Skip to content

Network participant branch

Searcher Integration

This guide is for searchers that build on TOOL commitments created from OFP or external builder orderflow.

Value Proposition

Searchers can observe an allowed commitment view, build native TOOL bundles on top of source commitments, and compete to add value while TOOL enforces private-orderflow boundaries and callback safety. Callback-safe searcher bundles can be returned to the source; other valid bundles may still be useful for the native TOOL block path.

Searcher Position In The Architecture

Searchers participate inside the TOOL network. They are not source integrators on the same integration plane as OFPs or external builders. The source side submits private flow; TOOL turns valid source flow into commitments; searchers consume the allowed commitment view and submit native TOOL bundles back to TOOL.

flowchart TB
  subgraph SourceSide["External source side"]
    direction TB
    OFP["OFP"]
    Builder["External PBS builder"]
    SourceFlow["Private source orderflow"]
    OFP --> SourceFlow
    Builder --> SourceFlow
  end

  subgraph ToolNetwork["TOOL network"]
    direction TB
    subgraph ToolTEE["TOOL node TEE environment"]
      direction TB
      Intake["Source intake"]
      CommitmentFeed["Commitment feed<br/>policy-controlled view"]
      Validation["Simulation and validation"]
      Routing["Callback and native routing"]
      Intake -->|"create source commitment"| CommitmentFeed
      Validation -->|"accepted enriched commitment"| Routing
    end

    subgraph SearcherContext["Searcher context"]
      direction TB
      Strategy["Searcher / solver logic"]
      Bundle["Native TOOL bundle<br/>source commitments + searcher txs"]
      CommitmentFeed -->|"allowed commitment metadata"| Strategy
      Strategy -->|"construct opportunity"| Bundle
      Bundle -->|"tool_simulateBundle / tool_sendBundle"| Validation
    end
  end

  SourceFlow -->|"eth_sendBundle or source path"| Intake

  style SourceSide fill:#f8fafc,stroke:#64748b,stroke-width:2px
  style ToolNetwork fill:#edf7f5,stroke:#0f8b6f,stroke-width:2px
  style ToolTEE fill:#eef2ff,stroke:#315fbe,stroke-width:2px
  style SearcherContext fill:#fff7ed,stroke:#a56812,stroke-width:2px

Searcher Flow

sequenceDiagram
  autonumber
  participant Source as OFP / builder
  participant TOOL as TOOL
  participant Searcher as Searcher
  participant Callback as Source callback
  participant Native as TOOL block path

  Source->>TOOL: Submit source orderflow
  TOOL->>TOOL: Validate and create source commitment
  TOOL-->>Searcher: Commitment event or allowed view
  Searcher->>TOOL: tool_simulateBundle(native bundle)
  Searcher->>TOOL: tool_sendBundle(enriched bundle)
  TOOL->>TOOL: Validate enriched bundle
  alt same-origin callback-safe
    TOOL->>Callback: Return source txs + searcher txs
  else not callback-safe
    TOOL->>Native: Keep commitment inside TOOL block path
  end

Searcher API Workflow

Searcher integrations usually follow the same API sequence: observe the allowed commitment view, size the opportunity against the current block, simulate when latency allows, then submit before the relevant subslot deadline.

Step Surface
Observe commitments and timing events tool_subscribe
Check current block-building constraints tool_nextBlockParams
Evaluate a native bundle without propagation tool_simulateBundle
Submit a native bundle for validation and routing tool_sendBundle

The native bundle request uses the ToolBundle schema. A typical searcher bundle builds on a source commitment and adds the searcher's backrun or other signed transactions.

Commitment View

The commitment view is policy-controlled. Depending on deployment and access level, a commitment may expose block parent, block time, subslot and expiry metadata, gas and fee metrics, touched accounts or storage-access metadata, transaction hashes, or redacted execution metadata needed to determine whether a strategy can safely build on the commitment.

Raw signed transactions from another private source should not be assumed to be visible. Commitment metadata may be redacted or filtered when it would reveal private orderflow or strategy.

Callback Safety Rule

Searcher bundles may improve blocks internally even when they combine multiple source commitments. External callback exposure is stricter.

Case Callback behavior
Bundle builds on a single source commitment and directly extends that source May be returned to that source if policy allows it.
Bundle combines multiple private origins May be valid internally, but is not returned to a single external source in the initial callback model.
Bundle includes raw signed transactions from another origin Not sent to a different source.
Source callback policy does not allow return Kept inside the native TOOL path if otherwise valid.
flowchart TB
  subgraph SearcherContext["Searcher bundle validation"]
    direction TB
    Bundle["Searcher bundle"]
    Based{"Based on one private source?"}
    Direct{"Directly extends that source?"}
    Bundle -->|"inspect base commitments"| Based
    Based -->|"yes"| Direct
  end

  subgraph PolicyContext["TOOL routing policy"]
    direction TB
    Policy{"Source callback policy allows?"}
    Callback["Eligible for same-origin callback"]
    Internal["Native TOOL path only"]
    Direct -->|"yes"| Policy
    Based -->|"no"| Internal
    Direct -->|"no"| Internal
    Policy -->|"yes"| Callback
    Policy -->|"no"| Internal
  end

  style SearcherContext fill:#fff7ed,stroke:#a56812,stroke-width:2px
  style PolicyContext fill:#eef2ff,stroke:#315fbe,stroke-width:2px

Simulation and Submission Workflow

Subscribe

Use tool_subscribe commitments with filters that match the strategy's target accounts and timing needs.

Build

Create a native TOOL bundle that builds on the source commitment and adds the searcher's signed transactions.

Simulate

Call tool_simulateBundle when latency allows and use the result to avoid invalid or conflicting submissions.

Submit

Call tool_sendBundle before the relevant subslot or expiry deadline, then observe accepted subslots, next headers, or downstream inclusion signals.

Searchers should expect low-latency constraints. Bundle size, simulation cost, and request rate can affect whether a strategy lands before the active deadline.

Authentication and TEE Verification

Searcher authentication and access policy may vary by deployment. Searchers should expect TOOL API access to be authenticated before receiving commitment data or submitting bundles.

TEE verification is optional from the integrator's perspective unless a deployment requires it. Searchers that require end-to-end assurances can verify TOOL attestation or RA-TLS before consuming commitment data or sending strategy transactions.

Failure Modes

Failure mode Behavior
Commitment expires before submission The searcher bundle is stale and should be rejected or ignored.
Bundle references an unknown commitment Reject as invalid or unavailable.
Bundle references mixed-origin commitments May be valid internally, but should not be assumed callback-safe.
Searcher transaction conflicts with base commitment state Simulation or validation should fail.
Searcher submits after the subslot deadline Reject or miss inclusion for that subslot.
Commitment metadata is redacted Searcher must operate with the available view; raw private orderflow should not be assumed.
Simulation capacity is saturated Searcher may need to retry, submit without simulation, reduce request rate, or prioritize opportunities.