lazor-kit
diff --git a/‎CHANGELOG.md‎
Lines changed: 9 additions & 4 deletions b/‎CHANGELOG.md‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 10 additions & 8 deletions b/‎README.md‎
Lines changed: 10 additions & 8 deletions
diff --git a/‎docs/Architecture.md‎
Lines changed: 16 additions & 15 deletions b/‎docs/Architecture.md‎
Lines changed: 16 additions & 15 deletions
diff --git a/‎docs/Costs.md‎
Lines changed: 37 additions & 20 deletions b/‎docs/Costs.md‎
Lines changed: 37 additions & 20 deletions
@@ -8,8 +8,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Added
 
-- Odometer counter replay protection for Secp256r1 (monotonic u64 per authority)
+- Odometer counter replay protection for Secp256r1 (monotonic u32 per authority)
 - program_id included in challenge hash (cross-program replay prevention)
+- rpId stored on authority account at creation (saves ~14 bytes per transaction)
 - TypeScript SDK (`sdk/solita-client`) with Solita code generation
 - Integration test suite (`tests-sdk/`) with 28 tests across 7 files
 - Benchmark script for CU and transaction size measurements
@@ -26,12 +27,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 ### Changed
 
 - Secp256r1 replay protection: primary mechanism changed from WebAuthn hardware counter to program-controlled odometer
-- Auth payload layout: added 8-byte counter field at offset 8 (all subsequent fields shifted)
+- Auth payload layout: added 4-byte counter field at offset 8 (all subsequent fields shifted)
 - Challenge hash: 5 elements -> 7 elements (added counter + program_id)
-- AuthorityAccountHeader: added `counter` (u64) and `version` (u8) fields
+- AuthorityAccountHeader: added `counter` (u32) and `version` (u8) fields
 - Secp256r1 pubkey storage: verified as 33-byte compressed format
 - Authenticator trait: added `program_id` parameter
 - Counter write timing: moved to after full signature verification
+- Slot freshness: replaced SlotHashes sysvar with `Clock::get()` (removes 1 account from transaction)
+- Counter size: u64 -> u32 (4 billion operations per authority is sufficient)
+- Execute Secp256r1 transaction size: 708 -> 658 bytes (50 bytes saved)
+- Execute Secp256r1 accounts: 8 -> 7 (SlotHashes sysvar removed)
 
 ### Fixed
 
@@ -46,5 +51,5 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Role-Based Access Control (Owner, Admin, Spender)
 - Ephemeral session keys with slot-based expiry
 - CompactInstructions for Execute
-- SlotHashes nonce for signature freshness
+- SlotHashes nonce for signature freshness (replaced by Clock::get() in v2)
 - Zero-copy serialization via pinocchio
@@ -11,7 +11,8 @@ A high-performance smart wallet program on Solana with passkey (WebAuthn/Secp256
 - **Multi-Protocol Authentication**: Ed25519 (native Solana) + Secp256r1 (WebAuthn/Passkeys/Apple Secure Enclave)
 - **Role-Based Access Control**: Owner / Admin / Spender with strict permission hierarchy
 - **Ephemeral Session Keys**: Time-bound keys with absolute slot-based expiry (max 30 days)
-- **Odometer Replay Protection**: Monotonic u64 counter per authority — works reliably with synced passkeys (iCloud, Google)
+- **Odometer Replay Protection**: Monotonic u32 counter per authority — works reliably with synced passkeys (iCloud, Google)
+- **Clock-Based Slot Freshness**: 150-slot window via `Clock::get()` — no SlotHashes sysvar needed
 - **Zero-Copy Serialization**: Raw byte casting via pinocchio, no Borsh overhead
 - **CompactInstructions**: Index-based instruction packing for multi-call payloads within Solana's 1,232-byte tx limit
 - **CPI Reentrancy Protection**: stack_height check prevents cross-program authentication attacks
@@ -22,9 +23,9 @@ A high-performance smart wallet program on Solana with passkey (WebAuthn/Secp256
 
