fix: three pre-mainnet blockers — write-route 500 crashes (#306/#787) + public-CG host-mode ingest (#1124)

packages/agent/src/dkg-agent-crypto.ts

@@ -387,7 +387,11 @@ export class WorkspaceCryptoMethods extends DKGAgentBase {
     for (const record of this.localAgents.values()) {
       if (!record.privateKey) continue;
       const signingRecord = { ...record, privateKey: record.privateKey };
-      if (defaultAddress && record.agentAddress.toLowerCase() === defaultAddress) {
+      // GH #787 — a node-level key record can carry a privateKey but no
+      // agentAddress (operational identity, not an agent). Guard the compare so
+      // it falls through to the fallback signer instead of throwing TypeError
+      // (`toLowerCase` of undefined → HTTP 500 on every SWM write via that token).
+      if (defaultAddress && record.agentAddress?.toLowerCase() === defaultAddress) {
         return signingRecord;
       }
       fallback ??= signingRecord;

packages/agent/src/dkg-agent-swm-host.ts

@@ -678,6 +678,38 @@ export class SwmHostModeMethods extends DKGAgentBase {
     }
   }
 
+  /**
+   * GH #1124 — DEFINITIVE public-CG check for the host-mode ingest gates. Unlike
+   * `!isCuratedForHostMode` (which treats UNKNOWN as public), this returns true
+   * ONLY for a CG we can positively confirm is public (open). Curated AND unknown
+   * both return false, so an in-flight chain-event race (policy not loaded yet)
+   * keeps the conservative ciphertext+allowlist gates and heals via member
+   * catchup — it can NEVER misclassify a curated CG as public and admit an
+   * unauthenticated plaintext envelope into curated storage.
+   */
+  async isConfirmedPublicForHostMode(this: DKGAgent, contextGraphId: string): Promise<boolean> {
+    // Resolve via the SHARED on-chain policy resolver rather than a direct
+    // cleartext `subscribedContextGraphs` lookup. `getContextGraphOnChainPolicy`
+    // re-keys cleartext↔on-chain-id (via subscribedContextGraphs OR
+    // getContextGraphOnChainId), consults the accessPolicy cache + local `_meta`,
+    // AND falls back to a direct chain RPC — so it resolves the policy even for a
+    // host-only core whose subscription is keyed by the wire HASH and that has no
+    // local `_meta` (the exact #1124 sharded topology). A cleartext-only
+    // subscribedContextGraphs probe would miss that entry and wrongly drop the
+    // public envelope.
+    //
+    // accessPolicy === 0 is the ONLY confirmed-public answer. Curated (1) and
+    // unknown (undefined) both → false — the safe bias: keep the ciphertext +
+    // allowlist gates so a curated CG mid chain-event race is never misclassified
+    // as public; it heals via member catchup once the policy resolves.
+    try {
+      const { accessPolicy } = await this.getContextGraphOnChainPolicy(contextGraphId);
+      return accessPolicy === 0;
+    } catch {
+      return false;
+    }
+  }
+
   /**
    * Register the host-mode gossip handler for `contextGraphId` and
    * track its reference so {@link unwireSwmHostModeHandler} can
@@ -1009,7 +1041,13 @@ export class SwmHostModeMethods extends DKGAgentBase {
         isCiphertext = skm.type === SWM_SENDER_KEY_MESSAGE_TYPE;
       } catch { /* fall through */ }
     }
-    if (!isCiphertext) return;
+    // GH #1124 — a curated CG MUST carry ciphertext, so a non-ciphertext
+    // envelope there is garbage → drop early (unchanged). A CONFIRMED-public
+    // (open) CG legitimately gossips PLAINTEXT SWM, so let it through to the
+    // authority + storage path below. Unknown CGs stay on the drop path (safe;
+    // member catchup heals once the policy resolves) — see
+    // isConfirmedPublicForHostMode for why UNKNOWN is treated as not-public.
+    if (!isCiphertext && !(await this.isConfirmedPublicForHostMode(storageCgId))) return;
 
