Merge pull request #502 from OriginTrail/feat/daemon-pca-curated-registration-rebased

feat(context-graph): wire PCA id at registration so PCA agents can publish (rebase of #423)

Author: branarakic

packages/agent/src/dkg-agent.ts

@@ -581,6 +581,13 @@ export interface ChainAdapter {
   extendConvictionLock?(accountId: bigint, additionalEpochs: number): Promise<TxResult>;
   getConvictionDiscount?(accountId: bigint): Promise<{ discountBps: number; conviction: bigint }>;
   getConvictionAccountInfo?(accountId: bigint): Promise<ConvictionAccountInfo | null>;
+  /**
+   * Live owner lookup for a PCA NFT — wraps `DKGPublishingConvictionNFT.ownerOf(accountId)`.
+   * Used by the daemon's curated-CG registration preflight to enforce
+   * `local curator == ownerOf(pcaAccountId)` so an agent wallet cannot
+   * impersonate ownership when tying a CG to a PCA.
+   */
+  getPublishingConvictionAccountOwner?(accountId: bigint): Promise<string>;
   /**
    * Authorize an EOA to draw down on the PCA's discounted publishing
    * allowance. Wraps `PublishingConvictionAccount.addAuthorizedKey(accountId, key)`,

packages/agent/test/agent.test.ts

@@ -2570,6 +2570,13 @@ export class EVMChainAdapter implements ChainAdapter {
     }
   }
 
+  async getPublishingConvictionAccountOwner(accountId: bigint): Promise<string> {
+    await this.init();
+    const nft = await this.resolveContract('DKGPublishingConvictionNFT');
+    const owner = await nft.ownerOf(accountId);
+    return ethers.getAddress(owner);
+  }
+
   async getConvictionDiscount(accountId: bigint): Promise<{ discountBps: number; conviction: bigint }> {
     await this.init();
     if (!this.contracts.publishingConvictionAccount) {

packages/chain/src/chain-adapter.ts

@@ -674,6 +674,22 @@ export class MockChainAdapter implements ChainAdapter {
     return 0;
   }
 
+  /**
+   * Mock owner-lookup for the daemon's curated-CG registration
+   * preflight (`local curator == ownerOf(pcaAccountId)`).
+   *
+   * Mock does not model PCA NFT transfers, so the account `admin`
+   * doubles as the current "owner" for parity-test purposes. Real-chain
+   * tests use `EVMChainAdapter`, which queries `DKGPublishingConvictionNFT.ownerOf`.
+   */
+  async getPublishingConvictionAccountOwner(accountId: bigint): Promise<string> {
+    const acct = this.convictionAccounts.get(accountId);
+    if (!acct) {
+      throw new Error(`Mock: PCA account ${accountId} does not exist`);
+    }
+    return ethers.getAddress(acct.admin);
+  }
+
   // --- Staking Conviction ---
 
   private delegatorLocks = new Map<string, { lockTier: number; startEpoch: number }>();
@@ -768,12 +784,15 @@ export class MockChainAdapter implements ChainAdapter {
     }
     publishAuthority = ethers.getAddress(publishAuthority);
     if (publishPolicy === 0) {
-      if (publishAuthorityAccountId !== 0n) {
-        throw new Error('Mock: PCA publishAuthorityAccountId is not supported');
-      }
       if (publishAuthority === ethers.ZeroAddress) {
         publishAuthority = ethers.getAddress(this.signerAddress);
       }
+      if (publishAuthorityAccountId !== 0n) {
+        const pcaOwner = await this.getPublishingConvictionAccountOwner(publishAuthorityAccountId);
+        if (publishAuthority.toLowerCase() !== pcaOwner.toLowerCase()) {
+          throw new Error('Mock: PCA publishAuthority must match account owner');
+        }
+      }
     } else {
       if (publishAuthority !== ethers.ZeroAddress) {
         throw new Error('Mock: open policy requires zero publishAuthority');

