wip: ucan1 integration snapshot for smelt e2e

Snapshots a working end-to-end upload flow through the smelt local-dev
stack. See smelt/docs/HANDOFF.md for full context.

Author: frrist

cmd/cli/root.go

@@ -114,6 +114,7 @@ func initConfig() {
 }
 
 func initLogging() {
+	logLevel = "info"
 	if logLevel != "" {
 		ll, err := logging.LevelFromString(logLevel)
 		cobra.CheckErr(err)

cmd/cli/setup/register.go

@@ -18,7 +18,6 @@ import (
 	"github.com/fil-forge/ucantone/did"
 	"github.com/fil-forge/ucantone/principal"
 	"github.com/fil-forge/ucantone/ucan/container"
-	"github.com/fil-forge/ucantone/ucan/delegation"
 	logging "github.com/ipfs/go-log/v2"
 	"github.com/samber/lo"
 	"github.com/spf13/cobra"
@@ -820,51 +819,42 @@ func registerWithDelegator(ctx context.Context, cmd *cobra.Command, cfg *appcfg.
 		return "", "", fmt.Errorf("missing proofs from delegator")
 	}
 
-	indexerProof, err := extractDelegationFromContainer(res.Proofs.Indexer)
+	indexerProof, err := encodeProofChain(res.Proofs.Indexer)
 	if err != nil {
-		return "", "", fmt.Errorf("extracting indexer delegation: %w", err)
+		return "", "", fmt.Errorf("encoding indexer proof chain: %w", err)
 	}
-	egressTrackerProof, err := extractDelegationFromContainer(res.Proofs.EgressTracker)
+	egressTrackerProof, err := encodeProofChain(res.Proofs.EgressTracker)
 	if err != nil {
-		return "", "", fmt.Errorf("extracting egress tracker delegation: %w", err)
+		return "", "", fmt.Errorf("encoding egress tracker proof chain: %w", err)
 	}
 
 	cmd.PrintErrln("✅ Received proofs from delegator")
 
 	return indexerProof, egressTrackerProof, nil
 }
 
-// extractDelegationFromContainer decodes a gzipped ucantone container and
-// returns the *leaf* delegation's CBOR bytes (the last entry — delegator →
-// storage node), encoded as plain CBOR.
+// encodeProofChain takes the gzipped ucantone container returned by the
+// delegator (which carries a chain: root proof e.g. indexing → delegator, then
+// leaf delegator → storage node) and re-encodes the whole container as a
+// base64 string suitable for TOML storage. Piri needs every link in the chain
+// when invoking /claim/cache (or /space/egress/track) so that the indexing /
+// egress-tracker service can validate the operator's authority back through
+// the delegator. The consumer (pkg/config/services.go's decodeProofChain)
+// base64-decodes and runs container.Decode to recover the chain.
 //
-// TODO(ucan1, chain): the container actually carries a chain — the root proof
-// (e.g. indexing → delegator) followed by the leaf (delegator → storage
-// node). See delegator/internal/services/registrar/delegator.go
-// generateIndexerDelegation. Piri needs the whole chain to invoke /claim/cache
-// successfully, but the downstream consumer (pkg/config/services.go) is still
-// typed as `ucan.Delegation` (singular). Returning the leaf only is enough
-// to make registration unblock; once services.go is migrated to accept a
-// container or []ucan.Delegation, return the encoded container instead.
-func extractDelegationFromContainer(b []byte) (string, error) {
-	ct, err := container.Decode(b)
+// Raw CBOR bytes are not UTF-8 safe and break TOML round-trip with
+// "invalid character U+..." — base64 keeps the payload TOML-safe.
+func encodeProofChain(wire []byte) (string, error) {
+	// Sanity check: ensure the wire bytes are decodable so we fail at init
+	// time rather than at first invocation.
+	ct, err := container.Decode(wire)
 	if err != nil {
 		return "", fmt.Errorf("decoding container: %w", err)
 	}
-	dlgs := ct.Delegations()
-	if len(dlgs) == 0 {
+	if len(ct.Delegations()) == 0 {
 		return "", fmt.Errorf("no delegations in container")
 	}
-	leaf := dlgs[len(dlgs)-1]
-	encoded, err := delegation.Encode(leaf)
-	if err != nil {
-		return "", fmt.Errorf("encoding delegation: %w", err)
-	}
-	// CBOR is raw binary, not UTF-8 — putting it directly into a TOML string
-	// triggers a parse error on read ("invalid character U+..."). Base64 keeps
-	// the proof TOML-safe. The consumer (pkg/config/services.go) base64-decodes
-	// before calling delegation.Decode.
-	return base64.StdEncoding.EncodeToString(encoded), nil
+	return base64.StdEncoding.EncodeToString(wire), nil
 }
 
