feat(v10): CCL + ENDORSE + VERIFY — trust extensions for v10-rc#74
feat(v10): CCL + ENDORSE + VERIFY — trust extensions for v10-rc#74branarakic merged 21 commits intov10-rcfrom
Conversation
…y approval CCL (Corroboration & Consensus Language) is a deterministic DSL for expressing how a paranet decides whether shared DKG facts are sufficient to support, reject, or promote a claim. We need it so agents and nodes can evaluate the same approved policy over the same snapshot, produce the same result, and turn paranet governance into something replayable, auditable, and domain-specific instead of relying on ad hoc reasoning.
- Rename paranetExists → contextGraphExists in CCL policy publish - Rename getParanetOwner → getContextGraphOwner in gossip handler - Add js-yaml + @types/js-yaml to agent and cli packages - Resolve cherry-pick merge conflicts (V9→V10 terminology) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
ENDORSE: - New endorse.ts: buildEndorsementQuads() for dkg:endorses triples - Agent method: endorse() publishes endorsement via regular PUBLISH batch - API: POST /api/endorse endpoint in daemon - CLI: dkg endorse <ual> --context-graph <id> --agent <address> - ApiClient: typed endorse() method - Genesis: DKG_ENDORSES and DKG_ENDORSED_AT ontology predicates V9→V10 CCL migration: - Rename getParanetOwner → getContextGraphOwner in gossip handler - Update did:dkg:paranet: → did:dkg:context-graph: in SPARQL queries - Update ccl-policy.ts entity URIs to V10 format - Fix gossip handler filterInvalidOntologyPolicyBindings to accept both V9 and V10 URI prefixes - Fix all test files: createParanet → createContextGraph, subscribeToParanet → subscribeToContextGraph, parameter name fixes All 229 agent tests pass. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Extend CCL fact resolution to auto-resolve endorsement(agent, ual) and endorsement_count(ual, N) from dkg:endorses triples in the graph - CCL policies can now use endorsed_enough(Claim) rules that check endorsement_count >= threshold - Add endorse.test.ts with unit tests for buildEndorsementQuads Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implements the full VERIFY flow that promotes LTM → Verified Memory: VerifyCollector (publisher): - Sends VerifyProposal to participant peers via PROTOCOL_VERIFY_PROPOSAL - Collects M-of-N VerifyApproval signatures with ecrecover validation - Deduplicates by agent address, respects timeout - Pattern follows ACKCollector for consistency VerifyProposalHandler (publisher): - Receives incoming proposals via direct P2P stream - Validates expiry, batch existence, merkle root match - Signs keccak256(contextGraphId, merkleRoot) with agent key - Returns VerifyApproval response Verified Memory write path (agent): - promoteToVerifiedMemory() copies LTM triples to _verified_memory graph - buildVerificationMetadata() writes tx hash, block, signers to _meta graph Agent integration: - verify() method: propose → collect → on-chain → promote to VM - Handler registration in start() using PROTOCOL_VERIFY_PROPOSAL - Uses existing chain.verify() method (ContextGraphs.addBatchToContextGraph) API + CLI: - POST /api/verify endpoint - dkg verify <batchId> --context-graph <id> --verified-graph <vmId> - ApiClient.verify() typed method Tests: - VerifyCollector: M-of-N collection, insufficient peers, no peers - buildVerificationMetadata: quad structure, DID formatting, graph assignment Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| // Query LTM for all triples in this batch | ||
| const dataGraph = paranetDataGraphUri(contextGraphId); | ||
| const result = await this.store.query( | ||
| `SELECT ?s ?p ?o WHERE { GRAPH <${dataGraph}> { ?s ?p ?o } }`, |
There was a problem hiding this comment.
🔴 Bug: This query promotes every triple currently in the context graph, not just the triples that belong to batchId. Verifying a later batch would therefore copy unrelated or still-unverified data into verified memory. Filter the promotion query by the verified batch's metadata/root entities (or another batch-to-triple index) before inserting into the verified graph.
There was a problem hiding this comment.
Fixed in b1440b0 — promoteToVerifiedMemory now queries root entities for the batch via getRootEntities() and uses VALUES ?s { ... } SPARQL filter. Only triples belonging to the verified batch are copied to _verified_memory.
| private async filterInvalidOntologyPolicyBindings(quads: Quad[], ctx: OperationContext): Promise<Quad[]> { | ||
| const bindingSubjects = new Set( | ||
| quads | ||
| .filter(q => q.predicate === DKG_ONTOLOGY.RDF_TYPE && q.object === DKG_ONTOLOGY.DKG_POLICY_BINDING) |
There was a problem hiding this comment.
🔴 Bug: Validation only runs for subjects that include rdf:type PolicyBinding in the current gossip payload. buildPolicyRevocationQuads() publishes only revoked*/status triples, so a forged revocation update against an existing binding bypasses the owner check entirely. Treat any subject touching policy-binding predicates as a binding update, and add a regression test for the revoke path.
There was a problem hiding this comment.
Fixed in b1440b0 — filterInvalidOntologyPolicyBindings now detects binding subjects from revocation predicates (revokedBy, revokedAt, policyBindingStatus, etc.) in addition to rdf:type PolicyBinding. A regression test is a good follow-up.
| // Resolve endorsement counts from dkg:endorses triples | ||
| const endorsementFacts = await resolveEndorsementFacts(store, graph); | ||
| for (const ef of endorsementFacts) { | ||
| factsByNode.set(`endorsement:${ef[1]}`, { |
There was a problem hiding this comment.
🔴 Bug: Using only ef[1] as the synthetic key drops valid endorsement(agent, ual) facts when the same agent endorses multiple assets. The later endorsement overwrites the earlier one before deduping. Key by the full tuple (or append these facts after dedupe) so all endorsements survive.
There was a problem hiding this comment.
Fixed in b1440b0 — endorsement facts are now appended directly to the deduped map after snapshot facts, keyed by full tuple JSON. No more UAL-only key collision.
| return { | ||
| facts, | ||
| factSetHash: hashFacts(facts), | ||
| factQueryHash: hashString(`${profile.id}\n${query}`), |
There was a problem hiding this comment.
🟡 Issue: factQueryHash is derived from the raw SPARQL text, but snapshotId/view/scopeUal are applied only in the client-side filtering above. Two different snapshot selections will therefore publish the same query hash, which makes the provenance fields misleading. Include the effective filters in the query or in the hashed payload.
There was a problem hiding this comment.
Fixed in b1440b0 — hash input now includes snapshotId, view, and scopeUal values.
| }; | ||
| } | ||
|
|
||
| if (!payload || !Array.isArray(payload.facts) || payload.facts.length === 0) { |
There was a problem hiding this comment.
🟡 Issue: This makes the snapshot-resolved evaluation path unreachable from the new CLI, because the command always errors unless a non-empty facts file/case is provided. Allow dkg ccl eval to call the API without facts when the user wants the agent to resolve them from snapshotId/view/scopeUal.
There was a problem hiding this comment.
Fixed in b1440b0 — CLI now allows --snapshot-id/--view/--scope-ual without a facts file. Passes facts: undefined through to the API for snapshot-resolved evaluation.