packages/chain/src/evm-adapter.ts

@@ -49,6 +49,7 @@ export class NoChainAdapter implements ChainAdapter {
   async isOperationalWalletRegistered(_identityId: bigint, _address: string): Promise<boolean> { return false; }
   async getKnowledgeAssetsV10Address(): Promise<string> { noChain(); }
   async getEvmChainId(): Promise<bigint> { noChain(); }
+  async getPublishingConvictionAccountOwner(_accountId: bigint): Promise<string> { noChain(); }
   isV10Ready(): boolean { return false; }
   isRandomSamplingReady(): boolean { return false; }
 }

packages/chain/src/mock-adapter.ts

@@ -284,12 +284,34 @@ describe('MockChainAdapter API parity with EVMChainAdapter [CH-8]', () => {
       ...base,
       publishPolicy: 0,
       publishAuthorityAccountId: 1n,
-    })).rejects.toThrow(/PCA publishAuthorityAccountId is not supported/);
+    })).rejects.toThrow(/PCA account 1 does not exist/);
+
+    const { accountId } = await mock.createConvictionAccount(1n, 1);
 
     await expect(mock.createOnChainContextGraph({
       ...base,
       publishPolicy: 0,
+      publishAuthority: '0x2222222222222222222222222222222222222222',
+      publishAuthorityAccountId: accountId,
+    })).rejects.toThrow(/PCA publishAuthority must match account owner/);
+
+    await expect(mock.createOnChainContextGraph({
+      ...base,
+      publishPolicy: 0,
+      publishAuthority: '0x1111111111111111111111111111111111111111',
+      publishAuthorityAccountId: accountId,
     })).resolves.toMatchObject({ contextGraphId: 1n });
+
+    await expect(mock.createOnChainContextGraph({
+      ...base,
+      publishPolicy: 0,
+      publishAuthorityAccountId: accountId,
+    })).resolves.toMatchObject({ contextGraphId: 2n });
+
+    await expect(mock.createOnChainContextGraph({
+      ...base,
+      publishPolicy: 0,
+    })).resolves.toMatchObject({ contextGraphId: 3n });
   });
 
   it('requires explicit mock support for address-specific V10 publishing', async () => {

packages/chain/src/no-chain-adapter.ts

@@ -896,9 +896,43 @@ export class ApiClient {
     participantAgents?: string[];
     participantIdentityIds?: Array<string | number | bigint>;
     requiredSignatures?: number;
+    /**
+     * Atomic combined-flow flag. When `true`, the daemon registers the
+     * CG on-chain in the same call after the local create step
+     * succeeds. Required when `pcaAccountId` is supplied (a standalone
+     * `createContextGraph` does NOT persist PCA ids — Codex PR #502
+     * round-3).
+     */
+    register?: boolean;
+    /**
+     * Publish policy override forwarded to `registerContextGraph` in
+     * the combined-flow path. Only meaningful together with
+     * `register: true`. The agent otherwise defaults
+     * `publishPolicy = curated (0)` for curated/private CGs and
+     * `publishPolicy = open (1)` for public CGs — which makes the
+     * valid `{ accessPolicy: 0 (public), publishPolicy: 0 (curated),
+     * pcaAccountId }` combo unreachable unless the caller can pin
+     * `publishPolicy` explicitly. Codex PR #502 round-10 (raised by
+     * @branarakic).
+     */
+    publishPolicy?: number;
+    /**
+     * Publishing Conviction Account id for PCA-curated registration.
+     * Only meaningful together with `register: true`. The daemon
+     * rejects the create-only-with-pcaAccountId combo with a 400
+     * (Codex PR #502 round-5). For a two-step flow, use
+     * {@link registerContextGraph} instead.
+     */
+    pcaAccountId?: string | number | bigint;
   }, allowedPeers?: string[]): Promise<{
     created: string;
     uri: string;
+    /** Present only when caller passed `register: true`. */
+    registered?: boolean;
+    onChainId?: string;
+    /** Present when `register: true` was requested but the register leg failed. */
+    registerError?: string;
+    hint?: string;
   }> {
     return this.post('/api/context-graph/create', {
       id,
@@ -913,6 +947,9 @@ export class ApiClient {
         ? { participantIdentityIds: options.participantIdentityIds.map((id) => id.toString()) }
         : {}),
       ...(options?.requiredSignatures != null ? { requiredSignatures: options.requiredSignatures } : {}),
+      ...(options?.register === true ? { register: true } : {}),
+      ...(options?.publishPolicy != null ? { publishPolicy: options.publishPolicy } : {}),
+      ...(options?.pcaAccountId != null ? { pcaAccountId: options.pcaAccountId.toString() } : {}),
     });
   }
 