 | Metric | Normal Transfer | LazorKit (Secp256r1) | LazorKit (Session) |
 |---|---|---|---|
-| Compute Units | 150 | 9,316 | 7,483 |
-| Transaction Size | 215 bytes | 708 bytes | 452 bytes |
-| Accounts | 2 | 8 | 7 |
+| Compute Units | 150 | 10,941 | 4,483 |
+| Transaction Size | 215 bytes | 658 bytes | 452 bytes |
+| Accounts | 2 | 7 | 7 |
 | Instructions | 1 | 2 | 1 |
 | Transaction Fee | 0.000005 SOL | 0.000005 SOL | 0.000005 SOL |
 
@@ -42,15 +43,15 @@ See [docs/Costs.md](docs/Costs.md) for full cost analysis, session key costs, an
 |---|---|---|
 | Wallet PDA | 8 bytes | 0.000947 |
 | Authority (Ed25519) | 80 bytes | 0.001448 |
-| Authority (Secp256r1) | 113 bytes | 0.001677 |
+| Authority (Secp256r1) | ~125 bytes | 0.001761 |
 | Session | 80 bytes | 0.001448 |
 
 ### Total Wallet Creation
 
 | Auth Type | Total Cost | ~USD at $150/SOL |
 |---|---|---|
 | Ed25519 | 0.002399 SOL | $0.36 |
-| Secp256r1 (Passkey) | 0.002629 SOL | $0.39 |
+| Secp256r1 (Passkey) | 0.002713 SOL | $0.41 |
 
 ### Session Key Cost
 
@@ -157,12 +158,13 @@ LazorKit V2 has been audited by **Accretion** (Solana Foundation funded).
 **Status**: 17/17 security issues resolved
 
 Security features:
-- Odometer counter replay protection (per-authority monotonic u64)
-- SlotHashes liveness window (150 slots)
+- Odometer counter replay protection (per-authority monotonic u32)
+- Clock-based slot freshness window (150 slots via `Clock::get()`)
 - CPI reentrancy prevention (stack_height check)
 - Signature binding (payer, accounts hash, counter, program_id)
 - Self-removal and owner removal protection
 - Session expiry validation (future + 30-day max)
+- rpId stored on-chain (prevents cross-origin attacks)
 
 Report vulnerabilities via [SECURITY.md](SECURITY.md).
 
 
@@ -16,8 +16,8 @@ LazorKit is a high-performance smart wallet on Solana with passkey (WebAuthn) au
 
