OT-RFC-38 LU-7/8/9/10 — catchup + verify + attestation + devnet harness

[branarakic]

Summary

Closes the curated-CG verification & late-joiner surface that LU-5 (#608) opened, plus end-to-end devnet validation for the whole Phase A slice. See docs/specs/SPEC_CG_HOSTING_MEMBERSHIP.md §7.1.1 for the implementation-status table and the documented LU-6 gap.

Stacked on: #608 (LU-5 edge publish), which is itself stacked on #595 (SPEC_CG_MEMORY_MODEL LU-1..LU-4). Reviewing in order keeps each diff small.

Source surfaces

• LU-7 POST /api/shared-memory/catchup — caller-initiated SWMCatchupRequest. Single-peer mode or parallel fan-out across all connected peers. Public CGs accept anonymous catchup; curated CGs run authorizePrivateSyncRequest against the requester's signed envelope.
• LU-8 POST /api/shared-memory/{verify-batch,report-batch-rejection} + packages/agent/src/swm/verify-batch.ts — member post-decrypt root recompute using V10's computeFlatKCRootV10 / computeFlatKCMerkleLeafCountV10. Mismatch → structured BatchRejection record gossiped via agent.share() so other members can refetch from a different host.
• LU-9 POST /api/attestation/{mint,verify} + packages/agent/src/swm/member-attestation.ts — member signs an envelope binding (chainId, kavAddress, contextGraphId, batchId, merkleRoot, plaintextLeafHash, attesterAddress, attestedAt) with keccak256(abi.encodePacked(...)) + EIP-191 secp256k1, matching V10 chain-side signature layout so outsiders can hand-verify. Verify route runs signature recovery, signer-matches-attester, optional candidateLeaf rehash, and an optional async membershipResolver chain hook.
• enumerate-cg-hosts (packages/agent/src/swm/enumerate-cg-hosts.ts) — distinct from enumerate-cg-members; returns dialable peer set for LU-7 catchup. Phase A returns all connected peers minus self; Phase B will refine to the sharding-table-eligible subset once shard count > 1.
• packages/cli/src/daemon/routes/assertion.ts — small read surface additions the new attestation flow leans on.

Devnet harness (scripts/devnet-test-rfc38-*.sh)

11 standalone end-to-end scenarios, all driven through the daemon HTTP API (no custom libraries). devnet-test-rfc38-all.sh runs the full suite end-to-end and prints a consolidated pass/fail summary. Covered:

id	what it exercises
lu5-pub	LU-5 public CG regression (edge publishes plaintext to VM, no encryption)
lu5-cur	LU-5 curated CG edge publish (chain-key AEAD wrap + no-attribution VM publish)
lu7	LU-7 SWMCatchupRequest (public anonymous + curated member-auth + outsider denial)
lu8	LU-8 verify-batch + report-batch-rejection (member post-decrypt root recompute + gossip)
lu9	LU-9 member-attestation mint+verify (roundtrip + 3 negative-path scenarios)
lu10	LU-10 public-CG regression sweep (publish + anonymous catchup + verify-batch + attestation, all on a public CG)
e2e	end-to-end lifecycle (LU-5 → LU-7 → LU-8 → LU-9 composed in one user-visible scenario)
xcg	cross-CG isolation (member of CG-A cannot read CG-B; outsider catchup denied; curator can still decrypt its own CGs)
mm	multi-member CG (3 distinct member wallets; each verify-batches the same root; outsider cross-verifies all 3 attestations)
scale	scale probe (50 triples / 25 KAs in one curated batch; full verify + attestation roundtrip)
lj	late-joiner (member-from-curator + member-from-member-with-curator-offline; documented LU-6 cores-only gap as passing fail-soft assertion)

scripts/devnet.sh restart-node N op surface (restart a single node without wiping state). The late-joiner scenario uses it to take the curator offline mid-test and bring it back.