@@ -928,6 +965,7 @@ export class ApiClient {
     revealOnChain?: boolean;
     accessPolicy?: number;
     publishPolicy?: number;
+    pcaAccountId?: string | number | bigint;
   }): Promise<{
     registered: string;
     onChainId: string;
@@ -937,6 +975,7 @@ export class ApiClient {
       id,
       ...(opts?.accessPolicy != null ? { accessPolicy: opts.accessPolicy } : {}),
       ...(opts?.publishPolicy != null ? { publishPolicy: opts.publishPolicy } : {}),
+      ...(opts?.pcaAccountId != null ? { pcaAccountId: opts.pcaAccountId.toString() } : {}),
     });
   }
 

packages/chain/test/mock-adapter-parity.test.ts

@@ -1327,6 +1327,12 @@ contextGraphCmd
 
       const participantIdentityIds = (opts.participantIdentityId as string[] | undefined) ?? [];
       const allowedAgents = (opts.allowedAgent as string[] | undefined) ?? [];
+      // pcaAccountId is intentionally NOT a flag on `create` —
+      // `createContextGraph` no longer persists the id, so a
+      // create-time flag would silently drop the PCA configuration
+      // before `register <id>` is run (Codex PR #502 round-4). Users
+      // who want PCA-curated registration pass `--pca-account-id` on
+      // `dkg context-graph register <id>` instead.
       const accessPolicy = allowedAgents.length > 0 ? 1 : (opts.accessPolicy as number | undefined);
 
       const result = await client.createContextGraph(id, opts.name ?? id, opts.description, {
@@ -1385,19 +1391,28 @@ contextGraphCmd
   .option('--reveal', 'Deprecated: V10 ContextGraphs registration does not reveal cleartext metadata on-chain')
   .option('--access-policy <n>', 'Access policy: 0 = public/discoverable, 1 = private/curated', parseInt)
   .option('--publish-policy <n>', 'Publish policy: 0 = curated, 1 = open', parseInt)
+  .option('--pca-account-id <id>', 'Publishing Conviction Account id for PCA-curated registration')
   .action(async (id: string, opts: ActionOpts) => {
     try {
       const client = await ApiClient.connect();
       if (opts.reveal) {
         console.warn('--reveal is deprecated and ignored for V10 ContextGraphs registration.');
       }
+      const pcaAccountId = opts.pcaAccountId as string | undefined;
+      if (pcaAccountId && !/^[1-9]\d*$/.test(pcaAccountId)) {
+        throw new Error('--pca-account-id must be a positive decimal integer');
+      }
       const result = await client.registerContextGraph(id, {
         accessPolicy: opts.accessPolicy != null ? Number(opts.accessPolicy) : undefined,
         publishPolicy: opts.publishPolicy != null ? Number(opts.publishPolicy) : undefined,
+        pcaAccountId,
       });
       console.log(`Context graph registered on-chain:`);
       console.log(`  ID:         ${id}`);
       console.log(`  On-chain:   ${result.onChainId}`);
+      if (pcaAccountId) {
+        console.log(`  PCA account id: ${pcaAccountId}`);
+      }
       console.log(`  ${result.hint ?? 'You can now publish SWM to Verified Memory.'}`);
     } catch (err) {
       console.error(toErrorMessage(err));