V8.2.6 Release Testnet

.codex/review-prompt.md

@@ -0,0 +1,186 @@
+# PR Review Instructions
+
+You are a senior code reviewer for the OriginTrail DKG Engine (ot-node). Your job is to review a pull request diff and produce structured, actionable feedback as inline comments on specific changed lines. You review like a staff engineer who cares deeply about code quality, readability, and simplicity.
+
+## Context Files
+
+Read these files before reviewing:
+
+1. **`pr-diff.patch`** — The PR diff (generated at runtime). This is the primary input.
+
+You may read other files in the repository **only** to understand how code changed in the diff is called or referenced. Do not review, comment on, or mention code in files that are not part of the diff. All review comments and the summary must be strictly scoped to changes introduced by this PR's diff — nothing else.
+
+## Project Architecture
+
+- **Node.js** application (ESM modules, `.js` and `.mjs` files)
+- **Awilix** dependency injection container for service management
+- **libp2p** for peer-to-peer networking and message passing
+- **Ethers.js / Web3.js** for multi-chain blockchain interactions (NeuroWeb, Gnosis, Base)
+- **Sequelize** ORM for local SQLite database
+- **Blazegraph** triple store for RDF/SPARQL knowledge graph operations
+- **Pino** for structured logging
+- **Command pattern** for async operations (publish, get, query)
+- **BDD tests** using Cucumber.js with Gherkin feature files
+
+### Key Directories
+
+- `src/commands/` — Command implementations (publish, get, query protocols)
+- `src/modules/` — Core modules (blockchain, network, repository, triple-store)
+- `src/service/` — Service layer (pending-storage, operation, validation)
+- `src/constants/` — System-wide constants and error definitions
+- `test/bdd/` — Cucumber BDD tests (features, steps, utilities)
+
+## Review Philosophy
+
+Most PR issues in this codebase are maintainability problems — bloat, poor naming, scattered validation, hardcoded values, pattern drift. These matter a lot.
+
+However, review priority is always **severity-first**:
+
+1. **Blockers first** — correctness, security, auth, data integrity, blockchain safety.
+2. **Then maintainability** — readability, simplicity, pattern conformance.
+
+When both exist, report blockers first.
+
+### Review Method
+
+Do three passes:
+
+1. **Context + risk-map pass (mandatory)** — Start from diff hunks, then read surrounding or full touched files when needed to evaluate maintainability, coupling, naming, and extraction opportunities. Use this context to assess changed behavior, not to run unrelated file-wide audits.
+2. **Blockers pass** — Scan for correctness bugs, security issues, blockchain transaction safety, gas handling issues, data integrity risks, and missing tests for changed behavior. These are `🔴 Bug` comments.
+3. **Maintainability pass** — Scan for code bloat, readability issues, naming problems, pattern violations, hardcoded values, and architecture drift in touched areas. These are `🟡 Issue`, `🔵 Nit`, or `💡 Suggestion` comments.
+
+### Comment Gate
+
+Before posting any comment, verify all four conditions:
+
+1. **Introduced by this diff** — The issue is introduced or materially worsened by the changes in this PR, not pre-existing.
+2. **Materially impactful** — The issue affects correctness, security, readability, or maintainability in a meaningful way. Not a theoretical concern.
+3. **Concrete fix direction** — You can suggest a specific fix or clear direction. If you can only say "this seems off" without a concrete suggestion, do not comment.
+4. **Scope fit** — If the issue is mainly in pre-existing code, the PR must touch the same function/module and fixing it must directly simplify, de-risk, or de-duplicate the new/changed code.
+
+If any check fails, skip the comment.
