Payments rearchitecture: RFQ hardening + multi-asset bill weighting + facet split for EIP-170 (#133)

* fix(quotes): RFQ replay / freshness / cumulative TTL hardening

Three security findings on the RFQ quote paths, all closed:

- Job RFQ `requester` is signed but was not verified. Thread `msg.sender`
  through `verifyAndMarkJobQuoteUsed`; reject when the verified address
  does not match the quote's bound requester. Wildcard requesters
  (`address(0)`) are also rejected.
- Service-creation quotes lacked the freshness check the per-job path
  enforces. Add the same `block.timestamp <= details.timestamp + maxQuoteAge`
  gate to `verifyQuoteBatch` so stale quotes cannot be redeemed long after
  the protocol's max-quote-age window.
- `extendServiceFromQuotes` allowed unbounded cumulative TTL. Cap the
  cumulative service TTL at `MAX_SERVICE_TTL` so repeated extensions
  cannot push a single service past the protocol's lifetime ceiling.

New errors: `JobQuoteRequesterMismatch`, `QuoteTimestampStale`,
`CumulativeTtlExceeded`.

Tests added in `QuoteVerification.t.sol`, `QuoteExtension.t.sol`,
`RFQPaymentDistribution.t.sol` covering each guard. Full RFQ suite
57/57 passes.

* feat(payments): multi-asset subscription bill weighting

Restore the per-asset commitment system to subscription bills. Previously
the bill weighted by a single bond-asset cum-stake-seconds × the operator's
overall `ServiceOperator.exposureBps`, collapsing the protocol's
multi-asset security model. Now the bill iterates the operator's
`AssetSecurityCommitment[]` for the service and sums
`cumDelta_op_asset × commitmentBps_asset` (USD-normalized via oracle when
configured) across every (op, asset) pair the service requires.

- TWAP cursors are now keyed `(serviceId, operator, assetHash)` so per-asset
  joins, leaves, and rejoins compute correct deltas.
- Activation pins a multi-asset baseline of
  `Σ_op Σ_asset (delegation × commitmentBps × price)`.
- Bill amount + operator payout weight share the same per-asset stake-time
  × exposure aggregate, so customer-fairness and operator-fairness move
  together across assets.
- Fallback: when an operator has no per-asset commitments stored (services
  that don't opt into the multi-asset commitment system), bill against the
  bond asset at `ServiceOperator.exposureBps`. Mirrors the legacy
  single-asset semantics so existing tests / services keep working.

Storage: replaces `_twapCursorByOp` (2-level) with `_twapCursorByOpAsset`
(3-level). Greenfield rename — no migration.

Full regression: 1450 / 1450 ✅.

* refactor(facets): split Payments + Services facets to fit EIP-170

Three facets exceeded the 24,576-byte runtime ceiling (TanglePaymentsFacet 31,846,
TangleServicesFacet 26,805, TanglePaymentsDistributionFacet 28,971), blocking
deployment on any chain that enforces EIP-170. Split the abstract `Payments`
contract into focused mixins so each facet inherits only its slice, and pull
validation pure-compute out of `ServicesApprovals` into an external library.

Payments split:
- `PaymentsCore` — shared events, `_activeServiceOperators`, `_depositToEscrow`
- `PaymentsEscrow` — `fundService`, `withdrawRemainingEscrow`
- `PaymentsBilling` — subscription bill flow, TWAP weighting, `_accrueOperatorWeights`
- `PaymentsDistribution` — distribution core, exposure fallback, baseline init
- `PaymentsRewards` — already-split rewards/admin (+ `getBillableServices`)

Subscription billing's distribution path is reached via a diamond self-call
(`ITanglePaymentsInternal.distributeBillWithKeeper`) so the distribution
machinery only contributes bytecode to the facet that hosts it. Same for
`initSubscriptionBaseline` (now on `TanglePaymentsDistributionFacet`).

`hasSecurityCommitments` is now computed inline in `_accrueOperatorWeights`
instead of via a second `_calculateEffectiveExposures` pass, which lets
`PaymentsBilling` drop its `PaymentsEffectiveExposure` inheritance entirely.

Services split:
- `AttestationLib` — shared `teeNonce` + `blsPopMessage` pure compute
- `ServiceValidationLib` — external library hosting `_validateTeeCommitments`,
  `_validateSecurityCommitments`, `_requireBlsProofOfPossession`
- `ServicesApprovalsViews` — views facet, no longer inherited by `ServicesApprovals`

Final runtime sizes (default profile, optimizer on, runs=1):
- TanglePaymentsFacet              24,160  (-416 under EIP-170)
- TanglePaymentsDistributionFacet  18,144
- TanglePaymentsRewardsFacet       15,266
- TangleServicesFacet              21,741
- ServiceValidationLib              3,802  (deployed separately, auto-linked)

No storage layout changes. No diamond-side ABI changes — same selectors, just
routed to different physical facet contracts. Full regression: 1,450/1,450
tests pass.

---------

Co-authored-by: Drew Stone <drewstone329@gmail.com>

Author: tangletools

foundry.toml

@@ -6,7 +6,7 @@ fuzz = { runs = 1_000 }
 gas_reports = ["*"]
 libs = ["dependencies"]
 # optimizer = true (default)
-optimizer_runs = 200
+optimizer_runs = 1
 fs_permissions = [{ access = "read-write", path = "./" }]
 solc = "0.8.26"
 evm_version = "cancun"

script/DemoSimulation.s.sol

@@ -19,13 +19,16 @@ import { TangleBlueprintsManagementFacet } from "../src/facets/tangle/TangleBlue
 import { TangleOperatorsFacet } from "../src/facets/tangle/TangleOperatorsFacet.sol";
 import { TangleServicesRequestsFacet } from "../src/facets/tangle/TangleServicesRequestsFacet.sol";
 import { TangleServicesFacet } from "../src/facets/tangle/TangleServicesFacet.sol";
+import { TangleServicesViewsFacet } from "../src/facets/tangle/TangleServicesViewsFacet.sol";
 import { TangleServicesLifecycleFacet } from "../src/facets/tangle/TangleServicesLifecycleFacet.sol";
 import { TangleJobsFacet } from "../src/facets/tangle/TangleJobsFacet.sol";
 import { TangleJobsAggregationFacet } from "../src/facets/tangle/TangleJobsAggregationFacet.sol";
 import { TangleJobsRFQFacet } from "../src/facets/tangle/TangleJobsRFQFacet.sol";
 import { TangleQuotesFacet } from "../src/facets/tangle/TangleQuotesFacet.sol";
 import { TangleQuotesExtensionFacet } from "../src/facets/tangle/TangleQuotesExtensionFacet.sol";
 import { TanglePaymentsFacet } from "../src/facets/tangle/TanglePaymentsFacet.sol";
+import { TanglePaymentsRewardsFacet } from "../src/facets/tangle/TanglePaymentsRewardsFacet.sol";
+import { TanglePaymentsDistributionFacet } from "../src/facets/tangle/TanglePaymentsDistributionFacet.sol";
 import { TangleSlashingFacet } from "../src/facets/tangle/TangleSlashingFacet.sol";
 import { StakingOperatorsFacet } from "../src/facets/staking/StakingOperatorsFacet.sol";
 import { StakingDepositsFacet } from "../src/facets/staking/StakingDepositsFacet.sol";
@@ -177,13 +180,16 @@ contract DemoSimulation is Script, BlueprintDefinitionHelper {
         router.registerFacet(address(new TangleOperatorsFacet()));
         router.registerFacet(address(new TangleServicesRequestsFacet()));
         router.registerFacet(address(new TangleServicesFacet()));
+        router.registerFacet(address(new TangleServicesViewsFacet()));
         router.registerFacet(address(new TangleServicesLifecycleFacet()));
         router.registerFacet(address(new TangleJobsFacet()));
         router.registerFacet(address(new TangleJobsAggregationFacet()));
         router.registerFacet(address(new TangleJobsRFQFacet()));
         router.registerFacet(address(new TangleQuotesFacet()));
         router.registerFacet(address(new TangleQuotesExtensionFacet()));
         router.registerFacet(address(new TanglePaymentsFacet()));
+        router.registerFacet(address(new TanglePaymentsRewardsFacet()));
+        router.registerFacet(address(new TanglePaymentsDistributionFacet()));
         router.registerFacet(address(new TangleSlashingFacet()));
     }
 