     // Authority check: verify the envelope signature against the
     // curated CG's agent allowlist. Without this, a topic-reachable
@@ -1024,6 +1062,40 @@ export class SwmHostModeMethods extends DKGAgentBase {
     const handler = this.getOrCreateSharedMemoryHandler();
     const verdict = await handler.verifyHostModeEnvelopeAuthority(data, storageCgId, fromPeerId);
     if (!verdict.accepted) {
+      // GH #1124 — a CONFIRMED-public (open) CG has no curated agent allowlist,
+      // so the authority check returns 'no agent allowlist'. Accept it for such
+      // CGs: the envelope is already confirmed SIGNED (verifyHostModeEnvelopeAuthority
+      // rejects unsigned envelopes BEFORE the allowlist check), and public-CG
+      // host-mode storage is bounded by the per-CG byte cap + registration
+      // economics (the same safety net the pre-reg fail-open below relies on).
+      // Scoped to isConfirmedPublicForHostMode so a curated CG mid chain-event
+      // race (also 'no agent allowlist') is NEVER admitted — it stays a drop and
+      // heals via member catchup. Every OTHER rejection reason (decode failure,
+      // unsigned, sig mismatch, peer-not-in-allowlist) still drops for ALL CGs.
+      const noAllowlist = verdict.reasonCode === 'NO_AGENT_ALLOWLIST';
+      // A public CG has no allowlist, so verifyHostModeEnvelopeAuthority returns
+      // NO_AGENT_ALLOWLIST and short-circuits BEFORE its signature check. So
+      // verify self-consistency here: the signature must recover to the claimed
+      // signer. This rejects a forged/garbage signature on the public path
+      // (the unsigned case — null envelope — is already dropped upstream as
+      // UNSIGNED, a different reasonCode that never reaches this branch).
+      let publicSigSelfConsistent = false;
+      if (noAllowlist && envelope.agentAddress && envelope.signature.length > 0) {
+        try {
+          const recovered = ethers.verifyMessage(
+            computeGossipSigningPayload(envelope.type, envelope.contextGraphId, envelope.timestamp, envelope.payload),
+            ethers.hexlify(envelope.signature),
+          );
+          publicSigSelfConsistent = recovered.toLowerCase() === envelope.agentAddress.toLowerCase();
+        } catch { publicSigSelfConsistent = false; }
+      }
+      if (noAllowlist && publicSigSelfConsistent && (await this.isConfirmedPublicForHostMode(storageCgId))) {
+        this.log.debug(
+          ctx,
+          `Host-mode accepting public-CG plaintext SWM cg=${storageCgId} from=${fromPeerId} (#1124; open CG has no curated allowlist; signature self-consistent; per-CG byte cap remains the safety net)`,
+        );
+        // fall through to the rate-limit + store path below
+      } else {
       // "no agent allowlist" is the expected outcome during the brief
       // chain-event race window (cores see the beacon, auto-engage
       // host-mode, then receive ciphertext BEFORE the
@@ -1035,7 +1107,7 @@ export class SwmHostModeMethods extends DKGAgentBase {
       // state operation. Other rejection reasons (sig mismatch, peer
       // not in allowlist, decode failure) remain WARN — those are
       // real authority failures that operators need to see.
-      const isTransientRace = verdict.reason === 'no agent allowlist on context graph';
+      const isTransientRace = verdict.reasonCode === 'NO_AGENT_ALLOWLIST';
       if (isTransientRace) {
         this.log.debug(
           ctx,
@@ -1048,6 +1120,7 @@ export class SwmHostModeMethods extends DKGAgentBase {
         );
       }
       return;
+      }
     }
 
     // OT-RFC-38 / LU-6 Phase B — pre-registration ciphertext rate-
@@ -1112,7 +1185,6 @@ export class SwmHostModeMethods extends DKGAgentBase {
         }
       }
     }
-
     const seqno = await this.swmHostModeStore.append(storageCgId, data);
     this.log.debug(
       ctx,