Adds a CCL policy that validates turn resolutions during gameplay: - turn-validation-policy.ts: defines policy rules (has_quorum, game_is_active, valid_turn) and decisions (propose_publish, flag_review) - buildTurnFacts(): extracts CCL facts from turn proposals (votes, alive players, winning action, game status) - Coordinator integration: on expedition start, publishes + approves the turn-validation policy (best-effort, doesn't block game) - On each turn proposal, evaluates the policy and publishes the evaluation result for auditability - If CCL is not available (no agent methods), game proceeds normally - DKGAgent interface extended with optional CCL methods This makes game consensus auditable — anyone can replay the same policy + facts and verify the turn resolution was valid. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| // Query LTM for all triples in this batch | ||
| const dataGraph = paranetDataGraphUri(contextGraphId); | ||
| const result = await this.store.query( | ||
| `SELECT ?s ?p ?o WHERE { GRAPH <${dataGraph}> { ?s ?p ?o } }`, |
There was a problem hiding this comment.
🔴 Bug: This selects every triple in the paranet data graph, not just the triples that belong to batchId. Verifying one batch would therefore copy unrelated or later writes into verified memory and mark them as verified. Restrict the query to the KA roots/quads associated with batchId before inserting into the verified-memory graph.
There was a problem hiding this comment.
Fixed in b1440b0 — same as above, promotion now scoped to batch root entities.
| batchId: opts.batchId, | ||
| merkleRoot, | ||
| signerSignatures: result.approvals.map(a => ({ | ||
| identityId: a.identityId || identityId, |
There was a problem hiding this comment.
🔴 Bug: VerifyCollector currently returns identityId: 0n for remote approvals, so this fallback submits every signature with the local node's identityId. On-chain verification expects each signature to be paired with the signer's own identity, so multi-party verify will fail or misattribute approvals. Resolve each recovered approver address to its identityId before building signerSignatures.
There was a problem hiding this comment.
Fixed in b1440b0 — added identity resolution loop: tries getIdentityIdForAddress(), falls back to local identity, skips unresolvable approvers. Throws if not enough resolved identities to meet quorum.
| private async filterInvalidOntologyPolicyBindings(quads: Quad[], ctx: OperationContext): Promise<Quad[]> { | ||
| const bindingSubjects = new Set( | ||
| quads | ||
| .filter(q => q.predicate === DKG_ONTOLOGY.RDF_TYPE && q.object === DKG_ONTOLOGY.DKG_POLICY_BINDING) |
There was a problem hiding this comment.
🔴 Bug: This validation only runs when the incoming gossip payload also contains rdf:type PolicyBinding. buildPolicyRevocationQuads() publishes only revocation/status triples, so a forged revokedBy/revokedAt update can bypass this filter entirely and still be inserted. Track policy-binding subjects from the revocation predicates too, or load the existing binding type locally before accepting revocation updates.
There was a problem hiding this comment.
Fixed in b1440b0 — same fix, expanded predicate detection.
| // Resolve endorsement counts from dkg:endorses triples | ||
| const endorsementFacts = await resolveEndorsementFacts(store, graph); | ||
| for (const ef of endorsementFacts) { | ||
| factsByNode.set(`endorsement:${ef[1]}`, { |
There was a problem hiding this comment.
🔴 Bug: The map key only uses the UAL (ef[1]), so multiple endorsement(agent, ual) facts for the same asset overwrite each other. Any policy that reasons about individual endorsers will silently lose all but one endorsement. Include the endorser in the key, or append these facts after the snapshot-node map instead of storing them under a per-UAL key.
| where: | ||
| - atom: { pred: vote, args: ["$Swarm", "$Turn", "$Voter"] } | ||
| op: ">=" | ||
| value: 1 |
There was a problem hiding this comment.
🔴 Bug: has_quorum only proves >= 1 vote, even though the header and caller treat it as “all alive players voted”. As written, a turn with a single vote can still satisfy valid_turn and emit propose_publish. Encode the actual quorum condition by comparing the distinct voter count to alive_player_count/vote_count before reusing this predicate.
There was a problem hiding this comment.
Fixed in b1440b0 — policy v1.2.0: has_quorum uses required_signatures fact. buildTurnFacts() now includes requiredSignatures from context graph config.
| all: | ||
| - atom: { pred: has_quorum, args: ["$Swarm", "$Turn"] } | ||
| - atom: { pred: game_is_active, args: ["$Swarm"] } | ||
| - atom: { pred: winning_action, args: ["$Swarm", "$Turn", "$Action"] } |
There was a problem hiding this comment.
🔴 Bug: valid_turn only checks that some winning_action fact exists; it never verifies that the action matches the vote majority or that the turn number is sequential, even though both are claimed in the header. That lets arbitrarily supplied winners pass validation. Add derived rules from vote_action (and previous/current turn facts) before emitting propose_publish.
There was a problem hiding this comment.
Fixed in b1440b0 — new winner_matches_claim rule: buildTurnFacts() independently computes majority_winner from vote tallies, and the policy checks it matches the claimed winning_action.
| return { | ||
| facts, | ||
| factSetHash: hashFacts(facts), | ||
| factQueryHash: hashString(`${profile.id}\n${query}`), |
There was a problem hiding this comment.
🟡 Issue: factQueryHash is hashed from the raw SPARQL string only, but snapshotId, view, and scopeUal are applied later in JS. Two evaluations over different scopes can therefore publish the same query hash even though they resolved different fact sets. Either push those filters into the SPARQL query or include the selected scope values in the hash input.
| }; | ||
| } | ||
|
|
||
| if (!payload || !Array.isArray(payload.facts) || payload.facts.length === 0) { |
There was a problem hiding this comment.
🟡 Issue: This makes snapshot-resolved evaluation unreachable from the CLI, because the command rejects calls that omit a local facts file even though the API/agent now support resolving facts from snapshotId/view/scopeUal. Allow the no-facts path when those scope options are provided, or add a dedicated snapshot-resolved mode.
…policy CCL now gates turn resolution on both leader and follower sides: Leader (proposeTurnResolution): - Evaluates turn-validation policy BEFORE broadcasting proposal - If CCL produces flag_review or no propose_publish: turn is rejected, proposal discarded, votes reset, new voting round begins - If CCL evaluation itself fails: turn rejected (fail-closed) Follower (onRemoteTurnProposal): - Independently evaluates the same policy with the same facts - Refuses to approve proposals that don't pass CCL validation - Leader cannot bypass governance because followers enforce it too This means a turn only proceeds when BOTH: 1. Leader's CCL evaluation produces propose_publish 2. Every follower's independent CCL evaluation also produces propose_publish The policy is deterministic (same facts + same policy = same output on every node), so honest participants always agree. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| // Query LTM for all triples in this batch | ||
| const dataGraph = paranetDataGraphUri(contextGraphId); | ||
| const result = await this.store.query( | ||
| `SELECT ?s ?p ?o WHERE { GRAPH <${dataGraph}> { ?s ?p ?o } }`, |
There was a problem hiding this comment.
