Release 1.2.0#1787
Conversation
Co-authored-by: dehed <david.lachmish@gmail.com> Co-authored-by: Itay Levy <itaylevy134@gmail.com>
…ly when some validators receive the start event before receiving the network key (#1425)
…ive session's message before its start event (#1427)
… in the threshold not reached test (#1450)
…ined the committee in the epoch switch test (#1460)
Deep review of the 1.2.0 release diffProduced by a 14-dimension multi-agent review of the full ika 1.2.0 Release Review — origin/main...origin/dev (final report)Scope: full release diff (~45 PRs), fourteen subsystem reviews, adversarially verified findings, plus targeted re-verification done for this report (chain-anchor tags, blending first-element in cryptography-private @ Bottom line: dev is NOT ready to merge to main as 1.2.0. Two confirmed blockers would take down the live network — one wedges mainnet/testnet in a network-wide crash loop at the first epoch reconfiguration, the other breaks consensus interop with 1.1.8 peers within seconds of the first upgraded validator restarting. Both have small, well-understood fixes. Two more must-fix items (a v3 behavior change in Schnorr presign timing, and the version bump the tag pipeline hard-requires) round out the gate list. 1. Final ranked findingsDuplicates merged across dimensions (noted per entry). Severity reflects verifier votes where they adjusted. GATES = must fix before dev merges to main; ROLLOUT = must be done before the mainnet tag/restart but can land as release-process work; v4-GATE / v5-GATE / OCS-GATE = must fix before that feature ever activates (ships dark in 1.2.0); FOLLOW-UP = fix on normal cadence. 1.1 Release-gating (GATES / ROLLOUT)G1. BLOCKER (confirmed, chain-verified twice) — Deployed network keys are V1-tagged on chain; both reconfiguration input builders panic on them. G2. BLOCKER (confirmed twice, independently by two dimensions) — Ungated G3. MAJOR (confirmed) — G4. MAJOR (confirmed) — Release cannot be tagged: workspace version is 1.1.9 and G5. MAJOR (confirmed twice) — No automated coverage of the exact rollout-day combination: 1.2.0 binary + 1.1.8-era old-style config. G6. MINOR (confirmed) — Systemic pattern behind G2/G3: all ~45 new config values injected into the base config (visible at v1..3), contra the file's own "never modify a pre-existing protocol version" invariant. 1.2 Must fix before protocol v4 activates (ships dark in 1.2.0)V1. MAJOR (confirmed 4x) — Freeze carry-forward silently degrades to announce-only on a missing/unreadable prior-epoch handoff cert; async, non-retrying joiner bootstrap lets the freeze fork the frozen set. V2. MAJOR (confirmed) — Ready-signal canonicalization filters against the wall-clock-timed local announcements table; recorded freeze inputs diverge for relayed joiners. V3. MAJOR (confirmed) — Restart after own EndOfPublishV2 sequenced permanently loses the expected-attestation install; post-restart peer signatures buffer forever, close round diverges. V4. MAJOR (confirmed; one verifier: minor) — v4 close's handoff-cert gate is not a pure function of the consensus sequence; a divergent-attestation validator closes at the grace×4 backstop and forks its local final checkpoints. V5. MAJOR (confirmed; one verifier: minor) — One unverifiable V6. MINOR (confirmed; verifier-downgraded from major) — Process-static NetworkKeyId mapping wedges cert-gated adoption for any non-seeded key after a restart. V7. MINOR (confirmed; both verifiers downgraded from major) — V8. MINOR (confirmed) — Internal-presign refill gate has no release path on a permanently failed session; MINOR — NOA-signing-key selection tie-breaks on HashMap iteration order. V9. MINOR (confirmed) — VSS derivation 1.3 Before the NOA/v5 flag ever ships (not deployed at all)N1. MAJOR (confirmed) — NOA store status-transition panics assume local lockstep with quorum; the documented restart-replay recovery path deterministically panics. N2. MINOR (confirmed; verifiers downgraded from major) — N3. MINOR (confirmed) — remaining NOA items, batched: no domain separation in signable bytes ( 1.4 OCS opt-in verified-reads paths (config-shape gated; not active on mainnet configs)O1. MAJOR (confirmed) — Direct-node fold caches object bytes not bound to the proven object ref: malicious-fullnode cache poisoning, sticky forged state, permanent read wedge. O2. MAJOR (confirmed) — Changeset currency gate silently dead on any pruned (i.e. real) chain, O5. MINOR (confirmed/unverified) — OCS hardening batch: pusher permanently skips a checkpoint on any transient fetch error at debug level ( 1.5 Test-infra: fix before a green run is used as upgrade evidenceT1. MAJOR (confirmed) — Malicious-cross-binary detection is satisfiable by the faulty validator's self-report; honest 1.1.8 binaries don't even export the gauge. T2. MAJOR (confirmed) — Sign-flow integration tests never check T3. MAJOR (confirmed) — v118 "pre-activation-window" probe is not pinned to protocol v3; timing drift silently degrades the mainnet-deadlock rehearsal into an ordinary v4 pool test. T4. MINOR (confirmed) — test hygiene batch: removal test asserts nothing about removal and 1.6 SDK / docs / CI hygieneS1. MAJOR (confirmed; gates next npm publish, not the validator release) — S2. MINOR (confirmed) — SDK/docs batch: default poll timeout silently 30s→10min for all S3. MINOR (confirmed) — CI/docs batch: main-only S4. MINOR (confirmed) — Spec-staleness batch (one docs PR): merged: both handoff deferred-close drift findings + the remaining specs-vs-code minors. Update 1.7 Disputed / refuted — recorded so they aren't re-litigatedD1. DISPUTED→effectively refuted — external presign D2. DISPUTED — validator accepts v4/v5-only consensus kinds at any protocol version. Refuted-on-verification suspicions retained in the record (no action): bootstrap 2. Cross-PR interaction analysisRisks that exist only because of combinations of changes in this release:
3. Top refactor suggestions (value ÷ effort, descending)
4. Release verdictNot ready to merge. Required before dev → main: Must-fix code changes (GATES):
Release-process requirements (ROLLOUT):
CI suites that MUST be green on the fixed dev head before merge (workflow file → scenario/filter, all present on dev):
( After merge, tracked follow-ups by activation gate: V1–V9 before any protocol-v4 activation vote; O1–O5 before any OCS opt-in deployment (take O1's one-line fix now); N1–N3 before the v5/NOA flag; S1 hard-gates the next npm publish of the SDK; T-batch before the next time these suites are cited as upgrade evidence. The underlying engineering in this release is largely disciplined — the verified-reads trust chain, the epoch-close lock gating, the batch-loop and silent-skip hygiene, and the deterministic-tally fixes all held up under adversarial review. The two blockers are both single-point gating omissions against a correctly-gated backdrop, which is exactly why they are fixable in days: the patterns to copy are already in the same files.Appendix: completeness audit (files outside the 14 review scopes)One flagged question is already resolved: Remaining checks the review scopes did not own:
All other changed files fall inside the 14 dimension scopes; with the items above, coverage is complete. 🤖 Generated with Claude Code |
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
# Conflicts: # .github/workflows/integration-tests-ci.yaml # .github/workflows/test-cluster.yaml # .github/workflows/ts-integration-tests.yaml # .github/workflows/upgrade-test.yaml
…doption deadlock (#1789) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
…they claim (#1790) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
#1791) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
…yle YAMLs for every role (#1792) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
…ead fork-residue metrics (#1793) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
… dev (#1794) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
…tor_info fails to decode (#1795) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
… reconfiguration path (G1) (#1798) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
… (G2+G3) (#1797) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
…main (v4) reconfiguration path + one-time V1->V3 anchor migration (#1799) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
#1796) Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
…cryptography-private Point the seven crypto crates (mpc, proof, class_groups, commitment, twopc_mpc, group, homomorphic_encryption) at dwallet-labs/inkrypto @ 0572d6c (latest main) rather than cryptography-private @ 32a27aa. inkrypto main mirrors the latest cryptography-private file-by-file, so the full workspace builds unchanged against it — no source changes required (dev already carries the Blake2b256 HashScheme handling). Repoint both workspace locks (root Cargo.lock and the excluded sdk/ika-wasm/Cargo.lock) to inkrypto, and update the CI/Docker url.<ssh>.insteadOf rewrites (setup-ssh action, release workflow, all three Dockerfiles) plus the release-doc deploy-key note so private-repo cloning targets inkrypto. NOTE: the CI GH_DEPLOY_KEY must be granted read access to dwallet-labs/inkrypto for CI/Docker builds to fetch it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Closing — superseded. |
Release 1.2.0: merges everything on
devintomainfor the mainnet binary upgrade 1.1.8 -> 1.2.0 (~45 PRs).Upgrade-compatibility posture
v118_upgrade/v118_churnscenarios.What's in this release
Network-key lifecycle & reconfiguration
NetworkKeyIdfor the cross-epoch handoff (feat(dwallet-mpc): content-derived NetworkKeyId for the cross-epoch handoff #1773)Off-chain validator metadata & committee
OCS — verified Sui reads over an untrusted relay
Signing & presign
Robustness fixes
Test & CI infrastructure
dev-docs/engineering knowledge base with behavioral specs (docs: dev-docs/ engineering knowledge base, slimmer CLAUDE.md, enforced Sui-pin consistency #1738)Pre-merge validation
A deep multi-agent code review of this full diff is running; findings will be posted as a comment on this PR. Required green before merge (on
devafter the prep PR lands):upgrade-test.yaml— scenariosv118_upgrade,v118_churn,cross_binarytest-cluster.yaml— full cluster suiteintegration-tests-ci.yaml— Rust integration suitets-integration-tests.yaml— full TS suite against a localnet🤖 Generated with Claude Code