Conversation
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs |
commonware-mcp | 1b394ff | Mar 06 2026, 07:04 PM |
Deploying monorepo with
|
| Latest commit: |
1b394ff
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://9bbb527c.monorepo-eu0.pages.dev |
| Branch Preview URL: | https://cl-twins.monorepo-eu0.pages.dev |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
## Overview This revision upgrades the simplex twins harness to follow the campaign model from Twins: BFT Systems Made Robust (https://arxiv.org/abs/2004.10617, especially Section 5.2), replacing the previous hand-picked strategy tests with a deterministic scenario generator and executor that systematically explores adversarial schedules. At generation time, the framework now builds partition scenarios first, then leader-plus-partition round scenarios, then multi-round arrangements, and finally executes the Cartesian product of arrangements and compromised-node assignments. This preserves deterministic reproducibility while materially increasing adversarial coverage over the old fixed/alternating/random strategy families. For partition generation, the harness now supports configurable partition cardinality via `max_partitions` (bounded by participant count) instead of hard-coding only canonical two-way splits. Round scenarios are derived from these partitions and combine a designated leader with explicit twin routing masks, allowing each round to model richer communication asymmetries. Routing now explicitly returns `SplitTarget::None` when a sender is outside both selected recipient groups, making sparse partition scenarios representable without panicking. For arrangement generation (paper Step-3), the harness now enumerates the full round-wise arrangement space when feasible and applies deterministic pruning by sampling unique arrangements when bounded by `max_scenarios`. This removes the previous lexicographic-prefix bias where early rounds could remain effectively fixed under small caps, and ensures pruned campaigns still vary across round positions. Compromised-node selection remains deterministic and now composes with the richer scenario space: campaigns execute all generated scenario/compromised-set combinations (subject to caps), and seeds are derived per case for reproducible replay. Execution semantics were also tightened. Twins use scenario-scripted leaders during adversarial rounds, then transition into a synchronous suffix with honest-only leader rotation to model post-attack liveness more faithfully. Resolver traffic remains delivered to both twins to avoid eliminating side-channel recovery paths entirely during adversarial scheduling. Validation checks were strengthened around honest replicas: liveness waits only on honest reporters, safety asserts no conflicting finalizations among honest replicas, invalid-signature counters must remain zero, and detected faults must attribute to twin identities. This makes campaign outcomes easier to interpret and aligns checks with adversarial accountability goals. The test suite now includes targeted regressions for deterministic case generation, partition-space expansion with higher partition counts, full-permutation coverage in unbounded mode, round-position diversity under bounded pruning, and explicit `SplitTarget::None` routing behavior for sparse partition selections. Finally, campaign plumbing in simplex tests was updated to pass `max_partitions`, and large twins campaigns now use the same `required_containers` target (`View::new(100)`) as the core campaign tests, improving consistency while preserving deterministic execution. Co-authored-by: Codex <codex@openai.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| let mut current = vec![0usize; n]; | ||
| generate(1, n, 1, max_partitions, &mut current, &mut out); | ||
| out | ||
| } |
There was a problem hiding this comment.
Unbounded partition enumeration causes OOM for moderate n
Medium Severity
partition_scenarios enumerates all ways to assign n elements into up to max_partitions groups — this count is the sum of Stirling numbers S(n, 2..max_partitions), which grows exponentially with n. For example, S(30, 2) alone is ~537 million. round_scenarios and generate_scenarios call this unconditionally before any max_scenarios cap is applied, so the Framework parameters give a false sense of bounded memory usage. Even moderate n values (20–30) can OOM despite small max_scenarios.
Additional Locations (2)
| .into_iter() | ||
| .map(|idx| combination_from_rank(n, faults, idx)) | ||
| .collect() | ||
| } |
There was a problem hiding this comment.
Compromised sets eagerly materialize all combinations ignoring cap
Medium Severity
compromised_sets eagerly enumerates all C(n, faults) combinations via choose when total <= max_sets, ignoring max_sets as an effective memory bound. For configurations like n=30, faults=10, this materializes ~30 million vectors even if only a few are needed. The max_compromised_sets parameter in Framework creates a misleading safety guarantee since it only activates the sampling path when the combination count exceeds it, rather than always capping the output.
Codecov Report❌ Patch coverage is
@@ Coverage Diff @@
## main #3281 +/- ##
==========================================
- Coverage 93.02% 93.02% -0.01%
==========================================
Files 418 418
Lines 142894 143289 +395
Branches 3416 3432 +16
==========================================
+ Hits 132930 133295 +365
- Misses 8875 8900 +25
- Partials 1089 1094 +5
... and 2 files with indirect coverage changes Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
2 participants
Overview
Upgrades the simplex twins harness to follow the campaign model from Twins: BFT Systems Made Robust (https://arxiv.org/abs/2004.10617, especially Section 5.2), replacing the previous hand-picked strategy tests with a deterministic scenario generator and executor that systematically explores adversarial schedules.
At generation time, the framework now builds partition scenarios first, then leader-plus-partition round scenarios, then multi-round arrangements, and finally executes the Cartesian product of arrangements and compromised-node assignments. This preserves deterministic reproducibility while materially increasing adversarial coverage over the old fixed/alternating/random strategy families.
For partition generation, the harness now supports configurable partition cardinality via
max_partitions(bounded by participant count) instead of hard-coding only canonical two-way splits. Round scenarios are derived from these partitions and combine a designated leader with explicit twin routing masks, allowing each round to model richer communication asymmetries. Routing now explicitly returnsSplitTarget::Nonewhen a sender is outside both selected recipient groups, making sparse partition scenarios representable without panicking.For arrangement generation (Step-3), the harness now enumerates the full round-wise arrangement space when feasible and applies deterministic pruning by sampling unique arrangements when bounded by
max_scenarios. This removes the previous lexicographic-prefix bias where early rounds could remain effectively fixed under small caps, and ensures pruned campaigns still vary across round positions.Compromised-node selection remains deterministic and now composes with the richer scenario space: campaigns execute all generated scenario/compromised-set combinations (subject to caps), and seeds are derived per case for reproducible replay.
Execution semantics were also tightened. Twins use scenario-scripted leaders during adversarial rounds, then transition into a synchronous suffix with honest-only leader rotation to model post-attack liveness more faithfully. Resolver traffic remains delivered to both twins to avoid eliminating side-channel recovery paths entirely during adversarial scheduling.
Validation checks were strengthened around honest replicas: liveness waits only on honest reporters, safety asserts no conflicting finalizations among honest replicas, invalid-signature counters must remain zero, and detected faults must attribute to twin identities. This makes campaign outcomes easier to interpret and aligns checks with adversarial accountability goals.