
🌊 Wave-17: tool-call argument confusion + group-PCS healing #715

Merged: gHashTag merged 1 commit into main from feat/trios-chat-wave17, May 10, 2026

@gHashTag
Owner

Closes #714

🌊 Wave-17 — tool-call argument confusion + group-PCS healing

Seventeenth wave of Trinity Chat (EPIC trinity-fpga#28). Two new lanes pinning the next two ASPIRATIONAL threat classes from the W16 ROADMAP — tool-call argument confusion / type-confusion injection (CR-CHAT-06) and group-PCS healing after device compromise (CR-CHAT-03). Falsifier corpus extended 1500 → 1600 across 30 → 32 threshold lanes, Coq monotone advance 121 → 130 Qed / 0 Admitted with ZERO new axioms, and ROADMAP.md updated to retire W17 from [ASPIRATIONAL] into the shipped wave table.

Lane A — L-CHAT-9-tool (CR-CHAT-06) · tool-call argument confusion / type-confusion injection

NEW: crates/trios-chat/rings/CR-CHAT-06/src/tool_arg_confusion.rs (503 lines).

Surface:

  • ArgKind::{ StringBounded { cap }, U64, I64, Bool, Enum { variants } } — closed-world tag space for tool-call arguments.
  • ArgSpec { name, kind }, ToolEntry { name, args }, ToolManifest { tools } — re-exported from the ring as ToolArgManifest to avoid collision with the legacy capability::ToolManifest.
  • ArgValue::{ Str, U, I, Bool }, ToolCall { tool, args: Vec<(String, ArgValue)> }.
  • ToolCallError::{ UnknownTool, MissingArg, UnexpectedArg, KindMismatch, StringTooLong, UnknownEnumVariant, NestedToolCallSentinel } — closed-world rejection enum.
  • validate_tool_call(manifest, call) -> Result<(), ToolCallError> — strict by-name matching, kind shape check, byte-cap check on StringBounded, variant-set check on Enum, and sentinel scan against NESTED_TOOL_CALL_SENTINEL = "<<TOOL-CALL>>" inside any string-typed argument.

CR-CHAT-06 ring: tests + 6 TOOL-01..06.

| Test | Invariant |
|---|---|
| TOOL-01 | well-formed ToolCall validates against the manifest with all kinds matched (ArgKind agrees with ArgValue shape) |
| TOOL-02 | KindMismatch rejected when Bool is sent where Enum was declared (covers 'true'-string-vs-Bool confusion) |
| TOOL-03 | StringTooLong rejected when a StringBounded { cap } arg exceeds the byte cap (oversized-subject overflow) |
| TOOL-04 | UnknownEnumVariant rejected when an enum value is outside the declared variants set (default-enum-on-null smuggling) |
| TOOL-05 | UnknownTool / MissingArg / UnexpectedArg rejected independently |
| TOOL-06 | NestedToolCallSentinel rejected when any string argument contains <<TOOL-CALL>> (confused-deputy nested-tool injection) |

Lane B — L-CHAT-3-pcs (CR-CHAT-03) · group-PCS healing after device compromise

NEW: crates/trios-chat/rings/CR-CHAT-03/src/pcs_healing.rs (352 lines).

Surface:

  • PathSecretHash([u8; 32]) — opaque hash of a leaf path-secret; equality is the only observable.
  • HealCommit { group_id, from_epoch, sender, heals: Vec<HealEntry> }.
  • HealEntry { target, from_hash, to_hash } — from_hash must match the receiver's current secret_of(target); to_hash becomes the new value.
  • PcsState::{ new(group_id, members), add_member, secret_of(target), process_heal(HealCommit) } — process_heal is the post-compromise healing transition: validates group_id, validates from_epoch == self.epoch, validates non-empty heals, validates each from_hash matches, validates to_hash != from_hash, and rejects duplicate targets in one batch.

CR-CHAT-03 ring: tests + 6 PCS-01..06.

| Test | Invariant |
|---|---|
| PCS-01 | well-formed HealCommit advances the group epoch by exactly one and rotates the targeted members' path-secrets |
| PCS-02 | heal where from_hash does not match the receiver's current secret_of(target) is rejected (stolen-PSK rotation against stale view) |
| PCS-03 | heal whose from_epoch differs from the receiver's current epoch is rejected (no future-jump, no regression) |
| PCS-04 | empty / no-op heal (heals.len() == 0) is rejected (cannot bump epoch without any rotation) |
| PCS-05 | to_hash == from_hash (identity heal) is rejected |
| PCS-06 | duplicate-target inside a single HealCommit is rejected (intra-batch shadowing) |

Coq Wave-17 — 121 → 130 Qed / 0 Admitted · ZERO new axioms

crates/trios-chat/proofs/chat/Trinity_Chat.v — new Section TrinityChatWave17 with collision-safe names (ArgKind17, ArgValue17, kind_match17, HealEntry17, PcsState17, heal_step17).

  • INV-CHAT-89 inv_chat_89_tool_kind_mismatch_rejected — Bool value where Enum was declared ⇒ KindMismatch.
  • INV-CHAT-90 inv_chat_90_tool_nested_sentinel_rejected — string arg containing the nested-tool sentinel ⇒ NestedToolCallSentinel.
  • INV-CHAT-91 inv_chat_91_tool_string_too_long_rejected — StringBounded { cap } arg with len > cap ⇒ StringTooLong.
  • INV-CHAT-92 inv_chat_92_tool_enum_variant_rejected — enum value outside variants ⇒ UnknownEnumVariant.
  • INV-CHAT-93 inv_chat_93_pcs_heal_advances_one — well-formed HealCommit ⇒ epoch advances by exactly one.
  • INV-CHAT-94 inv_chat_94_pcs_no_op_rejected — heals.len() == 0 ⇒ rejected (no epoch bump without rotation).
  • INV-CHAT-95 inv_chat_95_pcs_epoch_mismatch_rejected — from_epoch != current ⇒ rejected (no future-jump, no regression).

Helper: pcs_pre_heal_replay_rejected17. Zero new axioms. Both lanes prove constructively.

W17 first attempt used Bool.andb_false_r after rewrite Hlen for an andb-shaped goal; the cleaner simpl. rewrite Hlen. reflexivity. discharges it directly. Final coqc runtime silent, total Qed 130.

Cumulative axioms: ss_kp_injective (W9) + dh_step_fresh, dh_post_history_independent, hybrid_kem_non_degenerate (W10) + sn_hash_sym (W14) = 5 total · UNCHANGED in W17.

Falsifier corpus 1500 → 1600 · 30 → 32 threshold lanes

  • crates/trios-chat/corpus/prompt_injection.jsonl — appended 50 PI-TOOL-001..050 + 50 PI-PCS-001..050.
  • crates/trios-chat/rings/CR-CHAT-06/src/injection.rs — DENY_PATTERNS extended with TOOL keyword block (kindmismatch, kind mismatch, unknownenumvariant, stringbounded, argkind, argspec, toolentry, toolargmanifest, toolcall sentinel, <<tool-call>>, nestedtoolcallsentinel, oversized, exceeding-the, non-utf-8, smuggle-binary, conflicting-kinds, same-arg-name-twice, =null, default-enum, 'true' string, bool vs enum, u64-overflows-i64, kind-match path, …) and PCS keyword block (pcs heal, healcommit, healentry, pcsstate, pathsecrethash, path-secret, pre-heal, heal_step, process_heal, no-op heal, to_hash, from_hash, sender-knew-pre-heal, duplicate-target, foreign group_id, cross-group splice, future-epoch jump, epoch regression, parallel-fork heal, leaked-path-secret, founder's-secret, pre-shared-key, heals.len()=0, empty/zero/no heals, bump-epoch-without, epoch-without-rotation, …); 100% coverage on all 1600 entries across 32 categories.
  • crates/trios-chat/src/bin/falsifier_runner.rs — two new threshold lanes (tool_arg_confusion, group_pcs_break) at 0.95; final summary now reports 1600/1600 across 32 categories.

ROADMAP.md update

crates/trios-chat/ROADMAP.md:

  • Status line: 249 tests · 25/25 e2e · 1600/1600 falsifier · 32 categories · 130 Coq Qed / 0 Admitted.
  • Wave table: W17 row added (PR/SHA TBD on merge); W16 demoted from bold and now references its rollup commit 1bd0c54 via 🌊 feat(trios-chat) Wave-10: ratchet-forward-secrecy + MLS commit-reorder + Coq 60/0 + 900/900 falsifier #665.
  • Wave-17 detail section: lanes, tests, INVs, corpus deltas.
  • Coq index extended with INV-CHAT-89..95.
  • Falsifier table: 32 categories.
  • ASPIRATIONAL section retitled to Future waves (W18–W22) — W17 retired; W22 added as TBD.
  • Anchor extended with TOOL-ARG-CONFUSION · GROUP-PCS-HEAL.

Verification matrix (all green)

| Gate | Result |
|---|---|
| cargo test cumulative chat suite | 249 / 0 failed |
| e2e_chat_25 | 25 / 25 |
| falsifier_runner | 1600 / 1600 across 32 categories |
| cargo clippy -D warnings (trios-chat + CR-CHAT-03/06) | clean |
| coqc Trinity_Chat.v | silent |
| grep -cE "Qed\." Trinity_Chat.v | 130 |

Wave progression

| Wave | SHA | Tests | Coq Qed | Falsifier | Categories | PR |
|---|---|---|---|---|---|---|
| W9 | 7340d24 | 145 | 47 | 700 | 14 | #651 (merged) |
| W10..W16 (rollup) | 1bd0c54 | 235 | 121 | 1500 | 30 | #665 (merged to main) |
| W17 | this PR | 249 | 130 | 1600 | 32 | this PR |

Honesty tags (Art. I + R5)

  • All test/Coq/falsifier numbers above are [VERIFIED] from local runs on this branch.
  • [CITED] references: trios#714 (this issue), trios#665 (W10..W16 rollup merged to main), trios#711 (W16), trios#702 (W15), trios#700 (W14), trios#696 (W13), trios#694 (W12), trios#688 (W11).
  • [DERIVED] claims: tool-call argument confusion + group-PCS healing are the two top-priority ASPIRATIONAL items promoted from the W16 ROADMAP forward plan.
  • [ASPIRATIONAL] retired for W17 — moved into the shipped table.

Anchor

φ² + φ⁻² = 3 · TRINITY · CHAT · ZERO-METADATA · POST-QUANTUM · UNLINKABLE · COVER-TIMING · AT-REST-AEAD · BOT-PARTIAL-MLS · KEM-KEY-CONFUSION · AAD-CONTEXT · RATCHET-FS · MLS-REORDER · SKIPPED-KEYS-DOS · MLS-WELCOME-REPLAY · PREKEY-EXHAUSTION · MLS-LEAF-COMPROMISE · DENIABILITY · CONFUSED-DEPUTY · OOB-IDENTITY · MLS-EXTERNAL-COMMIT · EGRESS-FINGERPRINT · IDENTITY-REVOKE · CLOCK-SKEW-REPLAY · AT-REST-ROTATE · TOOL-ARG-CONFUSION · GROUP-PCS-HEAL

Base

This PR targets main directly — the W10..W16 chain landed via rollup commit 1bd0c54 (PR #665) so W17 can branch cleanly from origin/main.
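
Added example, not code from this PR or the trios-chat repository: a compact Rust re-implementation of the validate_tool_call checks listed under Lane A, so the rejection paths in TOOL-01..06 can be exercised directly. The type layouts, the order of checks, carrying enum values as ArgValue::Str, treating a repeated argument name as UnexpectedArg, and the demo_manifest / call helpers are assumptions.

```rust
// Added illustration, not the trios-chat source: field layouts, check order and the
// choice to carry enum values as ArgValue::Str are assumptions.
const NESTED_TOOL_CALL_SENTINEL: &str = "<<TOOL-CALL>>";
enum ArgKind { StringBounded { cap: usize }, U64, I64, Bool, Enum { variants: Vec<String> } }
struct ArgSpec { name: String, kind: ArgKind }
struct ToolEntry { name: String, args: Vec<ArgSpec> }
struct ToolManifest { tools: Vec<ToolEntry> }
enum ArgValue { Str(String), U(u64), I(i64), Bool(bool) }
struct ToolCall { tool: String, args: Vec<(String, ArgValue)> }
#[derive(Debug, PartialEq)]
enum ToolCallError { UnknownTool, MissingArg, UnexpectedArg, KindMismatch, StringTooLong, UnknownEnumVariant, NestedToolCallSentinel }

fn validate_tool_call(m: &ToolManifest, c: &ToolCall) -> Result<(), ToolCallError> {
    use ToolCallError::*;
    let entry = m.tools.iter().find(|t| t.name == c.tool).ok_or(UnknownTool)?;
    // Strict by-name matching: undeclared or repeated names are rejected (repeat rule assumed).
    for (i, (name, _)) in c.args.iter().enumerate() {
        let dup = c.args[..i].iter().any(|(n, _)| n == name);
        if dup || !entry.args.iter().any(|s| &s.name == name) { return Err(UnexpectedArg); }
    }
    for spec in &entry.args {
        let (_, v) = c.args.iter().find(|(n, _)| n == &spec.name).ok_or(MissingArg)?;
        if let ArgValue::Str(s) = v { // sentinel scan covers every string-typed value
            if s.contains(NESTED_TOOL_CALL_SENTINEL) { return Err(NestedToolCallSentinel); }
        }
        match (&spec.kind, v) {
            // String::len() counts bytes, matching the byte cap described above.
            (ArgKind::StringBounded { cap }, ArgValue::Str(s)) if s.len() > *cap => return Err(StringTooLong),
            (ArgKind::Enum { variants }, ArgValue::Str(s)) if !variants.contains(s) => return Err(UnknownEnumVariant),
            (ArgKind::StringBounded { .. }, ArgValue::Str(_)) | (ArgKind::Enum { .. }, ArgValue::Str(_)) => {}
            (ArgKind::U64, ArgValue::U(_)) | (ArgKind::I64, ArgValue::I(_)) | (ArgKind::Bool, ArgValue::Bool(_)) => {}
            _ => return Err(KindMismatch), // e.g. Bool sent where Enum was declared
        }
    }
    Ok(())
}

fn demo_manifest() -> ToolManifest { // constructed sample manifest
    let prio = ArgKind::Enum { variants: vec!["low".into(), "high".into()] };
    ToolManifest { tools: vec![ToolEntry { name: "send".into(), args: vec![
        ArgSpec { name: "subject".into(), kind: ArgKind::StringBounded { cap: 16 } },
        ArgSpec { name: "priority".into(), kind: prio }] }] }
}
fn call(subject: &str, priority: ArgValue) -> ToolCall { // constructed sample call
    let args = vec![("subject".into(), ArgValue::Str(subject.into())), ("priority".into(), priority)];
    ToolCall { tool: "send".into(), args }
}
fn main() {
    println!("{:?}", validate_tool_call(&demo_manifest(), &call("hi", ArgValue::Bool(true))));
}
```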
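
Added example, not code from this PR or the trios-chat repository: a compact Rust model of the process_heal transition described under Lane B, showing each rejection in PCS-02..06 and that a rejected commit leaves state untouched. Field types, the HealError variant names, the check order and the hash_of / heal / entry helpers are assumptions; add_member is omitted.

```rust
// Added illustration, not the trios-chat source: field types, the HealError names and
// the check order are assumptions; add_member is omitted.
use std::collections::{BTreeMap, BTreeSet};

// No Debug derive: equality is meant to be the only observable of the hash.
#[derive(Clone, Copy, PartialEq)]
struct PathSecretHash([u8; 32]);
struct HealEntry { target: u32, from_hash: PathSecretHash, to_hash: PathSecretHash }
struct HealCommit { group_id: u64, from_epoch: u64, sender: u32, heals: Vec<HealEntry> }
#[derive(Debug, PartialEq)]
enum HealError { WrongGroup, EpochMismatch, EmptyHeal, DuplicateTarget, StaleFromHash, IdentityHeal }
struct PcsState { group_id: u64, epoch: u64, secrets: BTreeMap<u32, PathSecretHash> }

impl PcsState {
    fn new(group_id: u64, members: &[(u32, PathSecretHash)]) -> Self {
        PcsState { group_id, epoch: 0, secrets: members.iter().copied().collect() }
    }
    fn secret_of(&self, target: u32) -> Option<PathSecretHash> { self.secrets.get(&target).copied() }
    fn process_heal(&mut self, c: &HealCommit) -> Result<u64, HealError> {
        use HealError::*;
        if c.group_id != self.group_id { return Err(WrongGroup); }
        if c.from_epoch != self.epoch { return Err(EpochMismatch); } // no future-jump, no regression
        if c.heals.is_empty() { return Err(EmptyHeal); }             // no epoch bump without rotation
        // Validate the whole batch before mutating, so a rejected commit changes nothing.
        let mut seen = BTreeSet::new();
        for e in &c.heals {
            if !seen.insert(e.target) { return Err(DuplicateTarget); }
            if self.secret_of(e.target) != Some(e.from_hash) { return Err(StaleFromHash); }
            if e.to_hash == e.from_hash { return Err(IdentityHeal); }
        }
        for e in &c.heals { self.secrets.insert(e.target, e.to_hash); }
        self.epoch += 1;
        Ok(self.epoch)
    }
}

fn hash_of(b: u8) -> PathSecretHash { PathSecretHash([b; 32]) } // constructed sample hashes
fn entry(target: u32, from: u8, to: u8) -> HealEntry {
    HealEntry { target, from_hash: hash_of(from), to_hash: hash_of(to) }
}
fn heal(from_epoch: u64, heals: Vec<HealEntry>) -> HealCommit { // constructed sample commit
    HealCommit { group_id: 7, from_epoch, sender: 1, heals }
}
fn main() {
    let mut st = PcsState::new(7, &[(1, hash_of(1)), (2, hash_of(2))]);
    println!("{:?}", st.process_heal(&heal(0, vec![entry(2, 2, 9)])));
    println!("{:?}", st.process_heal(&heal(0, vec![entry(2, 2, 9)]))); // same commit replayed
}
```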
