​

Cowboy: Technical Whitepaper

Note: This document provides complete technical specifications for Cowboy. For architectural rationale and design decisions, see the Design Decisions Overview.

​

Abstract

​

Introduction

​

Key Features

• Deterministic Python Actors: A sandboxed Python VM (PVM) with mailbox messaging, reentrancy (depth‑capped to 32), and deterministic execution guarantees.
• Native Timers & Scheduler: Protocol-level timer mechanism with tiered calendar queue, Gas Bidding Agent (GBA) for dynamic pricing, and dedicated execution lanes.
• Verifiable Off-Chain Compute: Marketplace for off-chain jobs with N-of-M consensus, TEE attestations, and (in V2) ZK-proofs. Supports LLM inference, HTTP requests, and custom job types.
• Dual-Metered Gas: Independent EIP-1559-style fee markets for compute (Cycles) and data/storage (Cells), with separate basefee adjustment mechanisms.

​

Accounts and State

• External Accounts (EOAs): Controlled by private keys (secp256k1). They initiate transactions and hold balances of CBY and other assets.
• Actors: Autonomous Python programs executed in the PVM (Python Virtual Machine). Actors own storage, receive messages, and can send messages to other actors.

​

Transactions and Message Passing

​

Native Timers and the Actor Scheduler

​

Scalable Design: The Tiered Calendar Queue

• Tier 1: Block Ring Buffer: An O(1) queue for imminent timers, organized as a ring buffer where each slot represents a single block. This handles near-term scheduling with maximum efficiency.
• Tier 2: Epoch Queue: A medium-term queue for timers scheduled in future epochs. Timers from this queue are efficiently migrated in batches to the Block Ring Buffer at the start of each new epoch.
• Tier 3: Overflow Sorted Set: A Merkleized binary search tree for very long-term timers that fall outside the Epoch Queue’s range, ensuring the protocol can handle any future-dated schedule.

​

Economic Rationality: The Gas Bidding Agent (GBA)

​

Fairness and Liveness

​

Timer Rate Limiting and DoS Prevention

deposit(n) = base_deposit × (1 + floor(n / 100))

• Timers 1-99: 10 CBY each
• Timers 100-199: 20 CBY each
• Timers 200-299: 30 CBY each
• …and so on

surcharge(k) = base_cost × 2^max(0, k - 16)

• Timer 17: 2× base cost
• Timer 18: 4× base cost
• Timer 19: 8× base cost
• Timer 32: 65,536× base cost

timer_basefee_{i+1} = timer_basefee_i × (1 + clamp((Q - T) / (T × alpha), -delta, +delta))

• Q = current total timer queue depth (across all tiers)
• T = target queue depth (governance-tunable, default: 100,000)
• alpha = 8, delta = 0.125 (same as cycle/cell basefees)

• Timer budget: 20% of block cycle capacity (default: 2,000,000 cycles)
• Timers compete for this budget via the GBA auction
• Remaining 80% is available for user transactions

​

Asynchronous Execution and Multi-Block Semantics

​

The Single-Block Atomicity Guarantee

​

Why Cross-Block Transactions Are Not Provided

# CONCEPTUAL - NOT HOW COWBOY WORKS
async def handle_trade(self, msg):
    price = self.storage.get("price")       # Block N: reads $100
    if price < 150:
        analysis = await runner.llm(...)     # Suspends... Runner executes...
        # Block N+5: Resumes here
        # But price may now be $200
        # The branch (price < 150) is no longer valid
        self.execute_buy(price)              # Dangerous: stale assumptions

1. Stale State: Values read before the yield may have changed.
2. Invalid Control Flow: Branches taken based on pre-yield state may no longer be appropriate.
3. Composability Explosion: Nested yields and actor-to-actor calls create a tree of interleavings where each path depends on potentially invalidated assumptions.
4. Adversarial Griefing: Attackers can deliberately mutate state between yield points to exploit stale assumptions.

​

The Message-Passing Continuation Model

from cowboy_sdk import actor, send, RUNNER

@actor
class TradingBot:

    def handle_trade(self, msg):
        """Initiate a trade analysis - Block N"""
        price = self.storage.get("price")

        if price < 150:
            # Send job request to Runner system actor
            # Include all context needed to continue later
            send(RUNNER, {
                "job_type": "llm",
                "prompt": f"Analyze buying opportunity at ${price}",
                "reply_to": self.address,
                "reply_handler": "handle_analysis_result",
                "context": {
                    "original_price": price,
                    "request_block": current_block()
                }
            })

    def handle_analysis_result(self, msg):
        """Process Runner result - Block N+K"""
        result = msg.result
        context = msg.context

        # Re-read current state
        current_price = self.storage.get("price")

        # Validate assumptions before proceeding
        if current_price != context["original_price"]:
            # Price changed - abort or re-evaluate
            self.storage.set("last_abort_reason", "price_changed")
            return

        # Assumptions valid - proceed with action
        if "bullish" in result.lower():
            self.execute_buy(current_price)

​

Design Principles

User TX → Actor A → [message] → Runner System Actor → [off-chain execution]
                                        ↓
              Actor A ← [result message] ← Runner System Actor

​

Correlation and Message Ordering

• Correlation IDs: Each outbound job request includes a unique correlation_id. The Runner system actor includes this ID in the response message, allowing actors to match responses to requests.
• No Ordering Guarantees: If an actor sends multiple Runner requests, responses may arrive in any order. Actors must handle out-of-order delivery.