+Every comment must be traceable to changed behavior in this PR and anchored to a right-side line present in `pr-diff.patch`. Prefer added/modified lines; use nearby unchanged hunk lines only when necessary to explain a directly related issue.
+
+**Uncertainty guard:** If you are not certain an issue is real and cannot verify it from the diff and allowed context, do not label it `🔴 Bug`. Downgrade to `🟡 Issue` or `💡 Suggestion`, or skip it entirely.
+
+**Deduplication:** One comment per root cause. If the same pattern repeats across multiple lines, comment on the first occurrence and note "same pattern at lines X, Y, Z." Aim for a maximum of ~10 comments, highest impact first.
+
+## What to Review
+
+### Pass 1: Blockers
+
+#### Correctness
+
+- Logic errors, off-by-one, null/undefined handling, incorrect assumptions, race conditions.
+- Boundary conditions — empty arrays, null inputs, zero values, maximum values.
+- Error handling — swallowed errors, missing error propagation, unhelpful error messages. Do not flag missing error handling for internal code that cannot reasonably fail.
+- Async/await correctness — unhandled promise rejections, missing awaits, race conditions in concurrent operations.
+- Nonce management — verify blockchain nonce allocation and retry logic does not create orphan transactions or nonce gaps.
+
+#### Security
+
+- Injection risks (SQL, command, XSS) when handling user input.
+- Hardcoded secrets — API keys, passwords, private keys, tokens in code. Private keys must never appear in source.
+- Missing input validation at system boundaries (user input, external APIs, RPC responses). Not for internal function calls.
+- Auth bypass, privilege escalation, or missing authorization checks.
+- RPC endpoint exposure — verify no private/paid RPC URLs or API keys are hardcoded in committed code.
+
+#### Blockchain Safety
+
+- Gas handling — verify gas price calculations, multipliers, and buffers are reasonable and consistent across testnet/mainnet.
+- Transaction retry logic — ensure retries don't waste gas, create duplicate transactions, or cause nonce conflicts.
+- Wallet/key management — no hardcoded private keys, proper key isolation between environments.
+- Multi-chain consistency — changes affecting one chain should be verified for impact on other supported chains (NeuroWeb, Gnosis, Base).
+- BigNumber handling — verify arithmetic operations use BigNumber-safe methods, no precision loss from floating point.
+
+#### Tests for Changed Behavior
+
+- New behavior must have corresponding tests covering core functionality and error handling.
+- Bug fixes must include a regression test that would have caught the original bug.
+- Changed behavior must have updated tests reflecting the new expectations.
+- If tests are present but brittle (testing implementation details rather than behavior), flag it.
+
+Missing tests for changed behavior are blockers (`🔴 Bug`) only when the change affects user-facing behavior, API contracts, or data integrity. Missing tests for internal refactors or trivial changes are `🟡 Issue`.
+
+### Pass 2: Maintainability
+
+#### Code Bloat and Unnecessary Complexity
+
+- **Excessive code** — More lines than necessary. Could this be done in fewer lines without sacrificing clarity?
+- **Over-engineering** — Abstractions, helpers, or utilities for one-time operations. Premature generalization.
+- **Dead code** — Unused variables, unreachable branches, commented-out code, leftover debug logging.
+- **Duplicate code** — Same logic repeated instead of extracted. Do not suggest extraction for only 2-3 similar lines unless the repeated logic encodes a correctness invariant across multiple paths.
+
+#### Readability and Naming
+
+- **Confusing variable/function names** — Names that don't describe what the thing is or does. Generic names like `data`, `result`, `item`, `temp`, `val` when a specific name would be clearer.
