Skip to content

feat: trustless verification tools (verify_chain_tip, check_endpoint_honesty)#58

Draft
dkijania wants to merge 8 commits into
mainfrom
feat/trustless-verification-tools
Draft

feat: trustless verification tools (verify_chain_tip, check_endpoint_honesty)#58
dkijania wants to merge 8 commits into
mainfrom
feat/trustless-verification-tools

Conversation

@dkijania

@dkijania dkijania commented Jun 12, 2026

Copy link
Copy Markdown
Member

Draft — stacked PR. Depends on mina-sdk-js PR #10 (the verify API) being released as @o1-labs/mina-sdk ≥ 0.4.0, and on mina-verify-wasm being published. CI here goes green once both are on npm.

What

Two live-mode tools (devnet/mainnet) that let an agent cryptographically verify the chain instead of trusting the daemon:

  • verify_chain_tip — fetches the canonical precomputed block from the public block bucket and checks its Pickles/kimchi SNARK proof. A valid proof attests the entire chain back to genesis by recursion — no trust in the daemon or the bucket (a forged block won't verify). Returns proof-backed height / state hash / ledger hash.
  • check_endpoint_honesty — reads the daemon's own claims for a block, independently verifies the canonical block's proof, and compares. A mismatch ⇒ the daemon is serving inconsistent or invalid data.

Demo 🎬

npm run demo:honesty (demo/) runs the whole story through the real MCP server:

  1. verify_chain_tip against live devnet → VERIFIED ✓
  2. check_endpoint_honesty against a tampering proxy that lies about the ledger hash → DISHONEST ✗, naming the exact field

See demo/sample-output.txt for a captured run and demo/README.md for presenter talking points. demo/setup-local.sh wires the local (unpublished) packages so it runs today.

How

  • Verification runs through @o1-labs/mina-sdk (verifyPrecomputedBlock / compareToClaims), backed by the optional mina-verify-wasm package. Without it installed, the tools return a clear install hint.
  • GraphQL alone is insufficient — a daemon's protocolState is a lossy projection and can't be re-hashed to verify a proof. The verifiable input is the precomputed block from gs://mina_network_block_data, added as precomputedBlockBaseUrl in networks.ts for devnet/mainnet (the networks with an embedded VK).

Verified

End-to-end against live devnet (the demo + ad-hoc MCP client runs):

  • verify_chain_tip → VERIFIED ✓
  • check_endpoint_honesty → HONEST ✓ on the real daemon; DISHONEST ✗ on the tampering proxy (caught the exact lie)

test:unit (120) and test:mcp (78) pass; the live tool-list assertion includes both tools.

Caveat

Verification is CPU-bound and currently blocks for ~tens of seconds per call — intended for occasional integrity checks, not hot paths. (A threaded mina-verify-wasm backend is the planned perf follow-up.)

🤖 Generated with Claude Code

dkijania and others added 8 commits June 12, 2026 13:59
…honesty)

Add two live-mode tools (devnet/mainnet) that let an agent cryptographically
verify the chain instead of trusting the daemon:

- verify_chain_tip: fetch the canonical precomputed block from the public block
  bucket and check its Pickles/kimchi SNARK proof. A valid proof attests the
  entire chain to genesis by recursion — no trust in the daemon or the bucket
  (a forged block won't verify). Returns proof-backed height/state/ledger hashes.
- check_endpoint_honesty: read the daemon's own claims for a block, independently
  verify the canonical block's proof, and compare. A mismatch means the daemon is
  serving inconsistent/invalid data.

Verification runs through @o1-labs/mina-sdk (verifyPrecomputedBlock /
compareToClaims), backed by the optional mina-verify-wasm package. GraphQL alone
is insufficient (its protocolState is a lossy projection), so the verifiable
input is the precomputed block from gs://mina_network_block_data, added as
precomputedBlockBaseUrl in networks.ts for devnet/mainnet only (the networks with
an embedded VK).

- src/tools/verify.ts: the two tools + bucket fetch + network gating
- src/networks.ts: precomputedBlockBaseUrl for devnet/mainnet
- server-factory.ts + test/mcp/helpers.ts: register the tools
- test/mcp/live.test.ts: expect them in the live devnet tool list
- README: usage + the ~tens-of-seconds blocking caveat

Verified end-to-end against live devnet via the MCP client:
verify_chain_tip -> VERIFIED (tip 527284); check_endpoint_honesty -> HONEST
(daemon claims match the proof). test:unit (120) + test:mcp (78) green.

Depends on @o1-labs/mina-sdk >=0.4.0 (the verify API, mina-sdk-js PR #10) and the
published mina-verify-wasm; both bumped here as (optional) deps.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add `npm run demo:honesty` — an end-to-end demo of the two verification tools,
driven through the real MCP server over an in-memory transport:

  1. verify_chain_tip against live devnet -> VERIFIED (real Pickles/kimchi proof).
  2. check_endpoint_honesty against a DISHONEST endpoint -> DISHONEST, naming the
     exact lied-about field.

demo/tampering-proxy.mts forwards GraphQL to the real devnet daemon but rewrites
the stagedLedgerHash it reports — a lie a trusting client can't see and a verifying
client catches. demo/setup-local.sh wires the local (unpublished) mina-verify-wasm
+ @o1-labs/mina-sdk builds so the demo runs before they're on npm; in production
`npm install mina-verify-wasm` is the whole setup.

Verified run: act 1 VERIFIED (tip 527294, ~78s); act 2 caught the proxy's
stagedLedgerHash lie vs the proof-attested value.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sample-output.txt is a real run (for showing the result without the ~2.5 min of
live proof checks); README adds the narrative/talking points for presenting.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…talled)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- mina-verify is a sibling (../mina-verify), not ../../.
- Copy the wasm pkg into node_modules instead of `npm install` (package.json
  pins the unpublished @o1-labs/mina-sdk@^0.4.0, so npm install can't resolve).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the honest-endpoint check_endpoint_honesty case so the demo covers both
honesty outcomes (good endpoint passes, lying endpoint caught) alongside the tip
verification. Transcript + README updated. Real run: 69s / 62s / 59s.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Avoids shadowing the per-tool `network` argument; matches the repo's
detailArg/txLimitArg naming convention. No behavior change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant