Bump#48
Open
yapishu wants to merge 91 commits into
Open
Conversation
…w decoding error type
… to reduce fees for power-users
…for examining raw-txs, add batch writes to file driver, add file exts to http driver
* Sync from Nockup development repo. * Change to workspace. * Post with openssl
… some edge-case v0 notes
* Update README to remove status and development notes Removed pre-release status and development notes from README. * Fix URL branch reference in installation command * Add permissions for contents in release workflow
* Post new deploy chain. * Add pruning. * Add protobuf support * Add protobuf support * Add protobuf support * Tweak CI * Tweak CI * Tweak CI * Tweak CI * Fix nockup for new manifest format. * Adjust * Fix so build cleanup doesn't happen on PR.
* Post new deploy chain. * Add pruning. * Add protobuf support * Add protobuf support * Add protobuf support * Tweak CI * Tweak CI * Tweak CI * Tweak CI * Fix nockup for new manifest format. * Adjust * Fix so build cleanup doesn't happen on PR. * Fix install script and update old links to sigilante repo. * Fix last URLs
* Post new deploy chain. * Add pruning. * Add protobuf support * Add protobuf support * Add protobuf support * Tweak CI * Tweak CI * Tweak CI * Tweak CI * Fix nockup for new manifest format. * Adjust * Fix so build cleanup doesn't happen on PR. * Fix install script and update old links to sigilante repo. * Fix last URLs * Fix cleanup logic.
Stop a node that is demonstrably behind the chain tip from originating
any outgoing gossip until it has caught up. Previously every kernel
`%gossip` effect was fanned out to all connected peers unconditionally;
a syncing node would rebroadcast historic blocks, forward local tx
submissions, and emit mining output while still draining its deferred
backlog. This wastes bandwidth on both ends and pollutes the network
with stale/out-of-order traffic from nodes that are not yet at tip.
The suppression is keyed off the existing catch-up signal: gossip is
dropped exactly while `SyncMode::CatchingUp` holds, and resumes once
the node reaches `Tip`. It covers every outbound gossip variant
(heard-block rebroadcasts, heard-tx submission gossip, and future
kinds / mining output) — a catching-up node is intentionally quiet.
Changes by area:
catch_up.rs
- Add `CatchUpSignal::is_catching_up()` — true only in
`SyncMode::CatchingUp`, used as the suppression predicate.
- Add `CatchUpSignal::refresh_mode(now)` — recompute the mode with no
new signal input, so the `CatchingUp -> Tip` hysteresis timer can
expire on a read-side gate instead of only on the next block /
deferred event. Without this, a drained node could stay falsely
suppressed until unrelated traffic arrived.
p2p_state.rs
- Add `P2PState::should_suppress_outgoing_gossip()` — refreshes the
catch-up mode against the current clock (letting hysteresis lapse)
and returns whether we are still catching up.
- Add private `refresh_catch_up_mode(now)` that refreshes, republishes
catch-up metrics, and logs any mode transition.
- Drop the stale "Phase 1 / nothing reads this yet" note on
`catch_up_signal()` now that the driver consumes it.
driver.rs
- Classify the `%gossip` effect head as heard-block / heard-tx /
unknown (was a bare heard-block bool) for cache and logging.
- Under a single state-lock hold, clear the serve caches on a new
heaviest heard-block (unchanged bookkeeping) AND read both the
suppression decision and the behind-tip estimate.
- When suppressing, skip the per-peer SendRequest fan-out, trace the
kind + behind-tip estimate, and bump the new metric. Otherwise
broadcast as before.
metrics.rs
- Add `gossip_suppressed_behind_tip_total` counting effects dropped
due to catch-up suppression; expected to fall to ~0 at tip.
Tests
- catch_up.rs: hysteresis expires via `refresh_mode` with no new
input; `is_catching_up` true only in CatchingUp.
- p2p_state.rs: suppress only while catching up; suppression refreshes
hysteresis before reading.
- driver/tests.rs: generalize the gossip-effect builder to take an
arbitrary tag (`build_gossip_effect_with_tag`); new test asserts a
catching-up node fans out zero block/tx/mining gossip and bumps the
suppression metric by 2.
Build / CI (unrelated, batched into this import):
- .gitlab-ci.yml: add a `cargo-clippy` test job (skipped on push to
`open`, run on the MR) using the upstream lint flags.
- Makefile: add `check-cargo-fmt`, `clippy`, and `lint-local` targets.
- Cargo.lock: bump bitflags 2.11.1 -> 2.12.1 and log 0.4.30 -> 0.4.31.
FolderOrigin-RevId: /home/gitlab-runner/builds/Izlke1EJS/1/zorpcorp/nada
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Soundness hardening across the transaction/consensus path to remove
signature malleability, non-canonical encodings, and Rust/Hoon
interpretation drift.
Canonical encodings (anti-malleability):
- Hash::from_base58 / decimal_to_base_p reject out-of-domain values
(nonzero high quotient) instead of truncating, and reject
non-canonical base58 spellings (HashDecodeError::NonCanonical).
- CheetahPoint::from_base58 requires the 0x01 format-prefix byte
(CheetahError::BadPrefix) so a point's encoding is unique.
- Schnorr sigs: is_canonical() requires every 32-bit limb < 2^32 and
the verifier enforces 0 < {chal,sig} < g-order before curve math,
mirroring +verify:affine:schnorr; adds NonCanonicalSignature. Shared
belt_schnorr_t8_to_ubig uses the exact rap-5/cat-5 reconstruction.
Rust/Hoon decode parity:
- New collect_zmap_entries_strict errors on malformed treap nodes
instead of silently skipping them; wired into the v0/v1 decoders for
Lock, Balance, Inputs, NoteData, Witness, and Signature so malformed
input fails to decode rather than normalizing to a struct Hoon rejects.
Hoon validation:
- based:belt-schnorr checks each limb < 2^32; tx based arms now validate
note-data and hax-preimage values (not just keys) so malformed leaves
are rejected deterministically instead of crashing the id hash.
- BIP39 from-mnemonic validates word count, wordlist, and checksum;
wallet rejects invalid seed phrases on import.
- Wallet secret hygiene: stop logging raw extended/private keys; warn
on sign-hash signing an opaque digest with the spend key.
Jets:
- New belt-schnorr batch-verify jet (registered in CURVE_JETS) with the
same scalar-range checks; punts to Hoon on out-of-model input.
- tip5 jets guard on the default round count and punt otherwise to
avoid returning a 7-round digest where Hoon returns 5.
Tooling and ops:
- New vet_chain_signatures (read-only signature-invariant audit) and
bench_dumb_validation (validation-path profiling) binaries.
- Drop the poke wall-clock timeout so a slow host cannot turn 'still
validating' into a Nack; genuine livelock now surfaces via the
libp2p watchdog instead of masking as timeout returns.
- CI builds all kernels in parallel; release workflow gated to manual
workflow_dispatch.
FolderOrigin-RevId: /home/gitlab-runner/builds/Izlke1EJS/2/zorpcorp/nada
Co-authored-by: bitemyapp <[email protected]>
Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
Define a shared [workspace.lints] table in the root Cargo.toml that mirrors the flags applied at the CI cargo-clippy / bazel make-lint gates (-D warnings, -D clippy::unwrap_used, -A clippy::missing_safety_doc), and opt every member crate in via [lints] workspace = true. The warnings group is given priority = -1 so the explicit missing_safety_doc allow still wins, matching the -A-after-D-warnings ordering on the CLI. This surfaces the same lints locally and in-editor (cargo, cargo clippy, rust-analyzer) instead of only at the CI/bazel gate. Also guard the sync-to-nockchain workflow so it only runs outside the nockchain/nockchain repo, and bump which 8.0.2 -> 8.0.3 in Cargo.lock. Co-authored-by: bitemyapp <[email protected]> Co-authored-by: Claude Opus 4.8 (1M context) <[email protected]>