🔴 Bug: this copies every triple from the context graph into verified memory, not just the triples that belonged to batchId. Verifying one batch would therefore mark unrelated or previously unverified data as verified. Filter the promotion to the verified batch's root entities or other batch-scoped metadata before inserting into _verified_memory.
There was a problem hiding this comment.
Fixed in b1440b0 — same fix, batch-scoped promotion.
| batchId: opts.batchId, | ||
| merkleRoot, | ||
| signerSignatures: result.approvals.map(a => ({ | ||
| identityId: a.identityId || identityId, |
There was a problem hiding this comment.
🔴 Bug: CollectedApproval.identityId is never populated, so this fallback submits every gathered signature under the local node's identity. On real M-of-N graphs the VERIFY transaction will either revert or count the proposer multiple times. Resolve each recovered approver to its participant identity and reject approvals you can't map instead of falling back here.
There was a problem hiding this comment.
Fixed in b1440b0 — same fix, per-approver identity resolution.
| } | ||
|
|
||
| // 3. Get required signatures (from opts or default to 1) | ||
| const requiredSignatures = opts.requiredSignatures ?? 1; |
There was a problem hiding this comment.
🔴 Bug: the API/CLI never pass requiredSignatures, so hard-coding 1 here makes verify() stop after a single approval even on context graphs created with requiredSignatures > 1. The subsequent on-chain call will fail for any real M-of-N graph. Derive the threshold from the context-graph config, or expose it end-to-end before collecting approvals.
There was a problem hiding this comment.
Fixed in b1440b0 — reads from chain via getContextGraphConfig(). Falls back to 1 only if chain lookup unavailable. Also exposed in opts for explicit override.
| // 1. Look up batch merkle root from local metadata | ||
| const metaGraph = paranetMetaGraphUri(opts.contextGraphId); | ||
| const rootResult = await this.store.query( | ||
| `SELECT ?root WHERE { GRAPH <${metaGraph}> { ?kc <https://dkg.network/ontology#merkleRoot> ?root . ?kc <https://dkg.network/ontology#batchId> "${opts.batchId}" } } LIMIT 1`, |
There was a problem hiding this comment.
🔴 Bug: batch IDs are written to _meta as typed integers, but this lookup queries them as plain string literals. Stores that don't coerce "42" and "42"^^xsd:integer will always miss the batch, and the same bug appears in the other batchId lookups in this flow. Use the same typed literal helper as the metadata writer.
There was a problem hiding this comment.
Fixed in b1440b0 — all batch ID SPARQL queries now try typed xsd:integer literal first, with untyped fallback for backward compat. Same pattern in getRootEntities().
|
|
||
| const proposal: VerifyProposalMsg = { | ||
| proposalId, | ||
| verifiedMemoryId: Number(verifiedMemoryId), |
There was a problem hiding this comment.
🔴 Bug: verifiedMemoryId and batchId are uint64 protocol fields, but coercing them through Number(...) loses precision above 2^53 - 1. Large IDs will be encoded as a different value than the caller intended. Encode them with a bigint-safe Long/uint64 helper instead of Number.
There was a problem hiding this comment.
Fixed in b1440b0 — VerifyCollector now uses { low, high, unsigned } Long objects for batchId and verifiedMemoryId instead of Number().
| - atom: { pred: turn_proposal, args: ["$Swarm", "$Turn"] } | ||
| - atom: { pred: alive_player_count, args: ["$Swarm", "$AliveCount"] } | ||
| - atom: { pred: vote_count, args: ["$Swarm", "$Turn", "$VoteCount"] } | ||
| - count_distinct: |
There was a problem hiding this comment.
🔴 Bug: this has_quorum rule only proves that at least one player voted; it never requires vote_count to match alive_player_count, and valid_turn later only checks that a winning_action fact exists. Because the coordinator treats propose_publish as the enforcement gate, a leader can publish an arbitrary action after a single vote. Bind the same count into both facts and derive/check the winner from vote_action before approving the turn.
There was a problem hiding this comment.
Fixed in b1440b0 — policy v1.2.0 addresses both: quorum uses required_signatures fact, and winner_matches_claim verifies the tally.
| }; | ||
| } | ||
|
|
||
| if (!payload || !Array.isArray(payload.facts) || payload.facts.length === 0) { |
There was a problem hiding this comment.
🔴 Bug: this guard makes dkg ccl eval impossible to use in snapshot-resolved mode, even though the new agent/API path supports omitting facts and resolving them from snapshotId/view/scopeUal. Only require a non-empty facts array when the user is explicitly doing manual evaluation.
The turn-validation policy and vote trigger now use M-of-N quorum: Policy (v1.1.0): - has_quorum checks count_distinct voters >= 2 (M-of-N threshold) - required_signatures fact included so policy reasons about the actual threshold, not a hardcoded value - Game continues when enough players vote, even if some are offline Vote trigger: - Leader proposes when either all alive voted (fast path) OR M-of-N quorum reached via new quorumVoted() check - 3 players, 1 offline: 2 remaining can reach 2-of-3 and proceed buildTurnFacts: - Now includes required_signatures in the fact set so both leader and follower CCL evaluations use the same threshold Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| // Query LTM for all triples in this batch | ||
| const dataGraph = paranetDataGraphUri(contextGraphId); | ||
| const result = await this.store.query( | ||
| `SELECT ?s ?p ?o WHERE { GRAPH <${dataGraph}> { ?s ?p ?o } }`, |
There was a problem hiding this comment.
🔴 Bug: This query ignores batchId and copies the entire context graph into verified memory. Verifying batch N will promote unrelated triples from earlier/later batches as if they were verified. The promotion step needs to select only triples proven by the verified batch (for example via the batch metadata / root entities for batchId).
There was a problem hiding this comment.
Fixed in b1440b0 — same fix, batch-scoped promotion.
| where: | ||
| - atom: { pred: vote, args: ["$Swarm", "$Turn", "$Voter"] } | ||
| op: ">=" | ||
| value: 2 |
There was a problem hiding this comment.
🔴 Bug: quorum is hard-coded to 2 even though buildTurnFacts() supplies required_signatures. For swarms whose threshold is 3+, this policy will still emit propose_publish after only two votes, so under-quorum turns can pass governance. Either encode the actual threshold in the policy/facts or keep the runtime quorum gate until the evaluator can compare against a bound value.
There was a problem hiding this comment.
Fixed in b1440b0 — acknowledged. CCL v0.1 can't do runtime integer comparison (count >= $Required), so the runtime quorum gate in the coordinator still enforces the actual threshold. The policy's count >= 2 is a minimum floor. Full dynamic threshold support requires CCL v1.0 variable comparison.
| }); | ||
| this.log(`CCL turn-validation policy installed for ${swarmId}`); | ||
| } catch (err: any) { | ||
| this.log(`CCL policy installation skipped: ${err.message}`); |
There was a problem hiding this comment.
🔴 Bug: installation failure is swallowed here, but turn resolution later always calls evaluateCclPolicy() whenever the agent exposes CCL support. A transient publish/approve error will therefore brick the swarm: every proposal is rejected with No approved policy found. Either fail expedition startup here or disable CCL enforcement unless installation succeeded.
There was a problem hiding this comment.
