integration/v0.11.0: integrity profiles, P2P smokes, subsystem hardening #646

Draft
bussyjd wants to merge 9 commits into main from integration/v0.11.0

bussyjd (Contributor) commented Jun 16, 2026

Summary

Integration branch for v0.11.0, consolidating the decentralized-subsystems work (inference / fine-tuning / research / monetize) into 8 signed, reviewable blocks. Behavior-preserving where noted; go build/vet/test ./... is green.

Blocks

  1. chore(integration): v0.11-rc — all open PRs ≥605 integrated (base).
  2. fix: harden decentralized subsystems — dataset (x402-verify on paid join + verify signed log on fetch), bounty (reward capture bound to the accepted fulfiller seat), monetize (perMB datasets charged by size + datasetFileHash federated), research (authenticated worker identity, capped threshold payouts, device-code GC), escrow (409 on conflicting settlement terms).
  3. security(x402): secure-transport gate, opt-in via --secure — direct P2P inference accepts plaintext by default; --secure (and the always-behind-TLS cluster verifier) enforce the gate.
  4. feat(dataset): buy --join — pays the x402 join price host-side to mint a version-scoped member token (peer-to-peer, no cluster).
  5. refactor(cli): rename obol dataset to obol sell data (dataset kept as an alias; buy dataset unchanged).
  6. refactor(offerkind): declarative per-type integrity-profile registry — single source of truth for each ServiceOffer/Request type's render/discovery shapes, price slot, and IntegrityProfile (payment/content/identity/scope). Routes storefront copy, the bazaar extension, the OpenAPI path shape, and the verifier's 402 metadata dispatch through it; centralizes price-slot detection; adds a CRD-enum drift guard. Behavior-preserving.
  7. fix(x402): base-sepolia USDC EIP-712 domain name "USDC", not "USD Coin"; two offline regression guards (computed domain separator vs the captured on-chain value; catalog↔registry pin). Bites host-side signers only, so the cluster release-smoke never caught it.
  8. test(flows): host-side P2P surface smoke — direct-P2P inference 402 + remote-model proxy, paid dataset join, research membership→submit→payout, real on-chain settlement via a local facilitator, and the --secure transport gate (named-tunnel + tailnet origins). Adds sell data publish --facilitator and the cloudflared 2026.6.0 bump.

Testing

  • go build/vet/test ./... green.
  • flows/p2p-surface-smoke.sh: 13 PASS / 2 SKIP / 0 FAIL with a local facilitator + named tunnel up (the 2 SKIPs need the run host on a tailnet). On-chain settlement and --secure-over-HTTPS were live-validated.

Notes

  • Design notes live under plans/ (gitignored): the integrity-profile design and a full smoke-coverage gap analysis.
  • Top follow-up (per the coverage report): a ServiceBounty / escrow E2E smoke — the one P0 gap with no shell coverage today (controller tests use a fake ledger gateway).

bussyjd added 9 commits June 14, 2026 18:28
…s wiring

P1 of the decentralized fine-tuning plan: make a versioned dataset a
first-class type=dataset ServiceOffer so the existing
controller -> Middleware -> HTTPRoute -> ForwardAuth -> catalog pipeline
publishes and gates it with no new serving code. Declarations + pipeline
wiring + parity tests only; the dataset server/versionlog/download client
are later phases.

- CRD: dataset enum value; ServiceOfferDataset{manifestHash,version,
  fileHash,sizeBytes} spec block (mirrors ServiceOfferAgent);
  PriceTable.PerMB; IsDataset(); regenerated serviceoffer-crd.yaml + deepcopy.
- x402: RouteRule.Dataset* fields; routeRuleFromOffer dataset branch
  (hex digests lowercased); effectivePrice perMB; mergeDatasetExtras()
  adds accepts[].extra.dataset{...} to the 402, wired after mergeAgentExtras.
- catalog: schema type enum + perMB priceUnit + additive dataset* properties;
  ServiceCatalogEntry.Dataset*; buildServiceCatalogJSON population; perMB in
  offerPriceRawAndUnit + describeOfferPrice.
- dataset folds to the http render branch in normalizeOfferType (a download
  is not chat-completions): generic 402 copy + bazaarGenericJSON, no bespoke
  copy. Version metadata reaches buyers only via extra.dataset.
- parity tests across CRD fields/block, mergeDatasetExtras, route-rule,
  catalog surface + omitempty, bazaar, fallbackOfferType, describeOfferPrice
  (incl. perMB precedence), and the HTML 402 copy fold.

go build/vet, full go test ./..., and just generate (idempotent) all green.

