audit: add LEP-6 shadow scoring for storage truth

[j-rafique]

Summary

Implements LEP-6 PR3 (shadow scoring) on LEP-6-shadow-scoring (PR #119) by adding storage-truth score execution for ingested storage_proof_results and persisting shadow-only scoring state.

This PR updates state + scoring + observability only. It does not enable enforcement penalties.

Base / Scope

• Base branch: LEP-6-report-ingestion
• Head branch: LEP-6-shadow-scoring
• Mode behavior: scoring executes only when storage-truth mode is SHADOW/SOFT/FULL, with PR3 intent focused on shadow bookkeeping and score evolution.

What Changed

1) Storage-truth score pipeline execution

• MsgSubmitEpochReport now applies storage-truth scoring after report persistence.
• Added keeper scoring engine for per-result deltas:
  • Node suspicion (N)
  • Reporter reliability (R)
  • Ticket deterioration (D)
• Added lazy decay application on read/update paths for all three dimensions.

2) Reporter trust band + bookkeeping state

• Added trust-band enum and persisted trust-band state for reporters.
• Added contradiction counters and bookkeeping fields needed for PR3 behavior:
  • Reporter contradiction tracking
  • Ticket failure-window tracking
  • Ticket contradiction tracking
  • Last observed target/reporter/result/epoch metadata

3) PR3 scoring behavior coverage

• Trust-band-aware scaling for node/ticket deltas.
• Repeated failure escalation across distinct epochs.
• Contradiction detection across epochs for same ticket/target.
• Contradiction penalties for both:
  • current reporter
  • previously contradicting reporter (when applicable)

4) Event observability

• Added storage_truth_score_updated event and attributes for:
  • epoch/reporter/target/ticket/result
  • updated N/R/D values
  • reporter trust band
  • repeated failure count
  • contradiction flags and contradicted reporter

5) PR review hardening fixes included

• Removed redundant repeated GetParams(...).WithDefaults() store reads in inner scoring helpers by threading already-fetched params.
• Made scaling overflow-safe for extreme score values (scaleInt64TowardZero) and added edge-case coverage.

Tests

Added/updated focused tests for:

• Result-class scoring outcomes
• Decay application
• Trust threshold effects
• Repeated failure escalation
• Contradiction detection/penalties
• Event emission attributes
• Query visibility for expanded score state
• Internal math/helper edge cases (including overflow scenarios)

Non-Goals (explicitly deferred)

• No penalty/enforcement activation matrix in this PR.
• No heal/recheck transaction finalization workflow in this PR.
• No slashing behavior changes.

Risk / Compatibility

• Backward-compatible with existing ingestion/report flow.
• Changes are additive to LEP-6 shadow state paths and do not introduce hard enforcement actions in this milestone.

[roomote-v0]

Rooviewer   See task

Both previously flagged issues have been addressed in this revision. Params are now threaded through as parameters (no redundant store reads), and scaleInt64TowardZero uses 128-bit arithmetic via math/bits to handle extreme values safely. No new issues found.

• storage_truth_scoring.go: Redundant GetParams store reads inside applyReporterReliabilityDelta and applyTicketDeteriorationDelta -- params are already fetched in the caller and should be threaded through
• storage_truth_scoring.go: scaleInt64TowardZero can silently overflow on value * numerator for extreme score values, inconsistent with the saturated arithmetic used elsewhere in the scoring pipeline

Previous reviews

• 51ea7b0: Review #1

_{Mention @roomote in a comment to request specific changes to this pull request or fix all unresolved issues.}

[mateeullahmalik]

Production-gate review by Zee — 12 findings

Methodology: full file-by-file read of every non-generated changed file in this PR's diff (pr-119 vs its base branch), cross-checked against:

• LEP-6 spec (Notion source of truth)
• invariant-first-coding skill (write-path enumeration, sibling symmetry, single source of truth, post-fix re-audit)
• Cosmos SDK consensus discipline (no float, no map iteration, bounded EndBlock, genesis round-trip, errorsmod wrapping)