​

Timeout and Failure Handling

def handle_trade(self, msg):
    correlation_id = generate_id()

    # Store pending request info
    self.storage.set(f"pending:{correlation_id}", {
        "type": "trade_analysis",
        "submitted_block": current_block(),
        "context": {...}
    })

    # Send job request
    send(RUNNER, {
        "correlation_id": correlation_id,
        "job_type": "llm",
        ...
    })

    # Schedule timeout - returns a timer_id for later cancellation
    timer_id = set_timer(
        height=current_block() + 100,
        handler="handle_timeout",
        data={"correlation_id": correlation_id}
    )

    # Store timer_id so we can cancel it when result arrives
    self.storage.set(f"timer:{correlation_id}", timer_id)

def handle_analysis_result(self, msg):
    correlation_id = msg.correlation_id

    # Cancel timeout timer using stored timer_id
    timer_id = self.storage.get(f"timer:{correlation_id}")
    if timer_id:
        cancel_timer(timer_id)
        self.storage.delete(f"timer:{correlation_id}")

    # Process result
    pending = self.storage.get(f"pending:{correlation_id}")
    if pending is None:
        return  # Already timed out or duplicate

    self.storage.delete(f"pending:{correlation_id}")
    # Continue processing...

def handle_timeout(self, msg):
    correlation_id = msg.correlation_id

    pending = self.storage.get(f"pending:{correlation_id}")
    if pending is None:
        return  # Result already arrived

    # Clean up
    self.storage.delete(f"pending:{correlation_id}")
    self.storage.delete(f"timer:{correlation_id}")

    # Handle timeout - retry, abort, or escalate
    self.handle_job_failure(correlation_id, "timeout")

• Store the timer_id returned by set_timer() so it can be cancelled when the result arrives
• Always check for the pending request before processing—it may have been cleaned up by a timeout
• Clean up all associated state (pending request, timer reference) in both success and timeout paths
• Consider implementing retry logic with exponential backoff for transient failures

​

SDK Ergonomics

from cowboy_sdk import actor, runner

@actor
class TradingBot:

    @runner.continuation
    async def handle_trade(self, msg):
        price = self.storage.get("price")

        if price < 150:
            # SDK helper - compiles to message passing
            result = await runner.llm(
                prompt=f"Analyze buying opportunity at ${price}",
                context={"original_price": price}
            )

            # Developer still validates - SDK doesn't hide this
            if self.storage.get("price") != result.context["original_price"]:
                return

            if "bullish" in result.output.lower():
                self.execute_buy(price)

1. A request handler that sends the message and stores continuation state
2. A result handler that retrieves continuation state and resumes execution

​

Comparison with Other Models

​

The Cowboy Actor VM (PVM)

​

Python as Execution Language

​

Execution Environment and Determinism Guarantees

​

Runtime Environment

• No JIT Compilation: The PVM operates in pure interpretation mode. Just-In-Time compilation is forbidden, as JIT optimizations are a source of non-determinism across runs and platforms.
• Deterministic Memory Management: Memory is managed via deterministic reference counting. The cyclic garbage collector is disabled. Objects are deallocated immediately when their reference count reaches zero, ensuring predictable memory behavior.
• Fixed Recursion Limit: The recursion limit MUST be set to a consensus-defined constant (256 by default). Stack depth enforcement is integrated with cycle metering.

​

Numeric Determinism

• Floating-Point Operations: All floating-point operations MUST use a cross-platform, deterministic software-based math library (softfloat), not the host machine’s native FPU. This prevents micro-variations across different CPU architectures (x86 vs ARM, different FPU implementations).
• Integer Arithmetic: Python’s arbitrary-precision integers are deterministic. No overflow behavior varies across platforms.
• Decimal Module: If the decimal module is included in the whitelist, it MUST use a fixed rounding mode (ROUND_HALF_EVEN) and fixed precision, specified at the consensus level.
• Math Functions: Transcendental functions (sin, cos, log, exp, etc.) MUST use deterministic implementations from the softfloat library, not platform-native libm.

​

Hash Seed and Collection Ordering

• Fixed Hash Seed: PYTHONHASHSEED MUST be set to a consensus-defined constant (0). This ensures hash() returns identical values across all nodes.
• Dictionary Ordering: Python 3.7+ guarantees insertion-order iteration for dict. This is deterministic and permitted.
• Set Replacement: The built-in set and frozenset types have non-deterministic iteration order even with a fixed hash seed (due to hash collisions and table resizing). The PVM MUST replace set with ordered_set, an insertion-ordered set implementation provided by the standard library. Code using set syntax transparently receives ordered_set semantics.
• Forbidden Hash Operations: Actors MUST NOT rely on hash() values for anything persisted to storage or sent in messages, as hash values are not guaranteed stable across PVM versions.

​

String and Text Handling

• Unicode Normalization: All string comparisons MUST use NFC (Canonical Decomposition, followed by Canonical Composition) normalization. The PVM normalizes all input strings to NFC on ingestion.
• Fixed Locale: The locale MUST be fixed to C.UTF-8 (POSIX). Locale-dependent operations (collation, case conversion) use Unicode rules, not system locale.
• Case Folding: Case-insensitive comparisons MUST use Unicode case folding (str.casefold()), which is locale-independent.
• String Interning: Identity comparisons (is) on strings are forbidden in user code. The PVM MAY raise a warning or error. Use equality (==) for string comparison.
• Encoding: All strings are UTF-8. Other encodings MUST be explicitly converted via encode()/decode() with the errors='strict' policy.

​

Serialization

• Format: CBOR (RFC 8949) with Core Deterministic Encoding Requirements (Section 4.2).
• Canonical Rules:
  • Map keys MUST be sorted by byte-wise lexicographic order of their encoded form.
  • Integers MUST use the shortest encoding.
  • No indefinite-length arrays or maps.
  • Floats MUST be encoded as 64-bit IEEE 754 (no float16/float32 downcasting).
  • No duplicate map keys.
• Forbidden: The pickle module is forbidden. It is non-deterministic, insecure, and version-dependent.
• JSON: If JSON is needed for human-readable output, json.dumps() MUST use sort_keys=True, separators=(',', ':'), and ensure_ascii=False.
• Custom Types: User-defined classes that need serialization MUST implement the __cowboy_serialize__() and __cowboy_deserialize__() protocol methods.

​

Module and Dependency Management

• Whitelisted Imports: Actors can only import modules from a strict, consensus-defined whitelist. Each module is pinned to an exact version.
• No C Extensions: C extension modules (numpy, pandas, etc.) are forbidden. They introduce hardware-dependent behavior, platform-specific optimizations, and are difficult to audit for determinism.
• No Dynamic Imports: importlib, __import__(), and dynamic module loading are forbidden.
• Initial Whitelist (v1):
  • collections, dataclasses, enum, functools, itertools
  • json (with canonical constraints), re, struct
  • math (deterministic implementation), decimal (fixed precision)
  • typing, abc
  • hashlib (for keccak256, sha256)
  • cowboy_sdk (Cowboy standard library)

​

Exception Handling

• Exception Types: Exception types and their inheritance hierarchy are deterministic.
• Exception Messages: Exception message strings MAY vary across platforms or Python versions. Actors MUST NOT branch on exception message text content.
• Tracebacks: Traceback objects are stripped before any on-chain storage or message passing. They are available only for local debugging.