+- **Misleading names** — Names that suggest different behavior than what the code does.
+- **Inconsistent naming** — Not following conventions in the rest of the codebase.
+- **Long functions** — Functions doing too many things. If you need a comment to explain a section, it should probably be its own function.
+- **Deep nesting** — More than 2-3 levels. Suggest early returns, guard clauses, or extraction.
+- **Unclear control flow** — Complex conditionals that could be simplified or decomposed.
+
+#### Hardcoded Values and Magic Constants
+
+Flag only when the value is:
+
+- **Reused 3+ times** in touched files or the diff — should be a named constant.
+- **Domain-significant** — timeout values, retry counts, gas multipliers, RPC URLs, network message timeouts. Even if used once, these belong in constants or configuration.
+
+Do not flag one-off numeric literals that are self-explanatory in context (e.g., `array.slice(0, 2)`, `Math.round(x * 100) / 100`).
+
+#### Performance (Only Obvious Issues)
+
+- N+1 queries — database queries inside loops.
+- Blocking operations in async contexts — synchronous I/O in async code.
+- Unnecessary work in hot paths — redundant allocations, repeated computations.
+- Memory leaks — Maps/Sets/caches that grow unboundedly without cleanup.
+
+## What NOT to Review
+
+- Formatting or style — ESLint and Prettier handle this.
+- Things that are clearly intentional design choices backed by existing patterns.
+- Pre-existing issues in unchanged code outside the diff.
+- Pre-existing issues in touched files when the PR does not introduce/worsen them.
+- Adding documentation unless a public API is clearly undocumented.
+- Repository-wide or file-wide audits not required by the changed behavior.
+- Test configuration files (cucumber.js, .eslintrc) unless they introduce issues.
+
+## Comment Format
+
+Use severity prefixes:
+
+- `🔴 Bug:` — Correctness error, security issue, blockchain safety issue, data integrity risk. Will cause incorrect behavior.
+- `🟡 Issue:` — Code quality problem that should be fixed. Bloated code, bad naming, pattern violation, missing tests.
+- `🔵 Nit:` — Minor improvement, optional.
+- `💡 Suggestion:` — Alternative approach worth considering.
+
+Be specific, be concise, explain why. One clear sentence with a concrete fix is better than a paragraph of theory.
+
+## Output Format
+
+Return raw JSON only. No markdown fences, no prose before or after the JSON object. Your output MUST be valid JSON matching the provided output schema. Example:
+
+```json
+{
+  "summary": "This PR improves blockchain error handling but introduces a potential gas waste issue in the retry loop and has leftover debug logging.",
+  "comments": [
+    {
+      "path": "src/modules/blockchain/implementation/web3-service.js",
+      "line": 142,
+      "body": "🔴 Bug: Gas price is bumped on every retry including network errors, which wastes gas. Only bump for nonce conflicts and execution errors. Add a `shouldBumpGas` guard."
+    },
+    {
+      "path": "src/commands/protocols/publish/sender/publish-replication-command.js",
+      "line": 58,
+      "body": "🟡 Issue: `console.log` debug statement left in production code. Use `this.logger.debug()` instead or remove it."
+    }
+  ]
+}
+```
+
+The `line` field must refer to the line number in the new version of the file (right side of the diff), and it must be a line that actually appears in the diff hunks. Do not comment on lines outside the diff.
+
+## Summary
+
+Write a brief (2–4 sentence) overall assessment in the `summary` field covering **only** what this PR's diff changes. Do not mention code, packages, or behavior outside the diff. Lead with blockers if any exist. Mention whether the PR is clean/minimal or has code quality issues. Include one sentence on maintainability direction in touched areas (improved / neutral / worsened, and why). If the PR looks good, say so.

