fix(verify): tighten SPEC_CG_MEMORY_MODEL gates; address Codex round-5

Five real findings from Codex round-5 on PR #595, plus two findings
held as Hold-the-Line (backwards-compat we explicitly don't owe) and
one stale finding already fixed in 6a58ae2.

Findings 5 + 6 — Adapter-level fail-open removed
- chain/src/chain-adapter.ts: make `accessPolicy` and `publishPolicy`
  required fields on CreateOnChainContextGraphParams so `{}` can no
  longer silently create a public + open CG (privilege widening).
- chain/src/evm-adapter.ts + mock-adapter.ts: enforce the required
  fields at runtime; refuse with an actionable error when omitted.
- chain/src/evm-adapter.ts: getMinimumRequiredSignatures() now throws
  when ParametersStorage isn't resolvable instead of returning a
  hardcoded 3. The agent+publisher fail-closed guards already throw
  on "missing probe" / "garbage value", but the adapter was silently
  returning the wrong quorum from a null contract ref. Closed.
- Added parity-test coverage for both behaviours.

Finding 8 — Proposer-eligibility math in VerifyCollector
- VerifyCollector.collect() previously hardcoded
  `remoteRequired = requiredSignatures - 1`, assuming the proposer
  always self-counts. After the round-4 sharding-table filter, an
  edge node proposer with identityId=0 gets dropped, leaving 0 sigs
  on a `minimumRequiredSignatures=1` chain → spurious no_quorum.
- New `proposerCountsTowardQuorum?: boolean` (default true) lets the
  agent flag ineligible proposers so the collector demands the FULL
  quorum from remote peers.
- DKGAgent.verify() now computes `proposerEligible` BEFORE calling
  collect() and passes it through.
- Tests pin all three branches (proposer counts, proposer doesn't
  count, mixed) and the still-passing self-sign 1-of-1 path.

Finding 7 — Verify-proposal metadata leak
- The collector was fanning verify proposals (payload includes
  contextGraphId / verifiedMemoryId / batchId / root entities) to
  EVERY connected peer — for curated CGs that leaked CG metadata to
  unrelated peers before the downstream signer filter ran.
- DKGAgent now resolves `getParticipantPeers` via the existing
  CGMemberEnumerator (allowlist for curated CGs, topic-subscribers
  for public, empty for legacy unknown). VerifyCollector accepts an
  async getParticipantPeers signature for this.

Finding 2 — Drop legacy DKG_PARTICIPANT_IDENTITY_ID verify filter
- `getVerifyParticipantIdentityIds` read pre-LU2 `_meta` triples and
  enforced them as a HARD allowlist in verify, which could strand
  already-registered CGs after upgrade when the current sharding
  table doesn't match the old roster (and `registerContextGraph`
  early-returns when onChainId is set, so it can't be re-fixed).
- Deleted the method entirely; sharding-table membership is now the
  only authoritative ACK gate. Trust-degradation now keys off
  "any remote sharding-table-eligible ACK" instead of the legacy
  participant distinction.
- Simplified `resolveVerifyApprovalIdentityId` to drop the legacy
  candidate-set probe; modern responders stamp identityId in the
  approval payload.

Stale / held-the-line
- Finding 3 (sharding-table fail-open) was on commit 269e8a2 and
  was already fixed by `6a58ae2d` (no-method branch throws).
- Findings 1 + 4 (hard-400 on deprecated request fields breaks
  legacy callers) — user explicitly declined backwards compat for
  internal rc.x clients; we're keeping the explicit deprecation
  error so old callers fail loudly rather than silently writing
  CGs with broken assumptions.

Test-callsite ripple
- 19 test call sites updated to pass `accessPolicy`+`publishPolicy`
  explicitly. Existing semantics preserved (public+open where the
  test used to publish openly, curated+curators-only where it used
  the strict path). No new functional behaviour, just explicit args.