Status legend: each finding's status is computed at the PR #122 stack-tip (consensus-gap-fixes commit a51c439), so 'FIXED' means a downstream PR in the stack already addresses it; 'OPEN' means it is still present at the tip and must be fixed before merge / Phase-2 activation. Severity rubric in the charter (~/work/lep6-review/ctx/charter.md): CRITICAL = consensus halt / state corruption / non-determinism in ABCI; HIGH = spec mismatch with economic impact, missing genesis round-trip, replay enabler; MEDIUM = invariant asymmetry without immediate exploit, unbounded loop with practical bound, missing param validation.

Severity breakdown: HIGH=7, MEDIUM=5

---

119-F1 — Decay was linear instead of geometric (spec §14/§15/§16)

• Severity: HIGH
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 508-523
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: FIXED in PR feat(audit): finalize LEP-6 consensus gap fixes #122 (decayTowardZero now factor*1000-based exponential per // factorNumerator is the decay factor * 1000 (e.g., 920 means 0.920 per epoch)). Confirm via test that the integer math reproduces spec geometrically over multi-epoch gaps.
• What: At PR audit: add LEP-6 shadow scoring for storage truth #119 head decay was score - decayPerEpoch * elapsedEpochs. Spec demands floor(score * 0.92^k) (or 0.90^k). Wrong shape → wrong band entry rates.

119-F2 — Node-suspicion deltas don't match spec §14 (no symbol/index split, wrong magnitudes)

• Severity: HIGH
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 275-322
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: PARTIALLY ADDRESSED in PR feat(audit): finalize LEP-6 consensus gap fixes #122 (deltas restructured) — please verify the §14 magnitudes (symbol HASH_MISMATCH +18, index +26, TIMEOUT +7, OBSERVER_QUORUM_FAIL +4, RECHECK_CONFIRMED_FAIL +15, recent PASS −3, old PASS −2) are now exact, and that ArtifactClass + BucketType bifurcation drives the choice.
• What: At PR audit: add LEP-6 shadow scoring for storage truth #119 head: HASH_MISMATCH=+12 flat (no symbol/index), TIMEOUT=+4, RECHECK_CONFIRMED=+20, OBSERVER_QUORUM_FAIL=+3, PASS=−2 flat. Every delta wrong. Shadow telemetry calibrated against these is unusable for Phase-2 cutover.

119-F3 — Ticket-deterioration deltas don't match spec §16

• Severity: HIGH
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 275-322
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: PARTIALLY ADDRESSED in PR feat(audit): finalize LEP-6 consensus gap fixes #122 — verify the nine §16 deltas: symbol fail +5, index fail +12, timeout +3, recheck-confirmed +8, different-holder fail +10, same-holder different-epoch +6, clean pass −2, clean pass different holder −3, failed heal verification +15.
• What: PR audit: add LEP-6 shadow scoring for storage truth #119 used flat HASH_MISMATCH=+12, no holder/epoch decomposition, ad-hoc escalation bonus capping at +6 instead of spec's +10/+15.

119-F4 — Reporter-reliability deltas semantically inverted vs spec §15

• Severity: HIGH
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 275-322, 378-381
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: PARTIALLY ADDRESSED in PR feat(audit): finalize LEP-6 consensus gap fixes #122 (collapsed several classes to zero) but the spec §15 trigger semantics are EVENT-driven (overturn-by-recheck +25, 2-pass-corroboration window +12, statistical divergence +8, clean reproducible epoch −4, confirmed correct severe fail −3), not per-result-class. Confirm the per-class deltas are not double-counting against §15.1.
• What: PR audit: add LEP-6 shadow scoring for storage truth #119 attached an R delta to every result class, with sign convention inverted relative to §15 (spec R is a penalty growing on bad behavior; code R was a reputation going negative).

