feat(mandala)!: remove the unguarded 'recover' admin action kind #263
Merged
'recover' credited issuance like 'issue' but had no reissue guard and no reducer handler — an arbitrary issuer mint with no tie to a frozen output and no eviction. Presenting it as "recover a frozen output" let an issuer mint a different amount than the frozen value and silently change circulating supply.

Frozen-output recovery is 'reissue', which is fully guarded: target outpoint must be frozen, minted amount must equal the frozen row's amount, zero FT inputs of the asset, and the reducer evicts the outpoint — so circulation is conserved. 'recover' was redundant with that (for legitimate seizure) and with 'issue' (for plain minting), so remove it entirely.

- @bsv/templates: drop 'recover' from MandalaActionKind.
- @bsv/overlay-topics: stop crediting 'recover' as issuance in the admit path (a stray 'recover'-labelled mint now fails the conservation check), update the Gate-1 comment, and adjust the reducer comment.
- Tests: retitle/retarget the two cases that referenced 'recover' (the frozen-input-spend rejection is kind-agnostic; the forged-admin case uses a still-valid kind).

BREAKING CHANGE: 'recover' is no longer a valid MandalaActionKind. Nothing in the stack emits it; frozen-output recovery uses 'reissue'.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AbNQBGybrgwd9Af2Zmurq8

…cs 1.4.1

Roll both package versions so the 'recover' removal can be tagged and published. overlay-topics consumes templates via workspace:^, resolved to the new version at publish.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01AbNQBGybrgwd9Af2Zmurq8



Why
The Mandala protocol had two admin actions that both looked like "recover a frozen output," but only one conserved supply:
- reissue — fully guarded frozen-output recovery. MandalaTopicManager enforces: target outpoint must be frozen, minted amount must equal the frozen row's amount (reissueGuardFailsb), zero FT inputs of the asset; the reducer then evicts the outpoint. Circulation is conserved.
- recover — credited issuance like issue, but with no reissue guard and no reducer handler. An arbitrary issuer mint, untied to any frozen output, with no eviction. In the demo app its UI was labelled "recover a frozen output · net supply unchanged," so recovering less than the frozen value silently dropped circulating supply.

recover was redundant with reissue (legitimate seizure) and with issue (plain minting), and it was a footgun. Remove it so it can't be used by accident.

Changes
- 'recover' from MandalaActionKind.
- 'recover' as issuance in the admit path; a stray 'recover'-labelled mint now fails the conservation check (belt-and-suspenders). Update the Gate-1 and reducer comments.
- recover: the frozen-input-spend rejection is kind-agnostic, and the forged-admin-entry case uses a still-valid kind.

Verification
- @bsv/templates: build ✓, 46 tests pass.
- @bsv/overlay-topics: build ✓, 277 pass / 1 skipped.

Breaking change
recover is no longer a valid MandalaActionKind. Nothing in the stack emits it — the demo app already routes recovery through reissue. Warrants a version bump at publish time (your call on major/minor, per the usual manual tag + publish).

🤖 Generated with Claude Code
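
The guard conditions the description lists for reissue, as an added TypeScript example that is not code from @bsv/overlay-topics or this PR. All types, field names and functions are hypothetical, and the model assumes supply counts frozen value, so evicting a frozen row and minting the same amount nets to zero.

```typescript
// Added illustration: a simplified model, not code from @bsv/overlay-topics.
// Every type, field and function name here is hypothetical.
type Kind = 'issue' | 'reissue'; // 'recover' is no longer an accepted kind
interface FrozenRow { assetId: string; amount: number }
interface AdminMint {
  kind: Kind;
  assetId: string;
  minted: number;
  target?: string;   // outpoint being recovered; required for 'reissue'
  ftInputs: number;  // FT inputs of this asset spent by the transaction
}
interface State { frozen: Record<string, FrozenRow>; supply: number }

// The three admit-time conditions the PR lists for 'reissue'.
// Returns a rejection reason, or null when the guard passes.
function reissueGuard(s: State, tx: AdminMint): string | null {
  const row = tx.target !== undefined ? s.frozen[tx.target] : undefined;
  if (!row || row.assetId !== tx.assetId) return 'target outpoint is not frozen';
  if (tx.minted !== row.amount) return 'minted amount != frozen amount';
  if (tx.ftInputs !== 0) return 'FT inputs of the asset present';
  return null;
}

// Admit, then reduce. Assumption of this model: supply counts frozen value,
// so evicting the row and minting the same amount nets to zero.
function apply(s: State, tx: AdminMint): string {
  if (tx.kind === 'issue') { s.supply += tx.minted; return 'admitted'; }
  const reason = reissueGuard(s, tx);
  if (reason !== null) return 'rejected: ' + reason;
  const row = s.frozen[tx.target as string] as FrozenRow;
  delete s.frozen[tx.target as string];   // reducer evicts the outpoint
  s.supply += tx.minted - row.amount;     // always 0 once the guard has passed
  return 'admitted';
}

// Constructed sample: one frozen output of 100 units, supply of 1000.
function demo(): { results: string[]; supply: number } {
  const s: State = { frozen: { 'txid0:0': { assetId: 'A', amount: 100 } }, supply: 1000 };
  const base = { kind: 'reissue' as Kind, assetId: 'A', target: 'txid0:0', ftInputs: 0 };
  const results = [
    apply(s, { ...base, minted: 60 }),               // short mint: rejected
    apply(s, { ...base, minted: 100, ftInputs: 1 }), // spends FT inputs: rejected
    apply(s, { ...base, minted: 100 }),              // exact recovery: admitted
    apply(s, { ...base, minted: 100 }),              // replay after eviction: rejected
  ];
  return { results, supply: s.supply };
}
```

The replay case is the reason eviction matters: once the reducer has removed the frozen row, the same outpoint cannot back a second mint.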