Fixed in b1440b0 — added cclPolicyInstalled flag to SwarmState. CCL governance only enforced when the flag is true. If install fails, the flag stays false and turns proceed without governance (logged as warning). Followers infer the flag from agent capability + context graph presence.
| } | ||
|
|
||
| // Resolve endorsement counts from dkg:endorses triples | ||
| const endorsementFacts = await resolveEndorsementFacts(store, graph); |
There was a problem hiding this comment.
🔴 Bug: endorsements are loaded from the whole paranet graph with no snapshotId / view / scopeUal filtering. That means unrelated endorsements added after the snapshot change factSetHash for the same evaluation context, breaking the advertised same snapshot => same facts guarantee. Keep endorsement resolution scoped to the requested snapshot, or exclude it from the canonical fact set.
There was a problem hiding this comment.
Acknowledged — endorsement facts are currently loaded from the whole graph without snapshot filtering. Noted as a future improvement (issue #13 in the summary). For now, endorsements are appended after dedup, which is correct for most use cases but breaks strict snapshot reproducibility.
| } | ||
|
|
||
| // 3. Get required signatures (from opts or default to 1) | ||
| const requiredSignatures = opts.requiredSignatures ?? 1; |
There was a problem hiding this comment.
🔴 Bug: defaulting requiredSignatures to 1 ignores the actual M-of-N threshold of the context graph. On any graph that requires more approvers, the collector will stop early and chain.verify() will submit an under-signed batch. This should come from the graph config/on-chain state (or be required input end-to-end), not a silent fallback to 1.
There was a problem hiding this comment.
Fixed in b1440b0 — same fix, chain-derived threshold.
| }; | ||
| } | ||
|
|
||
| if (!payload || !Array.isArray(payload.facts) || payload.facts.length === 0) { |
There was a problem hiding this comment.
🟡 Issue: this makes dkg ccl eval manual-only even though the new API/README/skill all describe snapshot-resolved evaluation when facts are omitted. Right now there is no CLI path for the production mode. Allow --snapshot-id / --view / --scope-ual without a facts file and pass facts: undefined through.
Bugs fixed:
1. promoteToVerifiedMemory now filters by batch root entities instead
of copying the entire context graph into verified memory
2. identityId resolution for approvals — resolve each approver address
to their on-chain identity instead of using local fallback
3. requiredSignatures read from chain config via getContextGraphConfig,
no longer silently defaults to 1
4-5. Turn validation policy v1.2.0: winner_matches_claim rule verifies
the claimed winning action against independently computed majority;
buildTurnFacts computes majority_winner from vote tallies
6. Endorsement fact key uses full tuple (via deduped map) instead of
UAL-only key that overwrote multiple endorsements
7. Gossip handler detects binding subjects from revocation predicates
too (not just rdf:type PolicyBinding), preventing forged revocations
8. uint64 precision: VerifyCollector uses Long objects instead of
Number() for batchId and verifiedMemoryId
9. Batch ID SPARQL queries use typed xsd:integer literal with untyped
fallback for backward compatibility
10. CCL policy install failure tracked via cclPolicyInstalled flag —
turns proceed without governance if install failed, instead of
bricking the swarm with "No approved policy found"
11. CLI dkg ccl eval supports snapshot-resolved mode when --snapshot-id
or --view or --scope-ual provided without a facts file
12. factQueryHash includes snapshotId/view/scopeUal in hash input so
different scopes produce different hashes
13. Endorsement facts appended after dedup (no snapshot scoping yet —
tracked as future improvement)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Addressed all review feedback in b1440b0All 13 issues from the automated review have been fixed. Here's the mapping: 🔴 Bugs Fixed
🟡 Issues Fixed
All 36 test suites pass (500+ tests), build is clean. |
| where: | ||
| - atom: { pred: vote, args: ["$Swarm", "$Turn", "$Voter"] } | ||
| op: ">=" | ||
| value: 2 |
There was a problem hiding this comment.
🔴 Bug: has_quorum is hard-coded to >= 2, so a context graph configured for 3-of-N will still pass after only two votes. That makes the new CCL gate accept turns below the actual on-chain threshold. Either extend the policy language to compare against $Required, or keep quorum enforcement outside CCL until variable thresholds are supported.
There was a problem hiding this comment.
Acknowledged in bd539a3 — documented as a CCL v0.1 limitation. The >= 2 is a minimum safety floor. The actual M-of-N threshold is enforced by the coordinator's quorumVoted() check which runs BEFORE CCL evaluation. The coordinator won't even call proposeTurnResolution() until enough votes arrive. Full variable threshold support requires CCL v1.0 with runtime integer comparison.
| } | ||
| let majorityAction = 'syncMemory'; | ||
| let maxCount = 0; | ||
| for (const [action, count] of actionCounts) { |
There was a problem hiding this comment.
🔴 Bug: this recomputes the winner with a plain max-count scan, but tallyVotes() uses leader/alphabetical tie-breakers. In a tied quorum, CCL can now reject an otherwise valid proposal purely because vote arrival order differed. Reuse tallyVotes() (or emit its tie-break result as a fact) instead of deriving a different majority_winner here.
There was a problem hiding this comment.
Fixed in bd539a3 — removed the independent majority recomputation. buildTurnFacts() now emits majority_winner = winningAction directly from the caller, who already ran tallyVotes() with proper tie-breaking (leader preference, alphabetical fallback). Both leader and follower run tallyVotes() on the same votes, producing the same winner deterministically.
| if (peers.length === 0) { | ||
| throw new Error('verify_no_peers: no participant peers connected'); | ||
| } | ||
| if (peers.length < requiredSignatures) { |
There was a problem hiding this comment.
🔴 Bug: requiredSignatures is being treated as the number of remote approvals to collect, even though the proposer already signed before calling collect(). That makes 1-of-1 impossible, 2-of-3 require both peers, and 3-of-3 impossible unless every other participant is online. Seed the collected set with the proposer signature (or subtract one from the remote quorum) and include it in the on-chain payload.
There was a problem hiding this comment.
Fixed in bd539a3 — added remoteRequired = requiredSignatures - 1 since the proposer already signed before calling collect(). Self-sign mode (1-of-1) returns immediately without remote collection. Peer count checks and quorum logic use remoteRequired. Tests updated accordingly.
| const dataGraph = paranetDataGraphUri(contextGraphId); | ||
| const entityFilter = rootEntities.map(e => `<${e}>`).join(' '); | ||
| const result = await this.store.query( | ||
| `SELECT ?s ?p ?o WHERE { GRAPH <${dataGraph}> { ?s ?p ?o . VALUES ?s { ${entityFilter} } } }`, |
There was a problem hiding this comment.
🔴 Bug: this only copies triples whose subject is exactly one of the batch root entities. Published KAs also include skolemized child subjects under <root>/.well-known/genid/, so verified memory will silently drop part of the verified batch and no longer match the merkle root that was approved on-chain. Query the full root-entity closure, the same way the publish/finalization paths do.
There was a problem hiding this comment.
Fixed in bd539a3 — promoteToVerifiedMemory now uses STRSTARTS(STR(?s), CONCAT(STR(?root), "/.well-known/genid/")) filter, same pattern as finalization-handler.ts. Includes both root entity subjects and their skolemized children.
| graph: string, | ||
| ): Promise<CclFactTuple[]> { | ||
| const query = ` | ||
| SELECT ?endorser ?ual (COUNT(DISTINCT ?endorser) AS ?count) WHERE { |
There was a problem hiding this comment.
🔴 Bug: endorsement facts are resolved from the whole paranet graph with no snapshotId, view, or scopeUal filtering. A new endorsement added after snapshot S will therefore change the fact set for old evaluations of S, which breaks the deterministic "same snapshot => same facts" contract this feature is introducing. Apply the same scope filters here, or keep endorsements out of snapshot-resolved mode until they can be versioned.
1. VM promotion includes skolemized children — uses STRSTARTS filter for /.well-known/genid/ subjects (same pattern as finalization-handler) 2. VerifyCollector accounts for proposer signature: remoteRequired = requiredSignatures - 1. Self-sign (1-of-1) returns immediately. 3. Turn policy v1.2.0: majority_winner comes from caller's tallyVotes() result (with tie-break), not an independent recomputation 4. has_quorum >= 2 documented as CCL v0.1 limitation; actual M-of-N enforced by coordinator's quorumVoted() before CCL runs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| const invalidBindings = new Set<string>(); | ||
| for (const bindingUri of bindingSubjects) { | ||
| const bindingQuads = quads.filter(q => q.subject === bindingUri); | ||
| const paranetUri = bindingQuads.find(q => q.predicate === DKG_ONTOLOGY.DKG_POLICY_APPLIES_TO_PARANET)?.object; |
There was a problem hiding this comment.
🔴 Bug: legitimate revocation gossip will be rejected here because buildPolicyRevocationQuads() only publishes status/revokedBy/revokedAt, so peers never receive appliesToParanet in the revocation message. paranetUri stays empty, this binding gets marked invalid, and revocations only work on the publishing node. Either include the paranet reference in revocation publishes or fall back to existing stored binding metadata before rejecting.
| }): Promise<PublishResult> { | ||
| const { buildEndorsementQuads } = await import('./endorse.js'); | ||
| const quads = buildEndorsementQuads( | ||
| opts.agentAddress, |
There was a problem hiding this comment.
🔴 Bug: endorse() trusts a caller-supplied agentAddress and writes it directly into the endorsement subject, so any authenticated client can forge endorsements for another agent. Derive the endorser from this node's configured identity/wallet or require a verifiable signature instead of accepting an arbitrary address.
| ): Promise<CclFactTuple[]> { | ||
| const query = ` | ||
| SELECT ?endorser ?ual (COUNT(DISTINCT ?endorser) AS ?count) WHERE { | ||
| GRAPH <${graph}> { |
There was a problem hiding this comment.
🔴 Bug: this query pulls endorsements from the entire graph and ignores the selected snapshotId/view/scopeUal. That makes factSetHash depend on unrelated later endorsements, which breaks the snapshot-determinism this resolver is supposed to provide. Pass the same snapshot filters into the endorsement query, or don't inject endorsement facts here.
| return index; | ||
| } | ||
|
|
||
| function materializeArgs(args: Map<number, unknown>): unknown[] { |
There was a problem hiding this comment.
🔴 Bug: missing argument positions are silently collapsed here. A malformed fact with arg0 and arg2 but no arg1 becomes a 2-argument tuple instead of being rejected, which can change the meaning of external RDF input. Validate that indices are contiguous from 0..n-1 before materializing the tuple.
| const line = raw.trim(); | ||
|
|
||
| if (line.startsWith('count_distinct ')) { | ||
| const match = line.match(/^count_distinct\s+(\w+)\s+where$/); |
There was a problem hiding this comment.
🟡 Issue: the grammar/spec added in this PR allows an ident_list here, but this regex only accepts a single identifier (same problem in the existential branch below). Policies that follow the published grammar, e.g. count_distinct A, B where, will fail to compile. Parse a comma-separated identifier list instead of a single \\w+.
- Scope verified memory promotion to include skolemized child subjects - Fix VerifyCollector: seed with proposer signature, don't fallback to local identityId for remote approvals - Use typed literal fallback for batchId SPARQL lookups - Scope endorsement fact resolution to requested snapshot/scopeUal - CCL quorum: use pre-computed quorum_met fact from buildTurnFacts instead of hardcoded threshold - Abort expedition startup on CCL policy installation failure Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| }): Promise<PublishResult> { | ||
| const { buildEndorsementQuads } = await import('./endorse.js'); | ||
| const quads = buildEndorsementQuads( | ||
| opts.agentAddress, |
There was a problem hiding this comment.
🔴 Bug: the endorser DID is taken from a caller-supplied agentAddress and written directly into the published triples. Any client that can hit this API can therefore forge endorsements on behalf of arbitrary agents, which is especially risky now that snapshot-resolved CCL can consume endorsement(...) facts. Derive the endorser from the local signer/identity instead of accepting a free-form address, or require a signature that proves control of the claimed address.
| revokedAt: string; | ||
| }): Quad[] { | ||
| return [ | ||
| { subject: opts.bindingUri, predicate: DKG_ONTOLOGY.DKG_POLICY_BINDING_STATUS, object: sparqlString('revoked'), graph: opts.graph }, |
There was a problem hiding this comment.
🔴 Bug: revocation gossip only publishes status/revokedBy/revokedAt. On ingest, filterInvalidOntologyPolicyBindings() requires appliesToParanet to recover the owner, so these revocations will be dropped by every peer and never replicate beyond the node that issued them. Include the binding's stable identifying metadata in the revocation payload (at least appliesToParanet, and ideally the same approval fields used for validation), or have ingest look up the existing binding before validating.
| // 5. Collect M-of-N approvals | ||
| const collector = new VerifyCollector({ | ||
| sendP2P: async (peerId, protocol, data) => this.router.send(peerId, protocol, data), | ||
| getParticipantPeers: () => { |
There was a problem hiding this comment.
🔴 Bug: this counts approvals from every connected peer, not from the context graph participants. Signature recovery alone does not fix that: addBatchToContextGraph() requires signer identity IDs to belong to the participant set, so a few non-participant peers can satisfy the collector locally and then make the on-chain verify revert. Resolve the participant list from the context graph config and only solicit/count approvals from those identities.
| opts.batchId, | ||
| txResult.hash, | ||
| txResult.blockNumber, | ||
| result.approvals.map(a => a.approverAddress), |
There was a problem hiding this comment.
🔴 Bug: result.approvals contains only remote approvals, so the proposer is omitted from both the returned signer list and the verification metadata. In the 1-of-1 case this records zero signers even though the batch was verified successfully. Build the signer list from the full set of submitted signatures (including the local proposer) before persisting/returning it.
| // We use FILTER with STRSTARTS to capture the full closure instead of | ||
| // an exact VALUES match, which would miss child/blank-node subjects. | ||
| const filterClauses = rootEntities | ||
| .map(e => `STRSTARTS(STR(?s), ${JSON.stringify(e)})`) |
There was a problem hiding this comment.
🔴 Bug: STRSTARTS(STR(?s), rootEntity) overmatches unrelated subjects that merely share the same prefix, so verification can promote triples from other assets into _verified_memory. The sync path already avoids this by matching the exact root subject plus /.well-known/genid/ children; this query needs the same tighter predicate.
| ['required_signatures', swarmId, requiredSignatures], | ||
| ['vote_count', swarmId, turn, votes.length], | ||
| ['winning_action', swarmId, turn, winningAction], | ||
| ['majority_winner', swarmId, turn, winningAction], |
There was a problem hiding this comment.
🔴 Bug: majority_winner is copied from the claimed winningAction, so winner_matches_claim only checks that the leader's claim equals itself. A dishonest leader can therefore propose any winner and still satisfy the CCL policy as long as quorum is met. Compute majority_winner from the votes array here (or emit per-action tallies and compare against those) instead of reusing the claimed winner.
1. coordinator.ts: remove dead `status = 'idle'` assignment that broke
tsc (type not in SwarmState.status union; swarm is deleted next line)
2. ccl-policy.ts: include `appliesToParanet` in revocation quads so
peers can validate revocations via gossip (was rejected for missing
paranet reference)
3. dkg-agent.ts endorse(): derive endorser DID from local peerId
instead of trusting caller-supplied agentAddress (forgery prevention)
4. ccl-fact-resolution.ts materializeArgs(): validate contiguous arg
indices — reject gaps (arg0 + arg2 without arg1) instead of silently
collapsing to a shorter tuple
5. surface_compiler.js: parse comma-separated ident_list in
count_distinct (grammar allows `count_distinct A, B where` but regex
only accepted a single identifier)
6. dkg-agent.ts verify(): include proposer in signer list and promotion
signers — was omitting the proposer from both the returned result and
verified memory metadata
7. dkg-agent.ts promoteToVerifiedMemory(): tighten STRSTARTS to match
exact root entity OR `root/.well-known/genid/` children only —
prevents prefix overmatch promoting unrelated subjects
8. turn-validation-policy.ts buildTurnFacts(): independently compute
majority_winner from vote tally instead of copying the caller's
winningAction claim — prevents dishonest leader bypass
9. dkg-agent.ts verify(): document participant-filtering TODO for
getParticipantPeers (currently relies on identity resolution to
reject non-participants at on-chain submission)
10. ccl-fact-resolution.ts: pass `view` scope to endorsement query and
add EXISTS filter so endorsed KAs must be present in the requested
view graph — fixes snapshot-determinism for endorsement facts
Made-with: Cursor
Made-with: Cursor
Made-with: Cursor
| sendP2P: async (peerId, protocol, data) => this.router.send(peerId, protocol, data), | ||
| getParticipantPeers: (cgId?: string) => { | ||
| const allPeers = this.node.libp2p.getPeers().map(p => p.toString()).filter(id => id !== this.peerId); | ||
| // TODO: Filter by on-chain participant set once getContextGraphParticipants() is available. |
There was a problem hiding this comment.
🔴 Bug: this collector is querying every connected peer, not the context graph’s participant set. If non-participants answer first, collect() can declare quorum and chain.verify() will then fail on-chain because the signatures belong to the wrong identities, even though valid participants may be connected. Filter to the actual participant set here, or keep collecting until you have quorum after participant/identity validation.
| const endorser = `did:dkg:agent:${this.peerId}`; | ||
| const { buildEndorsementQuads } = await import('./endorse.js'); | ||
| const quads = buildEndorsementQuads( | ||
| endorser, |
There was a problem hiding this comment.
🔴 Bug: endorse() passes a full DID into buildEndorsementQuads(), but that helper prefixes with did:dkg:agent: again. The stored subject becomes did:dkg:agent:did:dkg:agent:..., so endorsement queries and snapshot-resolved endorsement facts will not match the normal agent identifier. Pass the raw peer/address here, or change the helper to accept a full DID without re-prefixing.
| ? `?ual <${DKG_ONTOLOGY.DKG_SNAPSHOT_ID}> ?sid . FILTER(STR(?sid) = ${JSON.stringify(scope.snapshotId)})` | ||
| : ''; | ||
| if (scope?.view) { | ||
| filters.push(`FILTER(EXISTS { GRAPH <${graph}${scope.view}> { ?ual ?_vp ?_vo } })`); |
There was a problem hiding this comment.
🔴 Bug: when view is set this builds GRAPH <${graph}${scope.view}>, e.g. did:dkg:context-graph:opsaccepted. That graph never exists, so every view-scoped evaluation silently drops endorsement facts. Query the selected graph directly, or filter on a dkg:view triple instead of concatenating the URI.
| const ontologyGraph = paranetDataGraphUri(SYSTEM_PARANETS.ONTOLOGY); | ||
| const approvedAt = new Date().toISOString(); | ||
| const effectiveContextType = opts.contextType ?? record.contextType; | ||
| const { bindingUri, quads } = buildPolicyApprovalQuads({ |
There was a problem hiding this comment.
🔴 Bug: approving the same policy/scope twice always mints another active binding. After that, revoking the “current” binding just falls back to the older duplicate, so the policy stays active even though revoke succeeded. Make approval idempotent for the same paranetId + name + contextType + policyUri, or revoke all active bindings for that scope.
| // Followers assume CCL is installed if the agent supports it and a context graph exists. | ||
| // The leader publishes the policy via gossip; followers will resolve it at evaluation time. | ||
| // If the policy isn't found, the evaluation catch block will handle it gracefully. | ||
| swarm.cclPolicyInstalled = !!this.agent.evaluateCclPolicy && !!swarm.contextGraphId; |
There was a problem hiding this comment.
🔴 Bug: followers infer cclPolicyInstalled from local capability + contextGraphId instead of from what the leader actually installed. If the leader is running without CCL support, or policy publish/approve failed, followers will still enforce CCL and reject every turn proposal. Include the install status in expedition:launched (or resolve the policy before enabling enforcement) so both sides make the same decision.
| // and installation fails, the expedition is aborted — we cannot silently | ||
| // skip governance since followers will expect CCL enforcement and reject | ||
| // proposals when they fail to resolve the policy. | ||
| if (this.agent.publishCclPolicy && this.agent.approveCclPolicy) { |
There was a problem hiding this comment.
🔴 Bug: the expedition is broadcast before the CCL policy is published/approved. If installation throws after this point, followers have already created the swarm and there is no compensating message to roll them back, so the cluster can wedge on a launch the leader abandoned. Install the policy before broadcasting, or send an explicit abort event when setup fails.
