Update documentation to include Protocol 19 features (#673)

Shaptic · leighmcculloch · web-flow · commit 3f3f19f7ecfd · 2022-05-06T13:34:36.000-04:00
* Add signed payloads to alternative signer types

* Describe new transaction preconditions

* Add new transaction and account fields to API docs

* Touch-ups to signed payloads and extra signers, cross-ref

* I think I'm missing some required properties?

* Blind leading the blind at this point

* Simplify types so that they render cleaner

* Specify correct verbiage for seqnum changes

Co-authored-by: Leigh McCulloch &lt;351529+leighmcculloch@users.noreply.github.com&gt;

* Consolidate terminology for consistency.

Co-authored-by: Leigh McCulloch &lt;351529+leighmcculloch@users.noreply.github.com&gt;

* Reword paragraph relating seqage to timebounds

Co-authored-by: Leigh McCulloch &lt;351529+leighmcculloch@users.noreply.github.com&gt;

* Improve verbiage around account sequence number "touch time".

* Clarify types for all of the new fields in API docs

* Clarify how signed payloads can be revealed

* New verbiage around sequence number touch-time: age!

* Fix relative links

* Improve verbiage around signed payload signers.

Co-authored-by: Leigh McCulloch &lt;351529+leighmcculloch@users.noreply.github.com&gt;

* More verbiage and seqnum age improvements

* Fix another broken link

* Drop txMALFORMED reference

* Clarify condition type in paragraph body

Co-authored-by: Leigh McCulloch &lt;351529+leighmcculloch@users.noreply.github.com&gt;

Co-authored-by: Leigh McCulloch &lt;351529+leighmcculloch@users.noreply.github.com&gt;
diff --git a/content/api/resources/accounts/object.mdx b/content/api/resources/accounts/object.mdx
@@ -23,6 +23,12 @@ When Horizon returns information about an account, it uses the following format:
 - sequence
   - number
   - This account's current sequence number. For use when submitting this account's next transaction.
+- sequence_ledger
+  - number
+  - The unsigned 32-bit ledger number of the sequence number's [age](../../../docs/glossary/accounts#sequence-time-and-ledger).
+- sequence_time
+  - string
+  - The unsigned 64-bit UNIX timestamp of the sequence number's [age](../../../docs/glossary/accounts#sequence-time-and-ledger).
 - subentry_count
   - number
   - The number of subentries on this account.
diff --git a/content/api/resources/transactions/object.mdx b/content/api/resources/transactions/object.mdx
@@ -69,10 +69,43 @@ When Horizon returns information about a transaction, it uses the following form
   - An array of signatures used to sign this transaction.
 - valid_after
   - RFC3339 date-time string
-  - The date after which a transaction is valid.
+  - The date after which a transaction is valid. This field is deprecated in lieu of `preconditions.time_bounds.min_time` and will be removed in Horizon v3.
 - valid_before
   - RFC3339 date-time string
-  - The date before which a transaction is valid.
+  - The date before which a transaction is valid. This field is deprecated in lieu of `preconditions.time_bounds.max_time` and will be removed in Horizon v3.
+- preconditions
+  - object
+  - A set of transaction preconditions affecting its validity.
+    - time_bounds
+      - object
+      - The time range for which this transaction is valid, with bounds as unsigned 64-bit UNIX timestamps
+        - min_time
+          - string
+          - the lower bound
+        - max_time
+          - string
+          - the upper bound
+    - ledger_bounds
+      - object
+      - The ledger range for which this transaction is valid, as unsigned 32-bit integers.
+        - min_ledger
+          - number
+          - the lower bound
+        - max_ledger
+          - number
+          - the upper bound
+    - min_account_sequence
+      - string
+      - Containing a positive, signed 64-bit integer representing the lowest source account sequence number for which the transaction is valid.
+    - min_account_sequence_age
+      - number
+      - The minimum duration of time (in seconds as an unsigned 64-bit integer) that must have passed since the source account's sequence number changed for the transaction to be valid.
+    - min_account_sequence_ledger_gap
+      - number
+      - An unsigned 32-bit integer representing the minimum number of ledgers that must have closed since the source account's sequence number changed for the transaction to be valid.
+    - extra_signers
+      - array of strings
+      - The list of up to two additional signers that must have corresponding signatures for this transaction to be valid.
 
 </AttributeTable>
 
diff --git a/content/docs/glossary/accounts.mdx b/content/docs/glossary/accounts.mdx
@@ -33,6 +33,10 @@ The public key that was used to create the account. Even if you replace the sign
 
 The current transaction sequence number of the account. This number starts equal to the ledger number at which the account was created, and increments upward as the account signs transactions.
 
+### Sequence time and ledger
+
+These two fields reflect the last time an account touched its sequence number. This occurs both when an account is the source account for a transaction and when it's the target of a [Bump Sequence](../start/list-of-operations.mdx#bump-sequence) operation. Both the ledger number and timestamp (i.e. the close time of the ledger) of the last touch is tracked by the network. Note that even if the [Bump Sequence](../start/list-of-operations.mdx#bump-sequence) operation has no effect, i.e. does not increase the sequence number, it still counts as a "touch".
+
 ### Number of subentries
 
 Number of entries the account owns. This number is used to calculate the account's minimum balance: each subentry increases an account’s reserve by 0.5XLM. Subentries include:
diff --git a/content/docs/glossary/multisig.mdx b/content/docs/glossary/multisig.mdx
@@ -55,6 +55,10 @@ If the weight of the master key is updated to 0, it cannot be used to sign trans
 
 Each additional signer beyond the master key increases the account's [minimum balance](./minimum-balance.mdx).
 
+## Extra Signers
+
+You can require that a transaction have a particular signer that isn't associated with any of the accounts used in the transaction by including it in the [transaction validity precondition](./transactions.mdx#extra-signers). The extra signer applies only to that one transaction.
+
 ## Alternate Signature Types
 
 To enable some advanced smart contract features there are a couple of additional signature types. These signature types also have weights and can be added and removed similarly to normal signature types. But rather than check a cryptographic signature for authorization they have a different method of proving validity to the network.
@@ -69,10 +73,18 @@ This type of signer is especially useful in escrow accounts. You can pre-authori
 
 ### Hash(x)
 
-Adding a signature of type hash(x) allows anyone who knows `x` to sign the transaction. This type of signer is especially useful in [atomic cross-chain swaps](https://en.bitcoin.it/wiki/Atomic_cross-chain_trading) which are needed for inter-blockchain protocols like [lightning networks](https://lightning.network).
+Adding a signer of type hash(x) allows anyone who knows `x` to sign the transaction. This type of signer is especially useful in [atomic cross-chain swaps](https://en.bitcoin.it/wiki/Atomic_cross-chain_trading) which are needed for inter-blockchain protocols like [lightning networks](https://lightning.network).
 
 First, create a random 256 bit value, which we call `x`. The SHA256 hash of that value can be added as a signer of type hash(x). Then in order to authorize a transaction, `x` is added as one of the signatures of the transaction. Keep in mind that `x` will be known to the world as soon as a transaction is submitted to the network with `x` as a signature. This means anyone will be able to sign for that account with the hash(x) signer at that point. Often you want there to be additional signers so someone must have a particular secret key and know `x` in order to reach the weight threshold required to authorize transactions on the account.
 
+### Signed Payloads
+
+Adding a signed payload as a signer means that transactions are only valid if they are accompanied by a signature of the signer's payload. The signature must be produced using the private key corresponding to the public key specified in the signer.
+
+More verbosely, you add a signer of `(public key, payload)`, where the public key is the Stellar address of the expected signer and the payload is any arbitrary data of up to 64 bytes. A valid signature, then, is a signature on that payload by the private key corresponding to the public key. This is also described in [CAP-40](https://stellar.org/protocol/cap-40) which introduced this new signer.
+
+Like with [hash signers](#hashx), once the signed payload signature is revealed to the world, anyone can use the signature to authorize transactions that are contingent on that signed payload signer.
+
 ## Envelopes
 
 A transaction **envelope** wraps a transaction with a set of signatures. The transaction object is the thing that the signers are actually signing. Technically, a transaction envelope is the thing that is passed around the network and included in transaction sets.
diff --git a/content/docs/glossary/transactions.mdx b/content/docs/glossary/transactions.mdx
@@ -42,10 +42,38 @@ The memo contains optional extra information. It is the responsibility of the cl
 - `MEMO_HASH` : A 32 byte hash.
 - `MEMO_RETURN` : A 32 byte hash intended to be interpreted as the hash of the transaction the sender is refunding.
 
-### Time Bounds
+### Validity Conditions
 
+There are a number of ways to control when a transaction should be considered valid. These conditions are checked first, prior to the validity of the operations or other parts of the transaction, so they're often referred to as "preconditions". They can all be combined, provided the combination is logically sound.
+
+Some of the validity preconditions, namely the minimum sequence [age](#minimum-sequence-age) or [ledger gap](#minimum-sequence-ledger-gap) preconditions, are based on the account's [sequence number age](./accounts.mdx#sequence-time-and-ledger).
+
+#### Time Bounds
 The optional UNIX timestamp (in seconds), determined by ledger time, of a lower and upper bound of when this transaction will be valid. If a transaction is submitted too early or too late, it will fail to make it into the transaction set. `maxTime` equal `0` means that it's not set. _We highly advise for all transactions to use time bounds, and many SDKs enforce their usage._ If a transaction doesn't make it into the transaction set, it is kept around in memory in order to be added to the next transaction set on a best-effort basis. Because of this behavior, we highly advise that all transactions are created with time bounds in order to invalidate transactions after a certain amount of time, especially if you plan to resubmit your transaction at a later time.
 
+#### Ledger Bounds
+These are like [Time Bounds](#time-bounds), except they apply to ledger numbers. With them set, a transaction will only be valid for ledger numbers that fall into the range you set. The lower bound is inclusive while the upper bound is not. If you set the upper bound to zero, this indicates that there is no upper bound.
+
+#### Minimum Sequence Number
+If a minimum sequence number is set, the transaction will only be valid when its source account's sequence number (call it `S`) is large enough. Specifically, it's valid when `S` satisfies `minSeqNum <= S < tx.seqNum`. If this precondition is omitted, the default behavior applies: the transaction's sequence number must be exactly one greater than the account's sequence number.
+
+Note that after a transaction is executed, the account will always set its sequence number to the transaction's sequence number.
+
+#### Minimum Sequence Age
+When the sequence age precondition is set, the transaction is only valid after a particular duration (expressed in seconds) elapses since the account's [sequence number age](./accounts.mdx#sequence-time-and-ledger).
+
+Minimum sequence age is a precondition relating to time, but unlike [time bounds](#time-bounds) which express absolute times, minimum sequence age is relative to when the transaction source account's sequence number was touched.
+
+#### Minimum Sequence Ledger Gap
+When the ledger gap precondition is set, the transaction is only valid after the current network ledger number meets (or exceeds) a particular gap relative to the ledger corresponding to the account's [sequence number age](./accounts.mdx#sequence-time-and-ledger).
+
+This is similar to the [minimum sequence age](#minimum-sequence-age), except it's expressed as a number of ledgers rather than a duration of time.
+
+#### Extra Signers
+A transaction can specify up to two extra signers as a precondition, meaning it must have signatures that correspond to those extra signers, even if those signatures would not otherwise be required to authorize the transaction (i.e. for its source account or operations).
+
+The additional signers can be of any type besides a pre-authorized transaction signer, since to pre-authorize a transaction, you need to know its hash, but the hash must include the extra signers. This Catch-22 relationship means including this type of extra signer will return an error.
+
 ## Transaction Envelopes
 
 Once a transaction is ready to be signed, the transaction object is wrapped in an object called a `Transaction Envelope`, which contains the transaction as well as a set of signatures. Most transaction envelopes only contain a single signature along with the transaction, but in [multi-signature setups](./multisig.mdx) it can contain many signatures.
@@ -67,7 +95,14 @@ To determine if a transaction is valid, many checks take place over the course o
   - The appropriate network passphrase was part of the transaction hash that was signed by each of the signers. See [Network Passphrases](./network-passphrase.mdx) for more.
   - The combined weight of all signatures for the source account _of the transaction_ meets the low threshold for the source account. This is necessary in order for fees to be taken and the sequence number to be incremented later in the transaction lifecycle.
 - **Memo** — The memo type must be a valid type, and the memo itself must be adhere to the formatting of the memo type.
-- **Time Bounds** — The transaction must be submitted within the set time bounds of the transaction, otherwise it will be considered invalid.
+- **Preconditions** — refer to the [Validity Conditions](#validity-conditions) described above for thorough explanations of each of these. For each of these that are set, the transaction will be considered invalid unless the transaction is submitted:
+  * **Time Bounds** — within the set time bounds of the transaction
+  * **Ledger Bounds** — within the set ledger bounds of the transaction
+  * **Minimum Sequence Number** — by a source account whose sequence number is greater than or equal to this value
+  * **Minimum Sequence Age** — after a duration meeting or exceeding the source account's [sequence number age](./accounts.mdx#sequence-time-and-ledger)
+  * **Minimum Sequence Ledger Gap** — in a ledger meeting or exceeding the source account's [sequence number age](./accounts.mdx#sequence-time-and-ledger)
+  * **Extra Signers** — with signatures that fulfill each of the extra signers
+
 
 ## Transaction Lifecycle
 
@@ -162,5 +197,5 @@ found in [List of Operations](../start/list-of-operations.mdx) doc.
 | NOT_SUPPORTED | -12 | The transaction type is not supported. |
 | FEE_BUMP_INNER_FAILED | -13 | The fee bump inner transaction failed. |
 | BAD_SPONSORSHIP | -14 | The sponsorship is not confirmed. |
-
-
+| BAD_MIN_SEQ_AGE_OR_GAP | -15 | The minimum sequence age and/or minimum sequence ledger gap conditions aren't met |
+| MALFORMED | -16 | The precondition is somehow invalid |
