feat(l2ps): SR-4 WI-C — finalizeRfq transcript anchor on terminal #97
Shitikyan wants to merge 1 commit into
Ties WI-B's terminal state to WI-3's transcript anchor: on an agreed (accepted) negotiate-rfq, export the signed channel transcript and — per the disclosure policy (DACS-3 §8.7) — anchor an encrypted copy, returning the channelTranscriptRef the rfq output carries.

finalizeRfq orchestrates exportTranscript (sign the ordered messages) → anchorEncryptedTranscript (encrypt-to-members + SR-2 anchor). Policy:
- none: transcript stays local, nothing anchored
- encrypted-anchored-recommended: anchor only on explicit consent
- encrypted-anchored-required: MUST anchor; a null result throws (the phase fails, §8.7)

Refuses to finalize a non-accepted negotiation; requires an L2PS instance when the policy actually anchors. The anchor call is injectable so the orchestration is unit-tested without a live node (the real anchor deploys an SR-2 storage program).

6 tests cover all four policy paths + the two guards, using a real signed offer→counter→accept so the exported transcript is genuinely CCI-signed.

WI-D (AgreementDocument co-sign) needs DACS-3 §8.5.1; WI-E (devnet E2E) needs a node running the messaging server.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Greptile Summary
This PR adds
Confidence Score: 3/5
The orchestration is mostly correct, but a guard is ordered before a consent check, causing the The
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A([finalizeRfq called]) --> B{rfq.state\n=== 'accepted'?}
B -- No --> E1([throw: not accepted])
B -- Yes --> C[exportTranscript\nsign with opts.signer]
C --> D{policy}
D -- none --> R1([return transcript\nref = null])
D -- recommended\nor required --> F{opts.l2ps\npresent?}
F -- No --> E2([throw: requires L2PS\n⚠ fires even for\nrecommended+no consent])
F -- Yes --> G[anchorFn called]
G --> H{policy ===\nrequired AND\nref === null?}
H -- Yes --> E3([throw: phase fails])
H -- No --> R2([return transcript\n+ channelTranscriptRef])
| if (opts.rfq.state !== "accepted") { | ||
| throw new Error( | ||
| `finalizeRfq: negotiation is "${opts.rfq.state}", not "accepted" — ` + | ||
| "only an agreed RFQ produces a transcript anchor", | ||
| ) | ||
| } | ||
|
|
||
| const transcript = await exportTranscript({ | ||
| channelId: opts.session.channelId, | ||
| members: [...opts.session.members], | ||
| messages: opts.session.messages(), |
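Review bot: The accepted check reads opts.rfq.state, but the transcript passed to exportTranscript is built entirely from opts.session (channelId, members, messages()), and nothing in the lines shown ties the two objects together. A caller that passes an accepted rfq alongside a different session would get that session's messages signed and anchored as the agreed transcript. Consider asserting that the rfq belongs to opts.session.channelId before exporting, or reading the terminal state from the session itself so there is only one source of truth.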
recommended + no consent still requires l2ps
The !opts.l2ps guard fires unconditionally for every non-none policy, but DACS-3 §8.7 says recommended without consent produces no anchor — the transcript stays local, same as none. A caller who correctly omits l2ps (because they know consent is withheld and the real anchor won't run) receives a misleading "requires an L2PS instance to encrypt the transcript" error instead of { transcript, channelTranscriptRef: null }. The test suite covers recommended+no-consent with a dummy l2ps: {} as never; the case of recommended+no-consent+no-l2ps is not exercised and throws today.
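The guard ordering this comment asks for, as an added TypeScript sketch (not the PR's code): decide whether the policy anchors first, and only then require an L2PS instance. The policy names come from the PR description; the `consent` flag, `hasL2ps`, and the function names `planAnchor`, `checkAnchorResult` and `finalizeSketch` are assumptions made for illustration.

```typescript
// Added example, not the PR's code. Policy names are from the PR description;
// `consent`, `hasL2ps`, planAnchor and checkAnchorResult are hypothetical names.
type DisclosurePolicy =
  | "none"
  | "encrypted-anchored-recommended"
  | "encrypted-anchored-required";

// Decide whether to anchor BEFORE asking for an L2PS instance, so the paths
// that never anchor do not depend on one.
function planAnchor(
  policy: DisclosurePolicy,
  consent: boolean,
  hasL2ps: boolean,
): "local" | "anchor" {
  const willAnchor =
    policy === "encrypted-anchored-required" ||
    (policy === "encrypted-anchored-recommended" && consent);
  if (!willAnchor) return "local"; // none, or recommended without consent
  if (!hasL2ps) {
    throw new Error("finalizeRfq: anchoring requires an L2PS instance");
  }
  return "anchor";
}

// Under the required policy a null anchor result fails the phase.
function checkAnchorResult(
  policy: DisclosurePolicy,
  ref: string | null,
): string | null {
  if (policy === "encrypted-anchored-required" && ref === null) {
    throw new Error("finalizeRfq: required anchor returned null");
  }
  return ref;
}

// Orchestration with an injectable anchor, as in the PR's design.
async function finalizeSketch(opts: {
  policy: DisclosurePolicy;
  consent: boolean;
  l2ps?: unknown;
  anchor: (l2ps: unknown) => Promise<string | null>;
}): Promise<{ channelTranscriptRef: string | null }> {
  if (planAnchor(opts.policy, opts.consent, opts.l2ps !== undefined) === "local") {
    return { channelTranscriptRef: null };
  }
  const ref = await opts.anchor(opts.l2ps);
  return { channelTranscriptRef: checkAnchorResult(opts.policy, ref) };
}
```

A test for the missing case would call this with the recommended policy, no consent and no `l2ps`, and expect a null `channelTranscriptRef` rather than a throw.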
| readonly state: RfqState | ||
| outcome(): RfqOutcome | ||
| } | ||
|
|
RfqLike.outcome() is declared but never used
finalizeRfq only reads rfq.state; it never calls rfq.outcome(). Keeping outcome() in the structural interface forces every test stub and future implementor to provide a method that this function ignores. Dropping it from RfqLike (while keeping outcome() on RfqSession itself) would be the leaner contract.



Stacked on #96 (WI-B). Ties the terminal negotiate-rfq state to the WI-3 transcript anchor.
finalizeRfq orchestrates exportTranscript → anchorEncryptedTranscript with DACS-3 §8.7 disclosure-policy semantics:
- none — transcript local, nothing anchored
- encrypted-anchored-recommended — anchor on explicit consent
- encrypted-anchored-required — MUST anchor; null result fails the phase

Guards: refuses non-accepted negotiations; requires an L2PS instance when anchoring. The anchor call is injectable so the orchestration is unit-tested without a node (the real anchor deploys an SR-2 storage program). 6/6 tests across all four policy paths + both guards, using a real signed offer→counter→accept transcript.
Remaining: WI-D (AgreementDocument co-sign) needs DACS-3 §8.5.1; WI-E (devnet E2E) needs a node running the messaging server. Rebase onto main once #95/#96 land.