Suites green locally:
- packages/chain mock-adapter-parity      15/15
- packages/publisher verify-collector     14/14
- packages/publisher workspace + sigcoll  93/93
- packages/agent e2e-publish-protocol     13/13
- packages/agent agent.test               115/115
- packages/agent swm-ack-quorum           31/31
- packages/cli daemon-http-behavior-extra 50/50
- swm-snapshot-sync flake (pre-existing) unrelated.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 2 people

packages/agent/src/dkg-agent.ts

@@ -11717,6 +11717,56 @@ export class DKGAgent {
     const proposerAddress = ethers.computeAddress(signingKey.publicKey);
 
     // 5. Collect M-of-N approvals
+    // SPEC_CG_MEMORY_MODEL §4.3: sharding-table membership is the only
+    // authoritative gate for who can ACK a VM publish. Adapters that
+    // don't implement the membership probe are a misconfiguration here
+    // (real EVM and the in-tree mock both implement it). Cache decisions
+    // per batch to avoid hammering the RPC for repeated approvers.
+    if (typeof this.chain.isShardingTableMember !== 'function') {
+      throw new Error(
+        'verify: chain adapter does not implement `isShardingTableMember()`. ' +
+        'Cannot enforce SPEC_CG_MEMORY_MODEL §4.3 sharding-table ACK eligibility — refusing fail-open.',
+      );
+    }
+    const shardingMembershipCache = new Map<string, boolean>();
+    const probeShardingTableMembership = async (identityId: bigint): Promise<boolean> => {
+      if (identityId <= 0n) return false;
+      const key = identityId.toString();
+      const cached = shardingMembershipCache.get(key);
+      if (cached !== undefined) return cached;
+      try {
+        const ok = await this.chain.isShardingTableMember!(identityId);
+        shardingMembershipCache.set(key, ok);
+        return ok;
+      } catch (err: any) {
+        this.log.warn(
+          ctx,
+          `[verify] isShardingTableMember(${identityId}) probe failed (${err?.message ?? err}); ` +
+          `dropping that signer's approval as fail-closed`,
+        );
+        shardingMembershipCache.set(key, false);
+        return false;
+      }
+    };
+
+    // Proposer eligibility computed BEFORE collect() so VerifyCollector
+    // can require the full `requiredSignatures` remote ACKs (instead of
+    // `requiredSignatures - 1`) when the proposer can't self-count.
+    // Edge nodes have identityId=0 and aren't in the sharding table, so
+    // they always need every ACK to come from a member peer.
+    const proposerEligible =
+      this.identityId > 0n && await probeShardingTableMembership(this.identityId);
+
+    // CG-visible peer set for verify-proposal fan-out:
+    // SPEC_CG_MEMORY_MODEL §4.4 — the verify proposal payload includes
+    // contextGraphId, verifiedMemoryId, batchId, and root entities; for
+    // curated CGs that's metadata only allowlisted members may see. Run
+    // every recipient through `getOrCreateCGMemberEnumerator()` so
+    // unrelated peers don't receive the proposal. Public CGs fall
+    // through to the topic-subscribers set; legacy CGs with no member
+    // signal return an empty set (verify just degrades to no-quorum).
+    const cgMemberEnumerator = this.getOrCreateCGMemberEnumerator();
+
     const collector = new VerifyCollector({
       // rc.9 PR-11: route through messenger.sendReliable so
       // /dkg/10.0.1/verify-proposal gets envelope wrap + sender-side
@@ -11731,13 +11781,10 @@ export class DKGAgent {
         }
         return sendResult.response;
       },
-      getParticipantPeers: (cgId?: string) => {
-        const allPeers = this.node.libp2p.getPeers().map(p => p.toString()).filter(id => id !== this.peerId);
-        // LU-2: per SPEC_CG_MEMORY_MODEL there is no per-CG hosting
-        // committee — any sharding-table member can ACK. We pass all
-        // connected peers; signer eligibility is enforced via
-        // signature recovery + identityId resolution downstream.
-        return allPeers;
+      getParticipantPeers: async (cgId?: string) => {
+        const targetCg = cgId ?? opts.contextGraphId;
+        const enumeration = await cgMemberEnumerator.enumerate(targetCg);
+        return enumeration.members;
       },
       log: (msg: string) => this.log.info(ctx, msg),
     });
@@ -11756,86 +11803,38 @@ export class DKGAgent {
       entities,
       proposerSignature: { r: ethers.getBytes(proposerSig.r), vs: ethers.getBytes(proposerSig.yParityAndS) },
       requiredSignatures,
+      proposerCountsTowardQuorum: proposerEligible,
       timeoutMs: opts.timeoutMs ?? 30 * 60 * 1000, // 30 min default; VerifyCollector also enforces this as its max.
       allowPartial: true,
     });
 
