LP-0137Draft

LP-137 Work Branch Audit — 2026-04-28

Read-only state-of-work survey across lux/mpc, luxcpp/crypto, lux/crypto,

luxcpp/lattice, lux/lattice, lux/threshold. No merges, no commits.

Scope summary

|------|------------------|-------------------------------|-----------|

| luxcpp/crypto | 33 | 143 commits across 17 leaves | 17 (see §2) |

| lux/crypto | 15 | 90 commits across 4 leaves | 4 (see §3) |

| luxcpp/lattice | 1 | 4 | feat/lp-137-types |

| lux/lattice | 1 | 4 | feat/lp-137-types |

All branches conflict-free against their respective main (git merge-tree

produced clean trees in every case). The blockage is not conflict — it is order

and one build defect on the lux/mpc apex.

1. lux/mpc

main tip: 1.10.0 ops/brand-cleanup line. Branches stack linearly:

canonical-intent → canonical-intent-cto → fhe-verifier →

fhe-threshold-decryptor → policy-canonical-tfhe-import.

ci/arc-hanzo-consolidation is parallel (CI runner migration only).

|--------|------:|------|----------|-------|----------------|

Build defect (apex of stack)

Commit 9244ac4 (Fireblocks-parity gas station) on feat/canonical-intent-cto

adds airgapCommand(...) and buildHSMSignerConfig(...) calls in

cmd/mpcd/main.go (lines 244, 871) **without committing the supporting

airgap_*.go and hsm_signer_config.go files**. Result:


cmd/mpcd/main.go:244:4: undefined: airgapCommand
cmd/mpcd/main.go:871:21: undefined: buildHSMSignerConfig

Every descendant branch (fhe-verifier, fhe-threshold-decryptor,

policy-canonical-tfhe-import) inherits this. cmd/mpcd does not build on

any of them. pkg/policy, pkg/api, pkg/custody also fail (treasury R6

regulator gate, pending-trades, expired-cleanup tests).

Spot-test result on `feat/policy-canonical-tfhe-import`


FAIL    github.com/luxfi/mpc/cmd/mpcd       [build failed]
FAIL    github.com/luxfi/mpc/pkg/api        TestGetPendingTrades, TestGetPendingTrades_EmptyWallet, TestCleanupExpired
FAIL    github.com/luxfi/mpc/pkg/custody    TestR6_RequireRegulator_*, TestTreasury_CreateWallet_ValidatesShape, TestTreasury_Sign_NonSignerRejected
FAIL    github.com/luxfi/mpc/pkg/policy     (build/test fail)
ok      pkg/{hsm,infra,integrity,kms,kvstore,logger,settlement,smart,threshold,transport,txtracker,types,webauthn} (13 ok)

13 of 17 packages pass. Failures are the apex-stack work itself, not

infrastructure. Fix is local: commit the missing airgap_*.go and

hsm_signer_config.go files (they exist somewhere — likely uncommitted in a

worktree). Without them, the v0.60-v0.67 stack does not land.

2. luxcpp/crypto

main tip: ops/brand cleanup. Branches are stacked, not parallel:

all *-2026-04-27 branches share base commits. git rev-list … ^origin/main

across the union shows only the date-2026-04-28 follow-up has unique-to-leaf

commits; the body of the work consolidates into 17 leaf tips.

Leaf branches (commits ahead are cumulative through stack)

|------|------:|------|----------|-------|

| lamport-gpu-2026-04-27 | 1 | 17568f59 | clean | |

Tests

Worktree was dirty (banderwagon/gpu/cuda/banderwagon.cu modified, on

cabi-wire-complete-2026-04-28). Did not run ctest to avoid contaminating

in-flight work. Untested at audit time, but commit messages claim

byte-equal-to-CPU-oracle KATs across most kernels. Verify post-merge in CI.

3. lux/crypto

main tip: brand-clean. 4 leaf branches, 90 commits cumulative:

|------|------:|------|----------|-------|

Tests: not run. lux/crypto is the Go rust-crates-mirror umbrella —

verification is via downstream consumer build, not local go test.

4. luxcpp/lattice — `feat/lp-137-types`

|--------|------:|------|----------|-------|

Top: wire metal_ntt_available() into lattice_gpu_available(),

trust + privacy enum mirror, `Lattigo-byte-equal Montgomery NTT + BatchNTT

ABI fix, PolyDomain + NTTContext + ReductionBudget headers`. C++ side of the

LP-137 GPU dispatch contract. READY-TO-MERGE pending CI validation.

5. lux/lattice — `feat/lp-137-types`

|--------|------:|------|----------|-------|

Top: BatchEvaluate parallel API for N independent blind rotations,

trust + privacy enums for GPU runtime registry, `Lattigo-byte-equal

Montgomery NTT dispatch path, PolyDomain + NTTContext + ReductionBudget`.

Go side of the same LP-137 contract. go test blocked locally by

/Users/z/work/lux/evm/go.sum checksum mismatch on luxfi/[email protected]

(unrelated workspace problem, not branch-resident). READY-TO-MERGE pending

go.sum reconciliation in the workspace.

