Skip to main content

Production Readiness

Secrets

SecretExposure
MASTER_ENCRYPTION_KEYAll stored memory content
JWT_SECRETSessions for any user
Authority keypairCommitment submission
Wallet keyUser account and stake

Use a secrets manager. Do not commit the authority keypair.

Master-key rotation is not implemented. Existing user data keys must be rewrapped before changing MASTER_ENCRYPTION_KEY.

Anchor service

Run one active instance and monitor:

SignalAlert condition
Authority SOL balanceBelow the required operating buffer
Oldest unanchored memoryOlder than one sweep plus confirmation time
Failed batchesSustained increase
Submitted batchesConfirmation delay
Sweep durationNear ANCHOR_INTERVAL_MS
Tree save conflictsNon-zero with one instance

Writes can continue while the authority is unfunded. This leaves new memory unanchored.

RPC

The anchor service reads the nonce and confirms a transaction for every batch. Use a production RPC with sufficient rate limits.

Failed balance reads are treated as unknown, not zero. Staking withdrawals return 503 when the vault balance cannot be read.

Database

Postgres contains all offchain state:

users wrapped data keys
memories ciphertext and leaf data
merkle_trees rebuildable tree cache
commit_batches anchor history
siws_nonces login challenges
api_keys key hashes
stake_lots maturity timing

Back up users and memories together. A commitment does not provide data recovery.

merkle_trees can be rebuilt. users.wrapped_data_key cannot.

Rate limiting

The APIs do not include rate limiting. Add limits at the gateway for:

  • POST /auth/challenge
  • POST /memories
  • capability consumption routes
  • POST /memories/search

Recall decrypts and scans one user's log for each query. Cost grows linearly with log size.

TLS and CORS

Terminate TLS before the API.

Restrict core API CORS to expected origins. The extension API accepts chrome-extension:// origins and a configured allowlist.

Cluster

Devnet commitments are not permanent.

Mainnet deployment requires:

  1. a mainnet toda-commit deployment
  2. a mainnet RPC
  3. SIWS_CHAIN_ID=mainnet
  4. a funded mainnet authority

Commitments do not migrate between clusters.

Current limits

  • Anchoring is asynchronous. Low-volume writes can wait five minutes plus confirmation time.
  • verify() compares with the current tip and uses the API-provided root.
  • Older roots require historical transaction verification or reconstruction of the current tree.
  • Recall uses substring matching, not semantic search.
  • Metadata is not encrypted.
  • The operator can decrypt memory content.
  • Onchain updates reveal timing and count changes.
  • The protocol provides inclusion proofs, not non-inclusion proofs.
  • Deletion is detectable but not prevented.

See Verifying a memory and Encryption.

Tests

bun test
bun test programs/toda-staking/tests/

The commitment program test directory currently contains scaffolded tests with no assertions. A passing workspace suite does not provide commitment-program coverage.

The incremental tree property test checks that the persisted tree root equals computeRoot() for every tested size.

Checklist

[ ] Secrets generated and stored outside the repository
[ ] Authority funded and monitored
[ ] One anchor service instance
[ ] Production Solana RPC
[ ] SIWS values match the deployment
[ ] Postgres backups include wrapped data keys
[ ] Rate limiting enabled
[ ] CORS restricted
[ ] TLS enabled
[ ] Anchor health alerts enabled
[ ] Operator decryption access disclosed