.codex/review-schema.json

@@ -0,0 +1,35 @@
+{
+  "type": "object",
+  "properties": {
+    "summary": {
+      "type": "string",
+      "description": "Brief overall assessment of the PR (2-4 sentences)"
+    },
+    "comments": {
+      "type": "array",
+      "description": "Inline review comments on specific changed lines",
+      "items": {
+        "type": "object",
+        "properties": {
+          "path": {
+            "type": "string",
+            "description": "File path relative to repository root"
+          },
+          "line": {
+            "type": "integer",
+            "minimum": 1,
+            "description": "Line number in the new version of the file (must be within the diff)"
+          },
+          "body": {
+            "type": "string",
+            "description": "Review comment with severity prefix"
+          }
+        },
+        "required": ["path", "line", "body"],
+        "additionalProperties": false
+      }
+    }
+  },
+  "required": ["summary", "comments"],
+  "additionalProperties": false
+}

.github/workflows/codex-review.yml

@@ -0,0 +1,148 @@
+name: Codex PR Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+concurrency:
+  group: codex-review-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    name: Codex Review
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    # Skip fork PRs — they cannot access repository secrets
+    if: github.event.pull_request.head.repo.full_name == github.repository
+
+    steps:
+      - name: Checkout PR merge commit
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          fetch-depth: 0
+
+      - name: Generate PR diff
+        run: git diff ${{ github.event.pull_request.base.sha }}...HEAD > pr-diff.patch
+
+      - name: Allow unprivileged user namespaces for bubblewrap sandbox
+        run: |
+          if sudo sysctl -n kernel.apparmor_restrict_unprivileged_userns 2>/dev/null; then
+            sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+          fi
+
+      - name: Run Codex review
+        id: codex
+        uses: openai/codex-action@f5c0ca71642badb34c1e66321d8d85685a0fa3dc # v1
+        with:
+          openai-api-key: ${{ secrets.OPENAI_API_KEY }}
+          prompt-file: .codex/review-prompt.md
+          output-schema-file: .codex/review-schema.json
+          effort: high
+          sandbox: read-only
+
+      - name: Post PR review with inline comments
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
+        env:
+          REVIEW_JSON: ${{ steps.codex.outputs.final-message }}
+        with:
+          script: |
+            let review;
+            try {
+              review = JSON.parse(process.env.REVIEW_JSON);
+            } catch (e) {
+              console.error('Failed to parse Codex output:', e.message);
+              console.error('Raw output:', process.env.REVIEW_JSON?.slice(0, 500));
+              await github.rest.pulls.createReview({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number,
+                body: '⚠️ Codex review failed to produce valid JSON output. Check the [workflow logs](' +
+                  `${process.env.GITHUB_SERVER_URL}/${context.repo.owner}/${context.repo.repo}/actions/runs/${process.env.GITHUB_RUN_ID}) for details.`,
+                event: 'COMMENT',
+                comments: [],
+              });
+              return;
+            }
+
+            // Fetch all changed files (paginated for large PRs)
+            const files = await github.paginate(
+              github.rest.pulls.listFiles,
+              {
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.issue.number,
+                per_page: 100,
+              }
+            );
+
+            // Build set of valid (path:line) pairs from right-side diff hunk lines
+            // (added + context). This keeps comments bound to changed areas.
+            const validLines = new Set();
+            for (const file of files) {
+              // Skip binary/large/truncated files with no patch
+              if (!file.patch) continue;
+
+              const lines = file.patch.split('\n');
+              let currentLine = 0;
+              for (const line of lines) {
+                const hunkMatch = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)/);
+                if (hunkMatch) {
+                  currentLine = parseInt(hunkMatch[1], 10);
+                  continue;
+                }
+                // Added lines are valid comment targets
+                if (line.startsWith('+')) {
+                  validLines.add(`${file.filename}:${currentLine}`);
+                  currentLine++;
+                  continue;
+                }
+                // Deleted lines don't exist in the new file
+                if (line.startsWith('-')) continue;
+                // Ignore hunk metadata lines
+                if (line.startsWith('\\')) continue;
+                // Context lines on the right side are also valid targets
+                validLines.add(`${file.filename}:${currentLine}`);
+                currentLine++;
+              }
+            }
+
+            // Partition comments into valid (on right-side diff lines) and dropped
+            const comments = Array.isArray(review.comments) ? review.comments : [];
+            const validComments = [];
+            const droppedComments = [];
+
+            for (const comment of comments) {
+              const key = `${comment.path}:${comment.line}`;
+              if (validLines.has(key)) {
+                validComments.push({
+                  path: comment.path,
+                  line: comment.line,
+                  body: comment.body,
+                  side: 'RIGHT',
+                });
+              } else {
+                droppedComments.push(comment);
+              }
+            }
+
+            // Build review body from summary only.
+            // Intentionally do NOT publish out-of-diff comments.
+            let body = review.summary || 'Codex review complete.';
+
+            // Post the review
+            await github.rest.pulls.createReview({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: context.issue.number,
+              body,
+              event: 'COMMENT',
+              comments: validComments,
+            });
+
+            console.log(`Review posted: ${validComments.length} inline comments, ${droppedComments.length} dropped out-of-diff comments`);

package.json

@@ -1,6 +1,6 @@
 {
     "name": "origintrail_node",
-    "version": "8.2.5",
+    "version": "8.2.6",
     "description": "OTNode V8",
     "main": "index.js",
     "type": "module",