​

Forbidden Operations and Patterns

​

Determinism Testing

1. Executes actor code on multiple platforms (x86, ARM) and Python builds.
2. Compares all outputs, state transitions, and cycle counts.
3. Flags any divergence as a consensus-critical bug.

​

A New Security Model

​

Storage and State Persistence

1. The Ledger: An append-only log of blocks, serving as the sequential, historical source of truth for all transactions.
2. The Triedb: The canonical state repository, which uses a Merkle-Patricia Trie (MPT), similar to Ethereum, to generate a verifiable state_root for each block. This layer holds the authoritative state of all accounts, code, and storage.
3. Auxiliary Indexes: Rebuildable, read-optimized tables for data like transaction hashes or event topics. These indexes are derived from the Ledger and Triedb and allow for fast queries without being part of the consensus-critical state root.

​

Cross-VM Compatibility

• State Separation: A vm_ns (VM namespace) flag is embedded directly into storage keys. This allows PVM and EVM storage slots for the same address to coexist without collision, enabling a single actor address to have state in both environments.
• Cross-VM Calls: A standardized C-ABI (Application Binary Interface) wrapper is defined at the protocol level. This allows the storage layer to remain neutral while enabling seamless and predictable calls between the PVM and EVM.

​

Pricing: Cycles and Cells

• Cycles measure compute: Python operations and host calls (e.g., send, set‑timer, blob‑commit) each have a fixed cost. Cycles resemble Erlang reductions: a budget of discrete steps that bounds how long a handler runs.
• Cells measure bytes: calldata, return data, blobs, and storage all consume cells.

​

On-Chain Metering

• Cycles: Computational work is metered by instrumenting the Python VM at the bytecode level. Every instruction has a fixed Cycle cost, defined in a consensus-critical cost table. This approach ensures that all computational paths, including loops and function calls, are accurately measured.
• Cells: Data and storage work is metered at specific I/O boundaries. Cells (where 1 Cell = 1 byte) are consumed for transaction payloads, return data, state storage (storage_set), and temporary scratch space used by an actor during execution.

​

Off-Chain Fee Model

​

Off-Chain Compute: The Runner Marketplace

​

Asynchronous Task Framework and Runner Reliability

1. Task Submission: An actor submits a task by calling a dispatcher contract. The submission defines the task, the number of Runners required, and a result_schema that specifies the expected output format and constraints (e.g., max return size).
2. Runner Selection & Health: A committee of Runners is implicitly and deterministically selected for the task using a Verifiable Random Function (VRF). This selection is made from a dynamic active runner list. To remain on this list, Runners must periodically send a heartbeat() transaction, ensuring that tasks are only assigned to nodes that are proven to be online and responsive.
3. Execution and Submission: Selected Runners execute the task. If a Runner chooses not to perform the work, it can call a skip_task function, explicitly and verifiably passing responsibility to the next Runner in the deterministic sequence. Results are submitted to a dedicated contract.
4. Deferred Callback: Once the required number of results are collected, the system constructs and signs a deferred transaction. This transaction, which contains the call to the original actor’s callback function, is then executed in a future block.

​

Cowboy’s Off-Chain Tiered Trust Model

​

Runner Resource Accounting and Pricing

​

Resource Bounds

job_spec = {
    "type": "llm",
    "model_id": "0x...",              # Registered model hash
    "prompt": "...",
    "bounds": {
        "max_input_tokens": 4000,     # Maximum input size
        "max_output_tokens": 2000,    # Maximum output size
        "max_wall_time_seconds": 60,  # Maximum execution time
        "max_memory_mb": 512,         # Maximum memory usage
        "max_retries": 2,             # Retries on transient failure
        "max_price": 100_000_000      # Maximum price in CBY wei
    },
    "trust_model": "n_of_m",
    "tee_required": false
}

• Cost ceiling: The actor knows their maximum exposure before submitting
• Runner filtering: Runners can evaluate whether they can fulfill the job within bounds
• Timeout enforcement: Jobs exceeding max_wall_time_seconds are considered failed
• DoS prevention: Unbounded jobs are rejected at submission

​

Price Discovery: Posted Prices with Priority Tips

rate_card = {
    "runner_address": "0x...",
    "rates": {
        "llm_input_token": 1000,      # CBY wei per input token
        "llm_output_token": 3000,     # CBY wei per output token
        "http_request": 50000,        # CBY wei per HTTP request
        "compute_second": 10000,      # CBY wei per second of compute
    },
    "supported_models": ["0x...", "0x..."],
    "min_job_value": 10000,           # Minimum job size
    "max_job_value": 10_000_000_000,  # Maximum job size
    "entitlements": ["tee_sgx", "region_us"]
}

expected_price = Σ(rate[resource] × bounds[resource])

actual_payment = min(reported_usage × rates, max_price)

job_spec = {
    ...
    "max_price": 100_000_000,
    "tip": 10_000_000,               # Priority tip, paid on completion
}

1. Filters runners by entitlements (actor’s requirements ⊆ runner’s capabilities)
2. Filters runners by supported models
3. Filters runners by price (runner’s expected price ≤ actor’s max_price)
4. Selects committee via VRF from eligible runners

​

Trust Model for Resource Reporting

1. Reputation scores: Runners accumulate reputation based on successful job completions, disputes lost, and uptime. Low-reputation runners may be excluded from job selection.
2. Anomaly detection: If reported usage is >2× the expected usage (based on job type and historical data), the result is automatically flagged for review.
3. Slashing for fraud: If a runner is proven to have misreported usage (via challenge), they are slashed 30% of their stake.

