fix(profile): add recompute-content verifier to ManifestCas (Audit #333 H7) by vrogojin · Pull Request #355 · unicity-sphere/sphere-sdk

vrogojin · 2026-05-30T13:12:47Z

Stacked PR. Built atop #354 (H5) → #353 (H4) → #352 (H3) → #351 (H2) → #349 (H1) → #348 (C3) → #347 (C2) → #346 (C1).

Summary

Closes the H7 high finding of audit #333 — ManifestCas.update's precondition check compared observed.rootHash (a string read from the entry) to prev.contentHash (the caller's expected value). Both sides are arbitrary writer-supplied labels — a CAS pass meant "the labels agree", not "the content under the label is the content the caller meant". An attacker writing an entry with a forged rootHash field that doesn't match the actual pool content slipped through unchanged.

Fix

New optional VerifyEntryRootFn hook accepted via the ManifestCas constructor's opts.verifyEntryRoot. When wired, the hook is invoked AFTER the label CAS passes and BEFORE the write. The hook fetches the content the entry's rootHash references (production: the UXF pool element via computeElementHash), recomputes the hash, and asserts it matches the declaration.
New 'integrity-failed' discriminator on ManifestCasResult.reason with structured integrityDetail for triage. The result also carries observed.contentHash so callers can re-read state.
ManifestCidRewriteCasError.casReason widened to surface 'integrity-failed'. The worker's outer retry loop already treats any throw from manifest-cid-rewrite as a hard CAS failure that bubbles up; the new reason rides through unchanged but preserves structure for operator triage.
Skip conditions:
- prev === null (asserts-no-entry) path — no observed entry to verify
- Label-CAS mismatch — the swap has already been rejected, so the verifier short-circuits
Optional shape preserves back-compat: all 9 existing manifest-cas tests and 100% of production callers that do not (yet) supply the verifier continue to behave identically. Production wiring is a follow-up that does not block this PR.

Production wiring

const cas = new ManifestCas(storage, {
  verifyEntryRoot: async (addr, tokenId, entry) => {
    const poolElement = await loadPoolElement(entry.rootHash);
    if (poolElement === undefined) {
      return { ok: false, reason: 'pool-element-missing' };
    }
    const recomputed = computeElementHash(poolElement);
    return {
      ok: recomputed === entry.rootHash,
      reason: recomputed === entry.rootHash ? undefined : `recomputed=${recomputed}`,
    };
  },
});

The audit's gap (the CAS doesn't recompute) is now closed at the engine level; production wiring of the hook is the next step.

Test plan

6 new H7 regression tests in tests/unit/profile/manifest-cas-h7-recompute-integrity.test.ts:
- Back-compat (verifier omitted → label-only CAS as before)
- Happy path (verifier called AFTER label CAS, BEFORE write — explicit ordering assertion)
- Integrity failure → 'integrity-failed', no write, storage unchanged, integrityDetail propagated
- Skip on prev = null (no observed entry to verify)
- Skip on label-CAS-mismatch (short-circuit before verifier — verifier never called)
- 'integrity-failed' has its own discriminator distinct from cas-mismatch / not-found / concurrent-modification
All 9 existing manifest-cas.test.ts tests pass unchanged
All 1512 transfer tests pass
All 450 unit test files (8181 tests) pass
tsc --noEmit clean

Audit traceability

Issue: Audit: integration/all-fixes — money-path subsystems (UXF / Profile / transfer pipeline) #333 (H7)
File / line in audit: profile/manifest-cas.ts:139-171
Audit recommendation followed: promote the integrity-label check to a real recomputed-content integrity check.

Stack summary

This PR completes the actionable High tier from audit #333:

Tier	PRs
Release-gate Criticals	#346 (C1), #347 (C2), #348 (C3)
Highs (this stack)	#349 (H1), #351 (H2), #352 (H3), #353 (H4), #354 (H5), this (H7)
Deferred	H6 (lamport=0 convergence), H8 (reconcile CID compare) — to be filed as follow-up issues; audit specifically flagged these as "reproduce with multi-device test matrix before fix-now"

What's next

Per user direction, H6 and H8 will be filed as deferred follow-up GitHub issues capturing the audit findings + the requirement to build the multi-device reproduction harness first.

