feat(importer): manifest library + dkg-importer SKILL.md

[branarakic]

Summary

Implements the resumable-import pattern from ADR 0002 (#641) and gives every agent / human importer a single canonical reference for chunked bulk writes against a DKG node.

`scripts/lib/manifest.mjs` — Resumable-import manifest helpers

• `createImportManifest` writes the import as an RDF assertion in the project's `meta` sub-graph.
• `markPartitionStatus` appends status events (append-only — latest event wins on read).
• `loadImportManifest` + `pendingPartitions` resolve current per-partition status in one SPARQL round-trip, so an interrupted import resumes from the next pending partition.
• Itself respects the ADR 0002 chunking contract by reusing `DkgClient.writeAssertion`.

`scripts/lib/tests/manifest.test.mjs` — Six unit tests for pure helpers (URI encoding, ontology constants, triple building, status filtering). Daemon-roundtrip coverage stays in the repro suite.

`packages/cli/skills/dkg-importer/SKILL.md` (NEW) — Agent-readable manual codifying:

• Chunking contract from ADR 0002 (CHUNK=5000, ROOT_CHUNK=1000)
• Worked examples in TypeScript + Python
• Manifest pattern walk-through
• Canonical URIs from ADR 0003
• Anti-patterns + HTTP error handling
• One-page cheat sheet

`packages/cli/skills/dkg-node/SKILL.md` — One-line cross-reference under the assertion-write tool table, pointing agents to `dkg-importer/SKILL.md` when pushing >5k quads in one go.

Test plan

• `node --test scripts/lib/tests/manifest.test.mjs` → 6/6 pass
• No new linter errors
• Reviewer: confirm `DkgClient.writeAssertion`'s 500-quad default `batchSize` is the right conservative default for the docs to advertise
• Reviewer: confirm the manifest's append-only status pattern is acceptable (SPARQL DELETE/INSERT would be tidier but the daemon doesn't expose it on assertions)

Stack

This PR is stacked on #641 (ADRs). Once #641 lands, this rebases against main.

Related: #596, #636, #640.

Made with Cursor

Update — round 3 (2026-05-25): known caps + manifest hardening

dkg-importer/SKILL.md — Known caps with exact error strings (§1.1)

Adds a new §1.1 reference table calling out the three independent daemon caps an importer must handle, with the verbatim daemon error text for each:

Endpoint	Cap	Constant	Error
POST /api/assertion/<name>/write	10 MB request body	MAX_BODY_BYTES	HTTP 413 "Request body too large (>10485760 bytes)"
POST /api/assertion/<name>/promote	256 KB request body	SMALL_BODY_BYTES	HTTP 413 "Request body too large (>262144 bytes)"
POST /api/assertion/<name>/promote	10 MB gossip message	hard-coded in gossipsub publish	HTTP 500 "Promoted assertion too large for gossip (XXXX KB, limit 10 MB)"

The two /promote caps are independent — same status code (413) for the body cap, but a different limit from /write's — and the 10 MB gossip cap can trip even with a single root URI if that root's transitive triple set is large enough. §5 (Error handling) is rewritten so each failure mode has its own recipe instead of one generic "halve on 413" block.

Numbers and error strings validated empirically during the rc.10 Graphify import. Quoting them inline turns "discover via 413" into "look up before you start", which is the difference between a 5-minute import and a 20-minute import for non-trivial graphs.

scripts/lib/manifest.mjs — round-3 hardening

Three round-3 codex line comments fixed (each with a new unit test, 13/13 pass):

• L222 — createImportManifest not idempotent on already exists: now catches the daemon's "already exists" error from /api/assertion/create and treats it as successful reuse, so a retry / second-process resume of the same import doesn't crash before reading progress.
• L369 — same-millisecond status events: the SPARQL "latest event per partition" filter now includes a deterministic IRI tie-breaker (?ts2 = ?recordedAt && STR(?ev2) > STR(?ev)) so two writes within one ms produce a deterministic ordering instead of nondeterministic status selection.
• L375 — empty bindings ≠ complete: loadImportManifest now throws loudly when the SPARQL returns zero bindings instead of silently returning {partitions: []} (which previously made resume callers think the import was complete when the manifest was actually missing / not yet visible in SWM).

Update — round 4 (2026-05-25 22:50): post-empirical-motivation Codex review

Round-4 review against the round-3 push surfaced five issues — three real bugs that would have shipped, one CodeQL finding, and one runnable-example fix. All addressed inline with new unit-test coverage (18/18 pass).

CRITICAL — loadImportManifest was reading the bare data graph, not SWM (L391)

/api/query with subGraphName alone routes to the bare data graph did:dkg:context-graph:<cg>/<sub>, NOT the SWM tier …/_shared_memory. Since the manifest is created via the assertion API (create → write → promote), it ONLY exists in SWM. So a peer/restart resume calling loadImportManifest would silently see zero bindings even on a healthy import — and the §L375 "loud failure" fix would then throw "manifest is missing" for a manifest that actually exists.