1. The runner executes the job inside a Trusted Execution Environment (SGX, TDX, or SEV)
2. The TEE measures actual resource consumption
3. The runner submits an attestation report alongside the result
4. The protocol verifies the attestation against known-good TEE measurements
5. Reported usage in the attestation is authoritative

• A registry of trusted TEE signing keys (updated via governance)
• Expected measurement hashes for approved runner software
• Revocation lists for compromised keys

​

Payment and Failure Handling

1. Runner fault: Runner accepted the job but failed to deliver a valid result within bounds. Evidence: timeout exceeded, result fails schema validation, or N-of-M quorum shows divergent results.
2. Impossible job: Runner demonstrates that the job cannot be completed within bounds. Evidence: multiple runners report the same failure mode (e.g., “output exceeded max_tokens at 50% completion”).
3. Actor fault: Job input is malformed or violates protocol rules. Evidence: schema validation failure on input, or runner returns standardized error code.
4. External fault: Failure due to external dependencies. Evidence: runner provides proof of external failure (e.g., HTTP 503 response, API rate limit).

pro_rata_payment = (work_completed / total_work_estimate) × expected_price

​

Dispute Resolution

1. Actor posts 100 CBY bond
2. Actor provides evidence: benchmark data, comparable job costs, statistical analysis
3. Arbitration: If reported usage is >3σ above expected for job type, runner is presumed to have overcharged
4. Resolution: Runner slashed, actor refunded difference + challenger reward

1. Runner posts 100 CBY bond
2. Runner provides evidence: execution logs, TEE attestation, proof of external failure
3. Arbitration: Review of evidence against fault criteria
4. Resolution: If runner was wrongly faulted, receive payment + bond back; actor loses dispute bond

1. Anyone can challenge suspicious patterns (e.g., runner and actor colluding on fake jobs)
2. Evidence: on-chain analysis, statistical anomalies
3. Resolution: Both parties slashed if collusion proven, challenger rewarded

​

Anti-Gaming Measures

1. Rate card cooldown: Runners cannot change rates more than once per epoch (1 hour). Prevents bait-and-switch.
2. Minimum job value: Runners can set a minimum job value to avoid spam.
3. Reputation decay: Reputation scores decay over time, requiring ongoing good behavior.
4. Sybil resistance: New runners start with zero reputation and limited job allocation. Building reputation requires stake lockup time.
5. Price bands: Governance can set acceptable price ranges for job types. Runners outside bands are flagged (not excluded, but visible to actors).

​

LLM Result Verification

​

The Challenge of Non-Deterministic Outputs

Prompt: "What is the capital of France?"

Runner 1: "The capital of France is Paris."
Runner 2: "Paris is the capital of France."
Runner 3: "France's capital city is Paris."

​

Verification Modes

job_spec = {
    "type": "llm",
    "model_id": "0x...",
    "prompt": "...",
    "verification": {
        "mode": "structured_match",
        "runners": 3,
        "threshold": 2,  # 2-of-3 must agree
        "checks": [...]
    }
}

​

Verification Mode Details

"verification": {"mode": "none"}

"verification": {
    "mode": "economic_bond",
    "bond_multiplier": 2.0,  # Runner bonds 2× job value
    "objective_checks": ["schema_valid", "min_length", "no_prompt_leak"]
}

"verification": {
    "mode": "majority_vote",
    "runners": 5,
    "threshold": 3,
    "vote_field": "classification"  # Field to vote on
}

"verification": {
    "mode": "structured_match",
    "runners": 3,
    "threshold": 2,
    "checks": [
        {"fn": "json_schema_valid", "schema": {...}},
        {"fn": "structured_match", "fields": ["entity_name", "entity_type"]},
        {"fn": "numeric_tolerance", "field": "confidence", "tolerance": 0.05}
    ]
}

"verification": {
    "mode": "deterministic",
    "runners": 3,
    "threshold": 3,  # All must match
    "tee_required": true,
    "inference_config": {
        "temperature": 0,
        "seed": 12345,
        "framework": "[email protected]"
    }
}

"verification": {
    "mode": "semantic_similarity",
    "runners": 3,
    "threshold": 2,
    "similarity_threshold": 0.85,
    "embedding_model": "0x..."  # Pinned embedding model
}

​

SDK Verifier Functions

"verification": {
    "mode": "structured_match",
    "checks": [
        {"fn": "json_schema_valid"},
        {"fn": "custom", "actor": "0x...", "method": "verify_output"}
    ]
}

• The job spec
• All runner outputs
• Runner metadata (addresses, attestations)

• {valid: true, canonical_output: ...} — accept, with optional canonical output
• {valid: false, reason: ...} — reject all outputs

​

Objective Failure Criteria

​

Subjective Correctness and the Market

1. Actors accept risk when choosing economic_bond or none modes
2. Reputation reflects quality — actors who receive poor outputs stop using that runner
3. Competition drives quality — runners with better outputs earn more jobs
4. Transparency enables choice — runner stats (completion rate, dispute rate, repeat usage) are public

​

Challenge Scope by Mode

​

External Data and Oracle Semantics

​

Sources of Non-Determinism

​

Data Source Classification

​

Freshness Requirements

job_spec = {
    "type": "http",
    "url": "https://api.exchange.com/price/BTC",
    "freshness": {
        "max_age_seconds": 10,
        "timestamp_field": "$.data.timestamp",
        "reference": "block"  # or "submission", "absolute"
    }
}

• block — Data timestamp must be within max_age_seconds of the block timestamp when results are committed
• submission — Data timestamp must be within max_age_seconds of job submission time
• absolute — Actor specifies an exact timestamp; data must be from that point in time (±tolerance)

1. Fetch data from the source
2. Extract timestamp from specified field (or use fetch time if no field specified)
3. Reject and retry if timestamp is outside freshness window
4. Include fetch metadata in result attestation

​

Snapshot Modes

job_spec = {
    "type": "http",
    "url": "...",
    "snapshot": {
        "mode": "first_valid"
    }
}

"snapshot": {
    "mode": "median",
    "outlier_threshold": 0.02  # Flag results >2% from median
}

​

Extraction-Based Verification

job_spec = {
    "type": "http_extract",
    "url": "https://disclosures.house.gov/...",
    "extraction": {
        "method": "css_selector",  # or "xpath", "regex", "jsonpath"
        "selectors": {
            "representative": "div.member-name::text",
            "ticker": "td.asset-ticker::text",
            "transaction_type": "td.tx-type::text",
            "amount": "td.amount::text"
        },
        "schema": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "representative": {"type": "string"},
                    "ticker": {"type": "string"},
                    "transaction_type": {"enum": ["buy", "sell"]},
                    "amount": {"type": "string"}
                }
            }
        }
    },
    "verification": {
        "mode": "structured_match",
        "runners": 3,
        "threshold": 2,
        "fields": ["[*].ticker", "[*].transaction_type"]
    }
}

