efir369999/montana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: broken markdown refs auto-resolved

Browse Source
This commit is contained in:
efir369999 2026-05-06 01:09:25 +03:00
parent de19e5fb10
commit 954fa029ce
1 changed files with 32 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
Montana-Protocol/External-Audit/claude-opus-4-7_2026-04-27_T141253.md
View File

@ -33,15 +33,15 @@
| Крейт | Путь | Размер | Что покрывает | | Крейт | Путь | Размер | Что покрывает |
|-------|------|--------|---------------| |-------|------|--------|---------------|
| `mt-lottery` | [crates/mt-lottery/src/lib.rs](Code/crates/mt-lottery/src/lib.rs) | **1692 строк** ✓ verified | BundledConfirmation R1/R2, VdfReveal, compute_endpoint per [I-8], log2_q64 (Q64.64 fixed-point Remez minimax degree-3), ln_q64, weighted_ticket_node, determine_winner argmin canonical, sorted_candidates_for_fallback, quorum (67% ceiling integer formula), is_cemented | | `mt-lottery` | [crates/mt-lottery/src/lib.rs](../Code/crates/mt-lottery/src/lib.rs) | **1692 строк** ✓ verified | BundledConfirmation R1/R2, VdfReveal, compute_endpoint per [I-8], log2_q64 (Q64.64 fixed-point Remez minimax degree-3), ln_q64, weighted_ticket_node, determine_winner argmin canonical, sorted_candidates_for_fallback, quorum (67% ceiling integer formula), is_cemented |
| `mt-consensus` | [crates/mt-consensus/src/lib.rs](Code/crates/mt-consensus/src/lib.rs) | **1038 строк** ✓ verified | ProposalHeader (3722 B fixed-size), validate_header, canonical_proposer (Lookback Leadership winner_{W-2}), fallback_proposer cascade, compute_control_set, validate_proposer_is_canonical/bundles_threshold/included_reveals/winner, finalization_status, leader_penalty_excluded_node | | `mt-consensus` | [crates/mt-consensus/src/lib.rs](../Code/crates/mt-consensus/src/lib.rs) | **1038 строк** ✓ verified | ProposalHeader (3722 B fixed-size), validate_header, canonical_proposer (Lookback Leadership winner_{W-2}), fallback_proposer cascade, compute_control_set, validate_proposer_is_canonical/bundles_threshold/included_reveals/winner, finalization_status, leader_penalty_excluded_node |
| `mt-entry` | [crates/mt-entry/src/lib.rs](Code/crates/mt-entry/src/lib.rs) | **998 строк** ✓ verified | NodeRegistration (5344 B opcode 0x11), validate_noderegistration, candidate_vdf_init per [I-8], compute_expiry_window 3τ₂, selection_slots (1% cap через ADMISSION_DIVISOR=130), selection_sort_key, rank_candidates_for_selection, apply_selection_event, required_vdf_length (Adaptive VDF integer permille), nr_sort_key, apply_noderegistrations_batch | | `mt-entry` | [crates/mt-entry/src/lib.rs](../Code/crates/mt-entry/src/lib.rs) | **998 строк** ✓ verified | NodeRegistration (5344 B opcode 0x11), validate_noderegistration, candidate_vdf_init per [I-8], compute_expiry_window 3τ₂, selection_slots (1% cap через ADMISSION_DIVISOR=130), selection_sort_key, rank_candidates_for_selection, apply_selection_event, required_vdf_length (Adaptive VDF integer permille), nr_sort_key, apply_noderegistrations_batch |
### 2.2. Слой M5 — Persistence ### 2.2. Слой M5 — Persistence
| Крейт | Путь | Размер | Что покрывает | | Крейт | Путь | Размер | Что покрывает |
|-------|------|--------|---------------| |-------|------|--------|---------------|
| `mt-store` | [crates/mt-store/src/lib.rs](Code/crates/mt-store/src/lib.rs) | **976 строк** ✓ verified | FsStore filesystem-backed (pure std::fs), save/load AccountTable / NodeTable / CandidatePool / MonetaryState через CanonicalEncode, Proposal archive (`proposals/{window:020}.bin`), Crash recovery (`meta_last_cemented.bin`), Pruning, R5 atomic rename pattern (`.tmp` + fs::rename) | | `mt-store` | [crates/mt-store/src/lib.rs](../Code/crates/mt-store/src/lib.rs) | **976 строк** ✓ verified | FsStore filesystem-backed (pure std::fs), save/load AccountTable / NodeTable / CandidatePool / MonetaryState через CanonicalEncode, Proposal archive (`proposals/{window:020}.bin`), Crash recovery (`meta_last_cemented.bin`), Pruning, R5 atomic rename pattern (`.tmp` + fs::rename) |
**Итого LOC аудитного слоя:** 4704 (mt-lottery 1692 + mt-consensus 1038 + mt-entry 998 + mt-store 976). **Итого LOC аудитного слоя:** 4704 (mt-lottery 1692 + mt-consensus 1038 + mt-entry 998 + mt-store 976).