script/Deploy.s.sol

@@ -18,13 +18,16 @@ import { TangleBlueprintsManagementFacet } from "../src/facets/tangle/TangleBlue
 import { TangleOperatorsFacet } from "../src/facets/tangle/TangleOperatorsFacet.sol";
 import { TangleServicesRequestsFacet } from "../src/facets/tangle/TangleServicesRequestsFacet.sol";
 import { TangleServicesFacet } from "../src/facets/tangle/TangleServicesFacet.sol";
+import { TangleServicesViewsFacet } from "../src/facets/tangle/TangleServicesViewsFacet.sol";
 import { TangleServicesLifecycleFacet } from "../src/facets/tangle/TangleServicesLifecycleFacet.sol";
 import { TangleJobsFacet } from "../src/facets/tangle/TangleJobsFacet.sol";
 import { TangleJobsAggregationFacet } from "../src/facets/tangle/TangleJobsAggregationFacet.sol";
 import { TangleJobsRFQFacet } from "../src/facets/tangle/TangleJobsRFQFacet.sol";
 import { TangleQuotesFacet } from "../src/facets/tangle/TangleQuotesFacet.sol";
 import { TangleQuotesExtensionFacet } from "../src/facets/tangle/TangleQuotesExtensionFacet.sol";
 import { TanglePaymentsFacet } from "../src/facets/tangle/TanglePaymentsFacet.sol";
+import { TanglePaymentsRewardsFacet } from "../src/facets/tangle/TanglePaymentsRewardsFacet.sol";
+import { TanglePaymentsDistributionFacet } from "../src/facets/tangle/TanglePaymentsDistributionFacet.sol";
 import { TangleSlashingFacet } from "../src/facets/tangle/TangleSlashingFacet.sol";
 import { StakingOperatorsFacet } from "../src/facets/staking/StakingOperatorsFacet.sol";
 import { StakingDepositsFacet } from "../src/facets/staking/StakingDepositsFacet.sol";
@@ -398,13 +401,16 @@ contract DeployV2 is DeployScriptBase {
         router.registerFacet(address(new TangleOperatorsFacet()));
         router.registerFacet(address(new TangleServicesRequestsFacet()));
         router.registerFacet(address(new TangleServicesFacet()));
+        router.registerFacet(address(new TangleServicesViewsFacet()));
         router.registerFacet(address(new TangleServicesLifecycleFacet()));
         router.registerFacet(address(new TangleJobsFacet()));
         router.registerFacet(address(new TangleJobsAggregationFacet()));
         router.registerFacet(address(new TangleJobsRFQFacet()));
         router.registerFacet(address(new TangleQuotesFacet()));
         router.registerFacet(address(new TangleQuotesExtensionFacet()));
         router.registerFacet(address(new TanglePaymentsFacet()));
+        router.registerFacet(address(new TanglePaymentsRewardsFacet()));
+        router.registerFacet(address(new TanglePaymentsDistributionFacet()));
         router.registerFacet(address(new TangleSlashingFacet()));
     }
 

script/DeployContractsOnly.s.sol

@@ -16,13 +16,16 @@ import { TangleBlueprintsManagementFacet } from "../src/facets/tangle/TangleBlue
 import { TangleOperatorsFacet } from "../src/facets/tangle/TangleOperatorsFacet.sol";
 import { TangleServicesRequestsFacet } from "../src/facets/tangle/TangleServicesRequestsFacet.sol";
 import { TangleServicesFacet } from "../src/facets/tangle/TangleServicesFacet.sol";
+import { TangleServicesViewsFacet } from "../src/facets/tangle/TangleServicesViewsFacet.sol";
 import { TangleServicesLifecycleFacet } from "../src/facets/tangle/TangleServicesLifecycleFacet.sol";
 import { TangleJobsFacet } from "../src/facets/tangle/TangleJobsFacet.sol";
 import { TangleJobsAggregationFacet } from "../src/facets/tangle/TangleJobsAggregationFacet.sol";
 import { TangleJobsRFQFacet } from "../src/facets/tangle/TangleJobsRFQFacet.sol";
 import { TangleQuotesFacet } from "../src/facets/tangle/TangleQuotesFacet.sol";
 import { TangleQuotesExtensionFacet } from "../src/facets/tangle/TangleQuotesExtensionFacet.sol";
 import { TanglePaymentsFacet } from "../src/facets/tangle/TanglePaymentsFacet.sol";
+import { TanglePaymentsRewardsFacet } from "../src/facets/tangle/TanglePaymentsRewardsFacet.sol";
+import { TanglePaymentsDistributionFacet } from "../src/facets/tangle/TanglePaymentsDistributionFacet.sol";
 import { TangleSlashingFacet } from "../src/facets/tangle/TangleSlashingFacet.sol";
 import { StakingOperatorsFacet } from "../src/facets/staking/StakingOperatorsFacet.sol";
 import { StakingDepositsFacet } from "../src/facets/staking/StakingDepositsFacet.sol";
@@ -127,13 +130,16 @@ contract DeployContractsOnly is Script {
         tangle.registerFacet(address(new TangleOperatorsFacet()));
         tangle.registerFacet(address(new TangleServicesRequestsFacet()));
         tangle.registerFacet(address(new TangleServicesFacet()));
+        tangle.registerFacet(address(new TangleServicesViewsFacet()));
         tangle.registerFacet(address(new TangleServicesLifecycleFacet()));
         tangle.registerFacet(address(new TangleJobsFacet()));
         tangle.registerFacet(address(new TangleJobsAggregationFacet()));
         tangle.registerFacet(address(new TangleJobsRFQFacet()));
         tangle.registerFacet(address(new TangleQuotesFacet()));
         tangle.registerFacet(address(new TangleQuotesExtensionFacet()));
         tangle.registerFacet(address(new TanglePaymentsFacet()));
+        tangle.registerFacet(address(new TanglePaymentsRewardsFacet()));
+        tangle.registerFacet(address(new TanglePaymentsDistributionFacet()));
         tangle.registerFacet(address(new TangleSlashingFacet()));
     }
 }

script/LocalTestnet.s.sol

@@ -30,13 +30,16 @@ import { TangleBlueprintsManagementFacet } from "../src/facets/tangle/TangleBlue
 import { TangleOperatorsFacet } from "../src/facets/tangle/TangleOperatorsFacet.sol";
 import { TangleServicesRequestsFacet } from "../src/facets/tangle/TangleServicesRequestsFacet.sol";
 import { TangleServicesFacet } from "../src/facets/tangle/TangleServicesFacet.sol";
+import { TangleServicesViewsFacet } from "../src/facets/tangle/TangleServicesViewsFacet.sol";
 import { TangleServicesLifecycleFacet } from "../src/facets/tangle/TangleServicesLifecycleFacet.sol";
 import { TangleJobsFacet } from "../src/facets/tangle/TangleJobsFacet.sol";
 import { TangleJobsAggregationFacet } from "../src/facets/tangle/TangleJobsAggregationFacet.sol";
 import { TangleJobsRFQFacet } from "../src/facets/tangle/TangleJobsRFQFacet.sol";
 import { TangleQuotesFacet } from "../src/facets/tangle/TangleQuotesFacet.sol";
 import { TangleQuotesExtensionFacet } from "../src/facets/tangle/TangleQuotesExtensionFacet.sol";
 import { TanglePaymentsFacet } from "../src/facets/tangle/TanglePaymentsFacet.sol";
+import { TanglePaymentsRewardsFacet } from "../src/facets/tangle/TanglePaymentsRewardsFacet.sol";
+import { TanglePaymentsDistributionFacet } from "../src/facets/tangle/TanglePaymentsDistributionFacet.sol";
 import { TangleSlashingFacet } from "../src/facets/tangle/TangleSlashingFacet.sol";
 import { StakingOperatorsFacet } from "../src/facets/staking/StakingOperatorsFacet.sol";
 import { StakingDepositsFacet } from "../src/facets/staking/StakingDepositsFacet.sol";
@@ -1326,13 +1329,16 @@ contract LocalTestnetSetup is Script, BlueprintDefinitionHelper {
         router.registerFacet(address(new TangleOperatorsFacet()));
         router.registerFacet(address(new TangleServicesRequestsFacet()));
         router.registerFacet(address(new TangleServicesFacet()));
+        router.registerFacet(address(new TangleServicesViewsFacet()));
         router.registerFacet(address(new TangleServicesLifecycleFacet()));
         router.registerFacet(address(new TangleJobsFacet()));
         router.registerFacet(address(new TangleJobsAggregationFacet()));
         router.registerFacet(address(new TangleJobsRFQFacet()));
         router.registerFacet(address(new TangleQuotesFacet()));
         router.registerFacet(address(new TangleQuotesExtensionFacet()));
         router.registerFacet(address(new TanglePaymentsFacet()));
+        router.registerFacet(address(new TanglePaymentsRewardsFacet()));
+        router.registerFacet(address(new TanglePaymentsDistributionFacet()));
         router.registerFacet(address(new TangleSlashingFacet()));
     }
 

src/TangleStorage.sol

@@ -410,21 +410,17 @@ abstract contract TangleStorage {
     mapping(address => uint256) internal _pendingDisputeBondRefunds;
 