     // 6. Resolve identity IDs for each approver before on-chain submission.
-    const participantIdentityIds = await this.getVerifyParticipantIdentityIds(
-      opts.contextGraphId,
-      contextGraphIdOnChain,
-    );
-    const isEligibleParticipant = (identityId: bigint): boolean =>
-      participantIdentityIds === null || participantIdentityIds.has(identityId);
-
-    // Sharding-table eligibility: SPEC_CG_MEMORY_MODEL §4.3 promises
-    // that only sharding-table members can ACK a VM publish. Probe
-    // membership for every resolved signer and drop non-members
-    // fail-closed. Adapters that don't implement the probe are a
-    // misconfiguration in this code path (real EVM and the in-tree
-    // mock both implement it) — fail loudly instead of silently
-    // accepting any signer. Cache per batch to avoid repeated RPCs.
-    if (typeof this.chain.isShardingTableMember !== 'function') {
-      throw new Error(
-        'verify: chain adapter does not implement `isShardingTableMember()`. ' +
-        'Cannot enforce SPEC_CG_MEMORY_MODEL §4.3 sharding-table ACK eligibility — refusing fail-open.',
-      );
-    }
-    const shardingMembershipCache = new Map<string, boolean>();
-    const probeShardingTableMembership = async (identityId: bigint): Promise<boolean> => {
-      if (identityId <= 0n) return false;
-      const key = identityId.toString();
-      const cached = shardingMembershipCache.get(key);
-      if (cached !== undefined) return cached;
-      try {
-        const ok = await this.chain.isShardingTableMember!(identityId);
-        shardingMembershipCache.set(key, ok);
-        return ok;
-      } catch (err: any) {
-        this.log.warn(
-          ctx,
-          `[verify] isShardingTableMember(${identityId}) probe failed (${err?.message ?? err}); ` +
-          `dropping that signer's approval as fail-closed`,
-        );
-        shardingMembershipCache.set(key, false);
-        return false;
-      }
-    };
-
     const resolvedSignatures: Array<{ identityId: bigint; r: Uint8Array; vs: Uint8Array }> = [];
     const resolvedSignerAddresses: string[] = [];
-    if (
-      this.identityId > 0n
-      && isEligibleParticipant(this.identityId)
-      && await probeShardingTableMembership(this.identityId)
-    ) {
+    if (proposerEligible) {
       resolvedSignatures.push({
         identityId: this.identityId,
         r: ethers.getBytes(proposerSig.r),
         vs: ethers.getBytes(proposerSig.yParityAndS),
       });
       resolvedSignerAddresses.push(proposerAddress);
     }
-    const participantResolvedRemoteAddresses: string[] = [];
     for (const a of result.approvals) {
-      let id = a.identityId || await this.resolveVerifyApprovalIdentityId(
-        a.approverAddress,
-        participantIdentityIds,
-      );
+      let id = a.identityId || await this.resolveVerifyApprovalIdentityId(a.approverAddress);
       if (!id || id === 0n) continue;
-      if (!isEligibleParticipant(id)) continue;
       if (!(await probeShardingTableMembership(id))) continue;
       resolvedSignatures.push({ identityId: id, r: a.signatureR, vs: a.signatureVS });
       resolvedSignerAddresses.push(a.approverAddress);
-      if (participantIdentityIds !== null && participantIdentityIds.has(id)) {
-        participantResolvedRemoteAddresses.push(a.approverAddress);
-      }
     }
     if (!result.quorumReached || resolvedSignatures.length < requiredSignatures) {
-      const trustLevel = participantResolvedRemoteAddresses.length > 0
+      // Trust degradation: any remote sharding-table-eligible ACK we
+      // collected (i.e. any signer past the proposer slot) lifts the
+      // batch to PartiallyVerified; otherwise it's self-attested.
+      const remoteCount = resolvedSignatures.length - (proposerEligible ? 1 : 0);
+      const trustLevel = remoteCount > 0
         ? TrustLevel.PartiallyVerified
         : TrustLevel.SelfAttested;
-      const status = participantResolvedRemoteAddresses.length > 0 ? 'partial' : 'no_quorum';
+      const status = remoteCount > 0 ? 'partial' : 'no_quorum';
       await this.stampBatchTrustLevel(
         opts.contextGraphId,
         opts.batchId,
@@ -11845,8 +11844,8 @@ export class DKGAgent {
       this.log.info(
         ctx,
         `Verify batch ${opts.batchId} did not reach quorum ` +
-          `(${resolvedSignatures.length}/${requiredSignatures} identity-resolved signers, ` +
-          `${participantResolvedRemoteAddresses.length}/${result.requiredRemoteApprovals} participant remote approvals) — ` +
+          `(${resolvedSignatures.length}/${requiredSignatures} sharding-table-eligible signers, ` +
+          `${remoteCount}/${result.requiredRemoteApprovals} remote approvals) — ` +
           `stamped trustLevel=${trustLevel} without chain tx`,
       );
       return {
@@ -11908,81 +11907,23 @@ export class DKGAgent {
     };
   }
 