packages/agent/test/swm/host-mode-public-ingest-1124.test.ts

@@ -0,0 +1,163 @@
+/**
+ * GH #1124 — public context graphs must be able to publish to Verifiable Memory.
+ *
+ * Host-mode cores dropped a PUBLIC CG's plaintext SWM share at two gates in
+ * `ingestSwmHostModeEnvelope` (the `isCiphertext` sniff + the curated-agent
+ * authority check), so a public CG's storage-ACK quorum was unreachable on a
+ * host-mode sharded topology. The fix opens BOTH gates — but ONLY for a CG that
+ * can be positively confirmed public via `isConfirmedPublicForHostMode`.
+ *
+ * The SECURITY-CRITICAL property is that helper's bias: a curated CG (including
+ * one whose on-chain policy hasn't loaded yet — the chain-event race) must NEVER
+ * be misclassified as public, because that would admit an unauthenticated
+ * plaintext envelope into curated storage. `isConfirmedPublicForHostMode`
+ * delegates to the shared `getContextGraphOnChainPolicy` resolver (cache + _meta
+ * + chain RPC, key-independent) and treats ONLY `accessPolicy === 0` as public;
+ * curated (1) and unknown (undefined/throw) both → false.
+ */
+import { afterEach, describe, expect, it } from 'vitest';
+import { ethers } from 'ethers';
+import { mkdtemp, rm } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { encodeWorkspacePublishRequest } from '@origintrail-official/dkg-core';
+import { DKGAgent, agentFromPrivateKey, type AgentKeyRecord } from '../../src/index.js';
+import { SwmHostModeStore } from '../../src/swm/host-mode-store.js';
+
+interface ClassifierInternals {
+  isConfirmedPublicForHostMode(cgId: string): Promise<boolean>;
+  getContextGraphOnChainPolicy(cgId: string): Promise<{ accessPolicy?: number; publishPolicy?: number }>;
+}
+
+interface IngestInternals {
+  isConfirmedPublicForHostMode(cgId: string): Promise<boolean>;
+  encodeWorkspaceGossipMessage(contextGraphId: string, message: Uint8Array): Promise<Uint8Array>;
+  ingestSwmHostModeEnvelope(contextGraphId: string, data: Uint8Array, fromPeerId: string): Promise<void>;
+  swmHostModeStore?: SwmHostModeStore;
+  localAgents: Map<string, AgentKeyRecord>;
+  defaultAgentAddress?: string;
+  getSwmHostModeStats(): Promise<{ perCg?: Record<string, { entries: number; bytes: number }> } | undefined>;
+}
+
+describe('GH #1124 — isConfirmedPublicForHostMode safety bias (only accessPolicy===0 is public)', () => {
+  const tempDirs: string[] = [];
+  const agents: DKGAgent[] = [];
+  afterEach(async () => {
+    await Promise.all(agents.splice(0).map((a) => a.stop().catch(() => {}).then(() => a.store.close().catch(() => {}))));
+    await Promise.all(tempDirs.splice(0).map((d) => rm(d, { recursive: true, force: true })));
+  });
+
+  async function makeCore(): Promise<DKGAgent> {
+    const dataDir = await mkdtemp(join(tmpdir(), 'dkg-1124-'));
+    tempDirs.push(dataDir);
+    const core = await DKGAgent.create({ name: 'Pub1124Core', listenHost: '127.0.0.1', dataDir, nodeRole: 'core' });
+    agents.push(core);
+    return core;
+  }
+
+  it('on-chain accessPolicy === 0 → public', async () => {
+    const g = (await makeCore()) as unknown as ClassifierInternals;
+    g.getContextGraphOnChainPolicy = async () => ({ accessPolicy: 0 });
+    expect(await g.isConfirmedPublicForHostMode('cg')).toBe(true);
+  });
+
+  it('on-chain accessPolicy === 1 (curated) → NOT public', async () => {
+    const g = (await makeCore()) as unknown as ClassifierInternals;
+    g.getContextGraphOnChainPolicy = async () => ({ accessPolicy: 1 });
+    expect(await g.isConfirmedPublicForHostMode('cg')).toBe(false);
+  });
+
+  it('UNKNOWN policy (accessPolicy undefined — chain-event race) → NOT public (the misclassification guard)', async () => {
+    const g = (await makeCore()) as unknown as ClassifierInternals;
+    g.getContextGraphOnChainPolicy = async () => ({}); // unresolved
+    expect(await g.isConfirmedPublicForHostMode('cg')).toBe(false);
+  });
+
+  it('policy resolver THROWS → NOT public (fail-safe)', async () => {
+    const g = (await makeCore()) as unknown as ClassifierInternals;
+    g.getContextGraphOnChainPolicy = async () => { throw new Error('chain unavailable'); };
+    expect(await g.isConfirmedPublicForHostMode('cg')).toBe(false);
+  });
+});
+