…d fix bridge pending base block handling (#44) This branch adds Roswell public proof conformance, zkVM Form proof verification, bridge withdrawal safety tooling, and expanded Hoon test coverage. Key changes: - Adds the new Roswell kernel and Rust harness: - New `crates/roswell` CLI/library. - New `crates/kernels/roswell` packaged kernel crate. - New `assets/roswell.jam` build target. - README instructions for running Roswell proof generation, proof checking, snapshots, stream windows, continuation assembly, and the public test suite. - Adds Roswell commands for: - Running CI/public Hoon suites. - Running crypto, dumb, wallet, zoon, bridge, and verifier tests. - Generating public puzzle proofs. - Creating proof snapshots and proof stream windows. - Reassembling proofs from streams or continuations. - Verifying complete proof jams. - Introduces native Rust zkVM Form proof support in `zkvm-jetpack`, including proof data structures, transcript/tog handling, FRI/STARK verifier math, Merkle proof checking, preprocessing, proof streaming, and verifier entry points. - Expands bridge withdrawal safety: - Adds optional manual operator approval before authorized withdrawal submission. - Adds sequencer config fields `manual_submit_approval` and `manual_submit_approval_dir`. - Adds `nockchain-bridge-sequencer-ctl` for listing pending approvals, showing approval facts, exporting authorized transactions, and writing approval records. - Stores and exports authorized transaction jams for operator workflows. - Defers withdrawal submission when approval files are missing, malformed, mismatched, or not explicitly approved. - Improves bridge Nockchain gRPC resilience by applying request timeouts to connect/peek operations so stalled private API calls become observable monitoring errors instead of hanging the watcher loop. - preflight incoming Base deposit settlements so missing Nock dependencies latch base-hold before any pending commit is staged. - wire --start bootstrap to peek pending-base-block-commit and send the repair cause when needed - Adds a broad Hoon test corpus under `hoon/tests`, covering bridge flows, withdrawal behavior, crypto primitives, wallet keygen/spend/tx-builder behavior, zkVM verification, zoon structures, consensus/dumbnet behavior, ASERT, h-zoon, transaction logic, and benchmark fixtures. - Updates workspace membership, lockfile/dependencies, Makefile targets, sequencer example config, and bridge/e2e harnesses to wire the new crates and test/proof workflows together. - Fixes the staging sync PR workflow by granting the Actions token pull request permissions and repo-qualifying the `gh pr` commands for `nockchain/nockchain-staging`. Validation: The branch adds Rust tests for Roswell conformance, bridge config parsing, manual approval behavior, authorized transaction export, withdrawal/hold flows, and Nockchain gRPC timeout handling, plus a large Roswell-driven Hoon suite. The full test suite was not run while preparing this commit message. For the CI workflow fix, `git diff --check` passes and the repo-qualified `gh pr list` command resolves the existing PR #44 locally. Co-authored-by: bitemyapp <[email protected]>
Squash the staged Nada bridge import and the sync workflow repair into one update on top of the current nockchain/nockchain master tip. This hardens the bridge withdrawal path across Base event ingestion, peer proposal validation, sequencer retry durability, and bridge-dev diagnostics. Withdrawal correctness: - Ignore refunded Base withdrawal burns in both observer ingestion and sequencer registration paths. - Preserve fixed-width 32-byte base_event_id values through Hoon/Rust atom roundtrips with a semantic BaseEventId type. - Fail closed on Base log/header mismatches instead of accepting ambiguous event provenance. - Require peer withdrawal proposals to reference safe, spendable bridge-owned inputs. Proposal and body validation hardening: - Reject withdrawal retry state that is missing durable authorized_raw_tx bytes instead of reconstructing retry bytes from authorized_transaction_jam. - Require bridge withdrawal lock-merkle proofs to be full LMPs for the single bridge spend condition: full proof, axis 1, empty path, matching witness