Two pieces of chain state received the same treatment this month: make every validator derive the same answer, then make recovery explicit.
The privacy module had a bad class of risk hiding in transaction randomness. Random data is fine when a client creates a proof. It is not fine when consensus-critical state can vary from node to node. We moved shielded-pool handling back behind deterministic boundaries and hardened hydration so a restart reconstructs the same committed view.
At the same time, validator admission moved from scaffolding to a complete testnet flow. A network can now evaluate a candidate, update the live set, and carry that membership through the chain lifecycle without rebuilding genesis.
Why these changes belong together
Privacy and validator membership look unrelated at the product layer. At consensus they share one rule: local convenience cannot decide global state.
For privacy, proof inputs and nullifiers must resolve identically. For admission, every node must agree on who participates and when the new set becomes active. Restart behavior matters in both cases because a correct transition that cannot be reconstructed is not durable enough.
We also tightened endpoint recovery and slash-safe query routes around this work. Operational APIs should report unavailable state honestly, not fill gaps with guesses.
Source record
- Shielded-state determinismcommit / 2026-03-19
- Validator admission scaffoldingcommit / 2026-03-20
- Live testnet admission flowcommit / 2026-03-20