fix(observability): bound the MPC metrics hot path; refuse mock-crypto builds on real networks#1816
Merged
Conversation
…o builds on real networks Three pre-tag items from the 1.2.0 release review: 1. refresh_observability_metrics ran on every ~20ms service iteration and re-emitted per-seq gauge series for EVERY session tracked this epoch — terminal (Completed/Failed) sessions stay in the map until epoch end, so per-tick work and allocations grew with the epoch's cumulative session count, on the same loop that advances MPC sessions (its in-code "bounded by max_active_sessions_buffer" claim was false). Refreshes are now rate-limited to once a second and a terminal session gets exactly one final emission recording its terminal state (re-armed if it ever leaves terminal state); the waiting-on-quorum counter moved to the cheap full-scan loop so its semantics are unchanged. 2. ika_dwallet_checkpoint_user_session_written_at_seq accumulated one labeled series per user session for the process lifetime (nothing ever removed label values). The checkpoint builder is constructed once per epoch, so it now resets the gauge there, bounding the label set to the current epoch. 3. A binary compiled with dwallet-mpc-unsafe-mock now refuses to boot against the ika mainnet/testnet networks (chain derived from the deployed ika system object, as the minimum-CPU gate does) and logs a grep-able insecure_mock_crypto=true error banner elsewhere, so a mocked binary can never pass as real-crypto evidence. CLAUDE.md now documents the verified footgun that WORKSPACE-scope cargo test silently enables the mock across the graph via ika-test-cluster's self-dev-dependency (feature unification) — real-crypto runs need package scope. Also adds decode_deployed_network_key_bytes, an #[ignore]d one-off tool (next to the existing NetworkKeyId derivation tool, sharing its deployed-envs table) that fetches the real mainnet/testnet network-key bytes and decodes them on the exact types the v3 backward-compatible reconfiguration arm consumes — the real-chain-bytes evidence the synthesized-anchor regression tests cannot provide. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
fullnode.testnet.sui.io currently rejects JSON-RPC with a 404, which sank the whole multi-env run at the first unwrap. Each env now carries an ordered endpoint list (canonical Mysten first, public fallback), and connection failure skips the env with a printed reason instead of panicking — one downed endpoint no longer hides the other network's result. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Contributor
Author
Deployed-bytes decode evidence (G1 residual: CLOSED)Ran What this proves, on the actual on-chain bytes (not synthesized test vectors):
This closes the last G1 residual from the release review (the regression tests use synthesized anchors re-encoded under the current crate, so they could not have caught a layout drift against the deployed bytes). Side note captured in the second commit: 🤖 Generated with Claude Code |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Item 7 of the 1.2.0 pre-tag checklist (release review) — the cheap fixes worth taking before the tag.
1. MPC metrics hot path (hand-verified findings)
refresh_observability_metricsran on every ~20ms service iteration and re-emitted ~11 per-seq gauge series (plus a per-committee-member matrix) for every session tracked this epoch — terminal sessions stay inself.sessionsuntil epoch end (zeroremove/retain), so per-tick work grew with the epoch's cumulative session count, on the same loop that advances MPC sessions. The in-code "bounded by max_active_sessions_buffer" claim was false.OBSERVABILITY_REFRESH_INTERVAL).current_seqsso the existing stale-zeroing block doesn't wipe the terminal record.sessions_with_self_output_no_quorumcounter moved into the cheap unconditional scan — semantics unchanged.2. Checkpoint per-session gauge label leak
ika_dwallet_checkpoint_user_session_written_at_seqaccumulated one labeled series per user session for the process lifetime. The builder is per-epoch, so its constructor nowreset()s the gauge — label set bounded to the current epoch.3. unsafe-mock tripwire
A binary compiled with
dwallet-mpc-unsafe-mocknow refuses to boot against ika mainnet/testnet (chain derived from the deployed ika system object, exactly like #1810's minimum-CPU gate; predicate unit-tested in the same style) and logs a grep-ableinsecure_mock_crypto=trueerror banner on any other network. CLAUDE.md documents the verified footgun that workspace-scopecargo testsilently mocks ika-core's crypto via ika-test-cluster's self-dev-dependency feature unification (verified both directions withcargo tree: dev-graph resolution enables it; plainika-nodebuilds do not).4. Deployed-bytes decode tool (G1 evidence residual)
New
#[ignore]ddecode_deployed_network_key_bytes(sharing the deployed-envs table with the existing NetworkKeyId tool): fetches the real mainnet/testnet network-key bytes and decodes them on the exact types the v3 backward-compatible reconfiguration arm consumes — V1 anchor inner → class-groups DKG output (+ byte-identical re-encode check), V2 reconfiguration output → bwd-compatPublicOutput. This is the real-chain-bytes check the synthesized-anchor regression tests can't provide; run results will be posted on this PR.Verification
cargo clippy -p ika-core --lib --testsclean;cargo fmt --all.runtime::tests4/4 green (newmock_crypto_forbidden_exactly_on_real_networksincluded).🤖 Generated with Claude Code