Function compute_state_root_from_delta 

pub fn compute_state_root_from_delta(
    additions: &[Coin],
    removals: &[Bytes32],
) -> Bytes32

Compute the crate::EMPTY_ROOT-anchored state-delta root for a block’s additions + removals (STV-007, SPEC §7.5.6).

Formula

• If additions AND removals are both empty: returns crate::EMPTY_ROOT.
• Else: SHA256(0x01 || sorted_addition_ids_concat || 0x02 || sorted_removal_ids_concat) where:
  • sorted_addition_ids = additions.iter().map(|c| c.coin_id()).sorted()
  • sorted_removal_ids = removals.iter().sorted()
  • 0x01 and 0x02 are domain separators borrowed from crate::HASH_LEAF_PREFIX / crate::HASH_TREE_PREFIX (HSH-007) so this value cannot be confused with other Merkle digests.

Sort-before-hash ensures determinism across insertion orders — proposer and validator agree even if their aggregation sequences differ.

Interim vs full sparse-Merkle state root

NORMATIVE STV-007 envisions a sparse-Merkle / Patricia-trie state computation reading from a parent state commitment exposed via crate::CoinLookup. dig_block does not yet require callers to expose get_state_tree(); this function provides a deterministic delta hash that satisfies the STV-007 acceptance criteria (match / mismatch / empty / ordering) for blocks whose parent state root is committed in header fields, letting producers and validators converge on the same header.state_root value. Adopters running a full state tree can shadow this function with their own root computation and keep the same header semantics.

Why a single SHA-256, not a Merkle tree

The delta is unordered sets of coin ids, not ordered leaves with membership proofs. A flat SHA-256 over sorted concatenation is enough for determinism + tamper detection at block-validation time. The header’s Merkle roots for additions / removals (HSH-004 / HSH-005) already give light clients membership proofs — state_root is a separate commitment covering the net state transition.