1. Fetch the URL
2. Apply extraction rules to raw response
3. Validate extracted data against schema
4. Submit extracted data (not raw HTML)

​

Domain Entitlements

# Actor entitlement (in deployment manifest)
"entitlements": {
    "http_domains": ["api.coingecko.com", "disclosures.house.gov"]
}

# Runner capability
"capabilities": {
    "http_domains": ["*"]  # or specific list
}

"entitlements": {
    "http_domain_set": "price_feeds"
}

​

Source Attestation

result = {
    "data": {...},
    "attestation": {
        "fetch_timestamp": 1702500000,
        "url": "https://...",
        "http_status": 200,
        "response_hash": "0x...",           # Hash of raw response
        "tls_cert_fingerprint": "0x...",    # Proves connection to real server
        "response_headers": {
            "etag": "...",
            "cache-control": "...",
            "last-modified": "..."
        }
    }
}

• After-the-fact auditing of data sources
• Dispute resolution when data changes
• Proof that runner connected to authentic server (not MITM)

​

Secrets Management

Actor Storage (encrypted) ← Actor writes secrets
         ↓
    Secrets Manager (0x08)
         ↓
    TEE Runner (decrypts in enclave)
         ↓
    External API

from cowboy_sdk import secrets

# Actor stores an API key (encrypted to authorized runners)
secrets.store(
    key="broker_api_key",
    value="sk-...",
    access_policy={
        "runners": ["tee_required"],           # Only TEE runners
        "entitlements": ["region_us"],          # Only US-based runners
        "job_types": ["http"]                   # Only for HTTP jobs
    }
)

job_spec = {
    "type": "http",
    "url": "https://api.broker.com/portfolio",
    "auth": {
        "type": "bearer",
        "secret_ref": "broker_api_key"  # Reference to stored secret
    },
    "verification": {
        "mode": "economic_bond",
        "tee_required": true
    }
}

1. Actor encrypts secret to the Secrets Manager’s public key
2. Secret is stored on-chain (encrypted) with access policy
3. When a job references the secret, protocol verifies runner meets access policy
4. Runner’s TEE requests secret from Secrets Manager
5. Secrets Manager verifies TEE attestation, releases secret encrypted to enclave
6. Secret is decrypted only inside TEE, never exposed to runner operator

• Secrets are never stored in plaintext on-chain
• Runner operators cannot access secrets (TEE isolation)
• Access policies are enforced by the protocol
• Secret rotation is supported (actors can update values)
• Audit log of secret access is maintained

• Requires TEE-capable runners (limits runner pool)
• Actor must trust TEE implementation
• Secrets Manager is a system actor (governance-controlled)

​

Verification Modes for HTTP Jobs

​

Example: Price Feed Oracle

job_spec = {
    "type": "http",
    "url": "https://api.coingecko.com/api/v3/simple/price?ids=bitcoin&vs_currencies=usd",
    "freshness": {
        "max_age_seconds": 30,
        "reference": "block"
    },
    "extraction": {
        "method": "jsonpath",
        "selectors": {
            "price": "$.bitcoin.usd"
        }
    },
    "snapshot": {
        "mode": "median",
        "outlier_threshold": 0.01
    },
    "verification": {
        "mode": "median",
        "runners": 5,
        "threshold": 3
    }
}

​

Randomness

​

Consensus and Networking

​

Protocol Overview

1. Propose: The current proposer (selected by VRF) broadcasts a block proposal
2. Vote: Validators vote on the proposal; votes are buffered until quorum
3. Certify: Upon reaching 2f+1 votes, a Quorum Certificate (QC) is formed
4. Finalize: Block with QC from the next round is final and irreversible

• Block time: ~1 second target
• Finality: ~2 seconds under normal conditions
• Fault tolerance: Tolerates up to f < n/3 Byzantine validators

​

Validator Set

• Stake ≥ minimum_validator_stake (governance-tunable)
• Self-stake only (no delegation in v1)
• Must run compliant validator software
• Must maintain network connectivity

1. Register: Stake CBY, submit validator public key (BLS12-381)
2. Activate: Validator becomes active at next epoch boundary
3. Operate: Propose blocks, vote, earn rewards
4. Exit: Signal unbonding; stake locked for unbonding period
5. Withdraw: After unbonding period, stake is returned

​

Epochs and Rotation

• Epoch duration: 3600 blocks (~1 hour)
• Validator set updates: Only at epoch boundaries
• Proposer selection: Per-block VRF, weighted by stake

1. New validators who registered during the epoch are activated
2. Validators who signaled exit are removed from active set
3. Slashing penalties are applied
4. Epoch randomness seed is derived from previous epoch’s final QC

proposer = VRF_select(epoch_seed, block_height, active_validators, stakes)

​

Staking and Rewards

• Minimum stake: Governance-tunable (e.g., 50,000 CBY at genesis)
• No maximum stake per validator
• Self-bonded only; delegation deferred to v2

validator_reward = (validator_stake / total_staked) × block_inflation_reward

• Unbonding period: 7 days
• During unbonding, stake is not counted for consensus
• Stake can still be slashed during unbonding (for offenses discovered late)
• After unbonding completes, stake is withdrawable

​

Slashing

• Jailed validators are removed from active set immediately
• Must wait jail period (24 hours) before unjailing
• Unjailing requires explicit transaction from validator
• Repeated offenses increase jail duration exponentially

• Encourages validator participation (lower risk)
• Protects against accidental slashing from bugs/misconfig
• Jailing still removes bad actors from consensus
• Severe offenses (double signing) still incur economic penalty

​

View Changes and Leader Failure

1. Timeout: Validators waiting for proposal trigger timeout after block_time × 2
2. New-View: Validators broadcast highest QC they’ve seen
3. Leader election: Next leader is determined by VRF (skipping failed proposer)
4. Resume: New leader proposes block extending highest QC

​

Finality and Reorgs

• Runners are stateless with respect to chain state
• Jobs reference block height, not block hash
• If a reorg occurs before finality, affected jobs may need to resubmit
• Actors should design handlers to be idempotent (safe to replay)
• For critical jobs, actors can wait for finality before considering results confirmed

