feat: trustless verification tools (verify_chain_tip, check_endpoint_honesty)#58
Draft
dkijania wants to merge 8 commits into
Draft
feat: trustless verification tools (verify_chain_tip, check_endpoint_honesty)#58dkijania wants to merge 8 commits into
dkijania wants to merge 8 commits into
Conversation
…honesty) Add two live-mode tools (devnet/mainnet) that let an agent cryptographically verify the chain instead of trusting the daemon: - verify_chain_tip: fetch the canonical precomputed block from the public block bucket and check its Pickles/kimchi SNARK proof. A valid proof attests the entire chain to genesis by recursion — no trust in the daemon or the bucket (a forged block won't verify). Returns proof-backed height/state/ledger hashes. - check_endpoint_honesty: read the daemon's own claims for a block, independently verify the canonical block's proof, and compare. A mismatch means the daemon is serving inconsistent/invalid data. Verification runs through @o1-labs/mina-sdk (verifyPrecomputedBlock / compareToClaims), backed by the optional mina-verify-wasm package. GraphQL alone is insufficient (its protocolState is a lossy projection), so the verifiable input is the precomputed block from gs://mina_network_block_data, added as precomputedBlockBaseUrl in networks.ts for devnet/mainnet only (the networks with an embedded VK). - src/tools/verify.ts: the two tools + bucket fetch + network gating - src/networks.ts: precomputedBlockBaseUrl for devnet/mainnet - server-factory.ts + test/mcp/helpers.ts: register the tools - test/mcp/live.test.ts: expect them in the live devnet tool list - README: usage + the ~tens-of-seconds blocking caveat Verified end-to-end against live devnet via the MCP client: verify_chain_tip -> VERIFIED (tip 527284); check_endpoint_honesty -> HONEST (daemon claims match the proof). test:unit (120) + test:mcp (78) green. Depends on @o1-labs/mina-sdk >=0.4.0 (the verify API, mina-sdk-js PR #10) and the published mina-verify-wasm; both bumped here as (optional) deps. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add `npm run demo:honesty` — an end-to-end demo of the two verification tools,
driven through the real MCP server over an in-memory transport:
1. verify_chain_tip against live devnet -> VERIFIED (real Pickles/kimchi proof).
2. check_endpoint_honesty against a DISHONEST endpoint -> DISHONEST, naming the
exact lied-about field.
demo/tampering-proxy.mts forwards GraphQL to the real devnet daemon but rewrites
the stagedLedgerHash it reports — a lie a trusting client can't see and a verifying
client catches. demo/setup-local.sh wires the local (unpublished) mina-verify-wasm
+ @o1-labs/mina-sdk builds so the demo runs before they're on npm; in production
`npm install mina-verify-wasm` is the whole setup.
Verified run: act 1 VERIFIED (tip 527294, ~78s); act 2 caught the proxy's
stagedLedgerHash lie vs the proof-attested value.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
sample-output.txt is a real run (for showing the result without the ~2.5 min of live proof checks); README adds the narrative/talking points for presenting. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…talled) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- mina-verify is a sibling (../mina-verify), not ../../. - Copy the wasm pkg into node_modules instead of `npm install` (package.json pins the unpublished @o1-labs/mina-sdk@^0.4.0, so npm install can't resolve). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add the honest-endpoint check_endpoint_honesty case so the demo covers both honesty outcomes (good endpoint passes, lying endpoint caught) alongside the tip verification. Transcript + README updated. Real run: 69s / 62s / 59s. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Avoids shadowing the per-tool `network` argument; matches the repo's detailArg/txLimitArg naming convention. No behavior change. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Two live-mode tools (devnet/mainnet) that let an agent cryptographically verify the chain instead of trusting the daemon:
verify_chain_tip— fetches the canonical precomputed block from the public block bucket and checks its Pickles/kimchi SNARK proof. A valid proof attests the entire chain back to genesis by recursion — no trust in the daemon or the bucket (a forged block won't verify). Returns proof-backed height / state hash / ledger hash.check_endpoint_honesty— reads the daemon's own claims for a block, independently verifies the canonical block's proof, and compares. A mismatch ⇒ the daemon is serving inconsistent or invalid data.Demo 🎬
npm run demo:honesty(demo/) runs the whole story through the real MCP server:verify_chain_tipagainst live devnet → VERIFIED ✓check_endpoint_honestyagainst a tampering proxy that lies about the ledger hash → DISHONEST ✗, naming the exact fieldSee
demo/sample-output.txtfor a captured run anddemo/README.mdfor presenter talking points.demo/setup-local.shwires the local (unpublished) packages so it runs today.How
@o1-labs/mina-sdk(verifyPrecomputedBlock/compareToClaims), backed by the optionalmina-verify-wasmpackage. Without it installed, the tools return a clear install hint.protocolStateis a lossy projection and can't be re-hashed to verify a proof. The verifiable input is the precomputed block fromgs://mina_network_block_data, added asprecomputedBlockBaseUrlinnetworks.tsfor devnet/mainnet (the networks with an embedded VK).Verified
End-to-end against live devnet (the demo + ad-hoc MCP client runs):
verify_chain_tip→ VERIFIED ✓check_endpoint_honesty→ HONEST ✓ on the real daemon; DISHONEST ✗ on the tampering proxy (caught the exact lie)test:unit(120) andtest:mcp(78) pass; the live tool-list assertion includes both tools.Caveat
Verification is CPU-bound and currently blocks for ~tens of seconds per call — intended for occasional integrity checks, not hot paths. (A threaded
mina-verify-wasmbackend is the planned perf follow-up.)🤖 Generated with Claude Code