Execution Model
Open Execution (MVP)
In the current model:
- Any authorized keeper may attempt to process any due subscription
- The first valid transaction succeeds
- All others revert due to idempotency
This is intentional.
It trades:
- some duplicated gas (losing keepers still pay for their reverted transactions)
for:
- extreme simplicity
- robustness
- zero coordination requirements between keepers
This mode is production-safe and sufficient to launch.
Idempotency Is the Core Safety Mechanism
Every billing window is uniquely identified by a windowId.
On-chain state tracks whether a window has already been processed.
This guarantees:
- at most one successful execution per window
- replay safety (re-submitting a processed window reverts)
- race-condition safety
- MEV resistance (reordering or front-running a keeper's transaction only changes which keeper wins, not the outcome)
Keepers can race freely. The chain resolves the winner.
Failure Modes
The system assumes the following failures are normal:
- keeper offline
- keeper crashes mid-epoch
- multiple keepers racing
- failed executions due to allowance expiry
- temporary balance insufficiency
These do not compromise correctness.
They only affect:
- execution latency
- keeper profitability
The retry engine (off-chain) handles rescheduling failed attempts within allowed windows.
Keeper Risk Model
Keepers assume:
- gas cost risk
- execution failure risk
They do not assume:
- counterparty risk
- custody risk
- balance risk
The system is explicitly designed so that a keeper cannot lose anything except the gas it spends.