@ -180,7 +180,7 @@ Drift в нижних bits ~ 2^-10.62 от minimax polynomial — **соотве
### 5.1. MEDIUM ### 5.1. MEDIUM
#### M4-MED-1 — Type inconsistency: `window_index` u32 vs u64 #### M4-MED-1 — Type inconsistency: `window_index` u32 vs u64
**Локация:** [mt-lottery/src/lib.rs:16, 141, 176](Code/crates/mt-lottery/src/lib.rs:16) vs [mt-consensus/src/lib.rs:35, 111](Code/crates/mt-consensus/src/lib.rs:35) **Локация:** [mt-lottery/src/lib.rs:16, 141, 176](../Code/crates/mt-lottery/src/lib.rs:16) vs [mt-consensus/src/lib.rs:35, 111](../Code/crates/mt-consensus/src/lib.rs:35)
- `BundledConfirmation.window_index: u32` - `BundledConfirmation.window_index: u32`
- `VdfReveal.window_index: u32` - `VdfReveal.window_index: u32`
@ -193,7 +193,7 @@ Drift в нижних bits ~ 2^-10.62 от minimax polynomial — **соотве
**Рекомендация:** унифицировать тип на u64 во всех M4 структурах + spec patch. Стоимость закрытия pre-mainnet: один patch в spec layout + мelodic cascade в encode/decode. **Рекомендация:** унифицировать тип на u64 во всех M4 структурах + spec patch. Стоимость закрытия pre-mainnet: один patch в spec layout + мelodic cascade в encode/decode.
#### M4-MED-2 — `validate_winner` с empty W-1 candidates → liveness halt в edge cases #### M4-MED-2 — `validate_winner` с empty W-1 candidates → liveness halt в edge cases
**Локация:** [mt-consensus/src/lib.rs:324-344](Code/crates/mt-consensus/src/lib.rs:324) **Локация:** [mt-consensus/src/lib.rs:324-344](../Code/crates/mt-consensus/src/lib.rs:324)
```rust ```rust
pub fn validate_winner( pub fn validate_winner(
@ -219,7 +219,7 @@ pub fn validate_winner(
### 5.2. LOW ### 5.2. LOW
#### M4-LOW-3 — 2 `expect()` в production code mt-lottery — claim "0 prod expect" inaccurate #### M4-LOW-3 — 2 `expect()` в production code mt-lottery — claim "0 prod expect" inaccurate
**Локация:** [mt-lottery/src/lib.rs:298-306](Code/crates/mt-lottery/src/lib.rs:298) **Локация:** [mt-lottery/src/lib.rs:298-306](../Code/crates/mt-lottery/src/lib.rs:298)
```rust ```rust
let e_hi = u128::from_be_bytes( let e_hi = u128::from_be_bytes(
@ -246,7 +246,7 @@ let e_lo = u128::from_be_bytes(
**Рекомендация:** Заменить на `let bytes16: [u8; 16] = endpoint[off..off+16].try_into().unwrap_or([0; 16]);` либо использовать `<[u8; 16]>::try_from(&endpoint[off..off+16]).expect_or_default(...)`. Marginal benefit — текущее acceptable. **Рекомендация:** Заменить на `let bytes16: [u8; 16] = endpoint[off..off+16].try_into().unwrap_or([0; 16]);` либо использовать `<[u8; 16]>::try_from(&endpoint[off..off+16]).expect_or_default(...)`. Marginal benefit — текущее acceptable.
