fix(daemon): Codex PR #595 round-2 — explicit deprecation for legacy multisig-only /create body

Pre-LU2 the route had a dedicated branch that accepted
`{ participantIdentityIds, requiredSignatures }` (no id/name) and called
`agent.registerContextGraphOnChain()` directly. LU-2 deleted that branch
but only stripped the dead fields, so legacy multisig-only callers
silently fell through to "Missing id or name" — a misleading 400 that
hides the fact that the entire flow was retired in SPEC_CG_MEMORY_MODEL.

Now those callers get an explicit 400 with code
`DEPRECATED_MULTISIG_CREATE_FLOW` pointing at the new
`{ id, name, ... }` + optional `/api/context-graph/register` flow.
Modern clients that send the deprecated fields alongside a valid
`{ id, name }` body keep working (warned + stripped) as before.

Two HTTP-level tests pin both branches:
  - modern body with deprecated extras still creates the CG
  - legacy multisig-only body returns the explicit deprecation error

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 2 people

packages/cli/src/daemon/routes/context-graph.ts

@@ -425,17 +425,33 @@ export async function handleContextGraphRoutes(ctx: RequestContext): Promise<voi
 
   // POST /api/context-graph/create — context graph definition create.
   // LU-2: per SPEC_CG_MEMORY_MODEL the legacy multisig-creation branch
-  // (driven by a `participantIdentityIds`-only body) is gone. CGs no
-  // longer carry per-CG hosting committees or quorum overrides; hosts
-  // are picked from the network sharding table at publish time and the
-  // ACK quorum is `parametersStorage.minimumRequiredSignatures()`. We
-  // accept the legacy body for backward compatibility but drop the dead
-  // fields with a one-line deprecation warning so older clients keep
-  // working.
+  // (driven by a `participantIdentityIds`-only body, no id/name) is gone.
+  // CGs no longer carry per-CG hosting committees or quorum overrides;
+  // hosts are picked from the network sharding table at publish time
+  // and the ACK quorum is `parametersStorage.minimumRequiredSignatures()`.
+  //
+  // Two client groups exist for these deprecated fields:
+  //   (a) modern clients that send the full `{ id, name, participantIdentityIds, requiredSignatures }`
+  //       body — we strip the dead fields and continue.
+  //   (b) legacy multisig-only clients that send `{ participantIdentityIds, requiredSignatures }`
+  //       with no `id`/`name` — there is no automatic translation that
+  //       preserves caller intent (we can't synthesise a meaningful slug),
+  //       so we fail with an explicit 410-style deprecation error pointing
+  //       at the new combined flow instead of letting the request fall
+  //       through to a generic "Missing id or name" 400.
   if (req.method === "POST" && path === "/api/context-graph/create") {
     const body = await readBody(req, SMALL_BODY_BYTES);
     const parsed = JSON.parse(body);
     if (parsed.participantIdentityIds !== undefined || parsed.requiredSignatures !== undefined) {
+      const isLegacyMultisigOnly =
+        typeof parsed.id !== 'string' && typeof parsed.name !== 'string';
+      if (isLegacyMultisigOnly) {
+        return jsonResponse(res, 400, {
+          error:
+            'The multisig-only POST /api/context-graph/create flow (participantIdentityIds without id/name) was removed in SPEC_CG_MEMORY_MODEL. Per-CG hosting committees and per-CG quorum overrides no longer exist. Send a regular `{ id, name, accessPolicy?, publishPolicy? }` body and (if you want chain registration) follow up with POST /api/context-graph/register.',
+          code: 'DEPRECATED_MULTISIG_CREATE_FLOW',
+        });
+      }
       console.warn(
         '[DKG-Daemon] WARN: POST /api/context-graph/create — `participantIdentityIds` and `requiredSignatures` are deprecated and ignored; per-CG hosting committees and quorums were removed in SPEC_CG_MEMORY_MODEL.',
       );

packages/cli/test/daemon-http-behavior-extra.test.ts

@@ -724,6 +724,53 @@ describe('CLI-7 — SPARQL endpoint 4xx matrix', () => {
     // message — callers should see something human-readable.
     expect(body.error).not.toMatch(/^0x[0-9a-fA-F]+$/);
   });
+
+  // SPEC_CG_MEMORY_MODEL / Codex PR #595 round-2: per-CG hosting
+  // committees and per-CG quorum overrides were removed. Two paths
+  // exist for legacy clients:
+  //   (a) modern `{ id, name, ...deprecated }` body — the daemon
+  //       strips the dead fields and the request succeeds.
+  //   (b) legacy multisig-only `{ participantIdentityIds, requiredSignatures }`
+  //       body with no `id`/`name` — pre-LU2 there was a dedicated
+  //       branch that bypassed id/name; post-LU2 we MUST fail with an
+  //       explicit deprecation error pointing at the new combined flow
+  //       rather than silently falling through to the generic
+  //       "Missing id or name" 400 (which doesn't tell the caller
+  //       their request shape was retired).
+  it('strips deprecated participantIdentityIds/requiredSignatures from a modern body and still creates the CG', async () => {
+    const d = daemon!;
+    const cgId = 'depr-fields-modern-' + Math.random().toString(36).slice(2, 8);
+    const res = await fetch(urlFor(d, '/api/context-graph/create'), {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', ...authHeaders(d) },
+      body: JSON.stringify({
+        id: cgId,
+        name: cgId,
+        participantIdentityIds: ['1', '2', '3'],
+        requiredSignatures: 2,
+      }),
+    });
+    expect([200, 201]).toContain(res.status);
+    const body = (await res.json()) as { created?: string };
+    expect(body.created).toBe(cgId);
+  });
+
+  it('rejects legacy multisig-only POST /api/context-graph/create (no id/name) with an explicit deprecation 400', async () => {
+    const d = daemon!;
+    const res = await fetch(urlFor(d, '/api/context-graph/create'), {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', ...authHeaders(d) },
+      body: JSON.stringify({
+        participantIdentityIds: ['1', '2'],
+        requiredSignatures: 1,
+      }),
+    });
+    expect(res.status).toBe(400);
+    const body = (await res.json()) as { error?: string; code?: string };
+    expect(body.code).toBe('DEPRECATED_MULTISIG_CREATE_FLOW');
+    expect(body.error ?? '').toMatch(/SPEC_CG_MEMORY_MODEL/);
+    expect(body.error ?? '').toMatch(/id.*name/);
+  });
 });
 
 describe('DKG-419 — lazy context graph metadata from SWM writes', () => {