 func requestContractApproval(ctx context.Context, id principal.Signer, flags *initFlags, ownerAddress common.Address) error {

go.mod

@@ -12,12 +12,12 @@ require (
 	github.com/deckarep/golang-set/v2 v2.6.0
 	github.com/docker/docker v28.5.1+incompatible
 	github.com/ethereum/go-ethereum v1.16.7
-	github.com/fil-forge/delegator v0.0.0-20260526203620-bd1a34ac0f0c
+	github.com/fil-forge/delegator v0.0.0-20260527145843-e103ee9f563f
 	github.com/fil-forge/filecoin-services/go v0.0.0-20260507172456-36ebe4467390
 	github.com/fil-forge/go-ipni-tools v0.0.0-20260519194815-545b9421aec0
-	github.com/fil-forge/libforge v0.0.0-20260527084616-1c83212df033
+	github.com/fil-forge/libforge v0.0.0-20260527182359-ebb22552c348
 	github.com/fil-forge/piri-signing-service v0.0.0-20260527011208-918512802357
-	github.com/fil-forge/ucantone v0.0.0-20260522152152-eda937bc2684
+	github.com/fil-forge/ucantone v0.0.0-20260527115858-517b03bc3c72
 	github.com/filecoin-project/go-address v1.2.0
 	github.com/filecoin-project/go-commp-utils v0.1.4
 	github.com/filecoin-project/go-commp-utils/nonffi v0.0.0-20240802040721-2a04ffc8ffe8

go.sum

@@ -545,8 +545,8 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/ferranbt/fastssz v0.1.4 h1:OCDB+dYDEQDvAgtAGnTSidK1Pe2tW3nFV40XyMkTeDY=
 github.com/ferranbt/fastssz v0.1.4/go.mod h1:Ea3+oeoRGGLGm5shYAeDgu6PGUlcvQhE2fILyD9+tGg=
-github.com/fil-forge/delegator v0.0.0-20260526203620-bd1a34ac0f0c h1:tNEZlnoiu/f0tP7QnjwCgyKLdhxzKEe6j/MMsS701p8=
-github.com/fil-forge/delegator v0.0.0-20260526203620-bd1a34ac0f0c/go.mod h1:IRZ6E9Vg3Z7UeWMgHUVb94Pn1wELAHKTPTpBigfH+WI=
+github.com/fil-forge/delegator v0.0.0-20260527145843-e103ee9f563f h1:ZPyzLZcgT6VIiM/5BGM+JdtB2MaQk3kS+za0pXFrfzo=
+github.com/fil-forge/delegator v0.0.0-20260527145843-e103ee9f563f/go.mod h1:IRZ6E9Vg3Z7UeWMgHUVb94Pn1wELAHKTPTpBigfH+WI=
 github.com/fil-forge/filecoin-services/go v0.0.0-20260507172456-36ebe4467390 h1:h7SZVboCO1iPDtdxPJjs1fj4IVFq/dpDWFevkXtwgps=
 github.com/fil-forge/filecoin-services/go v0.0.0-20260507172456-36ebe4467390/go.mod h1:ur5fRrG8v9twwwRFdX7lquGza4liT6x/xAFW7T4XVIc=
 github.com/fil-forge/go-ipni-tools v0.0.0-20260519194815-545b9421aec0 h1:HAfXUPvtPjK9UAzofbDSzW0mSXsbubMtIFCEh0SJ2ow=
@@ -555,10 +555,14 @@ github.com/fil-forge/go-ucanto v0.0.0-20260507172450-5cb5d073f8ab h1:2J2cDThqTKP
 github.com/fil-forge/go-ucanto v0.0.0-20260507172450-5cb5d073f8ab/go.mod h1:lZF3UXZ2hGLKYmXdquG50JqI9pRlUrV6lubGtgOYfwc=
 github.com/fil-forge/libforge v0.0.0-20260527084616-1c83212df033 h1:Orw344bJoiOnYYXVkt6sH573hYBl/hpyuNri6CeArNY=
 github.com/fil-forge/libforge v0.0.0-20260527084616-1c83212df033/go.mod h1:1ytnrneNEeJcskEbsRDtNZY/Jvgo2Yw5szIUI/9EWPk=
+github.com/fil-forge/libforge v0.0.0-20260527182359-ebb22552c348 h1:roYe4llNv0fpQnvXMontrdt/hy9kH5K/cnNsXmhqId4=
+github.com/fil-forge/libforge v0.0.0-20260527182359-ebb22552c348/go.mod h1:1ytnrneNEeJcskEbsRDtNZY/Jvgo2Yw5szIUI/9EWPk=
 github.com/fil-forge/piri-signing-service v0.0.0-20260527011208-918512802357 h1:sTK8Yc/kds7MkG0cpK5DGDtDCtU1ZwgQWc4OzRf3ZP4=
 github.com/fil-forge/piri-signing-service v0.0.0-20260527011208-918512802357/go.mod h1:fgg5hE/BlnFlR5qXsT0POv6GWVu7cj526s7v2+mdJXo=
 github.com/fil-forge/ucantone v0.0.0-20260522152152-eda937bc2684 h1:kWJLKVltJXPXO7tKS1z0GhzA+c59gwhediGyByEXE0o=
 github.com/fil-forge/ucantone v0.0.0-20260522152152-eda937bc2684/go.mod h1:XAVqsZwYoZ9vncjZoRUAJ+mL/ApLMFn9HHX7ipohVdY=
+github.com/fil-forge/ucantone v0.0.0-20260527115858-517b03bc3c72 h1:FFK4CC7IfLfwa5ZQExdkZayPc6Tg0JgVK4jhn2hd2cY=
+github.com/fil-forge/ucantone v0.0.0-20260527115858-517b03bc3c72/go.mod h1:xQ1oQ2UgA8xFpNxpyj2v+jiW2KVDAi90xjy1OjUkNXI=
 github.com/filecoin-project/filecoin-ffi v1.34.0 h1:OvcsvsFUCwzLOGT949dsJEqSLyGx4d8TPPRrmrzlQbk=
 github.com/filecoin-project/filecoin-ffi v1.34.0/go.mod h1:AXLJk1PscWAwEa9CdqdiFwj1ttVJ+UIm8YQDPpTqBjg=
 github.com/filecoin-project/go-address v0.0.3/go.mod h1:jr8JxKsYx+lQlQZmF5i2U0Z+cGQ59wMIps/8YW/lDj8=

