Skip to main content
Status: Draft spec (Phase 1) Canonical capability ids for target profiles, artifact metadata, and compile-time rejection. Semantic meanings align with the matrix in RFC 0002. Legend: Y supported (planned or implemented), P partial/spike only, N not supported, not applicable.

Relationship to target ids

  • Target ids are recorded in docs/decisions.md and summarized by docs/rfcs/0002-target-implementation-design.md.
  • This registry owns capability ids, not target lifecycle stages.
  • Docs must not invent alternate ids for the same semantics.

Relationship to Contract Intent and Target Extensions

Capability ids are the lower-level protocol used after target selection, not the default user-facing SDK. Portable contracts should normally call the chain-neutral Contract Intent API. The selected target adapter resolves those intents into a capability plan, then checks this registry before lowering. Target Extension SDKs may expose target-specific operations such as Solana PDA/CPI/runtime allocator configuration, Move resources, or UTXO covenant primitives. Those extensions still route through capability ids and target metadata so diagnostics, artifact metadata, and cross-target support checks remain uniform.

Core Capabilities

The Solana column reflects the canonical solana-sbpf-asm route (D-026): direct sBPF assembly codegen. Solana uses crosscall.cpi (not crosscall.invoke) and storage.pda — these are Solana-specific per D-027. The CF Workers column is the off-chain wasm-cloudflare-workers host (D-033); it reinterprets capabilities without consensus or on-chain state.
Capability idPortable meaningEVMNEARCosmWasmSolanaAptosSuiPsy DPNCF Workers
storage.scalarSingle persistent scalarYYYYYYYY
storage.mapKey-value or mapping storageYYYPPPPY
storage.arrayFixed-size indexed storage arrayPNNYNNPP
caller.senderTransaction signer/callerYYYYYYPY
value.nativeNative token attached to callYYYYYYPN
events.emitStructured log/event outputYYYYYYYY
crosscall.invokeCall another contract/programYNYNYYPY
env.blockBlock height/time/chain id readsYYPPPPPP
control.conditionalStatement-level conditional branches with target-supported boolean predicatesPNNYNNPY
control.bounded_loopStatic bounded loops that can be flattened or unrolled by the targetNNNPNNPY
data.fixed_arrayFixed-size array value type, literals, and index expressionsPNNYNNPY
data.structStruct value type, literals, and field accessPNNYNNPY
crypto.hashHost or library hashingYYYYYYYY
assertions.checkRuntime or circuit assertions emitted from portable IR statementsYYNYNNPY
account.explicitNamed account/object/resource bindingPYNYYYPP
storage.pdaProgram-derived address stateNNNYNNNN
runtime.allocatorTarget runtime heap allocator contractNYPYPPPN
runtime.memoryTarget runtime memory operationsNNNYNNNN
runtime.return_dataTarget runtime return-data buffer operationsNNNYNNNN
runtime.compute_unitsTarget runtime compute-budget introspectionNNNPNNNN
crosscall.cpiSolana CPI with account metasNNNYNNNN
zk.circuitCompile entrypoints into target circuit definitionsNNNNNNYN
zk.proofTarget proof generation or verification flowNNNNNNPN

Id Naming Rules

  • Format: <domain>.<operation> or <domain>.<variant> (lowercase, dot-separated).
  • Domains: storage, caller, value, events, crosscall, env, control, data, crypto, assertions, account, runtime, zk.
  • Artifact metadata lists the ids used by a build (see RFC 0002 artifact schema).
  • Diagnostics must cite capability id and target id on rejection.

Candidate Capabilities Not Yet Registered

These candidates are documented for target research only. Do not add them to ProofForge.Target.Capability until a target profile and lowering rules are accepted.

Kaspa Toccata

See Kaspa Toccata target.
Candidate idPortable meaningWhy it is separate
storage.utxoState lives in covenant-controlled UTXOs or state commitmentsNot account/object storage and not EVM-style slots
covenant.lineageSuccessor outputs remain in an authorized covenant familyNeeded for transaction/output validation, not ordinary storage
tx.v1Target uses Kaspa transaction v1 semanticsTransaction projection and payload rules affect correctness
tx.compute_budgetPer-input script compute budget is explicitBudgeting is part of transaction design, not just gas metering
lane.userApp operations can use user lanesNeeded for based-app ordering and proof anchoring
zk.verifyScript verifies an L1-supported proofDifferent from compiling the target itself into a circuit
zk.circuit remains reserved for targets whose primary artifact is a circuit or circuit-oriented source package. Toccata may use proofs, but its base target is a Kaspa covenant package.