…ER test-coverage gap The soak (manual-test-full-recovery.sh) routinely surfaces `[ERROR] [V6-RECOVER] Stranded receive <hex> hit permanent recipient- address mismatch (HD-index recovery exhausted) (no retry): VerificationError: Recipient address mismatch` at §C → §D. The existing unit tests cover helpers in isolation (PaymentsModule.recipient-address-mismatch-recovery.test.ts) and the error CLASSIFIER (PaymentsModule.proof-polling-persistence.test.ts #269), but neither proves the composition: "given a sibling HD index in the recipient's inventory, tryRecover finds it AND the SDK's verifyRecipient agrees on the derived address". This left CI blind to the regression mode where tryRecover returns a false-positive candidate that Token.update later rejects. This commit closes the gap at three layers: L1. Real-SDK integration test (tests/integration/payments/v6-recover-real-sdk-recovery.test.ts): - Replaces the file-level vi.mock for SigningService / UnmaskedPredicate / TokenId / TokenType / HashAlgorithm with REAL SDK imports. - Builds two real HD-derived signing services. - Constructs the sender-targeted DIRECT address via real UnmaskedPredicate.create → reference.toAddress (the EXACT path the SDK's verifyRecipient uses). - Drives `tryRecoverSigningServiceForRecipient` against real TokenId / TokenType / Uint8Array salt. - 4 tests: happy path, no-match negative, deriveAddressInfo throws, and (L2 composition) tryRecover + predicate construction round-trip equals the transferTx target address. L3. CI workflow (.github/workflows/soak-nightly.yml): - Nightly cron + workflow_dispatch trigger. - Probes testnet aggregator + Nostr relay; skip-not-fail when either is unreachable (third-party outages cannot block releases). - Checks out sphere-cli alongside sphere-sdk, links the local build, runs manual-test-full-recovery.sh with SPHERE_DEBUG=*. - Captures soak.log + workspace as artifacts (30-day retention on failure, 7-day on success). - Surfaces metrics in the workflow summary: V6-RECOVER count, Stranded receive count, POINTER_MONOTONICITY_VIOLATION count, bcast_pub>0 count, exit code. What's tested by what (audit roll-up): - SDK address-derivation regression in tryRecover → L1 (real SDK). - tryRecover ↔ predicate-construction composition → L1 composition test (proves verifyRecipient cannot throw against the recovered state). - Cross-process / Nostr / IPFS / multi-daemon regressions → L3 soak. - Helper-level edge cases (mock-friendly) → existing PaymentsModule.recipient-address-mismatch-recovery.test.ts. - Error-classification on hard fail → existing #269 test in PaymentsModule.proof-polling-persistence.test.ts. Tests pass: 4/4 new integration tests + all 8185 unit tests. tsc clean. Refs: #333 (V6-RECOVER test-coverage gap, follow-up to H1-H7 stack). Stacked on #355 (H7) → #354 (H5) → #353 (H4) → #352 (H3) → #351 (H2) → #349 (H1) → #348 (C3) → #347 (C2) → #346 (C1).

