pod network integration (Shadow mode)

[AryanGodara]

Description

Closes #4126. Supersedes #4052.

Adds an opt-in shadow path in the driver that mirrors each auction onto the pod network. After the driver scores its own best solution, a tokio::spawn-ed task submits it as a bid to a pod auction contract, waits for the deadline, fetches everyone's bids, and runs a local copy of the same arbitration. Pod failures never block, delay, or mutate the response to autopilot.

If [pod] is omitted from the driver TOML, nothing pod-shaped is allocated.

Highlights

• Isolated. Pod state lives in crates/driver/src/infra/pod. PodManager (in flow.rs) owns the provider, the reusable AuctionClient, and the local arbitrator; it exposes a single spawn(). Competition::solve invokes it once and is otherwise untouched.
• Deterministic tie-breaking. winner_selection::Solution::canonical_hash is shared by autopilot and driver, so independent observers tie-break identically on the same logical solution.
• Protocol parameter, not a constant. max_winners (used by the local arbitrator) is configurable from the [pod] block; defaults to 10.
• Locked-account recovery. Pod allows one in-flight tx per submitter. On the locked-account error we call pod_getRecoveryTargetTx → recover(tx_hash, nonce) on the 0x50d…0003 precompile and retry once. See infra/pod/recovery.rs for the production-mode caveats (TODO(production-pod)).
• Malformed bid resilience. A single bad bid is logged and skipped, never aborts arbitration.

What's new

Area	What
Crate	winner-selection — Solution::canonical_hash, Arbitrator::arbitrate_paired, public SolutionKey.
Driver module	infra::pod (config, flow, recovery) and domain::competition::solver_winner_selection.
Driver TOML	[pod] endpoint, auction-contract-address, max-winners (max-winners defaults to 10). Pod is opt-in.
E2E tests	pod_test_basic, pod_test_multi_order, pod_test_multi_solver (gated by --run-ignored ignored-only; need live pod RPC).

How to test

# Lint, exactly what CI runs
just fmt --check && just clippy && just fmt-toml --check

# Unit tests
cargo nextest run -p winner-selection -p driver -p autopilot

# Pod e2e (needs cow.pod.network:11600 reachable)
just test-pod

[github-actions]

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

[github-actions]

This pull request has been marked as stale because it has been inactive a while. Please update this pull request or it will be automatically closed.

[github-actions]

This pull request has been marked as stale because it has been inactive a while. Please update this pull request or it will be automatically closed.

[AryanGodara]

Pod Integration: Design Decisions (more context apart from PR description)

Shadow Mode Architecture

Pod integration runs in shadow mode, so bid submission failures are logged as warnings but never block the protocol flow.

Haircut-Based Score Differentiation (fo rthe e2e Tests)

Since i'm using 2 instances of baseline solvers to simulate competition for the e2e tests; they produce the same flowTwo solvers competing for the same order find identical routes → identical scores.

Solution

Use haircut_bps parameter to artificially differentiate scores:

• Solver A: haircut_bps = 0 (full score)
• Solver B: haircut_bps = 5000 (50% haircut → lower score)

This reliably produces different scores for testing pod winner selection without complex liquidity setup.

Nonce/Pending TX Handling

Current Issue

Pod network rejects new TXs when previous ones from same sender are pending:

error code -32603: Another transaction 0x... is still pending

Approach

• Log nonce on provider init for debugging
• Shadow mode ensures failures don't block main flow
• Pod team to resolve stuck TXs on their end
• Future: pod-sdk should handle nonce conflicts internally (replace-by-fee)

Deterministic Test Addresses

E2E tests use deterministic addresses derived from Anvil's default mnemonic. Pre-funding these on pod network:

• 0xf985d2cf3f3c5cfc798d8e9e4ebdd6777653c3cb - solver 1
• 0x9315fc8ffae493123b9b6b1c93d50c9b9eef0344 - solver 2

Both funded with ~10 ETH on pod network.

Config Structure

[pod]
endpoint = "http://cow.pod.network:8545"
auction-contract = "0xeDD0670497E00ded712a398563Ea938A29dD28c7"

Wallet uses existing [account] section - no separate pod wallet config needed.