Stellar Soroban

See Stellar Soroban target. Most Soroban behavior can start from the existing Wasm-host capability set, but several target semantics are not covered by the current registry.
Candidate idPortable meaningWhy it is separate
auth.requireA contract requires an address-level authorization payloadStronger and more structured than reading a caller/sender
auth.account_contractA contract account validates authorization through target-native account logicNeeded for Soroban account-contract flows
storage.ttlState entries have TTL extension, archival, and restoration behaviorNot captured by scalar/map storage alone
artifact.contract_specBuild output includes contract interface/spec metadata used by tooling and bindingsArtifact-level requirement, not runtime storage
asset.stellarContract uses Stellar Asset Contract or token-interface integrationNative asset surface differs from generic value.native

Internet Computer

See Internet Computer target. ICP canisters overlap with the Wasm-host family, but several canister semantics need explicit representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
abi.candidBuild emits and validates a Candid service interfacePublic ABI is not only exported Wasm symbols
canister.method_modeEntry points distinguish update, query, and composite query methodsCall mode affects persistence, consensus, and call restrictions
storage.stable_memoryState uses stable memory or stable structures across upgradesNot captured by scalar/map storage alone
storage.orthogonal_persistenceState follows Motoko-style orthogonal persistence semanticsDifferent from explicit key-value stores
principal.idCaller/canister/user identity is a PrincipalNot an EVM address or generic account id
cycles.manageTarget can inspect, accept, send, or account for cyclesCycles are resource accounting, not ordinary value.native
crosscall.asyncCross-canister calls are asynchronous message flowsDifferent from synchronous contract calls
canister.lifecycleTarget supports install, upgrade, stop/start, and lifecycle hooksLifecycle is part of deployment and state safety
certified.dataTarget exposes certified variables or certified data responsesNeeded for IC certification patterns
management.canisterTarget can call the virtual management canisterSystem lifecycle APIs are target-native

Algorand AVM

See Algorand AVM target. Algorand overlaps with generic contract capabilities, but AVM programs, storage classes, transaction groups, and explicit resource references need separate representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
avm.applicationTarget emits stateful application approval and clear-state programsApplication artifacts have two AVM programs and app lifecycle semantics
avm.logicsigTarget emits a stateless LogicSig programLogicSig is a separate stateless authorization artifact, not an app call
abi.arc4Build emits or validates ARC-4 ABI/app-spec metadataPublic method shape is tooling-visible metadata, not only exported code
storage.globalContract uses application global stateDifferent limits and access rules from local or box state
storage.localContract uses account-local application stateState is keyed by account and app, not by a global contract map
storage.boxContract uses box storage with explicit box referencesBox access requires resource references and budget planning
tx.groupContract depends on atomic transaction group ordering or inspectionGroup semantics are target-native transaction context
tx.resource_refsApp call requires explicit accounts, assets, apps, or boxes referencesResource availability affects whether AVM execution can access data
itxn.submitApplication submits inner transactionsInner effects are transaction-level, not synchronous method calls
asset.asaContract handles Algorand Standard AssetsNative asset model differs from generic value.native
gas.avm_budgetLowering tracks AVM opcode budget, costs, and program limitsAVM budget constraints are not EVM gas or Wasm host fuel
artifact.algokitBuild emits AlgoKit/Puya app artifacts and validation metadataTarget tooling requires app spec and bytecode package metadata

Cardano Plutus/Aiken

See Cardano Plutus/Aiken target. Cardano overlaps with UTXO covenant targets, but eUTXO validator roles, datum, redeemer, script context, execution units, and Plutus blueprint metadata need separate representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
storage.eutxoState and value live in eUTXO outputsNot account/object storage or global contract state
validator.spendTarget emits a spending validatorSpending validators have datum/redeemer/script-context semantics
validator.mintTarget emits a minting policyMinting policy semantics differ from spending validation
validator.withdrawTarget emits a withdrawal validatorWithdrawal validation has a distinct Cardano role
datum.inlineContract depends on inline datum encodingDatum placement affects transaction construction and validation
redeemer.inputEntrypoint arguments are redeemersArguments arrive as transaction redeemers, not method calldata
tx.script_contextValidator reads Cardano script contextContext is central to validation correctness
tx.validity_rangeValidator constrains slot/time validityValidity ranges differ from generic block reads
tx.balancingValidation includes transaction balancing and fee handlingOff-chain transaction construction is part of practical correctness
asset.native_tokenContract handles Cardano native multi-assetsNative asset model differs from generic value.native
budget.exunitsArtifact records Plutus execution unitsExecution-unit budgeting is target-specific
artifact.plutus_blueprintBuild emits CIP-57 blueprint metadataBlueprint metadata is part of the Cardano tooling surface