Test plan

Unit:

• packages/agent/test/verify-batch.test.ts — pure recompute helper unit tests
• packages/agent/test/member-attestation.test.ts — mint+verify roundtrip + tamper detection + membership resolver paths
• packages/agent/test/enumerate-cg-hosts.test.ts — dialable-peer enumeration

Devnet — all 11 scenarios PASS against a fresh 6-node devnet (4 cores + 2 edges, all wallets unique + funded, no on-chain identity for the edges):

[ok] lu5-pub  PASS
[ok] lu5-cur  PASS
[ok] lu7      PASS
[ok] lu8      PASS
[ok] lu9      PASS
[ok] lu10     PASS
[ok] e2e      PASS
[ok] xcg      PASS
[ok] mm       PASS
[ok] scale    PASS
[ok] lj       PASS

All 11 scenarios PASSED.

Run instructions

./scripts/devnet.sh start 6          # 4 cores + 2 edges, fresh wallets
./scripts/devnet-test-rfc38-all.sh   # ~10 min, 11 scenarios end-to-end

For UI manual testing — point Vite at any edge node:

DEVNET_UI_NODE=5 ./scripts/devnet.sh ui start
# http://localhost:5173/ui/ now proxies /api/* to node 5 (edge curator)

Deferred (Phase A sub-task, tracked for follow-up)

LU-6 substrate hosting on cores — cores do not yet subscribe to the curated-CG SWM gossip topic via the sharding-table assignment (RFC §5.1 + §5.1.1 pre-registration staging). Today's catchup model works when the curator OR any other current member is online; if every member is offline, a late joiner's catchup against cores returns 0 triples cleanly (no crash). devnet-test-rfc38-late-joiner.sh SCENARIO C asserts this fail-soft shape. Full LU-6 lands the encrypted SWM substrate (the SwmSenderKey two-layer Sender Keys construction already in packages/core/src/crypto/swm-sender-key.ts but not yet wired to the workspace-gossip topic) plus the TTL + byte-cap staging policies in §5.1.1. Path forward documented in docs/specs/SPEC_CG_HOSTING_MEMBERSHIP.md §7.1.1.

Made with Cursor

[github-actions]

🔴 Bug: when quads are omitted this reconstructs the candidate payload from the entire SWM/data graph, but expectedMerkleRoot is for a single KC/batch. As soon as a context graph contains more than one published batch, verify-batch will deterministically report root-mismatch for valid batches because unrelated triples are mixed in. Scope the local read to the requested batch/KC (or require callers to pass the exact batch quads) instead of querying every triple in the graph.

[github-actions]

🔴 Bug: this silently signs attestations with contextGraphId = "0" whenever the local subscription metadata cannot resolve an on-chain id. That produces tokens bound to the wrong domain even though the KC already exists on-chain. Resolve the CG id from chain truth (getKCContextGraphId(BigInt(batchId)) / getContextGraphOnChainId) and fail if it cannot be determined instead of minting an attestation with a placeholder id.

[github-actions]

🔴 Bug: batchId comes from the HTTP body and is interpolated into an RDF literal without escaping. A value containing ", newlines, or RDF syntax will either break the SWM write or let callers smuggle malformed triples through this endpoint. Escape the literal with the existing RDF helper (or reject unsafe input) before passing it to agent.share().

[github-actions]

🟡 Issue: reportedAt is part of the rejection digest, so retries of the same rejection from the same member always mint a new subject URI instead of deduping. That defeats the stated hash-dedupe identical rejection reports behavior and makes idempotent re-reporting impossible. Use a stable digest key derived from the batch/root/rejecter fields and keep reportedAt as metadata outside the digest.

[github-actions]

🔴 Bug: date -r <epoch-seconds> is BSD/macOS syntax; on GNU/Linux -r expects a file path, so the summary step fails on the project's primary dev/CI environment. Use a portable epoch conversion (date -u -d "@${START_TS}" ... on GNU, or a small POSIX-compatible helper) before relying on this runner in Linux devnets.