119-F5 — Contradiction penalty applied to BOTH the contradicting and contradicted reporter

• Severity: HIGH
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 62, 92-104, 378-381
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: PARTIALLY ADDRESSED — see PR audit: implement storage truth enforcement and self-healing lifecycle #121 Finding 3 (predicate is still direction-agnostic and penalises honest reporters). Confirm at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip.
• What: currentReporterPenalty=-6 AND contradictedReporterDelta=-6 both fire on a contradiction. Spec §15.1 only penalises the overturned reporter. Coordinated attacker can fail-report + confederate-pass-report to drag honest reporters' R.

119-F6 — Trust multiplier 0.25 (LOW_TRUST=0.5, INELIGIBLE=0.25) violates spec §15.4 floor 0.5

• Severity: HIGH
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 399-408, 65-66
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: PLEASE CONFIRM at PR feat(audit): finalize LEP-6 consensus gap fixes #122 head — also gate application on Class-A pre-recheck per spec §15.4 (multiplier applies only until recheck confirms the failure, not unconditionally to every delta).
• What: Spec §15.4: trust_multiplier = max(0.5, 1 − R/100). Ineligible band returned 0.25 — below spec floor.

119-F9 — Pattern-escalation predicate counts same-ticket repeats instead of distinct-ticket per node, magnitudes 2/4/6 vs spec 10/15/12

• Severity: HIGH
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 363-369, 490-499
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: PARTIALLY ADDRESSED via fact-indexes in PR audit: implement storage truth enforcement and self-healing lifecycle #121 — confirm at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip that distinct-ticket count is now used and magnitudes are spec-exact (+10 / +15 / +12 for recent∧old).
• What: Spec §14 escalation: 2nd distinct failed ticket → +10; 3rd+ → +15; one-recent-and-one-old in last 14 → +12. PR audit: add LEP-6 shadow scoring for storage truth #119 used min(count-1,3)*2 capped at +6 over same-ticket repeats. Wrong predicate AND wrong magnitudes.

119-F10 — updateRecentFailureEpochCount window uses StorageTruthProbationEpochs (default 3) instead of spec's 14-epoch failure-pattern window

• Severity: MEDIUM
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 477-483
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: OPEN — verify at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip whether a dedicated StorageTruthPatternEscalationWindow=14 param is now used instead of reusing probation epochs.
• What: Probation and pattern-detection are conceptually different windows. Reusing the param at default-3 makes pattern escalation almost never fire.

119-F11 — validateInt64 allows zero/negative decay; decayTowardZero short-circuits on ≤0 — gov can disable decay forever

• Severity: MEDIUM
• File: x/audit/v1/types/params.go (413-415, 419-420), x/audit/v1/keeper/storage_truth_scoring.go (508-511)
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: OPEN at PR feat(audit): finalize LEP-6 consensus gap fixes #122 — validateInt64 still doesn't impose lower bound on the three decay params. Add validateStorageTruthDecay requiring > 0 and a sane upper cap; invoke from Params.Validate().
• What: A single bad governance proposal setting decay=0 disables score decay forever; decay=huge instantly zeroes every score.

119-F12 — InitGenesis on score-states: no LastUpdatedEpoch <= currentEpoch clamp

• Severity: MEDIUM
• File: x/audit/v1/keeper/genesis.go
• Lines: 58-68
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: OPEN at PR feat(audit): finalize LEP-6 consensus gap fixes #122 — also see PR audit: implement storage truth enforcement and self-healing lifecycle #121 Finding 7 (postponement state has no genesis import/export at all).
• What: InitGenesis writes SetNodeSuspicionState/SetReporterReliabilityState/SetTicketDeteriorationState directly with whatever LastUpdatedEpoch is in the JSON. Out-of-bound futures silently accepted; first read computes epochDelta(curr, future)=0 → no decay.

