Module 1
WardClient
High-level SDK entrypoint for institutions and integrators.
Protocol specification
Engineering reference for Ward Protocol: architecture, claim validation, signer-boundary guarantees, settlement behavior, and the controls that make conformance reviewable.
Specification snapshot
Core invariant
ward_signed = False
Decision source
Authoritative on-ledger state only
Settlement role
Ward returns unsigned payloads only
Primary assurance surface
Nine-step claim validation
Architecture
Module 1
High-level SDK entrypoint for institutions and integrators.
Module 2
WebSocket default detection with authoritative ledger re-verification.
Module 3
Nine-step deterministic on-chain claim validation.
Module 4
Unsigned escrow lifecycle for controlled institutional execution.
Module 5
Coverage ratio and reserve accounting for pool safety.
Claim validation
These steps are intentionally explicit. They define the evidence path institutions can inspect and the basis for every conformant result.
Step 1
NFT existence and taxon enforcement (WARD_POLICY_TAXON = 281)
Step 2
Policy validity using XRPL ledger close_time, never server clock
Step 3
Vault address binding: metadata vault must equal defaulted_vault
Step 4
LSF_LOAN_DEFAULT flag on LedgerEntry(index=loan_id)
Step 5
Vault loss must be greater than zero drops
Step 6
Pool usable balance must exceed the validated loss amount
Step 7
Replay protection: policy NFT must still be live
Step 8
Claimant must still hold the policy NFT on ledger
Step 9
Pool solvency and rate limits must still hold at settlement
Protocol details
Ward Protocol is an open specification and SDK for deterministic default protection on institutional lending vaults. Core invariant: ward_signed = False. Ward constructs unsigned transactions. Institutions sign. The chain settles. Ward never holds, touches, or stores private keys.
VaultMonitor subscribes to XRPL ledger events over TLS, treats incoming transaction messages as hints only, and confirms default through independent LedgerEntry reads. Default status is only promoted after repeated authoritative confirmation.
Ward never receives the claimant preimage. Institutions sign EscrowCreate, claimants sign EscrowFinish, and policy NFTs are burned on settlement to prevent replay. ward_signed = False is preserved across the entire settlement path.
Shared primitives live in ward/primitives.py, ward/constants.py, and ward/tx_builder.py so address validation, reserve accounting, payload construction, and signer-boundary guarantees stay consistent across the protocol surface.
Attack-vector mitigations
Protocol constants
| Constant | Value |
|---|---|
| WARD_POLICY_TAXON | 281 |
| WARD_CREDENTIAL_TAXON | 282 |
| TF_BURNABLE | 0x00000001 |
| LSF_LOAN_DEFAULT | 0x00010000 |
| MIN_COVERAGE_RATIO | 1.5 |
| CLAIM_RATE_LIMIT_MAX | 3 |
| CLAIM_RATE_LIMIT_WINDOW_S | 300 |
| MONITOR_HEARTBEAT_TIMEOUT_S | 60 |
| XRPL_BASE_RESERVE_DROPS | 20_000_000 |
| XRPL_OWNER_RESERVE_DROPS | 2_000_000 |
Signer boundary reminder
No Ward class stores a wallet, no Ward method calls submit_and_wait, and build_unsigned_tx() is the transaction construction path that preserves ward_signed = False.
Navigation flow
The spec should feed directly into a conformance review, a live sandbox run, or an implementation surface. No dead ends, no broken buttons, and no ambiguity about the next institutional step.