#define ENCODE_TL(buf_out, tlamt, amount_type)\
+{\
+        uint8_t uat = amount_type; \
+        buf_out[0] = 0x60U +(uat & 0x0FU ); \
+        for (int i = 1; GUARDM(48, 1), i < 49; ++i)\
+            buf_out[i] = tlamt[i-1];\
+        buf_out += ENCODE_TL_SIZE;\
+}
+#define _06_XX_ENCODE_TL(buf_out, drops, amount_type )\
+    ENCODE_TL(buf_out, drops, amount_type );
+#define ENCODE_TL_AMOUNT(buf_out, drops )\
+    ENCODE_TL(buf_out, drops, amAMOUNT );
+#define _06_01_ENCODE_TL_AMOUNT(buf_out, drops )\
+    ENCODE_TL_AMOUNT(buf_out, drops );
+
+
+// Encode drops to serialization format
+// consumes 9 bytes
+#define ENCODE_DROPS_SIZE 9
+#define ENCODE_DROPS(buf_out, drops, amount_type ) \
+    {\
+        uint8_t uat = amount_type; \
+        uint64_t udrops = drops; \
+        buf_out[0] = 0x60U +(uat & 0x0FU ); \
+        buf_out[1] = 0b01000000 + (( udrops >> 56 ) & 0b00111111 ); \
+        buf_out[2] = (udrops >> 48) & 0xFFU; \
+        buf_out[3] = (udrops >> 40) & 0xFFU; \
+        buf_out[4] = (udrops >> 32) & 0xFFU; \
+        buf_out[5] = (udrops >> 24) & 0xFFU; \
+        buf_out[6] = (udrops >> 16) & 0xFFU; \
+        buf_out[7] = (udrops >>  8) & 0xFFU; \
+        buf_out[8] = (udrops >>  0) & 0xFFU; \
+        buf_out += ENCODE_DROPS_SIZE; \
+    }
+
+#define _06_XX_ENCODE_DROPS(buf_out, drops, amount_type )\
+    ENCODE_DROPS(buf_out, drops, amount_type );
+
+#define ENCODE_DROPS_AMOUNT(buf_out, drops )\
+    ENCODE_DROPS(buf_out, drops, amAMOUNT );
+#define _06_01_ENCODE_DROPS_AMOUNT(buf_out, drops )\
+    ENCODE_DROPS_AMOUNT(buf_out, drops );
+
+#define ENCODE_DROPS_FEE(buf_out, drops )\
+    ENCODE_DROPS(buf_out, drops, amFEE );
+#define _06_08_ENCODE_DROPS_FEE(buf_out, drops )\
+    ENCODE_DROPS_FEE(buf_out, drops );
+
+#define ENCODE_TT_SIZE 3
+#define ENCODE_TT(buf_out, tt )\
+    {\
+        uint8_t utt = tt;\
+        buf_out[0] = 0x12U;\
+        buf_out[1] =(utt >> 8 ) & 0xFFU;\
+        buf_out[2] =(utt >> 0 ) & 0xFFU;\
+        buf_out += ENCODE_TT_SIZE; \
+    }
+#define _01_02_ENCODE_TT(buf_out, tt)\
+    ENCODE_TT(buf_out, tt);
+
+
+#define ENCODE_ACCOUNT_SIZE 22
+#define ENCODE_ACCOUNT(buf_out, account_id, account_type)\
+    {\
+        uint8_t uat = account_type;\
+        buf_out[0] = 0x80U + uat;\
+        buf_out[1] = 0x14U;\
+        *(uint64_t*)(buf_out +  2) = *(uint64_t*)(account_id +  0);\
+        *(uint64_t*)(buf_out + 10) = *(uint64_t*)(account_id +  8);\
+        *(uint32_t*)(buf_out + 18) = *(uint32_t*)(account_id + 16);\
+        buf_out += ENCODE_ACCOUNT_SIZE;\
+    }
+#define _08_XX_ENCODE_ACCOUNT(buf_out, account_id, account_type)\
+    ENCODE_ACCOUNT(buf_out, account_id, account_type);
+
+#define ENCODE_ACCOUNT_SRC_SIZE 22
+#define ENCODE_ACCOUNT_SRC(buf_out, account_id)\
+    ENCODE_ACCOUNT(buf_out, account_id, atACCOUNT);
+#define _08_01_ENCODE_ACCOUNT_SRC(buf_out, account_id)\
+    ENCODE_ACCOUNT_SRC(buf_out, account_id);
+
+#define ENCODE_ACCOUNT_DST_SIZE 22
+#define ENCODE_ACCOUNT_DST(buf_out, account_id)\
+    ENCODE_ACCOUNT(buf_out, account_id, atDESTINATION);
+#define _08_03_ENCODE_ACCOUNT_DST(buf_out, account_id)\
+    ENCODE_ACCOUNT_DST(buf_out, account_id);
+
+#define ENCODE_ACCOUNT_OWNER_SIZE 22
+#define ENCODE_ACCOUNT_OWNER(buf_out, account_id) \
+    ENCODE_ACCOUNT(buf_out, account_id, atOWNER);
+#define _08_02_ENCODE_ACCOUNT_OWNER(buf_out, account_id) \
+    ENCODE_ACCOUNT_OWNER(buf_out, account_id);
+
+#define ENCODE_UINT32_COMMON_SIZE 5U
+#define ENCODE_UINT32_COMMON(buf_out, i, field)\
+    {\
+        uint32_t ui = i; \
+        uint8_t uf = field; \
+        buf_out[0] = 0x20U +(uf & 0x0FU); \
+        buf_out[1] =(ui >> 24 ) & 0xFFU; \
+        buf_out[2] =(ui >> 16 ) & 0xFFU; \
+        buf_out[3] =(ui >>  8 ) & 0xFFU; \
+        buf_out[4] =(ui >>  0 ) & 0xFFU; \
+        buf_out += ENCODE_UINT32_COMMON_SIZE; \
+    }
+#define _02_XX_ENCODE_UINT32_COMMON(buf_out, i, field)\
+    ENCODE_UINT32_COMMON(buf_out, i, field)\
+
+#define ENCODE_UINT32_UNCOMMON_SIZE 6U
+#define ENCODE_UINT32_UNCOMMON(buf_out, i, field)\
+    {\
+        uint32_t ui = i; \
+        uint8_t uf = field; \
+        buf_out[0] = 0x20U; \
+        buf_out[1] = uf; \
+        buf_out[2] =(ui >> 24 ) & 0xFFU; \
+        buf_out[3] =(ui >> 16 ) & 0xFFU; \
+        buf_out[4] =(ui >>  8 ) & 0xFFU; \
+        buf_out[5] =(ui >>  0 ) & 0xFFU; \
+        buf_out += ENCODE_UINT32_UNCOMMON_SIZE; \
+    }
+#define _02_XX_ENCODE_UINT32_UNCOMMON(buf_out, i, field)\
+    ENCODE_UINT32_UNCOMMON(buf_out, i, field)\
+
+#define ENCODE_LLS_SIZE 6U
+#define ENCODE_LLS(buf_out, lls )\
+    ENCODE_UINT32_UNCOMMON(buf_out, lls, 0x1B );
+#define _02_27_ENCODE_LLS(buf_out, lls )\
+    ENCODE_LLS(buf_out, lls );
+
+#define ENCODE_FLS_SIZE 6U
+#define ENCODE_FLS(buf_out, fls )\
+    ENCODE_UINT32_UNCOMMON(buf_out, fls, 0x1A );
+#define _02_26_ENCODE_FLS(buf_out, fls )\
+    ENCODE_FLS(buf_out, fls );
+
+#define ENCODE_TAG_SRC_SIZE 5
+#define ENCODE_TAG_SRC(buf_out, tag )\
+    ENCODE_UINT32_COMMON(buf_out, tag, 0x3U );
+#define _02_03_ENCODE_TAG_SRC(buf_out, tag )\
+    ENCODE_TAG_SRC(buf_out, tag );
+
+#define ENCODE_TAG_DST_SIZE 5
+#define ENCODE_TAG_DST(buf_out, tag )\
+    ENCODE_UINT32_COMMON(buf_out, tag, 0xEU );
+#define _02_14_ENCODE_TAG_DST(buf_out, tag )\
+    ENCODE_TAG_DST(buf_out, tag );
+
+#define ENCODE_SEQUENCE_SIZE 5
+#define ENCODE_SEQUENCE(buf_out, sequence )\
+    ENCODE_UINT32_COMMON(buf_out, sequence, 0x4U );
+#define _02_04_ENCODE_SEQUENCE(buf_out, sequence )\
+    ENCODE_SEQUENCE(buf_out, sequence );
+
+#define ENCODE_FLAGS_SIZE 5
+#define ENCODE_FLAGS(buf_out, tag )\
+    ENCODE_UINT32_COMMON(buf_out, tag, 0x2U );
+#define _02_02_ENCODE_FLAGS(buf_out, tag )\
+    ENCODE_FLAGS(buf_out, tag );
+
+#define ENCODE_SIGNING_PUBKEY_SIZE 35
+#define ENCODE_SIGNING_PUBKEY(buf_out, pkey )\
+    {\
+        buf_out[0] = 0x73U;\
+        buf_out[1] = 0x21U;\
+        *(uint64_t*)(buf_out +  2) = *(uint64_t*)(pkey +  0);\
+        *(uint64_t*)(buf_out + 10) = *(uint64_t*)(pkey +  8);\
+        *(uint64_t*)(buf_out + 18) = *(uint64_t*)(pkey + 16);\
+        *(uint64_t*)(buf_out + 26) = *(uint64_t*)(pkey + 24);\
+        buf[34] = pkey[32];\
+        buf_out += ENCODE_SIGNING_PUBKEY_SIZE;\
+    }
+
+#define _07_03_ENCODE_SIGNING_PUBKEY(buf_out, pkey )\
+    ENCODE_SIGNING_PUBKEY(buf_out, pkey );
+
+#define ENCODE_SIGNING_PUBKEY_NULL_SIZE 2
+#define ENCODE_SIGNING_PUBKEY_NULL(buf_out )\
+    {\
+        *buf_out++ = 0x73U;\
+        *buf_out++ = 0x00U;\
+    }
+
+#define _07_03_ENCODE_SIGNING_PUBKEY_NULL(buf_out )\
+    ENCODE_SIGNING_PUBKEY_NULL(buf_out );
+
+
+#define _0E_0E_ENCODE_HOOKOBJ(buf_out, hhash)\
+{\
+        uint8_t* hook0 = (hhash);\
+        *buf_out++ = 0xEEU;   /* hook obj start */ \
+        if (hook0 == 0) /* noop */\
+        {\
+            /* do nothing */ \
+        }\
+        else\
+        {\
+            *buf_out++ = 0x22U; /* flags = override */\
+            *buf_out++ = 0x00U;\
+            *buf_out++ = 0x00U;\
+            *buf_out++ = 0x00U;\
+            *buf_out++ = 0x01U;\
+            if (hook0 == 0xFFFFFFFFUL) /* delete operation */ \
+            {\
+                *buf_out++ = 0x7BU; /* empty createcode */ \
+                *buf_out++ = 0x00U;\
+            }\
+            else\
+            {\
+                *buf_out++ = 0x50U; /* HookHash */\
+                *buf_out++ = 0x1FU;\
+                uint64_t* d = (uint64_t*)buf_out;\
+                uint64_t* s = (uint64_t*)hook0;\
+                *d++ = *s++;\
+                *d++ = *s++;\
+                *d++ = *s++;\
+                *d++ = *s++;\
+                buf_out+=32;\
+            }\
+        }\
+        *buf_out++ = 0xE1U;\
+}
+
+#define PREPARE_HOOKSET(buf_out_master, maxlen, h, sizeout)\
+    {\
+        uint8_t* buf_out = (buf_out_master);                                            \
+        uint8_t acc[20];                                                                \
+        uint32_t cls = (uint32_t)ledger_seq();                                          \
+        hook_account(SBUF(acc));                                                        \
+        _01_02_ENCODE_TT                   (buf_out, ttHOOK_SET                     );  \
+        _02_02_ENCODE_FLAGS                (buf_out, tfCANONICAL                    );  \
+        _02_04_ENCODE_SEQUENCE             (buf_out, 0                              );  \
+        _02_26_ENCODE_FLS                  (buf_out, cls + 1                        );  \
+        _02_27_ENCODE_LLS                  (buf_out, cls + 5                        );  \
+        uint8_t* fee_ptr = buf_out;                                                     \
+        _06_08_ENCODE_DROPS_FEE            (buf_out, 0                              );  \
+        _07_03_ENCODE_SIGNING_PUBKEY_NULL  (buf_out                                 );  \
+        _08_01_ENCODE_ACCOUNT_SRC          (buf_out, acc                            );  \
+        uint32_t remaining_size = (maxlen) - (buf_out - (buf_out_master));              \
+        int64_t edlen = etxn_details((uint32_t)buf_out, remaining_size);                \
+        buf_out += edlen;                                                               \
+        *buf_out++ = 0xFBU;   /* hook array start */                                    \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[0]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[1]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[2]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[3]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[4]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[5]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[6]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[7]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[8]);                           \
+        _0E_0E_ENCODE_HOOKOBJ               (buf_out, h[9]);                           \
+        *buf_out++ = 0xF1U;  /* hook array end */                                       \
+        sizeout = (buf_out - (buf_out_master));                                         \
+        int64_t fee = etxn_fee_base(buf_out_master, sizeout);                           \
+        _06_08_ENCODE_DROPS_FEE            (fee_ptr, fee                            );  \
+    }
+
+#ifdef HAS_CALLBACK
+#define PREPARE_PAYMENT_SIMPLE_SIZE 270U
+#else
+#define PREPARE_PAYMENT_SIMPLE_SIZE 248U
+#endif
+
+#define PREPARE_PAYMENT_SIMPLE(buf_out_master, drops_amount_raw, to_address, dest_tag_raw, src_tag_raw)\
+    {\
+        uint8_t* buf_out = buf_out_master;\
+        uint8_t acc[20];\
+        uint64_t drops_amount = (drops_amount_raw);\
+        uint32_t dest_tag = (dest_tag_raw);\
+        uint32_t src_tag = (src_tag_raw);\
+        uint32_t cls = (uint32_t)ledger_seq();\
+        hook_account(SBUF(acc));\
+        _01_02_ENCODE_TT                   (buf_out, ttPAYMENT                      );      /* uint16  | size   3 */ \
+        _02_02_ENCODE_FLAGS                (buf_out, tfCANONICAL                    );      /* uint32  | size   5 */ \
+        _02_03_ENCODE_TAG_SRC              (buf_out, src_tag                        );      /* uint32  | size   5 */ \
+        _02_04_ENCODE_SEQUENCE             (buf_out, 0                              );      /* uint32  | size   5 */ \
+        _02_14_ENCODE_TAG_DST              (buf_out, dest_tag                       );      /* uint32  | size   5 */ \
+        _02_26_ENCODE_FLS                  (buf_out, cls + 1                        );      /* uint32  | size   6 */ \
+        _02_27_ENCODE_LLS                  (buf_out, cls + 5                        );      /* uint32  | size   6 */ \
+        _06_01_ENCODE_DROPS_AMOUNT         (buf_out, drops_amount                   );      /* amount  | size   9 */ \
+        uint8_t* fee_ptr = buf_out;\
+        _06_08_ENCODE_DROPS_FEE            (buf_out, 0                              );      /* amount  | size   9 */ \
+        _07_03_ENCODE_SIGNING_PUBKEY_NULL  (buf_out                                 );      /* pk      | size  35 */ \
+        _08_01_ENCODE_ACCOUNT_SRC          (buf_out, acc                            );      /* account | size  22 */ \
+        _08_03_ENCODE_ACCOUNT_DST          (buf_out, to_address                     );      /* account | size  22 */ \
+        int64_t edlen = etxn_details((uint32_t)buf_out, PREPARE_PAYMENT_SIMPLE_SIZE);       /* emitdet | size 1?? */ \
+        int64_t fee = etxn_fee_base(buf_out_master, PREPARE_PAYMENT_SIMPLE_SIZE);                                    \
+        _06_08_ENCODE_DROPS_FEE            (fee_ptr, fee                            );                               \
+    }
+
+#ifdef HAS_CALLBACK
+#define PREPARE_PAYMENT_SIMPLE_TRUSTLINE_SIZE 309
+#else
+#define PREPARE_PAYMENT_SIMPLE_TRUSTLINE_SIZE 287
+#endif
+#define PREPARE_PAYMENT_SIMPLE_TRUSTLINE(buf_out_master, tlamt, to_address, dest_tag_raw, src_tag_raw)\
+    {\
+        uint8_t* buf_out = buf_out_master;\
+        uint8_t acc[20];\
+        uint32_t dest_tag = (dest_tag_raw);\
+        uint32_t src_tag = (src_tag_raw);\
+        uint32_t cls = (uint32_t)ledger_seq();\
+        hook_account(SBUF(acc));\
+        _01_02_ENCODE_TT                   (buf_out, ttPAYMENT                      );      /* uint16  | size   3 */ \
+        _02_02_ENCODE_FLAGS                (buf_out, tfCANONICAL                    );      /* uint32  | size   5 */ \
+        _02_03_ENCODE_TAG_SRC              (buf_out, src_tag                        );      /* uint32  | size   5 */ \
+        _02_04_ENCODE_SEQUENCE             (buf_out, 0                              );      /* uint32  | size   5 */ \
+        _02_14_ENCODE_TAG_DST              (buf_out, dest_tag                       );      /* uint32  | size   5 */ \
+        _02_26_ENCODE_FLS                  (buf_out, cls + 1                        );      /* uint32  | size   6 */ \
+        _02_27_ENCODE_LLS                  (buf_out, cls + 5                        );      /* uint32  | size   6 */ \
+        _06_01_ENCODE_TL_AMOUNT            (buf_out, tlamt                          );      /* amount  | size  48 */ \
+        uint8_t* fee_ptr = buf_out;\
+        _06_08_ENCODE_DROPS_FEE            (buf_out, 0                              );      /* amount  | size   9 */ \
+        _07_03_ENCODE_SIGNING_PUBKEY_NULL  (buf_out                                 );      /* pk      | size  35 */ \
+        _08_01_ENCODE_ACCOUNT_SRC          (buf_out, acc                            );      /* account | size  22 */ \
+        _08_03_ENCODE_ACCOUNT_DST          (buf_out, to_address                     );      /* account | size  22 */ \
+        etxn_details((uint32_t)buf_out, PREPARE_PAYMENT_SIMPLE_TRUSTLINE_SIZE);             /* emitdet | size 1?? */  \
+        int64_t fee = etxn_fee_base(buf_out_master, PREPARE_PAYMENT_SIMPLE_TRUSTLINE_SIZE);                          \
+        _06_08_ENCODE_DROPS_FEE            (fee_ptr, fee                            );                               \
+    }
+
+#endif

hook/genesis/headers/sfcodes.h

@@ -0,0 +1,215 @@
+// For documentation please see: https://xrpl-hooks.readme.io/reference/
+// Generated using generate_sfcodes.sh
+#define sfCloseResolution ((16U << 16U) + 1U)
+#define sfMethod ((16U << 16U) + 2U)
+#define sfTransactionResult ((16U << 16U) + 3U)
+#define sfTickSize ((16U << 16U) + 16U)
+#define sfUNLModifyDisabling ((16U << 16U) + 17U)
+#define sfHookResult ((16U << 16U) + 18U)
+#define sfLedgerEntryType ((1U << 16U) + 1U)
+#define sfTransactionType ((1U << 16U) + 2U)
+#define sfSignerWeight ((1U << 16U) + 3U)
+#define sfTransferFee ((1U << 16U) + 4U)
+#define sfVersion ((1U << 16U) + 16U)
+#define sfHookStateChangeCount ((1U << 16U) + 17U)
+#define sfHookEmitCount ((1U << 16U) + 18U)
+#define sfHookExecutionIndex ((1U << 16U) + 19U)
+#define sfHookApiVersion ((1U << 16U) + 20U)
+#define sfNetworkID ((2U << 16U) + 1U)
+#define sfFlags ((2U << 16U) + 2U)
+#define sfSourceTag ((2U << 16U) + 3U)
+#define sfSequence ((2U << 16U) + 4U)
+#define sfPreviousTxnLgrSeq ((2U << 16U) + 5U)
+#define sfLedgerSequence ((2U << 16U) + 6U)
+#define sfCloseTime ((2U << 16U) + 7U)
+#define sfParentCloseTime ((2U << 16U) + 8U)
+#define sfSigningTime ((2U << 16U) + 9U)
+#define sfExpiration ((2U << 16U) + 10U)
+#define sfTransferRate ((2U << 16U) + 11U)
+#define sfWalletSize ((2U << 16U) + 12U)
+#define sfOwnerCount ((2U << 16U) + 13U)
+#define sfDestinationTag ((2U << 16U) + 14U)
+#define sfHighQualityIn ((2U << 16U) + 16U)
+#define sfHighQualityOut ((2U << 16U) + 17U)
+#define sfLowQualityIn ((2U << 16U) + 18U)
+#define sfLowQualityOut ((2U << 16U) + 19U)
+#define sfQualityIn ((2U << 16U) + 20U)
+#define sfQualityOut ((2U << 16U) + 21U)
+#define sfStampEscrow ((2U << 16U) + 22U)
+#define sfBondAmount ((2U << 16U) + 23U)
+#define sfLoadFee ((2U << 16U) + 24U)
+#define sfOfferSequence ((2U << 16U) + 25U)
+#define sfFirstLedgerSequence ((2U << 16U) + 26U)
+#define sfLastLedgerSequence ((2U << 16U) + 27U)
+#define sfTransactionIndex ((2U << 16U) + 28U)
+#define sfOperationLimit ((2U << 16U) + 29U)
+#define sfReferenceFeeUnits ((2U << 16U) + 30U)
+#define sfReserveBase ((2U << 16U) + 31U)
+#define sfReserveIncrement ((2U << 16U) + 32U)
+#define sfSetFlag ((2U << 16U) + 33U)
+#define sfClearFlag ((2U << 16U) + 34U)
+#define sfSignerQuorum ((2U << 16U) + 35U)
+#define sfCancelAfter ((2U << 16U) + 36U)
+#define sfFinishAfter ((2U << 16U) + 37U)
+#define sfSignerListID ((2U << 16U) + 38U)
+#define sfSettleDelay ((2U << 16U) + 39U)
+#define sfTicketCount ((2U << 16U) + 40U)
+#define sfTicketSequence ((2U << 16U) + 41U)
+#define sfNFTokenTaxon ((2U << 16U) + 42U)
+#define sfMintedNFTokens ((2U << 16U) + 43U)
+#define sfBurnedNFTokens ((2U << 16U) + 44U)
+#define sfHookStateCount ((2U << 16U) + 45U)
+#define sfEmitGeneration ((2U << 16U) + 46U)
+#define sfLockCount ((2U << 16U) + 47U)
+#define sfRewardTime ((2U << 16U) + 98U)
+#define sfRewardLgrFirst ((2U << 16U) + 99U)
+#define sfRewardLgrLast ((2U << 16U) + 100U)
+#define sfIndexNext ((3U << 16U) + 1U)
+#define sfIndexPrevious ((3U << 16U) + 2U)
+#define sfBookNode ((3U << 16U) + 3U)
+#define sfOwnerNode ((3U << 16U) + 4U)
+#define sfBaseFee ((3U << 16U) + 5U)
+#define sfExchangeRate ((3U << 16U) + 6U)
+#define sfLowNode ((3U << 16U) + 7U)
+#define sfHighNode ((3U << 16U) + 8U)
+#define sfDestinationNode ((3U << 16U) + 9U)
+#define sfCookie ((3U << 16U) + 10U)
+#define sfServerVersion ((3U << 16U) + 11U)
+#define sfNFTokenOfferNode ((3U << 16U) + 12U)
+#define sfEmitBurden ((3U << 16U) + 13U)
+#define sfHookInstructionCount ((3U << 16U) + 17U)
+#define sfHookReturnCode ((3U << 16U) + 18U)
+#define sfReferenceCount ((3U << 16U) + 19U)
+#define sfRewardAccumulator ((3U << 16U) + 100U)
+#define sfEmailHash ((4U << 16U) + 1U)
+#define sfTakerPaysCurrency ((10U << 16U) + 1U)
+#define sfTakerPaysIssuer ((10U << 16U) + 2U)
+#define sfTakerGetsCurrency ((10U << 16U) + 3U)
+#define sfTakerGetsIssuer ((10U << 16U) + 4U)
+#define sfLedgerHash ((5U << 16U) + 1U)
+#define sfParentHash ((5U << 16U) + 2U)
+#define sfTransactionHash ((5U << 16U) + 3U)
+#define sfAccountHash ((5U << 16U) + 4U)
+#define sfPreviousTxnID ((5U << 16U) + 5U)
+#define sfLedgerIndex ((5U << 16U) + 6U)
+#define sfWalletLocator ((5U << 16U) + 7U)
+#define sfRootIndex ((5U << 16U) + 8U)
+#define sfAccountTxnID ((5U << 16U) + 9U)
+#define sfNFTokenID ((5U << 16U) + 10U)
+#define sfEmitParentTxnID ((5U << 16U) + 11U)
+#define sfEmitNonce ((5U << 16U) + 12U)
+#define sfEmitHookHash ((5U << 16U) + 13U)
+#define sfBookDirectory ((5U << 16U) + 16U)
+#define sfInvoiceID ((5U << 16U) + 17U)
+#define sfNickname ((5U << 16U) + 18U)
+#define sfAmendment ((5U << 16U) + 19U)
+#define sfHookOn ((5U << 16U) + 20U)
+#define sfDigest ((5U << 16U) + 21U)
+#define sfChannel ((5U << 16U) + 22U)
+#define sfConsensusHash ((5U << 16U) + 23U)
+#define sfCheckID ((5U << 16U) + 24U)
+#define sfValidatedHash ((5U << 16U) + 25U)
+#define sfPreviousPageMin ((5U << 16U) + 26U)
+#define sfNextPageMin ((5U << 16U) + 27U)
+#define sfNFTokenBuyOffer ((5U << 16U) + 28U)
+#define sfNFTokenSellOffer ((5U << 16U) + 29U)
+#define sfHookStateKey ((5U << 16U) + 30U)
+#define sfHookHash ((5U << 16U) + 31U)
+#define sfHookNamespace ((5U << 16U) + 32U)
+#define sfHookSetTxnID ((5U << 16U) + 33U)
+#define sfOfferID ((5U << 16U) + 34U)
+#define sfEscrowID ((5U << 16U) + 35U)
+#define sfURITokenID ((5U << 16U) + 36U)
+#define sfAmount ((6U << 16U) + 1U)
+#define sfBalance ((6U << 16U) + 2U)
+#define sfLimitAmount ((6U << 16U) + 3U)
+#define sfTakerPays ((6U << 16U) + 4U)
+#define sfTakerGets ((6U << 16U) + 5U)
+#define sfLowLimit ((6U << 16U) + 6U)
+#define sfHighLimit ((6U << 16U) + 7U)
+#define sfFee ((6U << 16U) + 8U)
+#define sfSendMax ((6U << 16U) + 9U)
+#define sfDeliverMin ((6U << 16U) + 10U)
+#define sfMinimumOffer ((6U << 16U) + 16U)
+#define sfRippleEscrow ((6U << 16U) + 17U)
+#define sfDeliveredAmount ((6U << 16U) + 18U)
+#define sfNFTokenBrokerFee ((6U << 16U) + 19U)
+#define sfHookCallbackFee ((6U << 16U) + 20U)
+#define sfLockedBalance ((6U << 16U) + 21U)
+#define sfPublicKey ((7U << 16U) + 1U)
+#define sfMessageKey ((7U << 16U) + 2U)
+#define sfSigningPubKey ((7U << 16U) + 3U)
+#define sfTxnSignature ((7U << 16U) + 4U)
+#define sfURI ((7U << 16U) + 5U)
+#define sfSignature ((7U << 16U) + 6U)
+#define sfDomain ((7U << 16U) + 7U)
+#define sfFundCode ((7U << 16U) + 8U)
+#define sfRemoveCode ((7U << 16U) + 9U)
+#define sfExpireCode ((7U << 16U) + 10U)
+#define sfCreateCode ((7U << 16U) + 11U)
+#define sfMemoType ((7U << 16U) + 12U)
+#define sfMemoData ((7U << 16U) + 13U)
+#define sfMemoFormat ((7U << 16U) + 14U)
+#define sfFulfillment ((7U << 16U) + 16U)
+#define sfCondition ((7U << 16U) + 17U)
+#define sfMasterSignature ((7U << 16U) + 18U)
+#define sfUNLModifyValidator ((7U << 16U) + 19U)
+#define sfValidatorToDisable ((7U << 16U) + 20U)
+#define sfValidatorToReEnable ((7U << 16U) + 21U)
+#define sfHookStateData ((7U << 16U) + 22U)
+#define sfHookReturnString ((7U << 16U) + 23U)
+#define sfHookParameterName ((7U << 16U) + 24U)
+#define sfHookParameterValue ((7U << 16U) + 25U)
+#define sfBlob ((7U << 16U) + 26U)
+#define sfAccount ((8U << 16U) + 1U)
+#define sfOwner ((8U << 16U) + 2U)
+#define sfDestination ((8U << 16U) + 3U)
+#define sfIssuer ((8U << 16U) + 4U)
+#define sfAuthorize ((8U << 16U) + 5U)
+#define sfUnauthorize ((8U << 16U) + 6U)
+#define sfRegularKey ((8U << 16U) + 8U)
+#define sfNFTokenMinter ((8U << 16U) + 9U)
+#define sfEmitCallback ((8U << 16U) + 10U)
+#define sfHookAccount ((8U << 16U) + 16U)
+#define sfIndexes ((19U << 16U) + 1U)
+#define sfHashes ((19U << 16U) + 2U)
+#define sfAmendments ((19U << 16U) + 3U)
+#define sfNFTokenOffers ((19U << 16U) + 4U)
+#define sfHookNamespaces ((19U << 16U) + 5U)
+#define sfPaths ((18U << 16U) + 1U)
+#define sfTransactionMetaData ((14U << 16U) + 2U)
+#define sfCreatedNode ((14U << 16U) + 3U)
+#define sfDeletedNode ((14U << 16U) + 4U)
+#define sfModifiedNode ((14U << 16U) + 5U)
+#define sfPreviousFields ((14U << 16U) + 6U)
+#define sfFinalFields ((14U << 16U) + 7U)
+#define sfNewFields ((14U << 16U) + 8U)
+#define sfTemplateEntry ((14U << 16U) + 9U)
+#define sfMemo ((14U << 16U) + 10U)
+#define sfSignerEntry ((14U << 16U) + 11U)
+#define sfNFToken ((14U << 16U) + 12U)
+#define sfEmitDetails ((14U << 16U) + 13U)
+#define sfHook ((14U << 16U) + 14U)
+#define sfSigner ((14U << 16U) + 16U)
+#define sfMajority ((14U << 16U) + 18U)
+#define sfDisabledValidator ((14U << 16U) + 19U)
+#define sfEmittedTxn ((14U << 16U) + 20U)
+#define sfHookExecution ((14U << 16U) + 21U)
+#define sfHookDefinition ((14U << 16U) + 22U)
+#define sfHookParameter ((14U << 16U) + 23U)
+#define sfHookGrant ((14U << 16U) + 24U)
+#define sfSigners ((15U << 16U) + 3U)
+#define sfSignerEntries ((15U << 16U) + 4U)
+#define sfTemplate ((15U << 16U) + 5U)
+#define sfNecessary ((15U << 16U) + 6U)
+#define sfSufficient ((15U << 16U) + 7U)
+#define sfAffectedNodes ((15U << 16U) + 8U)
+#define sfMemos ((15U << 16U) + 9U)
+#define sfNFTokens ((15U << 16U) + 10U)
+#define sfHooks ((15U << 16U) + 11U)
+#define sfMajorities ((15U << 16U) + 16U)
+#define sfDisabledValidators ((15U << 16U) + 17U)
+#define sfHookExecutions ((15U << 16U) + 18U)
+#define sfHookParameters ((15U << 16U) + 19U)
+#define sfHookGrants ((15U << 16U) + 20U)
+#define sfActiveValidators ((15U << 16U) + 95U)

