fix(dacs-directory): harden strict bundle verification#15
Conversation
|
One verifier edge case looks worth fixing before this lands. Finding:
But top-level Why it matters: a normal vetted bundle whose vet phase Suggested fix: include verified Other local validation on head
|
|
Good catch — fixed in |
mj-deving
left a comment
There was a problem hiding this comment.
Verified the ec82fb2 fix for my earlier finding.
The important path is now covered: verifiedPhaseRefs includes verified composite artifacts, and the new regression exercises a bundle whose phase attestationRef points at vetRecords[0].
Local validation on the PR head:
bun run setupbun run test-> 38 passedbun run typecheckgit diff --check origin/main...HEAD
Submission checklist
reference-implementations/.exercises-spec.What & why
Hardens the DACS directory’s strict deal verifier so signed artifacts count only when signer coverage, registered-copy identity, positional references, graph closure, and job/party bindings all agree. It also makes the browser verdict honest when cryptography is internally consistent but the copy has no registered address-role binding.
Changes
anchoredByRoleplus buyer/seller claims to the registered copy. Unregistered but internally consistent bundles show a neutrallimitedstate, not a verified result.Compatibility boundaries
The pinned legacy SDK cannot resolve/report non-empty ratings or amendments, so those legacy cases fail closed. Its strict helper still requires a phase
attestationRef; the current-profile graph honors the current contract’s optionality.Integration note
This branch was built and reviewed from
mainat07a008ain parallel with #14. The branches overlap in the indexer/evidence-graph tests; if #14 lands first, this branch will be rebased, conflicts resolved, and all validation repeated before merge.Validation
npm test— 37/37 passnpm run typecheck— passnpm run build— passTake or leave as useful.