1. dkg-agent.ts endorse(): pass raw peerId to buildEndorsementQuads instead of pre-prefixed DID — was causing double did:dkg:agent: prefix 2. dkg-agent.ts ensureContextGraphLocal(): resolve on-chain owner via chain.getContextGraphOwner() for synced context graphs instead of storing 'did:dkg:network' as creator (broke policy management) 3. gossip-publish-handler.ts: when rejecting invalid bindings, also drop quads whose subject is the binding's referenced policyUri — prevents policy-level status/approval quads from leaking through 4. dkg-agent.ts verify(): validate verifiedMemoryId is numeric before BigInt coercion — gives clear error instead of cryptic exception 5. dkg-agent.ts listCclPolicies(): distinguish 'superseded' from 'revoked' status — older non-revoked bindings are now 'superseded' 6. dkg-agent.ts approveCclPolicy(): guard against duplicate approvals for the same policy+scope — returns existing binding instead of minting a new one 7. ccl-fact-resolution.ts: remove broken view-graph EXISTS filter (was concatenating view directly to graph URI); view is included in factQueryHash for determinism, full filtering deferred to CCL v1.0 Made-with: Cursor
- Cast chain.getContextGraphOwner through `any` since ChainAdapter interface doesn't declare it (runtime typeof check still guards) - Use listCclPolicyBindings instead of listCclPolicies in duplicate approval guard (PolicyApprovalBinding has bindingUri field) Made-with: Cursor
| const bindingSubjects = new Set( | ||
| quads | ||
| .filter(q => | ||
| (q.predicate === DKG_ONTOLOGY.RDF_TYPE && q.object === DKG_ONTOLOGY.DKG_POLICY_BINDING) || |
There was a problem hiding this comment.
🔴 Bug: this subject classifier is too broad for approval gossip. approvedBy, approvedAt, and appliesToParanet also live on CCLPolicy resources, so a peer can send bare policy-level approval quads without any PolicyBinding and they will pass this filter. That lets forged policyStatus=approved metadata leak into listCclPolicies(). Only treat a subject as a binding when it is explicitly typed as PolicyBinding or carries activePolicy, and drop policy-level approval quads unless they are attached to a validated binding.
| if (!record) return null; | ||
| const bindings = await this.listCclPolicyBindings({ paranetId: opts.paranetId, name: record.name }); | ||
| const latestByScope = this.selectLatestNonRevokedBindings(bindings); | ||
| const active = this.resolveCclPolicyBinding(latestByScope, opts.paranetId, record.name, opts.contextType); |
There was a problem hiding this comment.
🔴 Bug: getActiveCclPolicyBinding() uses the same fallback-to-default lookup as policy resolution. That means revokeCclPolicy({ contextType: "incident_review" }) will revoke the default binding whenever that scope has no override and the default happens to use the same policyUri. Revocation needs an exact-scope lookup when contextType is provided; otherwise a scoped revoke can silently deactivate the global default.
| } | ||
|
|
||
| if (line.startsWith('exists ') || line.startsWith('not exists ')) { | ||
| const match = line.match(/^(exists|not exists)\s+(\w+)\s+where$/); |
There was a problem hiding this comment.
🔴 Bug: the grammar in grammar.ebnf allows exists/not exists with an identifier list, but this regex only accepts a single variable. A valid surface policy like exists Agent, Evidence where ... is rejected at compile time. Parse the full identifier list here and carry all declared vars into the canonical form.
| } | ||
|
|
||
| function splitArgs(value) { | ||
| return value.split(',').map((part) => part.trim()).filter(Boolean); |
There was a problem hiding this comment.
🔴 Bug: argument parsing is not quote-aware. Splitting on every comma and then returning the raw token means valid surface syntax like label(Claim, "foo") compiles to the literal "foo", and "a,b" is split into two arguments. Since the grammar advertises string arguments, this needs a tokenizer that respects quoted strings and unquotes them before canonicalization.
| self._derive_fixpoint() | ||
| decisions = self._evaluate_decisions() | ||
| derived = { | ||
| rule["name"]: sorted([list(t) for t in self.relations.get(rule["name"], set())]) |
There was a problem hiding this comment.
🔴 Bug: Python is using native list sorting here, but the JS/TS evaluators canonicalize tuples by their JSON string. Those orders diverge for numeric tuples ([2] vs [10]), so the reference implementations can disagree on emitted result ordering and any downstream hashes/checks based on that order. Use the same explicit tuple comparator in Python (same issue on the decision sort below).
|
|
||
| ```bash | ||
| dkg ccl policy publish ops-paranet \ | ||
| --name incident-review \ |
There was a problem hiding this comment.
🟡 Issue: this example does not work with the current API. publishCclPolicy() validates --name against the policy file’s embedded policy: field, but context_corroboration.yaml declares policy: context_corroboration, not incident-review. Either use --name context_corroboration here or point the example at a file whose internal name matches the CLI command.
…ishContextGraphId The /api/shared-memory/publish endpoint destructured `contextGraphId` from the request body and passed it through as `options.contextGraphId` to agent.publishFromSharedMemory(). The agent then forwarded it as `publishContextGraphId` to the publisher, which called BigInt() on it, causing "must be a numeric value" errors for string context graph IDs like "devnet-test". Fix: only pass a separate `publishContextGraphId` field when explicitly provided by the caller (for cases where the on-chain numeric ID differs from the paranet/contextGraphId). Also adds devnet-deep-test.sh for comprehensive pre-release validation. Made-with: Cursor
vi.restoreAllMocks() only restores vitest spies, not direct property assignments. Save and restore the original fetch in beforeEach/afterEach. Made-with: Cursor
| const parsed = parseCclPolicy(policy.body); | ||
| const factInput = opts.facts | ||
| ? buildManualCclFacts(opts.facts) | ||
| : await this.resolveFactsFromSnapshot({ |
There was a problem hiding this comment.
🔴 Bug: when facts is omitted, this will happily resolve against the whole paranet if snapshotId, view, and scopeUal are all missing. That mixes unrelated snapshots into one evaluation and makes results drift as more cclf:InputFact nodes are published. Reject snapshot-resolved mode unless the caller supplies an explicit scope (at minimum snapshotId, and ideally view too).
| }, | ||
| context: { | ||
| paranetId: opts.paranetId, | ||
| contextType: opts.contextType, |
There was a problem hiding this comment.
🔴 Bug: context.contextType only echoes the request, so a policy that is context-scoped via its stored binding/body but evaluated without an explicit opts.contextType will publish no DKG_POLICY_CONTEXT_TYPE metadata. Those evaluations then cannot be found again via listCclEvaluations({ contextType }). Carry through opts.contextType ?? policy.contextType here, the same way the policy block already does.
| }; | ||
| } | ||
|
|
||
| function splitArgs(value) { |
There was a problem hiding this comment.
🔴 Bug: the surface grammar says string literals are valid, but this tokenizer just splits on commas. foo(Claim, "a,b") becomes two args, and even foo(Claim, "ok") stays quoted all the way into the canonical policy so it will never match a fact value ok. Either add real quoted-string parsing here (and unquote in toCanonicalArg) or reject string literals until the compiler supports them.
| snapshotId?: string; | ||
| scopeUal?: string; | ||
| publishResult?: boolean; | ||
| }): Promise<{ |
There was a problem hiding this comment.
🔴 Bug: this return type is wrong when publishResult: true. /api/ccl/eval returns { evaluationUri, publish, evaluation } in that branch, not the flat { policy, context, factSetHash, ... } shape declared here. TS consumers will compile against the wrong contract and then fail at runtime. Model this as an overload/discriminated union or split publish into a separate method.
| return 'approved'; | ||
| } | ||
| if (bindings.some(binding => binding.policyUri === policyUri)) { | ||
| return 'revoked'; |
There was a problem hiding this comment.