Squashed integration of every >=605 feature PR for combined-stack testing,
rebuilt on top of the clean #640 so the history carries no third-party name.
Tree-equivalent to merging:

- #640 type=dataset CRD/catalog/x402 wiring
- #632 skill marketplace; #634 ServiceBounty eval-market; #635 escrow
- #633 sell smoke-test agent; #636 flow-12 portability
- #638 BYOK provider registry
- #639 decentralized auto-research; #641 dataset subsystem (P2-P6)
- #637 obol node multinode
- #605/#606/#608 MPP credit-card path (import repointed to x402-foundation)

Excludes #617 (codex/) and the obol-router (separate fork lineage). Local
rc staging branch. Full build + monetize/x402/dataset/embed test surface green.

…arch, escrow)

Squash of the v0.11-rc High/Critical fixes: dataset x402-verifies paid join + verifies the signed log on fetch; bounty reward-capture bound to the accepted fulfiller seat; monetize charges perMB datasets by size + federates datasetFileHash; research authenticates worker identity, caps threshold payouts, GCs device codes; escrow returns 409 on reserve with conflicting settlement terms.

…-secure

Direct peer-to-peer inference accepts plaintext by default; 'obol sell inference --secure' sets RequireSecurePayment and the always-behind-TLS cluster verifier enforces the gate. (Squashes the original always-on gate with its reversal to opt-in.)

Adds a host-side x402 signer (SignExactPayment, EIP-3009 TransferWithAuthorization) and dataset.JoinPaid so 'obol buy dataset --join' probes the seller's 402 paid-join challenge, signs the payment locally, and mints a version-scoped member token — fully peer-to-peer, no cluster, sidecar, or remote signer. --max-price caps the price before signing; the buyer wallet auto-creates at <config>/dataset-serve/buyer.key.

Note: one cosmetic 'approve' help-string rename rides along here (it shares a print block with the --join output).

Moves the seller-side dataset command group under 'obol sell' as 'data' (with 'dataset' kept as an alias). 'obol buy dataset' is unchanged. Updates help/error strings, the monetize-dataset guide, the dataset-anonymize skill, and the hf-surface smoke flow.

internal/offerkind is the single source of truth for what each ServiceOffer/Request type means — render/discovery shapes, price slots, capability flags, and a declarative IntegrityProfile per type. Routes x402 storefront copy + bazaar, the OpenAPI path shape, and the verifier's 402 integrity-metadata dispatch through it; centralizes price-slot detection in monetizeapi.Price.RawAndSlot(); adds a buy-side owner-pin nudge and a CRD-enum drift guard. Behavior-preserving.

…ine guards

Base-Sepolia USDC (FiatTokenV2_2) signs its EIP-712 domain under name "USDC", not the mainnet "USD Coin" — verified: the on-chain DOMAIN_SEPARATOR() equals the domain built with "USDC". chains.go advertised "USD Coin", so the 402 a standalone seller emits made every host-side EIP-3009 signature fail a REAL facilitator (the cluster buyer buy.py and the catalog renderer already hardcoded "USDC", which is why only host-side buyers broke and the stub facilitator masked it).

Two offline guards so it cannot recur — the recurring root cause was the name being hand-maintained in several independent places that drifted: TestUSDCDomainSeparatorsMatchOnChain pins each chain to its captured on-chain DOMAIN_SEPARATOR (via the same apitypes path the signer uses); TestCatalogUSDCMatchesVerifierChain pins the catalog renderer and the x402 registry to each other.

Surfaced by flows/p2p-surface-smoke.sh against a live x402-rs facilitator.
…oin, research, --secure

flows/p2p-surface-smoke.sh covers the host-P2P gaps release-smoke never touches: direct-P2P inference 402 + remote-model proxy, paid dataset /join/paid, research membership->submit->payout, on-chain settlement (1d/2e) via a local facilitator, and the --secure transport gate (named-tunnel 4a, tailnet 4b/4c). Adds 'obol sell data publish --facilitator' and the cloudflared 2026.6.0 bump. 13 PASS / 2 SKIP with facilitator + tunnel up.