Five transactions. One mold.
Sigil contracts are deterministic WASM modules executed under Organization Zones. Bytecode is content-addressed by BLAKE3. Deployment is a cast — bytecode poured into a contract account with a controller DID, an upgrade policy, and an explicit allowlist of ANVIL host functions. Five typed transactions cover register, deploy, call, upgrade, and policy.
Compose
Source compiles to canonical bytecode.
A Rust crate compiled to wasm32-unknown-unknown produces a deterministic byte sequence. Same source, same toolchain, same hash. The bytecode is a composition of typed pieces — functions, state cells, events, host-function bindings, storage. The hash is the canonical name.
Register
RegisterContractCode anchors the mold.
The bytecode is hashed with BLAKE3 and persisted alongside license metadata — source URL, license tag, audit references. The code hash, not the controller, is the identity of the artifact. Two organisations can deploy the same audited bytecode at different addresses without re-registering.
Deploy
DeployContract pours the cast.
A contract account is created at contract_did, bound to controller_did, code_hash, an upgrade_policy, an optional call_policy, and an explicit allowed_host_functions allowlist. The molten bytecode cools into a finished slug. Capability-bearing host fns must be listed by name or the contract simply cannot call them.
Call
CallContract slots a method.
An invocation arrives with a function name, typed args, a declared read_set / write_set for deterministic optimistic execution, and a gas_budget. A mandate_id is required when the call touches capability-bearing host fns. Execution is deterministic; every validator re-runs the same call under MACA.
Upgrade
UpgradeContract recasts.
The contract is recast against a new code hash under the recorded upgrade_policy. State persists across the swap; the new code observes the old keys. An optional model_receipt_id binds the upgrade to a settled compute receipt — model artifacts roll forward in the same chained ledger.
Policy
SetContractPolicy sets the rim.
The controller adjusts upgrade_policy, call_policy, the host-function allowlist, or the Vigils-callback opt-in. Shrinking the capability surface is always permitted; growing it routes back through the upgrade policy. Every change is a signed, height-stamped record.
The five lifecycle transactions
Every state change is one signed transaction.
There is no admin override, no out-of-band upgrade path, and no implicit capability grant. The contract code is content-addressed. The controller is on-chain. The host-function allowlist is explicit. Every change is a height-stamped record under MACA single-block finality.
Transaction Types
5
Runtime
WASM
Code Hash
BLAKE3
Controller Auth
Ed25519
Host functions are closed by default
Capabilities are listed. Or they don't exist.
DeployContract takes an explicit allowed_host_functions vector. Capability-bearing host fns — dispatch_compute, record_mandate_spend, send_zone_message — must be listed by name. Shrinking the list is always permitted. Growing the list routes back through the recorded upgrade_policy.
Optimistic execution
read_set and write_set are declared, not discovered.
Every CallContract declares the keys it intends to read and write. Validators schedule independent calls in parallel and re-verify the declared sets against the actual access pattern. Mis-declaration fails the call deterministically — no silent reorders, no surprise contention.
Compile. Hash. Sign. Ship.
A Rust crate, a BLAKE3 digest, a controller key, and five signed transactions. The contracts platform does not need a new language, a new VM, or a new identity layer. It uses the ones Sigil already has.