​

Network Layer

• Transactions: Flood to all peers
• Blocks: Proposer broadcasts; validators relay
• Votes: Direct to proposer (reduces gossip overhead)

​

Dedicated Lanes

• Each lane has its own basefee, adjusted independently based on lane utilization
• Unused capacity in higher-priority lanes cascades down to lower-priority lanes
• Transactions are tagged by type at submission; the proposer cannot reassign lanes
• If a lane is full, excess transactions wait for the next block (no spillover to other lanes)

​

MEV Prevention

• Cross-block MEV strategies
• Block-builder collusion patterns
• Proposer-searcher relationships

order_key = VRF(proposer_key, tx_hash, block_height)

• Strategic transaction placement by proposers
• Insertion of proposer’s own transactions at advantageous positions
• Sandwich attack construction

• Observation window: Attackers have less than 1s from tx broadcast to block inclusion
• Reorg risk: Zero after finality; attacks requiring reorgs are impossible
• Front-running: Extremely difficult given the tight timing constraints

• Timer-triggered trades execute regardless of user lane congestion
• Runner results post reliably even during activity spikes
• Adversaries cannot selectively delay transactions by lane type

• VRF ordering removes proposer discretion
• Rotation prevents multi-block observation
• Fast finality closes the timing window
• Lane separation prevents congestion attacks

​

Data Availability, State Rent, and Storage

​

Inline Data vs. Blobs

​

State Rent Model

​

Market-Based Rent Pricing

rent_rate_{i+1} = rent_rate_i × (1 + clamp((S - T) / (T × alpha), -delta, +delta))

• S = current total state size (bytes across all actors)
• T = target state size (governance-tunable, e.g., 100 GB)
• alpha = 8, delta = 0.125 (same as cycle/cell basefees)

epoch_rent = actor_storage_bytes × rent_rate_per_byte_per_epoch

​

Rent Payment Options

On epoch boundary:
  if actor.balance >= epoch_rent:
    actor.balance -= epoch_rent
  else:
    enter_grace_period(actor)

from cowboy_sdk import rent

# Prepay rent for 1000 epochs
rent.prepay(epochs=1000)

# Check rent status
status = rent.status()  # {paid_through_epoch: 15000, balance_epochs: 847}

rent.sponsor(actor_address="0x...", epochs=100)

​

Minimum Balance Reserve

minimum_reserve = estimated_annual_rent × reserve_multiplier

• Cannot be spent on transactions or jobs
• Is automatically used for rent if main balance is insufficient
• Provides a buffer before grace period begins
• Can be withdrawn only when closing the actor

​

Grace Period and Eviction

Epoch N:     Rent due, insufficient funds → Grace period begins
Epoch N+168: Grace period ends (7 days) → Warning period begins
Epoch N+240: Warning period ends (3 more days) → Eviction eligible
Epoch N+241: Storage evicted

• Actor remains fully functional
• Can still receive messages, execute handlers, modify storage
• Actor is flagged as “rent overdue” (visible on-chain)
• A catch-up fee accumulates (10% of missed rent)

• Same as grace period
• Actor is flagged as “eviction imminent”
• Events emitted to alert dependent actors

To exit grace period:
  payment_required = missed_rent × 1.1

​

Eviction Mechanics

• Actor’s storage (all key-value data)
• Active timers associated with the actor

• Actor’s code (immutable, stored separately)
• Actor’s address (reserved, cannot be reused)
• Actor’s balance (if any remains)
• Storage root hash (for potential restoration)

1. Storage root hash is recorded on-chain
2. All storage keys are marked for deletion
3. Storage is pruned from active state trie at next epoch
4. Actor enters “dormant” state

• Cannot execute handlers (no storage to read/write)
• Can still receive CBY transfers
• Can be restored if storage data is provided

​

Storage Restoration

1. Original storage data (e.g., from backup, archive node, or third party)
2. Data must hash to the recorded storage root
3. Payment of all back-rent plus catch-up fees

from cowboy_sdk import storage

# Anyone with the data can restore an actor
storage.restore(
    actor_address="0x...",
    storage_data=original_data,  # Must match recorded root hash
    pay_from=sponsor_address     # Can be actor itself or sponsor
)

restoration_cost = back_rent + (back_rent × 0.1) + current_epoch_rent

• Actors to backup their own storage and self-restore
• Third parties to restore important public infrastructure
• Recovery from accidental rent lapses

​

Ledger Growth and Pruning

​

Block Storage

Block data per year (estimate):
  ~1 KB/block × 86,400 blocks/day × 365 days ≈ 31 GB/year

​

State Storage

• Full nodes keep only the current state trie
• Historical state (old trie versions) can be pruned after finality
• State size is bounded by rent economics—high rent discourages bloat

​

Archive Nodes

• Required for historical queries, indexing, block explorers
• Not required for consensus participation
• Can reconstruct any historical state
• Enable storage restoration for evicted actors

​

Node Types

​

Light Clients

• Verify block headers form valid chain
• Verify transaction inclusion via Merkle proofs
• Verify state queries via Merkle proofs against state root
• Submit transactions

• Cannot execute arbitrary queries without full node
• Rely on full nodes for proof generation

​

Storage Quotas and Bonds

bond_required = (requested_quota - 1 MiB) × bond_rate_per_byte

• Locked while quota is in use
• Returned when quota is reduced
• Forfeited if actor is evicted (incentivizes rent payment)
• Subject to rent on the full allocated quota (not just used storage)

​

Monetary Policy and Fees

​

Inflation Schedule

• Year 1-2: 8% annual inflation
• Year 3-4: 5% annual inflation
• Year 5-6: 3% annual inflation
• Year 7-10: 2% annual inflation
• Year 10+: 1% terminal inflation

​

Fee Distribution

• Basefees (Cycles & Cells): 100% burned.
• Tips: Paid to block proposers.
• Off-Chain Job Payments: Flow to Runners, with a small percentage to the protocol treasury.