-  private async resolveVerifyApprovalIdentityId(
-    approverAddress: string,
-    participantIdentityIds: Set<bigint> | null,
-  ): Promise<bigint> {
-    if (typeof (this.chain as any).getIdentityIdForAddress === 'function') {
-      try {
-        const id = await (this.chain as any).getIdentityIdForAddress(approverAddress);
-        if (id && id !== 0n) return BigInt(id);
-      } catch {
-        // Fall through to participant-set probing below.
-      }
-    }
-
-    if (participantIdentityIds === null || participantIdentityIds.size === 0) return 0n;
-    if (typeof this.chain.verifyACKIdentity === 'function') {
-      for (const candidateIdentityId of participantIdentityIds) {
-        try {
-          if (await this.chain.verifyACKIdentity.call(this.chain, approverAddress, candidateIdentityId)) {
-            return candidateIdentityId;
-          }
-        } catch {
-          // Ignore individual lookup failures; another participant may still match.
-        }
-      }
-    }
-
-    if (typeof this.chain.isOperationalWalletRegistered !== 'function') return 0n;
-    for (const candidateIdentityId of participantIdentityIds) {
-      try {
-        if (await this.chain.isOperationalWalletRegistered.call(this.chain, candidateIdentityId, approverAddress)) {
-          return candidateIdentityId;
-        }
-      } catch {
-        // Ignore individual lookup failures; another participant may still match.
-      }
-    }
-    return 0n;
-  }
-
-  private async getVerifyParticipantIdentityIds(
-    contextGraphId: string,
-    contextGraphIdOnChain: bigint,
-  ): Promise<Set<bigint> | null> {
-    // LU-2: on-chain CGs no longer carry per-CG hosting committees, so
-    // there is no `chain.getContextGraphParticipants()` to consult.
-    // Any sharding-table member can ACK; participant gating is removed.
-    // We still return locally-cached participant identity IDs (legacy
-    // `_meta` triples written before LU-2) when present, so existing
-    // CGs that pre-date this change continue to filter signers the same
-    // way until they're re-registered.
-    void contextGraphIdOnChain;
-    const metaGraph = assertSafeIri(contextGraphMetaGraphUri(contextGraphId));
-    const contextGraphUri = assertSafeIri(`did:dkg:context-graph:${contextGraphId}`);
-    const result = await this.store.query(
-      `SELECT ?identityId WHERE {
-        GRAPH <${metaGraph}> {
-          <${contextGraphUri}> <${DKG_ONTOLOGY.DKG_PARTICIPANT_IDENTITY_ID}> ?identityId
-        }
-      }`,
-    );
-    if (result.type !== 'bindings' || result.bindings.length === 0) {
-      return null;
+  private async resolveVerifyApprovalIdentityId(approverAddress: string): Promise<bigint> {
+    // Post-SPEC_CG_MEMORY_MODEL: identity resolution is whatever the
+    // chain adapter exposes via `getIdentityIdForAddress`. The legacy
+    // candidate-set probe against per-CG `participantIdentityId`
+    // triples was a pre-LU2 affordance and has been removed (Codex
+    // PR #595 round-5: stop using legacy roster as a verify filter).
+    // Modern responders that want to be counted MUST stamp their
+    // identityId in the VerifyApproval payload.
+    if (typeof (this.chain as any).getIdentityIdForAddress !== 'function') {
+      return 0n;
     }
-    const ids = new Set<bigint>();
-    for (const row of result.bindings as Record<string, string>[]) {
-      const raw = row.identityId?.replace(/^"|"$/g, '');
-      if (!raw) continue;
-      try {
-        const parsed = BigInt(raw);
-        if (parsed > 0n) ids.add(parsed);
-      } catch {
-        // Ignore malformed local metadata; it is not usable for trust elevation.
-      }
+    try {
+      const id = await (this.chain as any).getIdentityIdForAddress(approverAddress);
+      return id ? BigInt(id) : 0n;
+    } catch {
+      return 0n;
     }
-    return ids.size > 0 ? ids : null;
   }
 