+describe('GH #1124 — ingestSwmHostModeEnvelope gate behaviour (signed plaintext gossip end-to-end)', () => {
+  const tempDirs: string[] = [];
+  const agents: DKGAgent[] = [];
+  afterEach(async () => {
+    await Promise.all(agents.splice(0).map((a) => a.stop().catch(() => {}).then(() => a.store.close().catch(() => {}))));
+    await Promise.all(tempDirs.splice(0).map((d) => rm(d, { recursive: true, force: true })));
+  });
+
+  async function makeHostCore(): Promise<DKGAgent> {
+    const dataDir = await mkdtemp(join(tmpdir(), 'dkg-1124-ingest-'));
+    tempDirs.push(dataDir);
+    const core = await DKGAgent.create({ name: 'Ingest1124Host', listenHost: '127.0.0.1', dataDir, nodeRole: 'core', swmHostMode: { enabled: true } });
+    agents.push(core);
+    const store = new SwmHostModeStore({ dataDir: join(dataDir, 'swm-host'), ...SwmHostModeStore.defaultLimits() });
+    await store.init();
+    const g = core as unknown as IngestInternals;
+    g.swmHostModeStore = store;
+    // Register a local signing agent so encodeWorkspaceGossipMessage produces a
+    // real SIGNED gossip envelope (otherwise it returns the raw, undecodable payload).
+    const signer = agentFromPrivateKey(ethers.Wallet.createRandom().privateKey, 'signer');
+    g.localAgents.set(signer.agentAddress, signer);
+    g.defaultAgentAddress = signer.agentAddress;
+    return core;
+  }
+
+  const PEER = '12D3KooWHostModePublisherPeerForIngestTest';
+  // A valid PLAINTEXT WorkspacePublishRequest (public SWM share) — not ciphertext,
+  // and decodable by the host's verifyHostModeEnvelopeAuthority path.
+  const plaintextRequest = (cg: string): Uint8Array => encodeWorkspacePublishRequest({
+    contextGraphId: cg,
+    nquads: new TextEncoder().encode('<urn:p01124:s> <http://schema.org/name> "Public1124" .'),
+    manifest: [{ rootEntity: 'urn:p01124:s' }],
+    publisherPeerId: PEER,
+    shareOperationId: `op-1124-${cg}`,
+    timestampMs: 1_700_000_000_000,
+  });
+
+  async function entriesFor(g: IngestInternals, cg: string): Promise<number> {
+    const stats = await g.getSwmHostModeStats();
+    return stats?.perCg?.[cg]?.entries ?? 0;
+  }
+
+  it('CONFIRMED-PUBLIC: a signed plaintext SWM envelope is STORED (was dropped pre-#1124)', async () => {
+    const g = (await makeHostCore()) as unknown as IngestInternals;
+    const cg = 'cg-ingest-public';
+    g.isConfirmedPublicForHostMode = async () => true; // positively public
+    const env = await g.encodeWorkspaceGossipMessage(cg, plaintextRequest(cg));
+    await g.ingestSwmHostModeEnvelope(cg, env, PEER);
+    expect(await entriesFor(g, cg)).toBe(1);
+  });
+
+  it('CURATED: a plaintext envelope is DROPPED (Gate 1 — curated must be ciphertext)', async () => {
+    const g = (await makeHostCore()) as unknown as IngestInternals;
+    const cg = 'cg-ingest-curated';
+    g.isConfirmedPublicForHostMode = async () => false; // curated/not-public
+    const env = await g.encodeWorkspaceGossipMessage(cg, plaintextRequest(cg));
+    await g.ingestSwmHostModeEnvelope(cg, env, PEER);
+    expect(await entriesFor(g, cg)).toBe(0);
+  });
+
+  it('UNKNOWN policy: a plaintext envelope is DROPPED (safe default — heals via catchup)', async () => {
+    const g = (await makeHostCore()) as unknown as IngestInternals;
+    const cg = 'cg-ingest-unknown';
+    g.isConfirmedPublicForHostMode = async () => false; // unknown resolves to not-public
+    const env = await g.encodeWorkspaceGossipMessage(cg, plaintextRequest(cg));
+    await g.ingestSwmHostModeEnvelope(cg, env, PEER);
+    expect(await entriesFor(g, cg)).toBe(0);
+  });
+
+  it('PUBLIC but TAMPERED signature: DROPPED (public path verifies signature self-consistency)', async () => {
+    const g = (await makeHostCore()) as unknown as IngestInternals;
+    const cg = 'cg-ingest-public-forged';
+    g.isConfirmedPublicForHostMode = async () => true; // public, but…
+    const env = await g.encodeWorkspaceGossipMessage(cg, plaintextRequest(cg));
+    // Corrupt the trailing signature bytes so it no longer recovers to the signer.
+    const tampered = Uint8Array.from(env);
+    for (let i = 1; i <= 8 && i <= tampered.length; i++) tampered[tampered.length - i] ^= 0xff;
+    await g.ingestSwmHostModeEnvelope(cg, tampered, PEER);
+    expect(await entriesFor(g, cg)).toBe(0);
+  });
+});