​

Governance and Upgrades

​

Applications

​

Architecture: Sovereign L1

• Native PVM with Python execution (not constrained to EVM)
• Custom consensus (Simplex BFT) with 1s block time
• Protocol-level timers and Runner integration
• Sovereign governance and upgrade path

​

Ethereum Interoperability

​

The State Transition Function

1. Header/Proposer: determined by Simplex; R derives from the parent QC.
2. Execute Transactions (ordered):
   • Validate signature, nonce, and balance.
   • Initialize meters with user limits; charge intrinsic cells.
   • Dispatch to target. Actor may send messages (fanout ≤ 1,024), schedule timers, and commit blobs; reentrancy depth ≤ 32.
   • Enforce memory (10 MiB), mailbox (≤ 1,000,000), and storage quotas.
   • Deduct fees: cycles_used*(bf_c+tip_c) + cells_used*(bf_b+tip_b); burn basefees.
3. Deliver Timers: Inject due timers at height(B).
4. Resolve Jobs: Process commitments, reveals, challenges, and payouts.
5. Adjust Basefees: Update (bf_c, bf_b) via EIP-1559 feedback.
6. Mint Rewards: Distribute per-block inflation to validators.

​

Terminology

• Actor: A Python program with persistent key/value state and a mailbox.
• Message: A datagram delivered to an actor handler.
• Cycle: Unit of metered on‑chain compute.
• Cell: Unit of metered bytes (1 cell = 1 byte).
• Runner: Off‑chain worker that executes a job and returns an attested result.
• Entitlement: A permission governing an actor’s or runner’s capabilities.
• Model: A registry entry describing an off-chain compute model’s digest and metadata.

​

Normative Conventions

​

1. Accounts, Addresses, and Keys

​

2. Transaction Types & Encoding

​

3. Execution Model (Actors)

• Official SDKs: Python SDK. The runtime MUST enforce determinism:
  • Allowed operations: Standard Python operations, file I/O limited to /tmp, cooperative yields via async/await.
  • Forbidden: sys.exit(), random module (except chain VRF), time.time()/datetime.now(), os.environ access, socket/network operations, subprocess calls, path traversal outside /tmp.
  • Floating point: Permitted; Cowboy provides a deterministic math library.
  • Scratch space: /tmp MUST be per‑invocation, capped at 256 KiB (counts toward cells_used), wiped post‑handler.

• Per‑call memory limit: 10 MiB heap memory.
• Per‑actor persistent storage quota: 1 MiB (governance‑tunable) with state rent (§4.4).
• Quota extensions: An actor MAY post a storage bond up to 8 MiB total; rent applies to the full allocated quota.

• Delivery: Exactly‑once. Each message ID MUST be keccak256(sender||nonce||msg_hash) and recorded in a per‑actor dedup set.
• Mailbox: Capacity 1,000,000 items; enqueue beyond the limit MUST revert.
• Per‑tx fanout: A transaction (including all nested sends) MUST NOT enqueue more than 1,024 messages.
• Reentrancy: Allowed; recursion/await depth cap = 32.
• Timers (chain‑native): The following timer primitives are provided:
  • timer_id = set_timer(height, handler, data) — Schedule a one-time timer for the specified block height. Returns a unique timer_id.
  • timer_id = set_interval(every_n_blocks, handler, data) — Schedule a recurring timer. Returns a unique timer_id.
  • cancel_timer(timer_id) — Cancel a pending timer by its ID. Returns the deposit if successful.
  • Timer delivery is best‑effort; execution depends on the GBA auction (see §Timer Rate Limiting).

• Validators MUST generate a threshold‑BLS VRF per block: R_n = VRF_sk_epoch(QC_{n-1}). Actors MAY call an API which returns HKDF(R_n, label).

• Exact metering is consensus‑critical; implementers MUST match the reference cost table.

​

4. Fees, Metering, and Basefee Adjustment

• Cycles: Deterministic step count over Python operations + host calls.
• Cells: Bytes used by calldata, return data, inline blobs (≤ 64 KiB), and /tmp. 4.2 Dual EIP‑1559 basefees. Let U_c, T_c be cycles usage/target; U_b, T_b be cells usage/target. With elasticity E=2 (hard cap E*T_*), adjustment uses:

• T_c (cycles target): 10,000,000 cycles (cap 20,000,000).
• T_b (cells target): 500,000 bytes (cap 1,000,000). 4.4 State rent. Persistent storage incurs rent per byte per epoch, which is governance-tunable. If unpaid for 90 epochs, keys MAY be pruned after a 30‑epoch grace period.

​

5. Off‑Chain Compute

1. Post: Actor posts a job with escrowed price.
2. Assign: For HTTP domains, a committee of M=5 is sampled; N=3 matching reveals finalize. LLM jobs MAY use committees or single-runner.
3. Commit: Runner returns commit = keccak256(output||salt).
4. Reveal: Runner reveals {output, salt, proof?}.
5. Challenge: A challenge window of 15 min is opened, requiring a 100 CBY bond.
6. Resolve: Proven fault ⇒ 30% slash of active stake (70% to challenger, 30% burned).
7. Payout: On finalization, 99% of job payment to runner(s), 1% to Treasury.

​

6. Consensus, Randomness, and Networking

• Timer and runner lanes prevent user transaction spam from blocking autonomous actor execution
• Unused capacity in higher-priority lanes cascades to lower-priority lanes
• Each lane has independent basefee tracking 6.4 Gossip (mempool).

order_key = VRF(proposer_key, tx_hash, block_height)

• Front-running (limited observation time)
• Sandwich attacks (high risk of failed execution)
• Time-bandit attacks (chain never reorgs past finality)

​

7. Data Availability & Blobs

​

8. Economics, Inflation, and Fees

• Year 1-2: 8% annual inflation
• Year 3-4: 5% annual inflation
• Year 5-6: 3% annual inflation
• Year 7-10: 2% annual inflation
• Year 10+: 1% terminal inflation 8.3 Distribution at genesis.

​

9. System Actors & Precompiles

• 0x01 Messaging: Enqueue and fanout messages.
• 0x02 Timers: Schedule/cancel timers.
• 0x03 Oracle/Runner: Manage off-chain jobs.
• 0x04 Blob store: Commit/retrieve blob multihashes.
• 0x05 Signer utils: secp/BLS/VRF helpers.
• 0x06 EventListener: Ethereum event subscriptions (see §16).
• 0x07 TEE Verifier: Verify TEE attestations against trusted measurements.
• 0x08 Secrets Manager: Secure credential storage and access control for TEE runners.

