LEP 5

[a-ok123]

https://www.notion.so/pastelnetwork/LEP5-Cascade-Availability-Commitment-302df11fee14808e9cb8d745aa71465f?source=copy_link

[roomote-v0]

Rooviewer   See task

Re-reviewed after 4d4f1ce. The devnet/go.mod replace directive is now properly commented out, resolving that issue. No net new issues found in this diff range. Two previously flagged issues remain open: VerifyChunkProofs re-derives expected proof count from current params instead of using the stored commitment, and the simulation bypasses GetSVCParams() in favor of hardcoded constants.

• challenge.DeriveIndices has no iteration cap and can infinite-loop when m approaches numChunks (uint32 counter wraps) -- resolved: package deleted
• devnet/go.mod local replace directive is uncommented -- will break reproducible builds from a clean checkout -- resolved: now commented out in 4d4f1ce
• Challenge indices are client-chosen with no on-chain enforcement of deterministic derivation -- author notes SuperNode must download the whole file to compute correct Merkle proofs regardless of index selection
• .gitignore missing trailing newline and has duplicate .roomodes entry -- trailing newline fixed; duplicate .roomodes on lines 22 and 34 remains but is cosmetic
• VerifyChunkProofs derives expected proof count from current governance params rather than from the stored commitment's ChallengeIndices -- if governance changes svc_challenge_count between registration and finalization, in-flight actions become unfinalizable
• Simulation in lep5_cascade.go uses hardcoded keeper.SVCChallengeCount / keeper.SVCMinChunksForChallenge instead of keeper.GetSVCParams(params) -- would silently fail if governance updates these params

Previous reviews

• 5d071b8: Review #1
• fdcaee1: Review #2
• 9255827: Review #3
• d62110f: Review #4
• 2f97fed: Review #5
• ab81554: Review #6

_{Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.}

[roomote-v0]

This local replace directive (github.com/LumeraProtocol/lumera => ..) is uncommented, which means the devnet module resolves lumera from the parent directory instead of a published version. If merged to master, anyone cloning the repo and running go build or go test in the devnet/ directory will get the local source, which is the intended behavior for local dev but breaks reproducible builds from a clean checkout if the go.sum no longer contains the published module hash (the corresponding go.sum entry for LumeraProtocol/lumera v1.10.0 was also removed in this PR). The existing comment says "uncomment these for local testing" / "Comment lines with github.com/LumeraProtocol/ before releasing" -- this should be re-commented before merge unless the intent is to permanently switch to a monorepo-style build.

_{Fix it with Roo Code or mention @roomote and request a fix.}

[Copilot]

Pull request overview

Implements LEP-5 “Cascade Availability Commitment” by extending Cascade metadata with a chunk-Merkle commitment + challenge indices, and enforcing SuperNode-provided Merkle proofs during Cascade finalization.

Changes:

• Add LEP-5 protobuf types/fields (HashAlgo, AvailabilityCommitment, ChunkProofs) and module params (svc_challenge_count, svc_min_chunks_for_challenge).
• Introduce Merkle + challenge helper packages and keeper-side proof verification wired into Cascade finalization/metadata updates.
• Add unit/E2E tests and documentation for the LEP-5 flow.

Reviewed changes

Copilot reviewed 22 out of 25 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
x/action/v1/types/params.pb.go	Regenerated Params bindings to include SVC params.
proto/lumera/action/v1/params.proto	Adds LEP-5 governance parameters for challenge count/min chunks.
x/action/v1/types/metadata.pb.go	Regenerated metadata bindings: HashAlgo enum, AvailabilityCommitment, ChunkProof, CascadeMetadata extensions.
proto/lumera/action/v1/metadata.proto	Defines LEP-5 enum/messages and extends CascadeMetadata.
x/action/v1/types/metadata_proto_test.go	Round-trip/back-compat protobuf tests for new metadata fields.
x/action/v1/types/events.go	Adds SVC-related event types + attributes.
x/action/v1/types/errors.go	Adds SVC-specific error codes for proof verification failures.
x/action/v1/merkle/merkle.go	Implements BLAKE3 chunk Merkle tree + proof generation/verification.
x/action/v1/merkle/merkle_test.go	Validates Merkle root/proofs (vectors, tamper, scale, edge cases).
x/action/v1/challenge/challenge.go	Implements deterministic challenge-index derivation helper.
x/action/v1/challenge/challenge_test.go	Test vectors and determinism/uniqueness checks for challenge derivation.
x/action/v1/keeper/svc.go	Adds keeper verification for chunk proofs + evidence/pass events.
x/action/v1/keeper/svc_test.go	Unit tests for keeper proof verification and evidence events.
x/action/v1/keeper/finalize_svc_test.go	Integration-style test: finalize Cascade with valid proofs reaches DONE.
x/action/v1/keeper/cascade_commitment_test.go	Registration-time commitment + challenge indices validation tests.
x/action/v1/keeper/action_cascade.go	Enforces commitment validation on request/register; verifies proofs on finalize; persists commitment/proofs.
docs/leps/new-feature-lep5.md	Full LEP-5 technical specification document.
docs/leps/lep5.md	LEP-5 testing guide for devnet flows.
devnet/tests/validator/lep5_test.go	Devnet E2E tests for successful and failing proof finalization (+ variable chunk sizes).
devnet/go.mod	Updates devnet module deps and enables local replace for lumera.
devnet/go.sum	Updates devnet sums to match module dependency changes.
devnet/config/config.json	Disables Hermes in devnet configuration.
buf.lock	Updates Buf dependency lock (cosmos-sdk entry changed).
app/proto_bridge.go	Registers new HashAlgo enum for proto bridge usage.
.gitignore	Adds ignores for various local planning/docs artifacts.

