
audit: ingest LEP-6 storage proof results #118

Merged
j-rafique merged 1 commit into LEP-6-foundation from LEP-6-report-ingestion
Apr 27, 2026

@j-rafique j-rafique commented Apr 20, 2026

PR#118 Summary (LEP-6-report-ingestion)

Title

audit: ingest LEP-6 storage proof results

Overview

This PR implements the LEP-6 report ingestion milestone on top of LEP-6-foundation by wiring storage_proof_results into MsgSubmitEpochReport validation and persistence paths.

What’s Included

  1. Tx surface update
  • MsgSubmitEpochReport now includes:
    • repeated StorageProofResult storage_proof_results = 5;
  • Regenerated protobuf bindings (tx.pb.go).
  2. Ingestion validation
  • Added dedicated validation flow for storage proof results.
  • Validation enforces:
    • Reporter eligibility (must be a prober for the epoch).
    • Target assignment must match reporter’s allowed targets.
    • Reporter/target/challenger consistency rules.
    • Required transcript/result fields.
    • Allowed enum values for bucket/artifact/result classes.
    • Result-class-specific constraints:
      • NO_ELIGIBLE_TICKET rules (ticket/artifact fields constrained/empty).
      • RECHECK_CONFIRMED_FAIL requires RECHECK bucket.
    • Duplicate descriptor detection within a report.
  3. Persistence
  • storage_proof_results are now stored in EpochReport during SubmitEpochReport.
  4. Error model
  • Added new typed module error:
    • ErrInvalidStorageProofs (code 9).

Test Coverage Added

  • Storage proof results persist correctly in submitted reports.
  • Non-prober reporters are rejected when submitting storage proof results.
  • Malformed payload scenarios are rejected (challenger mismatch, missing ticket, invalid recheck bucket pairing, duplicate descriptors, etc.).
  • Existing epoch report validation coverage remains intact.

Scope / Non-Goals

  • This PR is ingestion-only.
  • No scoring (N/R/D) updates, no enforcement/penalty activation, and no heal/recheck execution logic changes yet.

@j-rafique j-rafique self-assigned this Apr 20, 2026

roomote-v0 Bot commented Apr 20, 2026


Reviewed af4c9fc (commit since last review). Both findings from Zee's production-gate review (118-F1 dedup bypass via artifact_key, 118-F2 unbounded StorageProofResults) are addressed in this commit. The storageProofDescriptorKey now correctly excludes artifact_key, and MaxStorageProofResultsPerReport = 16 caps per-report entries. Validation logic, persistence, error model, and test coverage are all clean. No new issues found.

  • 118-F1 (HIGH): Duplicate-descriptor key dedup bypass via artifact_key -- fixed, artifact_key excluded from descriptor key
  • 118-F2 (MEDIUM): No upper bound on len(StorageProofResults) -- fixed, capped at 16 via MaxStorageProofResultsPerReport

@j-rafique j-rafique force-pushed the LEP-6-foundation branch 3 times, most recently from db04b1e to 923895a, April 22, 2026 08:47
@mateeullahmalik

Production-gate review by Zee — 2 findings

Methodology: full file-by-file read of every non-generated changed file in this PR's diff (pr-118 vs its base branch), cross-checked against:

  • LEP-6 spec (Notion source of truth)
  • invariant-first-coding skill (write-path enumeration, sibling symmetry, single source of truth, post-fix re-audit)
  • Cosmos SDK consensus discipline (no float, no map iteration, bounded EndBlock, genesis round-trip, errorsmod wrapping)

Status legend: each finding's status is computed at the PR #122 stack-tip (consensus-gap-fixes commit a51c439), so 'FIXED' means a downstream PR in the stack already addresses it; 'OPEN' means it is still present at the tip and must be fixed before merge / Phase-2 activation. Severity rubric in the charter (~/work/lep6-review/ctx/charter.md): CRITICAL = consensus halt / state corruption / non-determinism in ABCI; HIGH = spec mismatch with economic impact, missing genesis round-trip, replay enabler; MEDIUM = invariant asymmetry without immediate exploit, unbounded loop with practical bound, missing param validation.

Severity breakdown: HIGH=1, MEDIUM=1


118-F1 — Duplicate-descriptor key includes attacker-controlled artifact_key — dedup bypass

  • Severity: HIGH
  • File: x/audit/v1/keeper/msg_submit_epoch_report_storage_proofs.go
  • Lines: 11-18, 111-122
  • Status at PR #122 (feat(audit): finalize LEP-6 consensus gap fixes) tip: NOT VERIFIED FIXED in PR #122 — please confirm. The descriptor identity per spec §10 is (ticket_id, artifact_class, artifact_ordinal); artifact_key is a deterministic function of that tuple, not an independent field.
  • What: storageProofDescriptorKey includes artifactKey. A prober can submit two contradictory results with the same (target,bucket,ticket,class,ord) but two different artifact_key strings; both pass dedup and are persisted. Once scoring lands, the same logical descriptor double-counts. Existing duplicate descriptors test only exercises identical entries.

118-F2 — No upper bound on len(StorageProofResults) — unbounded validation work and on-chain growth


This review is posted as a COMMENT (not REQUEST_CHANGES) so it does not block merge mechanically — but the CRITICAL and HIGH items must be triaged before activation. I'm available to walk through any of these in detail.

— Zee
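
Findings 118-F1 and 118-F2, and the fix the review bot reports, shown as an added example (not the PR's code): deduplication keyed with and without the reporter-supplied artifact_key, behind a length cap. The Result struct, its field names, ErrInvalid and the sample values are assumptions; only the cap value 16 and the descriptor tuple come from the thread.

```go
package main

import (
	"errors"
	"fmt"
)

// Result is a constructed stand-in for StorageProofResult; field names are assumptions.
type Result struct {
	Target, Bucket, TicketID, ArtifactClass, ArtifactKey, ResultClass string
	ArtifactOrdinal                                                   uint32
}

const MaxStorageProofResultsPerReport = 16            // cap value quoted in the thread
var ErrInvalid = errors.New("invalid storage proofs") // hypothetical sentinel error

// keyDescriptorOnly is the corrected shape; %q keeps field boundaries unambiguous.
func keyDescriptorOnly(r Result) string {
	return fmt.Sprintf("%q|%q|%q|%q|%d", r.Target, r.Bucket, r.TicketID, r.ArtifactClass, r.ArtifactOrdinal)
}

// keyWithArtifact is the flagged shape: the reporter-supplied ArtifactKey is part of identity.
func keyWithArtifact(r Result) string {
	return keyDescriptorOnly(r) + fmt.Sprintf("|%q", r.ArtifactKey)
}

// Validate applies the length cap first, then rejects repeated descriptors.
func Validate(rs []Result, key func(Result) string) error {
	if len(rs) > MaxStorageProofResultsPerReport {
		return fmt.Errorf("%w: %d results, cap is %d", ErrInvalid, len(rs), MaxStorageProofResultsPerReport)
	}
	seen := make(map[string]bool, len(rs))
	for i, r := range rs {
		k := key(r)
		if seen[k] {
			return fmt.Errorf("%w: duplicate descriptor at index %d", ErrInvalid, i)
		}
		seen[k] = true
	}
	return nil
}

// main checks two constructed results that share a descriptor but differ in key and verdict.
func main() {
	a := Result{Target: "sn-target-1", Bucket: "RECHECK", TicketID: "ticket-42", ArtifactClass: "INDEX", ArtifactOrdinal: 3, ArtifactKey: "key-a", ResultClass: "PASS"}
	b := a
	b.ArtifactKey, b.ResultClass = "key-b", "RECHECK_CONFIRMED_FAIL"
	fmt.Println("artifact_key in key:", Validate([]Result{a, b}, keyWithArtifact))
	fmt.Println("descriptor-only key:", Validate([]Result{a, b}, keyDescriptorOnly))
}
```

A regression test for this class of bug needs a pair that differs only in artifact_key; a pair of identical entries passes under either key shape.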


Copilot AI left a comment


Pull request overview

Implements LEP-6 “storage proof results” ingestion for the audit module by extending MsgSubmitEpochReport to accept, validate, and persist storage_proof_results, and introduces foundational “storage-truth” state/query/genesis/params plumbing (plus placeholder tx endpoints).

Changes:

  • Extend MsgSubmitEpochReport/EpochReport with storage_proof_results and add validation + persistence in SubmitEpochReport.
  • Add storage-truth params (incl. enforcement mode enum), genesis fields, and keeper state storage for node/reporter/ticket/heal-op state.
  • Add new storage-truth query endpoints, AutoCLI wiring, and placeholder tx messages/handlers (returning ErrNotImplemented).

Reviewed changes

Copilot reviewed 29 out of 32 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| x/audit/v1/types/query.pb.gw.go | Regenerated gRPC-gateway bindings for new query endpoints. |
| x/audit/v1/types/params_test.go | Adds tests covering new storage-truth param defaults and validation. |
| x/audit/v1/types/params.pb.go | Regenerated protobuf bindings for new params + enum. |
| x/audit/v1/types/params.go | Adds storage-truth param keys/defaults/validation and ParamSetPairs. |
| x/audit/v1/types/keys.go | Adds KV key prefixes/helpers for storage-truth state and heal-op indexing. |
| x/audit/v1/types/genesis.pb.go | Regenerated protobuf bindings for expanded genesis state. |
| x/audit/v1/types/genesis.go | Sets NextHealOpId default in genesis. |
| x/audit/v1/types/errors.go | Adds ErrInvalidStorageProofs and ErrNotImplemented. |
| x/audit/v1/types/codec.go | Registers new msg types for interface unpacking. |
| x/audit/v1/simulation/submit_evidence_test.go | Tests simulation op for submit evidence returns NoOp msg. |
| x/audit/v1/module/simulation_test.go | Ensures module weighted ops include submit evidence op. |
| x/audit/v1/module/autocli.go | Adds AutoCLI commands for new queries and placeholder tx methods. |
| x/audit/v1/keeper/storage_truth_state_test.go | Tests round-trip persistence for new storage-truth KV state. |
| x/audit/v1/keeper/storage_truth_state.go | Implements KV CRUD for storage-truth states + heal-op indices/counter. |
| x/audit/v1/keeper/query_storage_truth_test.go | Tests new storage-truth query server endpoints. |
| x/audit/v1/keeper/query_storage_truth.go | Implements new storage-truth query server endpoints with pagination. |
| x/audit/v1/keeper/msg_submit_epoch_report_test.go | Adds tests for storage proof result persistence + validation failures. |
| x/audit/v1/keeper/msg_submit_epoch_report_storage_proofs.go | Adds storage_proof_results validation (eligibility, fields, enums, duplicates). |
| x/audit/v1/keeper/msg_submit_epoch_report.go | Wires storage proof validation and persistence into report submission. |
| x/audit/v1/keeper/msg_storage_truth_placeholders_test.go | Tests placeholder msg handlers return validation/not-implemented errors. |
| x/audit/v1/keeper/msg_storage_truth_placeholders.go | Adds placeholder msg handlers returning ErrNotImplemented. |
| x/audit/v1/keeper/genesis_test.go | Extends genesis round-trip tests for new genesis fields. |
| x/audit/v1/keeper/genesis.go | Imports/exports new storage-truth state and next heal-op ID in genesis. |
| proto/lumera/audit/v1/tx.proto | Extends MsgSubmitEpochReport; adds new storage-truth tx messages/RPCs. |
| proto/lumera/audit/v1/query.proto | Adds new storage-truth query RPCs and request/response messages. |
| proto/lumera/audit/v1/params.proto | Adds storage-truth params and enforcement mode enum. |
| proto/lumera/audit/v1/genesis.proto | Adds storage-truth state lists and next heal-op ID to genesis. |
| proto/lumera/audit/v1/audit.proto | Adds storage proof result types and storage-truth state/heal-op types; adds storage proof results to EpochReport. |
| devnet/go.sum | Updates dependency checksums. |


Comment thread x/audit/v1/keeper/storage_truth_state.go Outdated
Comment thread x/audit/v1/types/params.go
Comment thread proto/lumera/audit/v1/query.proto
@j-rafique j-rafique force-pushed the LEP-6-report-ingestion branch from cb16594 to af4c9fc, April 27, 2026 13:04
@j-rafique j-rafique merged commit 2c25771 into LEP-6-foundation Apr 27, 2026
8 checks passed