Fix: plumb graphSuffix (and view for completeness) through DkgClient.query. loadImportManifest now passes graphSuffix: '_shared_memory' so the query hits the right graph. The mock client in tests now also routes by graphSuffix, so a regression where the SWM hint is dropped fails the test suite immediately. A new dedicated test pins the call shape.

CRITICAL — statusEventUri same-millisecond ordering was non-deterministic (L84)

The previous shape <ts>-<6-char random> meant two events in the same millisecond would tie on recordedAt AND tie on a random token, leaving SPARQL's lexicographic tie-breaker non-deterministic.

Fix: new shape <ts>-<12-digit monotonic counter>-<6-char random>. The counter is process-local and zero-padded so lexicographic ordering matches call order for same-process same-ms events. Cross-process same-ms collisions fall back to the random component — no worse than before. New regression test asserts strictly-increasing IRIs across 50 back-to-back calls.

CodeQL #90 — double-unescape risk in unquote (L138)

The previous chain of four .replace() passes had a textbook double-unescape pitfall: \\\\n (escaped backslash + literal n) could collapse to a newline because the second pass would re-interpret the \ left behind by the first pass.

Fix: single-pass regex .replace(/\\(["\\nr])/g, replacer) so each escape sequence matches exactly once. New regression test round-trips literal \n, \\, \", mixed strings through lit() / unquote() byte-for-byte.

importId sanitization for default assertion name (L222)

importUri() / partitionUri() percent-encode any importId, but the daemon's validateAssertionName rejects /, whitespace, and other IRI-unsafe characters. A caller passing importId="corpus/2026-q1" would get valid URIs back but /api/assertion/create would 400.

Fix: new exported defaultManifestAssertionName() that maps unsafe character runs to -, length-clamps to the 256-char daemon limit, and throws a descriptive error if nothing valid remains (instead of crashing later with a cryptic 400). Two regression tests: parameterised sanitization assertions + an end-to-end "create/load with an unsafe importId works" check.

Python sample fix (L127)

The Python snippet in dkg-importer/SKILL.md was missing import os and used an undefined port. Fixed: added the import, defaulted port to int(os.environ.get('DKG_PORT', '9200')), switched to a with block for the token file.

Test coverage

5 new tests added (18/18 total pass) — one per fix, all targeted at the exact failure mode codex flagged, so a future regression on any of these would fail CI immediately.

[github-actions]

🔴 Bug: only the import root is promoted here. The partition subjects (urn:dkg:import:...#part:...) stay in WM, so after the promote loadImportManifest() cannot reliably read imp:key / imp:initialStatus from SWM and another node cannot resume the import. Promote the partition URIs alongside the import URI (chunked if needed).

[branarakic]

Addressed on this branch: createImportManifest now promotes the import root and every partition URI, chunked by ROOT_CHUNK.

[github-actions]

🔴 Bug: this appends the status event to the manifest assertion but never promotes it. That leaves progress updates in WM only, so peers will still see the old status and a resume from another node can restart already-finished partitions. Promote the partition/event roots after each status write, or use the direct SWM path if that's the intended visibility.

[branarakic]

Addressed on this branch: markPartitionStatus writes the status event and promotes it so progress becomes visible from SWM.

[github-actions]

🔴 Bug: SAMPLE(?status) is not correlated with MAX(?recordedAt). Once a partition has multiple events, this subquery can return the newest timestamp with an older status, so loadImportManifest() may report pending/failed for a partition that is actually done. Select the row with the max timestamp (for example via ORDER BY DESC(?recordedAt) LIMIT 1 per partition) instead of mixing independent aggregates.

[branarakic]

Addressed on this branch: loadImportManifest uses a latest-row selection pattern instead of SAMPLE plus MAX, so status and timestamp stay correlated.

[github-actions]

🔴 Bug: /api/query returns SPARQL-JSON binding cells ({ value, type, ... }) on the normal path, but this code treats row.key, row.part, row.latestStatus, etc. as raw strings. The returned manifest state will contain objects instead of strings and the sort/comparisons will misbehave. Normalize bindings through .value/.id first, the same way the other daemon clients do.

[branarakic]

Addressed on this branch: query bindings are normalized from SPARQL JSON cells through .value before sorting/comparing.

[github-actions]

🔴 Bug: promoting only evIri does not publish the partIri -> imp:statusEvent -> evIri triple you just wrote on line 266. assertion.promote({ entities: [...] }) only moves quads whose subject is one of those roots, so after a restart or a peer-side resume loadImportManifest() still sees no status events and treats every partition as pending. Promote both partIri and evIri here, or flip the edge so the event points at the partition.