data, matching metadata, and bridge-root hash consistency. - Enforce exact withdrawal fee conservation by checking recipient output amount, computed bridge withdrawal fee, and transaction fee against the burned amount. - Ground the conservation check in the decoded transaction output seed amount rather than proposal metadata alone. Bridge-dev and sync diagnostics: - Add BRIDGE_DEV_KEEP_RUN_ROOT=1 support so failed or flaky bridge-dev E2E runs can preserve logs and local run state for diagnosis. - Keep the staging sync PR workflow scoped to nockchain/nockchain-staging and grant pull-requests write permission so GITHUB_TOKEN can query existing PRs. Source MR validation: - make -B open/assets/bridge.jam - cargo fmt --check -p bridge - cargo fmt --check -p bridge-dev - git diff --check - cargo check -p bridge --tests - cargo test -p bridge --lib trailing_zero -- --nocapture - cargo test -p bridge --lib withdrawal_id_from_proto_rejects_short_base_event_id -- --nocapture - cargo test -p bridge --lib bridge_kernel_black_box_filters_withdrawal_burns_below_nick_floor -- --nocapture - cargo test -p bridge --lib roundtrip -- --nocapture - cargo test -p bridge --lib refunded_withdrawal -- --nocapture - cargo test -p bridge load_authorized_transaction_for_retry -- --nocapture - cargo test -p bridge --lib withdrawal::validation::tests -- --nocapture - cargo build --release -p bridge -p bridge-dev - cargo build --release -p bridge -p nockchain-bridge-sequencer -p nockchain-wallet - cargo test -p bridge --test withdrawal_tests -- --nocapture - cargo test --release -p bridge-dev --test scenarios withdrawal_happy_path_reaches_executed -- --ignored --test-threads=1 --nocapture - Bridge-dev withdrawal E2E suite passed after rerunning two live-environment restart/readiness flakes individually. Notes: - open/assets/bridge.jam was rebuilt locally for the Hoon change in the source branch, but jam assets are ignored here; deploy and build pipelines must rebuild bridge.jam from committed Hoon source. - R2-backed recovery coverage remains gated by BRIDGE_R2_RUN_E2E=1 and object-store credentials.
Squash the latest Copybara import and the follow-up sync-workflow restore into one staging commit on top of the current nockchain/nockchain master tip. Bazel workspace support: - Add the root Bazel module, pinned Bazel version, Bazel rc defaults, workspace BUILD aliases, and generated MODULE.bazel.lock. - Add Bazel BUILD files across the Rust crates, Hoon sources, kernel jam assets, bridge contracts, test fixtures, and workspace tools. - Wire rules_rust crate_universe to the committed Cargo.toml/Cargo.lock pair and register the pinned nightly Rust toolchain. - Add in-tree Hoon jam rules plus Foundry and protoc toolchains needed by the Bazel graph. - Add Makefile entry points and README docs for bazel build //..., bazel test //..., kernel jam compilation, and optional clippy checks. Export and CI behavior: - Track Bazel output paths and local Bazel overrides in ignore files. - Teach the GitLab open-sync merge-train gate to skip already-validated expensive jobs. - Stop regenerating Cargo.lock during sync-to-staging; require the exported lockfile so Bazel crate_universe sees the same dependency versions. - Restore the GitHub staging sync PR workflow body so this import does not carry the Nada-side workflow text change. Libp2p catch-up hardening: - Release gossip processing claims on kernel ack when no seen effect is emitted, matching the request-response routing path. - Store processing claims with timestamps and expire stale block/tx claims after PROCESSING_CLAIM_TTL so leaked gates degrade into short delays instead of permanently freezing catch-up. - Add coverage for stale processing claim expiry and keep seen-cache dedupe authoritative after expiry. Dependency lockfile: - Carry the lockfile versions exported from the monorepo so the open/staging repository remains aligned with the Bazel dependency graph.