119-F7 — Same-epoch contradictions silently dropped (< instead of <=)

• Severity: MEDIUM
• File: x/audit/v1/keeper/storage_truth_scoring.go
• Lines: PR audit: add LEP-6 shadow scoring for storage truth #119 lines 262-266, 374-383
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: OPEN — verify at PR feat(audit): finalize LEP-6 consensus gap fixes #122 head whether same-epoch contradictions still drop, and whether the multi-witness ledger in PR audit: implement storage truth enforcement and self-healing lifecycle #121's recheck path covers this.
• What: state.LastResultEpoch < epochID strict-less-than gates contradiction detection. Spec §15.1 W=7 is upper bound; same-epoch must count. Attacker can suppress detection by colluding to submit contradicting result in same epoch.

119-F8 — TicketDeteriorationState lacks ValidateBasic on genesis import

• Severity: MEDIUM
• File: x/audit/v1/keeper/genesis.go
• Lines: ~58-68
• Status at PR feat(audit): finalize LEP-6 consensus gap fixes #122 tip: OPEN at PR feat(audit): finalize LEP-6 consensus gap fixes #122 head; the same gap exists for NodeSuspicionState and ReporterReliabilityState.
• What: Genesis InitGenesis trusts imported (LastFailureEpoch, RecentFailureEpochCount, LastUpdatedEpoch) without invariant checks. Malformed genesis (e.g. LastUpdatedEpoch > currentEpoch) silently accepted; lazy epochDelta will treat as 'no decay forever'.

---

This review is posted as a COMMENT (not REQUEST_CHANGES) so it does not block merge mechanically — but the CRITICAL and HIGH items must be triaged before activation. I'm available to walk through any of these in detail.

— Zee

[Copilot]

Pull request overview

Implements LEP-6 PR3 “shadow scoring” for storage-truth by executing scoring on ingested storage_proof_results, persisting additional scoring/bookkeeping state, and emitting a dedicated score-update event.

Changes:

• Add storage-truth scoring pipeline on MsgSubmitEpochReport with node/reporter/ticket score deltas, trust-band scaling, decay-on-update, and contradiction/repeated-failure bookkeeping.
• Extend protobuf state with ReporterTrustBand and additional persisted fields for reporter and ticket scoring/bookkeeping.
• Add/expand tests to cover scoring outcomes, decay, trust thresholds, escalation/contradictions, query visibility, and event attributes.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
x/audit/v1/types/events.go	Introduces storage-truth score update event type and attribute keys.
x/audit/v1/types/audit.pb.go	Regenerated protobuf output to include trust band + added state fields.
x/audit/v1/keeper/storage_truth_scoring.go	Implements storage-truth scoring engine, bookkeeping, decay helpers, and event emission.
x/audit/v1/keeper/msg_submit_epoch_report.go	Hooks scoring execution into epoch report submission flow.
proto/lumera/audit/v1/audit.proto	Adds ReporterTrustBand enum and new persisted bookkeeping fields.
app/proto_bridge.go	Registers the new enum for proto bridge usage.
x/audit/v1/keeper/msg_submit_epoch_report_storage_truth_scores_test.go	Adds end-to-end tests for scoring, decay, scaling, events, escalation, contradictions.
x/audit/v1/keeper/query_storage_truth_test.go	Expands query tests to validate new fields and scored-ingestion visibility.
x/audit/v1/keeper/storage_truth_state_test.go	Updates state round-trip tests for newly persisted fields.
x/audit/v1/keeper/storage_truth_scoring_internal_test.go	Adds focused unit tests for internal math/scoring helpers.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In applyTicketDeteriorationDelta, a brand-new ticket failure at epoch 0 won’t set LastFailureEpoch/RecentFailureEpochCount because the failure update is gated by epochID != state.LastFailureEpoch (and state.LastFailureEpoch is 0 for a new/zero-value state). This causes the first failure in epoch 0 to be recorded with RecentFailureEpochCount=0, and the next epoch’s failure will be treated as count=1 (no escalation) rather than count=2.

Consider changing the condition to also treat "not found" as needing initialization (e.g., update failure fields when !found || epochID != state.LastFailureEpoch), and add a test covering the first-ever failure when epochID == 0 to ensure RecentFailureEpochCount becomes 1.