packages/cli/src/daemon/http-utils.ts

@@ -100,6 +100,26 @@ export function isPublishQuad(value: unknown): value is PublishQuad {
   );
 }
 
+/**
+ * GH #306 / #787 — shape guard for the WRITE routes (wm/write,
+ * shared-memory/write). Unlike {@link isPublishQuad} the `graph` term is
+ * OPTIONAL here: those routes legitimately accept `{subject,predicate,object}`
+ * and fill the graph internally. Without this guard, a string-shaped quad
+ * (e.g. an N-Quad line `"<s> <p> <o> ."`) slips past a bare `Array.isArray`
+ * check and crashes the agent write path with a TypeError → HTTP 500 instead
+ * of an actionable 4xx.
+ */
+export function isWritableQuad(value: unknown): boolean {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+  const v = value as Record<string, unknown>;
+  return (
+    typeof v.subject === "string" &&
+    typeof v.predicate === "string" &&
+    typeof v.object === "string" &&
+    (v.graph === undefined || typeof v.graph === "string")
+  );
+}
+
 function validatePublishQuadObjectTerms(
   label: string,
   quads: PublishQuad[],

packages/cli/src/daemon/routes/knowledge-assets.ts

@@ -35,6 +35,7 @@ import {
   validateOptionalSubGraphName,
   validateRequiredContextGraphId,
   parsePublishRequestBody,
+  isWritableQuad,
   normalizeContextGraphIdOrUri,
   resolveRequiredWriteContextGraphId,
 } from "../http-utils.js";
@@ -938,6 +939,11 @@ export async function handleKnowledgeAssetsRoutes(ctx: RequestContext): Promise<
     if (layer === "wm") {
       if (verb === "write") {
         if (!Array.isArray(parsed.quads)) return jsonResponse(res, 400, { error: 'Missing "quads"' });
+        // GH #306 — reject string-shaped / malformed quads here (4xx) instead of
+        // letting them crash the agent write path with a TypeError (HTTP 500).
+        if (!parsed.quads.every(isWritableQuad)) {
+          return jsonResponse(res, 400, { error: '"quads" must be an array of { subject, predicate, object } objects (graph optional); string-shaped quads are not accepted' });
+        }
         // A bare write to a name that was never created used to fall through to
         // the legacy `/assertion/{addr}/{name}` graph and produce a KA that is
         // permanently 404 in the descriptor API (no `_meta` lifecycle record,

packages/cli/src/daemon/routes/memory.ts

@@ -197,6 +197,7 @@ import {
 import {
   resolveNameToPeerId,
   isPublishQuad,
+  isWritableQuad,
   parsePublishRequestBody,
   jsonResponse,
   safeDecodeURIComponent,
@@ -1641,6 +1642,10 @@ WHERE {
     const contextGraphId = parsed.contextGraphId;
     if (!quads?.length)
       return jsonResponse(res, 400, { error: 'Missing "quads"' });
+    // GH #787 / #306 — reject string-shaped / malformed quads here (4xx) instead
+    // of crashing the SWM write path with a TypeError (HTTP 500).
+    if (!Array.isArray(quads) || !quads.every(isWritableQuad))
+      return jsonResponse(res, 400, { error: '"quads" must be an array of { subject, predicate, object } objects (graph optional); string-shaped quads are not accepted' });
     const resolvedContextGraphId = await resolveRequiredWriteContextGraphId(
       agent,
       contextGraphId,
@@ -2210,6 +2215,9 @@ WHERE {
     const contextGraphId = parsed.contextGraphId;
     if (!quads?.length)
       return jsonResponse(res, 400, { error: 'Missing "quads"' });
+    // GH #787 / #306 — reject string-shaped / malformed quads (4xx, not a 500 crash).
+    if (!Array.isArray(quads) || !quads.every(isWritableQuad))
+      return jsonResponse(res, 400, { error: '"quads" must be an array of { subject, predicate, object } objects (graph optional); string-shaped quads are not accepted' });
     const resolvedContextGraphId = await resolveRequiredWriteContextGraphId(
       agent,
       contextGraphId,