hook/genesis/headers/types.h

@@ -0,0 +1,239 @@
+#include <stdint.h>
+
+// 8 byte-int = 1 bytes
+#define SFL_CLOSERESOLUTION 1
+#define SFL_METHOD 1
+#define SFL_TRANSACTIONRESULT 1
+#define SFL_TICKSIZE 1
+#define SFL_UNLMODIFYDISABLING 1
+#define SFL_HOOKRESULT 1
+// 16 byte-int = 2 bytes
+#define SFL_LEDGERENTRYTYPE 2
+#define SFL_TRANSACTIONTYPE 2
+#define SFL_SIGNERWEIGHT 2
+#define SFL_TRANSFERFEE 2
+#define SFL_VERSION 2
+#define SFL_HOOKSTATECHANGECOUNT 2
+#define SFL_HOOKEMITCOUNT 2
+#define SFL_HOOKEXECUTIONINDEX 2
+#define SFL_HOOKAPIVERSION 2
+// 32 byte-int = 4 bytes
+#define SFL_NETWORKID 4
+#define SFL_FLAGS 4
+#define SFL_SOURCETAG 4
+#define SFL_SEQUENCE 4
+#define SFL_PREVIOUSTXNLGRSEQ 4
+#define SFL_LEDGERSEQUENCE 4
+#define SFL_CLOSETIME 4
+#define SFL_PARENTCLOSETIME 4
+#define SFL_SIGNINGTIME 4
+#define SFL_EXPIRATION 4
+#define SFL_TRANSFERRATE 4
+#define SFL_WALLETSIZE 4
+#define SFL_OWNERCOUNT 4
+#define SFL_DESTINATIONTAG 4
+#define SFL_HIGHQUALITYIN 4
+#define SFL_HIGHQUALITYOUT 4
+#define SFL_LOWQUALITYIN 4
+#define SFL_LOWQUALITYOUT 4
+#define SFL_QUALITYIN 4
+#define SFL_QUALITYOUT 4
+#define SFL_STAMPESCROW 4
+#define SFL_BONDAMOUNT 4
+#define SFL_LOADFEE 4
+#define SFL_OFFERSEQUENCE 4
+#define SFL_FIRSTLEDGERSEQUENCE 4
+#define SFL_LASTLEDGERSEQUENCE 4
+#define SFL_TRANSACTIONINDEX 4
+#define SFL_OPERATIONLIMIT 4
+#define SFL_REFERENCEFEEUNITS 4
+#define SFL_RESERVEBASE 4
+#define SFL_RESERVEINCREMENT 4
+#define SFL_SETFLAG 4
+#define SFL_CLEARFLAG 4
+#define SFL_SIGNERQUORUM 4
+#define SFL_CANCELAFTER 4
+#define SFL_FINISHAFTER 4
+#define SFL_SIGNERLISTID 4
+#define SFL_SETTLEDELAY 4
+#define SFL_TICKETCOUNT 4
+#define SFL_TICKETSEQUENCE 4
+#define SFL_NFTOKENTAXON 4
+#define SFL_MINTEDNFTOKENS 4
+#define SFL_BURNEDNFTOKENS 4
+#define SFL_HOOKSTATECOUNT 4
+#define SFL_EMITGENERATION 4
+#define SFL_LOCKCOUNT 4
+#define SFL_REWARDTIME 4
+#define SFL_REWARDLGRFIRST 4
+#define SFL_REWARDLGRLAST 4
+#define SFL_FIRSTNFTOKENSEQUENCE 4
+// 64 byte-int = 8 bytes
+#define SFL_INDEX_NEXT 8
+#define SFL_INDEX_PREVIOUS 8
+#define SFL_BOOK_NODE 8
+#define SFL_OWNER_NODE 8
+#define SFL_BASE_FEE 8
+#define SFL_EXCHANGE_RATE 8
+#define SFL_LOW_NODE 8
+#define SFL_HIGH_NODE 8
+#define SFL_DESTINATION_NODE 8
+#define SFL_COOKIE 8
+#define SFL_SERVER_VERSION 8
+#define SFL_EMIT_BURDEN 8
+#define SFL_NFTOKEN_OFFER_NODE 8
+#define SFL_HOOK_INSTRUCTION_COUNT 8
+#define SFL_HOOK_RETURN_CODE 8
+#define SFL_REFERENCE_COUNT 8
+#define SFL_REWARD_ACCUMULATOR 8
+// 128 byte-int = 4 bytes
+#define SFL_EMAIL_HASH 128
+// 160 byte-int = 4 bytes
+#define SFL_TAKER_PAYS_CURRENCY 160
+#define SFL_TAKER_PAYS_ISSUER 160
+#define SFL_TAKER_GETS_CURRENCY 160
+#define SFL_TAKER_GETS_ISSUER 160
+// 256 byte-int = ??? bytes
+#define SFL_LEDGER_HASH 256
+#define SFL_PARENT_HASH 256
+#define SFL_TRANSACTION_HASH 256
+#define SFL_ACCOUNT_HASH 256
+#define SFL_HOOK_ON 256
+#define SFL_PREVIOUS_TXN_ID 256
+#define SFL_LEDGER_INDEX 256
+#define SFL_WALLET_LOCATOR 256
+#define SFL_ROOT_INDEX 256
+#define SFL_ACCOUNT_TXN_ID 256
+#define SFL_NFTOKEN_ID 256
+#define SFL_EMIT_PARENT_TXN_ID 256
+#define SFL_EMIT_NONCE 256
+#define SFL_EMIT_HOOK_HASH 256
+// 256 byte-int = ??? bytes
+#define SFL_BOOK_DIRECTORY 256
+#define SFL_INVOICE_ID 256
+#define SFL_NICKNAME 256
+#define SFL_AMENDMENT 256
+#define SFL_DIGEST 256
+#define SFL_CHANNEL 256
+#define SFL_CONSENSUS_HASH 256
+#define SFL_CHECK_ID 256
+#define SFL_VALIDATED_HASH 256
+#define SFL_PREVIOUS_PAGE_MIN 256
+#define SFL_NEXT_PAGE_MIN 256
+#define SFL_NFTOKEN_BUY_OFFER 256
+#define SFL_NFTOKEN_SELL_OFFER 256
+#define SFL_HOOK_STATE_KEY 256
+#define SFL_HOOK_HASH 256
+#define SFL_HOOK_NAMESPACE 256
+#define SFL_HOOK_SET_TXN_ID 256
+#define SFL_OFFER_ID 256
+#define SFL_ESCROW_ID 256
+#define SFL_URITOKEN_ID 256
+// 20 bytes
+#define SFL_AMOUNT 20
+#define SFL_BALANCE 20
+#define SFL_LIMIT_AMOUNT 20
+#define SFL_TAKER_PAYS 20
+#define SFL_TAKER_GETS 20
+#define SFL_LOW_LIMIT 20
+#define SFL_HIGH_LIMIT 20
+#define SFL_FEE 20
+#define SFL_SEND_MAX 20
+#define SFL_DELIVER_MIN 20
+#define SFL_LOCKED_BALANCE 20
+// Unimplemented
+#define SFL_AMOUNT_MINIMUM_OFFER 8
+#define SFL_AMOUNT_RIPPLE_ESCROW 8
+#define SFL_AMOUNT_DELIVERED_AMOUNT 8
+#define SFL_AMOUNT_NFTOKEN_BROKER_FEE 8
+#define SFL_AMOUNT_HOOK_CALLBACK_FEE 8
+#define SFL_AMOUNT_BASE_FEE_DROPS 8
+#define SFL_AMOUNT_RESERVE_BASE_DROPS 8
+#define SFL_AMOUNT_RESERVE_INCREMENT_DROPS 8
+// Unimplemented
+#define SFL_VL_PUBLIC_KEY 64
+#define SFL_VL_MESSAGE_KEY 64
+#define SFL_VL_SIGNING_PUB_KEY 64
+// Unimplemented
+#define SFL_VL_TXN_SIGNATURE 96
+// Unimplemented
+#define SFL_VL_URI 256
+// Unimplemented
+#define SFL_VL_SIGNATURE 96
+// Unimplemented
+#define SFL_VL_DOMAIN 256
+#define SFL_VL_FUND_CODE 256
+#define SFL_VL_REMOVE_CODE 256
+#define SFL_VL_EXPIRE_CODE 256
+#define SFL_VL_CREATE_CODE 256
+#define SFL_VL_MEMO_TYPE 256
+#define SFL_VL_MEMO_DATA 256
+#define SFL_VL_MEMO_FORMAT 256
+#define SFL_VL_FULFILLMENT 256
+#define SFL_VL_CONDITION 256
+// Unimplemented
+#define SFL_VL_MASTER_SIGNATURE 96
+// Unimplemented
+#define SFL_VL_UNL_MODIFY_VALIDATOR 256
+#define SFL_VL_VALIDATOR_TO_DISABLE 256
+#define SFL_VL_VALIDATOR_TO_RE_ENABLE 256
+#define SFL_VL_HOOK_STATE_DATA 256
+#define SFL_VL_HOOK_RETURN_STRING 256
+#define SFL_VL_HOOK_PARAMETER_NAME 256
+#define SFL_VL_HOOK_PARAMETER_VALUE 256
+#define SFL_VL_BLOB 256
+// 20 bytes
+#define SFL_ACCOUNT 20
+#define SFL_OWNER 20
+#define SFL_DESTINATION 20
+#define SFL_ISSUER 20
+#define SFL_AUTHORIZE 20
+#define SFL_UNAUTHORIZE 20
+#define SFL_REGULAR_KEY 20
+#define SFL_NFTOKEN_MINTER 20
+#define SFL_EMIT_CALLBACK 20
+#define SFL_HOOK_ACCOUNT 20
+#define SFL_NFTOKEN_MINTER 20
+// Unimplemented
+#define SFL_PATHS 1
+// Unimplemented
+#define SFL_VECTOR256_INDEXES 32
+#define SFL_VECTOR256_HASHES 32
+#define SFL_VECTOR256_AMENDMENTS 32
+#define SFL_VECTOR256_NFTOKEN_OFFERS 32
+#define SFL_VECTOR256_HOOK_NAMESPACES 32
+// Unimplemented
+#define SFL_TRANSACTION_META_DATA 1
+#define SFL_CREATED_NODE 1
+#define SFL_DELETED_NODE 1
+#define SFL_MODIFIED_NODE 1
+#define SFL_PREVIOUS_FIELDS 1
+#define SFL_FINAL_FIELDS 1
+#define SFL_NEW_FIELDS 1
+#define SFL_TEMPLATE_ENTRY 1
+#define SFL_MEMO 1
+#define SFL_SIGNER_ENTRY 1
+#define SFL_NFTOKEN 1
+#define SFL_EMIT_DETAILS 1
+#define SFL_HOOK 1
+#define SFL_SIGNER 1
+#define SFL_MAJORITY 1
+#define SFL_DISABLED_VALIDATOR 1
+#define SFL_EMITTED_TXN 1
+#define SFL_HOOK_EXECUTION 1
+#define SFL_HOOK_DEFINITION 1
+#define SFL_HOOK_PARAMETER 1
+#define SFL_HOOK_GRANT 1
+#define SFL_SIGNERS 1
+#define SFL_SIGNER_ENTRIES 1
+#define SFL_TEMPLATE 1
+#define SFL_NECESSARY 1
+#define SFL_SUFFICIENT 1
+#define SFL_AFFECTED_NODES 1
+#define SFL_MEMOS 1
+#define SFL_NFTOKENS 1
+#define SFL_HOOKS 1
+#define SFL_MAJORITIES 1
+#define SFL_DISABLED_VALIDATORS 1
+#define SFL_HOOK_EXECUTIONS 1
+#define SFL_HOOK_EXECUTION 1

hook/genesis/makefile

@@ -1,9 +1,9 @@
 all: reward govern mint
 accept:
-	wasmcc accept.c -o accept.wasm -Oz -Wl,--allow-undefined  -I../
+	wasmcc accept.c -o accept.wasm -Oz -Wl,--allow-undefined  -I./headers
 	hook-cleaner accept.wasm
 reward:
-	wasmcc reward.c -o reward.wasm -Oz -Wl,--allow-undefined  -I../
+	wasmcc reward.c -o reward.wasm -Oz -Wl,--allow-undefined  -I./headers
 	wasm-opt reward.wasm -o reward.wasm \
 		--shrink-level=100000000 \
 		--coalesce-locals-learning \
@@ -58,7 +58,7 @@ reward:
 	hook-cleaner reward.wasm
 	guard_checker reward.wasm
 govern:
-	wasmcc govern.c -o govern.wasm -Oz -Wl,--allow-undefined  -I../
+	wasmcc govern.c -o govern.wasm -Oz -Wl,--allow-undefined  -I./headers
 	wasm-opt govern.wasm -o govern.wasm \
 		--shrink-level=100000000 \
 		--coalesce-locals-learning \
@@ -113,7 +113,7 @@ govern:
 	hook-cleaner govern.wasm
 	guard_checker govern.wasm
 mint:
-	wasmcc mint.c -o mint.wasm -Oz -Wl,--allow-undefined  -I../
+	wasmcc mint.c -o mint.wasm -Oz -Wl,--allow-undefined  -I./headers
 	wasm-opt mint.wasm -o mint.wasm \
 		--shrink-level=100000000 \
 		--coalesce-locals-learning \
@@ -142,5 +142,5 @@ mint:
 	hook-cleaner mint.wasm
 	guard_checker mint.wasm
 nftoken:
-	wasmcc nftoken.c -o nftoken.wasm -Oz -Wl,--allow-undefined  -I../
+	wasmcc nftoken.c -o nftoken.wasm -Oz -Wl,--allow-undefined  -I./headers
 	hook-cleaner nftoken.wasm

hook/hookapi.h

@@ -49,4 +49,7 @@
 #include "macro.h"
 #include "tts.h"
 
+#include "ls_flags.h"
+#include "tx_flags.h"
+
 #endif

hook/ls_flags.h

@@ -0,0 +1,75 @@
+// Generated using generate_lsflags.sh
+
+#ifndef HOOKLSFLAGS_INCLUDED
+#define HOOKLSFLAGS_INCLUDED 1
+
+enum ltACCOUNT_ROOT {
+    lsfPasswordSpent = 0x00010000,
+    lsfRequireDestTag = 0x00020000,
+    lsfRequireAuth = 0x00040000,
+    lsfDisallowXRP = 0x00080000,
+    lsfDisableMaster = 0x00100000,
+    lsfNoFreeze = 0x00200000,
+    lsfGlobalFreeze = 0x00400000,
+    lsfDefaultRipple = 0x00800000,
+    lsfDepositAuth = 0x01000000,
+    lsfTshCollect = 0x02000000,
+    lsfDisallowIncomingNFTokenOffer = 0x04000000,
+    lsfDisallowIncomingCheck = 0x08000000,
+    lsfDisallowIncomingPayChan = 0x10000000,
+    lsfDisallowIncomingTrustline = 0x20000000,
+    lsfURITokenIssuer = 0x40000000,
+    lsfDisallowIncomingRemit = 0x80000000,
+    lsfAllowTrustLineClawback = 0x00001000,
+};
+enum ltOFFER {
+    lsfPassive = 0x00010000,
+    lsfSell = 0x00020000,
+};
+enum ltRIPPLE_STATE {
+    lsfLowReserve = 0x00010000,
+    lsfHighReserve = 0x00020000,
+    lsfLowAuth = 0x00040000,
+    lsfHighAuth = 0x00080000,
+    lsfLowNoRipple = 0x00100000,
+    lsfHighNoRipple = 0x00200000,
+    lsfLowFreeze = 0x00400000,
+    lsfHighFreeze = 0x00800000,
+    lsfLowDeepFreeze = 0x02000000,
+    lsfHighDeepFreeze = 0x04000000,
+    lsfAMMNode = 0x01000000,
+};
+enum ltSIGNER_LIST {
+    lsfOneOwnerCount = 0x00010000,
+};
+enum ltDIR_NODE {
+    lsfNFTokenBuyOffers = 0x00000001,
+    lsfNFTokenSellOffers = 0x00000002,
+    lsfEmittedDir = 0x00000004,
+};
+enum ltNFTOKEN_OFFER {
+    lsfSellNFToken = 0x00000001,
+};
+enum ltURI_TOKEN {
+    lsfBurnable = 0x00000001,
+};
+enum remarks {
+    lsfImmutable = 1,
+};
+enum ltMPTOKEN_ISSUANCE {
+    lsfMPTLocked = 0x00000001,
+    lsfMPTCanLock = 0x00000002,
+    lsfMPTRequireAuth = 0x00000004,
+    lsfMPTCanEscrow = 0x00000008,
+    lsfMPTCanTrade = 0x00000010,
+    lsfMPTCanTransfer = 0x00000020,
+    lsfMPTCanClawback = 0x00000040,
+};
+enum ltMPTOKEN {
+    lsfMPTAuthorized = 0x00000002,
+};
+enum ltCREDENTIAL {
+    lsfAccepted = 0x00010000,
+};
+
+#endif // HOOKLSFLAGS_INCLUDED

hook/sfcodes.h

@@ -9,6 +9,7 @@
 #define sfUNLModifyDisabling ((16U << 16U) + 17U)
 #define sfHookResult ((16U << 16U) + 18U)
 #define sfWasLockingChainSend ((16U << 16U) + 19U)
+#define sfSidecarType ((16U << 16U) + 20U)
 #define sfLedgerEntryType ((1U << 16U) + 1U)
 #define sfTransactionType ((1U << 16U) + 2U)
 #define sfSignerWeight ((1U << 16U) + 3U)
@@ -22,6 +23,8 @@
 #define sfHookApiVersion ((1U << 16U) + 20U)
 #define sfHookStateScale ((1U << 16U) + 21U)
 #define sfLedgerFixType ((1U << 16U) + 22U)
+#define sfHookExportCount ((1U << 16U) + 98U)
+#define sfEntropyCount ((1U << 16U) + 99U)
 #define sfNetworkID ((2U << 16U) + 1U)
 #define sfFlags ((2U << 16U) + 2U)
 #define sfSourceTag ((2U << 16U) + 3U)
@@ -80,6 +83,7 @@
 #define sfRewardTime ((2U << 16U) + 98U)
 #define sfRewardLgrFirst ((2U << 16U) + 99U)
 #define sfRewardLgrLast ((2U << 16U) + 100U)
+#define sfCancelTicketSequence ((2U << 16U) + 101U)
 #define sfIndexNext ((3U << 16U) + 1U)
 #define sfIndexPrevious ((3U << 16U) + 2U)
 #define sfBookNode ((3U << 16U) + 3U)
@@ -159,6 +163,7 @@
 #define sfEmittedTxnID ((5U << 16U) + 97U)
 #define sfGovernanceMarks ((5U << 16U) + 98U)
 #define sfGovernanceFlags ((5U << 16U) + 99U)
+#define sfEntropyDigest ((5U << 16U) + 100U)
 #define sfNumber ((9U << 16U) + 1U)
 #define sfAmount ((6U << 16U) + 1U)
 #define sfBalance ((6U << 16U) + 2U)
@@ -189,6 +194,7 @@
 #define sfSignatureReward ((6U << 16U) + 29U)
 #define sfMinAccountCreateAmount ((6U << 16U) + 30U)
 #define sfLPTokenBalance ((6U << 16U) + 31U)
+#define sfTrustLineRewardAccumulator ((6U << 16U) + 99U)
 #define sfPublicKey ((7U << 16U) + 1U)
 #define sfMessageKey ((7U << 16U) + 2U)
 #define sfSigningPubKey ((7U << 16U) + 3U)
@@ -220,6 +226,7 @@
 #define sfProvider ((7U << 16U) + 30U)
 #define sfMPTokenMetadata ((7U << 16U) + 31U)
 #define sfCredentialType ((7U << 16U) + 32U)
+#define sfHookName ((7U << 16U) + 97U)
 #define sfRemarkValue ((7U << 16U) + 98U)
 #define sfRemarkName ((7U << 16U) + 99U)
 #define sfAccount ((8U << 16U) + 1U)
@@ -255,6 +262,7 @@
 #define sfIssuingChainIssue ((24U << 16U) + 2U)
 #define sfAsset ((24U << 16U) + 3U)
 #define sfAsset2 ((24U << 16U) + 4U)
+#define sfClaimCurrency ((24U << 16U) + 5U)
 #define sfXChainBridge ((25U << 16U) + 1U)
 #define sfTransactionMetaData ((14U << 16U) + 2U)
 #define sfCreatedNode ((14U << 16U) + 3U)
@@ -274,7 +282,6 @@
 #define sfDisabledValidator ((14U << 16U) + 19U)
 #define sfEmittedTxn ((14U << 16U) + 20U)
 #define sfHookExecution ((14U << 16U) + 21U)
-#define sfHookDefinition ((14U << 16U) + 22U)
 #define sfHookParameter ((14U << 16U) + 23U)
 #define sfHookGrant ((14U << 16U) + 24U)
 #define sfVoteEntry ((14U << 16U) + 25U)
@@ -286,6 +293,7 @@
 #define sfXChainCreateAccountAttestationCollectionElement ((14U << 16U) + 31U)
 #define sfPriceData ((14U << 16U) + 32U)
 #define sfCredential ((14U << 16U) + 33U)
+#define sfExportedTxn ((14U << 16U) + 90U)
 #define sfAmountEntry ((14U << 16U) + 91U)
 #define sfMintURIToken ((14U << 16U) + 92U)
 #define sfHookEmission ((14U << 16U) + 93U)
@@ -293,6 +301,9 @@
 #define sfActiveValidator ((14U << 16U) + 95U)
 #define sfGenesisMint ((14U << 16U) + 96U)
 #define sfRemark ((14U << 16U) + 97U)
+#define sfHighReward ((14U << 16U) + 98U)
+#define sfLowReward ((14U << 16U) + 99U)
+#define sfExportResult ((14U << 16U) + 100U)
 #define sfSigners ((15U << 16U) + 3U)
 #define sfSignerEntries ((15U << 16U) + 4U)
 #define sfTemplate ((15U << 16U) + 5U)

hook/tts.h

@@ -61,6 +61,7 @@
 #define ttNFTOKEN_MODIFY 70
 #define ttPERMISSIONED_DOMAIN_SET 71
 #define ttPERMISSIONED_DOMAIN_DELETE 72
+#define ttEXPORT 91
 #define ttCRON 92
 #define ttCRON_SET 93
 #define ttREMARKS_SET 94
@@ -74,3 +75,4 @@
 #define ttUNL_MODIFY 102
 #define ttEMIT_FAILURE 103
 #define ttUNL_REPORT 104
+#define ttCONSENSUS_ENTROPY 105

hook/tx_flags.h

@@ -0,0 +1,122 @@
+// Generated using generate_txflags.sh
+#include "ls_flags.h"
+#include <stdint.h>
+
+enum UniversalFlags : uint32_t {
+    tfFullyCanonicalSig = 0x80000000,
+};
+
+enum AccountSetFlags : uint32_t {
+    tfRequireDestTag = 0x00010000,
+    tfOptionalDestTag = 0x00020000,
+    tfRequireAuth = 0x00040000,
+    tfOptionalAuth = 0x00080000,
+    tfDisallowXRP = 0x00100000,
+    tfAllowXRP = 0x00200000,
+};
+
+enum AccountFlags : uint32_t {
+    asfRequireDest = 1,
+    asfRequireAuth = 2,
+    asfDisallowXRP = 3,
+    asfDisableMaster = 4,
+    asfAccountTxnID = 5,
+    asfNoFreeze = 6,
+    asfGlobalFreeze = 7,
+    asfDefaultRipple = 8,
+    asfDepositAuth = 9,
+    asfAuthorizedNFTokenMinter = 10,
+    asfTshCollect = 11,
+    asfDisallowIncomingNFTokenOffer = 12,
+    asfDisallowIncomingCheck = 13,
+    asfDisallowIncomingPayChan = 14,
+    asfDisallowIncomingTrustline = 15,
+    asfDisallowIncomingRemit = 16,
+    asfAllowTrustLineClawback = 17,
+};
+
+enum OfferCreateFlags : uint32_t {
+    tfPassive = 0x00010000,
+    tfImmediateOrCancel = 0x00020000,
+    tfFillOrKill = 0x00040000,
+    tfSell = 0x00080000,
+};
+
+enum PaymentFlags : uint32_t {
+    tfNoRippleDirect = 0x00010000,
+    tfPartialPayment = 0x00020000,
+    tfLimitQuality = 0x00040000,
+};
+
+enum TrustSetFlags : uint32_t {
+    tfSetfAuth = 0x00010000,
+    tfSetNoRipple = 0x00020000,
+    tfClearNoRipple = 0x00040000,
+    tfSetFreeze = 0x00100000,
+    tfClearFreeze = 0x00200000,
+    tfSetDeepFreeze = 0x00400000,
+    tfClearDeepFreeze = 0x00800000
+};
+
+enum EnableAmendmentFlags : uint32_t {
+    tfGotMajority = 0x00010000,
+    tfLostMajority = 0x00020000,
+    tfTestSuite = 0x80000000,
+};
+
+enum PaymentChannelClaimFlags : uint32_t {
+    tfRenew = 0x00010000,
+    tfClose = 0x00020000,
+};
+
+enum NFTokenMintFlags : uint32_t {
+    tfBurnable = 0x00000001,
+    tfOnlyXRP = 0x00000002,
+    tfTrustLine = 0x00000004,
+    tfTransferable = 0x00000008,
+    tfMutable = 0x00000010,
+    tfStrongTSH = 0x00008000,
+};
+
+enum MPTokenIssuanceCreateFlags : uint32_t {
+    tfMPTCanLock = lsfMPTCanLock,
+    tfMPTRequireAuth = lsfMPTRequireAuth,
+    tfMPTCanEscrow = lsfMPTCanEscrow,
+    tfMPTCanTrade = lsfMPTCanTrade,
+    tfMPTCanTransfer = lsfMPTCanTransfer,
+    tfMPTCanClawback = lsfMPTCanClawback,
+};
+
+enum MPTokenAuthorizeFlags : uint32_t {
+    tfMPTUnauthorize = 0x00000001,
+};
+
+enum MPTokenIssuanceSetFlags : uint32_t {
+    tfMPTLock = 0x00000001,
+    tfMPTUnlock = 0x00000002,
+};
+
+enum NFTokenCreateOfferFlags : uint32_t {
+    tfSellNFToken = 0x00000001,
+};
+
+enum ClaimRewardFlags : uint32_t {
+    tfOptOut = 0x00000001,
+};
+
+enum CronSetFlags : uint32_t {
+    tfCronUnset = 0x00000001,
+};
+
+enum AMMClawbackFlags : uint32_t {
+    tfClawTwoAssets = 0x00000001,
+};
+
+enum BridgeModifyFlags : uint32_t {
+    tfClearAccountCreateAmount = 0x00010000,
+};
+
+enum ConsensusEntropyFlags : uint32_t {
+    tfEntropyCommit = 0x00000001,  // entry is a commitment in commitSet
+    tfEntropyReveal = 0x00000002,  // entry is a reveal in entropySet
+};

include/xrpl/hook/Enum.h

@@ -15,7 +15,10 @@
 #define uint256 std::string
 #define featureHooksUpdate1 "1"
 #define featureHooksUpdate2 "1"
+#define featureExport "1"
+#define featureConsensusEntropy "1"
 #define fix20250131 "1"
+#define fixGuardDepth32 "1"
 namespace hook_api {
 struct Rules
 {
@@ -319,7 +322,7 @@ namespace compare_mode {
 enum compare_mode : uint32_t { EQUAL = 1, LESS = 2, GREATER = 4 };
 }
 
-enum hook_return_code : int64_t {
+enum class hook_return_code : int64_t {
     SUCCESS =
         0,  // return codes > 0 are reserved for hook apis to return "success"
     OUT_OF_BOUNDS =
@@ -383,10 +386,13 @@ enum hook_return_code : int64_t {
     MEM_OVERLAP = -43,   // one or more specified buffers are the same memory
     TOO_MANY_STATE_MODIFICATIONS = -44,  // more than 5000 modified state
                                          // entires in the combined hook chains
-    TOO_MANY_NAMESPACES = -45
+    TOO_MANY_NAMESPACES = -45,
+    EXPORT_FAILURE = -46,
+    TOO_MANY_EXPORTED_TXN = -47,
+    TOO_LITTLE_ENTROPY = -48,
 };
 
-enum ExitType : uint8_t {
+enum class ExitType : uint8_t {
     UNSET = 0,
     WASM_ERROR = 1,
     ROLLBACK = 2,
@@ -397,6 +403,7 @@ const uint16_t max_state_modifications = 256;
 const uint8_t max_slots = 255;
 const uint8_t max_nonce = 255;
 const uint8_t max_emit = 255;
+const uint8_t max_export = 2;
 const uint8_t max_params = 16;
 const double fee_base_multiplier = 1.1f;
 
@@ -437,12 +444,9 @@ getImportWhitelist(Rules const& rules)
     return whitelist;
 }
 
-#undef HOOK_API_DEFINITION
-#undef I32
-#undef I64
-
 enum GuardRulesVersion : uint64_t {
     GuardRuleFix20250131 = 0x00000001,
+    GuardRuleDepth32 = 0x00000002,
 };
 
 inline uint64_t
@@ -451,6 +455,8 @@ getGuardRulesVersion(Rules const& rules)
     uint64_t version = 0;
     if (rules.enabled(fix20250131))
         version |= GuardRuleFix20250131;
+    if (rules.enabled(fixGuardDepth32))
+        version |= GuardRuleDepth32;
     return version;
 }
 

include/xrpl/hook/Guard.h

@@ -204,9 +204,13 @@ struct WasmBlkInf
     }
 // compute worst case execution time
 inline uint64_t
-compute_wce(const WasmBlkInf* blk, int level, bool* recursion_limit_reached)
+compute_wce(
+    const WasmBlkInf* blk,
+    int level,
+    int max_level,
+    bool* recursion_limit_reached)
 {
-    if (level > 16)
+    if (level > max_level)
     {
         *recursion_limit_reached = true;
         return 0;
@@ -233,8 +237,8 @@ compute_wce(const WasmBlkInf* blk, int level, bool* recursion_limit_reached)
 
     if (blk->children.size() > 0)
         for (auto const& child : blk->children)
-            worst_case_execution +=
-                compute_wce(child, level + 1, recursion_limit_reached);
+            worst_case_execution += compute_wce(
+                child, level + 1, max_level, recursion_limit_reached);
 
     if (parent == 0 ||
         parent->iteration_bound ==
@@ -788,12 +792,17 @@ check_guard(
     }
 
     bool recursion_limit_reached = false;
-    uint64_t wce = compute_wce(&(*root), 0, &recursion_limit_reached);
+    int max_level = 16;
+    if (rulesVersion & hook_api::GuardRuleDepth32)
+        max_level = 32;
+    uint64_t wce =
+        compute_wce(&(*root), 0, max_level, &recursion_limit_reached);
     if (recursion_limit_reached)
     {
         GUARDLOG(hook::log::NESTING_LIMIT)
             << "GuardCheck "
-            << "Maximum allowable depth of blocks reached (16 levels). Flatten "
+            << "Maximum allowable depth of blocks reached (" << max_level
+            << " levels). Flatten "
                "your loops and conditions!.\n";
         return {};
     }

include/xrpl/hook/Macro.h

@@ -89,58 +89,69 @@
 
 #define WASM_VAL_TYPE(T, b) CAT2(TYP_, T)
 
-#define DECLARE_HOOK_FUNCTION(R, F, ...)                         \
-    R F(hook::HookContext& hookCtx,                              \
-        WasmEdge_CallingFrameContext const& frameCtx __VA_OPT__( \
-            COMMA __VA_ARGS__));                                 \
-    extern WasmEdge_Result WasmFunction##F(                      \
-        void* data_ptr,                                          \
-        const WasmEdge_CallingFrameContext* frameCtx,            \
-        const WasmEdge_Value* in,                                \
-        WasmEdge_Value* out);                                    \
-    extern WasmEdge_ValType WasmFunctionParams##F[];             \
-    extern WasmEdge_ValType WasmFunctionResult##F[];             \
-    extern WasmEdge_FunctionTypeContext* WasmFunctionType##F;    \
+#define UNSIGNED_TYPE(T) std::make_unsigned_t<T>
+
+#define DECLARE_HOOK_FUNCTION(R, F, ...)                          \
+    std::variant<UNSIGNED_TYPE(R), hook_api::hook_return_code> F( \
+        hook::HookContext& hookCtx,                               \
+        WasmEdge_CallingFrameContext const& frameCtx __VA_OPT__(  \
+            COMMA __VA_ARGS__));                                  \
+    extern WasmEdge_Result WasmFunction##F(                       \
+        void* data_ptr,                                           \
+        const WasmEdge_CallingFrameContext* frameCtx,             \
+        const WasmEdge_Value* in,                                 \
+        WasmEdge_Value* out);                                     \
+    extern WasmEdge_ValType WasmFunctionParams##F[];              \
+    extern WasmEdge_ValType WasmFunctionResult##F[];              \
+    extern WasmEdge_FunctionTypeContext* WasmFunctionType##F;     \
     extern WasmEdge_String WasmFunctionName##F;
 
-#define DEFINE_HOOK_FUNCTION(R, F, ...)                             \
-    WasmEdge_Result hook_api::WasmFunction##F(                      \
-        void* data_ptr,                                             \
-        const WasmEdge_CallingFrameContext* frameCtx,               \
-        const WasmEdge_Value* in,                                   \
-        WasmEdge_Value* out)                                        \
-    {                                                               \
-        __VA_OPT__(int _stack = 0;)                                 \
-        __VA_OPT__(FOR_VARS(VAR_ASSIGN, 2, __VA_ARGS__);)           \
-        hook::HookContext* hookCtx =                                \
-            reinterpret_cast<hook::HookContext*>(data_ptr);         \
-        R return_code = hook_api::F(                                \
-            *hookCtx,                                               \
-            *const_cast<WasmEdge_CallingFrameContext*>(frameCtx)    \
-                __VA_OPT__(COMMA STRIP_TYPES(__VA_ARGS__)));        \
-        if (return_code == RC_ROLLBACK || return_code == RC_ACCEPT) \
-            return WasmEdge_Result_Terminate;                       \
-        out[0] = RET_ASSIGN(R, return_code);                        \
-        return WasmEdge_Result_Success;                             \
-    };                                                              \
-    WasmEdge_ValType hook_api::WasmFunctionParams##F[] = {          \
-        __VA_OPT__(FOR_VARS(WASM_VAL_TYPE, 0, __VA_ARGS__))};       \
-    WasmEdge_ValType hook_api::WasmFunctionResult##F[1] = {         \
-        WASM_VAL_TYPE(R, dummy)};                                   \
-    WasmEdge_FunctionTypeContext* hook_api::WasmFunctionType##F =   \
-        WasmEdge_FunctionTypeCreate(                                \
-            WasmFunctionParams##F,                                  \
-            VA_NARGS(NULL __VA_OPT__(, __VA_ARGS__)),               \
-            WasmFunctionResult##F,                                  \
-            1);                                                     \
-    WasmEdge_String hook_api::WasmFunctionName##F =                 \
-        WasmEdge_StringCreateByCString(#F);                         \
-    R hook_api::F(                                                  \
-        hook::HookContext& hookCtx,                                 \
-        WasmEdge_CallingFrameContext const& frameCtx __VA_OPT__(    \
+#define DEFINE_HOOK_FUNCTION(R, F, ...)                                        \
+    WasmEdge_Result hook_api::WasmFunction##F(                                 \
+        void* data_ptr,                                                        \
+        const WasmEdge_CallingFrameContext* frameCtx,                          \
+        const WasmEdge_Value* in,                                              \
+        WasmEdge_Value* out)                                                   \
+    {                                                                          \
+        __VA_OPT__(int _stack = 0;)                                            \
+        __VA_OPT__(FOR_VARS(VAR_ASSIGN, 2, __VA_ARGS__);)                      \
+        hook::HookContext* hookCtx =                                           \
+            reinterpret_cast<hook::HookContext*>(data_ptr);                    \
+        auto const& return_code = hook_api::F(                                 \
+            *hookCtx,                                                          \
+            *const_cast<WasmEdge_CallingFrameContext*>(frameCtx)               \
+                __VA_OPT__(COMMA STRIP_TYPES(__VA_ARGS__)));                   \
+        if (std::holds_alternative<hook_api::hook_return_code>(return_code) && \
+            (std::get<hook_api::hook_return_code>(return_code) ==              \
+                 RC_ROLLBACK ||                                                \
+             std::get<hook_api::hook_return_code>(return_code) == RC_ACCEPT))  \
+            return WasmEdge_Result_Terminate;                                  \
+        out[0] = RET_ASSIGN(                                                   \
+            R,                                                                 \
+            std::holds_alternative<UNSIGNED_TYPE(R)>(return_code)              \
+                ? std::get<UNSIGNED_TYPE(R)>(return_code)                      \
+                : R(std::get<hook_api::hook_return_code>(return_code)));       \
+        return WasmEdge_Result_Success;                                        \
+    };                                                                         \
+    WasmEdge_ValType hook_api::WasmFunctionParams##F[] = {                     \
+        __VA_OPT__(FOR_VARS(WASM_VAL_TYPE, 0, __VA_ARGS__))};                  \
+    WasmEdge_ValType hook_api::WasmFunctionResult##F[1] = {                    \
+        WASM_VAL_TYPE(R, dummy)};                                              \
+    WasmEdge_FunctionTypeContext* hook_api::WasmFunctionType##F =              \
+        WasmEdge_FunctionTypeCreate(                                           \
+            WasmFunctionParams##F,                                             \
+            VA_NARGS(NULL __VA_OPT__(, __VA_ARGS__)),                          \
+            WasmFunctionResult##F,                                             \
+            1);                                                                \
+    WasmEdge_String hook_api::WasmFunctionName##F =                            \
+        WasmEdge_StringCreateByCString(#F);                                    \
+    std::variant<UNSIGNED_TYPE(R), hook_api::hook_return_code> hook_api::F(    \
+        hook::HookContext& hookCtx,                                            \
+        WasmEdge_CallingFrameContext const& frameCtx __VA_OPT__(               \
             COMMA __VA_ARGS__))
 
