src/token: token primitives (RYLA).src/bridge: bridge adapter domain.src/settlement: settlement module + verifier domain.src/pool: ZK UTXO pool domain (MARKPool,RYLACreditLedger, support libraries).src/withdraw: withdrawal adapter domain (MARKWithdrawAdapter).src/crypto: shared cryptographic primitives (Merkle tree, Poseidon).src/interfaces: shared interfaces used across domains.src/errors: shared error types.
src/bridge/**must not import fromsrc/settlement/**.src/settlement/**must not import fromsrc/bridge/**.src/pool/**must not import fromsrc/settlement/**orsrc/bridge/**.src/withdraw/**must not import fromsrc/settlement/**orsrc/bridge/**.- Cross-domain sharing should be done through narrow interfaces and shared types only.
src/token/**is an allowed dependency for all domains.src/crypto/**andsrc/interfaces/**are allowed dependencies for all domains.
Notes enter the pool via transact() (ZK proof) or bridgeIn() (restricted). The pool
is a nullifier registry — it does not hold tokens.
To withdraw RYLA, a note owner:
- Calls
MARKPool.transactWithWithdrawBinding()— verifies ZK proof, marks nullifiers spent, records a withdraw binding (hash of owner/recipient/amount). No token transfer. - Calls
MARKWithdrawAdapter.withdrawWithSig()— verifies the binding matches, verifies EIP-712 signatures, callsRYLACreditLedger.debit(owner, amount)which burns RYLA.
The owner must hold RYLA equal to the withdrawal amount and approve RYLACreditLedger
before step 2. The ZK proof proves note ownership; the RYLA burn redeems it.
- CI runs
make architecture-guard. - Guard implementation:
script/ci/architecture-guard.sh. - CI runs
make layering-guard. - Guard implementation:
script/ci/layering-guard.sh. - Any forbidden cross-domain import causes CI failure.