[branarakic]

Addressed on this branch: markPartitionStatus promotes both partIri and evIri so the partition-to-event edge is visible to loadImportManifest.

[github-actions]

🟡 Issue: this test file only exercises pure helpers, but the risky behavior in this PR is the WM→SWM round-trip through markPartitionStatus()/loadImportManifest(). A regression in promote root selection will pass CI unnoticed. Please add an integration-style test that creates a manifest, marks a partition done, promotes it, and then verifies loadImportManifest() reads done back from shared memory.

[branarakic]

Addressed on this branch: added mock WM/SWM round-trip tests covering create, mark done, promote, and reload from shared memory.

[github-actions]

🔴 Bug: this helper is meant for resumable imports, but /api/assertion/create returns already exists on retries. A transient failure after the create succeeds, or a second process resuming the same import, will now fail before it can load progress. Please treat an existing manifest assertion as a successful reuse (or add an explicit ensure flow) so createImportManifest() is idempotent.

[branarakic]

Addressed in 3b04c99: createImportManifest now treats an existing manifest assertion as idempotent reuse and still runs the additive write/promote healing path.

[github-actions]

🔴 Bug: this "latest event" filter only excludes strictly later timestamps. recordedAt is only millisecond precision, so two status writes in the same ms both survive and you can return duplicate rows for one partition with nondeterministic status selection. Add a deterministic tie-breaker for equal timestamps (for example compare ?ev as a secondary key) or use a monotonic sequence instead of raw ISO timestamps alone.

[branarakic]

Addressed in 3b04c99: latest-event selection now uses the event IRI as a deterministic tie-breaker for equal millisecond timestamps, with a same-ms regression test.

[github-actions]

🔴 Bug: createImportManifest() rejects empty partition lists, so an empty binding set here means the manifest was missing or not visible in SWM, not that the import is complete. Returning { partitions: [] } will make resume callers skip all remaining work on a typo / wrong sub-graph / failed promote. Please fail loudly when no manifest rows are found, or explicitly verify that the import root exists before treating this as success.

[branarakic]

Addressed in 3b04c99: loadImportManifest now throws when no manifest rows are visible instead of returning an empty partition list, with a regression test.

[github-actions]

🔴 Bug: client.query() defaults to working-memory when no view/graph suffix is supplied, so this read will miss the manifest/status triples you just promoted to SWM. On a restart or peer resume, loadImportManifest() will report the manifest as missing even though it exists in shared memory. Plumb view: 'shared-working-memory' (or graphSuffix: '_shared_memory') through DkgClient.query and use it here, then update the mock/test to match the daemon's real default.

[github-actions]

🔴 Bug: the same-millisecond tie-break in loadImportManifest() orders by event IRI, but this suffix is random, not monotonic. If two status updates for the same partition land in one millisecond, the older one can win nondeterministically and regress the visible status. Use an order-preserving suffix (for example timestamp + per-process counter) or persist an explicit sequence field and sort by that instead of a random token.

[github-actions]

🟡 Issue: This copy-paste Python example is not runnable as written: it uses os.path.expanduser(...) without importing os, and it relies on port below without defining it. Add the missing setup (import os, a default port = 9200 or a function parameter) so the sample works when readers try it.

[github-actions]

🔴 Bug: client.query({ sparql, contextGraphId, subGraphName }) uses the legacy data-graph route, which targets did:dkg:context-graph:<cg>/<subGraph> rather than the sub-graph's shared-memory graph. Since this manifest is only written via assertion WM→SWM promotion, a real daemon query here will come back empty even after a successful promote. Route this through the SWM graph explicitly (graphSuffix: '_shared_memory' or equivalent) and add a regression test that matches the real DkgClient.query semantics.

[github-actions]

🔴 Bug: the same-millisecond tie-break in loadImportManifest() relies on later events sorting lexicographically higher by IRI, but this suffix is random. Two markPartitionStatus() calls in the same millisecond can therefore resolve to either status arbitrarily. Use a monotonic suffix/counter (or persist an explicit sequence field) so equal-timestamp events preserve write order.

[github-actions]

🟡 Issue: the default assertion name embeds raw importId, but assertion names reject /, whitespace, and other unsafe characters. importUri()/partitionUri() already accept arbitrary IDs via percent-encoding, so a caller can pass an importId that produces valid manifest URIs but makes /api/assertion/create fail here. Either sanitize the default assertion name or validate importId up front and throw a clear error.

[github-actions]

🔴 Bug: retries/resumes for the same importId will append a fresh imp:startedAt every time, so one manifest can end up with multiple conflicting start timestamps. Because this helper explicitly treats already exists as success, that retry path is normal. Preserve the original start time on reuse (or make it caller-supplied/stable) instead of regenerating it here.