 #define HOOK_SETUP()                                                 \
+    using enum hook_api::hook_return_code;                           \
     try                                                              \
     {                                                                \
         [[maybe_unused]] ApplyContext& applyCtx = hookCtx.applyCtx;  \
@@ -203,7 +214,7 @@
     host_memory_ptr,                  \
     guest_memory_length)              \
     {                                 \
-        int64_t bytes_written = 0;    \
+        uint64_t bytes_written = 0;   \
         WRITE_WASM_MEMORY(            \
             bytes_written,            \
             guest_dst_ptr,            \
@@ -272,7 +283,7 @@
             data_ptr < (data_ptr_in))                                    \
             return INTERNAL_ERROR;                                       \
         if (data_len == 0)                                               \
-            return 0;                                                    \
+            return 0ULL;                                                 \
         if ((write_ptr_in) == 0)                                         \
             return data_as_int64(data_ptr, data_len);                    \
         if (data_len > (write_len_in))                                   \

include/xrpl/hook/hook_api.macro

@@ -372,3 +372,28 @@ HOOK_API_DEFINITION(
 HOOK_API_DEFINITION(
   int64_t, prepare, (uint32_t, uint32_t, uint32_t, uint32_t),
   featureHooksUpdate2)
+
+// int64_t xport_reserve(uint32_t count);
+HOOK_API_DEFINITION(
+  int64_t, xport_reserve, (uint32_t),
+  featureExport)
+
+// int64_t xport(uint32_t write_ptr, uint32_t write_len, uint32_t read_ptr, uint32_t read_len);
+HOOK_API_DEFINITION(
+  int64_t, xport, (uint32_t, uint32_t, uint32_t, uint32_t),
+  featureExport)
+
+// int64_t xport_cancel(uint32_t ticket_seq);
+HOOK_API_DEFINITION(
+  int64_t, xport_cancel, (uint32_t),
+  featureExport)
+
+// int64_t dice(uint32_t sides);
+HOOK_API_DEFINITION(
+  int64_t, dice, (uint32_t),
+  featureConsensusEntropy)
+
+// int64_t random(uint32_t write_ptr, uint32_t write_len);
+HOOK_API_DEFINITION(
+  int64_t, random, (uint32_t, uint32_t),
+  featureConsensusEntropy)

include/xrpl/proto/.clang-format

@@ -0,0 +1,2 @@
+---
+DisableFormat: true

include/xrpl/proto/ripple.proto

@@ -166,6 +166,14 @@ message TMProposeSet
 
     // Number of hops traveled
     optional uint32 hops                = 12    [deprecated=true];
+
+    // Export signatures for pending exports seen in the proposal set. The
+    // proposal's ExtendedPosition includes a digest of this repeated field, so
+    // these side-channel blobs are covered by the proposal signature.
+    // Each entry is: txnHash (32 bytes) + validator pubkey (33 bytes)
+    // + multisign signature (variable length). Validators attach these
+    // so export quorum can be reached within the same consensus round.
+    repeated bytes exportSignatures     = 13;
 }
 
 enum TxSetStatus
@@ -384,4 +392,3 @@ message TMHaveTransactions
 {
     repeated bytes hashes = 1;
 }
-

include/xrpl/protocol/ExportLimits.h

@@ -0,0 +1,33 @@
+#ifndef RIPPLE_PROTOCOL_EXPORT_LIMITS_H_INCLUDED
+#define RIPPLE_PROTOCOL_EXPORT_LIMITS_H_INCLUDED
+
+#include <cstdint>
+
+namespace ripple {
+
+// Export system caps.
+//
+// These limits bound the DoS surface of the export signature system:
+// - Each pending export requires every validator to sign it every round
+//   (sign-once, attach once via TMProposeSet)
+// - Inbound signature processing involves crypto verification per sig
+// - The open-ledger cap (maxPendingExports) is the root constraint;
+//   signing throughput and inbound processing are transitively bounded by it
+struct ExportLimits
+{
+    // Maximum exports a single hook execution may produce
+    // (also enforced by hook_api::max_export in Enum.h)
+    static constexpr std::uint8_t maxExportsPerHook = 2;
+
+    // Maximum pending export transactions in an open/apply ledger.
+    // Hook-emitted export backlog drains into the open ledger at this cap.
+    // This transitively caps:
+    //   - signatures per TMProposeSet message (1 per pending export)
+    //   - inbound proposal signature processing (clamped to this)
+    //   - validator signing work per round
+    static constexpr std::uint8_t maxPendingExports = 8;
+};
+
+}  // namespace ripple
+
+#endif

include/xrpl/protocol/Feature.h

@@ -33,35 +33,39 @@
  *
  * Steps required to add new features to the code:
  *
- * 1) In this file, increment `numFeatures` and add a uint256 declaration
- *    for the feature at the bottom
- * 2) Add a uint256 definition for the feature to the corresponding source
- *    file (Feature.cpp). Use `registerFeature` to create the feature with
- *    the feature's name, `Supported::no`, and `VoteBehavior::DefaultNo`. This
- *    should be the only place the feature's name appears in code as a string.
- * 3) Use the uint256 as the parameter to `view.rules.enabled()` to
- *    control flow into new code that this feature limits.
- * 4) If the feature development is COMPLETE, and the feature is ready to be
- *    SUPPORTED, change the `registerFeature` parameter to Supported::yes.
- * 5) When the feature is ready to be ENABLED, change the `registerFeature`
- *    parameter to `VoteBehavior::DefaultYes`.
- * In general, any newly supported amendments (`Supported::yes`) should have
- * a `VoteBehavior::DefaultNo` for at least one full release cycle. High
- * priority bug fixes can be an exception to this rule of thumb.
+ * 1) Add the appropriate XRPL_FEATURE or XRPL_FIX macro definition for the
+ *    feature to features.macro with the feature's name, `Supported::no`, and
+ *    `VoteBehavior::DefaultNo`.
+ *
+ * 2) Use the generated variable name as the parameter to `view.rules.enabled()`
+ *    to control flow into new code that this feature limits. (featureName or
+ *    fixName)
+ *
+ * 3) If the feature development is COMPLETE, and the feature is ready to be
+ *    SUPPORTED, change the macro parameter in features.macro to Supported::yes.
+ *
+ * 4) In general, any newly supported amendments (`Supported::yes`) should have
+ *    a `VoteBehavior::DefaultNo` indefinitely so that external governance can
+ *    make the decision on when to activate it. High priority bug fixes can be
+ *    an exception to this rule. In such cases, ensure the fix has been
+ *    clearly communicated to the community using appropriate channels,
+ *    then change the macro parameter in features.macro to
+ *    `VoteBehavior::DefaultYes`. The communication process is beyond
+ *    the scope of these instructions.
+ *
  *
  * When a feature has been enabled for several years, the conditional code
  * may be removed, and the feature "retired". To retire a feature:
- * 1) Remove the uint256 declaration from this file.
- * 2) MOVE the uint256 definition in Feature.cpp to the "retired features"
- *    section at the end of the file.
- * 3) CHANGE the name of the variable to start with "retired".
- * 4) CHANGE the parameters of the `registerFeature` call to `Supported::yes`
- *    and `VoteBehavior::DefaultNo`.
+ *
+ * 1) MOVE the macro definition in features.macro to the "retired features"
+ *    section at the end of the file, and change the macro to XRPL_RETIRE.
+ *
  * The feature must remain registered and supported indefinitely because it
- * still exists in the ledger, but there is no need to vote for it because
- * there's nothing to vote for. If it is removed completely from the code, any
- * instances running that code will get amendment blocked. Removing the
- * feature from the ledger is beyond the scope of these instructions.
+ * may exist in the Amendments object on ledger. There is no need to vote
+ * for it because there's nothing to vote for. If the feature definition is
+ * removed completely from the code, any instances running that code will get
+ * amendment blocked. Removing the feature from the ledger is beyond the scope
+ * of these instructions.
  *
  */
 
@@ -76,11 +80,32 @@ allAmendments();
 
 namespace detail {
 
+#pragma push_macro("XRPL_FEATURE")
+#undef XRPL_FEATURE
+#pragma push_macro("XRPL_FIX")
+#undef XRPL_FIX
+#pragma push_macro("XRPL_RETIRE")
+#undef XRPL_RETIRE
+
+#define XRPL_FEATURE(name, supported, vote) +1
+#define XRPL_FIX(name, supported, vote) +1
+#define XRPL_RETIRE(name) +1
+
 // This value SHOULD be equal to the number of amendments registered in
 // Feature.cpp. Because it's only used to reserve storage, and determine how
 // large to make the FeatureBitset, it MAY be larger. It MUST NOT be less than
 // the actual number of amendments. A LogicError on startup will verify this.
-static constexpr std::size_t numFeatures = 113;
+static constexpr std::size_t numFeatures =
+    (0 +
+#include <xrpl/protocol/detail/features.macro>
+    );
+
+#undef XRPL_RETIRE
+#pragma pop_macro("XRPL_RETIRE")
+#undef XRPL_FIX
+#pragma pop_macro("XRPL_FIX")
+#undef XRPL_FEATURE
+#pragma pop_macro("XRPL_FEATURE")
 
 /** Amendments that this server supports and the default voting behavior.
    Whether they are enabled depends on the Rules defined in the validated
@@ -320,12 +345,17 @@ foreachFeature(FeatureBitset bs, F&& f)
 #undef XRPL_FEATURE
 #pragma push_macro("XRPL_FIX")
 #undef XRPL_FIX
+#pragma push_macro("XRPL_RETIRE")
+#undef XRPL_RETIRE
 
 #define XRPL_FEATURE(name, supported, vote) extern uint256 const feature##name;
 #define XRPL_FIX(name, supported, vote) extern uint256 const fix##name;
+#define XRPL_RETIRE(name)
 
 #include <xrpl/protocol/detail/features.macro>
 
+#undef XRPL_RETIRE
+#pragma pop_macro("XRPL_RETIRE")
 #undef XRPL_FIX
 #pragma pop_macro("XRPL_FIX")
 #undef XRPL_FEATURE

include/xrpl/protocol/HashPrefix.h

@@ -96,6 +96,9 @@ enum class HashPrefix : std::uint32_t {
 
     /** Credentials signature */
     credential = detail::make_hash_prefix('C', 'R', 'D'),
+
+    /** consensus extension sidecar object */
+    sidecar = detail::make_hash_prefix('S', 'C', 'R'),
 };
 
 template <class Hasher>

include/xrpl/protocol/Indexes.h

@@ -62,6 +62,9 @@ emittedDir() noexcept;
 Keylet
 emittedTxn(uint256 const& id) noexcept;
 
+Keylet
+shadowTicket(AccountID const& account, std::uint32_t ticketSeq) noexcept;
+
 Keylet
 hookDefinition(uint256 const& hash) noexcept;
 
@@ -118,6 +121,10 @@ negativeUNL() noexcept;
 Keylet const&
 UNLReport() noexcept;
 
+/** The (fixed) index of the object containing consensus-derived entropy. */
+Keylet const&
+consensusEntropy() noexcept;
+
 /** The beginning of an order book */
 struct book_t
 {

include/xrpl/protocol/SidecarType.h

@@ -0,0 +1,21 @@
+#ifndef RIPPLE_PROTOCOL_SIDECAR_TYPE_H_INCLUDED
+#define RIPPLE_PROTOCOL_SIDECAR_TYPE_H_INCLUDED
+
+#include <cstdint>
+
+namespace ripple {
+
+/// Discriminator for sidecar set entries (SHAMap leaves used for
+/// consensus extension data: RNG commit/reveal, export signatures).
+///
+/// Stored in sfSidecarType (UINT8) on each STObject entry.
+/// Makes sidecar sets self-describing — no content-sniffing needed.
+enum SidecarType : std::uint8_t {
+    sidecarRngCommit = 1,
+    sidecarRngReveal = 2,
+    sidecarExportSig = 3,
+};
+
+}  // namespace ripple
+
+#endif

include/xrpl/protocol/TER.h

@@ -68,6 +68,7 @@ enum TELcodes : TERUnderlyingType {
     telNON_LOCAL_EMITTED_TXN,
     telIMPORT_VL_KEY_NOT_RECOGNISED,
     telCAN_NOT_QUEUE_IMPORT,
+    telSHADOW_TICKET_REQUIRED,
     telENV_RPC_FAILED,
 };
 
@@ -137,6 +138,7 @@ enum TEMcodes : TERUnderlyingType {
     temXCHAIN_BRIDGE_NONDOOR_OWNER,
     temXCHAIN_BRIDGE_BAD_MIN_ACCOUNT_CREATE_AMOUNT,
     temXCHAIN_BRIDGE_BAD_REWARD_AMOUNT,
+    temXCHAIN_TOO_MANY_ATTESTATIONS,  // RESERVED - not used
 
     temHOOK_DATA_TOO_LARGE,
     temEMPTY_DID,
@@ -233,8 +235,10 @@ enum TERcodes : TERUnderlyingType {
     terQUEUED,       // Transaction is being held in TxQ until fee drops
     terPRE_TICKET,   // Ticket is not yet in ledger but might be on its way
     terNO_AMM,       // AMM doesn't exist for the asset pair
-    terNO_HOOK       // Transaction requires a non-existent hook definition
+    terNO_HOOK,      // Transaction requires a non-existent hook definition
                      // (referenced by sfHookHash)
+    terRETRY_EXPORT  // Export does not yet have enough validator signatures.
+                     // Retained in retriable set for next ledger.
 };
 
 //------------------------------------------------------------------------------
@@ -362,6 +366,7 @@ enum TECcodes : TERUnderlyingType {
     tecARRAY_TOO_LARGE = 197,
     tecLOCKED = 198,
     tecBAD_CREDENTIALS = 199,
+    tecEXPORT_EXPIRED = 200,
     tecLAST_POSSIBLE_ENTRY = 255,
 };
 

include/xrpl/protocol/TxFlags.h

@@ -132,7 +132,7 @@ constexpr std::uint32_t tfTrustSetMask =
       tfClearFreeze | tfSetDeepFreeze | tfClearDeepFreeze);
 
 // EnableAmendment flags:
-enum EnableAmendmentFlags : std::uint32_t {
+enum EnableAmendmentFlags : uint32_t {
     tfGotMajority = 0x00010000,
     tfLostMajority = 0x00020000,
     tfTestSuite = 0x80000000,
@@ -274,6 +274,13 @@ enum BridgeModifyFlags : uint32_t {
     tfClearAccountCreateAmount = 0x00010000,
 };
 constexpr std::uint32_t tfBridgeModifyMask = ~(tfUniversal | tfClearAccountCreateAmount);
+
+// ConsensusEntropy flags (used on ttCONSENSUS_ENTROPY SHAMap entries):
+enum ConsensusEntropyFlags : uint32_t {
+    tfEntropyCommit = 0x00000001,  // entry is a commitment in commitSet
+    tfEntropyReveal = 0x00000002,  // entry is a reveal in entropySet
+};
+// flag=0 (no tfEntropyCommit/tfEntropyReveal) = final injected pseudo-tx
 // clang-format on
 
 }  // namespace ripple

include/xrpl/protocol/TxMeta.h

@@ -140,6 +140,12 @@ public:
         mHookEmissions = hookEmissions;
     }
 
+    void
+    setExportResult(STObject const& exportResult)
+    {
+        mExportResult = exportResult;
+    }
+
     bool
     hasHookExecutions() const
     {
@@ -152,6 +158,12 @@ public:
         return static_cast<bool>(mHookEmissions);
     }
 
+    bool
+    hasExportResult() const
+    {
+        return static_cast<bool>(mExportResult);
+    }
+
     STAmount
     getDeliveredAmount() const
     {
@@ -176,6 +188,7 @@ private:
     std::optional<STAmount> mDelivered;
     std::optional<STArray> mHookExecutions;
     std::optional<STArray> mHookEmissions;
+    std::optional<STObject> mExportResult;
 
     STArray mNodes;
 };

include/xrpl/protocol/detail/features.macro

@@ -23,6 +23,9 @@
 #if !defined(XRPL_FIX)
 #error "undefined macro: XRPL_FIX"
 #endif
+#if !defined(XRPL_RETIRE)
+#error "undefined macro: XRPL_RETIRE"
+#endif
 
 // clang-format off
 
@@ -31,6 +34,11 @@
 // If you add an amendment here, then do not forget to increment `numFeatures`
 // in include/xrpl/protocol/Feature.h.
 
+XRPL_FIX    (GuardDepth32,               Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FEATURE(NamedHooks,                 Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FEATURE(IOURewardClaim,             Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FIX    (IOULockedBalanceInvariant,  Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FIX    (ImportIssuer,               Supported::yes, VoteBehavior::DefaultYes)
 XRPL_FEATURE(HookAPISerializedType240,   Supported::yes, VoteBehavior::DefaultNo)
 XRPL_FEATURE(PermissionedDomains,        Supported::no,  VoteBehavior::DefaultNo)
 XRPL_FEATURE(DynamicNFT,                 Supported::no,  VoteBehavior::DefaultNo)
@@ -54,16 +62,18 @@ XRPL_FIX    (DisallowIncomingV1,         Supported::yes, VoteBehavior::DefaultYe
 XRPL_FEATURE(XChainBridge,               Supported::no,  VoteBehavior::DefaultNo)
 XRPL_FEATURE(AMM,                        Supported::yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (ReducedOffersV1,            Supported::yes, VoteBehavior::DefaultYes)
-XRPL_FEATURE(HooksUpdate2,               Supported::yes, VoteBehavior::DefaultNo);
-XRPL_FEATURE(HookOnV2,                   Supported::yes, VoteBehavior::DefaultNo);
-XRPL_FIX    (HookAPI20251128,            Supported::yes, VoteBehavior::DefaultYes);
-XRPL_FIX    (CronStacking,               Supported::yes, VoteBehavior::DefaultYes);
-XRPL_FEATURE(ExtendedHookState,          Supported::yes, VoteBehavior::DefaultNo);
-XRPL_FIX    (InvalidTxFlags,             Supported::yes, VoteBehavior::DefaultYes);
-XRPL_FEATURE(Cron,                       Supported::yes, VoteBehavior::DefaultNo);
-XRPL_FEATURE(IOUIssuerWeakTSH,           Supported::yes, VoteBehavior::DefaultNo);
-XRPL_FEATURE(DeepFreeze,                 Supported::yes, VoteBehavior::DefaultNo);
-XRPL_FIX    (ProvisionalDoubleThreading, Supported::yes, VoteBehavior::DefaultYes);
+XRPL_FEATURE(HooksUpdate2,               Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FEATURE(HookOnV2,                   Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FEATURE(Export,                     Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FEATURE(ConsensusEntropy,           Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FIX    (HookAPI20251128,            Supported::yes, VoteBehavior::DefaultYes)
+XRPL_FIX    (CronStacking,               Supported::yes, VoteBehavior::DefaultYes)
+XRPL_FEATURE(ExtendedHookState,          Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FIX    (InvalidTxFlags,             Supported::yes, VoteBehavior::DefaultYes)
+XRPL_FEATURE(Cron,                       Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FEATURE(IOUIssuerWeakTSH,           Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FEATURE(DeepFreeze,                 Supported::yes, VoteBehavior::DefaultNo)
+XRPL_FIX    (ProvisionalDoubleThreading, Supported::yes, VoteBehavior::DefaultYes)
 XRPL_FEATURE(Clawback,                   Supported::yes, VoteBehavior::DefaultNo)
 XRPL_FIX    (RewardClaimFlags,           Supported::yes, VoteBehavior::DefaultYes)
 XRPL_FEATURE(HookCanEmit,                Supported::yes, VoteBehavior::DefaultNo)
@@ -147,4 +157,24 @@ XRPL_FIX    (NFTokenDirV1,          Supported::yes, VoteBehavior::Obsolete)
 XRPL_FEATURE(NonFungibleTokensV1,   Supported::yes, VoteBehavior::Obsolete)
 XRPL_FEATURE(CryptoConditionsSuite, Supported::yes, VoteBehavior::Obsolete)
 
+// The following amendments have been active for at least two years. Their
+// pre-amendment code has been removed and the identifiers are deprecated.
+// All known amendments and amendments that may appear in a validated
+// ledger must be registered either here or above with the "active" amendments
+XRPL_RETIRE(MultiSign)
+XRPL_RETIRE(TrustSetAuth)
+XRPL_RETIRE(FeeEscalation)
+XRPL_RETIRE(PayChan)
+XRPL_RETIRE(CryptoConditions)
+XRPL_RETIRE(TickSize)
+XRPL_RETIRE(fix1368)
+XRPL_RETIRE(Escrow)
+XRPL_RETIRE(fix1373)
+XRPL_RETIRE(EnforceInvariants)
+XRPL_RETIRE(SortedDirectories)
+XRPL_RETIRE(fix1201)
+XRPL_RETIRE(fix1512)
+XRPL_RETIRE(fix1523)
+XRPL_RETIRE(fix1528)
+
 // clang-format on

include/xrpl/protocol/detail/ledger_entries.macro

@@ -223,6 +223,20 @@ LEDGER_ENTRY(ltURI_TOKEN, 0x0055, URIToken, uri_token, ({
     {sfPreviousTxnLgrSeq,    soeREQUIRED},
 }))
 
+/** The ledger object which stores consensus-derived entropy.
+
+    \note This is a singleton: only one such object exists in the ledger.
+
+    \sa keylet::consensusEntropy
+ */
+LEDGER_ENTRY_DUPLICATE(ltCONSENSUS_ENTROPY, 0x0058, ConsensusEntropy, consensus_entropy, ({
+    {sfDigest,               soeREQUIRED},
+    {sfEntropyCount,         soeREQUIRED},
+    {sfLedgerSequence,       soeREQUIRED},
+    {sfPreviousTxnID,        soeREQUIRED},
+    {sfPreviousTxnLgrSeq,    soeREQUIRED},
+}))
+
 /** A ledger object which describes an account.
 
     \sa keylet::account
@@ -396,6 +410,8 @@ LEDGER_ENTRY(ltRIPPLE_STATE, 0x0072, RippleState, state, ({
     {sfHighQualityOut,       soeOPTIONAL},
     {sfLockedBalance,        soeOPTIONAL},
     {sfLockCount,            soeOPTIONAL},
+    {sfHighReward,           soeOPTIONAL},
+    {sfLowReward,            soeOPTIONAL},
 }))
 
 /** The ledger object which lists the network's fee settings.
@@ -590,6 +606,22 @@ LEDGER_ENTRY(ltDID, 0x008D, DID, did, ({
     {sfPreviousTxnLgrSeq,    soeREQUIRED},
 }))
 
+//@@start shadow-ticket-ledger-entry
+/** A shadow ticket for export replay protection.
+
+    Created when a transaction is exported. Consumed when
+    proof-of-execution is imported back. Account-owned (pays reserve).
+
+    \sa keylet::shadowTicket
+ */
+LEDGER_ENTRY(ltSHADOW_TICKET, 0x5374, ShadowTicket, shadow_ticket, ({
+    {sfAccount,              soeREQUIRED},
+    {sfTicketSequence,       soeREQUIRED},
+    {sfTransactionHash,      soeREQUIRED},
+    {sfLedgerSequence,       soeREQUIRED},
+    {sfOwnerNode,            soeREQUIRED},
+}))
+//@@end shadow-ticket-ledger-entry
+
 #undef EXPAND
 #undef LEDGER_ENTRY_DUPLICATE
-

include/xrpl/protocol/detail/sfields.macro

@@ -42,6 +42,7 @@ TYPED_SFIELD(sfTickSize,                 UINT8,     16)
 TYPED_SFIELD(sfUNLModifyDisabling,       UINT8,     17)
 TYPED_SFIELD(sfHookResult,               UINT8,     18)
 TYPED_SFIELD(sfWasLockingChainSend,      UINT8,     19)
+TYPED_SFIELD(sfSidecarType,              UINT8,     20)
 
 // 16-bit integers (common)
 TYPED_SFIELD(sfLedgerEntryType,          UINT16,     1, SField::sMD_Never)
@@ -59,6 +60,8 @@ TYPED_SFIELD(sfHookExecutionIndex,       UINT16,    19)
 TYPED_SFIELD(sfHookApiVersion,           UINT16,    20)
 TYPED_SFIELD(sfHookStateScale,           UINT16,    21)
 TYPED_SFIELD(sfLedgerFixType,            UINT16,    22)
+TYPED_SFIELD(sfHookExportCount,          UINT16,    98)
+TYPED_SFIELD(sfEntropyCount,             UINT16,    99)
 
 // 32-bit integers (common)
 TYPED_SFIELD(sfNetworkID,                UINT32,     1)
@@ -123,6 +126,7 @@ TYPED_SFIELD(sfImportSequence,           UINT32,    97)
 TYPED_SFIELD(sfRewardTime,               UINT32,    98)
 TYPED_SFIELD(sfRewardLgrFirst,           UINT32,    99)
 TYPED_SFIELD(sfRewardLgrLast,            UINT32,   100)
+TYPED_SFIELD(sfCancelTicketSequence,     UINT32,   101)
 
 // 64-bit integers (common)
 TYPED_SFIELD(sfIndexNext,                UINT64,     1)
@@ -217,6 +221,7 @@ TYPED_SFIELD(sfHookCanEmit,              UINT256,   96)
 TYPED_SFIELD(sfEmittedTxnID,             UINT256,   97)
 TYPED_SFIELD(sfGovernanceMarks,          UINT256,   98)
 TYPED_SFIELD(sfGovernanceFlags,          UINT256,   99)
+TYPED_SFIELD(sfEntropyDigest,            UINT256,  100)
 
 // number (common)
 TYPED_SFIELD(sfNumber,                   NUMBER,     1)
@@ -257,6 +262,7 @@ TYPED_SFIELD(sfPrice,                    AMOUNT,    28)
 TYPED_SFIELD(sfSignatureReward,          AMOUNT,    29)
 TYPED_SFIELD(sfMinAccountCreateAmount,   AMOUNT,    30)
 TYPED_SFIELD(sfLPTokenBalance,           AMOUNT,    31)
+TYPED_SFIELD(sfTrustLineRewardAccumulator,AMOUNT,   99)
 
 // variable length (common)
 TYPED_SFIELD(sfPublicKey,                VL,         1)
@@ -292,6 +298,7 @@ TYPED_SFIELD(sfAssetClass,               VL,        29)
 TYPED_SFIELD(sfProvider,                 VL,        30)
 TYPED_SFIELD(sfMPTokenMetadata,          VL,        31)
 TYPED_SFIELD(sfCredentialType,           VL,        32)
+TYPED_SFIELD(sfHookName,                 VL,        97)
 TYPED_SFIELD(sfRemarkValue,              VL,        98)
 TYPED_SFIELD(sfRemarkName,               VL,        99)
 
@@ -340,6 +347,7 @@ TYPED_SFIELD(sfLockingChainIssue,        ISSUE,      1)
 TYPED_SFIELD(sfIssuingChainIssue,        ISSUE,      2)
 TYPED_SFIELD(sfAsset,                    ISSUE,      3)
 TYPED_SFIELD(sfAsset2,                   ISSUE,      4)
+TYPED_SFIELD(sfClaimCurrency,            ISSUE,      5)
 
 // bridge
 TYPED_SFIELD(sfXChainBridge,             XCHAIN_BRIDGE, 1)
@@ -367,7 +375,7 @@ UNTYPED_SFIELD(sfMajority,               OBJECT,    18)
 UNTYPED_SFIELD(sfDisabledValidator,      OBJECT,    19)
 UNTYPED_SFIELD(sfEmittedTxn,             OBJECT,    20)
 UNTYPED_SFIELD(sfHookExecution,          OBJECT,    21)
-UNTYPED_SFIELD(sfHookDefinition,         OBJECT,    22)
+                                                 // 22 unused
 UNTYPED_SFIELD(sfHookParameter,          OBJECT,    23)
 UNTYPED_SFIELD(sfHookGrant,              OBJECT,    24)
 UNTYPED_SFIELD(sfVoteEntry,              OBJECT,    25)
@@ -379,6 +387,7 @@ UNTYPED_SFIELD(sfXChainClaimAttestationCollectionElement, OBJECT, 30)
 UNTYPED_SFIELD(sfXChainCreateAccountAttestationCollectionElement, OBJECT, 31)
 UNTYPED_SFIELD(sfPriceData,              OBJECT,    32)
 UNTYPED_SFIELD(sfCredential,             OBJECT,    33)
+UNTYPED_SFIELD(sfExportedTxn,            OBJECT,    90)
 UNTYPED_SFIELD(sfAmountEntry,            OBJECT,    91)
 UNTYPED_SFIELD(sfMintURIToken,           OBJECT,    92)
 UNTYPED_SFIELD(sfHookEmission,           OBJECT,    93)
@@ -386,6 +395,9 @@ UNTYPED_SFIELD(sfImportVLKey,            OBJECT,    94)
 UNTYPED_SFIELD(sfActiveValidator,        OBJECT,    95)
 UNTYPED_SFIELD(sfGenesisMint,            OBJECT,    96)
 UNTYPED_SFIELD(sfRemark,                 OBJECT,    97)
+UNTYPED_SFIELD(sfHighReward,             OBJECT,    98)
+UNTYPED_SFIELD(sfLowReward,              OBJECT,    99)
+UNTYPED_SFIELD(sfExportResult,           OBJECT,    100)
 
 // array of objects (common)
 // ARRAY/1 is reserved for end of array

include/xrpl/protocol/detail/transactions.macro

@@ -500,6 +500,17 @@ TRANSACTION(ttPERMISSIONED_DOMAIN_DELETE, 72, PermissionedDomainDelete, ({
     {sfDomainID, soeREQUIRED},
 }))
 
+//@@start export-transaction-types
+/* User-submittable export: creates a cross-chain transaction for
+   validator signing. Retries via terRETRY_EXPORT until quorum.
+   Also supports shadow ticket cancellation via sfCancelTicketSequence.
+   At least one of sfExportedTxn or sfCancelTicketSequence must be present. */
+TRANSACTION(ttEXPORT, 91, Export, ({
+    {sfExportedTxn, soeOPTIONAL},
+    {sfCancelTicketSequence, soeOPTIONAL},
+}))
+//@@end export-transaction-types
+
 /* A pseudo-txn alarm signal for invoking a hook, emitted by validators after alarm set conditions are met */
 TRANSACTION(ttCRON, 92, Cron, ({
     {sfOwner, soeREQUIRED},
@@ -550,6 +561,7 @@ TRANSACTION(ttIMPORT, 97, Import, ({
   * from a specified hook */
 TRANSACTION(ttCLAIM_REWARD, 98, ClaimReward, ({
     {sfIssuer, soeOPTIONAL},
+    {sfClaimCurrency, soeOPTIONAL},
 }))
 
 /** This transaction invokes a hook, providing arbitrary data. Essentially as a 0 drop payment. **/
@@ -605,3 +617,10 @@ TRANSACTION(ttUNL_REPORT, 104, UNLReport, ({
     {sfActiveValidator, soeOPTIONAL},
     {sfImportVLKey, soeOPTIONAL},
 }))
+
+TRANSACTION(ttCONSENSUS_ENTROPY, 105, ConsensusEntropy, ({
+    {sfLedgerSequence, soeREQUIRED},
+    {sfDigest, soeREQUIRED},
+    {sfEntropyCount, soeREQUIRED},
+    {sfBlob, soeOPTIONAL},
+}))

include/xrpl/protocol/jss.h

@@ -76,6 +76,7 @@ JSS(Holder);              // field.
 JSS(HookApiVersion);      // field
 JSS(HookCanEmit);         // field
 JSS(HookHash);            // field
+JSS(HookName);            // field
 JSS(HookNamespace);       // field
 JSS(HookOn);              // field
 JSS(HookOnIncoming);      // field

include/xrpl/resource/detail/Logic.h

@@ -109,14 +109,22 @@ public:
     Consumer
     newInboundEndpoint(beast::IP::Endpoint const& address)
     {
+        //@@start rng-local-testnet-resource-bucket
+        // Inbound connections from the same IP normally share one
+        // resource bucket (port stripped) for DoS protection.  For
+        // loopback addresses, preserve the port so local testnet nodes
+        // each get their own bucket instead of all sharing one.
+        auto const key = is_loopback(address) ? address : address.at_port(0);
+        //@@end rng-local-testnet-resource-bucket
+
         Entry* entry(nullptr);
 
         {
             std::lock_guard _(lock_);
             auto [resultIt, resultInserted] = table_.emplace(
                 std::piecewise_construct,
-                std::make_tuple(kindInbound, address.at_port(0)),  // Key
-                std::make_tuple(m_clock.now()));                   // Entry
+                std::make_tuple(kindInbound, key),
+                std::make_tuple(m_clock.now()));
 
             entry = &resultIt->second;
             entry->key = &resultIt->first;

release-builder.sh

@@ -11,11 +11,11 @@ echo "START BUILDING (HOST)"
 echo "Cleaning previously built binary"
 rm -f release-build/xahaud
 
