Z00Z logo

Z00ZBlockchain

Aggregators

Operator guide to aggregation roles, batch discipline, useful-work boundaries, non-custodial posture, and settlement non-authority.

Aggregators prepare network work for publication. They can collect candidate work items, normalize envelopes, order batches, attach publication metadata, and hand artifacts to data availability or validation stages. They are not wallet custodians, exchanges, settlement authorities, or useful-work reward judges. Their power should be operational, bounded, and auditable.

The role is easy to overstate because aggregation sits near the moment private wallet output becomes public evidence. A user may see “sent to aggregator” and assume the protocol accepted the action. That is wrong. Aggregation can improve liveness and batching discipline, but settlement truth still belongs to the checkpoint-facing protocol boundary described in the Main Whitepaper.

Aggregator Role Flow

flowchart TD A[Wallet or runtime work item] --> B[Aggregator intake] B --> C[Shape and version checks] C --> D[Batch preparation] D --> E[Publication request] E --> F[DA or publication record] F --> G[Validator replay] G --> H[Checkpoint-facing artifact] C --> I[Reject malformed input] D --> J[Quarantine conflict candidate] style A fill:#E3F2FD,stroke:#1E88E5,stroke-width:1px,color:#0D47A1 style B fill:#FFF3E0,stroke:#FB8C00,stroke-width:1px,color:#E65100 style C fill:#ECEFF1,stroke:#546E7A,stroke-width:1px,color:#263238 style D fill:#FFF3E0,stroke:#FB8C00,stroke-width:1px,color:#E65100 style E fill:#FFF3E0,stroke:#FB8C00,stroke-width:1px,color:#E65100 style F fill:#FFE0B2,stroke:#F57C00,stroke-width:1px,color:#263238 style G fill:#FFF3E0,stroke:#FB8C00,stroke-width:1px,color:#E65100 style H fill:#F3E5F5,stroke:#8E24AA,stroke-width:1px,color:#4A148C style I fill:#FFE0E0,stroke:#D32F2F,stroke-width:1px,color:#B71C1C style J fill:#FFE0E0,stroke:#D32F2F,stroke-width:1px,color:#B71C1C

The aggregator is in the left half of the flow. It prepares and publishes work. It does not own the right side of the flow.

Intake Discipline

An aggregator should accept only well-shaped inputs. Intake checks can include payload size, supported version, object domain, declared network, expected encoding, authentication or rate policy, replay-sensitive fields, and whether the request is compatible with the aggregator’s role. Intake should reject obvious junk before it becomes a batch.

Those checks are not full validation. A package can be well-formed but still fail replay, proof, state, or policy checks later. Aggregator docs should use “admitted for publication” or “accepted for batching” instead of “valid” when deeper validation has not occurred.

Batch Discipline

Batching is useful when it is deterministic and explainable. The Main Whitepaper’s publication vocabulary separates work items, ordered batches, publication requests, published batches, publication records, and soft confirmation. Aggregator implementations should preserve those distinctions. A batch should have a clear input set, ordering rule, timestamp or epoch context where relevant, publication target, and failure behavior.

If two aggregators produce different candidate batches, the network should be able to explain why. Hidden local ordering rules, arbitrary manual edits, or service-specific priority queues can become fairness and replay risks. If priority rules exist, they should be part of policy and evidence, not an operator secret.

Useful-Work Boundary

The Proof-of-Useful-Work papers add work packages, proofs, evidence, fact consensus, value consensus, reward authorization, challenges, and appeals. Aggregators may carry useful-work packages or batch useful-work evidence, but that does not make them reward authorities. A useful-work evaluator may assess evidence; a treasury or protocol process may authorize rewards. Aggregation should not collapse those steps.

For documentation, the safe wording is: aggregators can help move useful-work evidence into the publication pipeline. They do not decide whether the work was valuable enough for reward unless a separate, implemented protocol role grants that authority and tests prove it.

Non-Custodial Posture

Aggregators should not take custody of user assets or rights. A user may submit a package, but the aggregator should not learn wallet-local secrets or gain spend authority. If an aggregator requires plaintext private context to operate, the design has likely crossed a boundary that should be rejected or escalated.

Legal architecture matters here. Operator docs should avoid language that makes aggregators sound like custodians, exchanges, brokers, or final arbiters. They are infrastructure actors. If a future deployment adds an operator business model, legal and compliance documentation must describe that model explicitly instead of letting technical docs imply it.