   private async promoteToVerifiedMemory(

packages/agent/test/e2e-chain.test.ts

@@ -112,7 +112,10 @@ describe('E2E: DKGAgent with real blockchain', () => {
     const chainAdapter = new EVMChainAdapter(
       makeAdapterConfig(ctx.rpcUrl, ctx.hubAddress, HARDHAT_KEYS.EXTRA1),
     );
-    const cgResult = await chainAdapter.createOnChainContextGraph({});
+    const cgResult = await chainAdapter.createOnChainContextGraph({
+      accessPolicy: 0,
+      publishPolicy: 1,
+    });
     CONTEXT_GRAPH_ID = String(cgResult.contextGraphId);
 
     await agents[0].createContextGraph({
@@ -222,7 +225,10 @@ describe('E2E: DKGAgent with real blockchain', () => {
     const chainAdapter = new EVMChainAdapter(
       makeAdapterConfig(ctx.rpcUrl, ctx.hubAddress, HARDHAT_KEYS.EXTRA1),
     );
-    const cgResult = await chainAdapter.createOnChainContextGraph({});
+    const cgResult = await chainAdapter.createOnChainContextGraph({
+      accessPolicy: 0,
+      publishPolicy: 1,
+    });
     const secondCG = String(cgResult.contextGraphId);
 
     await agents[0].createContextGraph({
@@ -315,7 +321,10 @@ describe('E2E: DKGAgent with real blockchain', () => {
     const chainAdapter = new EVMChainAdapter(
       makeAdapterConfig(ctx.rpcUrl, ctx.hubAddress, HARDHAT_KEYS.EXTRA1),
     );
-    const cgResult = await chainAdapter.createOnChainContextGraph({});
+    const cgResult = await chainAdapter.createOnChainContextGraph({
+      accessPolicy: 0,
+      publishPolicy: 1,
+    });
     const gossipCG = String(cgResult.contextGraphId);
 
     await agents[0].createContextGraph({

packages/agent/test/e2e-context-graph.test.ts

@@ -79,7 +79,10 @@ describe('E2E: context graph publish + finalization (shared chain)', () => {
   }, 15_000);
 
   it('creates a context graph on the shared chain', async () => {
-    const result = await nodeA.registerContextGraphOnChain({});
+    const result = await nodeA.registerContextGraphOnChain({
+      accessPolicy: 0,
+      publishPolicy: 1,
+    });
 
     contextGraphId = result.contextGraphId;
     expect(contextGraphId).toBeDefined();

packages/agent/test/e2e-publish-protocol.test.ts

@@ -255,7 +255,10 @@ describe('E2E: Context graph publish with receiver + participant signatures', ()
     await sleep(1500);
 
     // Both A and B are participants
-    const result = await nodeA.registerContextGraphOnChain({});
+    const result = await nodeA.registerContextGraphOnChain({
+      accessPolicy: 0,
+      publishPolicy: 1,
+    });
     contextGraphId = result.contextGraphId;
     expect(Number(contextGraphId)).toBeGreaterThan(0);
   }, 20_000);
@@ -448,7 +451,10 @@ describe('E2E: Context graph registration rejected with insufficient participant
     nodeA.subscribeToContextGraph(CONTEXT_GRAPH);
 
     // Context graph requires 2 signatures, but only 1 node available
-    const cgResult = await nodeA.registerContextGraphOnChain({});
+    const cgResult = await nodeA.registerContextGraphOnChain({
+      accessPolicy: 0,
+      publishPolicy: 1,
+    });
     const contextGraphId = cgResult.contextGraphId;
 
     await nodeA.share(CONTEXT_GRAPH, [
@@ -524,7 +530,10 @@ describe('E2E: Edge node participates in context graph governance', () => {
     const coreIdentity = await chainCore.getIdentityId();
     expect(coreIdentity).toBeGreaterThan(0n);
 
-    const cgResult = await coreNode.registerContextGraphOnChain({});
+    const cgResult = await coreNode.registerContextGraphOnChain({
+      accessPolicy: 0,
+      publishPolicy: 1,
+    });
     contextGraphId = cgResult.contextGraphId;
 
     // Core writes data

packages/agent/test/e2e-security.test.ts

@@ -288,6 +288,7 @@ describe('Access protocol denial', () => {
     }), chainA);
 
     const cgResult = await chainA.createOnChainContextGraph({
+      accessPolicy: 0,
       publishPolicy: 1,
     });
 
@@ -420,6 +421,7 @@ describe('Access protocol round-trip', () => {
     }), chainA);
 
     const cgResult = await chainA.createOnChainContextGraph({
+      accessPolicy: 0,
       publishPolicy: 1,
     });
     const onChainCgId = cgResult.contextGraphId.toString();