pkg/config/app/services.go

@@ -18,17 +18,21 @@ type ExternalServicesConfig struct {
 }
 
 // IndexingServiceConfig contains indexing service connection and proof(s) for
-// using the service
+// using the service. Proofs is an ordered chain (root → leaf) — the delegator
+// returns a chain (indexing-service → delegator → operator) and every link
+// must be attached to invocations to satisfy the indexer's validator.
 type IndexingServiceConfig struct {
 	DID    did.DID
 	Client execution.Executor
-	Proofs ucan.Delegation
+	Proofs []ucan.Delegation
 }
 
 type EgressTrackerServiceConfig struct {
-	DID                  did.DID
-	Client               execution.Executor
-	Proofs               ucan.Delegation
+	DID    did.DID
+	Client execution.Executor
+	// Proofs is an ordered chain (root → leaf), same shape as
+	// IndexingServiceConfig.Proofs.
+	Proofs               []ucan.Delegation
 	ReceiptsEndpoint     *url.URL
 	MaxBatchSizeBytes    int64
 	CleanupCheckInterval time.Duration

pkg/config/services.go

@@ -8,24 +8,96 @@ import (
 
 	"github.com/fil-forge/ucantone/client"
 	"github.com/fil-forge/ucantone/did"
-	"github.com/fil-forge/ucantone/ucan/delegation"
+	"github.com/fil-forge/ucantone/ucan"
+	"github.com/fil-forge/ucantone/ucan/container"
 	"github.com/ipni/go-libipni/maurl"
 
 	"github.com/fil-forge/piri/lib"
 	"github.com/fil-forge/piri/pkg/config/app"
 )
 
-// decodeProof base64-decodes a TOML-stored proof string into the raw CBOR
-// bytes ready for `delegation.Decode`. The encoder side lives in
-// cmd/cli/setup/register.go's extractDelegationFromContainer; both ends MUST
-// agree on the encoding. Falls back to treating the string as raw bytes if it
-// fails to base64-decode — covers older configs written before the encoding
-// was introduced.
-func decodeProof(s string) []byte {
-	if b, err := base64.StdEncoding.DecodeString(s); err == nil {
-		return b
-	}
-	return []byte(s)
+// decodeProofChain base64-decodes a TOML-stored proof string into the
+// delegation chain it encodes. The encoder side lives in
+// cmd/cli/setup/register.go's encodeProofChain; both ends MUST agree on the
+// encoding. The chain is logically ordered root → leaf (e.g.
+// indexing-service → delegator → operator). All links must travel together
+// when the operator invokes against the indexing/egress-tracker services —
+// single-delegation storage was insufficient and produced "delegation issuer
+// is did:web:indexer not did:web:delegator" errors in piri's publisher when
+// only the leaf or only the root made it through.
+//
+// TODO(forrest)[ucan1]: remove orderProofChain once
+// https://github.com/fil-forge/ucantone/issues/29 lands. The ucan-wg/container
+// spec sorts tokens bytewise on encode for deterministic output (see
+// ucantone/ucan/container/container.go encodeTokens), so ct.Delegations()
+// returns them in bytewise order, not in chain order. The ucan-wg/invocation
+// spec requires the invocation's `prf` field to be "an array of CIDs ...
+// starting from the root Delegation ... in strict sequence where the aud of
+// the previous Delegation matches the iss of the next Delegation" — so
+// downstream consumers (publisher.go's CacheClaim) cannot just forward
+// ct.Delegations() into WithProofs. We reorder here to bridge between the
+// transport-layer container and the invocation-layer ordering requirement.
+func decodeProofChain(s string) ([]ucan.Delegation, error) {
+	raw, err := base64.StdEncoding.DecodeString(s)
+	if err != nil {
+		return nil, fmt.Errorf("base64-decoding proof: %w", err)
+	}
+	ct, err := container.Decode(raw)
+	if err != nil {
+		return nil, fmt.Errorf("decoding proof container: %w", err)
+	}
+	return orderProofChain(ct.Delegations())
+}
+
+// orderProofChain returns dlgs reordered root → leaf so that for each
+// adjacent pair (a, b), a.Audience() == b.Issuer(). The root is the
+// delegation whose issuer is not the audience of any other delegation in the
+// set; from there we walk forward following audience → issuer until the set
+// is exhausted. Errors if the chain is disconnected, branched, or cyclic.
+func orderProofChain(dlgs []ucan.Delegation) ([]ucan.Delegation, error) {
+	if len(dlgs) <= 1 {
+		return dlgs, nil
+	}
+
+	byIssuer := make(map[did.DID]ucan.Delegation, len(dlgs))
+	audiences := make(map[did.DID]struct{}, len(dlgs))
+	for _, d := range dlgs {
+		if _, dup := byIssuer[d.Issuer()]; dup {
+			return nil, fmt.Errorf("proof chain has two delegations with the same issuer %s (branched chain)", d.Issuer())
+		}
+		byIssuer[d.Issuer()] = d
+		audiences[d.Audience()] = struct{}{}
+	}
+
+	var root ucan.Delegation
+	for _, d := range dlgs {
+		if _, isAudience := audiences[d.Issuer()]; isAudience {
+			continue
+		}
+		if root != nil {
+			return nil, fmt.Errorf("proof chain has multiple roots (issuers %s and %s have no incoming edge)", root.Issuer(), d.Issuer())
+		}
+		root = d
+	}
+	if root == nil {
+		return nil, fmt.Errorf("proof chain has no root (cycle)")
+	}
+
+	ordered := make([]ucan.Delegation, 0, len(dlgs))
+	cur := root
+	for cur != nil {
+		ordered = append(ordered, cur)
+		next, ok := byIssuer[cur.Audience()]
+		if !ok {
+			break
+		}
+		cur = next
+	}
+
+	if len(ordered) != len(dlgs) {
+		return nil, fmt.Errorf("proof chain is disconnected: %d delegations supplied but only %d form a contiguous chain", len(dlgs), len(ordered))
+	}
+	return ordered, nil
 }
 
 type ServicesConfig struct {
@@ -102,13 +174,16 @@ func (s *IndexingServiceConfig) ToAppConfig() (app.IndexingServiceConfig, error)
 		DID:    sdid,
 		Client: c,
 	}
-	// Parse indexing service proofs if provided
+	// Parse indexing service proof chain if provided
 	if s.Proof != "" {
-		dlg, err := delegation.Decode(decodeProof(s.Proof))
+		chain, err := decodeProofChain(s.Proof)
 		if err != nil {
 			return app.IndexingServiceConfig{}, fmt.Errorf("parsing indexing service proof: %w", err)
 		}
-		out.Proofs = dlg
+		if len(chain) == 0 {
+			return app.IndexingServiceConfig{}, fmt.Errorf("indexing service proof container is empty")
+		}
+		out.Proofs = chain
 	} else {
 		// TODO(forrest): in the event a node is run without an indexing service proof, it will
 		// almost always fail to index...obviously.
@@ -174,13 +249,16 @@ func (c *EgressTrackerServiceConfig) ToAppConfig() (app.EgressTrackerServiceConf
 		CleanupCheckInterval: 1 * time.Hour,
 	}
 