Tezos Michelson/LIGO

See Tezos Michelson/LIGO target. Tezos overlaps with generic contract storage and entrypoints, but Michelson’s typed data, operation-list effects, views, events, tickets, and gas/storage-burn semantics need explicit representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
vm.michelsonTarget emits or validates Michelson codeMichelson is a typed stack VM with target-specific constraints
abi.entrypointBuild emits entrypoint/parameter schema metadataPublic entrypoint shape is target-visible metadata
storage.michelineStorage is encoded as typed Micheline dataNot EVM slots or generic JSON
storage.big_mapContract uses Tezos big_map storagebig_map persistence/indexing differs from ordinary maps
operation.listEntrypoint returns a list of Tezos operationsEffects are returned data, not direct synchronous calls
view.contractContract exposes Tezos viewsViews are a separate public read surface
events.tezosContract emits Tezos eventsEvent payload and indexing semantics are target-native
ticket.handleContract creates, transfers, or consumes ticketsTickets are native linear assets, not generic tokens
privacy.saplingContract uses Sapling state or transactionsPrivacy state is target-native and non-generic
delegate.setContract can change or clear delegationDelegation is a Tezos-specific operation
gas.tezosArtifact records Tezos gas/storage-burn constraintsFee model differs from EVM gas and Wasm fuel
artifact.ligoBuild emits LIGO and compiled Michelson metadataTarget tooling requirement

Starknet Cairo

See Starknet Cairo target. Starknet overlaps with contract storage, events, and calls, but Cairo/Sierra/CASM artifacts, class hashes, account abstraction, syscalls, and L1/L2 messaging need explicit representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
vm.cairoTarget emits Cairo source for StarknetCairo is the source language and execution model boundary
artifact.sierraBuild emits Sierra contract class artifactsSierra is required intermediate contract class metadata
artifact.casmBuild emits CASM artifactsCASM is a target artifact distinct from source and ABI
class.declareDeployment flow includes class declarationStarknet separates declaring a class from deploying an instance
class.hashArtifact records class hash and class identityClass hash is part of deployment and upgrade semantics
abi.starknetBuild emits Starknet ABI and selector metadataABI shape is not EVM ABI
storage.starknetContract uses Starknet storage paths/maps/componentsStorage paths and components are target-native
account.abstractionTarget depends on Starknet account-contract semanticsAccounts are contract-level protocol participants
syscall.starknetContract uses Starknet syscallsCalls, deploys, events, storage, and messaging use syscall surfaces
message.l1_l2Contract sends or consumes L1/L2 messagesMessaging differs from ordinary contract calls
fee.starknetArtifact records Starknet fee/resource constraintsFee/resource model is target-specific
test.snforgeValidation uses Starknet Foundry or devnetLocal smoke tooling is part of target validation

Aleo Leo

See Aleo Leo target and docs/superpowers/specs/2026-07-01-aleo-leo-design.md. Aleo overlaps with source-generation and ZK targets, but its contract model has an explicit proof/finalization split. Private execution creates transitions and proofs; public finalization updates mappings or storage on-chain. Records, program ids, imports, Aleo Instructions, Aleo VM bytecode, ABI, prover/verifier artifacts, fees, and devnet validation need explicit representation before a target profile is added.

Canonical capabilities (Road 1 spike)

These capabilities are accepted for the first aleo-leo spike and are listed in Aleo artifact metadata produced by scripts/aleo/counter-smoke.sh. They are not added to ProofForge.Target.Capability until the target profile and proof/finalization split are reviewed.
Capability idPortable meaningWhy it is separate
lang.leoTarget emits Leo source packagesLeo is the first stable sourcegen boundary
vm.aleo_avmTarget runs on the Aleo VMAvoids ambiguity with Algorand AVM
artifact.avmBuild emits Aleo VM bytecodeDeployment artifact is target-native
artifact.aleo_abiBuild emits Aleo ABI metadataABI shape follows Aleo program interfaces
execution.finalizeProgram has public on-chain finalization logicFinalization is public and validator-executed
state.mappingPublic state is held in mappingsMappings are on-chain public key-value state
input.publicFunction input is public dataPublic inputs are visible in transaction context
output.publicFunction output is publicPublic outputs need explicit metadata
test.leoValidation uses Leo testsLocal validation is target tooling

Research candidate capabilities (future spikes)