Comments suppressed due to low confidence (4)

docs/leps/lep5.md:3

• This link points to ../new-feature-lep5.md (i.e., docs/new-feature-lep5.md), but the technical specification file added in this PR is docs/leps/new-feature-lep5.md. Update the relative link so it resolves correctly from within docs/leps/.

> **Full design:** [LEP-5 Technical Specification](../new-feature-lep5.md)

devnet/tests/validator/lep5_test.go:70

• Typo in the subtest name: TineFile_4B_ChunkSize_1B reads like it should be TinyFile_4B_ChunkSize_1B (or similar). Renaming makes logs and -run filters clearer.

			name:      "TineFile_4B_ChunkSize_1B",

devnet/config/config.json:37

• This change disables Hermes in the devnet config (enabled: false). Since this can affect IBC-related devnet flows and tests, please confirm it's intentional for LEP-5 and (if so) consider documenting the reason in the devnet docs or making it configurable via env/CLI so other devnet users aren't surprised.

    "hermes": {
        "enabled": false
    }

x/action/v1/keeper/action_cascade.go:45

• In validateAvailabilityCommitment, the error message for a hash algo mismatch uses %q with an enum value (cascadeCommitmentHashAlgo). %q will format the underlying integer as a quoted rune (e.g., '\x01'), which is confusing and not stable. Use %v (or %s with .String()) and ideally include both expected and actual values in the message.

	if commitment.HashAlgo != cascadeCommitmentHashAlgo {
		return fmt.Errorf("availability_commitment.hash_algo must be %q", cascadeCommitmentHashAlgo)
	}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 24 out of 30 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

devnet/tests/validator/lep5_test.go:70

• The function name has a typo: "TineFile" should be "TinyFile". This affects test readability and naming consistency.

			name:      "TineFile_4B_ChunkSize_1B",

tests/systemtests/lep5_action_test.go:101

• The comment has a typo: "systemex" should be "systemtest" or "system". This documentation typo affects clarity when developers read the test code.

	// For the systemex test, we verify the CLI can construct and submit

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[roomote-v0]

VerifyChunkProofs derives expectedCount from the current governance params (lines 60-71), then checks that both the submitted proof count and the stored commitment.ChallengeIndices length match it (lines 73 and 88). If governance changes svc_challenge_count between registration and finalization (e.g. from 8 to 16), in-flight actions become unfinalizable: the commitment was registered with 8 indices, but finalization now expects 16 proofs. The stored commitment's ChallengeIndices is the authoritative source -- it was already validated at registration time. Using len(commitment.ChallengeIndices) as expectedCount here instead of re-deriving from current params would avoid this.

Suggested change

	params := k.GetParams(ctx)
	challengeCount, minChunks := GetSVCParams(params)
	if commitment.NumChunks < minChunks {
	// Small files are out of challenge scope.
	return nil
	}
	expectedCount := challengeCount
	if expectedCount > commitment.NumChunks {
	expectedCount = commitment.NumChunks
	}
	params := k.GetParams(ctx)
	_, minChunks := GetSVCParams(params)
	if commitment.NumChunks < minChunks {
	// Small files are out of challenge scope.
	return nil
	}
	// Use the stored commitment's challenge indices as the authoritative count.
	// These were validated at registration time against the params that were
	// active then; re-deriving from current params would break in-flight
	// actions if governance changes svc_challenge_count.
	expectedCount := uint32(len(commitment.ChallengeIndices))

_{Fix it with Roo Code or mention @roomote and request a fix.}

[roomote-v0]

params is fetched from the keeper on line 29 but the SVC values on lines 30-31 use the hardcoded fallback constants directly instead of keeper.GetSVCParams(params). If governance updates svc_challenge_count or svc_min_chunks_for_challenge, the simulation would generate commitments with the wrong number of challenge indices, causing validateAvailabilityCommitment to reject the registration and the simulation to silently no-op.

Suggested change

	params := k.GetParams(ctx)
	challengeCount := keeper.SVCChallengeCount
	minChunks := keeper.SVCMinChunksForChallenge
	params := k.GetParams(ctx)
	challengeCount, minChunks := keeper.GetSVCParams(params)

_{Fix it with Roo Code or mention @roomote and request a fix.}

[mateeullahmalik]

High-signal correctness issue in x/action/v1/keeper/svc.go:

VerifyChunkProofs derives expectedCount from current params (SvcChallengeCount, SvcMinChunksForChallenge) at finalization time, then requires both len(proofs) and len(commitment.ChallengeIndices) to match that runtime-derived value.

That makes already-registered actions non-deterministically fail if governance updates either SVC param between registration and finalization. The registration commitment is immutable (action.Metadata), but verification semantics become time-dependent.

Concrete failure mode:

1. Action registers with challenge_count=8, commitment stores 8 indices.
2. Governance changes challenge_count to 4 before finalization.
3. Finalization submits proofs for the original 8 committed indices.
4. VerifyChunkProofs now expects 4 and rejects (ErrWrongProofCount / metadata mismatch), even though proofs are valid against the committed root.

Suggested fix direction:

• In verification, treat the stored commitment as canonical for count/index expectations.
• Derive expected proof count from len(commitment.ChallengeIndices) (or directly from stored fields), not from mutable params.
• Keep param-based checks only at registration-time validation (validateAvailabilityCommitment) for new actions.