Failure and Challenge Boundaries

Aggregator failures should be visible. Failure classes include malformed input, unsupported version, rate limit, duplicate request, DA publication failure, batch construction error, stale epoch, privacy redaction failure, and conflict candidate. Some failures are user-correctable. Some indicate operator health. Some should become watcher alerts.

Challenge paths should not be hidden. If an aggregator publishes conflicting work or withholds data, watchers and validators need evidence. Linked liability concepts such as fraud proof extraction, lock registries, bonds, quarantine, and appeal paths belong downstream of aggregation but should influence how aggregation records evidence.

Operator Signals

Safe aggregator metrics include queue length, batch age, rejection class, publication latency, DA success rate, and version distribution. Risky metrics include wallet identifiers, user-specific timing, private policy descriptions, raw support evidence, or route intent. The Privacy Threat Model’s service and telemetry guidance should apply before any dashboard is exposed.

Current Repository Boundary

This repository does not run aggregators. It contains documentation and the whitepaper corpus. This page is an operator guide for target architecture. A future implementation should add source files, tests, configuration docs, and operational runbooks before any deployment-specific instructions appear here.

Aggregator Evidence Checklist

A future aggregator should record enough evidence for later stages to verify its work without trusting its private database. Useful records include intake time, input artifact reference, schema version, network domain, rejection class, batch identifier, ordering rule, publication target, DA reference, and retry history. The record should avoid wallet-local meaning and should keep user identifiers out unless the user has explicitly disclosed them for a bounded purpose.

The checklist should be deterministic. If an aggregator says a package was rejected, another component should know whether the rejection was malformed input, unsupported version, wrong domain, duplicate submission, privacy policy failure, or downstream outage. If an aggregator says a batch was published, the record should point to the DA or publication evidence that validators and watchers can later inspect.

Anti-Overclaim Language

Aggregator pages should prefer narrow verbs. Use admit, queue, batch, publish, retry, reject, and quarantine. Avoid settle, own, custody, approve reward, or finalize unless a separate protocol source grants that authority. This vocabulary matters because operator role pages are often copied into SDK docs, support docs, and public status text.

If an aggregator implementation later includes stronger powers, those powers should be documented as explicit exceptions with tests and legal review. They should not emerge accidentally from broad wording in a docs page.

Privacy Review

Aggregation can create metadata concentration. Even if payloads are private, batch timing, retry behavior, source IPs, route metadata, or service accounts can reveal patterns. Aggregator deployments should minimize logs, aggregate metrics, and avoid exposing user-specific timing in public dashboards. Watchers and status pages should receive redacted evidence, not raw intake streams.

Implementation Readiness

An aggregator implementation is ready for operator docs only after it has fixtures for intake, batching, publication, DA handoff, duplicate handling, reject classes, retry behavior, and privacy redaction. Tests should prove that accepted-for-batch does not become accepted-for-settlement. They should also prove that a malformed package, a missing DA adapter, and a downstream validation reject produce different evidence.

Configuration should name the aggregator’s limits. Does it accept useful-work packages? Does it batch only one object class? Does it support OnionNet ingress? Does it keep queue history? Does it expose public metrics? Each answer changes the privacy and authority review. Without those answers, public docs should remain architecture-level.

Support Boundary

Support teams may receive aggregator receipts during user questions. Those receipts should be explained as publication evidence, not proof of ownership or settlement. If support needs more, it should request scoped evidence from the wallet or protocol artifact path, not raw aggregator logs.

Release Gate

Aggregator docs should become operational only after the implementation proves queue behavior, batch determinism, publication receipts, DA handoff, redaction, and reject classes. Until then, examples should remain conceptual. A command that appears before those tests exists would teach operators to trust a role that the repo has not actually shipped.

When an implementation is still missing, the better tutorial is an artifact walkthrough: show what evidence an aggregator should produce, which source paper defines it, and which future test must prove it.

Reader safety note: an aggregator receipt is not a wallet balance, custody record, reward approval, or settlement certificate. It is one piece of publication evidence inside a longer pipeline.

Evidence and Further Reading

Use the source bullets below as an audit checklist, not decoration: when reusing this page, preserve the named section scope, the responsible actor, and the split between live repository evidence, target architecture, and open design work.