These remain candidates until private records, transitions, proofs, imports, deployment, or devnet validation are scoped.
Candidate idPortable meaningWhy it is separate
ir.aleo_instructionsBuild emits or consumes Aleo InstructionsLower-level Aleo compiler target distinct from Leo
proof.prover_keyBuild or execute flow produces prover artifactsProof generation has target-owned artifacts
proof.verifier_keyBuild or deploy flow records verifier artifactsVerification keys are part of deployment/execution metadata
execution.transitionEntry execution produces a transition and proofTransition is the Aleo function-call unit
state.recordPrivate state is held in encrypted recordsRecords are UTXO-like and not EVM storage
state.storagePublic state may use storage variables or storage vectorsAleo storage differs from mappings and private records
input.privateFunction input is private proof-context dataPrivacy is part of the function signature
output.privateFunction output is private by defaultOutput visibility is target semantics
program.importProgram imports and calls another Aleo programCross-program calls produce composed transitions/finalization
program.upgradeDeployment may support explicit program upgradesUpgrade rules are program/deploy metadata
transaction.executeValidation can produce an execute transactionExecute transactions carry transitions and proofs
transaction.deployValidation can produce or inspect a deploy transactionDeploy publishes program code and verification metadata
fee.creditsFees are paid in Aleo Credits, publicly or privatelyFee visibility and source affect privacy and validation
test.aleo_devnetValidation uses Leo devnet or devnode-backed flowsNetwork-backed smoke differs from local compile/test
The existing zk.circuit capability is not enough for Aleo. It may describe part of the proof surface, but Aleo also needs program, transaction, state-record, finalization, and artifact capabilities.

TON TVM

See TON TVM target. TON overlaps with generic contract capabilities, but TVM cells, messages, and actions need explicit representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
storage.cellContract state is encoded as TVM cells, slices, and buildersNot EVM slot storage or host KV
abi.tlbBuild emits or validates TL-B/cell layout metadataPublic data shape is cell-oriented
message.recvContract handles internal or external inbound messagesEntrypoint shape is message-driven
message.sendContract emits outbound messages through action semanticsNot synchronous cross-contract calls
method.getContract exposes off-chain get methodsDifferent from state-changing message handlers
action.listTarget effects are accumulated in TVM action listsNeeded for send/deploy/reserve effects
state.initDeployment requires code/data StateInit handlingDeployment artifact is target-native
account.statusAccount lifecycle/status affects behaviorNeeded for uninit/active/frozen/deleted handling
gas.tvmTVM gas and fee model is explicitNot generic EVM gas or host fee metering
asset.jettonContract integrates TON jetton/token standardsNative token standards differ from value.native

Bitcoin Script/Miniscript

See Bitcoin Script/Miniscript target. Bitcoin overlaps with UTXO script targets, but base-layer Script is best modeled as spending policy rather than general contract execution. Miniscript, descriptors, Taproot/Tapscript, PSBT flows, standardness, and weight/fee checks need explicit representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
script.bitcoinTarget emits Bitcoin Script or script fragmentsBitcoin Script has distinct consensus and standardness rules
script.miniscriptTarget emits analyzable Miniscript policySafer first artifact than raw Script for spending policies
descriptor.outputTarget emits Bitcoin Core output descriptorsDescriptors drive wallet/address/script workflows
script.segwitTarget emits SegWit v0 script paths such as P2WPKH/P2WSHSegWit witness semantics differ from legacy script paths
script.taprootTarget emits Taproot key-path or script-path outputsTaproot changes address, commitment, and spend semantics
script.tapscriptTarget emits or validates Tapscript semanticsTapscript changes opcode and signature behavior
witness.stackArtifact declares required witness stack itemsUnlocking data is part of spend validation
sighash.modeSignature semantics depend on explicit sighash flagsSighash choice affects what the signature commits to
hashlock.preimageSpending policy depends on revealing hash preimagesCommon Bitcoin contract primitive
multisig.thresholdSpending policy uses threshold signatures or multisig structureNot equivalent to account-level authorization
psbt.flowValidation uses PSBT creation, signing, and finalizationPractical Bitcoin workflows are transaction-construction heavy
policy.standardnessArtifact checks relay/mining standardness policyConsensus-valid scripts may still be non-standard
fee.weightArtifact records transaction weight, vbytes, fee, and dust constraintsFee and relay viability are part of practical correctness
test.bitcoin_coreValidation uses Bitcoin Core regtest or RPC checksTarget validation depends on Bitcoin Core behavior
Bitcoin should reuse existing UTXO candidate ids where the semantics match, including storage.utxo, script.p2sh, script.unlocker, timelock.locktime, signature.checksig, and tx.builder.

