[CAP-83] Add StellarValue type representing a skipped ledger (stellar#1904)

* [CAP-83] Add StellarValue type representing a skipped ledger

* Simple copilot typo / phrasing suggestions

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Clarify "backwards incompatibilities" section

* Add mddiffcheck metadata

* Clarify that this is a new extension type

* originalValue -> proposedValue

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: bboston7

core/README.md

@@ -114,6 +114,7 @@
 | [CAP-0060](cap-0060.md) | Update to Wasmi register machine| Graydon Hoare | Accepted |
 | [CAP-0071](cap-0071.md) | Authentication delegation for custom accounts | Dmytro Kozhevin | Draft |
 | [CAP-0072](cap-0072.md) | Contract signers for Stellar accounts | Dmytro Kozhevin | Draft |
+| [CAP-0083](cap-0083.md) | Add `StellarValue` type representing a skipped ledger | Brett Boston | Draft |
 
 ### Rejected Proposals
 | Number | Title | Author | Status |

core/cap-0083.md

@@ -0,0 +1,211 @@
+## Preamble
+
+```
+CAP: 0083
+Title: Add StellarValue type representing a skipped ledger
+Working Group:
+    Owner: Brett Boston <@bboston7>
+    Authors: Brett Boston <@bboston7>
+    Consulted: Nicolas Barry <@MonsieurNicolas>, Giuliano Losa <@nano-o>, Marta Lokhova <@marta-lokhova>
+Status: Draft
+Created: 2026-03-31
+Discussion: https://github.com/orgs/stellar/discussions/1865
+Protocol version: TBD
+```
+
+## Simple Summary
+
+This CAP introduces a new `StellarValue` type to allow validators to explicitly
+skip the ledger that is being voted on.
+
+## Working Group
+
+As specified in the preamble.
+
+## Motivation
+
+Providing a mechanism for validators to explicitly vote to skip ledgers allows
+them to conduct some SCP voting prior to receiving a transaction set. This will
+improve SCP performance, as transaction set dissemination is costly and
+validators can safely make initial progress on consensus while waiting for
+transaction sets.
+
+If, during the PREPARE phase of balloting, a validator has not received the
+transaction set being voted on within a reasonable amount of time, or the
+transaction set is invalid, they may vote to skip the current ledger. This
+prevents consensus from getting stuck waiting for a transaction set that may
+never arrive, as a valid transaction set is required before moving on to the
+CONFIRM phase of balloting.
+
+### Goals Alignment
+
+This CAP is aligned with the following Stellar Network Goal:
+
+* The Stellar Network should run at scale and at low cost to all participants of the network.
+
+## Abstract
+
+This CAP introduces a new `StellarValue` extension type `STELLAR_VALUE_SKIP`.
+With this change, validators may switch their ballot to a `STELLAR_VALUE_SKIP`
+during the PREPARE phase of balloting prior to setting `c`[^1].
+`STELLAR_VALUE_SKIP` includes information about the value that a validator was
+considering before switching to voting to skip the ledger.
+
+## Specification
+
+### XDR changes
+
+To enable ledger skipping, this CAP proposes the following change to
+`Stellar-ledger.x`:
+
+```diff mddiffcheck.base=0a621ec7811db000a60efae5b35f78dee3aa2533
+diff --git a/Stellar-ledger.x b/Stellar-ledger.x
+index a17036b..667f8e7 100644
+--- a/Stellar-ledger.x
++++ b/Stellar-ledger.x
+@@ -13,7 +13,8 @@ typedef opaque UpgradeType<128>;
+ enum StellarValueType
+ {
+     STELLAR_VALUE_BASIC = 0,
+-    STELLAR_VALUE_SIGNED = 1
++    STELLAR_VALUE_SIGNED = 1,
++    STELLAR_VALUE_SKIP = 2
+ };
+
+ struct LedgerCloseValueSignature
+@@ -43,6 +44,14 @@ struct StellarValue
+         void;
+     case STELLAR_VALUE_SIGNED:
+         LedgerCloseValueSignature lcValueSignature;
++    case STELLAR_VALUE_SKIP:
++        struct
++        {
++            Hash txSetHash;
++            Hash previousLedgerHash;
++            uint32 previousLedgerVersion;
++            LedgerCloseValueSignature lcValueSignature;
++        } proposedValue;
+     }
+     ext;
+ };
+```
+
+
+With this change, the full `StellarValue` struct becomes:
+```xdr
+/* StellarValue is the value used by SCP to reach consensus on a given ledger
+ */
+struct StellarValue
+{
+    Hash txSetHash;      // transaction set to apply to previous ledger
+    TimePoint closeTime; // network close time
+
+    // upgrades to apply to the previous ledger (usually empty)
+    // this is a vector of encoded 'LedgerUpgrade' so that nodes can drop
+    // unknown steps during consensus if needed.
+    // see notes below on 'LedgerUpgrade' for more detail
+    // max size is dictated by number of upgrade types (+ room for future)
+    UpgradeType upgrades<6>;
+
+    // reserved for future use
+    union switch (StellarValueType v)
+    {
+    case STELLAR_VALUE_BASIC:
+        void;
+    case STELLAR_VALUE_SIGNED:
+        LedgerCloseValueSignature lcValueSignature;
+    case STELLAR_VALUE_SKIP:
+        struct
+        {
+            Hash txSetHash;
+            Hash previousLedgerHash;
+            uint32 previousLedgerVersion;