-	// Parse egress tracker service proofs if provided
+	// Parse egress tracker service proof chain if provided
 	if c.Proof != "" {
-		dlg, err := delegation.Decode(decodeProof(c.Proof))
+		chain, err := decodeProofChain(c.Proof)
 		if err != nil {
 			return app.EgressTrackerServiceConfig{}, fmt.Errorf("parsing egress tracker service proof: %w", err)
 		}
-		out.Proofs = dlg
+		if len(chain) == 0 {
+			return app.EgressTrackerServiceConfig{}, fmt.Errorf("egress tracker service proof container is empty")
+		}
+		out.Proofs = chain
 	} else {
 		log.Warn("no egress tracker service proof provided, egress tracking is disabled")
 	}

pkg/service/egresstracker/service.go

@@ -20,7 +20,6 @@ import (
 	"github.com/fil-forge/ucantone/did"
 	"github.com/fil-forge/ucantone/principal"
 	"github.com/fil-forge/ucantone/ucan"
-	"github.com/fil-forge/ucantone/ucan/delegation"
 	"github.com/fil-forge/ucantone/ucan/invocation"
 	"github.com/ipfs/go-cid"
 	cidlink "github.com/ipld/go-ipld-prime/linking/cid"
@@ -40,7 +39,11 @@ const journalRotationPeriod = time.Hour * 12
 type Service struct {
 	id                   principal.Signer
 	egressTrackerDID     did.DID
-	egressTrackerProofs  ucan.Delegation
+	// egressTrackerProofs is the ordered chain (root → leaf) issued by the
+	// delegator for the egress-tracker service. Every link must accompany
+	// each /space/egress/track invocation for the egress-tracker validator
+	// to walk the chain back to the originating authority.
+	egressTrackerProofs  []ucan.Delegation
 	egressTrackerConn    client.Connection
 	batchEndpoint        *url.URL
 	journal              retrievaljournal.Journal
@@ -56,7 +59,7 @@ type Service struct {
 func New(
 	id principal.Signer,
 	egressTrackerConn client.Connection,
-	egressTrackerProofs delegation.Delegation,
+	egressTrackerProofs []ucan.Delegation,
 	batchEndpoint *url.URL,
 	journal retrievaljournal.Journal,
 	consolidationStore consolidationstore.Store,
@@ -123,14 +126,21 @@ func (s *Service) enqueueEgressTrackTask(ctx context.Context, batchCID cid.Cid)
 }
 
 func (s *Service) egressTrack(ctx context.Context, batchCID cid.Cid) error {
+	if len(s.egressTrackerProofs) == 0 {
+		return fmt.Errorf("no proofs configured for egress tracker invocation")
+	}
+	proofLinks := make([]cid.Cid, len(s.egressTrackerProofs))
+	for i, d := range s.egressTrackerProofs {
+		proofLinks[i] = d.Link()
+	}
 	trackInv, err := egress.Track.Invoke(
 		s.id,
 		s.egressTrackerDID,
 		&egress.TrackArguments{
 			Receipts: batchCID,
 			Endpoint: capabilities.CborURL(*s.batchEndpoint),
 		},
-		invocation.WithProofs(s.egressTrackerProofs.Link()),
+		invocation.WithProofs(proofLinks...),
 		invocation.WithNoExpiration(),
 	)
 	if err != nil {

pkg/service/publisher/options.go

@@ -16,7 +16,7 @@ type options struct {
 	announceAddr          multiaddr.Multiaddr
 	announceURLs          []url.URL
 	indexingService       app.IndexingServiceConfig
-	indexingServiceProofs ucan.Delegation
+	indexingServiceProofs []ucan.Delegation
 }
 
 type Option func(*options) error
@@ -54,11 +54,14 @@ func WithIndexingService(conn app.IndexingServiceConfig) Option {
 	}
 }
 
-// WithIndexingServiceProof configures proofs for UCAN invocations to the
-// indexing service.
-func WithIndexingServiceProof(proof ucan.Delegation) Option {
+// WithIndexingServiceProof configures the proof chain (root → leaf) for UCAN
+// invocations to the indexing service. Every delegation in the chain is
+// attached to each /claim/cache invocation; passing only the leaf yields
+// "delegation issuer is X not Y" failures inside the indexer's validator
+// because the chain back to the original authority is broken.
+func WithIndexingServiceProof(proofs []ucan.Delegation) Option {
 	return func(opts *options) error {
-		opts.indexingServiceProofs = proof
+		opts.indexingServiceProofs = proofs
 		return nil
 	}
 }