 ### Replay Protection
 
-- **Secp256r1 (Primary: Odometer Counter)**: Program-controlled u64 counter per authority. Client submits `stored_counter + 1`. The WebAuthn hardware counter is intentionally NOT used -- synced passkeys (iCloud, Google) return unreliable values. Counter is committed only after successful signature verification.
-- **Secp256r1 (Secondary: SlotHashes Liveness)**: Slot from auth_payload must appear in SlotHashes sysvar (valid within 150 slots). Provides freshness without stateful nonces.
+- **Secp256r1 (Primary: Odometer Counter)**: Program-controlled u32 counter per authority. Client submits `stored_counter + 1`. The WebAuthn hardware counter is intentionally NOT used -- synced passkeys (iCloud, Google) return unreliable values. Counter is committed only after successful signature verification.
+- **Secp256r1 (Secondary: Clock-based Slot Freshness)**: Slot from auth_payload must be within 150 slots of `Clock::get()`. Provides freshness without stateful nonces or the SlotHashes sysvar.
 - **Secp256r1 (CPI Protection)**: stack_height check prevents authentication via CPI.
 - **Secp256r1 (Signature Binding)**: Challenge hash binds signature to specific instruction, payer, accounts, counter, and program_id.
 - **Ed25519**: Standard Solana runtime signer verification. No counter needed.
@@ -78,17 +78,18 @@ pub struct AuthorityAccountHeader {
     pub role: u8,            // 0=Owner, 1=Admin, 2=Spender
     pub bump: u8,
     pub version: u8,
-    pub _padding: [u8; 3],
-    pub counter: u64,        // Monotonic odometer for Secp256r1 replay protection
+    pub _padding1: [u8; 3],
+    pub counter: u32,        // Monotonic u32 odometer for Secp256r1 replay protection
+    pub _padding2: [u8; 4],  // Alignment padding (wallet stays at offset 16)
     pub wallet: Pubkey,      // 32 bytes
 }
-// Header: 1+1+1+1+1+3+8+32 = 48 bytes
+// Header: 1+1+1+1+1+3+4+4+32 = 48 bytes (same size, wallet at same offset)
 ```
 
 Variable data after header:
 
 - **Ed25519**: `[pubkey: [u8; 32]]` -- total 80 bytes.
-- **Secp256r1**: `[credential_id_hash: [u8; 32]] [compressed_pubkey: [u8; 33]]` -- total 113 bytes.
+- **Secp256r1**: `[credential_id_hash: [u8; 32]] [compressed_pubkey: [u8; 33]] [rpIdLen: u8] [rpId: [u8; N]]` -- total 114+ bytes (rpId stored on-chain to avoid per-tx transmission).
 
 ### C. SessionAccount (80 bytes)
 
@@ -127,7 +128,7 @@ No data allocated. Holds SOL. Program signs for it via PDA seeds during Execute.
 - Creates new Authority PDA.
 - Requires Admin or Owner authentication.
 - Owner can add any role; Admin can only add Spender.
-- Accounts: payer, wallet, admin_authority, new_authority, system_program, rent_sysvar [+ sysvar_instructions, sysvar_slothashes for Secp256r1].
+- Accounts: payer, wallet, admin_authority, new_authority, system_program, rent_sysvar [+ sysvar_instructions for Secp256r1].
 
 ### RemoveAuthority (discriminator: 2)
 
@@ -177,16 +178,18 @@ For Secp256r1 Execute, the signed payload includes a SHA256 hash of all account
 ## 7. Auth Payload Layout (Secp256r1)
 
 ```
-[slot: u64 LE]              // 8 bytes  -- SlotHashes liveness
-[counter: u64 LE]           // 8 bytes  -- odometer value (stored + 1)
+[slot: u64 LE]              // 8 bytes  -- Clock-based slot freshness
+[counter: u32 LE]           // 4 bytes  -- odometer value (stored + 1)
 [sysvar_ix_index: u8]       // 1 byte   -- index of sysvar_instructions in accounts
-[sysvar_slothashes_index: u8] // 1 byte
 [type_and_flags: u8]        // 1 byte   -- WebAuthn type + flags
-[rp_id_len: u8]             // 1 byte
-[rp_id: u8[]]               // N bytes  -- e.g., "lazorkit.app"
 [authenticator_data: u8[]]  // M bytes  -- WebAuthn authenticator data (min 37 bytes)
 ```
 
+Compared to the previous layout, 3 optimizations reduce the per-transaction payload:
+- **Counter**: u64 -> u32 (saves 4 bytes; 4 billion ops per authority is sufficient)
+- **SlotHashes index**: removed (slot freshness via `Clock::get()` instead of sysvar lookup)
+- **rpId**: stored on the authority account at creation, not sent per-tx (saves ~12 bytes)
+
 ## 8. Project Structure
 
 ```
@@ -195,10 +198,8 @@ program/
     auth/
       ed25519.rs              Native signer verification
       secp256r1/
-        mod.rs                Passkey authenticator with odometer
+        mod.rs                Passkey authenticator with odometer + Clock-based slot check
         introspection.rs      Precompile instruction verification
-        nonce.rs              SlotHashes liveness validation
-        slothashes.rs         Sysvar memory parsing
         webauthn.rs           ClientDataJSON reconstruction + AuthDataParser
       traits.rs               Authenticator trait
     processor/
 