…nifestCas ManifestCas.update's precondition check compared `observed.rootHash` (a string read from the entry) to `prev.contentHash` (the caller's expected value). Both sides are arbitrary writer-supplied labels — a CAS pass meant "the labels agree", not "the content under the label is the content the caller meant". An attacker writing an entry with a forged `rootHash` field that doesn't match the actual pool content slipped through unchanged. Fix: - New optional `VerifyEntryRootFn` hook accepted via the ManifestCas constructor's `opts.verifyEntryRoot`. When wired, the hook is invoked AFTER the label CAS passes and BEFORE the write. The hook fetches the content the entry's `rootHash` references (production: the UXF pool element), recomputes the hash, and asserts it matches the declaration. - New `'integrity-failed'` discriminator on `ManifestCasResult.reason` with structured `integrityDetail` for triage. The result also carries `observed.contentHash` so callers can re-read state. - `ManifestCidRewriteCasError.casReason` widened to surface `'integrity-failed'`. The worker's outer retry loop already treats any throw from manifest-cid-rewrite as a hard CAS failure that bubbles up; the new reason rides through unchanged but preserves structure for operator triage. - Skipped on the `prev === null` (asserts-no-entry) path because there is no observed entry to verify. Skipped on label-CAS-mismatch because the swap has already been rejected. - Optional shape preserves back-compat: all 9 existing manifest-cas tests and the 100% of production callers that do not (yet) supply the verifier continue to behave identically. Production wiring is a follow-up that does not block this PR. Tests: 6 new H7 regression tests covering: - Back-compat (verifier omitted → label-only CAS as before) - Happy path (verifier called AFTER label CAS, BEFORE write) - Integrity failure (returns 'integrity-failed', no write happens, storage unchanged, integrityDetail propagated) - Skip on prev=null (no observed entry to verify) - Skip on label-CAS-mismatch (short-circuit before verifier) - 'integrity-failed' has its own discriminator distinct from cas-mismatch / not-found / concurrent-modification All 1512 transfer tests pass. 8181 total unit tests pass. tsc clean. Refs: #333 (H7). Stacked on #354 (H5) → #353 (H4) → #352 (H3) → #351 (H2) → #349 (H1) → #348 (C3) → #347 (C2) → #346 (C1).

…ER test-coverage gap The soak (manual-test-full-recovery.sh) routinely surfaces `[ERROR] [V6-RECOVER] Stranded receive <hex> hit permanent recipient- address mismatch (HD-index recovery exhausted) (no retry): VerificationError: Recipient address mismatch` at §C → §D. The existing unit tests cover helpers in isolation (PaymentsModule.recipient-address-mismatch-recovery.test.ts) and the error CLASSIFIER (PaymentsModule.proof-polling-persistence.test.ts #269), but neither proves the composition: "given a sibling HD index in the recipient's inventory, tryRecover finds it AND the SDK's verifyRecipient agrees on the derived address". This left CI blind to the regression mode where tryRecover returns a false-positive candidate that Token.update later rejects. This commit closes the gap at three layers: L1. Real-SDK integration test (tests/integration/payments/v6-recover-real-sdk-recovery.test.ts): - Replaces the file-level vi.mock for SigningService / UnmaskedPredicate / TokenId / TokenType / HashAlgorithm with REAL SDK imports. - Builds two real HD-derived signing services. - Constructs the sender-targeted DIRECT address via real UnmaskedPredicate.create → reference.toAddress (the EXACT path the SDK's verifyRecipient uses). - Drives `tryRecoverSigningServiceForRecipient` against real TokenId / TokenType / Uint8Array salt. - 4 tests: happy path, no-match negative, deriveAddressInfo throws, and (L2 composition) tryRecover + predicate construction round-trip equals the transferTx target address. L3. CI workflow (.github/workflows/soak-nightly.yml): - Nightly cron + workflow_dispatch trigger. - Probes testnet aggregator + Nostr relay; skip-not-fail when either is unreachable (third-party outages cannot block releases). - Checks out sphere-cli alongside sphere-sdk, links the local build, runs manual-test-full-recovery.sh with SPHERE_DEBUG=*. - Captures soak.log + workspace as artifacts (30-day retention on failure, 7-day on success). - Surfaces metrics in the workflow summary: V6-RECOVER count, Stranded receive count, POINTER_MONOTONICITY_VIOLATION count, bcast_pub>0 count, exit code. What's tested by what (audit roll-up): - SDK address-derivation regression in tryRecover → L1 (real SDK). - tryRecover ↔ predicate-construction composition → L1 composition test (proves verifyRecipient cannot throw against the recovered state). - Cross-process / Nostr / IPFS / multi-daemon regressions → L3 soak. - Helper-level edge cases (mock-friendly) → existing PaymentsModule.recipient-address-mismatch-recovery.test.ts. - Error-classification on hard fail → existing #269 test in PaymentsModule.proof-polling-persistence.test.ts. Tests pass: 4/4 new integration tests + all 8185 unit tests. tsc clean. Refs: #333 (V6-RECOVER test-coverage gap, follow-up to H1-H7 stack). Stacked on #355 (H7) → #354 (H5) → #353 (H4) → #352 (H3) → #351 (H2) → #349 (H1) → #348 (C3) → #347 (C2) → #346 (C1).