-BUILD_CORES=$(echo "scale=0 ; `nproc` / 1.337" | bc)
+BUILD_CORES=$(echo "scale=0 ; $(nproc) / 1.337" | bc)
 
 if [[ "$GITHUB_REPOSITORY" == "" ]]; then
   #Default
-  BUILD_CORES=${BUILD_CORES:-8} 
+  BUILD_CORES=${BUILD_CORES:-8}
 fi
 
 # Ensure still works outside of GH Actions by setting these to /dev/null
@@ -31,21 +31,19 @@ echo "-- GITHUB_SHA:        $GITHUB_SHA"
 echo "-- GITHUB_RUN_NUMBER: $GITHUB_RUN_NUMBER"
 echo "-- CONTAINER_NAME:    $CONTAINER_NAME"
 
-which docker 2> /dev/null 2> /dev/null
-if [ "$?" -eq "1" ]
-then
+which docker 2>/dev/null 2>/dev/null
+if [ "$?" -eq "1" ]; then
   echo 'Docker not found. Install it first.'
   exit 1
 fi
 
-stat .git 2> /dev/null 2> /dev/null
-if [ "$?" -eq "1" ]
-then
+stat .git 2>/dev/null 2>/dev/null
+if [ "$?" -eq "1" ]; then
   echo 'Run this inside the source directory. (.git dir not found).'
   exit 1
 fi
 
-STATIC_CONTAINER=$(docker ps -a | grep $CONTAINER_NAME |wc -l)
+STATIC_CONTAINER=$(docker ps -a | grep $CONTAINER_NAME | wc -l)
 
 CACHE_VOLUME_NAME="xahau-release-builder-cache"
 
@@ -57,13 +55,14 @@ if false; then
   docker stop $CONTAINER_NAME
 else
   echo "No static container, build on temp container"
-  rm -rf release-build;
-  mkdir -p release-build;
+  rm -rf release-build
+  mkdir -p release-build
 
   docker volume create $CACHE_VOLUME_NAME
 
   # Create inline Dockerfile with environment setup for build-full.sh
-  DOCKERFILE_CONTENT=$(cat <<'DOCKERFILE_EOF'
+  DOCKERFILE_CONTENT=$(
+    cat <<'DOCKERFILE_EOF'
 FROM ghcr.io/phusion/holy-build-box:4.0.1-amd64
 
 ARG BUILD_CORES=8
@@ -196,6 +195,7 @@ ENV PATH=/usr/local/bin:$PATH
 RUN /hbb_exe/activate-exec bash -c "ccache -M 100G && \
     ccache -o cache_dir=/cache/ccache && \
     ccache -o compiler_check=content && \
+    ccache -o direct_mode=true && \
     mkdir -p ~/.conan2 /cache/conan2 /cache/conan2_download /cache/conan2_sources && \
     echo 'core.cache:storage_path=/cache/conan2' > ~/.conan2/global.conf && \
     echo 'core.download:download_cache=/cache/conan2_download' >> ~/.conan2/global.conf && \
@@ -217,7 +217,7 @@ RUN /hbb_exe/activate-exec bash -c "ccache -M 100G && \
     ln -s ../../bin/ccache /usr/lib64/ccache/c++"
 
 DOCKERFILE_EOF
-)
+  )
 
   # Build custom Docker image
   IMAGE_NAME="xahaud-builder:latest"
@@ -227,14 +227,14 @@ DOCKERFILE_EOF
   if [[ "$GITHUB_REPOSITORY" == "" ]]; then
     # Non GH, local building
     echo "Non-GH runner, local building, temp container"
-    docker run -i --user 0:$(id -g) --rm -v /data/builds:/data/builds -v `pwd`:/io -v "$CACHE_VOLUME_NAME":/cache --network host "$IMAGE_NAME" /hbb_exe/activate-exec bash -c "source /opt/rh/gcc-toolset-11/enable && bash -x /io/build-full.sh '$GITHUB_REPOSITORY' '$GITHUB_SHA' '$BUILD_CORES' '$GITHUB_RUN_NUMBER'"
+    docker run -i --user 0:$(id -g) --rm -v /data/builds:/data/builds -v $(pwd):/io -v "$CACHE_VOLUME_NAME":/cache --network host "$IMAGE_NAME" /hbb_exe/activate-exec bash -c "source /opt/rh/gcc-toolset-11/enable && bash -x /io/build-full.sh '$GITHUB_REPOSITORY' '$GITHUB_SHA' '$BUILD_CORES' '$GITHUB_RUN_NUMBER'"
   else
     # GH Action, runner
     echo "GH Action, runner, clean & re-create create persistent container"
     docker rm -f $CONTAINER_NAME
-    echo "echo 'Stopping container: $CONTAINER_NAME'" >> "$JOB_CLEANUP_SCRIPT"
-    echo "docker stop --time=15 \"$CONTAINER_NAME\" || echo 'Failed to stop container or container not running'" >> "$JOB_CLEANUP_SCRIPT"
-    docker run -di --user 0:$(id -g) --name $CONTAINER_NAME -v /data/builds:/data/builds -v `pwd`:/io -v "$CACHE_VOLUME_NAME":/cache --network host "$IMAGE_NAME" /hbb_exe/activate-exec bash
+    echo "echo 'Stopping container: $CONTAINER_NAME'" >>"$JOB_CLEANUP_SCRIPT"
+    echo "docker stop --time=15 \"$CONTAINER_NAME\" || echo 'Failed to stop container or container not running'" >>"$JOB_CLEANUP_SCRIPT"
+    docker run -di --user 0:$(id -g) --name $CONTAINER_NAME -v /data/builds:/data/builds -v $(pwd):/io -v "$CACHE_VOLUME_NAME":/cache --network host "$IMAGE_NAME" /hbb_exe/activate-exec bash
     docker exec -i $CONTAINER_NAME /hbb_exe/activate-exec bash -c "source /opt/rh/gcc-toolset-11/enable && bash -x /io/build-full.sh '$GITHUB_REPOSITORY' '$GITHUB_SHA' '$BUILD_CORES' '$GITHUB_RUN_NUMBER'"
     docker stop $CONTAINER_NAME
   fi

src/libxrpl/basics/Log.cpp

@@ -31,6 +31,7 @@
 #include <cassert>
 #include <cstring>
 #include <ctime>
+#include <exception>
 #include <fstream>
 #include <functional>
 #include <iostream>
@@ -351,9 +352,18 @@ Logs::format(
 
     if (useLocalTime)
     {
-        auto now = std::chrono::system_clock::now();
-        auto local = date::make_zoned(date::current_zone(), now);
-        output = date::format(fmt, local);
+        try
+        {
+            auto now = std::chrono::system_clock::now();
+            auto local = date::make_zoned(date::current_zone(), now);
+            output = date::format(fmt, local);
+        }
+        catch (std::exception const&)
+        {
+            // Enhanced logging should not make startup fatal if tzdb lookup is
+            // unavailable or misconfigured. Fall back to UTC formatting.
+            output = date::format(fmt, std::chrono::system_clock::now());
+        }
     }
     else
     {

src/libxrpl/protocol/AMMCore.cpp

@@ -66,7 +66,7 @@ invalidAMMAsset(
     Issue const& issue,
     std::optional<std::pair<Issue, Issue>> const& pair)
 {
-    if (badCurrency() == issue.currency)
+    if (isBadCurrency(issue.currency))
         return temBAD_CURRENCY;
     if (isXRP(issue) && issue.account.isNonZero())
         return temBAD_ISSUER;

src/libxrpl/protocol/Feature.cpp

@@ -250,12 +250,9 @@ FeatureCollections::registerFeature(
     Feature const* i = getByName(name);
     if (!i)
     {
-        // If this check fails, and you just added a feature, increase the
-        // numFeatures value in Feature.h
         check(
             features.size() < detail::numFeatures,
-            "More features defined than allocated. Adjust numFeatures in "
-            "Feature.h.");
+            "More features defined than allocated.");
 
         auto const f = sha512Half(Slice(name.data(), name.size()));
 
@@ -424,45 +421,26 @@ featureToName(uint256 const& f)
 #undef XRPL_FEATURE
 #pragma push_macro("XRPL_FIX")
 #undef XRPL_FIX
+#pragma push_macro("XRPL_RETIRE")
+#undef XRPL_RETIRE
 
 #define XRPL_FEATURE(name, supported, vote) \
     uint256 const feature##name = registerFeature(#name, supported, vote);
 #define XRPL_FIX(name, supported, vote) \
     uint256 const fix##name = registerFeature("fix" #name, supported, vote);
+#define XRPL_RETIRE(name)                                                     \
+    [[deprecated("The referenced amendment has been retired"), maybe_unused]] \
+    uint256 const retired##name = retireFeature(#name);
 
 #include <xrpl/protocol/detail/features.macro>
 
+#undef XRPL_RETIRE
+#pragma pop_macro("XRPL_RETIRE")
 #undef XRPL_FIX
 #pragma pop_macro("XRPL_FIX")
 #undef XRPL_FEATURE
 #pragma pop_macro("XRPL_FEATURE")
 
-// clang-format off
-
-// The following amendments have been active for at least two years. Their
-// pre-amendment code has been removed and the identifiers are deprecated.
-// All known amendments and amendments that may appear in a validated
-// ledger must be registered either here or above with the "active" amendments
-[[deprecated("The referenced amendment has been retired"), maybe_unused]]
-uint256 const
-    retiredMultiSign         = retireFeature("MultiSign"),
-    retiredTrustSetAuth      = retireFeature("TrustSetAuth"),
-    retiredFeeEscalation     = retireFeature("FeeEscalation"),
-    retiredPayChan           = retireFeature("PayChan"),
-    retiredCryptoConditions  = retireFeature("CryptoConditions"),
-    retiredTickSize          = retireFeature("TickSize"),
-    retiredFix1368           = retireFeature("fix1368"),
-    retiredEscrow            = retireFeature("Escrow"),
-    retiredFix1373           = retireFeature("fix1373"),
-    retiredEnforceInvariants = retireFeature("EnforceInvariants"),
-    retiredSortedDirectories = retireFeature("SortedDirectories"),
-    retiredFix1201           = retireFeature("fix1201"),
-    retiredFix1512           = retireFeature("fix1512"),
-    retiredFix1523           = retireFeature("fix1523"),
-    retiredFix1528           = retireFeature("fix1528");
-
-// clang-format on
-
 // All of the features should now be registered, since variables in a cpp file
 // are initialized from top to bottom.
 //

src/libxrpl/protocol/Indexes.cpp

@@ -31,6 +31,8 @@
 
 namespace ripple {
 
+#define LEDGER_NAMESPACE2(value1, value2) (uint16_t(value1) << 8) | value2
+
 /** Type-specific prefix for calculating ledger indices.
 
     The identifier for a given object within the ledger is calculated based
@@ -72,6 +74,7 @@ enum class LedgerNameSpace : std::uint16_t {
     HOOK_DEFINITION = 'D',
     EMITTED_TXN = 'E',
     EMITTED_DIR = 'F',
+    SHADOW_TICKET = 0x5374,  // St
     NFTOKEN_OFFER = 'q',
     NFTOKEN_BUY_OFFERS = 'h',
     NFTOKEN_SELL_OFFERS = 'i',
@@ -79,15 +82,16 @@ enum class LedgerNameSpace : std::uint16_t {
     IMPORT_VLSEQ = 'I',
     UNL_REPORT = 'R',
     CRON = 'L',
+    CONSENSUS_ENTROPY = 'X',
     AMM = 'A',
-    BRIDGE = 'H',
+    BRIDGE = LEDGER_NAMESPACE2(0x01, 'H'),
     XCHAIN_CLAIM_ID = 'Q',
     XCHAIN_CREATE_ACCOUNT_CLAIM_ID = 'K',
-    DID = 'I',
-    ORACLE = 'R',
+    DID = LEDGER_NAMESPACE2(0x01, 'I'),
+    ORACLE = LEDGER_NAMESPACE2(0x01, 'R'),
     MPTOKEN_ISSUANCE = '~',
     MPTOKEN = 't',
-    CREDENTIAL = 'D',
+    CREDENTIAL = LEDGER_NAMESPACE2(0x01, 'D'),
     PERMISSIONED_DOMAIN = 'm',
 
     // No longer used or supported. Left here to reserve the space
@@ -186,6 +190,15 @@ emittedTxn(uint256 const& id) noexcept
     return {ltEMITTED_TXN, indexHash(LedgerNameSpace::EMITTED_TXN, id)};
 }
 
+Keylet
+shadowTicket(AccountID const& account, std::uint32_t ticketSeq) noexcept
+{
+    return {
+        ltSHADOW_TICKET,
+        indexHash(
+            LedgerNameSpace::SHADOW_TICKET, account, std::uint32_t(ticketSeq))};
+}
+
 Keylet
 hook(AccountID const& id) noexcept
 {
@@ -544,6 +557,14 @@ cron(uint32_t timestamp, std::optional<AccountID> const& id)
     return {ltCRON, uint256::fromVoid(h)};
 }
 
+Keylet const&
+consensusEntropy() noexcept
+{
+    static Keylet const ret{
+        ltCONSENSUS_ENTROPY, indexHash(LedgerNameSpace::CONSENSUS_ENTROPY)};
+    return ret;
+}
+
 Keylet
 amm(Asset const& issue1, Asset const& issue2) noexcept
 {

src/libxrpl/protocol/InnerObjectFormats.cpp

@@ -78,6 +78,7 @@ InnerObjectFormats::InnerObjectFormats()
          {sfHookExecutionIndex, soeREQUIRED},
          {sfHookStateChangeCount, soeREQUIRED},
          {sfHookEmitCount, soeREQUIRED},
+         {sfHookExportCount, soeOPTIONAL},
          {sfFlags, soeOPTIONAL}});
 
     add(sfHookEmission.jsonName,
@@ -87,19 +88,6 @@ InnerObjectFormats::InnerObjectFormats()
          {sfEmittedTxnID, soeREQUIRED},
          {sfEmitNonce, soeOPTIONAL}});
 
-    add(sfHookDefinition.jsonName,
-        sfHookDefinition.getCode(),
-        {{sfCreateCode, soeREQUIRED},
-         {sfHookNamespace, soeREQUIRED},
-         {sfHookParameters, soeREQUIRED},
-         {sfHookOn, soeOPTIONAL},
-         {sfHookOnIncoming, soeOPTIONAL},
-         {sfHookOnOutgoing, soeOPTIONAL},
-         {sfHookCanEmit, soeOPTIONAL},
-         {sfHookApiVersion, soeREQUIRED},
-         {sfFlags, soeREQUIRED},
-         {sfFee, soeREQUIRED}});
-
     add(sfHook.jsonName,
         sfHook.getCode(),
         {{sfHookHash, soeOPTIONAL},
@@ -112,6 +100,7 @@ InnerObjectFormats::InnerObjectFormats()
          {sfHookOnOutgoing, soeOPTIONAL},
          {sfHookCanEmit, soeOPTIONAL},
          {sfHookApiVersion, soeOPTIONAL},
+         {sfHookName, soeOPTIONAL},
          {sfFlags, soeOPTIONAL}});
 
     add(sfHookGrant.jsonName,
@@ -266,6 +255,24 @@ InnerObjectFormats::InnerObjectFormats()
             {sfIssuer, soeREQUIRED},
             {sfCredentialType, soeREQUIRED},
         });
+
+    add(sfHighReward.jsonName,
+        sfHighReward.getCode(),
+        {
+            {sfRewardLgrFirst, soeREQUIRED},
+            {sfRewardLgrLast, soeREQUIRED},
+            {sfRewardTime, soeREQUIRED},
+            {sfTrustLineRewardAccumulator, soeREQUIRED},
+        });
+
+    add(sfLowReward.jsonName,
+        sfLowReward.getCode(),
+        {
+            {sfRewardLgrFirst, soeREQUIRED},
+            {sfRewardLgrLast, soeREQUIRED},
+            {sfRewardTime, soeREQUIRED},
+            {sfTrustLineRewardAccumulator, soeREQUIRED},
+        });
 }
 
 InnerObjectFormats const&

src/libxrpl/protocol/Issue.cpp

@@ -111,7 +111,7 @@ issueFromJson(Json::Value const& v)
     }
 
     auto const currency = to_currency(curStr.asString());
-    if (currency == badCurrency() || currency == noCurrency())
+    if (isBadCurrency(currency) || currency == noCurrency())
     {
         Throw<Json::error>("issueFromJson currency must be a valid currency");
     }

src/libxrpl/protocol/STCurrency.cpp

@@ -103,7 +103,7 @@ currencyFromJson(SField const& name, Json::Value const& v)
     }
 
     auto const currency = to_currency(v.asString());
-    if (currency == badCurrency() || currency == noCurrency())
+    if (isBadCurrency(currency) || currency == noCurrency())
     {
         Throw<std::runtime_error>(
             "currencyFromJson currency must be a valid currency");

src/libxrpl/protocol/STTx.cpp

@@ -684,7 +684,8 @@ isPseudoTx(STObject const& tx)
 
     auto tt = safe_cast<TxType>(*t);
     return tt == ttAMENDMENT || tt == ttFEE || tt == ttUNL_MODIFY ||
-        tt == ttEMIT_FAILURE || tt == ttUNL_REPORT || tt == ttCRON;
+        tt == ttEMIT_FAILURE || tt == ttUNL_REPORT || tt == ttCRON ||
+        tt == ttCONSENSUS_ENTROPY;
 }
 
 }  // namespace ripple

src/libxrpl/protocol/TER.cpp

@@ -124,6 +124,7 @@ transResults()
         MAKE_ERROR(tecARRAY_TOO_LARGE,               "Array is too large."),
         MAKE_ERROR(tecLOCKED,                        "Fund is locked."),
         MAKE_ERROR(tecBAD_CREDENTIALS,               "Bad credentials."),
+        MAKE_ERROR(tecEXPORT_EXPIRED,                "Export expired without reaching signature quorum."),
 
         MAKE_ERROR(tefALREADY,                     "The exact transaction was already in this ledger."),
         MAKE_ERROR(tefBAD_ADD_AUTH,                "Not authorized to add account."),
@@ -171,6 +172,7 @@ transResults()
         MAKE_ERROR(telNON_LOCAL_EMITTED_TXN, "Emitted transaction cannot be applied because it was not generated locally."),
         MAKE_ERROR(telIMPORT_VL_KEY_NOT_RECOGNISED, "Import vl key was not recognized."),
         MAKE_ERROR(telCAN_NOT_QUEUE_IMPORT,   "Import transaction was not able to be directly applied and cannot be queued."),
+        MAKE_ERROR(telSHADOW_TICKET_REQUIRED, "The imported transaction uses a TicketSequence but no shadow ticket exists."),
         MAKE_ERROR(telENV_RPC_FAILED,         "Unit test RPC failure."),
 
         MAKE_ERROR(temMALFORMED,                 "Malformed transaction."),
@@ -238,6 +240,7 @@ transResults()
         MAKE_ERROR(terPRE_TICKET,             "Ticket is not yet in ledger."),
         MAKE_ERROR(terNO_HOOK,                "No hook with that hash exists on the ledger."),
         MAKE_ERROR(terNO_AMM,                 "AMM doesn't exist for the asset pair."),
+        MAKE_ERROR(terRETRY_EXPORT,          "Export awaiting validator signatures."),
 
         MAKE_ERROR(tesSUCCESS,                "The transaction was applied. Only final in a validated ledger."),
         MAKE_ERROR(tesPARTIAL,                "The transaction was applied but should be submitted again until returning tesSUCCESS."),

src/libxrpl/protocol/TxFormats.cpp

@@ -48,6 +48,7 @@ TxFormats::TxFormats()
         {sfFirstLedgerSequence, soeOPTIONAL},
         {sfNetworkID, soeOPTIONAL},
         {sfHookParameters, soeOPTIONAL},
+        {sfHookName, soeOPTIONAL},
     };
 
 #pragma push_macro("UNWRAP")

src/libxrpl/protocol/TxMeta.cpp

@@ -49,6 +49,11 @@ TxMeta::TxMeta(
 
     if (obj.isFieldPresent(sfHookEmissions))
         setHookEmissions(obj.getFieldArray(sfHookEmissions));
+
+    if (obj.isFieldPresent(sfExportResult))
+        setExportResult(const_cast<STObject&>(obj)
+                            .getField(sfExportResult)
+                            .downcast<STObject>());
 }
 
 TxMeta::TxMeta(uint256 const& txid, std::uint32_t ledger, STObject const& obj)
@@ -75,6 +80,11 @@ TxMeta::TxMeta(uint256 const& txid, std::uint32_t ledger, STObject const& obj)
 
     if (obj.isFieldPresent(sfHookEmissions))
         setHookEmissions(obj.getFieldArray(sfHookEmissions));
+
+    if (obj.isFieldPresent(sfExportResult))
+        setExportResult(const_cast<STObject&>(obj)
+                            .getField(sfExportResult)
+                            .downcast<STObject>());
 }
 
 TxMeta::TxMeta(uint256 const& txid, std::uint32_t ledger, Blob const& vec)
@@ -245,6 +255,14 @@ TxMeta::getAsObject() const
     if (hasHookEmissions())
         metaData.setFieldArray(sfHookEmissions, getHookEmissions());
 
+    if (hasExportResult())
+    {
+        Serializer s;
+        mExportResult->add(s);
+        SerialIter sit(s.slice());
+        metaData.emplace_back(STObject(sit, sfExportResult));
+    }
+
     return metaData;
 }
 

src/test/app/BaseFee_test.cpp

@@ -582,9 +582,9 @@ class BaseFee_test : public beast::unit_test::suite
     }
 
     void
-    testSignersListSet(FeatureBitset features)
+    testSignerListSet(FeatureBitset features)
     {
-        testcase("signers list set w/ hook params");
+        testcase("signer list set w/ hook params");
 
         using namespace test::jtx;
         using namespace std::literals;
@@ -810,7 +810,7 @@ class BaseFee_test : public beast::unit_test::suite
         testPaymentChannelFund(features);
         testSetHook(features);
         testSetRegularKey(features);
-        testSignersListSet(features);
+        testSignerListSet(features);
         testTicketCreate(features);
         testTrustSet(features);
         testURITokenBurnFee(features);

src/test/app/ClaimReward_test.cpp

@@ -18,6 +18,7 @@
 //==============================================================================
 
 #include <test/jtx.h>
+#include <test/jtx/AMM.h>
 #include <xrpld/app/ledger/LedgerMaster.h>
 #include <xrpl/protocol/Feature.h>
 #include <xrpl/protocol/jss.h>
@@ -26,6 +27,14 @@ namespace ripple {
 namespace test {
 struct ClaimReward_test : public beast::unit_test::suite
 {
+private:
+    // helper
+    void static overrideFlag(Json::Value& jv)
+    {
+        jv[jss::Flags] = hsfOVERRIDE;
+    }
+
+public:
     bool
     expectRewards(
         jtx::Env const& env,
@@ -59,6 +68,52 @@ struct ClaimReward_test : public beast::unit_test::suite
         return true;
     }
 
+    bool
+    expectRewardsIOU(
+        jtx::Env const& env,
+        jtx::Account const& acct,
+        jtx::IOU const& iou,
+        std::uint32_t ledgerFirst,
+        std::uint32_t ledgerLast,
+        STAmount accumulator,
+        std::uint32_t time)
+    {
+        auto const sle = env.le(keylet::line(acct, iou.account, iou.currency));
+        BEAST_EXPECT(!!sle);
+        auto const& sfRewardField =
+            std::minmax(acct.id(), iou.account.id()).first == acct.id()
+            ? sfLowReward
+            : sfHighReward;
+
+        if (!sle->isFieldPresent(sfRewardField))
+            return false;
+
+        auto const& reward =
+            static_cast<STObject const&>(sle->peekAtField(sfRewardField));
+
+        if (!reward.isFieldPresent(sfRewardLgrFirst) ||
+            reward.getFieldU32(sfRewardLgrFirst) != ledgerFirst)
+        {
+            return false;
+        }
+        if (!reward.isFieldPresent(sfRewardLgrLast) ||
+            reward.getFieldU32(sfRewardLgrLast) != ledgerLast)
+        {
+            return false;
+        }
+        if (!reward.isFieldPresent(sfTrustLineRewardAccumulator) ||
+            reward.getFieldAmount(sfTrustLineRewardAccumulator) != accumulator)
+        {
+            return false;
+        }
+        if (!reward.isFieldPresent(sfRewardTime) ||
+            reward.getFieldU32(sfRewardTime) != time)
+        {
+            return false;
+        }
+        return true;
+    }
+
     bool
     expectNoRewards(jtx::Env const& env, jtx::Account const& acct)
     {
@@ -82,6 +137,24 @@ struct ClaimReward_test : public beast::unit_test::suite
         return true;
     }
 
+    bool
+    expectNoRewardsIOU(
+        jtx::Env const& env,
+        jtx::Account const& acct,
+        jtx::IOU const& iou)
+    {
+        auto const sle = env.le(keylet::line(acct, iou.account, iou.currency));
+        BEAST_EXPECT(!!sle);
+        auto const& sfRewardField =
+            std::minmax(acct.id(), iou.account.id()).first == acct.id()
+            ? sfLowReward
+            : sfHighReward;
+
+        if (sle->isFieldPresent(sfRewardField))
+            return false;
+        return true;
+    }
+
     void
     testEnabled(FeatureBitset features)
     {
@@ -91,7 +164,7 @@ struct ClaimReward_test : public beast::unit_test::suite
 
         // setup env
         auto const alice = Account("alice");
-        auto const issuer = Account("issuer");
+        auto const issuer = Account::master;
 
         for (bool const withClaimReward : {false, true})
         {
@@ -101,7 +174,11 @@ struct ClaimReward_test : public beast::unit_test::suite
                 withClaimReward ? features : features - featureBalanceRewards;
             Env env{*this, amend};
 
-            env.fund(XRP(1000), alice, issuer);
+            env.fund(XRP(1000), alice);
+            env.close();
+
+            env(hook(issuer, {{hso(jtx::genesis::AcceptHook)}}, 0),
+                fee(XRP(1)));
             env.close();
 
             auto const txResult =
@@ -118,7 +195,10 @@ struct ClaimReward_test : public beast::unit_test::suite
                     .count();
 
             // CLAIM
-            env(reward::claim(alice), reward::issuer(issuer), txResult);
+            env(reward::claim(alice),
+                reward::issuer(issuer),
+                fee(XRP(1)),
+                txResult);
             env.close();
 
             if (withClaimReward)
@@ -194,14 +274,19 @@ struct ClaimReward_test : public beast::unit_test::suite
                 Env env{*this, amend};
 
                 auto const alice = Account("alice");
-                auto const issuer = Account("issuer");
+                auto const issuer = Account::master;
 
-                env.fund(XRP(1000), alice, issuer);
+                env.fund(XRP(1000), alice);
+                env.close();
+
+                env(hook(issuer, {{hso(jtx::genesis::AcceptHook)}}, 0),
+                    fee(XRP(1)));
                 env.close();
 
                 auto tx = reward::claim(alice);
                 env(tx,
                     reward::issuer(issuer),
+                    fee(XRP(1)),
                     txflags(tfFullyCanonicalSig),
                     withFixFlags ? ter(tesSUCCESS) : ter(temINVALID_FLAG));
                 env.close();
@@ -220,6 +305,105 @@ struct ClaimReward_test : public beast::unit_test::suite
             env(reward::claim(alice), reward::issuer(alice), ter(temMALFORMED));
             env.close();
         }
+
+        // featureIOURewardClaim
+
+        // temDISABLED
+        // featureIOURewardClaim amendment is disabled
+        {
+            test::jtx::Env env{
+                *this,
+                network::makeNetworkConfig(21337),
+                features - featureIOURewardClaim};
+
+            auto const alice = Account("alice");
+            auto const bob = Account("bob");
+            auto const gw = Account("gw");
+            env.fund(XRP(1000), alice, bob, gw);
+            env.close();
+
+            jtx::IOU const USD = gw["USD"];
+
+            env(reward::claim(alice),
+                reward::issuer(bob),
+                reward::claimCurrency(USD),
+                ter(temDISABLED));
+            env.close();
+        }
+
+        // temMALFORMED
+        // ClaimCurrency.account cannot be the source account.
+        {
+            test::jtx::Env env{*this, network::makeNetworkConfig(21337)};
+
+            auto const alice = Account("alice");
+            auto const bob = Account("bob");
+            env.fund(XRP(1000), alice);
+            env.close();
+
+            jtx::IOU const USD = alice["USD"];
+
+            env(reward::claim(alice),
+                reward::issuer(bob),
+                reward::claimCurrency(USD),
+                ter(temMALFORMED));
+            env.close();
+        }
+
+        // temMALFORMED
+        // Issuer cannot be Genesis account if ClaimCurrency is set.
+        {
+            test::jtx::Env env{*this, network::makeNetworkConfig(21337)};
+
+            auto const alice = Account("alice");
+            auto const gw = Account("gw");
+            env.fund(XRP(1000), alice, gw);
+            env.close();
+
+            jtx::IOU const USD = gw["USD"];
+
+            env(reward::claim(alice),
+                reward::issuer(Account::master),
+                reward::claimCurrency(USD),
+                ter(temBAD_ISSUER));
+        }
+
+        // MPT
+        {
+            // tested in testMPTInvalidInTx() at MPToken_test.cpp
+        }
+
+        // XAH RewardClaim: Issuer must be the Genesis account if
+        // featureXahauGenesis and featureIOURewardClaim are enabled.
+        for (bool const withIOURewardClaim : {false, true})
+        {
+            auto const amend = withIOURewardClaim
+                ? features
+                : features - featureIOURewardClaim;
+
+            auto const alice = Account("alice");
+            auto const badIssuer = Account("gw");
+            auto const issuer = Account::master;
+            auto const USD = badIssuer["USD"];
+
+            Env env{*this, amend};
+            env.fund(XRP(1000), alice, badIssuer);
+            env.close();
+
+            env(hook(issuer, {{hso(jtx::genesis::AcceptHook)}}, 0),
+                fee(XRP(1)));
+            env.close();
+
+            env(reward::claim(alice),
+                reward::issuer(badIssuer),
+                fee(XRP(1)),
+                withIOURewardClaim ? ter(temBAD_ISSUER) : ter(tesSUCCESS));
+
+            env(reward::claim(alice),
+                reward::issuer(issuer),
+                fee(XRP(1)),
+                ter(tesSUCCESS));
+        }
     }
 
     void
@@ -243,6 +427,7 @@ struct ClaimReward_test : public beast::unit_test::suite
             auto const alice = Account("alice");
             auto const issuer = Account("issuer");
             env.memoize(alice);
+            auto USD = issuer["USD"];
 
             env.fund(XRP(1000), issuer);
             env.close();
@@ -250,7 +435,10 @@ struct ClaimReward_test : public beast::unit_test::suite
             auto tx = reward::claim(alice);
             tx[jss::Sequence] = 0;
             tx[jss::Fee] = 10;
-            env(tx, reward::issuer(issuer), ter(terNO_ACCOUNT));
+            env(tx,
+                reward::issuer(issuer),
+                reward::claimCurrency(USD),
+                ter(terNO_ACCOUNT));
             env.close();
         }
 
@@ -260,9 +448,9 @@ struct ClaimReward_test : public beast::unit_test::suite
             test::jtx::Env env{*this, network::makeNetworkConfig(21337)};
 
             auto const alice = Account("alice");
-            auto const issuer = Account("issuer");
+            auto const issuer = Account::master;
 
-            env.fund(XRP(1000), alice, issuer);
+            env.fund(XRP(1000), alice);
             env.close();
 
             env(reward::claim(alice),
@@ -293,13 +481,193 @@ struct ClaimReward_test : public beast::unit_test::suite
             auto const issuer = Account("issuer");
             env.memoize(issuer);
 