#### M4-LOW-4 — `validate_header` overflow risk: `prev_window_index + 1` без checked_add #### M4-LOW-4 — `validate_header` overflow risk: `prev_window_index + 1` без checked_add
**Локация:** [mt-consensus/src/lib.rs:120](Code/crates/mt-consensus/src/lib.rs:120) **Локация:** [mt-consensus/src/lib.rs:120](../Code/crates/mt-consensus/src/lib.rs:120)
```rust ```rust
if header.window_index != prev_window_index + 1 { if header.window_index != prev_window_index + 1 {
@ -261,7 +261,7 @@ if header.window_index != prev_window_index + 1 {
**Рекомендация:** `if header.window_index != prev_window_index.checked_add(1).ok_or(HeaderError::WindowNotMonotone)? { ... }` — defense in depth. **Рекомендация:** `if header.window_index != prev_window_index.checked_add(1).ok_or(HeaderError::WindowNotMonotone)? { ... }` — defense in depth.
#### M4-LOW-5 — `quorum` overflow risk: `67 * active_chain_length + 99` без checked_mul #### M4-LOW-5 — `quorum` overflow risk: `67 * active_chain_length + 99` без checked_mul
**Локация:** [mt-lottery/src/lib.rs:460-462](Code/crates/mt-lottery/src/lib.rs:460) **Локация:** [mt-lottery/src/lib.rs:460-462](../Code/crates/mt-lottery/src/lib.rs:460)
```rust ```rust
pub fn quorum(active_chain_length: u64) -> u64 { pub fn quorum(active_chain_length: u64) -> u64 {
@ -276,7 +276,7 @@ pub fn quorum(active_chain_length: u64) -> u64 {
**Рекомендация:** `active_chain_length.checked_mul(67).and_then(|v| v.checked_add(99)).map(|v| v / 100).unwrap_or(u64::MAX)` — graceful saturate. **Рекомендация:** `active_chain_length.checked_mul(67).and_then(|v| v.checked_add(99)).map(|v| v / 100).unwrap_or(u64::MAX)` — graceful saturate.
#### M4-LOW-6 — Тест `validate_bundle_rejects_too_many_ops` не тестирует фактический code path #### M4-LOW-6 — Тест `validate_bundle_rejects_too_many_ops` не тестирует фактический code path
**Локация:** [mt-lottery/tests/determinism_invariants.rs:389-407](Code/crates/mt-lottery/tests/determinism_invariants.rs:389) **Локация:** [mt-lottery/tests/determinism_invariants.rs:389-407](../Code/crates/mt-lottery/tests/determinism_invariants.rs:389)
```rust ```rust
#[test] #[test]
@ -312,7 +312,7 @@ fn validate_bundle_rejects_too_many_ops_with_registered_node() {
``` ```
#### M4-LOW-7 — Hardcoded constants ADMISSION_DIVISOR / SELECTION_INTERVAL / EXPIRY_TAU2_COUNT — несоответствие [C-1] SSOT #### M4-LOW-7 — Hardcoded constants ADMISSION_DIVISOR / SELECTION_INTERVAL / EXPIRY_TAU2_COUNT — несоответствие [C-1] SSOT
**Локация:** [mt-entry/src/lib.rs:175, 199, 225](Code/crates/mt-entry/src/lib.rs:175) **Локация:** [mt-entry/src/lib.rs:175, 199, 225](../Code/crates/mt-entry/src/lib.rs:175)
```rust ```rust
pub const EXPIRY_TAU2_COUNT: u64 = 3; pub const EXPIRY_TAU2_COUNT: u64 = 3;
@ -329,7 +329,7 @@ CLAUDE.md raises [C-1] SSOT: **"Константы протокола (D₀, τ
**Рекомендация:** перенести в mt-genesis::ProtocolParams (либо в новый раздел `protocol_constants`), либо обновить CLAUDE.md с явным acknowledgment "M4 constants допустимы как module-level". **Рекомендация:** перенести в mt-genesis::ProtocolParams (либо в новый раздел `protocol_constants`), либо обновить CLAUDE.md с явным acknowledgment "M4 constants допустимы как module-level".
#### M5-LOW-8 — Нет cleanup `.tmp` файлов при reopen после crash #### M5-LOW-8 — Нет cleanup `.tmp` файлов при reopen после crash
**Локация:** [mt-store/src/lib.rs:66-72](Code/crates/mt-store/src/lib.rs:66) **Локация:** [mt-store/src/lib.rs:66-72](../Code/crates/mt-store/src/lib.rs:66)
```rust ```rust
fn write_atomic(&self, name: &str, data: &[u8]) -> Result<(), StoreError> { fn write_atomic(&self, name: &str, data: &[u8]) -> Result<(), StoreError> {
@ -348,7 +348,7 @@ fn write_atomic(&self, name: &str, data: &[u8]) -> Result<(), StoreError> {
**Рекомендация:** `FsStore::open` сделать pass: `fs::read_dir(&root) → for each entry ending with .tmp → remove`. **Рекомендация:** `FsStore::open` сделать pass: `fs::read_dir(&root) → for each entry ending with .tmp → remove`.
#### M5-LOW-9 — Нет `fsync` после write (документировано как M6 layer responsibility) #### M5-LOW-9 — Нет `fsync` после write (документировано как M6 layer responsibility)
**Локация:** [mt-store/src/lib.rs:58-65 комменты](Code/crates/mt-store/src/lib.rs:58) **Локация:** [mt-store/src/lib.rs:58-65 комменты](../Code/crates/mt-store/src/lib.rs:58)
POSIX `fs::rename` атомарен per single filesystem (kernel-level guarantee), но **content tmp file** может остаться в page cache без flush на диск. Power-loss до fsync = potential data loss даже после "успешного" rename. POSIX `fs::rename` атомарен per single filesystem (kernel-level guarantee), но **content tmp file** может остаться в page cache без flush на диск. Power-loss до fsync = potential data loss даже после "успешного" rename.
@ -360,7 +360,7 @@ POSIX `fs::rename` атомарен per single filesystem (kernel-level guarante
### 5.3. INFO ### 5.3. INFO
#### M4-INFO-10 — `canonical_proposer` empty W-2 candidates → bootstrap node "indefinite extended genesis" #### M4-INFO-10 — `canonical_proposer` empty W-2 candidates → bootstrap node "indefinite extended genesis"
**Локация:** [mt-consensus/src/lib.rs:160-173](Code/crates/mt-consensus/src/lib.rs:160) **Локация:** [mt-consensus/src/lib.rs:160-173](../Code/crates/mt-consensus/src/lib.rs:160)
```rust ```rust
pub fn canonical_proposer(...) -> NodeId { pub fn canonical_proposer(...) -> NodeId {
@ -385,7 +385,7 @@ pub fn canonical_proposer(...) -> NodeId {
**Однако:** symlink attack возможен если attacker имеет local FS access — может создать symlink `proposals/00000....bin``/etc/passwd`. `prune_proposals_before` удалит target через symlink. Это требует pre-existing local access, low severity. **Однако:** symlink attack возможен если attacker имеет local FS access — может создать symlink `proposals/00000....bin``/etc/passwd`. `prune_proposals_before` удалит target через symlink. Это требует pre-existing local access, low severity.
#### M5-INFO-12 — Decoder fuzz coverage не проверяет semantic invariants #### M5-INFO-12 — Decoder fuzz coverage не проверяет semantic invariants
**Локация:** [mt-store/tests/fuzz_decoders.rs](Code/crates/mt-store/tests/fuzz_decoders.rs) **Локация:** [mt-store/tests/fuzz_decoders.rs](../Code/crates/mt-store/tests/fuzz_decoders.rs)
Fuzz tests verify "no panic" на arbitrary length + arbitrary content. Это **format-level safety**`decode_account_record` для valid-length bytes возвращает `Ok(record)` независимо от semantic correctness. Validator, проверяющий что balance ≤ supply, account_id = derive_account_id(pubkey), и т.д. — **caller responsibility** (mt-account / mt-state). Fuzz tests verify "no panic" на arbitrary length + arbitrary content. Это **format-level safety**`decode_account_record` для valid-length bytes возвращает `Ok(record)` независимо от semantic correctness. Validator, проверяющий что balance ≤ supply, account_id = derive_account_id(pubkey), и т.д. — **caller responsibility** (mt-account / mt-state).