vrogojin force-pushed the fix/issue-333-h5-failed-permanent-source-unlock branch from 58c7f0d to df452c5 Compare May 30, 2026 14:39

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from 1d8d5d8 to bd31d05 Compare May 30, 2026 14:39

vrogojin mentioned this pull request May 30, 2026

fix(profile/storage): plug plaintext-seed window in encrypt() (Audit #333 C1) #346

Merged

5 tasks

vrogojin force-pushed the fix/issue-333-h5-failed-permanent-source-unlock branch from df452c5 to e81e319 Compare May 30, 2026 15:14

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from bd31d05 to c7d2f27 Compare May 30, 2026 15:14

vrogojin mentioned this pull request May 30, 2026

fix(profile/flush-scheduler): probe before destructive oplog reset (Audit #333 C3) #361

Merged

vrogojin force-pushed the fix/issue-333-h5-failed-permanent-source-unlock branch from e81e319 to 2adc028 Compare May 30, 2026 15:46

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from c7d2f27 to d4efc06 Compare May 30, 2026 15:46

vrogojin force-pushed the fix/issue-333-h5-failed-permanent-source-unlock branch from 2adc028 to 9d3c19b Compare May 30, 2026 15:53

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from d4efc06 to 06e0572 Compare May 30, 2026 15:53

vrogojin force-pushed the fix/issue-333-h5-failed-permanent-source-unlock branch from 9d3c19b to 4a3427a Compare May 30, 2026 16:02

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from 06e0572 to 5d624ea Compare May 30, 2026 16:02

vrogojin force-pushed the fix/issue-333-h5-failed-permanent-source-unlock branch from 4a3427a to ee026b0 Compare May 30, 2026 16:09

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from 5d624ea to 3d725b9 Compare May 30, 2026 16:09

vrogojin force-pushed the fix/issue-333-h5-failed-permanent-source-unlock branch from ee026b0 to 37d053d Compare May 30, 2026 16:15

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from 3d725b9 to 43ada2d Compare May 30, 2026 16:15

vrogojin force-pushed the fix/issue-333-h5-failed-permanent-source-unlock branch from 37d053d to 620a5ec Compare May 30, 2026 16:22

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from 43ada2d to c211530 Compare May 30, 2026 16:22

vrogojin changed the base branch from fix/issue-333-h5-failed-permanent-source-unlock to main May 30, 2026 16:28

vrogojin force-pushed the fix/issue-333-h7-manifestcas-recompute-hash branch from c211530 to 654edea Compare May 30, 2026 16:28

vrogojin merged commit 35d6010 into main May 30, 2026
3 checks passed

vrogojin deleted the fix/issue-333-h7-manifestcas-recompute-hash branch May 30, 2026 16:35

vrogojin mentioned this pull request May 30, 2026

fix(uxf,payments): bundleCid determinism — lock envelope timestamp across attempts #362

Merged

5 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(profile): add recompute-content verifier to ManifestCas (Audit #333 H7)#355

fix(profile): add recompute-content verifier to ManifestCas (Audit #333 H7)#355
vrogojin merged 1 commit into
mainfrom
fix/issue-333-h7-manifestcas-recompute-hash

vrogojin commented May 30, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

vrogojin commented May 30, 2026

Summary

Fix

Production wiring

Test plan

Audit traceability

Stack summary

What's next

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant