aldabra/ROADMAP.md
Kayos 1f1993ed97 rename: sulkta-wallet → aldabra (per Cobb 2026-05-04)
Aldabra giant tortoise (Aldabrachelys gigantea) — endemic to the
Aldabra atoll, up to 250 kg, 150-year lifespan. Long-lived,
defended, slow but unstoppable. Better metaphor for the wallet
than 'sulkta-wallet' which was on-the-tin descriptive.

All renames in one pass:
- repo: Sulkta-Coop/sulkta-wallet → Sulkta-Coop/aldabra (via gitea API)
- workspace dir: sulkta-wallet → aldabra
- crate dirs: wallet-{core,chain,mcp} → aldabra-{core,chain,mcp}
- crate names + path imports in Cargo.toml workspace + each crate
- binary name: sulkta-wallet → aldabra
- README, ROADMAP, docs/architecture: all references swept
2026-05-04 10:11:23 -07:00


aldabra roadmap

Phased buildout. Each phase ships a usable increment + leaves the codebase in a state where Phase N+1 picks up cleanly.

Phase 1 — MVP read path (current scaffold)

Goal: address + balance + UTXOs from a real mnemonic, working end-to-end through the MCP transport.

  • Cargo workspace
  • Crate skeletons: aldabra-core, aldabra-chain, aldabra-mcp
  • Type stubs + ZeroizeOnDrop scaffolding for keys
  • aldabra-core::Mnemonic::into_root_key — real CIP-3 derivation via pallas-crypto
  • aldabra-core::derive_base_address — real CIP-1852 + bech32
  • aldabra-chain::KoiosClient::get_utxos — real reqwest to /address_utxos
  • aldabra-chain::KoiosClient::get_balance
  • Interactive mnemonic bootstrap CLI: paste once, age-encrypt to disk
  • On-startup decryption — single passphrase prompt, derived key in RAM only
  • Wire MCP server (rmcp) — register wallet.address, wallet.balance, wallet.utxos tools
  • Smoke test against testnet (preprod)

Done = Claude can invoke wallet.address and get the right preprod address back; wallet.balance returns matching numbers from a Koios query.

Phase 2 — write path (send)

Goal: the wallet can spend.

  • aldabra-chain::ChainBackend::submit_tx — POST CBOR to Koios /submittx
  • aldabra-chain::tx_status — poll /tx_info
  • Build + sign ADA-only payment via pallas-txbuilder
  • MCP tool wallet.send with to_address, lovelace args
  • MCP tool wallet.tx_status with tx_hash arg
  • Add native-asset send (multi-asset value bundle)
  • Add wallet.send.sign_only for offline / multisig flows
  • Hard guard: reject outbound TXs over $X equivalent unless a flag is set (guards against a preventable LLM mistake)

Done = the wallet successfully sends 1 tADA on preprod, then 1 ADA on mainnet to a known test address, both initiated via an MCP tool call from Claude Code.

Phase 3 — minting

Goal: wallet can mint Sulkta native assets.

  • Policy script construction — pure-timelock + multisig variants
  • CIP-25 metadata serialization (legacy 721 metadatum)
  • CIP-68 ref-NFT pattern (300/100/333 standards)
  • MCP tool wallet.policy.create — returns policy_id + serialized script
  • MCP tool wallet.mint — args: policy, assets, metadata
  • Integration with the MAP treasury minting pattern (2-of-2 multisig)

Done = the wallet can mint a test asset on preprod with both CIP-25 and CIP-68 metadata, queryable via Koios /asset_info.

Phase 4 — Plutus interaction

Goal: consume Plutus-locked UTXOs, attach reference scripts, delegate stake.

  • Inline datum support
  • Reference input attachment
  • wallet.script.spend — args: utxo_ref, redeemer_cbor, script_cbor or reference, additional_signers
  • Script execution unit estimation (call out to a local cardano-cli, or use a reasonable approximation)
  • Stake key derivation (chain index 2)
  • wallet.stake.delegate — args: pool_id, optional drep_id (Voltaire era)
  • DRep voting tools if Cobb cares (separate ask)

Done = the wallet successfully spends a UTXO locked by a trivial Plutus validator (e.g. "always succeeds") on preprod.

Out-of-scope (deliberately)

  • Hot-key signing for high-value mainnet — for any tx over a per-config threshold, the wallet should write the unsigned TX to a file and require a separate cold-signing flow (mirrors the ADAMaps treasury pattern described in the ADAMaps section of memory/MEMORY.md).
  • Smart contract deployment / Plutus compilation — that's an Aiken / plutus-tx job. This wallet only consumes pre-compiled scripts.
  • Browser / Web UI — pure MCP-as-the-interface. Humans interact via the LLM client.
  • Multiple wallets in one daemon — instance-per-wallet by design. Run multiple binaries if needed.
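
A sketch of how the Phase 2 hard guard and the cold-signing threshold above could combine into one pre-signing decision. This is an added example, not aldabra code: every type, field and function name is hypothetical, and it assumes a price quote in micro-USD per ADA is supplied by the caller.

```rust
// Added example, not aldabra code. All names here are hypothetical.
const LOVELACE_PER_ADA: u128 = 1_000_000;

#[derive(Debug, PartialEq)]
pub enum Decision {
    SignHot,              // small enough for the in-RAM hot key
    ColdSign,             // write the unsigned tx to a file, sign offline
    Reject(&'static str), // refuse to build the tx at all
}

pub struct SpendPolicy {
    pub hard_limit_micro_usd: u128,   // the roadmap's "$X" (1 USD = 1_000_000)
    pub cold_threshold_lovelace: u64, // per-config cold-signing threshold
    // Assumption: set by the operator in config, never taken from MCP tool
    // arguments, so the LLM the guard protects against cannot set it.
    pub allow_large: bool,
}

impl SpendPolicy {
    /// `outputs`: lovelace per payment output. `price`: micro-USD per ADA.
    pub fn evaluate(&self, outputs: &[u64], price: Option<u64>) -> Decision {
        // Checked sum: a wrapped total would slip under both limits.
        let total = match outputs.iter().try_fold(0u64, |acc, &o| acc.checked_add(o)) {
            Some(t) if t > 0 => t,
            Some(_) => return Decision::Reject("nothing to send"),
            None => return Decision::Reject("output total overflows u64"),
        };
        // Fail closed: without a price the dollar guard cannot be evaluated.
        let price = match price {
            Some(p) => p,
            None => return Decision::Reject("no price quote"),
        };
        // u64 * u64 always fits in u128, so this cannot overflow.
        let micro_usd = (total as u128) * (price as u128) / LOVELACE_PER_ADA;
        if micro_usd > self.hard_limit_micro_usd && !self.allow_large {
            return Decision::Reject("over hard limit and override flag not set");
        }
        if total > self.cold_threshold_lovelace {
            return Decision::ColdSign;
        }
        Decision::SignHot
    }
}

fn main() {
    // Constructed sample values: $100 hard limit, 1000 ADA cold threshold.
    let p = SpendPolicy { hard_limit_micro_usd: 100_000_000, cold_threshold_lovelace: 1_000_000_000, allow_large: false };
    println!("{:?}", p.evaluate(&[300_000_000], Some(500_000)));
}
```

The override flag only lifts the dollar guard; a send over the cold threshold still goes to the file-based signing flow.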

Performance / size targets (informal)

  • Cold-start time: < 200 ms (mnemonic decrypt + key derive)
  • Per-tool latency: dominated by chain backend (Koios round-trip ~50-200 ms); the wallet itself should add < 10 ms
  • Binary size: < 30 MB stripped release
  • Memory: < 50 MB RSS steady-state