Import the bridge hardening and Bythos withdrawal coverage from zorpcorp/nada!2632, then adjust the staging sync workflow copy to identify Copybara-generated PRs. Key changes: - Make base block commit ACK pokes blocking and remove the local ACK timeout. While an ACK is outstanding, heartbeat warnings keep operator liveness visible during long-running pokes. - Remove the stale pending-base-commit repair poke/cause and the pending-ACK retry/backoff path. On boot, pending unacked commits are recovered by peeking durable pending state, tracking the affected withdrawals, and issuing the normal blocking ACK path. - Replace string-coupled retry classification with typed runtime transport errors. Channel closure and dropped-response failures now surface as concrete runtime transport errors instead of blanket withdrawal retry behavior. - Accept legacy stub bridge withdrawal lock-Merkle proofs while preserving bridge-lock validation. Withdrawal raw transactions are canonicalized through protobuf before submission, and stub proof raw-tx hashing now aligns with canonical tuple hashing. - Expand wallet word-count and fee coverage for stub, full, mixed stub/full, and minimum-fee-floor cases, including Hoon oracle coverage for create-withdrawal-tx mixed-input withdrawal spends. - Add bridge-dev Bythos-phase plumbing and ignored live scenarios for pre-Bythos deposits, post-Bythos deposits, and mixed pre/post-Bythos withdrawal inputs. - Update the staging sync PR workflow body text so automated sync PRs identify Copybara as the upstream import mechanism. Upstream validation from zorpcorp/nada!2632: - make -B open/assets/bridge.jam - make -B open/assets/roswell.jam - make -B open/assets/bridge.jam open/assets/roswell.jam assets/roswell.jam - cargo build --release -p bridge -p nockchain-bridge-sequencer -p nockchain-wallet - cargo fmt --check -p bridge -p bridge-dev -p nockchain-types -p wallet-tx-builder - cargo fmt --check -p bridge - cargo test -p bridge canonicalize_raw_tx_for_submission_recomputes_embedded_id -- --nocapture - cargo test -p nockchain-types lock_merkle_proof_stub_raw_tx_hash_ignores_axis_but_full_includes_it -- --nocapture - cargo test -p wallet-tx-builder lmp -- --nocapture - cargo test -p wallet-tx-builder pre_bythos_bridge_multisig_stub_fixture_fee_matches_hoon_oracle -- --nocapture - cargo test -p bridge-dev activation_height_overrides_parse_optional_u64s -- --nocapture - cargo test -p bridge --test withdrawal_tests test_withdrawal_suite -- --nocapture - cargo test -p bridge blocking_poke -- --nocapture - cargo test -p bridge --lib base_block_commit_ack_heartbeat -- --nocapture - cargo test -p bridge pending_base_commit -- --nocapture - cargo test -p bridge validate_withdrawal_transaction_body_accepts_stub_lock_merkle_proof -- --nocapture - cargo test -p bridge send_base_block_withdrawals_committed_waits_for_blocking_ack -- --nocapture - cargo test -p bridge recover_pending_base_block_commit -- --nocapture - cargo test -p bridge bootstrap_start_recovers_pending_with_tracking_and_ack -- --nocapture - BRIDGE_DEV_RUN_E2E=1 BRIDGE_DEV_KEEP_RUN_ROOT=1 BRIDGE_DEV_E2E_PORT_OFFSET=24526 cargo test -p bridge-dev --test scenarios withdrawal_happy_path_spends_mixed_pre_and_post_bythos_bridge_deposits -- --ignored --nocapture --test-threads=1 - git diff --check Source: https://gitlab.com/zorpcorp/nada/-/merge_requests/2632 FolderOrigin-RevId: /home/gitlab-runner/builds/Izlke1EJS/1/zorpcorp/nada Co-authored-by: bitemyapp <[email protected]>
Recover withdrawal proposals that can become stranded when local bridge state drifts from the sequencer-owned pending epoch or when a provisional prepared attempt times out before canonicalization. Summary: - Reconcile bridge-local pending rows with the sequencer's pending epoch before local assembly chooses the next request to stage. - Reconcile provisional prepared rows against the sequencer's pending epoch and handoff metadata before proposing locally or validating peer proposals. - Advance the sequencer-owned pre-canonical handoff when a prepared attempt times out, allowing the next owner to retry in the same epoch behind a shared handoff barrier. - Keep same-epoch prepared hash replacement rejected until handoff reconciliation explicitly clears the stale prepared row. - Reset prepared rows with local-only epoch drift back to the sequencer's pending epoch so replacements do not get stuck behind stale local bookkeeping. - Update the withdrawal design notes to document same-epoch