feat(rust/mpp): confidential charges + solana 4.0 migration

.github/workflows/ci.yml

@@ -98,6 +98,8 @@ jobs:
         run: pnpm vitest run --coverage --config vitest.config.ci.ts
         env:
           SURFPOOL_REPORT: "1"
+          # Reliable RPC datasource for the embedded surfnet (see the Rust job).
+          SURFPOOL_DATASOURCE_RPC_URL: ${{ secrets.SURFPOOL_DATASOURCE_RPC_URL }}
 
       - name: Upload TS coverage
         if: always()
@@ -175,6 +177,10 @@ jobs:
         working-directory: rust
         env:
           SURFPOOL_REPORT: "1"
+          # Reliable RPC datasource for the embedded surfnet — without it the
+          # surfpool integration tests clone from the public mainnet-beta RPC,
+          # which rate-limits and crashes surfnet mid-test in CI.
+          SURFPOOL_DATASOURCE_RPC_URL: ${{ secrets.SURFPOOL_DATASOURCE_RPC_URL }}
         # Lock to library scope: solana-mpp only (x402 has its own
         # coverage budget tracked separately), exclude bin entrypoints
         # (harness), on-chain program crates under src/program/,

.github/workflows/lua.yml

@@ -95,7 +95,6 @@ jobs:
 
   harness-lua:
     name: Lua harness focused matrix
-    needs: test-lua
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
@@ -136,6 +135,18 @@ jobs:
       - name: Install Rust toolchain
         uses: dtolnay/rust-toolchain@stable
 
+      # Cache the cargo registry + target dir so the harness_client build below
+      # doesn't recompile the whole Solana dependency tree from scratch each run
+      # (the other harness workflows — go/php/python/ruby — all cache this).
+      - uses: actions/cache@v5
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            rust/target
+          key: ${{ runner.os }}-cargo-rust-${{ hashFiles('rust/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-rust-
+
       - name: Install TypeScript SDK deps
         working-directory: typescript
         run: pnpm install --frozen-lockfile

rust/Cargo.toml

@@ -8,3 +8,11 @@ members = [
     "crates/x402",
     "crates/kit",
 ]
+
+# Patched litesvm whose `solana-address` pin is loosened from `=2.2.0` so it can
+# coexist with the confidential-transfer proof crates (solana-zk-sdk 6/7 require
+# `solana-address ^2.5`). Applies to litesvm pulled transitively by surfpool-sdk
+# too. Pending upstream PR: github.com/litesvm/litesvm (fork branch below).
+[patch.crates-io]
+litesvm = { git = "https://github.com/lgalabru/litesvm.git", branch = "loosen-solana-address-constraint" }
+litesvm-token = { git = "https://github.com/lgalabru/litesvm.git", branch = "loosen-solana-address-constraint" }

rust/crates/core/Cargo.toml

@@ -8,14 +8,14 @@ repository = "https://github.com/solana-foundation/pay-kit"
 
 [dependencies]
 # Signing — solana-keychain with sdk-v3 (matches mpp/x402 pins)
-solana-keychain = { git = "https://github.com/solana-foundation/solana-keychain", rev = "abf75944", default-features = false, features = ["memory", "sdk-v3"] }
+solana-keychain = { git = "https://github.com/solana-foundation/solana-keychain", rev = "d788028edbe02a94ef5eee7585d0230ad771296e", default-features = false, features = ["memory", "sdk-v3"] }
 
 # Solana — atomic crates only
 solana-hash = { version = "3.1", default-features = false }
 solana-instruction = { version = "3.1", default-features = false }
-solana-message = { version = "3.0", default-features = false }
+solana-message = { version = "3", default-features = false }
 solana-pubkey = { version = "3.0", default-features = false }
-solana-transaction = { version = "3.0", default-features = false }
+solana-transaction = { version = "3", default-features = false }
 solana-address = { version = "2", features = ["borsh", "curve25519"] }
 
 # Payment-channels program client (generated)

rust/crates/mpp/Cargo.toml

@@ -12,25 +12,94 @@ server = ["dep:tokio"]
 client = ["dep:reqwest"]
 axum = ["server", "dep:axum"]
 gcp_kms = ["solana-keychain/gcp_kms"]
+# Token-2022 confidential transfers: pulls in ZK proof generation
+# (solana-zk-sdk) and the Token-2022 confidential-transfer instruction
+# builders. Opt-in so non-confidential consumers (mobile/wasm/FFI) stay lean.
+confidential = [
+    "dep:solana-zk-sdk",
+    "dep:spl-token-2022",
+    "dep:spl-token-confidential-transfer-proof-generation",
+    "dep:spl-token-confidential-transfer-proof-extraction",
+    "dep:solana-zk-elgamal-proof-interface",
+    "dep:solana-zk-sdk-pod",
+    "dep:spl-record",
+    "dep:spl-associated-token-account",
+    "dep:bytemuck",
+    "dep:solana-keypair",
+    "dep:solana-signer",
+]
+# Single confidential-settlement worker run-loop (tokio actor) + the orphan
+# sweeper. Needs the server (tokio) + confidential settlement primitives.
+# solana-rpc-client-api (the getProgramAccounts scan) lives here, NOT in
+# `confidential`, so confidential-only consumers (e.g. the pay client) don't
+# pull it — it shifts solana-signature's feature unification and breaks their
+# build, and they never sweep anyway.
+worker = ["confidential", "server", "dep:solana-rpc-client-api"]
 