@ -578,31 +578,31 @@ python3 scripts/oracle_python_sha256.py
## Приложение Б: Список проверенных файлов ## Приложение Б: Список проверенных файлов
**Исходный код M4+M5 (4704 LOC):** **Исходный код M4+M5 (4704 LOC):**
1. [crates/mt-lottery/src/lib.rs](Code/crates/mt-lottery/src/lib.rs) — 1692 строк 1. [crates/mt-lottery/src/lib.rs](../Code/crates/mt-lottery/src/lib.rs) — 1692 строк
2. [crates/mt-consensus/src/lib.rs](Code/crates/mt-consensus/src/lib.rs) — 1038 строк 2. [crates/mt-consensus/src/lib.rs](../Code/crates/mt-consensus/src/lib.rs) — 1038 строк
3. [crates/mt-entry/src/lib.rs](Code/crates/mt-entry/src/lib.rs) — 998 строк 3. [crates/mt-entry/src/lib.rs](../Code/crates/mt-entry/src/lib.rs) — 998 строк
4. [crates/mt-store/src/lib.rs](Code/crates/mt-store/src/lib.rs) — 976 строк 4. [crates/mt-store/src/lib.rs](../Code/crates/mt-store/src/lib.rs) — 976 строк
**Тесты (1992 LOC):** **Тесты (1992 LOC):**
5. [crates/mt-lottery/tests/determinism_invariants.rs](Code/crates/mt-lottery/tests/determinism_invariants.rs) — 415 строк 5. [crates/mt-lottery/tests/determinism_invariants.rs](../Code/crates/mt-lottery/tests/determinism_invariants.rs) — 415 строк
6. [crates/mt-lottery/tests/external_oracle.rs](Code/crates/mt-lottery/tests/external_oracle.rs) — 69 строк 6. [crates/mt-lottery/tests/external_oracle.rs](../Code/crates/mt-lottery/tests/external_oracle.rs) — 69 строк
7. [crates/mt-consensus/tests/determinism_invariants.rs](Code/crates/mt-consensus/tests/determinism_invariants.rs) — 416 строк 7. [crates/mt-consensus/tests/determinism_invariants.rs](../Code/crates/mt-consensus/tests/determinism_invariants.rs) — 416 строк
8. [crates/mt-entry/tests/determinism_invariants.rs](Code/crates/mt-entry/tests/determinism_invariants.rs) — 335 строк 8. [crates/mt-entry/tests/determinism_invariants.rs](../Code/crates/mt-entry/tests/determinism_invariants.rs) — 335 строк
9. [crates/mt-entry/tests/external_oracle.rs](Code/crates/mt-entry/tests/external_oracle.rs) — 80 строк 9. [crates/mt-entry/tests/external_oracle.rs](../Code/crates/mt-entry/tests/external_oracle.rs) — 80 строк
10. [crates/mt-store/tests/determinism_invariants.rs](Code/crates/mt-store/tests/determinism_invariants.rs) — 409 строк 10. [crates/mt-store/tests/determinism_invariants.rs](../Code/crates/mt-store/tests/determinism_invariants.rs) — 409 строк
11. [crates/mt-store/tests/fuzz_decoders.rs](Code/crates/mt-store/tests/fuzz_decoders.rs) — 268 строк 11. [crates/mt-store/tests/fuzz_decoders.rs](../Code/crates/mt-store/tests/fuzz_decoders.rs) — 268 строк
**Cargo manifests:** **Cargo manifests:**
12. [crates/mt-lottery/Cargo.toml](Code/crates/mt-lottery/Cargo.toml) 12. [crates/mt-lottery/Cargo.toml](../Code/crates/mt-lottery/Cargo.toml)
13. [crates/mt-consensus/Cargo.toml](Code/crates/mt-consensus/Cargo.toml) 13. [crates/mt-consensus/Cargo.toml](../Code/crates/mt-consensus/Cargo.toml)
14. [crates/mt-entry/Cargo.toml](Code/crates/mt-entry/Cargo.toml) 14. [crates/mt-entry/Cargo.toml](../Code/crates/mt-entry/Cargo.toml)
15. [crates/mt-store/Cargo.toml](Code/crates/mt-store/Cargo.toml) 15. [crates/mt-store/Cargo.toml](../Code/crates/mt-store/Cargo.toml)
**Конфигурация:** **Конфигурация:**
16. [.cargo/config.toml](Code/.cargo/config.toml) — single-core/single-process policy 16. [.cargo/config.toml](../Code/.cargo/config.toml) — single-core/single-process policy
**Скрипты:** **Скрипты:**
17. [scripts/oracle_python_sha256.py](Code/scripts/oracle_python_sha256.py) — independent Python SHA-256 oracle 17. [scripts/oracle_python_sha256.py](../Code/scripts/oracle_python_sha256.py) — independent Python SHA-256 oracle
--- ---