prepared handoff, pending epoch reconciliation, and stale prepared-row clearing. Coverage: - Add restart coverage for same-epoch replacement rejection before handoff reconciliation and acceptance after stale prepared rows are cleared. - Add assembly tests for stranded pending and prepared rows reconciling to the sequencer epoch. - Add transport tests that peer proposal validation reconciles stale pending epochs and accepts replacement proposals only after sequencer handoff state allows it. Validation: - cargo fmt --check -p bridge - cargo test -p bridge withdrawal::proposals -- --nocapture - cargo test -p bridge withdrawal::transport -- --nocapture - cargo test -p bridge withdrawal_assembly_tick -- --nocapture - No Hoon changes; jam assets were not rebuilt. Co-authored-by: bitemyapp <[email protected]>
Add cross-compilation support for Linux x86_64 release binaries from any host (notably macOS) via cargo-zigbuild, plus a tidy-up of the Docker build assets. Cross-compilation (tools/zig/ + Makefile): - zig_cc_linker.sh: zig cc/linker wrapper that resolves a hermetic Zig (ZIG_EXE -> Bazel-staged rules_zig -> zig on PATH), sets writable cache dirs for sandboxed builds, normalizes Rust-style target triples, and strips/translates GCC-specific linker flags that zig cc rejects. - zig_ar.sh / zig_ranlib.sh: AR/RANLIB wrappers around Zig's LLVM ar/ranlib. tikv-jemalloc-sys builds via autotools that read plain AR/RANLIB, so without these the host (macOS) ar silently drops cross-compiled ELF objects, yielding an empty libjemalloc.a and undefined mallocx/rallocx/sdallocx at link time. - Makefile: wire the wrappers in via zigbuild_aws_lc_env and add targets zig-build (nockchain w/ jemalloc, wallet, peek), zig-build-nockchain-api, zig-build-nockchain-bridge-sequencer, zig-build-bridge, and zig-build-roswell, all against the glibc 2.39 floor (ubuntu:24.04). Docker reorganization: - Move Dockerfile, docker-compose.metrics.yml, and telegraf.conf into docker/; add docker/Dockerfile.dockerignore; drop the root .dockerignore. - Update Makefile (docker build -f docker/Dockerfile, DOCKER_METRICS_COMPOSE path) and the NOCK-PMA.md doc reference accordingly. FolderOrigin-RevId: /home/gitlab-runner/builds/Izlke1EJS/0/zorpcorp/nada
Increase the per-peer request rate-limit threshold (and the per-IP-bucket request admission limit it feeds via IP_BUCKET_REQUEST_ADMISSION_LIMIT) from 60 to 256 requests per REQUEST_HIGH_RESET window. The previous value of 60 was too low and throttled legitimate peers during normal request/response traffic.
Two unrelated changes from the upstream import: nockchain-libp2p-io (driver.rs, tests.rs): - Drop the finite initial-peer retry budget (initial_peer_retries / initial_peer_retries_remaining). With zero connected peers we now redial seed peers forever instead of giving up after N attempts. - Replace the fixed retry count with exponential backoff between redial attempts, capped at INITIAL_PEER_REDIAL_MAX_INTERVAL (1h). reset_after is called every tick to hold the backoff cadence; the backoff resets to the base interval once peers connect (so a later disconnect retries promptly again). - Update should_redial_initial_peers and its tests to drop the retry-budget argument. hoon/apps/dumbnet (inner.hoon, lib/asert, consensus, derived, miner): - Add ~% / ~/ jet-registration hints across the inner kernel arms and the asert, consensus, derived, and miner libraries so these gates can be jetted. - Restructure +poke to wrap its body in a ~%-hinted %poke-helpers core (=< $ over |% ++ $) so the arm and its helpers carry jet hints. FolderOrigin-RevId: /home/gitlab-runner/builds/Izlke1EJS/0/zorpcorp/nada Co-Authored-By: Claude Opus 4.8 <[email protected]>
The node deleted .nockchain_identity and generated a fresh peer ID on every boot (no_new_peer_id defaulted to false). Peers that still mapped the node's IP to its old peer ID rejected it with wrong-peer-id and IP-banned it (repeated-wrong-peer-id, up to 6h), isolating the node from the network and stalling it behind the chain tip. Default to persisting the existing identity. Add --new-peer-id to force a fresh one; keep --no-new-peer-id as a backward-compatible no-op (now the default). Co-Authored-By: Claude Opus 4.8 <[email protected]>
