Add future-timestamp buffer to fixed-spread strategy

[Siddharth2207]

Summary

• Adds a deployer-configurable future-timestamp-buffer binding (default 20 seconds) to st0x-fixed-spread.rain.
• Updates the future publish_time guard to compare against add(now() future-timestamp-buffer) instead of now(), tolerating minor clock skew between Alpaca, the signer, and the chain.
• Updates strategy/registry to point at the new strategy commit.

Rebased onto ST0x-Technology/st0x-oracle-server main.

Test plan

• Deploy or simulate the strategy with default buffer (20s) and confirm orders pass when publish_time is slightly ahead of block.timestamp
• Confirm orders still revert when publish_time exceeds now() + buffer
• Verify GUI shows the new "Future Timestamp Buffer (seconds)" field with default 20

Made with Cursor

Summary by CodeRabbit

Release Notes

• New Features

  • Introduced a new configurable grace period parameter for oracle timestamp validation, enabling more flexible acceptance of oracle data while maintaining security standards.

• Chores

  • Updated strategy component references to the latest versions.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR introduces a configurable grace period for oracle timestamp validation in the st0x-fixed-spread strategy. A new GUI parameter future-timestamp-buffer (default 20, min 0) is added and wired into the baseline contract's future publish_time guard, allowing oracle timestamps to be up to the specified duration ahead of the current block timestamp rather than strictly in the past.

Changes

Oracle timestamp grace period feature

Layer / File(s)	Summary
Future-timestamp-buffer parameter and validation logic strategy/st0x-fixed-spread.rain	GUI field future-timestamp-buffer is added with default and min constraints, and the oracle baseline contract's future publish_time validation is updated to compare oracle-publish-time <= now() + future-timestamp-buffer instead of strict now().
Registry commit reference update strategy/registry	Three remote reference URLs are updated to point to the new st0x-oracle-server commit hash corresponding to the grace period validation changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• ST0x-Technology/st0x-oracle-server#7: Both PRs modify the st0x-fixed-spread baseline time-safety check— fixed spread #7 initially enforces oracle-publish-time <= now(), while the main PR extends it to oracle-publish-time <= block.timestamp + future-timestamp-buffer (and updates the registry to the corresponding upstream commit).

Poem

A buffer blooms in timestamp-land, 🌱
Oracles get grace with gentle hand,
Twenty blocks to spare, or configure less,
Future-proofing moves with tenderness. 🐰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main change: adding a future-timestamp buffer to the fixed-spread strategy, which aligns with the PR objectives and file summaries.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

strategy/st0x-fixed-spread.rain (1)

134-156: ⚠️ Potential issue | 🔴 Critical | ⚖️ Poor tradeoff

Fix staleness guard reasoning: sub(now() oracle-publish-time) may revert when publish_time is in the future

Rainlang’s integer model doesn’t support negative integers; subtracting below zero is an error unless “saturating”/clamping math is used. With the future-timestamp guard allowing oracle-publish-time > now() (up to future-timestamp-buffer), the staleness ensure at strategy/st0x-fixed-spread.rain:151-156 (sub(now() oracle-publish-time) <= max-staleness) can hit a negative subtraction and revert—contradicting the comment’s claim that a negative value “is always less than max-staleness” and “silently pass.” Update the staleness logic to use saturating/clamped subtraction (or change the logic/comment so it matches actual failure behavior).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@strategy/st0x-fixed-spread.rain` around lines 134 - 156, The staleness ensure
can revert because Rainlang integer subtraction errors on negative results:
change the staleness check to use a saturating/clamped subtraction instead of
raw sub(now() oracle-publish-time). Concretely, compute age =
(oracle-publish-time > now()) ? 0 : sub(now() oracle-publish-time) (or use your
language's saturating-sub helper) and then ensure less-than-or-equal-to(age
max-staleness) ; also update the comment to reflect that we clamp future publish
times to zero for staleness checks. Use the existing symbols
oracle-publish-time, now(), future-timestamp-buffer, max-staleness and the
staleness :ensure block to locate and change the logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@strategy/st0x-fixed-spread.rain`:
- Around line 82-90: The configuration for the "future-timestamp-buffer" binding
lacks an upper bound allowing arbitrarily large values; update the binding named
future-timestamp-buffer to add a max constraint (e.g., max: 60) alongside the
existing min: 0 so the parameter cannot be set to an excessively large number
and still allows a small clock-skew grace period; ensure the change is applied
where the binding is defined (future-timestamp-buffer / "Future Timestamp Buffer
(seconds)") and keep the default at 20.

---

Outside diff comments:
In `@strategy/st0x-fixed-spread.rain`:
- Around line 134-156: The staleness ensure can revert because Rainlang integer
subtraction errors on negative results: change the staleness check to use a
saturating/clamped subtraction instead of raw sub(now() oracle-publish-time).
Concretely, compute age = (oracle-publish-time > now()) ? 0 : sub(now()
oracle-publish-time) (or use your language's saturating-sub helper) and then
ensure less-than-or-equal-to(age max-staleness) ; also update the comment to
reflect that we clamp future publish times to zero for staleness checks. Use the
existing symbols oracle-publish-time, now(), future-timestamp-buffer,
max-staleness and the staleness :ensure block to locate and change the logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fef0d6fc-ee99-4ed0-a1b6-40d208f79806

📥 Commits

Reviewing files that changed from the base of the PR and between 31a8a8e and 27a5edd.

📒 Files selected for processing (2)

• strategy/registry
• strategy/st0x-fixed-spread.rain

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add maximum constraint to future-timestamp-buffer.

The field has min: 0 but no max constraint. Without an upper bound, a deployer could configure an arbitrarily large buffer (e.g., 86400 seconds = 24 hours), effectively disabling the future-timestamp protection. This would allow oracle timestamps far in the future to pass validation, undermining the safety guarantees.

🛡️ Proposed fix to add a reasonable maximum

         - binding: future-timestamp-buffer
           name: Future Timestamp Buffer (seconds)
           description: >
             Grace period (in seconds) added to block.timestamp when
             checking that Alpaca publish_time is not in the future.
             Allows minor clock skew between Alpaca, the signer, and
             the chain without reverting.
           default: 20
           min: 0
+          max: 60

A maximum of 60 seconds should be sufficient for legitimate clock skew while preventing abuse.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@strategy/st0x-fixed-spread.rain` around lines 82 - 90, The configuration for
the "future-timestamp-buffer" binding lacks an upper bound allowing arbitrarily
large values; update the binding named future-timestamp-buffer to add a max
constraint (e.g., max: 60) alongside the existing min: 0 so the parameter cannot
be set to an excessively large number and still allows a small clock-skew grace
period; ensure the change is applied where the binding is defined
(future-timestamp-buffer / "Future Timestamp Buffer (seconds)") and keep the
default at 20.