 [dependencies]
-# Signing — solana-keychain with sdk-v3 (fix/deps branch pins solana-signature <3.3)
-solana-keychain = { git = "https://github.com/solana-foundation/solana-keychain", rev = "abf75944", default-features = false, features = ["memory", "sdk-v3"] }
+# Signing — solana-keychain with sdk-v3. Rev d788028 widens the solana-signature
+# bound to <3.5, letting signature resolve to 3.3.x — the version the solana 4.0
+# client line (`~3.3.0`) and litesvm 0.13 require.
+solana-keychain = { git = "https://github.com/solana-foundation/solana-keychain", rev = "d788028edbe02a94ef5eee7585d0230ad771296e", default-features = false, features = ["memory", "sdk-v3"] }
 
-# Solana — atomic crates only
+# Solana — atomic crates only. Low-level interface crates stay on flexible 3.x
+# ranges so they unify with litesvm 0.13's pins (message 3.1.0, instruction
+# 3.2.0); the higher-level client crates that published a 4.0 major move to 4.0.
 solana-hash = { version = "3.1", default-features = false }
 solana-instruction = { version = "3.1", default-features = false }
-solana-message = { version = "3.0", default-features = false }
+solana-message = { version = "3", default-features = false }
 solana-pubkey = { version = "3.0", default-features = false }
 solana-commitment-config = { version = "3.0", default-features = false }
-solana-rpc-client = { version = "3.1", default-features = false }
+solana-rpc-client = { version = "4", default-features = false }
+# Program-account scan (memcmp by gateway authority) for the confidential
+# orphan sweeper. Optional; pulled in only by the `worker` feature (NOT plain
+# `confidential`) so confidential-only consumers don't take this dependency.
+solana-rpc-client-api = { version = "4", default-features = false, optional = true }
 solana-signature = { version = "3.1", default-features = false, features = ["default"] }
 solana-system-interface = { version = "2.0", default-features = false }
-solana-transaction = { version = "3.0", default-features = false }
-solana-transaction-status = { version = "3.1", default-features = false }
-# Keep spl-token-2022-interface 2.1 compiling until Solana 3.1 can move to
-# the newer token-2022 interface line.
-solana-zero-copy = { version = "=1.0.0", default-features = false }
+solana-transaction = { version = "3", default-features = false }
+# transaction-status 4.0 gates its whole lib behind `agave-unstable-api`; the
+# wire types we use live in the stable client-types crate.
+solana-transaction-status-client-types = { version = "4", default-features = false }
+solana-zero-copy = { version = "1", default-features = false }
+
+# Confidential transfers (opt-in via the `confidential` feature).
+#
+# TWO zk-sdk lines coexist by design, bridged with POD byte-casts (the wire
+# format of ElGamal pubkey/ciphertext and AES ciphertext is fixed across
+# versions):
+#   * zk-sdk 4.0  — pulled transitively by spl-token-2022 10.0.0 for its
+#     confidential-transfer *instruction* POD types (the on-chain ABI).
+#   * zk-sdk 7.0.1 — used directly for ElGamal/AES key derivation and for
+#     *proof generation* (via proof-generation 0.6.1). The generated proof
+#     bytes must match the format the target cluster's ZK ElGamal Proof
+#     program verifies; 7.0.1 targets current agave. If a deployment cluster
+#     runs an older proof program, pin this line to match it.
+#
+# spl-token-2022 stays =10.0.0: it pairs with interface 2.1.0 and does NOT pull
+# solana-zero-copy 1.0.1, so it respects the deliberate `=1.0.0` pin above.
+# (11.0.0 would need interface 3.x + zero-copy 1.0.1 — a whole-line bump.)
+#
+# proof-extraction 0.5.1 matches spl-token-2022 10.0.0's transitive copy so we
+# can name the `ProofLocation` boundary type. The U128 range proof exceeds the
+# 1232-byte tx limit, so it is staged into an spl-record account and verified
+# from there (encode_verify_proof_from_account).
+solana-zk-sdk = { version = "7.0.1", optional = true }
+spl-token-2022 = { version = "=10.0.0", optional = true, default-features = false, features = ["zk-ops"] }
+spl-token-confidential-transfer-proof-generation = { version = "0.6.1", optional = true }
+spl-token-confidential-transfer-proof-extraction = { version = "0.5.1", optional = true }
+solana-zk-elgamal-proof-interface = { version = "0.1.2", optional = true }
+solana-zk-sdk-pod = { version = "0.1.1", optional = true }
+spl-record = { version = "0.4.0", optional = true, features = ["no-entrypoint"] }
+# `no-entrypoint`: we only use ATA address derivation. Without it the crate
+# emits the on-chain `entrypoint` symbol, which collides ("duplicate symbol:
+# entrypoint") at link time with surfpool's bundled programs when a downstream
+# integration test links confidential + surfpool together (linux ld).
+spl-associated-token-account = { version = "8.0.0", optional = true, features = ["no-entrypoint"] }
+bytemuck = { version = "1.25", optional = true }
+# Ephemeral keypairs for proof context-state + record accounts (client-side).
+solana-keypair = { version = "3.0", optional = true }
+solana-signer = { version = "3.0", optional = true }
 
 # Async
 tokio = { version = "1", features = ["full"], optional = true }
@@ -71,5 +140,8 @@ thiserror = "2"
 [dev-dependencies]
 tokio = { version = "1", features = ["full"] }
 axum = "0.8"
-surfpool-sdk = { git = "https://github.com/solana-foundation/surfpool", rev = "3dcb436" }
+surfpool-sdk = { git = "https://github.com/solana-foundation/surfpool", rev = "b46c47e06c28ed1aa31e119215b479b70e72d4c3" }
+# litesvm 0.13 via the workspace [patch.crates-io] (local fork with the
+# solana-address pin loosened so the confidential proof crates can resolve).
+litesvm = "0.13.0"
 serial_test = "3"