docs(proposals): fiber/asset authoring ergonomics + F7 auth-gap test #192
Open
ottobot-ai wants to merge 1 commit into
Conversation
Improvement program from the friction discovered authoring the riverdale-economy e2e (6 fibers, 2 versioned packages, real asset custody, all hand-written JSON-Logic).

docs/proposals/fiber-ergonomics/:
- README.md — findings catalog (F1-F10), proposal index, and a risk-ascending safe-improvement roadmap (P0 docs → P1 validator → P2 SDK templates → P3 genesis std-lib → P4 targeted model changes) with the signed-canonical (rule #1) + combine-only-lineage (rule #3) + additive-first guardrails.
- 00-sdk-stdlib-and-templates.md — the SDK-repo HANDOFF: typed builders that emit canonical defs/policies/effects + a genesis-loaded std-lib so apps stop hand-rolling. (Reframed: the SDK already ships defineFiberApp/effect/guard builders — extend + adopt, not build-from-zero.)
- 01-authoring-safety.md — offline definition validator (var-path resolution, reserved-_-key validation, reachability, conformance) + state-shape defaults.
- 02-asset-effect-ergonomics.md — canonicalize the _transferAsset recipient, illuminate the fiber/wallet custody boundary (without removing R1).
- 03-cross-fiber-and-authorization.md — the auth matrix, the trigger-vs-read dependency asymmetry, and the F7 enforcement gap (below).

KEY FINDING (F7) — a likely transition-authorization gap, settled by test: the owner gate DIVERGES by code path. Validator.validateSignedUpdate REJECTS a non-owner transition, but Combiner.insert APPLIES it (no owner check; guard is the only gate). The live ML0 path follows the combiner, so in production transitions are effectively guard-only-gated. Confirmed by the new TransitionOwnerGateDivergenceSuite (passes); the pre-existing MultiPartyTransitionSigningSuite already encodes both halves and is self-contradictory.

Proposed fix: enforce signer-auth in the COMBINER (graceful CombineRejected, rule #3-safe), then layer an opt-in transitionPolicy dial — with the breaking-change default-choice left as the lead open question.

Docs only (+ one regression test). No chain behavior changed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01R5TUSJPD8FCtJagf7siXgt
A proposal program to fix the authoring friction discovered building the riverdale-economy e2e (6 fibers, 2 versioned packages, real asset custody — all hand-written JSON-Logic). Docs only, plus one regression test. No chain behavior changed.

docs/proposals/fiber-ergonomics/
- defineFiberApp/effect/guard builders — so it's extend + adopt, not build-from-zero.
- _-key validation, reachability, conformance) + state-shape defaults. The static conformance check strong-typing-and-conformance.md §3 specified but was never built.
- _transferAsset recipient (bare string → also accept the AssetHolder object), illuminate the fiber/wallet custody boundary (without removing R1). Found a third holder encoding (holderJlv).

The owner gate diverges by code path:
- Validator.validateSignedUpdate(non-owner transition) → Invalid (gate enforced here)
- Combiner.insert(same transition) → applied (no owner check; the guard is the only gate)

The live ML0 path follows the combiner, and the riverdale e2e (distinct keys: alice creates, bob transitions) saw bob's transition apply — so in production, primary transitions are effectively guard-only-gated; the validator's owner gate isn't reached/enforced before combine.

- TransitionOwnerGateDivergenceSuite (passes: validator rejects bob, combiner applies bob) — runs in the Unit Tests lane.
- MultiPartyTransitionSigningSuite already encodes both halves and is self-contradictory ("a counterparty can sign" via the combiner vs "an unauthorized third party cannot" via the validator).

Proposed fix: enforce signer-auth in the combiner (graceful CombineRejected, rule #3-safe), then layer an opt-in transitionPolicy dial there. The breaking-change default-choice (today's live behavior is guard-only; tightening to owners-or-participants would break the multi-party "counterparty can sign" design) is left as the lead open question for maintainers.

This finding is the product of the parallel/adversarial review — a single pass would have published it wrong either way (my "not gated" vs the first draft's "gated"). The test-confirmed truth is the gate exists but isn't enforced where it counts.
🤖 Generated with Claude Code