[branarakic]

Fixed in 59532a3. On assertion reuse, createImportManifest now detects the 409 and suppresses a fresh imp:startedAt while still healing the root/partition triples. Added a regression that reruns create against an existing assertion and asserts the original startedAt triple is unchanged.

[github-actions]

🔴 Bug: fixed ROOT_CHUNK = 1000 batches can still exceed the daemon's /promote 256 KB body cap when partition URIs are long (deep paths, percent-encoding, GitHub-style keys). That makes manifest creation fail on large imports even though the new skill documents 413-aware splitting as part of the contract. This promote loop should be size-aware or halve-and-retry on 413.

[branarakic]

Fixed in 59532a3. Promote now batches roots by estimated JSON body size under the daemon cap and recursively splits/retries on 413, so long percent-encoded partition URIs do not blow up a nominal 1000-root chunk. Added a mock 413 regression for long partition keys.

[github-actions]

🟡 Issue: this regression test never asserts the sanitized assertion name it claims to cover. makeMockClient.request() drops the request body, so the test would still pass if createImportManifest sent the raw importId or omitted name entirely. Record the create payload in the mock and assert name === "import-manifest-corpus-2026-q1" so the regression is actually pinned.

[branarakic]

Fixed in 59532a3. The mock client now records request() payloads, and the sanitized-name regression asserts the create body sends import-manifest-corpus-2026-q1.

[github-actions]

🔴 Bug: This sanitization is no longer one-to-one. Different importIds such as a/b vs a b (and long IDs that only differ after the 240-char cutoff) both collapse to the same assertion name, so the later import will silently reuse the earlier manifest assertion and mix their progress/lifecycle state. Preserve uniqueness here, for example by appending a stable hash/encoded suffix whenever sanitization or truncation changes the original id.

[github-actions]

🔴 Bug: The new literal codec only escapes \\, ", \n, and \r. Partition keys/status values containing other valid RDF control escapes such as tabs are emitted raw here, which can make the manifest write invalid or read back corrupted. Please reuse the existing shared literal helper or extend both the encode and decode paths to handle the full N-Triples escape set consistently.

[github-actions]

🔴 Bug: markPartitionStatus() never checks that partitionKey was declared in the manifest. If a caller passes a typo or a new key, this write/promote succeeds, but loadImportManifest() will never surface that status because it only walks <import> imp:partition ?part edges created by createImportManifest(). That leaves the real partition looking permanently pending with no obvious error. Please validate membership before writing, or backfill/promote the partition declaration when it is missing.

[github-actions]

🔴 Bug: on the already exists path we blindly append whatever partitions array the caller supplies into the existing assertion. Reusing an importId with a different partition set will silently produce the union of old and new partitions, so resume logic can keep retrying stale entries from a previous run. Consider loading the existing manifest on reuse and failing fast when the partition set differs, or make additive extension an explicit opt-in.

[github-actions]

🟡 Issue: this cross-link is not reachable for installed users right now. The setup/install flows and the public skill endpoint still hardcode only skills/dkg-node/SKILL.md, so agents running via dkg mcp/openclaw/hermes setup will not have ../dkg-importer/SKILL.md available. Either ship the importer skill through those paths too, or keep the bulk-import guidance inline here until the extra skill is actually distributed.

[github-actions]

🔴 Bug: These retry examples check err.statusCode, but scripts/lib/dkg-daemon.mjs sets err.status on failed requests. Copied verbatim, the 413 branch never runs and the sample rethrows instead of halving. Please switch this snippet (and the similar one below) to the actual error shape or document a wrapper that normalizes it.

[github-actions]

🟡 Issue: The raw daemon route does not return 200 on duplicate POST /api/assertion/create; packages/cli/src/daemon/routes/assertion.ts maps already exists to HTTP 400. Only higher-level clients normalize that into an idempotent success. As written, this tells importer authors the wrong wire contract and can lead to broken retry handling.

[github-actions]

🔴 Bug: markPartitionStatus() recomputes the assertion name from importId on every write. If the manifest was originally created with a custom assertionName, a resumed importer that only knows importId will target a different assertion here and /api/assertion/:name/write will fail with not found. Because loadImportManifest() doesn't persist or return the actual assertion name, callers have no way to recover it later. Please either persist the chosen assertion name in the manifest and resolve it here, or remove the public assertionName override so the name is always derivable.

[github-actions]

🟡 Issue: this validates the partition key by loading and sorting the entire manifest on every status update. For the bulk imports this helper targets, that makes status tracking quadratic (in_progress + done across 10k partitions means 20k full SWM queries). Consider caching the declared partition set from createImportManifest()/loadImportManifest(), or replacing this with a narrower existence check / optional validation flag.

[github-actions]

Codex review skipped: filtered diff is 11370 lines (cap: 5,000). Please consider splitting this into smaller PRs for reviewability.