​

10. Developer Experience (DX)

• SDKs: A primary Python SDK (cowboy-py) is provided.
• Local dev: A suite of tools including a single-node devnet (cowboyd), runner simulator, faucet, and explorer will be available.
• Best practices: Reentrancy guards, capability-scoped handles, and idempotent message handling are encouraged via the SDK.

​

11. Governance & Upgrades

• Model: Foundation 5‑of‑9 multisig sunsets after ~12 months to token‑weighted on‑chain governance.
• Timelocks: Standard actions 7 days; emergency fast‑track 6 hours.
• Upgrades: Hot‑code upgrades coordinated by governance.

​

12. Security Considerations

• max_tx_size = 128 KiB
• max_message_depth_per_tx = 32
• per_actor_per_block_cycles = 1,000,000 (burstable)

​

13. Parameters (Genesis Defaults)

​

14. Differences vs. Ethereum

• Execution: Python actors vs. EVM contracts.
• Fees: Dual meters (cycles/cells) vs. single gas scalar.
• Timers: Native timers vs. external keepers.
• Off‑chain compute: Native verifiable market vs. external oracles.
• State: Rent with eviction vs. indefinite storage.

​

15. Entitlements

• Least privilege by default.
• Deterministic enforcement.
• Declarative & composable.
• Auditable on-chain.

• Actor Entitlements: Permissions the actor requires.
• Runner Entitlements: Capabilities the runner provides.

1. MUST: Actors require entitlements; runners provide them.
2. MUST: Scheduler matches only if requires ⊆ provides.
3. MUST: Syscalls fail if the corresponding entitlement is missing.
4. MUST: Child actors only inherit entitlements marked inheritable:true.

​

16. Ethereum Interoperability

​

16.1. Account Unification

• Cowboy external accounts (EOAs) MUST use the same secp256k1 elliptic curve for signatures as Ethereum. This allows a single private key to control accounts on both networks, simplifying key management for users and agents.
• An actor, through a host call, MAY verify an EIP-712 signed data structure against a given Ethereum address, enabling actors to validate off-chain authorizations from Ethereum users.

​

16.2. Canonical Bridge

• The bridge MUST support the locking of native ETH and ERC-20 tokens on Ethereum to mint a corresponding wrapped representation on Cowboy (wETH, wERC-20).
• Conversely, the bridge MUST support the burning of wrapped assets on Cowboy to unlock the corresponding native assets on Ethereum.
• Bridge operations SHALL be secured by a committee of validators running light clients of the counterparty chain, with security bonds slashable on-chain for malicious behavior.

• The bridge protocol MUST allow a transaction on one chain to trigger a corresponding message call to a designated recipient actor/contract on the other.
• The payload of a cross-chain message MUST be included in the event logs of the source chain’s bridge contract, which the destination chain’s bridge validators can verify.

​

16.3. Event Subscription (Ethereum to Cowboy)

• Cowboy actors MAY subscribe to event logs emitted by specific contracts on the Ethereum blockchain.
• A system actor on Cowboy, 0x06 EventListener, SHALL manage these subscriptions. This actor relies on the bridge validator set to act as a decentralized oracle, monitoring the Ethereum chain for specified events.
• When a subscribed event is confirmed (i.e., finalized on Ethereum), the EventListener actor MUST enqueue a message to the subscribing Cowboy actor, delivering the event’s topic and data as the message payload.
• The cost of this subscription service SHALL be paid by the actor in CBY, covering the gas fees incurred by the oracle validators on Ethereum.

​

16.4. Policy and Security

• All interoperability functions available to an actor, such as bridge_asset or subscribe_event, MUST be governed by the Entitlements system (§15).
• An actor’s deployment manifest MUST declare the specific Ethereum contracts it is permitted to interact with and the types of assets it is allowed to bridge, enforcing the principle of least privilege.

​

17. Fee Model Specification

​

17.1. Overview

1. On-chain execution — Cycles consumed by transaction processing
2. On-chain storage — Cells consumed by state writes + ongoing state rent
3. Off-chain services — Direct CBY payments to Runners (LLM inference) and Providers (blob storage)

​

17.2. Transaction Intrinsic Costs

​

17.3. Execution Costs (Cycles)

​

Opcode Costs

​

Actor API Costs

​

Platform Token Costs (CIP-20)

​

17.4. On-Chain Storage Costs (Cells)

​

17.5. State Rent

rent_per_epoch = max(0, account_size - grace_threshold) × rent_rate

Parameters:
  grace_threshold = 10,240 bytes (10 KB)
  rent_rate       = 0.001 CBY/byte/year (governance-adjustable)
  epoch_length    = 1 day
  eviction_threshold = 2 years unpaid rent

• Accounts ≤10 KB: No rent charged
• Accounts >10 KB: Rent charged on excess bytes only
• Unpaid rent accumulates as debt against the account
• Eviction after 2 years of accumulated debt (state archived to blob storage, recoverable upon debt repayment)

​

17.6. Off-Chain Blob Storage (CIP-7)

• Retention policies and SLAs
• Provider staking and availability commitments
• Watchtower auditing and challenge mechanism
• Payment schedules and slashing conditions

​

17.7. Off-Chain Compute (Runner Marketplace)

​

17.8. Fee Adjustment (EIP-1559 Style)

next_basefee = basefee × (1 + δ × (usage - target) / target)

​

17.9. Reserved Capacity (Execution Lanes)

• Unused capacity in reserved lanes spills to User lane
• User lane cannot borrow from reserved lanes
• Timer lane has highest priority (guaranteed execution)

​

17.10. Fee Estimation

def estimate_fee(tx):
    intrinsic_cycles = INTRINSIC_COSTS[tx.type]
    intrinsic_cells = len(tx.calldata)

    # Estimate execution cost (via simulation or heuristics)
    execution_cycles = simulate_execution(tx)
    execution_cells = estimate_storage_writes(tx)

    total_cycles = intrinsic_cycles + execution_cycles
    total_cells = intrinsic_cells + execution_cells

    # Apply current basefees
    cycle_fee = total_cycles * cycle_basefee
    cell_fee = total_cells * cell_basefee

    # Add priority tip
    priority_fee = (total_cycles + total_cells) * priority_tip

    return cycle_fee + cell_fee + priority_fee