doc: add timestamp and gas limit to Preconf in design doc

Author: linoscope

.claude/settings.local.json

@@ -0,0 +1,11 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(git log:*)",
+      "Bash(git show:*)",
+      "Bash(git ls-tree:*)"
+    ],
+    "deny": [],
+    "ask": []
+  }
+}

docs/permissionless-design-doc.md

@@ -230,6 +230,10 @@ struct Preconfirmation {
     bool eop;
     // Height of the preconfed block
     uint256 blockNumber;
+    // Timestamp of the preconfed block
+    uint256 timestamp
+    // Gas limit for the preconfed block
+    uint256 gasLimit
     // Height of the L1 block chosen as anchor for the preconfed block
     uint256 anchorBlockNumber;
     // Hash of the raw list of transactions included in the parent block
@@ -346,15 +350,33 @@ def verifyPreconf(# CHANGE: Function now takes rawTxList instead of full L2 bloc
     # 6) Verify rawTxList consistency
     assert hash(rawTxList) == preconf.rawTxListHash
 
-    # 7) Reconstruct full L2 block by adding anchor transaction
+    # 7) Verify timestamp and gasLimit
+    # Timestamp must be monotonically increasing
+    assert preconf.timestamp >= localL2Head.timestamp
+    # Timestamp must not drift too far from current time
+    assert abs(preconf.timestamp - now()) <= MAX_TIMESTAMP_DRIFT
+
+    # Gas limit must match deterministic protocol calculation
+    expectedGasLimit = getExpectedGasLimit(
+        parentHash=localL2Head.hash,
+        parentGasLimit=localL2Head.gasLimit,
+        parentGasUsed=localL2Head.gasUsed
+    )
+    assert preconf.gasLimit == expectedGasLimit
+
+    # 8) Reconstruct full L2 block by adding anchor transaction
     anchorHash = L1.getBlockHash(preconf.anchorId)
     anchorTx = constructAnchorTx(anchorHash)
-    l2Block = executeL2Block([anchorTx] + rawTxList)
+    l2Block = executeL2Block(
+        transactions=[anchorTx] + rawTxList,
+        timestamp=preconf.timestamp,
+        gasLimit=preconf.gasLimit
+    )
 
-    # 8) Advance local canonical chain
+    # 9) Advance local canonical chain
     localL2Head = l2Block
 
-    # 9) Handle explicit EOP handoff
+    # 10) Handle explicit EOP handoff
     if preconf.eop:
         currentPreconfer = lookaheadStore.getNextPreconfer()
 
@@ -383,21 +405,21 @@ The preconfers will need to eventually include their preconfed L2 transactions i
 
 Preconf equivocation can be categorized into four categories:
 
-- **RawTxList/anchorID mismatch:** The preconfer failed to honor the transaction ordering and/or anchor ID they preconfed.
+- **Block commitment mismatch:** The preconfer failed to honor the rawTxList, anchor ID, timestamp, or gas limit they preconfed.
 - **Missed submission**: The preconfer did not submit the preconfed block to the Taiko inbox.
 - **Invalid EOP:** The preconfer included additional L2 blocks after their `EOP=true` block.
 - **Missing EOP:** The preconfer did not include set `EOP=true` in their final preconfed block.
 
 Let’s examine each category in detail.
 
-### **RawTxList/anchorID** Mismatch Slashing
+### Block Commitment Mismatch Slashing
 
-Slash when the rawTxList/anchorID for a given L2 block ID differs between:
+Slash when the rawTxList/anchorID/timestamp/gasLimit for a given L2 block ID differs between:
 
 - The block is **preconfed** and published on the P2P network.
 - The block was **submitted** to L1 and later proven.
 
-For example, in this diagram, the preconfed block `B1` (preconfed in P2P) and the submitted block `B1′` (submitted to L1) have different rawTxList/anchorID for the same L2 block ID. 
+For example, in this diagram, the preconfed block `B1` (preconfed in P2P) and the submitted block `B1′` (submitted to L1) have different rawTxList/anchorID/timestamp/gasLimit for the same L2 block ID. 
 
 ![image.png](images/image%205.png)
 
@@ -417,7 +439,7 @@ However, checking `submissionWindowEnd` alone is not sufficient to protect preco
 
 ![image.png](images/image%207.png)
 
-To protect against such cases, we compare not only the `rawTxList` and `anchorId` of the preconfirmed and submitted blocks, but also their **parent** `rawTxList`, `anchorId`, and `submissionWindowEnd` values. If any of these parent values differ, the slashing is not applied to the current preconfer. Instead, the slashing entity is expected to target the parent block. This allows us to trace the divergence back transitively to the original L2 block where the mismatch first occurred.
+To protect against such cases, we compare not only the `rawTxList`, `anchorId`, `timestamp`, and `gasLimit` of the preconfirmed and submitted blocks, but also their **parent** `rawTxList`, `anchorId`, and `submissionWindowEnd` values. If any of these parent values differ, the slashing is not applied to the current preconfer. Instead, the slashing entity is expected to target the parent block. This allows us to trace the divergence back transitively to the original L2 block where the mismatch first occurred.
 
 ### Missed Submission