     // ═══════════════════════════════════════════════════════════════════════════
-    // TWAP SUBSCRIPTION BILLING — PER-OPERATOR CURSORS
-    // ═══════════════════════════════════════════════════════════════════════════
-    // Stores the cumulative stake-seconds value last attributed to each
-    // (service, operator) pair. Replaces the earlier aggregate-only cursor that
-    // produced a bogus `cumDelta` whenever the active-operator set changed
-    // between bills (sum-over-old-set vs sum-over-new-set is not a valid delta).
-    //
-    // Per-operator cursors make the billing window correct under joins, leaves,
-    // and rejoins: each operator is attributed only the stake-seconds they
-    // accrued *while bonded to this service* over the billed period.
-
-    /// @notice Service ID => Operator => cumulative stake-seconds at the
-    ///         operator's most recent attribution event for this service
-    ///         (join, prior bill). Zero sentinel = "never attributed."
-    mapping(uint64 => mapping(address => uint256)) internal _twapCursorByOp;
+    // TWAP SUBSCRIPTION BILLING — PER-(SERVICE, OPERATOR, ASSET) CURSORS
+    // ═══════════════════════════════════════════════════════════════════════════
+    // The bill weight is the integral of `stake × commitmentBps` over the period,
+    // per (operator, asset) the service requires. Cursors track the cumulative
+    // stake-seconds last attributed for each (service, op, asset) so cumDelta is
+    // correct under joins, leaves, rejoins, and per-asset commitment changes.
+
+    /// @notice Service ID => Operator => keccak256(asset.kind, asset.token) =>
+    ///         cum stake-seconds at the most recent attribution event (activation
+    ///         seed, join hook, prior bill). Zero sentinel = "never attributed."
+    mapping(uint64 => mapping(address => mapping(bytes32 => uint256))) internal _twapCursorByOpAsset;
 
     // ═══════════════════════════════════════════════════════════════════════════
     // RESERVED STORAGE GAP

src/config/ProtocolConfig.sol

@@ -57,6 +57,13 @@ library ProtocolConfig {
     /// @notice Maximum TTL for service requests (365 days)
     uint64 internal constant MAX_SERVICE_TTL = 365 days;
 
+    /// @notice Maximum cumulative TTL a service may accumulate across extensions.
+    /// @dev Per-call validation bounds `additionalTtl` to `MAX_SERVICE_TTL`; without a
+    ///      cumulative cap a long-lived service could grow `svc.ttl` arbitrarily by
+    ///      chaining extensions. Four years is large enough for any realistic
+    ///      production deployment yet small enough to keep escrow exposure bounded.
+    uint64 internal constant MAX_CUMULATIVE_SERVICE_TTL = 4 * MAX_SERVICE_TTL;
+
     /// @notice Default request expiry grace period (1 hour)
     /// @dev Operators have this additional time to approve after expiry
     uint64 internal constant REQUEST_EXPIRY_GRACE_PERIOD = 1 hours;

src/core/JobsRFQ.sol

@@ -82,7 +82,8 @@ abstract contract JobsRFQ is Base {
 
         // Verify quotes and compute total cost
         uint64 effectiveMaxQuoteAge = _maxQuoteAge > 0 ? _maxQuoteAge : ProtocolConfig.MAX_QUOTE_AGE;
-        uint256 totalPrice = _verifyQuotesAndRecordOperators(serviceId, jobIndex, quotes, effectiveMaxQuoteAge);
+        uint256 totalPrice =
+            _verifyQuotesAndRecordOperators(serviceId, jobIndex, quotes, effectiveMaxQuoteAge, msg.sender);
 
         if (totalPrice > 0 && !_isPaymentAssetAllowedByManager(bp.manager, serviceId, address(0))) {
             revert Errors.TokenNotAllowed(address(0));
@@ -132,7 +133,8 @@ abstract contract JobsRFQ is Base {
         uint64 serviceId,
         uint8 jobIndex,
         Types.SignedJobQuote[] calldata quotes,
-        uint64 maxQuoteAge
+        uint64 maxQuoteAge,
+        address expectedRequester
     )
         private
         returns (uint256 totalPrice)
@@ -174,7 +176,9 @@ abstract contract JobsRFQ is Base {
 
             // Verify EIP-712 signature and mark as used. Domain separator is recomputed
             // per-call against current chainid so cross-fork replay is impossible.
-            SignatureLib.verifyAndMarkJobQuoteUsed(_usedQuotes, _domainSeparatorView(), quote, maxQuoteAge);
+            SignatureLib.verifyAndMarkJobQuoteUsed(
+                _usedQuotes, _domainSeparatorView(), quote, maxQuoteAge, expectedRequester
+            );
 
             totalPrice += quote.details.price;
         }