[ogabrielides]

I have read the CLA Document and I hereby sign the CLA

[gemini-code-assist]

Code Review

This pull request implements integration with the pod network to support decentralized solver competitions. Key changes include upgrading the Alloy dependency suite to version 1.8.3, introducing deterministic solution hashing within the winner-selection crate, and adding a pod_flow to the driver for bid submission and local arbitration. The PR also includes new E2E tests, local configurations, and account recovery logic for the pod network. Feedback was provided regarding the fragility of the bid-fetching process, where a single malformed bid currently causes the entire batch to fail; it is recommended to collect individual errors instead of aborting the process.

[gemini-code-assist]

Aborting the entire bid fetching process due to a single malformed bid is fragile. However, simply skipping the error is insufficient. According to our rules, when fetching a batch of items where individual fetches can fail, the API response should explicitly indicate which items failed and provide error details for each failure, rather than silently ignoring them.

        let mut errors = Vec::new();
        for bid in bids {
            match serde_json::from_slice::<dto::SolveResponse>(bid.data.as_slice()) {
                Ok(resp) => {
                    for solution in resp.solutions {
                        participants.push(Bid::new(solution));
                    }
                }
                Err(e) => {
                    tracing::error!(error = %e, "failed to deserialize SolveResponse");
                    errors.push((bid.id, e.to_string()));
                }
            }
        }

References

1. When fetching a batch of items where individual fetches can fail, do not silently ignore errors. The API response should explicitly indicate which items failed and provide error details for each failure.

[jmg-duarte]

Can't we split this by doing a merge over the winsel changes and their downstream friends?

IMO this is way too much to be merged and released confidently in one go

[jmg-duarte]

These don't need to be public, arguably the key doesn't either

[jmg-duarte]

This makes other constructions of SolutionKey { .. } inconsistent, either use the same for all of them, or remove this one and use the same approach as the others (2nd is better IMO)

[jmg-duarte]

The comment should rather explain what this represents, the current one is more like a footnote

[jmg-duarte]

1. What is supposed to be the shape of T?
2. I see this is only used by arbitrate_paired_and_rejoin, we can drop the pub

[jmg-duarte]

I see this only being used with Bid<BigPayload, Unscored>; I think we can lock in the type here and extend to generics later if needed

[jmg-duarte]

The move to paired just to make items mut is kinda weird, you can also avoid the extra collection muts with an iterator

Suggested change

	pub fn arbitrate_paired<T>(
	&self,
	items: Vec<(T, Solution<Unscored>)>,
	context: &AuctionContext,
	) -> (Ranking, HashMap<SolutionKey, T>) {
	let mut paired = items;
	paired.sort_by_cached_key(|(_, solution)| solution.canonical_hash());
	let mut by_key = HashMap::with_capacity(paired.len());
	let mut solutions = Vec::with_capacity(paired.len());
	for (item, solution) in paired {
	by_key.insert(SolutionKey::from(&solution), item);
	solutions.push(solution);
	}
	(self.arbitrate(solutions, context), by_key)
	}
	pub fn arbitrate_paired<T>(
	&self,
	mut items: Vec<(T, Solution<Unscored>)>,
	context: &AuctionContext,
	) -> (Ranking, HashMap<SolutionKey, T>) {
	items.sort_by_cached_key(|(_, solution)| solution.canonical_hash());
	let (by_key, solutions) = items
	.into_iter()
	.map(|(item, solution)| ((SolutionKey::from(&solution), item), solution))
	.collect();
	(self.arbitrate(solutions, context), by_key)
	}

[jmg-duarte]

There must be a simpler way of doing this, there's mutation and pure things leading to collects, looks very weird to me

The FnMut + captured mutable state sounds like an accident waiting to happen as well

Can this made simpler?

[jmg-duarte]

This Clone is not actually needed because the SolverArbitrator also doesn't need one

[jmg-duarte]

So, can't we make cannonical_hash's signature be fn(&self, &HashMap<Address, U256>) instead?

Or store the hash of the prices at creation time instead of carrying them around?

[jmg-duarte]

Even though it's not 1:1, we can use derive(Clone) here instead