@@ -11,42 +11,56 @@ This document provides comprehensive cost data for the LazorKit smart wallet pro
 | Instruction | CU | Tx Size (bytes) | Ix Data (bytes) | Accounts | Instructions |
 |---|---|---|---|---|---|
 | Normal SOL Transfer (baseline) | 150 | 215 | 12 | 2 | 1 |
-| CreateWallet (Ed25519) | 13,687 | 408 | 73 | 6 | 1 |
-| CreateWallet (Secp256r1) | 12,185 | 441 | 106 | 6 | 1 |
-| AddAuthority (Ed25519 admin) | 7,342 | 473 | 41 | 7 | 1 |
-| Execute Secp256r1 (SOL transfer) | 9,316 | 708 | 271 | 8 | 2 |
-| Execute Session (SOL transfer) | 7,483 | 452 | 20 | 7 | 1 |
-| CreateSession (Ed25519) | 9,015 | 473 | 41 | 7 | 1 |
+| CreateWallet (Ed25519) | 15,187 | 408 | 73 | 6 | 1 |
+| CreateWallet (Secp256r1) | 13,687 | 453 | 118 | 6 | 1 |
+| AddAuthority (Ed25519 admin) | 5,846 | 473 | 41 | 7 | 1 |
+| Execute Secp256r1 (SOL transfer) | 10,941 | 658 | 254 | 7 | 2 |
+| Execute Session (SOL transfer) | 4,483 | 452 | 20 | 7 | 1 |
+| CreateSession (Ed25519) | 6,015 | 473 | 41 | 7 | 1 |
 
 **Notes:**
 - CU values are from real transactions on a local validator
 - Secp256r1 Execute requires 2 instructions (precompile verification + execute)
-- Session Execute is cheaper — only 1 instruction, no precompile, no auth payload
+- Session Execute is cheaper -- only 1 instruction, no precompile, no auth payload
 - All operations fit well within Solana's 200,000 CU default budget
 - Transaction sizes are well within Solana's 1,232-byte limit
 
 ---
 
+## Transaction Size Optimization (v2)
+
+The Secp256r1 Execute transaction was optimized from **708 bytes to 658 bytes** (50 bytes saved) via three changes:
+
+| Optimization | Bytes Saved | Details |
+|---|---|---|
+| Drop SlotHashes sysvar | ~32 bytes | Use `Clock::get()` for slot freshness instead of SlotHashes sysvar lookup. Removes 1 account from the transaction. |
+| u32 counter (was u64) | ~4 bytes | 4 billion operations per authority is sufficient. Saves 4 bytes in auth payload + 4 bytes in challenge hash. |
+| rpId stored on-chain | ~14 bytes | rpId (e.g. "example.com") stored on authority account at creation time, no longer sent per-tx. |
+
+**Security impact:** None. The odometer counter remains the primary replay protection. Slot freshness via `Clock::get()` provides the same age check (150-slot window) without requiring the SlotHashes sysvar account.
+
+---
+
 ## LazorKit vs Normal SOL Transfer
 
 | Metric | Normal Transfer | LazorKit Secp256r1 | LazorKit Session | Notes |
 |---|---|---|---|---|
-| Compute Units | 150 | 9,316 | 7,483 | Session uses Ed25519 signer (no precompile) |
-| Transaction Size | 215 bytes | 708 bytes | 452 bytes | Session tx is smaller (no precompile ix) |
-| Instruction Data | 12 bytes | 271 bytes | 20 bytes | Session has no auth payload |
-| Accounts | 2 | 8 | 7 | Session skips sysvar accounts |
+| Compute Units | 150 | 10,941 | 4,483 | Session uses Ed25519 signer (no precompile) |
+| Transaction Size | 215 bytes | 658 bytes | 452 bytes | Session tx is smaller (no precompile ix) |
+| Instruction Data | 12 bytes | 254 bytes | 20 bytes | Session has no auth payload |
+| Accounts | 2 | 7 | 7 | Secp256r1 uses sysvar_instructions only |
 | Instructions per Tx | 1 | 2 | 1 | Session needs only 1 instruction |
 | Transaction Fee | 0.000005 SOL | 0.000005 SOL | 0.000005 SOL | Same base fee |
 