Zcash Shielded

See Zcash Shielded target. Zcash overlaps with Bitcoin-derived UTXO flows, but its shielded pools are not ordinary Bitcoin Script or a generic ZK circuit target. Sapling/Orchard notes, nullifiers, commitment tree anchors, value-balance constraints, viewing-key disclosure, and protocol-defined proofs need explicit representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
privacy.shieldedTarget uses a shielded value poolPrivacy is a transaction construction property, not only a proof flag
privacy.transparentTarget also handles transparent Zcash inputs or outputsTransparent and shielded pools leak different information
pool.saplingTarget uses Sapling shielded semanticsSapling has distinct notes, keys, and proof semantics
pool.orchardTarget uses Orchard shielded semanticsOrchard has action bundles and Halo 2 proof semantics
note.shieldedState/value unit is a shielded noteNot EVM storage, account state, or plain UTXO script data
note.commitmentArtifact records note commitment semanticsNeeded for tree membership and output construction
nullifier.revealSpend reveals a nullifier as the double-spend guardPublic nullifiers are core to shielded spend validity
anchor.commitment_treeSpend proves membership against a commitment tree anchorMembership anchor is part of the public proof statement
zk.zcash_proofTransaction carries a Zcash protocol proofThe circuit is protocol-defined, not arbitrary application code
zk.witnessBuild requires private witness data for provingWitness data must stay off-chain and auditable as a boundary
value.balanceArtifact records shielded value-balance constraintsConservation across shielded pools and transparent turnstiles is target-specific
key.viewingValidation/disclosure can use viewing keysOff-chain observability is not contract state
address.unifiedTarget handles unified addresses and receiver selectionAddress semantics affect pool choice and recipient leakage
privacy.policyArtifact records allowed information leakagezcashd exposes privacy-policy choices during transaction construction
test.zcashdValidation uses zcashd RPC or a compatible local libraryTarget validation depends on Zcash tooling, not Bitcoin Core alone
Zcash should reuse existing UTXO candidate ids for transparent flows where the semantics match, including storage.utxo, tx.builder, signature.checksig, and fee.weight. The existing zk.circuit capability is not the right first abstraction for ordinary Zcash shielded transfers; it only fits future auxiliary proof-program work outside the Zcash consensus proof system.

Bitcoin Cash CashScript

See Bitcoin Cash CashScript target. BCH/CashScript overlaps with UTXO covenant targets, but its CashVM, transaction-introspection, CashTokens, and transaction-builder semantics need explicit representation before a target profile is added.
Candidate idPortable meaningWhy it is separate
storage.utxoState and value live in spendable UTXOsNot account/object storage or global contract state
script.p2shContract deployment/addressing uses P2SH locking scriptsDeployment/address surface is target-native
script.unlockerContract calls are unlocking scripts for selected UTXOsNot ordinary method dispatch
tx.introspectionContract reads current transaction inputs/outputs and active input dataCore covenant mechanism in BCH CashVM
covenant.introspectionContract constrains successor outputs through introspectionNeeded for covenant-style state transitions
storage.local_stateLocal state is simulated through script data or CashTokens commitmentsNot persistent global storage
asset.cashtokenContract handles CashTokens category, capability, NFT commitment, and token amountNative asset model differs from generic value.native
timelock.locktimeContract depends on locktime, sequence, or age checksSeparate from ordinary block reads
signature.checksigContract verifies signatures as spend conditionsUTXO spend authorization is script-level
artifact.cashscriptBuild emits a CashScript artifact JSON and bytecode metadataTarget tooling requirement
tx.builderValidation includes building and evaluating a spend transactionPractical target semantics require transaction construction

EVM Mapping (baseline)

Capability idEVM lowering
storage.scalarStorage.load / Storage.store (sload/sstore)
storage.mapStorage.mapLoad / Storage.mapStore
caller.senderEnv.sender
value.nativeEnv.value
events.emitlog0log4
crosscall.invokecall, staticcall, delegatecall, create, create2
env.blockEnv.blockNumber, etc.
Implemented today via ProofForge.Evm / Lean.Evm — see targets/evm.md.

Phase 1 Acceptance Criteria

  • Every id in this table appears in TargetProfile.capabilities for at least one target.
  • EVM Counter build lists storage.scalar (and others used) in artifact metadata.
  • Attempting storage.pda on EVM fails with capability unsupported diagnostic.
  • Registry stays in sync when RFC 0002 semantic matrix changes.

Changelog

DateChange
2026-06-30Initial registry; supersedes ad hoc ids in Chinese technical plan
2026-06-30Added Psy DPN research column and ZK capability ids