+            LedgerCloseValueSignature lcValueSignature;
+        } proposedValue;
+    }
+    ext;
+};
+```
+
+
+#### XDR Example
+TBD
+
+### Semantics
+
+#### Skip Value Representation
+
+When the network votes to skip the ledger, validators will externalize a `StellarValue` with fields set as follows:
+
+* `txSetHash` : Set to `0x0`
+* `closeTime` : Set as usual
+* `upgrades` : Set as usual
+* `ext` : Set to `STELLAR_VALUE_SKIP`
+    * `proposedValue` : Details about the original `StellarValue` that a quorum of validators decided to skip.
+        * `proposedValue.txSetHash` : The hash of the transaction set that was insufficiently disseminated or invalid.
+        * `proposedValue.previousLedgerHash` : The hash of the ledger prior to this one. Used to construct an empty transaction set corresponding to this skip value.
+        * `proposedValue.previousLedgerVersion` : The ledger version of the previous ledger. Used to construct an empty transaction set corresponding to this skip value.
+        * `proposedValue.lcValueSignature` : The signature from the original `StellarValue`. Can be used to determine which validator proposed the original `StellarValue`.
+
+#### Skip Value Application
+
+At apply time, ledgers containing a skip value should be treated as ledgers with
+empty transaction sets. In every other way, they should be treated as normal
+`STELLAR_VALUE_SIGNED` ledgers.
+
+## Design Rationale
+
+We considered a few alternative methods to achieve parallel downloading of transaction sets before landing on this protocol change:
+
+* Rather than skipping a ledger on failure to download a transaction set, we looked into rolling back SCP to an earlier phase. However, this would be a large change to SCP, which was not designed to ever step backwards. We decided it was cleaner, and easier to verify the change if validators instead voted to skip the current ledger.
+* We analyzed how far along consensus a validator could safely proceed without a transaction set if there was no skip or rollback mechanism, and decided that the lack of such a mechanism was too limiting. Without some method for validators to agree that a transaction set is unavailable, it is only safe to proceed with early nomination voting.
+
+## Protocol Upgrade Transition
+
+`STELLAR_VALUE_SKIP` values will become valid on the network at the protocol boundary. However, validators will not generate them unless they have enabled parallel transaction set downloading.  Parallel transaction set downloading will initially be disabled by default, and we would like to gradually enable it across the validator network.
+
+
+### Downstream Impact
+
+Downstream consumers of `StellarValue`s may require modification. Specifically, those that reason about `txSetHash` will need to handle the new `0x0` value, and those that reason about `ext` will need to handle the new `STELLAR_VALUE_SKIP` extension.
+
+To help determine if you depend on something that contains a `StellarValue`, transitive dependencies on `StellarValue` are as follows:
+```
+StellarValue
+    │
+    ├──► LedgerHeader.scpValue
+    │    │
+    │    └──► LedgerHeaderHistoryEntry.header
+    │         │
+    │         ├──► LedgerCloseMetaV0.ledgerHeader
+    │         ├──► LedgerCloseMetaV1.ledgerHeader
+    │         └──► LedgerCloseMetaV2.ledgerHeader
+    │              │
+    │              └──► LedgerCloseMeta (union)
+    │                   │
+    │                   └──► LedgerCloseMetaBatch.ledgerCloseMetas
+    │
+    └──► StoredDebugTransactionSet.scpValue
+```
+
+Downstream consumers of `StellarValue`s should treat skipped ledgers as empty ledgers.
+
+### Backwards Incompatibilities
+As detailed in the previous section, downstream consumers of `StellarValue`s may require modification.
+
+### Resource Utilization
+We expect this change to increase throughput on validators by expediting consensus. Simulation has shown this to be manageable. However, we will rollout the parallel downloading portion of this change slowly to ensure that real-world performance data matches simulation.
+
+## Security Concerns
+This CAP introduces a new method by which malicious validators could negatively impact the network. A malicious validator could introduce bad transaction set hashes, which then force the network to skip a ledger after some delay. However, this attack is mitigated by the following factors:
+
+* The attacker would have to win leader election to propose the bad value. This limits the frequency with which this attack can be pulled off.
+* By design, we include the original value that was skipped in the `STELLAR_VALUE_SKIP` struct, including the signature for the value. This enables node operators to easily determine which validators are misbehaving and remove them from their quorum sets.
+
+## Test Cases
+TBD
+
+## Implementation
+TBD
+
+[^1]: See the [SCP IETF draft](https://www.ietf.org/archive/id/draft-mazieres-dinrg-scp-05.txt) for a complete semantics of `c`