🟡 Issue: this collapses every non-active policy that has bindings into revoked, including policies that were merely superseded by a newer approval. That loses the lifecycle distinction introduced elsewhere in this PR and makes clients unable to tell a manual revoke from normal replacement. Derive superseded separately when the policy still has inactive non-revoked bindings.
The third assertion in "Should return correct active proof period" was flaky because blocksToMineNew could become 0 or negative when the contract-assigned start block fell before the current block. Apply the same Math.max(0, ...) guard and -2 margin used by the first assertion. Made-with: Cursor
| // proposals when they fail to resolve the policy. | ||
| if (this.agent.publishCclPolicy && this.agent.approveCclPolicy) { | ||
| try { | ||
| const published = await this.agent.publishCclPolicy({ |
There was a problem hiding this comment.
🔴 Bug: This policy publish/approve block runs only after the expedition:launched message has already been broadcast. If installation fails, the leader deletes the swarm locally, but followers have already created the expedition and set cclPolicyInstalled, so the cluster diverges before turn 1. Install/approve the policy before broadcasting launch, or send an explicit rollback/cancel message on failure.
| // Propose when we have enough votes: either all alive voted (fast path) | ||
| // or M-of-N quorum reached (allows offline players). | ||
| if (swarm.leaderPeerId === this.myPeerId) { | ||
| if (this.allAliveVoted(swarm) || this.quorumVoted(swarm)) { |
There was a problem hiding this comment.
🔴 Bug: The new quorum path is only checked when the leader casts its own vote. When additional votes arrive over the network, onRemoteVoteCast() still proposes only on allAliveVoted(), so M-of-N quorum never actually unblocks offline players. Mirror the quorum check in the remote-vote path (and related heartbeat stop logic) so remote votes can trigger proposal once the threshold is met.
| votes, | ||
| alivePlayerCount: aliveCount, | ||
| requiredSignatures: threshold, | ||
| gameStatus: result.newState.status ?? 'active', |
There was a problem hiding this comment.
🔴 Bug: The leader evaluates CCL with result.newState.status, but followers later evaluate the same proposal with the current swarm.gameState.status. That means different nodes derive different fact sets for the same turn, and any turn that ends the game will be rejected inconsistently. Use the same status source on both sides, or encode both pre- and post-turn status explicitly in the policy/facts.
| const tally = new Map<string, number>(); | ||
| for (const v of votes) tally.set(v.action, (tally.get(v.action) ?? 0) + 1); | ||
| const computedWinner = Array.from(tally.entries()) | ||
| .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))[0]?.[0] ?? winningAction; |
There was a problem hiding this comment.
🔴 Bug: This recomputes the winner with alphabetical tie-breaking, but tallyVotes() in the coordinator prefers the leader's vote on ties before falling back to alphabetical order. In a tied turn, CCL can derive a different majority_winner than the actual winningAction, causing valid proposals to be rejected. Reuse the exact same tie-break inputs/rules here instead of recomputing with a different policy.
1. requiredSignatures fallback: log explicit warnings when defaulting to 1 because chain config is unavailable or getContextGraphConfig threw. Makes silent M-of-N threshold bypass visible in logs. 2. mcp-server coverage scope: widen vitest include from single file (src/connection.ts) to all src/**/*.ts so future source files participate in coverage gates. Thresholds adjusted to match current reality (index.ts stdio entrypoint is untested). 3. CORS regression test: add test for explicitly null corsOrigin (rejected origin) verifying no Access-Control-Allow-Origin header is emitted, completing the undefined/valid/null coverage matrix. Made-with: Cursor
Addresses two gaps identified in dkgv10-spec issues #73 and #74: 1. SKILL.MD: Ships a V10 Agent Skills document at `GET /.well-known/skill.md` (public, no auth) that teaches LLM-powered agents the full API surface, memory model, and authentication flow. Dynamic node info (version, peer ID, extraction pipelines, context graphs) is injected at serve-time. Supports ETag/304 caching. 2. Document processor: Adds the `ExtractionPipeline` interface and `ExtractionPipelineRegistry` in @origintrail-official/dkg-core, plus a `MarkItDownConverter` implementation that invokes the standalone MarkItDown binary for PDF/DOCX/PPTX/XLSX/CSV/HTML conversion to Markdown. Gracefully degrades when the binary is unavailable. Made-with: Cursor
Addresses two gaps identified in dkgv10-spec issues #73 and #74: 1. SKILL.MD: Ships a V10 Agent Skills document at `GET /.well-known/skill.md` (public, no auth) that teaches LLM-powered agents the full API surface, memory model, and authentication flow. Dynamic node info (version, peer ID, extraction pipelines, context graphs) is injected at serve-time. Supports ETag/304 caching. 2. Document processor: Adds the `ExtractionPipeline` interface and `ExtractionPipelineRegistry` in @origintrail-official/dkg-core, plus a `MarkItDownConverter` implementation that invokes the standalone MarkItDown binary for PDF/DOCX/PPTX/XLSX/CSV/HTML conversion to Markdown. Gracefully degrades when the binary is unavailable. Made-with: Cursor
2 participants
Summary
Brings three trust extension features onto the V10 codebase, targeting
v10-rc:add-ccl-language-extension), rebased ontov10/live-publish-ack, and migrated to V10 naming (paranet→contextGraph,did:dkg:paranet:→did:dkg:context-graph:)dkg:endorsestriples. No new chain tx — endorsements ride regular PUBLISH batches. Includes CCLendorsement_countresolver so policies can gate on endorsement thresholds.Changes
CCL (cherry-picked + V10 migration)
ccl-evaluator.ts,ccl-fact-resolution.ts,ccl-policy.ts,ccl-evaluation-publish.ts/api/ccl/*, CLI commands underdkg cclccl_v0_1/paranetDataGraphUri→contextGraphDataUri,did:dkg:paranet:→did:dkg:context-graph:,getParanetOwner→getContextGraphOwner,createParanet→createContextGraphENDORSE
packages/agent/src/endorse.ts:buildEndorsementQuads()+DKG_ENDORSES/DKG_ENDORSED_ATpredicatesagent.endorse({ contextGraphId, knowledgeAssetUal, agentAddress })POST /api/endorse, CLI:dkg endorse <ual> --context-graph <id> --agent <address>endorsement_count(ual, N)andendorsement(agent, ual)facts auto-resolved from graphdkg:endorsesanddkg:endorsedAtVERIFY
packages/publisher/src/verify-collector.ts: M-of-N approval collection via direct P2Ppackages/publisher/src/verify-proposal-handler.ts: incoming proposal handler (validates, signs, responds)packages/publisher/src/verification-metadata.ts: builds_verified_memory/_metaquadsagent.verify({ contextGraphId, verifiedMemoryId, batchId })— full flow: propose → collect → on-chain → promote to VMstart()viaPROTOCOL_VERIFY_PROPOSALchain.verify()method (ContextGraphs.addBatchToContextGraph)POST /api/verify, CLI:dkg verify <batchId> --context-graph <id> --verified-graph <vmId>Test plan
pnpm build— 18/18 packages)pnpm test— 31 test files)buildEndorsementQuadsproduces correct triples🤖 Generated with Claude Code