The tx-admission check materialized the entire key-set of the heaviest block's balance (the full UTXO set) via ~(key h-by ...) on every heard transaction, then silted the tx's few inputs and diffed against it -- O(n log n) plus n allocations per tx, work proportional to the whole chain's notes rather than to the transaction. Probe the balance map directly instead: ~(all z-in input-names) with a jetted ~(has h-by balance) lookup per input. O(k log n) where k is the tx's input count (tiny) and n is the UTXO set. The same hoist applies to the dropable-txs GC fold, which no longer builds the key-set at all. Semantically equivalent: "input present in balance map" is identical to "input name in key-set of balance map", since the set was exactly ~(key h-by balance). Empty input lists stay vacuously true; duplicate input names are probed independently. The now-unused get-cur-balance-names arm is removed. Validated: roswell test-dumb 252/252 OK, including test-pending-accepts-inputs-in-heaviest-balance and the v1 variant. Co-Authored-By: Claude Opus 4.8 <[email protected]>
Report of changes: - Expose additional open zkVM hot-state jets for base58 encoding, Cheetah point serialization, array/Mary helpers, base-field and extension-field arithmetic, polynomial FFT/IFFT/intercosation, Tip5 hashing, Merkle heap construction, and Zoon map/set operations. - Add backing nockchain-math primitives for base and extension polynomials: inverse FFTs, intercosation, fast extension-field multiplication, quotient helpers, Mary layout/conversion helpers, and direct Tip5 hash/sponge entry points. - Optimize Tip5 by adding direct ten-cell and varlen hashing paths, shared absorb/squeeze helpers, Montgomery round constants, and a cyclotomic MDS implementation covered against the dense reference. - Refactor zkVM prover/verifier math so NTT precomputation, degree processing, Merkle heap building, challenge decoding, and composition evaluation are reusable from the open jet layer. - Harden compute_deep and related jets with explicit input-shape errors/fallbacks instead of panics, keep non-default Tip5 round vectors on the interpreted path, and remove the open verifier backend selector that only resolved to baseline. - Add Roswell proof-snapshot-for so callers can create proof snapshots for caller-supplied version/header/nonce/length inputs. - Update build/toolchain support for nightly-2026-04-03 / rustc 1.96, align Clippy allowances between Cargo and Bazel, add smallvec to nockchain-math, and patch Bazel crate builds for aws-lc-sys and tracy-client-sys under macOS/Nix/Bazel. - Clean up now-unneeded feature gates, tune an e2e dead-process test timeout, and silence an unused retry error binding. Diffstat: - 54 files changed - 3,425 insertions - 1,171 deletions Validation: - Not run locally in this metadata-only amend. FolderOrigin-RevId: /home/gitlab-runner/builds/Izlke1EJS/0/zorpcorp/nada Co-authored-by: bitemyapp <[email protected]>
Introduce a backbone module and round-robin dialing for built-in backbone peers. Added crate::backbone with BACKBONE_NODES and DEFAULT_BACKBONE_PEER_COUNT (and tests). Updated the libp2p driver to accept backbone_peers and backbone_dial_count, pick a randomized start cursor, and dial a rotating window via next_backbone_window; redial logic now considers backbone peers as well. Removed the old REALNET_BACKBONE_NODES constant from config and wired backbone peers into init. Also added unit tests for the new windowing behavior and updated wallet defaults (README and CLI default public endpoint) to 23.252.122.18:5556.
Introduce CLI commands to list notes for a watched multisig in CSV and to show its aggregate balance. Rust changes: add Commands variants (ListNotesByMultisigCsv, ShowBalanceMultisig), wire them into main dispatch, implement Wallet helpers (watch_multisig, build_multisig_args, list_notes_by_multisig_csv, show_balance_multisig) and adjust TAS/slab handling and validation for multisig args. Hoon changes: add new tags in types, a resolver (watch-first-name-by-b58), reuseable multisig-first-name builder, update do-watch-address-multisig to use it, and add do-list-notes-by-multisig-csv and do-show-balance-multisig implants to produce CSV output and a balance summary for watched multisigs. Also update .gitignore to ignore .DS_Store and notes-*.csv.
Add a .githooks/pre-commit hook that runs cargo fmt and (unless SKIP_CLIPPY=1) cargo clippy --fix on staged Rust files, then stages any fixes so they land in the commit. Add Makefile targets: clippy-fix (apply clippy autofixes) and install-hooks (set core.hooksPath -> .githooks). Apply minor style/import/formatting cleanup across crates (driver.rs, wallet/src/main.rs, backbone.rs) consistent with rustfmt/clippy fixes.