+            auto USD = issuer["USD"];
+
             env.fund(XRP(1000), alice);
             env.close();
 
             auto tx = reward::claim(alice);
-            env(tx, reward::issuer(issuer), ter(tecNO_ISSUER));
+            env(tx,
+                reward::issuer(issuer),
+                reward::claimCurrency(USD),
+                ter(tecNO_ISSUER));
             env.close();
         }
+
+        // tecNO_PERMISSION
+        // issuer is an AMM account
+        {
+            test::jtx::Env env{*this, network::makeNetworkConfig(21337)};
+
+            auto const alice = Account("alice");
+            auto const issuer = Account("issuer");
+            auto const USD = issuer["USD"];
+
+            env.fund(XRP(1000), alice, issuer);
+            env.close();
+
+            AMM amm(env, issuer, XRP(100), USD(100));
+
+            BEAST_EXPECT(amm.ammExists());
+
+            env(reward::claim(alice),
+                reward::issuer(amm.ammAccount()),
+                reward::claimCurrency(USD),
+                ter(tecNO_PERMISSION));
+            env.close();
+        }
+
+        // tecNO_TARGET
+        // no claim reward hook
+        {
+            Env env{*this};
+
+            auto const alice = Account("alice");
+            auto const issuer = Account::master;
+
+            env.fund(XRP(1000), alice);
+            env.close();
+
+            // Doesn't have hook
+            {
+                env(reward::claim(alice),
+                    reward::issuer(issuer),
+                    ter(tecNO_TARGET));
+                env.close();
+            }
+            // Invalid HookOn
+            {
+                auto hookObj = hso(jtx::genesis::AcceptHook, overrideFlag);
+                hookObj[jss::HookOn] = to_string(UINT256_BIT[ttCLAIM_REWARD]);
+                env(hook(issuer, {{hookObj}}, 0), fee(XRP(1)));
+                env.close();
+
+                env(reward::claim(alice),
+                    reward::issuer(issuer),
+                    ter(tecNO_TARGET));
+                env.close();
+            }
+            // Invalid IncomingHookOn
+            {
+                auto hookObj = hso(jtx::genesis::AcceptHook, overrideFlag);
+                hookObj.removeMember(jss::HookOn);
+                hookObj[jss::HookOnIncoming] =
+                    to_string(UINT256_BIT[ttCLAIM_REWARD]);
+                hookObj[jss::HookOnOutgoing] = to_string(uint256{});
+                env(hook(issuer, {{hookObj}}, 0), fee(XRP(1)));
+                env.close();
+
+                env(reward::claim(alice),
+                    reward::issuer(issuer),
+                    ter(tecNO_TARGET));
+            }
+            // Vaild HookOn
+            {
+                auto hookObj = hso(jtx::genesis::AcceptHook, overrideFlag);
+                hookObj[jss::HookOn] = to_string(~UINT256_BIT[ttCLAIM_REWARD]);
+                env(hook(issuer, {{hookObj}}, 0), fee(XRP(1)));
+                env.close();
+
+                env(reward::claim(alice),
+                    reward::issuer(issuer),
+                    fee(XRP(1)),
+                    ter(tesSUCCESS));
+            }
+            // Vaild IncomingHookOn
+            {
+                auto hookObj = hso(jtx::genesis::AcceptHook, overrideFlag);
+                hookObj.removeMember(jss::HookOn);
+                hookObj[jss::HookOnIncoming] =
+                    to_string(~UINT256_BIT[ttCLAIM_REWARD]);
+                hookObj[jss::HookOnOutgoing] = to_string(uint256{});
+                env(hook(issuer, {{hookObj}}, 0), fee(XRP(1)));
+                env.close();
+
+                env(reward::claim(alice),
+                    reward::issuer(issuer),
+                    fee(XRP(1)),
+                    ter(tesSUCCESS));
+            }
+            // Invalid Hooks Array
+            {
+                auto hookObj = hso(jtx::genesis::AcceptHook, overrideFlag);
+                hookObj[jss::HookOn] = to_string(UINT256_BIT[ttCLAIM_REWARD]);
+                env(hook(
+                        issuer,
+                        {{
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                        }},
+                        0),
+                    fee(XRP(1)));
+                env.close();
+
+                env(reward::claim(alice),
+                    reward::issuer(issuer),
+                    fee(XRP(1)),
+                    ter(tecNO_TARGET));
+            }
+            // Vaild Hooks Array
+            {
+                auto hookObj = hso(jtx::genesis::AcceptHook, overrideFlag);
+                hookObj[jss::HookOn] = to_string(UINT256_BIT[ttCLAIM_REWARD]);
+                auto hookObj2 = hso(jtx::genesis::AcceptHook, overrideFlag);
+                hookObj2[jss::HookOn] = to_string(~UINT256_BIT[ttCLAIM_REWARD]);
+                env(hook(
+                        issuer,
+                        {{
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj,
+                            hookObj2,
+                        }},
+                        0),
+                    fee(XRP(1)));
+                env.close();
+
+                env(reward::claim(alice),
+                    reward::issuer(issuer),
+                    fee(XRP(1)),
+                    ter(tesSUCCESS));
+            }
+        }
+
+        // tecNO_LINE
+        // trustline does not exist.
+        {
+            test::jtx::Env env{*this, network::makeNetworkConfig(21337)};
+
+            auto const alice = Account("alice");
+
+            auto const gw = Account("gw");
+            env.fund(XRP(1000), alice, gw);
+            env.close();
+
+            env(hook(gw, {{hso(jtx::genesis::AcceptHook)}}, 0), fee(XRP(1)));
+            env.close();
+
+            jtx::IOU const USD = gw["USD"];
+
+            env(reward::claim(alice),
+                reward::issuer(gw),
+                reward::claimCurrency(USD),
+                fee(XRP(1)),
+                ter(tecNO_LINE));
+        }
     }
 
     void
@@ -312,9 +680,17 @@ struct ClaimReward_test : public beast::unit_test::suite
         test::jtx::Env env{*this, network::makeNetworkConfig(21337)};
 
         auto const alice = Account("alice");
+        auto const bob = Account("bob");
+        auto const gw = Account("gw");
         auto const issuer = Account("issuer");
 
-        env.fund(XRP(1000), alice, issuer);
+        env.fund(XRP(1000), alice, bob, gw, issuer);
+        env.close();
+
+        env(hook(issuer, {{hso(jtx::genesis::AcceptHook)}}, 0), fee(XRP(1)));
+        env.close();
+        env(hook(Account::master, {{hso(jtx::genesis::AcceptHook)}}, 0),
+            fee(XRP(1)));
         env.close();
 
         // test claim rewards - no opt out
@@ -329,7 +705,7 @@ struct ClaimReward_test : public beast::unit_test::suite
                 .count();
 
         auto tx = reward::claim(alice);
-        env(tx, reward::issuer(issuer), ter(tesSUCCESS));
+        env(tx, reward::issuer(Account::master), fee(XRP(1)), ter(tesSUCCESS));
         env.close();
 
         BEAST_EXPECT(
@@ -342,6 +718,51 @@ struct ClaimReward_test : public beast::unit_test::suite
         env.close();
 
         BEAST_EXPECT(expectNoRewards(env, alice) == true);
+
+        // test iou claim rewards
+        {
+            // set trustline
+            env(trust(bob, gw["USD"](10000)));
+            env.close();
+
+            // opt in
+            auto const currentLedger = env.current()->seq();
+            auto const currentTime =
+                std::chrono::duration_cast<std::chrono::seconds>(
+                    env.app()
+                        .getLedgerMaster()
+                        .getValidatedLedger()
+                        ->info()
+                        .parentCloseTime.time_since_epoch())
+                    .count();
+
+            auto tx = reward::claim(bob);
+            env(tx,
+                reward::issuer(issuer),
+                reward::claimCurrency(gw["USD"]),
+                fee(XRP(1)),
+                ter(tesSUCCESS));
+            env.close();
+
+            BEAST_EXPECT(
+                expectRewardsIOU(
+                    env,
+                    bob,
+                    gw["USD"],
+                    currentLedger,
+                    currentLedger,
+                    gw["USD"](0),
+                    currentTime) == true);
+
+            // opt out
+            env(reward::claim(bob),
+                reward::claimCurrency(gw["USD"]),
+                txflags(tfOptOut),
+                ter(tesSUCCESS));
+            env.close();
+
+            BEAST_EXPECT(expectNoRewardsIOU(env, bob, gw["USD"]) == true);
+        }
     }
 
     void
@@ -352,16 +773,20 @@ struct ClaimReward_test : public beast::unit_test::suite
         using namespace std::literals::chrono_literals;
         Env env{*this, features};
         auto const alice = Account("alice");
-        auto const issuer = Account("issuer");
-        env.fund(XRP(10000), alice, issuer);
+        auto const issuer = Account::master;
+        env.fund(XRP(10000), alice);
         std::uint32_t aliceTicketSeq{env.seq(alice) + 1};
         env(ticket::create(alice, 10));
         std::uint32_t const aliceSeq{env.seq(alice)};
         env.require(owners(alice, 10));
 
+        env(hook(issuer, {{hso(jtx::genesis::AcceptHook)}}, 0), fee(XRP(1)));
+        env.close();
+
         env(reward::claim(alice),
             reward::issuer(issuer),
             ticket::use(aliceTicketSeq++),
+            fee(XRP(1)),
             ter(tesSUCCESS));
 
         env.require(tickets(alice, env.seq(alice) - aliceTicketSeq));
@@ -369,6 +794,317 @@ struct ClaimReward_test : public beast::unit_test::suite
         env.require(owners(alice, 9));
     }
 
+    void
+    testBalanceChanges(FeatureBitset features)
+    {
+        testcase("balance changes");
+        using namespace jtx;
+        using namespace std::literals::chrono_literals;
+
+        auto const getCurrentTime = [&](Env& env) {
+            return std::chrono::duration_cast<std::chrono::seconds>(
+                       env.app()
+                           .getLedgerMaster()
+                           .getValidatedLedger()
+                           ->info()
+                           .parentCloseTime.time_since_epoch())
+                .count();
+        };
+
+        // Native Reward Claim
+        {
+            Env env{*this, features};
+            auto const alice = Account("alice");
+            auto const gw = Account("gw");
+
+            auto const issuer = Account::master;
+            env.fund(XRP(10001), alice, gw);
+            env.close();
+
+            env(hook(issuer, {{hso(jtx::genesis::AcceptHook)}}, 0),
+                fee(XRP(1)));
+            env.close();
+
+            auto const currentTime = getCurrentTime(env);
+            auto const currentLedger = env.current()->seq();
+
+            env(reward::claim(alice), reward::issuer(issuer), fee(XRP(1)));
+            env.close();
+
+            env(fset(alice, 0));
+            env.close();
+
+            BEAST_EXPECT(
+                expectRewards(
+                    env,
+                    alice,
+                    currentLedger,
+                    currentLedger + 1,
+                    10000,  // 10000 XAH * time 1
+                    currentTime) == true);
+        }
+
+        // IOU Reward Claim
+        for (bool const fromHighAccount : {true, false})
+        {
+            Env env{*this, features};
+            auto const alice = Account("alice");
+            auto const bob = Account("bob");
+            auto const issuer = Account("issuer");
+
+            auto const user = fromHighAccount ? alice : bob;
+            auto const gw = fromHighAccount ? bob : alice;
+
+            if (fromHighAccount)
+                BEAST_EXPECT(user.id() < gw.id());
+            else
+                BEAST_EXPECT(user.id() > gw.id());
+
+            env.fund(XRP(10000), user, gw, issuer);
+            env(fset(gw, asfDefaultRipple));
+
+            auto hookObj = hso(jtx::genesis::AcceptHook);
+            hookObj[jss::HookOn] = to_string(~UINT256_BIT[ttCLAIM_REWARD]);
+            env(hook(gw, {{hookObj}}, 0), fee(XRP(1)));
+            env.close();
+
+            env(trust(user, gw["USD"](1000000)), fee(XRP(1)));
+            env.close();
+            env(pay(gw, user, gw["USD"](10000)));
+            env.close();
+
+            auto currentTime = getCurrentTime(env);
+            auto currentLedger = env.current()->seq();
+
+            env(reward::claim(user),
+                reward::issuer(gw),
+                reward::claimCurrency(gw["USD"]),
+                fee(XRP(1)));
+            env.close();
+
+            env(pay(user, gw, gw["USD"](10000)));
+            env.close();
+
+            BEAST_EXPECT(
+                expectRewardsIOU(
+                    env,
+                    user,
+                    gw["USD"],
+                    currentLedger,
+                    currentLedger + 1,
+                    user["USD"](10000),  // 10000 USD * time 1
+                    currentTime) == true);
+
+            env(pay(gw, user, gw["USD"](1)));
+            env.close();
+
+            // check Balance == 0
+            BEAST_EXPECT(
+                expectRewardsIOU(
+                    env,
+                    user,
+                    gw["USD"],
+                    currentLedger,
+                    currentLedger + 2,
+                    user["USD"](10000),  // 10000 USD * time 1 + 0 USD * time 1
+                    currentTime) == true);
+        }
+
+        // Check Balance minus -> plus, plus -> minus
+        for (bool const fromHighAccount : {true, false})
+        {
+            Env env{*this, features};
+            auto const alice = Account("alice");
+            auto const bob = Account("bob");
+            auto const issuer = Account("issuer");
+
+            auto const user = fromHighAccount ? alice : bob;
+            auto const gw = fromHighAccount ? bob : alice;
+
+            if (fromHighAccount)
+                BEAST_EXPECT(user.id() < gw.id());
+            else
+                BEAST_EXPECT(user.id() > gw.id());
+
+            env.fund(XRP(10000), user, gw, issuer);
+            env(fset(gw, asfDefaultRipple));
+            env.close();
+
+            auto hookObj = hso(jtx::genesis::AcceptHook);
+            hookObj[jss::HookOn] = to_string(~UINT256_BIT[ttCLAIM_REWARD]);
+            env(hook(gw, {{hookObj}}, 0), fee(XRP(1)));
+            env.close();
+
+            env(trust(user, gw["USD"](1000000)));
+            env.close();
+            env(trust(gw, user["USD"](1000000)));
+            env(pay(gw, user, gw["USD"](10000)));
+            env.close();
+
+            auto currentTime = getCurrentTime(env);
+            auto currentLedger = env.current()->seq();
+
+            env(reward::claim(user),
+                reward::issuer(gw),
+                reward::claimCurrency(gw["USD"]),
+                fee(XRP(1)));
+            env.close();
+
+            env(pay(user, gw, gw["USD"](20000)));
+            env.close();
+
+            env(pay(user, gw, gw["USD"](1)));
+            env.close();
+
+            BEAST_EXPECT(
+                expectRewardsIOU(
+                    env,
+                    user,
+                    gw["USD"],
+                    currentLedger,
+                    currentLedger + 2,
+                    user["USD"](10000),  // 10000 USD * time 1 + 0 USD * time 1
+                    currentTime) == true);
+        }
+
+        // test with escrow (locked balance)
+        for (bool const fromHighAccount : {true, false})
+        {
+            for (bool const hasEscrow : {true, false})
+            {
+                Env env{*this, features};
+                auto const alice = Account("alice");
+                auto const bob = Account("bob");
+                auto const issuer = Account("issuer");
+
+                auto const user = fromHighAccount ? alice : bob;
+                auto const gw = fromHighAccount ? bob : alice;
+
+                if (fromHighAccount)
+                    BEAST_EXPECT(user.id() < gw.id());
+                else
+                    BEAST_EXPECT(user.id() > gw.id());
+
+                env.fund(XRP(10000), user, gw, issuer);
+                env(fset(gw, asfDefaultRipple));
+
+                auto hookObj = hso(jtx::genesis::AcceptHook);
+                hookObj[jss::HookOn] = to_string(~UINT256_BIT[ttCLAIM_REWARD]);
+                env(hook(gw, {{hookObj}}, 0), fee(XRP(1)));
+                env.close();
+
+                env(trust(user, gw["USD"](1000000)), fee(XRP(1)));
+                env.close();
+                env(pay(gw, user, gw["USD"](10000)));
+                env.close();
+
+                if (hasEscrow)
+                {
+                    env(escrow(user, user, gw["USD"](2000)),
+                        finish_time(env.now() + 1s),
+                        fee(XRP(1)));
+                    env.close();
+                }
+
+                auto currentTime = getCurrentTime(env);
+                auto currentLedger = env.current()->seq();
+
+                env(reward::claim(user),
+                    reward::issuer(gw),
+                    reward::claimCurrency(gw["USD"]),
+                    fee(XRP(1)));
+                env.close();
+                env(pay(user, gw, gw["USD"](5000)));
+                env.close();
+
+                BEAST_EXPECT(
+                    expectRewardsIOU(
+                        env,
+                        user,
+                        gw["USD"],
+                        currentLedger,
+                        currentLedger + 1,
+                        user["USD"](10000),  // 10000 USD * time 1
+                        currentTime) == true);
+
+                env(pay(gw, user, gw["USD"](1)));
+                env.close();
+
+                // check Balance == 0
+                BEAST_EXPECT(
+                    expectRewardsIOU(
+                        env,
+                        user,
+                        gw["USD"],
+                        currentLedger,
+                        currentLedger + 2,
+                        user["USD"](
+                            15000),  // 10000 USD * time 1 + 5000 USD * time 1
+                        currentTime) == true);
+            }
+        }
+
+        // STAmount overflow in reward accumulation should not cause
+        // transaction failure (tefEXCEPTION). The overflow should be
+        // gracefully skipped via try-catch.
+        for (bool const fromHighAccount : {true, false})
+        {
+            Env env{*this, features};
+            auto const alice = Account("alice");
+            auto const bob = Account("bob");
+            auto const issuer = Account("issuer");
+
+            auto const user = fromHighAccount ? alice : bob;
+            auto const gw = fromHighAccount ? bob : alice;
+
+            env.fund(XRP(10000), user, gw, issuer);
+            env(fset(gw, asfDefaultRipple));
+            env.close();
+
+            auto hookObj = hso(jtx::genesis::AcceptHook);
+            hookObj[jss::HookOn] = to_string(~UINT256_BIT[ttCLAIM_REWARD]);
+            env(hook(gw, {{hookObj}}, 0), fee(XRP(1)));
+            env.close();
+
+            // Use a near-max IOU balance at exponent 80. When
+            // multiply(balance, STAmount(lgrElapsed), issue) is called
+            // with lgrElapsed >= 2, the result exponent exceeds
+            // cMaxOffset(80), causing IOUAmount::normalize to throw
+            // std::overflow_error("value overflow").
+            auto const bigUSD = STAmount{
+                gw["USD"].issue(), std::uint64_t(5000000000000000ull), 80};
+            // Payment amount must be large enough to register a
+            // balance change given STAmount's 16-digit precision.
+            auto const payBackUSD = STAmount{
+                gw["USD"].issue(), std::uint64_t(1000000000000000ull), 80};
+
+            env(trust(user, bigUSD));
+            env.close();
+            env(pay(gw, user, bigUSD));
+            env.close();
+
+            // Claim IOU reward to initialize reward tracking
+            env(reward::claim(user),
+                reward::issuer(gw),
+                reward::claimCurrency(gw["USD"]),
+                fee(XRP(1)));
+            env.close();
+
+            // Advance ledger so lgrElapsed >= 2. With lgrElapsed=1
+            // the multiply result is exactly at cMaxOffset boundary
+            // (no overflow). With lgrElapsed >= 2, the result exponent
+            // exceeds cMaxOffset and triggers the overflow.
+            env.close();
+
+            // This payment modifies the trustline balance, triggering
+            // reward accumulation in Transactor. Without the try-catch
+            // fix, multiply() throws std::overflow_error("value overflow")
+            // and the transaction fails with tefEXCEPTION.
+            env(pay(user, gw, payBackUSD), ter(tesSUCCESS));
+            env.close();
+        }
+    }
+
     void
     testWithFeats(FeatureBitset features)
     {
@@ -377,6 +1113,7 @@ struct ClaimReward_test : public beast::unit_test::suite
         testInvalidPreclaim(features);
         testValidNoHook(features);
         testUsingTickets(features);
+        testBalanceChanges(features);
     }
 
 public:

src/test/app/ConsensusEntropy_test.cpp

@@ -0,0 +1,437 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of rippled: https://github.com/ripple/rippled
+    Copyright (c) 2026 XRPL Labs
+
+    Permission to use, copy, modify, and/or distribute this software for any
+    purpose  with  or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY  SPECIAL ,  DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#include <test/app/ConsensusEntropy_test_hooks.h>
+#include <test/jtx.h>
+#include <test/jtx/hook.h>
+#include <xrpl/beast/unit_test.h>
+#include <xrpl/hook/Enum.h>
+#include <xrpl/protocol/Feature.h>
+#include <xrpl/protocol/Indexes.h>
+#include <xrpl/protocol/SField.h>
+#include <xrpl/protocol/TxFlags.h>
+#include <xrpl/protocol/jss.h>
+
+namespace ripple {
+namespace test {
+
+using TestHook = std::vector<uint8_t> const&;
+
+#define BEAST_REQUIRE(x)     \
+    {                        \
+        BEAST_EXPECT(!!(x)); \
+        if (!(x))            \
+            return;          \
+    }
+
+#define HSFEE fee(100'000'000)
+#define M(m) memo(m, "", "")
+
+class ConsensusEntropy_test : public beast::unit_test::suite
+{
+    static void
+    overrideFlag(Json::Value& jv)
+    {
+        jv[jss::Flags] = hsfOVERRIDE;
+    }
+
+    void
+    testSLECreated()
+    {
+        testcase("SLE created on ledger close");
+        using namespace jtx;
+
+        Env env{
+            *this,
+            envconfig(),
+            supported_amendments() | featureConsensusEntropy,
+            nullptr};
+
+        BEAST_EXPECT(!env.le(keylet::consensusEntropy()));
+
+        env.close();
+
+        auto const sle = env.le(keylet::consensusEntropy());
+        BEAST_REQUIRE(sle);
+
+        auto const digest = sle->getFieldH256(sfDigest);
+        BEAST_EXPECT(digest != uint256{});
+
+        auto const count = sle->getFieldU16(sfEntropyCount);
+        BEAST_EXPECT(count >= 5);
+
+        auto const sleSeq = sle->getFieldU32(sfLedgerSequence);
+        BEAST_EXPECT(sleSeq == env.closed()->seq());
+    }
+
+    void
+    testSLEUpdatedOnSubsequentClose()
+    {
+        testcase("SLE updated on subsequent ledger close");
+        using namespace jtx;
+
+        Env env{
+            *this,
+            envconfig(),
+            supported_amendments() | featureConsensusEntropy,
+            nullptr};
+
+        env.close();
+        auto const sle1 = env.le(keylet::consensusEntropy());
+        BEAST_REQUIRE(sle1);
+
+        auto const digest1 = sle1->getFieldH256(sfDigest);
+        auto const seq1 = sle1->getFieldU32(sfLedgerSequence);
+
+        env.close();
+
+        auto const sle2 = env.le(keylet::consensusEntropy());
+        BEAST_REQUIRE(sle2);
+
+        auto const digest2 = sle2->getFieldH256(sfDigest);
+        auto const seq2 = sle2->getFieldU32(sfLedgerSequence);
+
+        BEAST_EXPECT(digest2 != digest1);
+        BEAST_EXPECT(seq2 == seq1 + 1);
+    }
+
+    void
+    testNoSLEWithoutAmendment()
+    {
+        testcase("No SLE without amendment");
+        using namespace jtx;
+
+        Env env{*this};
+
+        env.close();
+        env.close();
+
+        BEAST_EXPECT(!env.le(keylet::consensusEntropy()));
+    }
+
+    void
+    testDice()
+    {
+        testcase("Hook dice() API");
+        using namespace jtx;
+
+        Env env{
+            *this,
+            envconfig(),
+            supported_amendments() | featureConsensusEntropy,
+            nullptr};
+
+        auto const alice = Account{"alice"};
+        env.fund(XRP(10000), alice);
+        env.close();
+
+        // Entropy SLE must exist before hook can use dice()
+        BEAST_REQUIRE(env.le(keylet::consensusEntropy()));
+
+        // Set the hook
+        TestHook hook = consensusentropy_test_wasm[R"[test.hook](
+            #include <stdint.h>
+            extern int32_t _g(uint32_t, uint32_t);
+            extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t dice(uint32_t sides);
+            #define GUARD(maxiter) _g((1ULL << 31U) + __LINE__, (maxiter)+1)
+
+            int64_t hook(uint32_t r)
+            {
+                _g(1,1);
+
+                // dice(6) should return 0..5
+                int64_t result = dice(6);
+
+                // negative means error
+                if (result < 0)
+                    rollback(0, 0, result);
+
+                if (result >= 6)
+                    rollback(0, 0, -1);
+
+                // return the dice result as the accept code
+                return accept(0, 0, result);
+            }
+        )[test.hook]"];
+
+        env(ripple::test::jtx::hook(alice, {{hso(hook, overrideFlag)}}, 0),
+            M("set dice hook"),
+            HSFEE);
+        env.close();
+
+        // Invoke the hook
+        Json::Value invoke;
+        invoke[jss::TransactionType] = "Invoke";
+        invoke[jss::Account] = alice.human();
+        env(invoke, M("test dice"), fee(XRP(1)));
+
+        auto meta = env.meta();
+        BEAST_REQUIRE(meta);
+        BEAST_REQUIRE(meta->isFieldPresent(sfHookExecutions));
+
+        auto const hookExecutions = meta->getFieldArray(sfHookExecutions);
+        BEAST_REQUIRE(hookExecutions.size() == 1);
+
+        auto const returnCode = hookExecutions[0].getFieldU64(sfHookReturnCode);
+        std::cerr << "  dice(6) returnCode = " << returnCode << " (hex 0x"
+                  << std::hex << returnCode << std::dec << ")\n";
+        // dice(6) returns 0..5
+        BEAST_EXPECT(returnCode <= 5);
+
+        // Result should be 3 (accept)
+        BEAST_EXPECT(hookExecutions[0].getFieldU8(sfHookResult) == 3);
+    }
+
+    void
+    testRandom()
+    {
+        testcase("Hook random() API");
+        using namespace jtx;
+
+        Env env{
+            *this,
+            envconfig(),
+            supported_amendments() | featureConsensusEntropy,
+            nullptr};
+
+        auto const alice = Account{"alice"};
+        env.fund(XRP(10000), alice);
+        env.close();
+
+        BEAST_REQUIRE(env.le(keylet::consensusEntropy()));
+
+        // Hook calls random() to fill a 32-byte buffer, then checks
+        // the buffer is not all zeroes.
+        TestHook hook = consensusentropy_test_wasm[R"[test.hook](
+            #include <stdint.h>
+            extern int32_t _g(uint32_t, uint32_t);
+            extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t random(uint32_t write_ptr, uint32_t write_len);
+            #define GUARD(maxiter) _g((1ULL << 31U) + __LINE__, (maxiter)+1)
+
+            int64_t hook(uint32_t r)
+            {
+                _g(1,1);
+
+                uint8_t buf[32];
+                for (int i = 0; GUARD(32), i < 32; ++i)
+                    buf[i] = 0;
+
+                int64_t result = random((uint32_t)buf, 32);
+
+                // Should return 32 (bytes written)
+                if (result != 32)
+                    rollback(0, 0, result);
+
+                // Verify buffer is not all zeroes
+                int nonzero = 0;
+                for (int i = 0; GUARD(32), i < 32; ++i)
+                    if (buf[i] != 0) nonzero = 1;
+
+                if (!nonzero)
+                    rollback(0, 0, -2);
+
+                return accept(0, 0, 0);
+            }
+        )[test.hook]"];
+
+        env(ripple::test::jtx::hook(alice, {{hso(hook, overrideFlag)}}, 0),
+            M("set random hook"),
+            HSFEE);
+        env.close();
+
+        Json::Value invoke;
+        invoke[jss::TransactionType] = "Invoke";
+        invoke[jss::Account] = alice.human();
+        env(invoke, M("test random"), fee(XRP(1)));
+
+        auto meta = env.meta();
+        BEAST_REQUIRE(meta);
+        BEAST_REQUIRE(meta->isFieldPresent(sfHookExecutions));
+
+        auto const hookExecutions = meta->getFieldArray(sfHookExecutions);
+        BEAST_REQUIRE(hookExecutions.size() == 1);
+
+        // Return code 0 = all checks passed in the hook
+        BEAST_EXPECT(hookExecutions[0].getFieldU64(sfHookReturnCode) == 0);
+        BEAST_EXPECT(hookExecutions[0].getFieldU8(sfHookResult) == 3);
+    }
+
+    void
+    testDiceConsecutiveCallsDiffer()
+    {
+        testcase("Hook dice() consecutive calls return different values");
+        using namespace jtx;
+
+        Env env{
+            *this,
+            envconfig(),
+            supported_amendments() | featureConsensusEntropy,
+            nullptr};
+
+        auto const alice = Account{"alice"};
+        env.fund(XRP(10000), alice);
+        env.close();
+
+        BEAST_REQUIRE(env.le(keylet::consensusEntropy()));
+
+        // dice(1000000) twice — large range makes collision near-impossible
+        // encode r1 in low 20 bits, r2 in high bits
+        TestHook hook = consensusentropy_test_wasm[R"[test.hook](
+            #include <stdint.h>
+            extern int32_t _g(uint32_t, uint32_t);
+            extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t dice(uint32_t sides);
+
+            int64_t hook(uint32_t r)
+            {
+                _g(1,1);
+                int64_t r1 = dice(1000000);
+                if (r1 < 0)
+                    rollback(0, 0, r1);
+
+                int64_t r2 = dice(1000000);
+                if (r2 < 0)
+                    rollback(0, 0, r2);
+
+                // consecutive calls should differ (rngCallCounter)
+                if (r1 == r2)
+                    rollback(0, 0, -1);
+
+                return accept(0, 0, r1 | (r2 << 20));
+            }
+        )[test.hook]"];
+
+        env(ripple::test::jtx::hook(alice, {{hso(hook, overrideFlag)}}, 0),
+            M("set dice hook"),
+            HSFEE);
+        env.close();
+
+        Json::Value invoke;
+        invoke[jss::TransactionType] = "Invoke";
+        invoke[jss::Account] = alice.human();
+        env(invoke, M("test dice consecutive"), fee(XRP(1)));
+
+        auto meta = env.meta();
+        BEAST_REQUIRE(meta);
+        BEAST_REQUIRE(meta->isFieldPresent(sfHookExecutions));
+
+        auto const hookExecutions = meta->getFieldArray(sfHookExecutions);
+        BEAST_REQUIRE(hookExecutions.size() == 1);
+
+        auto const rc = hookExecutions[0].getFieldU64(sfHookReturnCode);
+        auto const r1 = rc & 0xFFFFF;
+        auto const r2 = (rc >> 20) & 0xFFFFF;
+
+        std::cerr << "  two-call dice(1000000): returnCode=" << rc << " hex=0x"
+                  << std::hex << rc << std::dec << " r1=" << r1 << " r2=" << r2
+                  << "\n";
+
+        // hookResult 3 = accept (would be 1 if r1==r2 triggered rollback)
+        BEAST_EXPECT(hookExecutions[0].getFieldU8(sfHookResult) == 3);
+        BEAST_EXPECT(r1 < 1000000);
+        BEAST_EXPECT(r2 < 1000000);
+        BEAST_EXPECT(r1 != r2);
+    }
+
+    void
+    testDiceZeroSides()
+    {
+        testcase("Hook dice(0) returns INVALID_ARGUMENT");
+        using namespace jtx;
+
+        Env env{
+            *this,
+            envconfig(),
+            supported_amendments() | featureConsensusEntropy,
+            nullptr};
+
+        auto const alice = Account{"alice"};
+        env.fund(XRP(10000), alice);
+        env.close();
+
+        BEAST_REQUIRE(env.le(keylet::consensusEntropy()));
+
+        // Hook calls dice(0) and returns whatever dice returns.
+        // dice(0) should return INVALID_ARGUMENT (-7).
+        TestHook hook = consensusentropy_test_wasm[R"[test.hook](
+            #include <stdint.h>
+            extern int32_t _g(uint32_t, uint32_t);
+            extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t dice(uint32_t sides);
+
+            int64_t hook(uint32_t r)
+            {
+                _g(1,1);
+                int64_t result = dice(0);
+                // dice(0) should return negative error code, pass it through
+                return accept(0, 0, result);
+            }
+        )[test.hook]"];
+
+        env(ripple::test::jtx::hook(alice, {{hso(hook, overrideFlag)}}, 0),
+            M("set dice0 hook"),
+            HSFEE);
+        env.close();
+
+        Json::Value invoke;
+        invoke[jss::TransactionType] = "Invoke";
+        invoke[jss::Account] = alice.human();
+        env(invoke, M("test dice(0)"), fee(XRP(1)));
+
+        auto meta = env.meta();
+        BEAST_REQUIRE(meta);
+        BEAST_REQUIRE(meta->isFieldPresent(sfHookExecutions));
+
+        auto const hookExecutions = meta->getFieldArray(sfHookExecutions);
+        BEAST_REQUIRE(hookExecutions.size() == 1);
+
+        // INVALID_ARGUMENT = -7, encoded as 0x8000000000000000 + abs(code)
+        // (see applyHook.cpp unsigned_exit_code encoding)
+        auto const rawCode = hookExecutions[0].getFieldU64(sfHookReturnCode);
+        int64_t returnCode = (rawCode & 0x8000000000000000ULL)
+            ? -static_cast<int64_t>(rawCode & 0x7FFFFFFFFFFFFFFFULL)
+            : static_cast<int64_t>(rawCode);
+        std::cerr << "  dice(0) returnCode = " << returnCode << " (raw 0x"
+                  << std::hex << rawCode << std::dec << ")\n";
+        BEAST_EXPECT(returnCode == -7);
+        BEAST_EXPECT(hookExecutions[0].getFieldU8(sfHookResult) == 3);
+    }
+
+    void
+    run() override
+    {
+        testSLECreated();
+        testSLEUpdatedOnSubsequentClose();
+        testNoSLEWithoutAmendment();
+        testDice();
+        testDiceZeroSides();
+        testRandom();
+        testDiceConsecutiveCallsDiffer();
+    }
+};
+
+BEAST_DEFINE_TESTSUITE(ConsensusEntropy, app, ripple);
+
+}  // namespace test
+}  // namespace ripple

src/test/app/ConsensusEntropy_test_hooks.h

@@ -0,0 +1,235 @@
+
+// This file is generated by build_test_hooks.py
+#ifndef CONSENSUSENTROPY_TEST_WASM_INCLUDED
+#define CONSENSUSENTROPY_TEST_WASM_INCLUDED
+#include <map>
+#include <stdint.h>
+#include <string>
+#include <vector>
+namespace ripple {
+namespace test {
+std::map<std::string, std::vector<uint8_t>> consensusentropy_test_wasm = {
+    /* ==== WASM: 0 ==== */
+    {R"[test.hook](
+            #include <stdint.h>
+            extern int32_t _g(uint32_t, uint32_t);
+            extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t dice(uint32_t sides);
+            #define GUARD(maxiter) _g((1ULL << 31U) + __LINE__, (maxiter)+1)
+
+            int64_t hook(uint32_t r)
+            {
+                _g(1,1);
+
+                // dice(6) should return 0..5
+                int64_t result = dice(6);
+
+                // negative means error
+                if (result < 0)
+                    rollback(0, 0, result);
+
+                if (result >= 6)
+                    rollback(0, 0, -1);
+
+                // return the dice result as the accept code
+                return accept(0, 0, result);
+            }
+        )[test.hook]",
+     {
+         0x00U, 0x61U, 0x73U, 0x6DU, 0x01U, 0x00U, 0x00U, 0x00U, 0x01U, 0x13U,
+         0x03U, 0x60U, 0x02U, 0x7FU, 0x7FU, 0x01U, 0x7FU, 0x60U, 0x01U, 0x7FU,
+         0x01U, 0x7EU, 0x60U, 0x03U, 0x7FU, 0x7FU, 0x7EU, 0x01U, 0x7EU, 0x02U,
+         0x31U, 0x04U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x02U, 0x5FU, 0x67U, 0x00U,
+         0x00U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x04U, 0x64U, 0x69U, 0x63U, 0x65U,
+         0x00U, 0x01U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x08U, 0x72U, 0x6FU, 0x6CU,
+         0x6CU, 0x62U, 0x61U, 0x63U, 0x6BU, 0x00U, 0x02U, 0x03U, 0x65U, 0x6EU,
+         0x76U, 0x06U, 0x61U, 0x63U, 0x63U, 0x65U, 0x70U, 0x74U, 0x00U, 0x02U,
+         0x03U, 0x02U, 0x01U, 0x01U, 0x05U, 0x03U, 0x01U, 0x00U, 0x02U, 0x06U,
+         0x21U, 0x05U, 0x7FU, 0x01U, 0x41U, 0x80U, 0x88U, 0x04U, 0x0BU, 0x7FU,
+         0x00U, 0x41U, 0x80U, 0x08U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x08U,
+         0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U,
+         0x41U, 0x80U, 0x08U, 0x0BU, 0x07U, 0x08U, 0x01U, 0x04U, 0x68U, 0x6FU,
+         0x6FU, 0x6BU, 0x00U, 0x04U, 0x0AU, 0xD0U, 0x80U, 0x00U, 0x01U, 0xCCU,
+         0x80U, 0x00U, 0x01U, 0x02U, 0x7EU, 0x41U, 0x01U, 0x41U, 0x01U, 0x10U,
+         0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x41U, 0x06U, 0x10U, 0x81U,
+         0x80U, 0x80U, 0x80U, 0x00U, 0x22U, 0x01U, 0x21U, 0x02U, 0x02U, 0x40U,
+         0x02U, 0x40U, 0x20U, 0x01U, 0x42U, 0x00U, 0x53U, 0x0DU, 0x00U, 0x42U,
+         0x7FU, 0x21U, 0x02U, 0x20U, 0x01U, 0x42U, 0x06U, 0x53U, 0x0DU, 0x01U,
+         0x0BU, 0x41U, 0x00U, 0x41U, 0x00U, 0x20U, 0x02U, 0x10U, 0x82U, 0x80U,
+         0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x41U, 0x00U, 0x41U, 0x00U, 0x20U,
+         0x01U, 0x10U, 0x83U, 0x80U, 0x80U, 0x80U, 0x00U, 0x0BU,
+     }},
+
+    /* ==== WASM: 1 ==== */
+    {R"[test.hook](
+            #include <stdint.h>
+            extern int32_t _g(uint32_t, uint32_t);
+            extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t random(uint32_t write_ptr, uint32_t write_len);
+            #define GUARD(maxiter) _g((1ULL << 31U) + __LINE__, (maxiter)+1)
+
+            int64_t hook(uint32_t r)
+            {
+                _g(1,1);
+
+                uint8_t buf[32];
+                for (int i = 0; GUARD(32), i < 32; ++i)
+                    buf[i] = 0;
+
+                int64_t result = random((uint32_t)buf, 32);
+
+                // Should return 32 (bytes written)
+                if (result != 32)
+                    rollback(0, 0, result);
+
+                // Verify buffer is not all zeroes
+                int nonzero = 0;
+                for (int i = 0; GUARD(32), i < 32; ++i)
+                    if (buf[i] != 0) nonzero = 1;
+
+                if (!nonzero)
+                    rollback(0, 0, -2);
+
+                return accept(0, 0, 0);
+            }
+        )[test.hook]",
+     {
+         0x00U, 0x61U, 0x73U, 0x6DU, 0x01U, 0x00U, 0x00U, 0x00U, 0x01U, 0x19U,
+         0x04U, 0x60U, 0x02U, 0x7FU, 0x7FU, 0x01U, 0x7FU, 0x60U, 0x02U, 0x7FU,
+         0x7FU, 0x01U, 0x7EU, 0x60U, 0x03U, 0x7FU, 0x7FU, 0x7EU, 0x01U, 0x7EU,
+         0x60U, 0x01U, 0x7FU, 0x01U, 0x7EU, 0x02U, 0x33U, 0x04U, 0x03U, 0x65U,
+         0x6EU, 0x76U, 0x02U, 0x5FU, 0x67U, 0x00U, 0x00U, 0x03U, 0x65U, 0x6EU,
+         0x76U, 0x06U, 0x72U, 0x61U, 0x6EU, 0x64U, 0x6FU, 0x6DU, 0x00U, 0x01U,
+         0x03U, 0x65U, 0x6EU, 0x76U, 0x08U, 0x72U, 0x6FU, 0x6CU, 0x6CU, 0x62U,
+         0x61U, 0x63U, 0x6BU, 0x00U, 0x02U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x06U,
+         0x61U, 0x63U, 0x63U, 0x65U, 0x70U, 0x74U, 0x00U, 0x02U, 0x03U, 0x02U,
+         0x01U, 0x03U, 0x05U, 0x03U, 0x01U, 0x00U, 0x02U, 0x06U, 0x21U, 0x05U,
+         0x7FU, 0x01U, 0x41U, 0x80U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U, 0x41U,
+         0x80U, 0x08U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x08U, 0x0BU, 0x7FU,
+         0x00U, 0x41U, 0x80U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U,
+         0x08U, 0x0BU, 0x07U, 0x08U, 0x01U, 0x04U, 0x68U, 0x6FU, 0x6FU, 0x6BU,
+         0x00U, 0x04U, 0x0AU, 0x86U, 0x82U, 0x00U, 0x01U, 0x82U, 0x82U, 0x00U,
+         0x03U, 0x02U, 0x7FU, 0x01U, 0x7EU, 0x02U, 0x7FU, 0x23U, 0x80U, 0x80U,
+         0x80U, 0x80U, 0x00U, 0x41U, 0x20U, 0x6BU, 0x22U, 0x01U, 0x24U, 0x80U,
+         0x80U, 0x80U, 0x80U, 0x00U, 0x41U, 0x01U, 0x41U, 0x01U, 0x10U, 0x80U,
+         0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x41U, 0x8EU, 0x80U, 0x80U, 0x80U,
+         0x78U, 0x41U, 0x21U, 0x10U, 0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU,
+         0x41U, 0x00U, 0x21U, 0x02U, 0x03U, 0x40U, 0x41U, 0x8EU, 0x80U, 0x80U,
+         0x80U, 0x78U, 0x41U, 0x21U, 0x10U, 0x00U, 0x1AU, 0x20U, 0x01U, 0x20U,
+         0x02U, 0x6AU, 0x41U, 0x00U, 0x3AU, 0x00U, 0x00U, 0x41U, 0x8EU, 0x80U,
+         0x80U, 0x80U, 0x78U, 0x41U, 0x21U, 0x1AU, 0x01U, 0x01U, 0x01U, 0x01U,
+         0x01U, 0x1AU, 0x20U, 0x02U, 0x41U, 0x01U, 0x6AU, 0x22U, 0x02U, 0x41U,
+         0x20U, 0x47U, 0x0DU, 0x00U, 0x0BU, 0x02U, 0x40U, 0x20U, 0x01U, 0x41U,
+         0x20U, 0x10U, 0x81U, 0x80U, 0x80U, 0x80U, 0x00U, 0x22U, 0x03U, 0x42U,
+         0x20U, 0x51U, 0x0DU, 0x00U, 0x41U, 0x00U, 0x41U, 0x00U, 0x20U, 0x03U,
+         0x10U, 0x82U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x41U, 0x99U,
+         0x80U, 0x80U, 0x80U, 0x78U, 0x41U, 0x21U, 0x10U, 0x80U, 0x80U, 0x80U,
+         0x80U, 0x00U, 0x1AU, 0x41U, 0x00U, 0x21U, 0x02U, 0x41U, 0x00U, 0x21U,
+         0x04U, 0x03U, 0x40U, 0x41U, 0x99U, 0x80U, 0x80U, 0x80U, 0x78U, 0x41U,
+         0x21U, 0x10U, 0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x20U, 0x01U,
+         0x20U, 0x02U, 0x6AU, 0x2DU, 0x00U, 0x00U, 0x21U, 0x05U, 0x41U, 0x01U,
+         0x20U, 0x04U, 0x20U, 0x05U, 0x1BU, 0x21U, 0x04U, 0x20U, 0x02U, 0x41U,
+         0x01U, 0x6AU, 0x22U, 0x02U, 0x41U, 0x20U, 0x47U, 0x0DU, 0x00U, 0x0BU,
+         0x02U, 0x40U, 0x20U, 0x04U, 0x0DU, 0x00U, 0x41U, 0x00U, 0x41U, 0x00U,
+         0x42U, 0x7EU, 0x10U, 0x82U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU,
+         0x41U, 0x00U, 0x41U, 0x00U, 0x42U, 0x00U, 0x10U, 0x83U, 0x80U, 0x80U,
+         0x80U, 0x00U, 0x21U, 0x03U, 0x20U, 0x01U, 0x41U, 0x20U, 0x6AU, 0x24U,
+         0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x20U, 0x03U, 0x0BU,
+     }},
+
+    /* ==== WASM: 2 ==== */
+    {R"[test.hook](
+            #include <stdint.h>
+            extern int32_t _g(uint32_t, uint32_t);
+            extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t dice(uint32_t sides);
+
+            int64_t hook(uint32_t r)
+            {
+                _g(1,1);
+                int64_t r1 = dice(1000000);
+                if (r1 < 0)
+                    rollback(0, 0, r1);
+
+                int64_t r2 = dice(1000000);
+                if (r2 < 0)
+                    rollback(0, 0, r2);
+
+                // consecutive calls should differ (rngCallCounter)
+                if (r1 == r2)
+                    rollback(0, 0, -1);
+
+                return accept(0, 0, r1 | (r2 << 20));
+            }
+        )[test.hook]",
+     {
+         0x00U, 0x61U, 0x73U, 0x6DU, 0x01U, 0x00U, 0x00U, 0x00U, 0x01U, 0x13U,
+         0x03U, 0x60U, 0x02U, 0x7FU, 0x7FU, 0x01U, 0x7FU, 0x60U, 0x01U, 0x7FU,
+         0x01U, 0x7EU, 0x60U, 0x03U, 0x7FU, 0x7FU, 0x7EU, 0x01U, 0x7EU, 0x02U,
+         0x31U, 0x04U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x02U, 0x5FU, 0x67U, 0x00U,
+         0x00U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x04U, 0x64U, 0x69U, 0x63U, 0x65U,
+         0x00U, 0x01U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x08U, 0x72U, 0x6FU, 0x6CU,
+         0x6CU, 0x62U, 0x61U, 0x63U, 0x6BU, 0x00U, 0x02U, 0x03U, 0x65U, 0x6EU,
+         0x76U, 0x06U, 0x61U, 0x63U, 0x63U, 0x65U, 0x70U, 0x74U, 0x00U, 0x02U,
+         0x03U, 0x02U, 0x01U, 0x01U, 0x05U, 0x03U, 0x01U, 0x00U, 0x02U, 0x06U,
+         0x21U, 0x05U, 0x7FU, 0x01U, 0x41U, 0x80U, 0x88U, 0x04U, 0x0BU, 0x7FU,
+         0x00U, 0x41U, 0x80U, 0x08U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x08U,
+         0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U,
+         0x41U, 0x80U, 0x08U, 0x0BU, 0x07U, 0x08U, 0x01U, 0x04U, 0x68U, 0x6FU,
+         0x6FU, 0x6BU, 0x00U, 0x04U, 0x0AU, 0xFEU, 0x80U, 0x00U, 0x01U, 0xFAU,
+         0x80U, 0x00U, 0x01U, 0x02U, 0x7EU, 0x41U, 0x01U, 0x41U, 0x01U, 0x10U,
+         0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x02U, 0x40U, 0x41U, 0xC0U,
+         0x84U, 0x3DU, 0x10U, 0x81U, 0x80U, 0x80U, 0x80U, 0x00U, 0x22U, 0x01U,
+         0x42U, 0x7FU, 0x55U, 0x0DU, 0x00U, 0x41U, 0x00U, 0x41U, 0x00U, 0x20U,
+         0x01U, 0x10U, 0x82U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x02U,
+         0x40U, 0x41U, 0xC0U, 0x84U, 0x3DU, 0x10U, 0x81U, 0x80U, 0x80U, 0x80U,
+         0x00U, 0x22U, 0x02U, 0x42U, 0x7FU, 0x55U, 0x0DU, 0x00U, 0x41U, 0x00U,
+         0x41U, 0x00U, 0x20U, 0x02U, 0x10U, 0x82U, 0x80U, 0x80U, 0x80U, 0x00U,
+         0x1AU, 0x0BU, 0x02U, 0x40U, 0x20U, 0x01U, 0x20U, 0x02U, 0x52U, 0x0DU,
+         0x00U, 0x41U, 0x00U, 0x41U, 0x00U, 0x42U, 0x7FU, 0x10U, 0x82U, 0x80U,
+         0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x41U, 0x00U, 0x41U, 0x00U, 0x20U,
+         0x02U, 0x42U, 0x14U, 0x86U, 0x20U, 0x01U, 0x84U, 0x10U, 0x83U, 0x80U,
+         0x80U, 0x80U, 0x00U, 0x0BU,
+     }},
+
+    /* ==== WASM: 3 ==== */
+    {R"[test.hook](
+            #include <stdint.h>
+            extern int32_t _g(uint32_t, uint32_t);
+            extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+            extern int64_t dice(uint32_t sides);
+
+            int64_t hook(uint32_t r)
+            {
+                _g(1,1);
+                int64_t result = dice(0);
+                // dice(0) should return negative error code, pass it through
+                return accept(0, 0, result);
+            }
+        )[test.hook]",
+     {
+         0x00U, 0x61U, 0x73U, 0x6DU, 0x01U, 0x00U, 0x00U, 0x00U, 0x01U, 0x13U,
+         0x03U, 0x60U, 0x02U, 0x7FU, 0x7FU, 0x01U, 0x7FU, 0x60U, 0x01U, 0x7FU,
+         0x01U, 0x7EU, 0x60U, 0x03U, 0x7FU, 0x7FU, 0x7EU, 0x01U, 0x7EU, 0x02U,
+         0x22U, 0x03U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x02U, 0x5FU, 0x67U, 0x00U,
+         0x00U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x04U, 0x64U, 0x69U, 0x63U, 0x65U,
+         0x00U, 0x01U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x06U, 0x61U, 0x63U, 0x63U,
+         0x65U, 0x70U, 0x74U, 0x00U, 0x02U, 0x03U, 0x02U, 0x01U, 0x01U, 0x05U,
+         0x03U, 0x01U, 0x00U, 0x02U, 0x06U, 0x21U, 0x05U, 0x7FU, 0x01U, 0x41U,
+         0x80U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x08U, 0x0BU,
+         0x7FU, 0x00U, 0x41U, 0x80U, 0x08U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U,
+         0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x08U, 0x0BU, 0x07U,
+         0x08U, 0x01U, 0x04U, 0x68U, 0x6FU, 0x6FU, 0x6BU, 0x00U, 0x03U, 0x0AU,
+         0xA3U, 0x80U, 0x00U, 0x01U, 0x9FU, 0x80U, 0x00U, 0x00U, 0x41U, 0x01U,
+         0x41U, 0x01U, 0x10U, 0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x41U,
+         0x00U, 0x41U, 0x00U, 0x41U, 0x00U, 0x10U, 0x81U, 0x80U, 0x80U, 0x80U,
+         0x00U, 0x10U, 0x82U, 0x80U, 0x80U, 0x80U, 0x00U, 0x0BU,
+     }},
+
+};
+}
+}  // namespace ripple
+#endif

src/test/app/ExportResultBuilder_test.cpp

@@ -0,0 +1,221 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of rippled: https://github.com/ripple/rippled
+
+    Permission to use, copy, modify, and/or distribute this software for any
+    purpose  with  or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#include <xrpld/app/tx/detail/ExportResultBuilder.h>
+#include <xrpl/beast/unit_test.h>
+#include <xrpl/protocol/HashPrefix.h>
+#include <xrpl/protocol/STAmount.h>
+#include <xrpl/protocol/STArray.h>
+#include <xrpl/protocol/STObject.h>
+#include <xrpl/protocol/STTx.h>
+#include <xrpl/protocol/SecretKey.h>
+#include <xrpl/protocol/Sign.h>
+#include <xrpl/protocol/TxFlags.h>
+#include <xrpl/protocol/TxFormats.h>
+#include <xrpl/protocol/digest.h>
+
+#include <cstring>
+
+namespace ripple {
+namespace test {
+namespace {
+
+uint256
+makeHash(char const* label)
+{
+    return sha512Half(Slice(label, std::strlen(label)));
+}
+
+STTx
+makeSTTx(STObject const& obj)
+{
+    Serializer s;
+    obj.add(s);
+    SerialIter sit{s.slice()};
+    return STTx{std::ref(sit)};
+}
+
+STTx
+makeExportedPayment(AccountID const& src, AccountID const& dst)
+{
+    STObject obj(sfExportedTxn);
+    obj.setFieldU16(sfTransactionType, ttPAYMENT);
+    obj.setFieldU32(sfFlags, tfFullyCanonicalSig);
+    obj.setFieldU32(sfSequence, 0);
+    obj.setFieldU32(sfTicketSequence, 1);
+    obj.setFieldU32(sfFirstLedgerSequence, 2);
+    obj.setFieldU32(sfLastLedgerSequence, 6);
+    obj.setFieldAmount(sfAmount, XRPAmount{1000000});
+    obj.setFieldAmount(sfFee, XRPAmount{10});
+    obj.setFieldVL(sfSigningPubKey, Blob{});
+    obj.setAccountID(sfAccount, src);
+    obj.setAccountID(sfDestination, dst);
+    return makeSTTx(obj);
+}
+
+}  // namespace
+
+class ExportResultBuilder_test : public beast::unit_test::suite
+{
+public:
+    void
+    testAssemblesSignedMetadata()
+    {
+        testcase("assembles signed metadata");
+
+        auto const signerA = randomKeyPair(KeyType::secp256k1);
+        auto const signerB = randomKeyPair(KeyType::secp256k1);
+        auto const innerTx = makeExportedPayment(
+            calcAccountID(signerA.first), calcAccountID(signerB.first));
+        auto const exportTxHash = makeHash("outer-export-tx");
+
+        ExportResultBuilder::SignatureSnapshot signatures;
+        signatures.emplace(
+            signerA.first,
+            ExportResultBuilder::signExportedTxn(
+                innerTx, signerA.first, signerA.second));
+        signatures.emplace(
+            signerB.first,
+            ExportResultBuilder::signExportedTxn(
+                innerTx, signerB.first, signerB.second));
+
+        auto assembled = ExportResultBuilder::assemble(
+            innerTx, signatures, 123, exportTxHash);
+
+        BEAST_EXPECT(assembled.signerCount == 2);
+        BEAST_EXPECT(assembled.metadata.getFieldU32(sfLedgerSequence) == 123);
+        BEAST_EXPECT(
+            assembled.metadata.getFieldH256(sfTransactionHash) == exportTxHash);
+
+        auto const& multiSigned =
+            assembled.metadata.peekAtField(sfExportedTxn).downcast<STObject>();
+        BEAST_EXPECT(multiSigned.getFieldVL(sfSigningPubKey).empty());
+        BEAST_EXPECT(multiSigned.isFieldPresent(sfSigners));
+
+        auto const& signers = multiSigned.getFieldArray(sfSigners);
+        BEAST_EXPECT(signers.size() == 2);
+        if (signers.size() == 2)
+        {
+            BEAST_EXPECT(
+                signers[0].getAccountID(sfAccount) <
+                signers[1].getAccountID(sfAccount));
+        }
+
+        for (auto const& signer : signers)
+        {
+            auto const pkVL = signer.getFieldVL(sfSigningPubKey);
+            PublicKey const pk{makeSlice(pkVL)};
+            auto const sigVL = signer.getFieldVL(sfTxnSignature);
+            auto const signerAcctID = signer.getAccountID(sfAccount);
+            auto const sigData = buildMultiSigningData(innerTx, signerAcctID);
+            BEAST_EXPECT(verify(pk, sigData.slice(), makeSlice(sigVL)));
+        }
+
+        BEAST_EXPECT(
+            assembled.signedTxHash ==
+            multiSigned.getHash(HashPrefix::transactionID));
+
+        Serializer serialized;
+        multiSigned.add(serialized);
+        SerialIter sit(serialized.slice());
+        STTx signedTx{std::ref(sit)};
+        BEAST_EXPECT(signedTx.getTransactionID() == assembled.signedTxHash);
+    }
+
+    void
+    testSkipsEmptySignatures()
+    {
+        testcase("skips empty signatures");
+
+        auto const signer = randomKeyPair(KeyType::secp256k1);
+        auto const dst = randomKeyPair(KeyType::secp256k1);
+        auto const innerTx = makeExportedPayment(
+            calcAccountID(signer.first), calcAccountID(dst.first));
+
+        ExportResultBuilder::SignatureSnapshot signatures;
+        signatures.emplace(signer.first, Buffer{});
+
+        auto assembled = ExportResultBuilder::assemble(
+            innerTx, signatures, 456, makeHash("empty-sig-export"));
+
+        BEAST_EXPECT(assembled.signerCount == 0);
+
+        auto const& multiSigned =
+            assembled.metadata.peekAtField(sfExportedTxn).downcast<STObject>();
+        BEAST_EXPECT(multiSigned.getFieldVL(sfSigningPubKey).empty());
+        BEAST_EXPECT(!multiSigned.isFieldPresent(sfSigners));
+        BEAST_EXPECT(
+            assembled.signedTxHash ==
+            multiSigned.getHash(HashPrefix::transactionID));
+    }
+
+    void
+    testBuildMultiSignedExportedTxnDirect()
+    {
+        testcase("builds multisigned exported transaction directly");
+
+        auto const signerA = randomKeyPair(KeyType::secp256k1);
+        auto const signerB = randomKeyPair(KeyType::secp256k1);
+        auto const dst = randomKeyPair(KeyType::secp256k1);
+        auto const innerTx = makeExportedPayment(
+            calcAccountID(signerA.first), calcAccountID(dst.first));
+
+        ExportResultBuilder::SignatureSnapshot signatures;
+        signatures.emplace(signerB.first, Buffer{});
+        signatures.emplace(
+            signerA.first,
+            ExportResultBuilder::signExportedTxn(
+                innerTx, signerA.first, signerA.second));
+
+        auto multiSigned = ExportResultBuilder::buildMultiSignedExportedTxn(
+            innerTx, signatures);
+        BEAST_EXPECT(multiSigned.getFieldVL(sfSigningPubKey).empty());
+        BEAST_EXPECT(multiSigned.isFieldPresent(sfSigners));
+
+        auto const& signers = multiSigned.getFieldArray(sfSigners);
+        BEAST_EXPECT(signers.size() == 1);
+        if (signers.size() == 1)
+        {
+            BEAST_EXPECT(
+                signers[0].getAccountID(sfAccount) ==
+                calcAccountID(signerA.first));
+            BEAST_EXPECT(
+                makeSlice(signers[0].getFieldVL(sfSigningPubKey)) ==
+                signerA.first.slice());
+        }
+
+        ExportResultBuilder::SignatureSnapshot none;
+        auto unsignedMulti =
+            ExportResultBuilder::buildMultiSignedExportedTxn(innerTx, none);
+        BEAST_EXPECT(unsignedMulti.getFieldVL(sfSigningPubKey).empty());
+        BEAST_EXPECT(!unsignedMulti.isFieldPresent(sfSigners));
+    }
+
+    void
+    run() override
+    {
+        testAssemblesSignedMetadata();
+        testSkipsEmptySignatures();
+        testBuildMultiSignedExportedTxnDirect();
+    }
+};
+
+BEAST_DEFINE_TESTSUITE(ExportResultBuilder, app, ripple);
+
+}  // namespace test
+}  // namespace ripple

src/test/app/ExportSigCollector_test.cpp

@@ -0,0 +1,299 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of rippled: https://github.com/ripple/rippled
+
+    Permission to use, copy, modify, and/or distribute this software for any
+    purpose  with  or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED WARRANTIES OF
+    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#include <xrpld/app/misc/ExportSigCollector.h>
+#include <xrpl/basics/StringUtilities.h>
+#include <xrpl/beast/unit_test.h>
+#include <xrpl/protocol/SecretKey.h>
+#include <xrpl/protocol/digest.h>
+#include <cstring>
+
+namespace ripple {
+namespace test {
+
+namespace {
+
+uint256
+makeHash(char const* label)
+{
+    return sha512Half(Slice(label, std::strlen(label)));
+}
+
+PublicKey
+makePublicKey(char const* hex)
+{
+    auto const raw = strUnHex(hex);
+    return PublicKey{makeSlice(*raw)};
+}
+
+Buffer
+makeSignature(std::uint8_t seed)
+{
+    std::uint8_t bytes[] = {
+        seed,
+        static_cast<std::uint8_t>(seed + 1),
+        static_cast<std::uint8_t>(seed + 2)};
+    return Buffer(bytes, sizeof(bytes));
+}
+
+}  // namespace
+
+class ExportSigCollector_test : public beast::unit_test::suite
+{
+    PublicKey const validator_ = makePublicKey(
+        "0388935426E0D08083314842EDFBB2D517BD47699F9A4527318A8E10468C97C05"
+        "2");
+
+public:
+    void
+    testCleanupUsesFirstSeenSeq()
+    {
+        testcase("cleanup uses first seen sequence");
+
+        ExportSigCollector collector;
+        auto const tx = makeHash("cleanup-verified");
+        auto const sig = makeSignature(1);
+
+        collector.addVerifiedSignature(tx, validator_, sig, 10);
+        BEAST_EXPECT(collector.signatureCount(tx) == 1);
+
+        collector.cleanupStale(266);
+        BEAST_EXPECT(collector.signatureCount(tx) == 1);
+
+        collector.cleanupStale(267);
+        BEAST_EXPECT(collector.signatureCount(tx) == 0);
+    }
+
+    void
+    testUpgradeSetsFirstSeenSeq()
+    {
+        testcase("upgrade sets first seen sequence");
+
+        ExportSigCollector collector;
+        auto const tx = makeHash("cleanup-upgraded");
+        auto const sig = makeSignature(5);
+
+        collector.addUnverifiedSignature(tx, validator_, sig);
+        BEAST_EXPECT(collector.hasUnverifiedSignatures());
+
+        collector.upgradeSignature(tx, validator_, sig, 10);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(tx) == 1);
+
+        collector.cleanupStale(266);
+        BEAST_EXPECT(collector.signatureCount(tx) == 1);
+
+        collector.cleanupStale(267);
+        BEAST_EXPECT(collector.signatureCount(tx) == 0);
+    }
+
+    void
+    testRemoveInvalidUnverifiedSignature()
+    {
+        testcase("remove invalid unverified signature");
+
+        ExportSigCollector collector;
+        auto const tx = makeHash("remove-invalid");
+        auto const sig = makeSignature(9);
+        auto const otherSig = makeSignature(10);
+
+        collector.addUnverifiedSignature(tx, validator_, sig, 10);
+        BEAST_EXPECT(collector.hasUnverifiedSignatures());
+
+        BEAST_EXPECT(!collector.removeSignature(tx, validator_, otherSig));
+        BEAST_EXPECT(collector.hasUnverifiedSignatures());
+
+        BEAST_EXPECT(collector.removeSignature(tx, validator_, sig));
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(tx) == 0);
+    }
+
+    void
+    testSnapshotsAndFilteredCounts()
+    {
+        testcase("snapshots and filtered counts use verified signatures only");
+
+        auto const other = randomKeyPair(KeyType::secp256k1).first;
+        ExportSigCollector collector;
+        auto const tx = makeHash("snapshot-filtered");
+        auto const verifiedSig = makeSignature(20);
+        auto const unverifiedSig = makeSignature(30);
+
+        BEAST_EXPECT(!collector.hasVerifiedSignature(tx, validator_));
+        BEAST_EXPECT(collector.unverifiedSignatures(tx).empty());
+        BEAST_EXPECT(!collector.checkQuorumAndSnapshot(tx, 1));
+
+        collector.addVerifiedSignature(tx, validator_, verifiedSig, 10);
+        collector.addUnverifiedSignature(tx, other, unverifiedSig, 11);
+
+        BEAST_EXPECT(collector.hasVerifiedSignature(tx, validator_));
+        BEAST_EXPECT(!collector.hasVerifiedSignature(tx, other));
+        BEAST_EXPECT(collector.signatureCount(tx) == 1);
+        BEAST_EXPECT(collector.signatureCount(tx, [&](PublicKey const& pk) {
+            return pk == validator_;
+        }) == 1);
+        BEAST_EXPECT(collector.signatureCount(tx, [&](PublicKey const& pk) {
+            return pk == other;
+        }) == 0);
+
+        auto unverified = collector.unverifiedSignatures(tx);
+        BEAST_EXPECT(unverified.size() == 1);
+        BEAST_EXPECT(unverified.count(other) == 1);
+
+        auto snapshot = collector.snapshot();
+        BEAST_EXPECT(snapshot.size() == 1);
+        BEAST_EXPECT(snapshot[tx].count(validator_) == 1);
+        BEAST_EXPECT(snapshot[tx].count(other) == 0);
+
+        auto sigSnapshot = collector.snapshotWithSigs();
+        BEAST_EXPECT(sigSnapshot[tx].size() == 1);
+        BEAST_EXPECT(sigSnapshot[tx][validator_] == verifiedSig);
+
+        auto filteredSnapshot = collector.snapshotWithSigs(
+            [&](PublicKey const& pk) { return pk == other; });
+        BEAST_EXPECT(filteredSnapshot.empty());
+
+        BEAST_EXPECT(!collector.checkQuorumAndSnapshot(tx, 2));
+        auto quorum = collector.checkQuorumAndSnapshot(tx, 1);
+        BEAST_EXPECT(quorum.has_value());
+        if (quorum)
+        {
+            BEAST_EXPECT(quorum->size() == 1);
+            BEAST_EXPECT((*quorum)[validator_] == verifiedSig);
+        }
+
+        collector.upgradeSignature(tx, other, makeSignature(31), 12);
+        BEAST_EXPECT(collector.signatureCount(tx) == 1);
+
+        collector.upgradeSignature(tx, other, unverifiedSig, 12);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(tx) == 2);
+
+        auto filteredQuorum = collector.checkQuorumAndSnapshot(
+            tx, 1, [&](PublicKey const& pk) { return pk == other; });
+        BEAST_EXPECT(filteredQuorum.has_value());
+        if (filteredQuorum)
+            BEAST_EXPECT((*filteredQuorum)[other] == unverifiedSig);
+
+        collector.clear(tx);
+        BEAST_EXPECT(collector.signatureCount(tx) == 0);
+        BEAST_EXPECT(collector.snapshot().empty());
+    }
+
+    void
+    testStandaloneAndRoundState()
+    {
+        testcase("standalone signatures and round state");
+
+        ExportSigCollector collector;
+        auto const tx = makeHash("standalone-round");
+
+        collector.addStandaloneSignature(tx, validator_, 10);
+        BEAST_EXPECT(collector.hasVerifiedSignature(tx, validator_));
+        BEAST_EXPECT(collector.signatureCount(tx) == 1);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+
+        auto snapshot = collector.snapshot();
+        BEAST_EXPECT(snapshot.size() == 1);
+        BEAST_EXPECT(snapshot[tx].count(validator_) == 1);
+
+        auto sigSnapshot = collector.snapshotWithSigs();
+        BEAST_EXPECT(sigSnapshot.size() == 1);
+        BEAST_EXPECT(sigSnapshot[tx].count(validator_) == 1);
+        BEAST_EXPECT(sigSnapshot[tx][validator_].empty());
+
+        BEAST_EXPECT(collector.markSent(tx));
+        BEAST_EXPECT(!collector.markSent(tx));
+        collector.clearRound();
+        BEAST_EXPECT(collector.markSent(tx));
+    }
+
+    void
+    testClearAll()
+    {
+        testcase("clear all signatures and round state");
+
+        ExportSigCollector collector;
+        auto const verifiedTx = makeHash("clear-all-verified");
+        auto const unverifiedTx = makeHash("clear-all-unverified");
+        auto const sig = makeSignature(12);
+
+        collector.addVerifiedSignature(verifiedTx, validator_, sig, 10);
+        collector.addUnverifiedSignature(unverifiedTx, validator_, sig, 10);
+        BEAST_EXPECT(collector.signatureCount(verifiedTx) == 1);
+        BEAST_EXPECT(collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.markSent(verifiedTx));
+        BEAST_EXPECT(!collector.markSent(verifiedTx));
+
+        collector.clearAll();
+
+        BEAST_EXPECT(collector.signatureCount(verifiedTx) == 0);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.markSent(verifiedTx));
+    }
+
+    void
+    testDefensiveNoOps()
+    {
+        testcase("defensive no-op paths");
+
+        ExportSigCollector collector;
+        auto const missingTx = makeHash("missing-defensive");
+        auto const standaloneTx = makeHash("standalone-defensive");
+        auto const sig = makeSignature(40);
+
+        collector.upgradeSignature(missingTx, validator_, sig, 10);
+        BEAST_EXPECT(collector.signatureCount(missingTx) == 0);
+        BEAST_EXPECT(!collector.removeSignature(missingTx, validator_, sig));
+        BEAST_EXPECT(!collector.checkQuorumAndSnapshot(missingTx, 1));
+        BEAST_EXPECT(collector.signatureCount(missingTx, [](PublicKey const&) {
+            return true;
+        }) == 0);
+
+        collector.addStandaloneSignature(standaloneTx, validator_, 10);
+        collector.upgradeSignature(standaloneTx, validator_, Buffer{}, 11);
+        BEAST_EXPECT(collector.signatureCount(standaloneTx) == 1);
+        BEAST_EXPECT(collector.snapshotWithSigs()
+                         .at(standaloneTx)
+                         .at(validator_)
+                         .empty());
+
+        auto filtered =
+            collector.snapshotWithSigs([](PublicKey const&) { return false; });
+        BEAST_EXPECT(filtered.empty());
+        BEAST_EXPECT(!collector.checkQuorumAndSnapshot(
+            standaloneTx, 1, [](PublicKey const&) { return false; }));
+    }
+
+    void
+    run() override
+    {
+        testCleanupUsesFirstSeenSeq();
+        testUpgradeSetsFirstSeenSeq();
+        testRemoveInvalidUnverifiedSignature();
+        testSnapshotsAndFilteredCounts();
+        testStandaloneAndRoundState();
+        testClearAll();
+        testDefensiveNoOps();
+    }
+};
+
+BEAST_DEFINE_TESTSUITE(ExportSigCollector, app, ripple);
+
+}  // namespace test
+}  // namespace ripple

src/test/app/ExportSignatureHarvester_test.cpp

@@ -0,0 +1,400 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of rippled: https://github.com/ripple/rippled
+
+    Permission to use, copy, modify, and/or distribute this software for any
+    purpose  with  or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#include <test/unit_test/SuiteJournal.h>
+#include <xrpld/app/consensus/ExportSignatureHarvester.h>
+#include <xrpl/basics/StringUtilities.h>
+#include <xrpl/beast/unit_test.h>
+#include <xrpl/protocol/STAmount.h>
+#include <xrpl/protocol/STObject.h>
+#include <xrpl/protocol/STTx.h>
+#include <xrpl/protocol/SecretKey.h>
+#include <xrpl/protocol/Sign.h>
+#include <xrpl/protocol/TxFlags.h>
+#include <xrpl/protocol/TxFormats.h>
+#include <xrpl/protocol/digest.h>
+
+#include <cstring>
+#include <memory>
+
+namespace ripple {
+namespace test {
+
+namespace {
+
+uint256
+makeHash(char const* label)
+{
+    return sha512Half(Slice(label, std::strlen(label)));
+}
+
+STTx
+makeSTTx(STObject const& obj)
+{
+    Serializer s;
+    obj.add(s);
+    SerialIter sit{s.slice()};
+    return STTx{std::ref(sit)};
+}
+
+STObject
+makeExportedPayment(AccountID const& src, AccountID const& dst)
+{
+    STObject obj(sfExportedTxn);
+    obj.setFieldU16(sfTransactionType, ttPAYMENT);
+    obj.setFieldU32(sfFlags, tfFullyCanonicalSig);
+    obj.setFieldU32(sfSequence, 0);
+    obj.setFieldU32(sfTicketSequence, 1);
+    obj.setFieldU32(sfFirstLedgerSequence, 2);
+    obj.setFieldU32(sfLastLedgerSequence, 6);
+    obj.setFieldAmount(sfAmount, XRPAmount{1000000});
+    obj.setFieldAmount(sfFee, XRPAmount{10});
+    obj.setFieldVL(sfSigningPubKey, Blob{});
+    obj.setAccountID(sfAccount, src);
+    obj.setAccountID(sfDestination, dst);
+    return obj;
+}
+
+std::shared_ptr<STTx const>
+makeExportTx(STObject const& inner, AccountID const& account)
+{
+    STObject exportObj(sfGeneric);
+    exportObj.setFieldU16(sfTransactionType, ttEXPORT);
+    exportObj.setAccountID(sfAccount, account);
+    exportObj.setFieldU32(sfSequence, 0);
+    exportObj.setFieldVL(sfSigningPubKey, Blob{});
+    exportObj.setFieldU32(sfFirstLedgerSequence, 2);
+    exportObj.setFieldU32(sfLastLedgerSequence, 6);
+    exportObj.setFieldAmount(sfFee, XRPAmount{0});
+    exportObj.set(std::make_unique<STObject>(inner));
+
+    return std::make_shared<STTx const>(makeSTTx(exportObj));
+}
+
+std::shared_ptr<STTx const>
+makeExportTxWithoutInner(AccountID const& account)
+{
+    STObject exportObj(sfGeneric);
+    exportObj.setFieldU16(sfTransactionType, ttEXPORT);
+    exportObj.setAccountID(sfAccount, account);
+    exportObj.setFieldU32(sfSequence, 0);
+    exportObj.setFieldVL(sfSigningPubKey, Blob{});
+    exportObj.setFieldU32(sfFirstLedgerSequence, 2);
+    exportObj.setFieldU32(sfLastLedgerSequence, 6);
+    exportObj.setFieldAmount(sfFee, XRPAmount{0});
+
+    return std::make_shared<STTx const>(makeSTTx(exportObj));
+}
+
+std::string
+makeBlob(uint256 const& txHash, PublicKey const& pk, Slice sig)
+{
+    std::string blob;
+    blob.append(reinterpret_cast<char const*>(txHash.data()), txHash.size());
+    blob.append(reinterpret_cast<char const*>(pk.data()), pk.size());
+    blob.append(reinterpret_cast<char const*>(sig.data()), sig.size());
+    return blob;
+}
+
+std::string
+makeBlob(uint256 const& txHash, PublicKey const& pk, Buffer const& sig)
+{
+    return makeBlob(txHash, pk, Slice(sig.data(), sig.size()));
+}
+
+}  // namespace
+
+class ExportSignatureHarvester_test : public beast::unit_test::suite
+{
+    SuiteJournal journal_{"ExportSignatureHarvester_test", *this};
+    std::pair<PublicKey, SecretKey> const sender_ =
+        randomKeyPair(KeyType::secp256k1);
+    std::pair<PublicKey, SecretKey> const other_ =
+        randomKeyPair(KeyType::secp256k1);
+    uint256 const prevLedger_ = makeHash("export-harvester-prev-ledger");
+    char const* source_ = "unit-test";
+
+    ExportSignatureHarvestInput
+    makeInput(
+        std::vector<std::string> const& blobs,
+        ExportTxnLookup const& exportTxns,
+        bool active = true,
+        std::optional<uint256> sourceLedgerHash = std::nullopt,
+        PublicKey const* sender = nullptr,
+        std::size_t maxEntries = 2) const
+    {
+        return ExportSignatureHarvestInput{
+            sender ? *sender : sender_.first,
+            prevLedger_,
+            blobs,
+            sourceLedgerHash,
+            [active](PublicKey const&) { return active; },
+            exportTxns,
+            42,
+            source_,
+            maxEntries};
+    }
+
+    beast::Journal&
+    journal()
+    {
+        return journal_;
+    }
+
+public:
+    void
+    testRejectsTooManyEntries()
+    {
+        testcase("rejects too many entries");
+
+        auto const txHash = makeHash("too-many");
+        auto const blob = makeBlob(txHash, sender_.first, Slice("sig", 3));
+        std::vector<std::string> const blobs{blob, blob, blob};
+        ExportTxnLookup lookup;
+        ExportSigCollector collector;
+
+        auto input = makeInput(blobs, lookup);
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 0);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(txHash) == 0);
+    }
+
+    void
+    testEmptyInputAndDirectVerification()
+    {
+        testcase("empty input and direct verification");
+
+        std::vector<std::string> const empty;
+        ExportTxnLookup lookup;
+        ExportSigCollector collector;
+
+        auto input = makeInput(empty, lookup, true, prevLedger_);
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 0);
+
+        auto const senderAccount = calcAccountID(sender_.first);
+        auto const dstAccount = calcAccountID(other_.first);
+        auto const innerObj = makeExportedPayment(senderAccount, dstAccount);
+        auto const innerTx = makeSTTx(innerObj);
+        auto const sigData = buildMultiSigningData(innerTx, senderAccount);
+        auto const sig = sign(sender_.first, sender_.second, sigData.slice());
+        auto const exportTx = makeExportTx(innerObj, senderAccount);
+        auto const txHash = exportTx->getTransactionID();
+
+        BEAST_EXPECT(verifyExportSignatureAgainstTx(
+            *exportTx,
+            sender_.first,
+            Slice(sig.data(), sig.size()),
+            txHash,
+            journal(),
+            source_));
+
+        BEAST_EXPECT(!verifyExportSignatureAgainstTx(
+            *exportTx,
+            sender_.first,
+            Slice("bad-sig", 7),
+            txHash,
+            journal(),
+            source_));
+
+        auto const noInner = makeExportTxWithoutInner(senderAccount);
+        BEAST_EXPECT(!verifyExportSignatureAgainstTx(
+            *noInner,
+            sender_.first,
+            Slice(sig.data(), sig.size()),
+            noInner->getTransactionID(),
+            journal(),
+            source_));
+    }
+
+    void
+    testIgnoresEmptyAndMalformedEntries()
+    {
+        testcase("ignores empty and malformed entries");
+
+        auto const txHash = makeHash("malformed");
+        std::string invalidPubkeyBlob;
+        invalidPubkeyBlob.append(
+            reinterpret_cast<char const*>(txHash.data()), txHash.size());
+        invalidPubkeyBlob.append(33, '\0');
+        invalidPubkeyBlob.append("sig", 3);
+
+        std::vector<std::string> const blobs{
+            "",
+            std::string(64, 'x'),
+            makeBlob(txHash, sender_.first, Slice{}),
+            invalidPubkeyBlob};
+        ExportTxnLookup lookup;
+        ExportSigCollector collector;
+
+        auto input =
+            makeInput(blobs, lookup, true, prevLedger_, nullptr, blobs.size());
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 0);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(txHash) == 0);
+    }
+
+    void
+    testRejectsInactiveOrWrongParent()
+    {
+        testcase("rejects inactive or wrong-parent senders");
+
+        auto const txHash = makeHash("inactive");
+        std::vector<std::string> const blobs{
+            makeBlob(txHash, sender_.first, Slice("sig", 3))};
+        ExportTxnLookup lookup;
+        ExportSigCollector collector;
+
+        auto inactive = makeInput(blobs, lookup, false);
+        BEAST_EXPECT(
+            harvestExportSignatures(inactive, collector, journal()) == 0);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+
+        auto wrongParent =
+            makeInput(blobs, lookup, true, makeHash("different-parent"));
+        BEAST_EXPECT(
+            harvestExportSignatures(wrongParent, collector, journal()) == 0);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+    }
+
+    void
+    testRejectsPubkeyMismatchAtomically()
+    {
+        testcase("rejects embedded pubkey mismatch atomically");
+
+        auto const txHash = makeHash("mismatch");
+        std::vector<std::string> const blobs{
+            makeBlob(txHash, sender_.first, Slice("sig-a", 5)),
+            makeBlob(txHash, other_.first, Slice("sig-b", 5))};
+        ExportTxnLookup lookup;
+        ExportSigCollector collector;
+
+        auto input = makeInput(blobs, lookup, true, prevLedger_);
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 0);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(txHash) == 0);
+    }
+
+    void
+    testMissingTxStoresUnverified()
+    {
+        testcase("missing tx stores unverified");
+
+        auto const txHash = makeHash("missing-tx");
+        std::vector<std::string> const blobs{
+            makeBlob(txHash, sender_.first, Slice("sig", 3))};
+        ExportTxnLookup lookup;
+        ExportSigCollector collector;
+
+        auto input = makeInput(blobs, lookup, true, prevLedger_);
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 1);
+        BEAST_EXPECT(collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(txHash) == 0);
+    }
+
+    void
+    testOpenLedgerTxStoresVerifiedAndSkipsDuplicate()
+    {
+        testcase("open-ledger tx stores verified and skips duplicate");
+
+        auto const senderAccount = calcAccountID(sender_.first);
+        auto const dstAccount = calcAccountID(other_.first);
+        auto const innerObj = makeExportedPayment(senderAccount, dstAccount);
+        auto const innerTx = makeSTTx(innerObj);
+        auto const sigData = buildMultiSigningData(innerTx, senderAccount);
+        auto const sig = sign(sender_.first, sender_.second, sigData.slice());
+        auto const exportTx = makeExportTx(innerObj, senderAccount);
+        auto const txHash = exportTx->getTransactionID();
+
+        ExportTxnLookup lookup;
+        lookup.emplace(txHash, exportTx);
+        std::vector<std::string> const blobs{
+            makeBlob(txHash, sender_.first, sig)};
+        ExportSigCollector collector;
+
+        auto input = makeInput(blobs, lookup, true, prevLedger_);
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 1);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(txHash) == 1);
+
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 0);
+        BEAST_EXPECT(collector.signatureCount(txHash) == 1);
+    }
+
+    void
+    testRejectsInvalidOpenLedgerSignatures()
+    {
+        testcase("rejects invalid open-ledger signatures");
+
+        auto const senderAccount = calcAccountID(sender_.first);
+        auto const dstAccount = calcAccountID(other_.first);
+        auto const innerObj = makeExportedPayment(senderAccount, dstAccount);
+        auto const exportTx = makeExportTx(innerObj, senderAccount);
+        auto const txHash = exportTx->getTransactionID();
+
+        ExportTxnLookup lookup;
+        lookup.emplace(txHash, exportTx);
+        std::vector<std::string> const blobs{
+            makeBlob(txHash, sender_.first, Slice("bad-sig", 7))};
+        ExportSigCollector collector;
+
+        auto input = makeInput(blobs, lookup, true, prevLedger_);
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 0);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(txHash) == 0);
+    }
+
+    void
+    testRejectsOpenLedgerTxWithoutExportedTxn()
+    {
+        testcase("rejects open-ledger tx without exported transaction");
+
+        auto const senderAccount = calcAccountID(sender_.first);
+        auto const exportTx = makeExportTxWithoutInner(senderAccount);
+        auto const txHash = exportTx->getTransactionID();
+
+        ExportTxnLookup lookup;
+        lookup.emplace(txHash, exportTx);
+        std::vector<std::string> const blobs{
+            makeBlob(txHash, sender_.first, Slice("sig", 3))};
+        ExportSigCollector collector;
+
+        auto input = makeInput(blobs, lookup, true, prevLedger_);
+        BEAST_EXPECT(harvestExportSignatures(input, collector, journal()) == 0);
+        BEAST_EXPECT(!collector.hasUnverifiedSignatures());
+        BEAST_EXPECT(collector.signatureCount(txHash) == 0);
+    }
+
+    void
+    run() override
+    {
+        testRejectsTooManyEntries();
+        testEmptyInputAndDirectVerification();
+        testIgnoresEmptyAndMalformedEntries();
+        testRejectsInactiveOrWrongParent();
+        testRejectsPubkeyMismatchAtomically();
+        testMissingTxStoresUnverified();
+        testOpenLedgerTxStoresVerifiedAndSkipsDuplicate();
+        testRejectsInvalidOpenLedgerSignatures();
+        testRejectsOpenLedgerTxWithoutExportedTxn();
+    }
+};
+
+BEAST_DEFINE_TESTSUITE(ExportSignatureHarvester, app, ripple);
+
+}  // namespace test
+}  // namespace ripple

src/test/app/ExportSignatureUpgrader_test.cpp

@@ -0,0 +1,210 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of rippled: https://github.com/ripple/rippled
+
+    Permission to use, copy, modify, and/or distribute this software for any
+    purpose  with  or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#include <xrpld/app/tx/detail/ExportResultBuilder.h>
+#include <xrpld/app/tx/detail/ExportSignatureUpgrader.h>
+#include <xrpl/beast/unit_test.h>
+#include <xrpl/protocol/STAmount.h>
+#include <xrpl/protocol/STObject.h>
+#include <xrpl/protocol/STTx.h>
+#include <xrpl/protocol/Serializer.h>
+#include <xrpl/protocol/TxFlags.h>
+#include <xrpl/protocol/TxFormats.h>
+#include <xrpl/protocol/digest.h>
+
+#include <cstdint>
+#include <cstring>
+#include <set>
+
+namespace ripple {
+namespace test {
+namespace {
+
+uint256
+makeHash(char const* label)
+{
+    return sha512Half(Slice(label, std::strlen(label)));
+}
+
+STTx
+makeSTTx(STObject const& obj)
+{
+    Serializer s;
+    obj.add(s);
+    SerialIter sit{s.slice()};
+    return STTx{std::ref(sit)};
+}
+
+STTx
+makeExportedPayment(AccountID const& src, AccountID const& dst)
+{
+    STObject obj(sfExportedTxn);
+    obj.setFieldU16(sfTransactionType, ttPAYMENT);
+    obj.setFieldU32(sfFlags, tfFullyCanonicalSig);
+    obj.setFieldU32(sfSequence, 0);
+    obj.setFieldU32(sfTicketSequence, 1);
+    obj.setFieldU32(sfFirstLedgerSequence, 2);
+    obj.setFieldU32(sfLastLedgerSequence, 6);
+    obj.setFieldAmount(sfAmount, XRPAmount{1000000});
+    obj.setFieldAmount(sfFee, XRPAmount{10});
+    obj.setFieldVL(sfSigningPubKey, Blob{});
+    obj.setAccountID(sfAccount, src);
+    obj.setAccountID(sfDestination, dst);
+    return makeSTTx(obj);
+}
+
+Buffer
+makeInvalidSignature(std::uint8_t first = 1)
+{
+    std::uint8_t bytes[] = {
+        first,
+        static_cast<std::uint8_t>(first + 1),
+        static_cast<std::uint8_t>(first + 2),
+        static_cast<std::uint8_t>(first + 3),
+        static_cast<std::uint8_t>(first + 4)};
+    return Buffer(bytes, sizeof(bytes));
+}
+
+beast::Journal
+nullJournal()
+{
+    return beast::Journal{beast::Journal::getNullSink()};
+}
+
+}  // namespace
+
+class ExportSignatureUpgrader_test : public beast::unit_test::suite
+{
+public:
+    void
+    testUpgradeFiltersAndRemovesInvalid()
+    {
+        testcase("upgrade filters and removes invalid signatures");
+
+        auto const validSigner = randomKeyPair(KeyType::secp256k1);
+        auto const invalidSigner = randomKeyPair(KeyType::secp256k1);
+        auto const inactiveSigner = randomKeyPair(KeyType::secp256k1);
+        auto const dst = randomKeyPair(KeyType::secp256k1);
+        auto const innerTx = makeExportedPayment(
+            calcAccountID(validSigner.first), calcAccountID(dst.first));
+        auto const txHash = makeHash("export-upgrade");
+
+        auto validSig = ExportResultBuilder::signExportedTxn(
+            innerTx, validSigner.first, validSigner.second);
+        auto invalidSig = makeInvalidSignature();
+        auto inactiveSig = ExportResultBuilder::signExportedTxn(
+            innerTx, inactiveSigner.first, inactiveSigner.second);
+
+        ExportSigCollector collector;
+        collector.addUnverifiedSignature(
+            txHash, validSigner.first, validSig, 7);
+        collector.addUnverifiedSignature(
+            txHash, invalidSigner.first, invalidSig, 7);
+        collector.addUnverifiedSignature(
+            txHash, inactiveSigner.first, inactiveSig, 7);
+
+        std::set<PublicKey> active{
+            validSigner.first,
+            invalidSigner.first,
+        };
+        auto stats = ExportSignatureUpgrader::upgradeUnverifiedSignatures(
+            collector,
+            innerTx,
+            txHash,
+            12,
+            [&active](PublicKey const& pk) { return active.count(pk) > 0; },
+            nullJournal());
+
+        BEAST_EXPECT(stats.inspected == 3);
+        BEAST_EXPECT(stats.inactiveSkipped == 1);
+        BEAST_EXPECT(stats.upgraded == 1);
+        BEAST_EXPECT(stats.removedInvalid == 1);
+
+        BEAST_EXPECT(collector.hasVerifiedSignature(txHash, validSigner.first));
+        BEAST_EXPECT(
+            !collector.hasVerifiedSignature(txHash, invalidSigner.first));
+        BEAST_EXPECT(
+            !collector.hasVerifiedSignature(txHash, inactiveSigner.first));
+
+        auto const unverified = collector.unverifiedSignatures(txHash);
+        BEAST_EXPECT(!unverified.contains(invalidSigner.first));
+        BEAST_EXPECT(unverified.contains(inactiveSigner.first));
+        BEAST_EXPECT(collector.signatureCount(txHash) == 1);
+    }
+
+    void
+    testInvalidRemovalRequiresStoredBufferMatch()
+    {
+        testcase("invalid removal requires stored buffer match");
+
+        auto const invalidSigner = randomKeyPair(KeyType::secp256k1);
+        auto const dst = randomKeyPair(KeyType::secp256k1);
+        auto const innerTx = makeExportedPayment(
+            calcAccountID(invalidSigner.first), calcAccountID(dst.first));
+        auto const txHash = makeHash("export-upgrade-race");
+
+        auto invalidSig = makeInvalidSignature();
+        auto replacementSig = makeInvalidSignature(20);
+
+        ExportSigCollector collector;
+        collector.addUnverifiedSignature(
+            txHash, invalidSigner.first, invalidSig, 7);
+
+        bool mutated = false;
+        auto stats = ExportSignatureUpgrader::upgradeUnverifiedSignatures(
+            collector,
+            innerTx,
+            txHash,
+            12,
+            [&](PublicKey const& pk) {
+                if (pk == invalidSigner.first && !mutated)
+                {
+                    mutated = true;
+                    collector.addUnverifiedSignature(
+                        txHash, invalidSigner.first, replacementSig, 12);
+                }
+                return true;
+            },
+            nullJournal());
+
+        BEAST_EXPECT(mutated);
+        BEAST_EXPECT(stats.inspected == 1);
+        BEAST_EXPECT(stats.upgraded == 0);
+        BEAST_EXPECT(stats.removedInvalid == 0);
+        BEAST_EXPECT(
+            !collector.hasVerifiedSignature(txHash, invalidSigner.first));
+
+        auto const unverified = collector.unverifiedSignatures(txHash);
+        auto const it = unverified.find(invalidSigner.first);
+        BEAST_EXPECT(it != unverified.end());
+        if (it != unverified.end())
+            BEAST_EXPECT(it->second == replacementSig);
+    }
+
+    void
+    run() override
+    {
+        testUpgradeFiltersAndRemovesInvalid();
+        testInvalidRemovalRequiresStoredBufferMatch();
+    }
+};
+
+BEAST_DEFINE_TESTSUITE(ExportSignatureUpgrader, app, ripple);
+
+}  // namespace test
+}  // namespace ripple