[github-actions]

🔴 Bug: the durable fallback always reads the root data graph here. If the batch was published from a registered sub-graph, those quads live under the sub-graph data URI, so this path will report empty-quads/root-mismatch after SWM has been drained even though the publish succeeded. Use contextGraphDataUri(contextGraphId, subGraphName) (or equivalent) for the post-publish lookup.

[github-actions]

🔴 Bug: this unconditionally supplies a membership resolver, so /api/attestation/verify returns membership: "unknown" even when the caller did not request chainCheckMembership. That changes the route contract and makes it impossible to distinguish “not checked” from “checked but unavailable”. Only pass a resolver when chainCheckMembership === true; otherwise let the result stay "skipped".

[github-actions]

🔴 Bug: computeAttestationDigest(attestation.payload) runs before any structural validation or try/catch. A malformed payload (chainId, bad hex in roots/addresses, etc.) will throw out of verifyMemberAttestation, which turns the new HTTP verifier into a 500 instead of a clean failed verification. Please validate the payload fields on the verify path as well, or catch digest-construction errors and return ok: false.

[github-actions]

🔴 Bug: this route maps every chain lookup failure to 500. For an unknown KC id, the existing /api/kc/:id/author route already translates the same adapter errors to 404, and callers rely on that distinction to tell “not published yet” from “server failure”. Mirror the same unknown kcId|nonexistent|out-of-bounds handling here instead of always returning 500.

[github-actions]

🔴 Bug: when subGraphName is set and the batch has already been published, this fallback still queries the root CG graph. That misses finalized triples stored under the sub-graph-specific data graph, so verify-batch will report empty-quads / root-mismatch for published sub-graph batches even though the data exists locally. Please resolve the durable graph URI through the same sub-graph-aware helper used elsewhere instead of hardcoding the root graph.

[github-actions]

🔴 Bug: verifyMemberAttestation digests caller-controlled payloads without validating them first. Non-numeric chainId / contextGraphId / attestedAt will throw here, while malformed hex in merkleRoot / plaintextLeafHash / attesterAddress gets coerced to zero bytes by the parsing helpers, so /api/attestation/verify can flip between 500s and false positives on bad input. Please validate the payload before calling computeAttestationDigest and return a structured verification failure for malformed attestations.

[github-actions]

🟡 Issue: this route reimplements host enumeration even though the PR adds createCGHostEnumerator for that exact policy. Once LU-6 makes host selection sharding-aware, /api/shared-memory/catchup will keep probing every connected peer unless both copies are updated in lockstep. Please reuse the shared enumerator here so the hosting-peer policy stays centralized.

[github-actions]

Codex review skipped: filtered diff is 5486 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.

[github-actions]

Codex review skipped: filtered diff is 5537 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.

[branarakic]

Codex R2 follow-up — attestation+KC route hardening

Addressed both route-contract bugs in 44778ff9:

1. /api/attestation/verify always supplied membership resolver (R2 memory.ts:1130)

Old code unconditionally passed membershipResolver: async () => undefined, so every response carried membership: "unknown" regardless of whether the caller asked. Gated on parsed.chainCheckMembership === true; omitting the flag now returns no membership field (route contract preserved), passing true still returns unknown until the Phase B resolver lands.

2. /api/kc/:id unknown-kcId → 500 instead of 404 (R2 assertion.ts:3190)

Old code caught all chain-adapter exceptions and rethrew/returned 500, including the same unknown kcId|nonexistent|out-of-bounds revert that the sibling /api/kc/:id/author route already translates to 404. Callers that branch on "not published yet" vs. "server failure" got the wrong signal. Mirrored the same regex test the sibling uses so both routes are in lockstep.

Sub-graph fallback (R2 memory.ts:810), member-attestation digest order (R2 member-attestation.ts:243), and portable date -r (R1) were already fixed in the integration branch.