Replace references to the old GitHub organization 'zorp-corp' with 'nockchain' across documentation. Updates include the repo clone URL and internal nockvm links in README.md, crates/nockapp/README.md, and crates/nockvm/rust/murmur3/README.md to reflect the repository/organization rename; no functional code changes.
Add a new CLI command (create-multisig-tx) and plumbing to support planner-backed m-of-n multisig spends. Introduces MultisigLockContext and parsing/validation of --threshold and --participants, reconstructing the canonical SpendCondition and lock_root; builds a multisig payload passed to the kernel so notes whose data omit the lock can be spent. Adjust create_tx planner flow to use a LockRootLockMatcher when multisig context is present, and default refund behavior to return change to the multisig lock when no refund PKH is supplied. Add multisig noun encoding for the kernel, hoon types and wallet changes to accept a supplied input lock, and unit tests validating multisig lock reconstruction and input validation.
Support protocol-fund (014-aletheia) coinbase notes that carry an unsatisfiable wrapped %pkh first-name by adding a canonical fund-note-firstname constant and the corresponding fund-multisig-lock. Route spends whose on-chain first-name matches this constant to a new check-multisig-lock routine that binds the witness-revealed spend-condition to the expected fund lock-root and validates its m-of-n primitive. Update wallet and utils to watch and resolve the wrapped fund note first-name to the real multisig for signing. Add a script to regenerate the fund-note-firstname, and extend unit tests to pin the firstname/multisig constants and exercise valid/invalid recovery flows. Also ignore /txs in .gitignore.
Adds a `--notes-csv` option to `create-tx` and `create-multisig-tx` that reads candidate notes from a previously-downloaded CSV (written by `list-notes-by-address-csv` / `list-notes-by-multisig-csv`) instead of re-downloading the balance. After the transaction is created, notes actually spent are removed from the CSV so they are not reselected on a future run. Also adds bridge-deposit recipient support to the CLI help text and updates the `--recipient` argument description to document all supported JSON kinds (p2pkh, multisig, bridge-deposit).
Extend `LockRootLockMatcher` to optionally accept protocol-fund coinbase-wrapped first-names derived from multisig lock roots, and use that path in wallet tx planning for multisig spends. This fixes note selection for fund notes while preserving direct lock-root matching behavior, with focused tests covering wrapped-name derivation, selection, regressions, and opt-in behavior. Also reduce log noise by downgrading PMA shutdown flush logs to `debug` and removing redundant "Command executed successfully" info logs in the wallet CLI.
Add a fail-fast block-size guard for create-tx planning and only commit notes-CSV reservations when a real `.tx` file was written. This prevents spending time building unmineable oversized transactions and avoids dropping notes when the kernel rejects the poke without producing output.
Update the wallet tx builder to split v1 fees evenly per input note (with ceiling division) and charge each note before gift allocation, while preserving at least one seedable unit per spent note. This fixes cases where fee-only notes were previously dropped without crediting fee, causing false "insufficient funds" failures. Tests were updated across spend, edge-case, m-to-n, and multisig suites to reflect the new behavior and assert fee totals and conservation instead of expecting those failures.
Implements and registers a new `sign_affine_jet` for `+sign:affine:schnorr:cheetah`, including deterministic signing logic that mirrors Hoon semantics and punts on guard/input mismatches to avoid divergence. Adds comprehensive Rust tests (known-answer vectors, sign/verify roundtrips, guard violations, and jet wrapper coverage) and introduces matching Hoon KAT fixtures/tests to pin byte-identical `[chal sig]` outputs.
Replace tape/string interpolation with cord-based concatenation (rap/cat, bloq 3) in +transaction display. String interpolation with {} on large note cords dominated create-tx time (~22s at 100 inputs); cord concatenation is linear.
Also adds +format-nocks to render amounts as 'X nocks Y nicks' instead of raw nicks, updates note display accordingly, and adds jet hints (~%/~/) throughout wallet-utils for performance.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.