Object model, namespaces, and running a node.
Every object shares a common envelope. Identity is derived from content:
the objectHash is a keccak256 of the canonical serialization of all
other fields. Objects are immutable. If any field changes, the result is a new object
with a different hash.
{
"objectType": "authorization | condition | reserve | proof | receipt | revocation | namespace_manifest",
"schemaVersion": "1",
"namespace": "aon:example",
"createdAt": 1781080000000,
"creator": "0x...",
"references": ["0x..."],
"payload": { ... },
"objectHash": "0x..."
}The node recomputes and verifies the hash on every submission. Objects submitted without a hash have one computed and attached.
A user-signed permission for a bounded state transition. Specifies who grants
permission, what action is permitted, execution constraints, and validity window
(validAfter and validBefore). Must carry a valid EIP-712
signature; the node verifies it on ingestion.
A requirement that must be satisfied before execution may occur. The namespace determines what constitutes a valid proof for a given condition.
Committed settlement state pending execution. Represents assets locked pending receipt of a cross-chain payment proof or similar condition. References the authorization that authorized the commitment.
Evidence that a condition has been met. Proofs do not create the facts they describe;
those originate within external systems. The node propagates proofs; namespaces
validate them. For aon:csd-usdc, a proof carries raw transaction bytes,
a merkle branch, and a block header; the node verifies all of it locally.
A record that execution completed or was refunded. References the authorization, reserve, and proof that comprised the graph. Once a receipt exists for a reserve, that reserve cannot be consumed again.
A signed declaration that an authorization is no longer valid. References the target authorization by hash and must carry a valid signature from the original signer. Nodes exclude revoked authorizations from executable graphs and open authorization listings. Revocation does not modify the original object; it creates a new object that nodes interpret as superseding it. On-chain settlement contracts enforce revocation independently — the revocation object makes that intent visible and propagatable across the network.
Declares the adapter, object types, settlement target, and reward model for a namespace. Manifests allow independent implementations to understand how authorization relationships should be interpreted.
Objects reference other objects through the references field. An
authorization graph becomes executable when all required components are present
and no receipt has yet consumed the reserve.
The canonical shape for aon:csd-usdc:
Authorization → Reserve → Proof → ReceiptThe shape for aon:evm-spot:
Maker Authorization + Taker Authorization + Fill → ReceiptExecutability is a property of the graph, not of any participant. Any executor that discovers a satisfiable graph may act on it.
A namespace identifies the environment within which objects are interpreted. The network transports objects; namespaces determine what those objects mean and what constitutes valid proof, valid execution, and valid reward.
Cross-chain settlement between CSD (a UTXO chain) and USDC on EVM. A buyer signs an authorization granting release of USDC conditioned on a CSD payment proof. The seller locks the buyer's USDC on-chain (the reserve), sends CSD and submits proof. An executor settles and collects the executor fee.
Non-custodial EVM spot trading. Maker and taker each sign a bounded session authorization specifying token pair, price range, exposure limits, and validity window. An executor matches them into a fill and settles atomically on-chain. No reserve step; settlement is the lock.
Nodes may support different namespaces. The protocol is unchanged regardless of which namespaces are active.
The node exposes a JSON API on port 8787 (configurable via AON_PORT).
All responses carry an ok boolean; errors carry a string error.code.
Core surface: POST /v1/objects to submit any object,
GET /v1/objects/:hash to fetch one, GET /v1/objects
to list with optional filters for type, namespace, or referenced hash.
GET /v1/graphs/:hash traverses the full object graph in both directions.
GET /v1/executable/open returns graphs ready for execution sorted by
reward. POST /v1/executor/consume selects the next consumable graph,
verifies it, calls the settlement contract, and publishes the receipt.
Pass auto: true to let the node select, or supply specific hashes.
Namespace-specific endpoints handle typed ingestion with additional validation:
/v1/authorizations/csd-usdc/from-signed-auth,
/v1/proofs/csd/from-txid, and
/v1/reserves/csd-usdc/lock each verify signatures, check validity
windows, and normalize fields before storing. Equivalents exist for evm-spot.
Revocations are submitted via POST /v1/revocations with the target
authorization hash and a valid signature. GET /v1/revocations/by-target/:hash
returns whether a given authorization has been revoked and the revocation objects
referencing it.
Nodes form a libp2p mesh over TCP using Noise encryption and GossipSub for object announcements. When a new object is stored, the node gossips its hash to all connected peers. Peers that receive an announcement for an unknown hash fetch the full object, validate it locally, and re-announce it. Hashes travel by push; full objects travel by pull.
Bootstrap peers are set via AON_BOOTSTRAP. A periodic peer exchange
(default every 30 seconds) walks connected peers and dials any newly discovered
addresses. There is no central coordinator and no canonical node.
npm install
npm run dev
The object store is a flat JSON file, defaulting to data/aon-objects.json.
To join the network, configure at least one bootnode address under
AON_BOOTSTRAP. For execution against real contracts the node also needs
an EVM RPC endpoint, settlement contract address, and executor private key.
AON_PORT=8787
AON_P2P_PORT=9000
AON_PEER_KEY_PATH=./data/peer.key
AON_BOOTSTRAP=/ip4/<bootnode-ip>/tcp/9000/p2p/<peer-id>
AON_EVM_RPC_URL=https://...
AON_SETTLEMENT_CONTRACT=0x...
AON_EXECUTOR_PRIVATE_KEY=0x...
The following are stable entry points for joining the network. Pass one or more
as AON_BOOTSTRAP, comma-separated.
# Published at launch
/ip4/<ip>/tcp/9000/p2p/<peer-id>