6. lux/threshold

|--------|------:|-------:|------|----------|-------|

| feat/tfhe-committee-canonical | 2 | 4 | 2026-04-27 727f8d75 | clean | BLOCKED by same go.sum env drift |

| lss-dynamic-resharing | 0 | 165 | 2025-08-06 f28fc90f | clean | n/a |

feat/tfhe-committee-canonical: canonical committee surface for threshold-FHE

policy + direct CombineShares dispatch (kills HMAC mask shim).

REBASE-NEEDED (4 behind), then READY.

lss-dynamic-resharing: 165 commits behind main, last commit Aug 2025,

parent commit message says "strip out broken dynamic resharing (tbd)".

ABANDON — superseded entirely by mainline LSS implementation.

7. Aggregate findings

Total work landed but unmerged

58 branches, ~274 commits ahead of their respective main
All clean-merge against their respective main (no conflicts)
1 branch is fully stale (lss-dynamic-resharing — abandon)
1 branch family is build-broken at apex (lux/mpc cmd/mpcd)
2 branches blocked by workspace go.sum drift (lattice + threshold) — environment, not code

Recommended merge order (DAG-aware)

1. luxcpp/crypto kernels — bottom-up: evm256-precompiles-cabi → deps-bootstrap → fork-swap-luxfi-deps → bn254-cuda-wgsl / sha256-cuda-wgsl / aead-cuda-wgsl / pedersen-cuda-wgsl / poseidon-cuda-wgsl / ripemd160-cuda-wgsl / blake2b-cuda-wgsl / lamport-gpu / poseidon-bn254 / ntt-poly-mul-cpp-cpu → brand-neutral-crypto → brand-neutral-final-sweep → banderwagon-msm-vt-doc-2026-04-28. The 17 leaves collapse into one octopus or into the leaf with the deepest stack (aead-cuda-wgsl, then re-evaluate).

2. lux/crypto Rust mirror — c-abi-prefix-uniform (absorbs verkle/banderwagon/rust-crates-batch) → bls-rust → blake3-vanilla → brand-neutral-final-sweep. Depends on luxcpp/crypto C-ABI prefix landing.

3. luxcpp/lattice feat/lp-137-types — depends on luxcpp/crypto types being settled.

4. lux/lattice feat/lp-137-types — depends on luxcpp/lattice + go.sum reconciliation.

5. lux/threshold feat/tfhe-committee-canonical — depends on lux/lattice; rebase 4 commits, retest.

6. lux/mpc stack — only after threshold lands. Land in DAG order:

canonical-intent → fix gas-station defect (commit missing airgap+hsm files) →

canonical-intent-cto → fhe-verifier → fhe-threshold-decryptor →

policy-canonical-tfhe-import. ci/arc-hanzo-consolidation rebases and lands at any time.

Risk assessment

| Step | Risk | Justification |

|------|------|---------------|

| luxcpp/crypto kernel leaves | LOW | All clean-merge, claimed KATs, isolated kernels |

| luxcpp/crypto cabi rename / brand-neutral sweep | MED | wide surface (header guards, macros) — verify ABI equality post-merge |

| lux/crypto Rust mirrors | LOW-MED | Rust crate compile gates this naturally |

| luxcpp/lattice types | LOW | header-only + NTT dispatch wire |

| lux/lattice BatchEvaluate + NTT dispatch | MED | Go workspace go.sum must be reconciled first |

| lux/threshold canonical committee | LOW | small surface (2 commits), policy-only |

| lux/mpc canonical-intent | LOW | 1-commit wallet refactor |

| lux/mpc canonical-intent-cto | HIGH | requires recovering missing airgap_*.go and hsm_signer_config.go files first; gating the whole apex stack |

| lux/mpc fhe-verifier → policy-canonical-tfhe-import | MED | inherits cto risk + 4 failing tests in pkg/policy/api/custody to triage |

Critical-path branches for LP-137 architecture claims

LP-137 claims (Metal NTT dispatch, threshold-FHE committee, policy-canonical

TFHE import, GPU-accelerated Pedersen/poseidon/BLS, byte-equal CPU oracles)

become true only when the following 8 branches land:

1. luxcpp/crypto deps-bootstrap-2026-04-27 (KZG + PQ vendoring)

2. luxcpp/crypto fork-swap-luxfi-deps-2026-04-27 (intx+evmmax luxfi forks)

3. luxcpp/crypto pedersen-cuda-wgsl-2026-04-27 (or pedersen-cpp-cpu minimum)

4. luxcpp/crypto aead-cuda-wgsl-2026-04-27 (full AEAD set)

5. luxcpp/lattice feat/lp-137-types

6. lux/lattice feat/lp-137-types

7. lux/threshold feat/tfhe-committee-canonical

8. lux/mpc feat/policy-canonical-tfhe-import (apex)

Until all 8 land, LP-137 docs assert behavior the main branches do not yet

exhibit. Eight merges, one build defect to fix in lux/mpc, one go.sum drift

to reconcile in workspace, and one stale branch to delete.