src/test/app/Export_test_hooks.h

@@ -0,0 +1,483 @@
+
+// This file is generated by build_test_hooks.py
+#ifndef EXPORT_TEST_WASM_INCLUDED
+#define EXPORT_TEST_WASM_INCLUDED
+#include <map>
+#include <stdint.h>
+#include <string>
+#include <vector>
+namespace ripple {
+namespace test {
+std::map<std::string, std::vector<uint8_t>> export_test_wasm = {
+    /* ==== WASM: 0 ==== */
+    {R"[test.hook](
+        #include <stdint.h>
+        extern int32_t _g(uint32_t id, uint32_t maxiter);
+        extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+        extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+        extern int64_t xport(uint32_t write_ptr, uint32_t write_len, uint32_t read_ptr, uint32_t read_len);
+        extern int64_t xport_reserve(uint32_t count);
+        extern int64_t hook_account(uint32_t write_ptr, uint32_t write_len);
+        extern int64_t otxn_param(uint32_t write_ptr, uint32_t write_len, uint32_t name_ptr, uint32_t name_len);
+        extern int64_t otxn_type(void);
+        extern int64_t ledger_seq(void);
+
+        #define SBUF(x) (uint32_t)(x), sizeof(x)
+        #define ASSERT(x) if (!(x)) rollback((uint32_t)#x, sizeof(#x), __LINE__)
+
+        #define ttPAYMENT 0
+        #define tfCANONICAL 0x80000000UL
+
+        #define amAMOUNT 1
+        #define amFEE 8
+        #define atACCOUNT 1
+        #define atDESTINATION 3
+
+        #define ENCODE_TT(buf_out, tt) \
+            buf_out[0] = 0x12U; \
+            buf_out[1] = (tt >> 8) & 0xFFU; \
+            buf_out[2] = tt & 0xFFU; \
+            buf_out += 3;
+
+        #define ENCODE_FLAGS(buf_out, flags) \
+            buf_out[0] = 0x22U; \
+            buf_out[1] = (flags >> 24) & 0xFFU; \
+            buf_out[2] = (flags >> 16) & 0xFFU; \
+            buf_out[3] = (flags >> 8) & 0xFFU; \
+            buf_out[4] = flags & 0xFFU; \
+            buf_out += 5;
+
+        #define ENCODE_SEQUENCE(buf_out, seq) \
+            buf_out[0] = 0x24U; \
+            buf_out[1] = (seq >> 24) & 0xFFU; \
+            buf_out[2] = (seq >> 16) & 0xFFU; \
+            buf_out[3] = (seq >> 8) & 0xFFU; \
+            buf_out[4] = seq & 0xFFU; \
+            buf_out += 5;
+
+        #define ENCODE_FLS(buf_out, fls) \
+            buf_out[0] = 0x20U; \
+            buf_out[1] = 0x1AU; \
+            buf_out[2] = (fls >> 24) & 0xFFU; \
+            buf_out[3] = (fls >> 16) & 0xFFU; \
+            buf_out[4] = (fls >> 8) & 0xFFU; \
+            buf_out[5] = fls & 0xFFU; \
+            buf_out += 6;
+
+        #define ENCODE_LLS(buf_out, lls) \
+            buf_out[0] = 0x20U; \
+            buf_out[1] = 0x1BU; \
+            buf_out[2] = (lls >> 24) & 0xFFU; \
+            buf_out[3] = (lls >> 16) & 0xFFU; \
+            buf_out[4] = (lls >> 8) & 0xFFU; \
+            buf_out[5] = lls & 0xFFU; \
+            buf_out += 6;
+
+        #define ENCODE_DROPS(buf_out, drops, amt_type) \
+            buf_out[0] = 0x60U + amt_type; \
+            buf_out[1] = 0x40U + ((drops >> 56) & 0x3FU); \
+            buf_out[2] = (drops >> 48) & 0xFFU; \
+            buf_out[3] = (drops >> 40) & 0xFFU; \
+            buf_out[4] = (drops >> 32) & 0xFFU; \
+            buf_out[5] = (drops >> 24) & 0xFFU; \
+            buf_out[6] = (drops >> 16) & 0xFFU; \
+            buf_out[7] = (drops >> 8) & 0xFFU; \
+            buf_out[8] = drops & 0xFFU; \
+            buf_out += 9;
+
+        #define ENCODE_SIGNING_PUBKEY_EMPTY(buf_out) \
+            buf_out[0] = 0x73U; \
+            buf_out[1] = 0x00U; \
+            buf_out += 2;
+
+        #define ENCODE_ACCOUNT(buf_out, acc, acc_type) \
+            buf_out[0] = 0x80U + acc_type; \
+            buf_out[1] = 0x14U; \
+            for (int i = 0; i < 20; ++i) buf_out[2+i] = acc[i]; \
+            buf_out += 22;
+
+        #define PREPARE_PAYMENT_SIMPLE_SIZE 270U
+
+        int64_t hook(uint32_t reserved) {
+            _g(1, 1);
+
+            if (otxn_type() != ttPAYMENT)
+                return accept(0, 0, 0);
+
+            ASSERT(xport_reserve(1) == 1);
+
+            uint8_t dst[20];
+            int64_t dst_len = otxn_param(SBUF(dst), "DST", 3);
+            ASSERT(dst_len == 20);
+
+            uint8_t acc[20];
+            ASSERT(hook_account(SBUF(acc)) == 20);
+
+            uint32_t cls = (uint32_t)ledger_seq();
+
+            uint8_t tx[PREPARE_PAYMENT_SIMPLE_SIZE];
+            uint8_t* buf = tx;
+
+            ENCODE_TT(buf, ttPAYMENT);
+            ENCODE_FLAGS(buf, tfCANONICAL);
+            ENCODE_SEQUENCE(buf, 0);
+            ENCODE_FLS(buf, cls + 1);
+            ENCODE_LLS(buf, cls + 5);
+            // sfTicketSequence = UINT32 field 41 = 0x20 0x29
+            buf[0] = 0x20U; buf[1] = 0x29U;
+            buf[2] = 0; buf[3] = 0; buf[4] = 0; buf[5] = 1;
+            buf += 6;
+
+            uint64_t drops = 1000000;
+            ENCODE_DROPS(buf, drops, amAMOUNT);
+            ENCODE_DROPS(buf, 10, amFEE);
+
+            ENCODE_SIGNING_PUBKEY_EMPTY(buf);
+            ENCODE_ACCOUNT(buf, acc, atACCOUNT);
+            ENCODE_ACCOUNT(buf, dst, atDESTINATION);
+
+            uint8_t hash[32];
+            int64_t xport_result = xport(SBUF(hash), (uint32_t)tx, buf - tx);
+            ASSERT(xport_result == 32);
+
+            return accept(0, 0, 0);
+        }
+    )[test.hook]",
+     {
+         0x00U, 0x61U, 0x73U, 0x6DU, 0x01U, 0x00U, 0x00U, 0x00U, 0x01U, 0x25U,
+         0x06U, 0x60U, 0x02U, 0x7FU, 0x7FU, 0x01U, 0x7FU, 0x60U, 0x00U, 0x01U,
+         0x7EU, 0x60U, 0x03U, 0x7FU, 0x7FU, 0x7EU, 0x01U, 0x7EU, 0x60U, 0x01U,
+         0x7FU, 0x01U, 0x7EU, 0x60U, 0x04U, 0x7FU, 0x7FU, 0x7FU, 0x7FU, 0x01U,
+         0x7EU, 0x60U, 0x02U, 0x7FU, 0x7FU, 0x01U, 0x7EU, 0x02U, 0x8BU, 0x01U,
+         0x09U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x02U, 0x5FU, 0x67U, 0x00U, 0x00U,
+         0x03U, 0x65U, 0x6EU, 0x76U, 0x09U, 0x6FU, 0x74U, 0x78U, 0x6EU, 0x5FU,
+         0x74U, 0x79U, 0x70U, 0x65U, 0x00U, 0x01U, 0x03U, 0x65U, 0x6EU, 0x76U,
+         0x06U, 0x61U, 0x63U, 0x63U, 0x65U, 0x70U, 0x74U, 0x00U, 0x02U, 0x03U,
+         0x65U, 0x6EU, 0x76U, 0x0DU, 0x78U, 0x70U, 0x6FU, 0x72U, 0x74U, 0x5FU,
+         0x72U, 0x65U, 0x73U, 0x65U, 0x72U, 0x76U, 0x65U, 0x00U, 0x03U, 0x03U,
+         0x65U, 0x6EU, 0x76U, 0x08U, 0x72U, 0x6FU, 0x6CU, 0x6CU, 0x62U, 0x61U,
+         0x63U, 0x6BU, 0x00U, 0x02U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x0AU, 0x6FU,
+         0x74U, 0x78U, 0x6EU, 0x5FU, 0x70U, 0x61U, 0x72U, 0x61U, 0x6DU, 0x00U,
+         0x04U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x0CU, 0x68U, 0x6FU, 0x6FU, 0x6BU,
+         0x5FU, 0x61U, 0x63U, 0x63U, 0x6FU, 0x75U, 0x6EU, 0x74U, 0x00U, 0x05U,
+         0x03U, 0x65U, 0x6EU, 0x76U, 0x0AU, 0x6CU, 0x65U, 0x64U, 0x67U, 0x65U,
+         0x72U, 0x5FU, 0x73U, 0x65U, 0x71U, 0x00U, 0x01U, 0x03U, 0x65U, 0x6EU,
+         0x76U, 0x05U, 0x78U, 0x70U, 0x6FU, 0x72U, 0x74U, 0x00U, 0x04U, 0x03U,
+         0x02U, 0x01U, 0x03U, 0x05U, 0x03U, 0x01U, 0x00U, 0x02U, 0x06U, 0x21U,
+         0x05U, 0x7FU, 0x01U, 0x41U, 0xE0U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U,
+         0x41U, 0xD9U, 0x08U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x08U, 0x0BU,
+         0x7FU, 0x00U, 0x41U, 0xE0U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U, 0x41U,
+         0x80U, 0x08U, 0x0BU, 0x07U, 0x08U, 0x01U, 0x04U, 0x68U, 0x6FU, 0x6FU,
+         0x6BU, 0x00U, 0x09U, 0x0AU, 0xC5U, 0x84U, 0x00U, 0x01U, 0xC1U, 0x84U,
+         0x00U, 0x03U, 0x01U, 0x7FU, 0x01U, 0x7EU, 0x02U, 0x7FU, 0x23U, 0x80U,
+         0x80U, 0x80U, 0x80U, 0x00U, 0x41U, 0xF0U, 0x02U, 0x6BU, 0x22U, 0x01U,
+         0x24U, 0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x41U, 0x01U, 0x41U, 0x01U,
+         0x10U, 0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x02U, 0x40U, 0x02U,
+         0x40U, 0x10U, 0x81U, 0x80U, 0x80U, 0x80U, 0x00U, 0x50U, 0x0DU, 0x00U,
+         0x41U, 0x00U, 0x41U, 0x00U, 0x42U, 0x00U, 0x10U, 0x82U, 0x80U, 0x80U,
+         0x80U, 0x00U, 0x21U, 0x02U, 0x0CU, 0x01U, 0x0BU, 0x02U, 0x40U, 0x41U,
+         0x01U, 0x10U, 0x83U, 0x80U, 0x80U, 0x80U, 0x00U, 0x42U, 0x01U, 0x51U,
+         0x0DU, 0x00U, 0x41U, 0x80U, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x16U,
+         0x42U, 0xDFU, 0x00U, 0x10U, 0x84U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU,
+         0x0BU, 0x02U, 0x40U, 0x20U, 0x01U, 0x41U, 0xD0U, 0x02U, 0x6AU, 0x41U,
+         0x14U, 0x41U, 0x96U, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x03U, 0x10U,
+         0x85U, 0x80U, 0x80U, 0x80U, 0x00U, 0x42U, 0x14U, 0x51U, 0x0DU, 0x00U,
+         0x41U, 0x9AU, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x0EU, 0x42U, 0xE3U,
+         0x00U, 0x10U, 0x84U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x02U,
+         0x40U, 0x20U, 0x01U, 0x41U, 0xB0U, 0x02U, 0x6AU, 0x41U, 0x14U, 0x10U,
+         0x86U, 0x80U, 0x80U, 0x80U, 0x00U, 0x42U, 0x14U, 0x51U, 0x0DU, 0x00U,
+         0x41U, 0xA8U, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x1EU, 0x42U, 0xE6U,
+         0x00U, 0x10U, 0x84U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x10U,
+         0x87U, 0x80U, 0x80U, 0x80U, 0x00U, 0x21U, 0x02U, 0x20U, 0x01U, 0x41U,
+         0xCEU, 0x00U, 0x6AU, 0x41U, 0x00U, 0x3BU, 0x01U, 0x00U, 0x20U, 0x01U,
+         0x41U, 0xC0U, 0x00U, 0x3AU, 0x00U, 0x49U, 0x20U, 0x01U, 0x42U, 0x80U,
+         0x80U, 0x80U, 0x80U, 0xF0U, 0xC1U, 0x90U, 0xA0U, 0xE8U, 0x00U, 0x37U,
+         0x00U, 0x41U, 0x20U, 0x01U, 0x42U, 0xA0U, 0xD2U, 0x80U, 0x80U, 0x80U,
+         0xA0U, 0xC0U, 0xB0U, 0xC0U, 0x00U, 0x37U, 0x00U, 0x39U, 0x20U, 0x01U,
+         0x41U, 0xA0U, 0x36U, 0x3BU, 0x00U, 0x33U, 0x20U, 0x01U, 0x41U, 0xA0U,
+         0x34U, 0x3BU, 0x00U, 0x2DU, 0x20U, 0x01U, 0x41U, 0x00U, 0x36U, 0x00U,
+         0x29U, 0x20U, 0x01U, 0x41U, 0x24U, 0x3AU, 0x00U, 0x28U, 0x20U, 0x01U,
+         0x42U, 0x92U, 0x80U, 0x80U, 0x90U, 0x82U, 0x10U, 0x37U, 0x03U, 0x20U,
+         0x20U, 0x01U, 0x41U, 0x00U, 0x36U, 0x01U, 0x4AU, 0x20U, 0x01U, 0x20U,
+         0x02U, 0xA7U, 0x22U, 0x03U, 0x41U, 0x05U, 0x6AU, 0x22U, 0x04U, 0x3AU,
+         0x00U, 0x38U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x08U, 0x76U, 0x3AU,
+         0x00U, 0x37U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x10U, 0x76U, 0x3AU,
+         0x00U, 0x36U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x18U, 0x76U, 0x3AU,
+         0x00U, 0x35U, 0x20U, 0x01U, 0x20U, 0x03U, 0x41U, 0x01U, 0x6AU, 0x22U,
+         0x04U, 0x3AU, 0x00U, 0x32U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x08U,
+         0x76U, 0x3AU, 0x00U, 0x31U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x10U,
+         0x76U, 0x3AU, 0x00U, 0x30U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x18U,
+         0x76U, 0x3AU, 0x00U, 0x2FU, 0x20U, 0x01U, 0x41U, 0xDDU, 0x00U, 0x6AU,
+         0x20U, 0x01U, 0x29U, 0x03U, 0xB8U, 0x02U, 0x37U, 0x00U, 0x00U, 0x20U,
+         0x01U, 0x41U, 0xE5U, 0x00U, 0x6AU, 0x20U, 0x01U, 0x41U, 0xB0U, 0x02U,
+         0x6AU, 0x41U, 0x10U, 0x6AU, 0x28U, 0x02U, 0x00U, 0x36U, 0x00U, 0x00U,
+         0x20U, 0x01U, 0x41U, 0xF3U, 0x00U, 0x6AU, 0x20U, 0x01U, 0x29U, 0x03U,
+         0xD8U, 0x02U, 0x37U, 0x00U, 0x00U, 0x20U, 0x01U, 0x41U, 0xFBU, 0x00U,
+         0x6AU, 0x20U, 0x01U, 0x41U, 0xD0U, 0x02U, 0x6AU, 0x41U, 0x10U, 0x6AU,
+         0x28U, 0x02U, 0x00U, 0x36U, 0x00U, 0x00U, 0x20U, 0x01U, 0x41U, 0x14U,
+         0x3AU, 0x00U, 0x54U, 0x20U, 0x01U, 0x41U, 0x8AU, 0xE6U, 0x81U, 0x88U,
+         0x78U, 0x36U, 0x02U, 0x50U, 0x20U, 0x01U, 0x41U, 0x83U, 0x29U, 0x3BU,
+         0x00U, 0x69U, 0x20U, 0x01U, 0x20U, 0x01U, 0x29U, 0x03U, 0xB0U, 0x02U,
+         0x37U, 0x00U, 0x55U, 0x20U, 0x01U, 0x20U, 0x01U, 0x29U, 0x03U, 0xD0U,
+         0x02U, 0x37U, 0x00U, 0x6BU, 0x02U, 0x40U, 0x20U, 0x01U, 0x41U, 0x20U,
+         0x20U, 0x01U, 0x41U, 0x20U, 0x6AU, 0x41U, 0xDFU, 0x00U, 0x10U, 0x88U,
+         0x80U, 0x80U, 0x80U, 0x00U, 0x42U, 0x20U, 0x51U, 0x0DU, 0x00U, 0x41U,
+         0xC6U, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x13U, 0x42U, 0x81U, 0x01U,
+         0x10U, 0x84U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x41U, 0x00U,
+         0x41U, 0x00U, 0x42U, 0x00U, 0x10U, 0x82U, 0x80U, 0x80U, 0x80U, 0x00U,
+         0x21U, 0x02U, 0x0BU, 0x20U, 0x01U, 0x41U, 0xF0U, 0x02U, 0x6AU, 0x24U,
+         0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x20U, 0x02U, 0x0BU, 0x0BU, 0x60U,
+         0x01U, 0x00U, 0x41U, 0x80U, 0x08U, 0x0BU, 0x59U, 0x78U, 0x70U, 0x6FU,
+         0x72U, 0x74U, 0x5FU, 0x72U, 0x65U, 0x73U, 0x65U, 0x72U, 0x76U, 0x65U,
+         0x28U, 0x31U, 0x29U, 0x20U, 0x3DU, 0x3DU, 0x20U, 0x31U, 0x00U, 0x44U,
+         0x53U, 0x54U, 0x00U, 0x64U, 0x73U, 0x74U, 0x5FU, 0x6CU, 0x65U, 0x6EU,
+         0x20U, 0x3DU, 0x3DU, 0x20U, 0x32U, 0x30U, 0x00U, 0x68U, 0x6FU, 0x6FU,
+         0x6BU, 0x5FU, 0x61U, 0x63U, 0x63U, 0x6FU, 0x75U, 0x6EU, 0x74U, 0x28U,
+         0x53U, 0x42U, 0x55U, 0x46U, 0x28U, 0x61U, 0x63U, 0x63U, 0x29U, 0x29U,
+         0x20U, 0x3DU, 0x3DU, 0x20U, 0x32U, 0x30U, 0x00U, 0x78U, 0x70U, 0x6FU,
+         0x72U, 0x74U, 0x5FU, 0x72U, 0x65U, 0x73U, 0x75U, 0x6CU, 0x74U, 0x20U,
+         0x3DU, 0x3DU, 0x20U, 0x33U, 0x32U, 0x00U,
+     }},
+
+    /* ==== WASM: 1 ==== */
+    {R"[test.hook](
+        #include <stdint.h>
+        extern int32_t _g(uint32_t id, uint32_t maxiter);
+        extern int64_t accept(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+        extern int64_t rollback(uint32_t read_ptr, uint32_t read_len, int64_t error_code);
+        extern int64_t xport(uint32_t write_ptr, uint32_t write_len, uint32_t read_ptr, uint32_t read_len);
+        extern int64_t xport_reserve(uint32_t count);
+        extern int64_t hook_account(uint32_t write_ptr, uint32_t write_len);
+        extern int64_t otxn_param(uint32_t write_ptr, uint32_t write_len, uint32_t name_ptr, uint32_t name_len);
+        extern int64_t otxn_type(void);
+        extern int64_t ledger_seq(void);
+
+        #define SBUF(x) (uint32_t)(x), sizeof(x)
+        #define ASSERT(x) if (!(x)) rollback((uint32_t)#x, sizeof(#x), __LINE__)
+
+        #define ttPAYMENT 0
+        #define tfCANONICAL 0x80000000UL
+
+        #define amAMOUNT 1
+        #define amFEE 8
+        #define atACCOUNT 1
+        #define atDESTINATION 3
+
+        #define ENCODE_TT(buf_out, tt) \
+            buf_out[0] = 0x12U; \
+            buf_out[1] = (tt >> 8) & 0xFFU; \
+            buf_out[2] = tt & 0xFFU; \
+            buf_out += 3;
+
+        #define ENCODE_FLAGS(buf_out, flags) \
+            buf_out[0] = 0x22U; \
+            buf_out[1] = (flags >> 24) & 0xFFU; \
+            buf_out[2] = (flags >> 16) & 0xFFU; \
+            buf_out[3] = (flags >> 8) & 0xFFU; \
+            buf_out[4] = flags & 0xFFU; \
+            buf_out += 5;
+
+        #define ENCODE_SEQUENCE(buf_out, seq) \
+            buf_out[0] = 0x24U; \
+            buf_out[1] = (seq >> 24) & 0xFFU; \
+            buf_out[2] = (seq >> 16) & 0xFFU; \
+            buf_out[3] = (seq >> 8) & 0xFFU; \
+            buf_out[4] = seq & 0xFFU; \
+            buf_out += 5;
+
+        // sfNetworkID = UINT32 field 1 = 0x21
+        #define ENCODE_NETWORK_ID(buf_out, id) \
+            buf_out[0] = 0x21U; \
+            buf_out[1] = (id >> 24) & 0xFFU; \
+            buf_out[2] = (id >> 16) & 0xFFU; \
+            buf_out[3] = (id >> 8) & 0xFFU; \
+            buf_out[4] = id & 0xFFU; \
+            buf_out += 5;
+
+        #define ENCODE_FLS(buf_out, fls) \
+            buf_out[0] = 0x20U; \
+            buf_out[1] = 0x1AU; \
+            buf_out[2] = (fls >> 24) & 0xFFU; \
+            buf_out[3] = (fls >> 16) & 0xFFU; \
+            buf_out[4] = (fls >> 8) & 0xFFU; \
+            buf_out[5] = fls & 0xFFU; \
+            buf_out += 6;
+
+        #define ENCODE_LLS(buf_out, lls) \
+            buf_out[0] = 0x20U; \
+            buf_out[1] = 0x1BU; \
+            buf_out[2] = (lls >> 24) & 0xFFU; \
+            buf_out[3] = (lls >> 16) & 0xFFU; \
+            buf_out[4] = (lls >> 8) & 0xFFU; \
+            buf_out[5] = lls & 0xFFU; \
+            buf_out += 6;
+
+        #define ENCODE_DROPS(buf_out, drops, amt_type) \
+            buf_out[0] = 0x60U + amt_type; \
+            buf_out[1] = 0x40U + ((drops >> 56) & 0x3FU); \
+            buf_out[2] = (drops >> 48) & 0xFFU; \
+            buf_out[3] = (drops >> 40) & 0xFFU; \
+            buf_out[4] = (drops >> 32) & 0xFFU; \
+            buf_out[5] = (drops >> 24) & 0xFFU; \
+            buf_out[6] = (drops >> 16) & 0xFFU; \
+            buf_out[7] = (drops >> 8) & 0xFFU; \
+            buf_out[8] = drops & 0xFFU; \
+            buf_out += 9;
+
+        #define ENCODE_SIGNING_PUBKEY_EMPTY(buf_out) \
+            buf_out[0] = 0x73U; \
+            buf_out[1] = 0x00U; \
+            buf_out += 2;
+
+        #define ENCODE_ACCOUNT(buf_out, acc, acc_type) \
+            buf_out[0] = 0x80U + acc_type; \
+            buf_out[1] = 0x14U; \
+            for (int i = 0; i < 20; ++i) buf_out[2+i] = acc[i]; \
+            buf_out += 22;
+
+        #define PREPARE_PAYMENT_SIMPLE_SIZE 270U
+
+        int64_t hook(uint32_t reserved) {
+            _g(1, 1);
+
+            if (otxn_type() != ttPAYMENT)
+                return accept(0, 0, 0);
+
+            ASSERT(xport_reserve(1) == 1);
+
+            uint8_t dst[20];
+            int64_t dst_len = otxn_param(SBUF(dst), "DST", 3);
+            ASSERT(dst_len == 20);
+
+            uint8_t acc[20];
+            ASSERT(hook_account(SBUF(acc)) == 20);
+
+            uint32_t cls = (uint32_t)ledger_seq();
+
+            uint8_t tx[PREPARE_PAYMENT_SIMPLE_SIZE];
+            uint8_t* buf = tx;
+
+            ENCODE_TT(buf, ttPAYMENT);
+            ENCODE_NETWORK_ID(buf, 21337);  // must precede Sequence (canonical order)
+            ENCODE_FLAGS(buf, tfCANONICAL);
+            ENCODE_SEQUENCE(buf, 0);
+            ENCODE_FLS(buf, cls + 1);
+            ENCODE_LLS(buf, cls + 5);
+
+            uint64_t drops = 1000000;
+            ENCODE_DROPS(buf, drops, amAMOUNT);
+            ENCODE_DROPS(buf, 10, amFEE);
+
+            ENCODE_SIGNING_PUBKEY_EMPTY(buf);
+            ENCODE_ACCOUNT(buf, acc, atACCOUNT);
+            ENCODE_ACCOUNT(buf, dst, atDESTINATION);
+
+            uint8_t hash[32];
+            int64_t xport_result = xport(SBUF(hash), (uint32_t)tx, buf - tx);
+            // xport should return EXPORT_FAILURE (-46), ASSERT will rollback
+            ASSERT(xport_result == 32);
+
+            return accept(0, 0, 0);
+        }
+    )[test.hook]",
+     {
+         0x00U, 0x61U, 0x73U, 0x6DU, 0x01U, 0x00U, 0x00U, 0x00U, 0x01U, 0x25U,
+         0x06U, 0x60U, 0x02U, 0x7FU, 0x7FU, 0x01U, 0x7FU, 0x60U, 0x00U, 0x01U,
+         0x7EU, 0x60U, 0x03U, 0x7FU, 0x7FU, 0x7EU, 0x01U, 0x7EU, 0x60U, 0x01U,
+         0x7FU, 0x01U, 0x7EU, 0x60U, 0x04U, 0x7FU, 0x7FU, 0x7FU, 0x7FU, 0x01U,
+         0x7EU, 0x60U, 0x02U, 0x7FU, 0x7FU, 0x01U, 0x7EU, 0x02U, 0x8BU, 0x01U,
+         0x09U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x02U, 0x5FU, 0x67U, 0x00U, 0x00U,
+         0x03U, 0x65U, 0x6EU, 0x76U, 0x09U, 0x6FU, 0x74U, 0x78U, 0x6EU, 0x5FU,
+         0x74U, 0x79U, 0x70U, 0x65U, 0x00U, 0x01U, 0x03U, 0x65U, 0x6EU, 0x76U,
+         0x06U, 0x61U, 0x63U, 0x63U, 0x65U, 0x70U, 0x74U, 0x00U, 0x02U, 0x03U,
+         0x65U, 0x6EU, 0x76U, 0x0DU, 0x78U, 0x70U, 0x6FU, 0x72U, 0x74U, 0x5FU,
+         0x72U, 0x65U, 0x73U, 0x65U, 0x72U, 0x76U, 0x65U, 0x00U, 0x03U, 0x03U,
+         0x65U, 0x6EU, 0x76U, 0x08U, 0x72U, 0x6FU, 0x6CU, 0x6CU, 0x62U, 0x61U,
+         0x63U, 0x6BU, 0x00U, 0x02U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x0AU, 0x6FU,
+         0x74U, 0x78U, 0x6EU, 0x5FU, 0x70U, 0x61U, 0x72U, 0x61U, 0x6DU, 0x00U,
+         0x04U, 0x03U, 0x65U, 0x6EU, 0x76U, 0x0CU, 0x68U, 0x6FU, 0x6FU, 0x6BU,
+         0x5FU, 0x61U, 0x63U, 0x63U, 0x6FU, 0x75U, 0x6EU, 0x74U, 0x00U, 0x05U,
+         0x03U, 0x65U, 0x6EU, 0x76U, 0x0AU, 0x6CU, 0x65U, 0x64U, 0x67U, 0x65U,
+         0x72U, 0x5FU, 0x73U, 0x65U, 0x71U, 0x00U, 0x01U, 0x03U, 0x65U, 0x6EU,
+         0x76U, 0x05U, 0x78U, 0x70U, 0x6FU, 0x72U, 0x74U, 0x00U, 0x04U, 0x03U,
+         0x02U, 0x01U, 0x03U, 0x05U, 0x03U, 0x01U, 0x00U, 0x02U, 0x06U, 0x21U,
+         0x05U, 0x7FU, 0x01U, 0x41U, 0xE0U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U,
+         0x41U, 0xD9U, 0x08U, 0x0BU, 0x7FU, 0x00U, 0x41U, 0x80U, 0x08U, 0x0BU,
+         0x7FU, 0x00U, 0x41U, 0xE0U, 0x88U, 0x04U, 0x0BU, 0x7FU, 0x00U, 0x41U,
+         0x80U, 0x08U, 0x0BU, 0x07U, 0x08U, 0x01U, 0x04U, 0x68U, 0x6FU, 0x6FU,
+         0x6BU, 0x00U, 0x09U, 0x0AU, 0xCDU, 0x84U, 0x00U, 0x01U, 0xC9U, 0x84U,
+         0x00U, 0x03U, 0x01U, 0x7FU, 0x01U, 0x7EU, 0x02U, 0x7FU, 0x23U, 0x80U,
+         0x80U, 0x80U, 0x80U, 0x00U, 0x41U, 0xF0U, 0x02U, 0x6BU, 0x22U, 0x01U,
+         0x24U, 0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x41U, 0x01U, 0x41U, 0x01U,
+         0x10U, 0x80U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x02U, 0x40U, 0x02U,
+         0x40U, 0x10U, 0x81U, 0x80U, 0x80U, 0x80U, 0x00U, 0x50U, 0x0DU, 0x00U,
+         0x41U, 0x00U, 0x41U, 0x00U, 0x42U, 0x00U, 0x10U, 0x82U, 0x80U, 0x80U,
+         0x80U, 0x00U, 0x21U, 0x02U, 0x0CU, 0x01U, 0x0BU, 0x02U, 0x40U, 0x41U,
+         0x01U, 0x10U, 0x83U, 0x80U, 0x80U, 0x80U, 0x00U, 0x42U, 0x01U, 0x51U,
+         0x0DU, 0x00U, 0x41U, 0x80U, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x16U,
+         0x42U, 0xE8U, 0x00U, 0x10U, 0x84U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU,
+         0x0BU, 0x02U, 0x40U, 0x20U, 0x01U, 0x41U, 0xD0U, 0x02U, 0x6AU, 0x41U,
+         0x14U, 0x41U, 0x96U, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x03U, 0x10U,
+         0x85U, 0x80U, 0x80U, 0x80U, 0x00U, 0x42U, 0x14U, 0x51U, 0x0DU, 0x00U,
+         0x41U, 0x9AU, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x0EU, 0x42U, 0xECU,
+         0x00U, 0x10U, 0x84U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x02U,
+         0x40U, 0x20U, 0x01U, 0x41U, 0xB0U, 0x02U, 0x6AU, 0x41U, 0x14U, 0x10U,
+         0x86U, 0x80U, 0x80U, 0x80U, 0x00U, 0x42U, 0x14U, 0x51U, 0x0DU, 0x00U,
+         0x41U, 0xA8U, 0x88U, 0x80U, 0x80U, 0x00U, 0x41U, 0x1EU, 0x42U, 0xEFU,
+         0x00U, 0x10U, 0x84U, 0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x10U,
+         0x87U, 0x80U, 0x80U, 0x80U, 0x00U, 0x21U, 0x02U, 0x20U, 0x01U, 0x41U,
+         0xC0U, 0x00U, 0x3AU, 0x00U, 0x48U, 0x20U, 0x01U, 0x42U, 0x80U, 0x80U,
+         0x80U, 0x80U, 0xF0U, 0xC1U, 0x90U, 0xA0U, 0xE8U, 0x00U, 0x37U, 0x03U,
+         0x40U, 0x20U, 0x01U, 0x41U, 0xE1U, 0x80U, 0x01U, 0x3BU, 0x01U, 0x3EU,
+         0x20U, 0x01U, 0x41U, 0xA0U, 0x36U, 0x3BU, 0x01U, 0x38U, 0x20U, 0x01U,
+         0x41U, 0xA0U, 0x34U, 0x3BU, 0x01U, 0x32U, 0x20U, 0x01U, 0x41U, 0x00U,
+         0x36U, 0x01U, 0x2EU, 0x20U, 0x01U, 0x41U, 0x80U, 0xC8U, 0x00U, 0x3BU,
+         0x01U, 0x2CU, 0x20U, 0x01U, 0x41U, 0xA2U, 0x80U, 0x02U, 0x36U, 0x02U,
+         0x28U, 0x20U, 0x01U, 0x42U, 0x92U, 0x80U, 0x80U, 0x88U, 0x82U, 0x80U,
+         0xC0U, 0xA9U, 0xD9U, 0x00U, 0x37U, 0x03U, 0x20U, 0x20U, 0x01U, 0x20U,
+         0x02U, 0xA7U, 0x22U, 0x03U, 0x41U, 0x05U, 0x6AU, 0x22U, 0x04U, 0x3AU,
+         0x00U, 0x3DU, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x08U, 0x76U, 0x3AU,
+         0x00U, 0x3CU, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x10U, 0x76U, 0x3AU,
+         0x00U, 0x3BU, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x18U, 0x76U, 0x3AU,
+         0x00U, 0x3AU, 0x20U, 0x01U, 0x20U, 0x03U, 0x41U, 0x01U, 0x6AU, 0x22U,
+         0x04U, 0x3AU, 0x00U, 0x37U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x08U,
+         0x76U, 0x3AU, 0x00U, 0x36U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x10U,
+         0x76U, 0x3AU, 0x00U, 0x35U, 0x20U, 0x01U, 0x20U, 0x04U, 0x41U, 0x18U,
+         0x76U, 0x3AU, 0x00U, 0x34U, 0x20U, 0x01U, 0x41U, 0xCDU, 0x00U, 0x6AU,
+         0x41U, 0x00U, 0x3BU, 0x00U, 0x00U, 0x20U, 0x01U, 0x41U, 0xDCU, 0x00U,
+         0x6AU, 0x20U, 0x01U, 0x29U, 0x03U, 0xB8U, 0x02U, 0x37U, 0x02U, 0x00U,
+         0x20U, 0x01U, 0x41U, 0xE4U, 0x00U, 0x6AU, 0x20U, 0x01U, 0x41U, 0xB0U,
+         0x02U, 0x6AU, 0x41U, 0x10U, 0x6AU, 0x28U, 0x02U, 0x00U, 0x36U, 0x02U,
+         0x00U, 0x20U, 0x01U, 0x41U, 0xF2U, 0x00U, 0x6AU, 0x20U, 0x01U, 0x29U,
+         0x03U, 0xD8U, 0x02U, 0x37U, 0x01U, 0x00U, 0x20U, 0x01U, 0x41U, 0xFAU,
+         0x00U, 0x6AU, 0x20U, 0x01U, 0x41U, 0xD0U, 0x02U, 0x6AU, 0x41U, 0x10U,
+         0x6AU, 0x28U, 0x02U, 0x00U, 0x36U, 0x01U, 0x00U, 0x20U, 0x01U, 0x41U,
+         0x00U, 0x36U, 0x00U, 0x49U, 0x20U, 0x01U, 0x41U, 0x8AU, 0xE6U, 0x81U,
+         0x88U, 0x78U, 0x36U, 0x00U, 0x4FU, 0x20U, 0x01U, 0x41U, 0x14U, 0x3AU,
+         0x00U, 0x53U, 0x20U, 0x01U, 0x41U, 0x83U, 0x29U, 0x3BU, 0x01U, 0x68U,
+         0x20U, 0x01U, 0x20U, 0x01U, 0x29U, 0x03U, 0xB0U, 0x02U, 0x37U, 0x02U,
+         0x54U, 0x20U, 0x01U, 0x20U, 0x01U, 0x29U, 0x03U, 0xD0U, 0x02U, 0x37U,
+         0x01U, 0x6AU, 0x02U, 0x40U, 0x20U, 0x01U, 0x41U, 0x20U, 0x20U, 0x01U,
+         0x41U, 0x20U, 0x6AU, 0x41U, 0xDEU, 0x00U, 0x10U, 0x88U, 0x80U, 0x80U,
+         0x80U, 0x00U, 0x42U, 0x20U, 0x51U, 0x0DU, 0x00U, 0x41U, 0xC6U, 0x88U,
+         0x80U, 0x80U, 0x00U, 0x41U, 0x13U, 0x42U, 0x88U, 0x01U, 0x10U, 0x84U,
+         0x80U, 0x80U, 0x80U, 0x00U, 0x1AU, 0x0BU, 0x41U, 0x00U, 0x41U, 0x00U,
+         0x42U, 0x00U, 0x10U, 0x82U, 0x80U, 0x80U, 0x80U, 0x00U, 0x21U, 0x02U,
+         0x0BU, 0x20U, 0x01U, 0x41U, 0xF0U, 0x02U, 0x6AU, 0x24U, 0x80U, 0x80U,
+         0x80U, 0x80U, 0x00U, 0x20U, 0x02U, 0x0BU, 0x0BU, 0x60U, 0x01U, 0x00U,
+         0x41U, 0x80U, 0x08U, 0x0BU, 0x59U, 0x78U, 0x70U, 0x6FU, 0x72U, 0x74U,
+         0x5FU, 0x72U, 0x65U, 0x73U, 0x65U, 0x72U, 0x76U, 0x65U, 0x28U, 0x31U,
+         0x29U, 0x20U, 0x3DU, 0x3DU, 0x20U, 0x31U, 0x00U, 0x44U, 0x53U, 0x54U,
+         0x00U, 0x64U, 0x73U, 0x74U, 0x5FU, 0x6CU, 0x65U, 0x6EU, 0x20U, 0x3DU,
+         0x3DU, 0x20U, 0x32U, 0x30U, 0x00U, 0x68U, 0x6FU, 0x6FU, 0x6BU, 0x5FU,
+         0x61U, 0x63U, 0x63U, 0x6FU, 0x75U, 0x6EU, 0x74U, 0x28U, 0x53U, 0x42U,
+         0x55U, 0x46U, 0x28U, 0x61U, 0x63U, 0x63U, 0x29U, 0x29U, 0x20U, 0x3DU,
+         0x3DU, 0x20U, 0x32U, 0x30U, 0x00U, 0x78U, 0x70U, 0x6FU, 0x72U, 0x74U,
+         0x5FU, 0x72U, 0x65U, 0x73U, 0x75U, 0x6CU, 0x74U, 0x20U, 0x3DU, 0x3DU,
+         0x20U, 0x33U, 0x32U, 0x00U,
+     }},
+
+};
+}
+}  // namespace ripple
+#endif

src/test/app/HookAPI_test.cpp

@@ -50,6 +50,7 @@ private:
     }
 
 public:
+    using enum hook_api::hook_return_code;
     void
     test_accept(FeatureBitset features)
     {
@@ -4513,6 +4514,249 @@ public:
         BEAST_EXPECT(ok.value());
     }
 
+    void
+    testHookFloat(FeatureBitset features)
+    {
+        // testcase("Test hook float");
+        using namespace jtx;
+        using namespace hook::hook_float;
+
+        {
+            // get_exponent
+            testcase << "get_exponent";
+            BEAST_EXPECT(get_exponent(-1).error() == INVALID_FLOAT);
+            BEAST_EXPECT(get_exponent(0).value() == 0);
+            // 1234567891000000 * 10^(-5)
+            BEAST_EXPECT(get_exponent(6270245249190730432).value() == -5);
+        }
+
+        {
+            // get_mantissa
+            testcase << "get_mantissa";
+            BEAST_EXPECT(get_mantissa(-1).error() == INVALID_FLOAT);
+            BEAST_EXPECT(get_mantissa(0).value() == 0);
+            // 1234567891000000 * 10^(-5)
+            BEAST_EXPECT(
+                get_mantissa(6270245249190730432).value() == 1234567891000000);
+        }
+
+        {
+            // is_negative
+            testcase << "is_negative";
+            // 1234567891000000 * 10^(-5)
+            BEAST_EXPECT(is_negative(6270245249190730432) == false);
+            // -1234567891000000 * 10^(-5)
+            BEAST_EXPECT(is_negative(1658559230763342528) == true);
+        }
+
+        {
+            // invert_sign
+            testcase << "invert_sign";
+            BEAST_EXPECT(
+                invert_sign(6270245249190730432) == 1658559230763342528);
+            BEAST_EXPECT(
+                invert_sign(1658559230763342528) == 6270245249190730432);
+        }
+
+        {
+            // set_sign
+            testcase << "set_sign";
+            BEAST_EXPECT(
+                set_sign(6270245249190730432, true) == 1658559230763342528);
+            BEAST_EXPECT(
+                set_sign(1658559230763342528, false) == 6270245249190730432);
+            BEAST_EXPECT(
+                set_sign(6270245249190730432, false) == 6270245249190730432);
+            BEAST_EXPECT(
+                set_sign(1658559230763342528, true) == 1658559230763342528);
+        }
+
+        {
+            // set_mantissa
+            testcase << "set_mantissa";
+
+            BEAST_EXPECT(
+                set_mantissa(6270245249190730432, maxMantissa + 1).error() ==
+                MANTISSA_OVERSIZED);
+            BEAST_EXPECT(
+                set_mantissa(6270245249190730432, minMantissa - 1).error() ==
+                MANTISSA_UNDERSIZED);
+
+            BEAST_EXPECT(
+                set_mantissa(6270245249190730432, 1234567891000000).value() ==
+                6270245249190730432);
+            BEAST_EXPECT(
+                set_mantissa(1658559230763342528, 1234567891000000).value() ==
+                1658559230763342528);
+
+            BEAST_EXPECT(
+                set_mantissa(6270245249190730432, 1098765432100000).value() ==
+                6270109446731830432);
+            BEAST_EXPECT(
+                set_mantissa(1658559230763342528, 1098765432100000).value() ==
+                1658423428304442528);
+        }
+
+        {
+            // set_exponent
+            testcase << "set_exponent";
+            BEAST_EXPECT(
+                set_exponent(6270245249190730432, maxExponent + 1).error() ==
+                EXPONENT_OVERSIZED);
+            BEAST_EXPECT(
+                set_exponent(6270245249190730432, minExponent - 1).error() ==
+                EXPONENT_UNDERSIZED);
+
+            BEAST_EXPECT(
+                set_exponent(6270245249190730432, 40).value() ==
+                7080893182117419712);
+            BEAST_EXPECT(
+                set_exponent(6270245249190730432, -40).value() ==
+                5639741301358860992);
+        }
+
+        {
+            // make_float
+            testcase << "make_float";
+
+            BEAST_EXPECT(make_float(0, -5, false).value() == 0);
+
+            // invalid mantissa
+            BEAST_EXPECT(
+                make_float(maxMantissa + 1, -5, false).error() ==
+                MANTISSA_OVERSIZED);
+            BEAST_EXPECT(
+                make_float(minMantissa - 1, -5, false).error() ==
+                MANTISSA_UNDERSIZED);
+
+            // invalid exponent
+            BEAST_EXPECT(
+                make_float(1234567891000000, maxExponent + 1, false).error() ==
+                EXPONENT_OVERSIZED);
+            BEAST_EXPECT(
+                make_float(1234567891000000, minExponent - 1, false).error() ==
+                EXPONENT_UNDERSIZED);
+
+            BEAST_EXPECT(
+                make_float(1234567891000000, -5, false).value() ==
+                6270245249190730432);
+            BEAST_EXPECT(
+                make_float(1234567891000000, -5, true).value() ==
+                1658559230763342528);
+        }
+
+        {
+            // normalize_xfl
+            testcase << "normalize_xfl";
+
+            {
+                // zero
+                uint64_t mantissa = 0;
+                int32_t exponent = -5;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent, false).value() == 0);
+                BEAST_EXPECT(mantissa == 0);
+                BEAST_EXPECT(exponent == -5);
+            }
+
+            {
+                // scale the mantissa up into the canonical range
+                uint64_t mantissa = 12345;
+                int32_t exponent = 0;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent, false).value() ==
+                    make_float(1234500000000000ULL, -11, false).value());
+                BEAST_EXPECT(mantissa == 1234500000000000ULL);
+                BEAST_EXPECT(exponent == -11);
+            }
+
+            {
+                // scale the mantissa down into the canonical range
+                uint64_t mantissa = 1234567891000000000ULL;
+                int32_t exponent = -5;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent, false).value() ==
+                    make_float(1234567891000000ULL, -2, false).value());
+                BEAST_EXPECT(mantissa == 1234567891000000ULL);
+                BEAST_EXPECT(exponent == -2);
+            }
+
+            {
+                // explicit negative sign
+                uint64_t mantissa = 12345;
+                int32_t exponent = 0;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent, true).value() ==
+                    make_float(1234500000000000ULL, -11, true).value());
+                BEAST_EXPECT(mantissa == 1234500000000000ULL);
+                BEAST_EXPECT(exponent == -11);
+            }
+
+            {
+                // signed negative mantissa
+                int64_t mantissa = -12345;
+                int32_t exponent = 0;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent).value() ==
+                    make_float(1234500000000000ULL, -11, true).value());
+                BEAST_EXPECT(mantissa == -1234500000000000LL);
+                BEAST_EXPECT(exponent == -11);
+            }
+
+            {
+                // signed minimum is adjusted before taking the absolute value
+                int64_t mantissa = std::numeric_limits<int64_t>::min();
+                int32_t exponent = 0;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent).value() ==
+                    make_float(9223372036854775ULL, 3, true).value());
+                BEAST_EXPECT(mantissa == -9223372036854775LL);
+                BEAST_EXPECT(exponent == 3);
+            }
+
+            {
+                // one below the minimum mantissa is rounded into range
+                uint64_t mantissa = minMantissa - 1;
+                int32_t exponent = -5;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent, false).value() ==
+                    make_float(minMantissa, -5, false).value());
+                BEAST_EXPECT(mantissa == minMantissa);
+                BEAST_EXPECT(exponent == -5);
+            }
+
+            {
+                // underflow returns canonical zero
+                uint64_t mantissa = 1;
+                int32_t exponent = minExponent;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent, false).value() == 0);
+                BEAST_EXPECT(mantissa == 0);
+                BEAST_EXPECT(exponent == 0);
+            }
+
+            {
+                // exponent overflow is reported
+                uint64_t mantissa = minMantissa;
+                int32_t exponent = maxExponent + 1;
+
+                BEAST_EXPECT(
+                    normalize_xfl(mantissa, exponent, false).error() ==
+                    XFL_OVERFLOW);
+                BEAST_EXPECT(mantissa == minMantissa);
+                BEAST_EXPECT(exponent == maxExponent + 1);
+            }
+        }
+    }
+
     void
     testWithFeatures(FeatureBitset features)
     {
@@ -4615,6 +4859,7 @@ public:
     {
         using namespace test::jtx;
         testWithFeatures(supported_amendments());
+        testHookFloat(supported_amendments());
     }
 };