 **Why the overhead is acceptable:**
-- 9,316 CU (Secp256r1) is only **4.7%** of the 200,000 CU default budget
-- 7,483 CU (Session) is only **3.7%** of the 200,000 CU default budget
-- 708 bytes (Secp256r1) is **57%** of the 1,232-byte transaction limit
+- 10,941 CU (Secp256r1) is only **5.5%** of the 200,000 CU default budget
+- 4,483 CU (Session) is only **2.2%** of the 200,000 CU default budget
+- 658 bytes (Secp256r1) is **53%** of the 1,232-byte transaction limit, leaving **574 bytes** for inner instructions
 - 452 bytes (Session) is only **37%** of the 1,232-byte limit
 - Transaction fee is identical (base fee is per-signature, not per-CU)
 - The overhead buys: passkey auth, RBAC, replay protection, session keys, multi-sig
 
-**Session keys** are ideal for frequent transactions (gaming, DeFi) — they're faster, cheaper, and only need a one-time setup cost.
+**Session keys** are ideal for frequent transactions (gaming, DeFi) -- they're faster, cheaper, and only need a one-time setup cost.
 
 ---
 
@@ -58,11 +72,13 @@ Solana requires accounts to maintain a minimum balance (rent-exempt) based on da
 |---|---|---|---|
 | Wallet PDA | 8 | 0.000946560 | 946,560 |
 | Authority (Ed25519) | 80 | 0.001447680 | 1,447,680 |
-| Authority (Secp256r1) | 113 | 0.001677360 | 1,677,360 |
+| Authority (Secp256r1) | ~125 | 0.001760880 | 1,760,880 |
 | Session | 80 | 0.001447680 | 1,447,680 |
 | Vault PDA | 0 | 0 | 0 |
 
-**Vault PDA** is not initialized as a program-owned account. It simply receives SOL via transfer. No rent cost.
+**Notes:**
+- Secp256r1 authority size is variable: 48 (header) + 32 (cred hash) + 33 (pubkey) + 1 (rpIdLen) + N (rpId). For `rpId = "example.com"` (11 bytes), total = 125 bytes.
+- **Vault PDA** is not initialized as a program-owned account. It simply receives SOL via transfer. No rent cost.
 
 ---
 
@@ -73,9 +89,9 @@ Creating a wallet involves allocating a Wallet PDA and the first Authority PDA.
 | Auth Type | Wallet Rent | Authority Rent | Tx Fee | Total |
 |---|---|---|---|---|
 | Ed25519 | 0.000947 SOL | 0.001448 SOL | 0.000005 SOL | **0.002399 SOL** |
-| Secp256r1 (Passkey) | 0.000947 SOL | 0.001677 SOL | 0.000005 SOL | **0.002629 SOL** |
+| Secp256r1 (Passkey) | 0.000947 SOL | 0.001761 SOL | 0.000005 SOL | **0.002713 SOL** |
 
-At $150/SOL, wallet creation costs approximately **$0.36 - $0.39 USD**.
+At $150/SOL, wallet creation costs approximately **$0.36 - $0.41 USD**.
 
 ---
 
@@ -120,13 +136,14 @@ At $150/SOL, session setup costs ~$0.22 USD. Each subsequent execute costs $0.00
 |---|---|---|---|
 | WalletAccount | 8 bytes | 0 | **8 bytes** |
 | Authority (Ed25519) | 48 bytes | 32 bytes (pubkey) | **80 bytes** |
-| Authority (Secp256r1) | 48 bytes | 65 bytes (cred_hash + compressed_pubkey) | **113 bytes** |
+| Authority (Secp256r1) | 48 bytes | 32 (cred_hash) + 33 (pubkey) + 1 (rpIdLen) + N (rpId) | **114+ bytes** |
 | SessionAccount | 80 bytes | 0 | **80 bytes** |
 
 The compact data sizes are achieved through:
 - `#[repr(C, align(8))]` with `NoPadding` derive macro
 - 33-byte compressed Secp256r1 public keys (not 64-byte uncompressed)
 - No Borsh serialization overhead
+- rpId stored on authority account (saves per-tx payload bytes)
 
 ---