# Domain-separated challenges

Every wallet-agnostic action signs a fixed 32-byte challenge. The challenge is not just a random nonce: it is a domain-separated digest that binds the action's identity into the bytes the user signs, so a signature gathered for one action cannot be replayed for another.

## What goes into a challenge

A challenge is a hash over, in order:

```
"andromeda::rules-policy::v1"   domain tag (version-pinned)
op-tag                          which operation this is
dwallet                         the dWallet address it concerns
... operation-specific fields   (for example, the message hash)
nonce                           the per-flow replay nonce
member-or-primary slot          the 34-byte slot of the signer
```

So a primary-recovery challenge for dWallet A at nonce 7 hashes to a different value than a quorum-contribution challenge for the same dWallet, and changing the member or the nonce changes the digest as well. Reusing a signature across actions does not work, because the bytes that were signed do not match what the program recomputes.

## Why a domain tag

The leading domain string (`andromeda::rules-policy::v1`) ensures these challenges can never collide with bytes a wallet might sign for something else, and the `v1` makes the construction explicit so it can evolve without ambiguity.

## How many

There are fourteen distinct challenge constructions in the `rules-policy` program, one per kind of action (primary recovery, the various admin changes, opening a quorum session, contributing to one, finalising, closing, and so on). Each is implemented in the Rust program and mirrored byte-for-byte in the TypeScript that the engine uses to build the `challenge` responses, so what the client signs is exactly what the program will recompute and verify.

## What this means for client builders

If you build something that constructs challenges yourself rather than calling the `challenge` endpoint:

* You must reproduce the exact byte layout, including the domain tag, the operation tag, the field order, the nonce, and the 34-byte member slot.
* You must use the nonce the program currently expects (read it from the chain or from a `challenge` response).
* Getting any of this wrong produces a signature the program rejects.

In practice, calling the `challenge` endpoint and signing what it returns is the supported path. The construction is documented here so the behaviour is auditable, not so you have to reimplement it.

## Replay protection beyond the challenge

The challenge binds the nonce, and the program tracks the nonce on-chain (`next_admin_nonce`, `next_primary_recover_nonce`, `next_session_nonce`), incrementing it as actions succeed. So even a correctly constructed challenge is single-use: once the action runs, the nonce moves and that exact challenge can never be valid again.
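The sketch below is an added example, not code from the `rules-policy` program or the engine. It shows a signature being rejected for a different operation and again after the nonce has advanced. SHA-256, Ed25519, the one-byte op-tag values, the 32-byte dWallet width, the 8-byte little-endian nonce and the `PolicyState` class are all assumptions made for illustration; only the domain string, the field order and the 34-byte slot come from this page.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

// Assumed layout for illustration only: the real op-tag values, field widths,
// integer encoding and hash function are defined by the rules-policy program.
const DOMAIN = Buffer.from("andromeda::rules-policy::v1");
const OP = { primaryRecover: 1, quorumContribute: 2 }; // hypothetical op-tags

function u64le(n: number): Buffer {
  const b = Buffer.alloc(8);
  b.writeUInt32LE(n % 0x100000000, 0);
  b.writeUInt32LE(Math.floor(n / 0x100000000), 4);
  return b;
}

// domain tag | op-tag | dwallet | operation fields | nonce | 34-byte slot
function buildChallenge(op: number, dwallet: Buffer, fields: Buffer, nonce: number, slot: Buffer): Buffer {
  if (dwallet.length !== 32 || slot.length !== 34) throw new Error("bad field length");
  const body = Buffer.concat([DOMAIN, Buffer.from([op]), dwallet, fields, u64le(nonce), slot]);
  return createHash("sha256").update(body).digest();
}

// Stand-in for the on-chain side: recompute the challenge from its own state,
// verify the signature over it, and advance the nonce only on success.
class PolicyState {
  nextNonce = 7;
  constructor(readonly dwallet: Buffer, readonly slot: Buffer, readonly signer: KeyObject) {}
  submit(op: number, fields: Buffer, signature: Buffer): boolean {
    const expected = buildChallenge(op, this.dwallet, fields, this.nextNonce, this.slot);
    if (!verify(null, expected, this.signer, signature)) return false;
    this.nextNonce += 1;
    return true;
  }
}

// Constructed sample values, not real addresses, slots or keys.
function demo(): { crossOp: boolean; first: boolean; replay: boolean; digestLen: number } {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  const dwallet = Buffer.alloc(32, 0xa1);
  const slot = Buffer.alloc(34, 0x02);
  const fields = Buffer.alloc(32, 0x5e); // stands in for a message hash
  const state = new PolicyState(dwallet, slot, publicKey);
  const challenge = buildChallenge(OP.primaryRecover, dwallet, fields, state.nextNonce, slot);
  const sig = sign(null, challenge, privateKey);
  const crossOp = state.submit(OP.quorumContribute, fields, sig); // different action: rejected
  const first = state.submit(OP.primaryRecover, fields, sig); // intended action: accepted
  const replay = state.submit(OP.primaryRecover, fields, sig); // nonce has moved: rejected
  return { crossOp, first, replay, digestLen: challenge.length };
}
```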


