feat: always-on fiduciary/test-threshold-keys subnets; split base topology from --subnet#63
Merged
Conversation
marc0olo
force-pushed
the
feat/default-fiduciary-and-test-threshold-keys
branch
from
3ef4acd to
92bd647
Compare
As of pocket-ic 14.0.0, threshold keys (test_key_1, dfx_test_key) are no longer held by the II or fiduciary subnets — they moved exclusively to the new TestThresholdKeys subnet. This broke any workflow relying on --ii to get threshold signing, which was the prior implicit behavior. Enable both TestThresholdKeys and fiduciary unconditionally (alongside NNS) so threshold keys are always available and mainnet topology is mirrored without requiring extra flags. Also expose TestThresholdKeys as a --subnet=test-threshold-keys option for completeness, and update README and SPEC to reflect the new defaults and the corrected description of where threshold keys come from. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
marc0olo
force-pushed
the
feat/default-fiduciary-and-test-threshold-keys
branch
from
92bd647 to
1d6f14e
Compare
adamspofford-dfinity
approved these changes
Jun 2, 2026
…ion (#64) Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
lwshang
approved these changes
Jun 2, 2026
lwshang
changed the title
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
fiduciaryandTestThresholdKeyssubnets unconditionally (alongside NNS) so they are always present regardless of flagsnns,fiduciary,test-threshold-keys, created unconditionallyapplication,system,verified-application,bitcoin,sns, selected via--subnet--subnetnow controls only workload subnets.nnsandfiduciaryremain accepted as--subnetvalues for backward compatibility but have no effect;test-threshold-keysis not a--subnetvalue (it is always-on only)--bitcoind-addr/--dogecoind-addr— it was only there to provide threshold keys, which are now always available viafiduciaryandTestThresholdKeysBackground: pocket-ic versioning findings
This change is necessitated by a breaking behavior shift in pocket-ic that is already present in the
v13.0.0-2026-05-21-04-45release of this launcher — even though the pocket-ic standalone CHANGELOG only formally documents it under version 14.0.0 (2026-05-26).Why the mismatch? The pocket-ic Rust client library lives in the IC monorepo (
dfinity/ic) and is versioned independently from the standalone pocketic server (dfinity/pocketic). The IC monorepo rev pinned inv13.0.0-2026-05-21-04-45(8115fd2) already carries pocket-ic crate version13.0.0withSubnetKind::TestThresholdKeys,SubnetConfigSet::test_threshold_keys, andPocketIcBuilder::with_test_threshold_keys_subnet()— meaning the bundled server binary from that date already implements the new key distribution, several days before the pocketic CHANGELOG documented it.What changed in pocket-ic:
test_key_1anddfx_test_key(for ECDSA, Schnorr, and VetKd) are no longer held by the II or fiduciary subnets. They are now exclusively held by the newTestThresholdKeyssubnet. Any workflow that relied on--iito get threshold signing capability (including Bitcoin/Dogecoin integration) silently broke with this release.What this fixes
test_key_1was unavailable in the local network even with--iienabled, because the II subnet no longer holds threshold keysDesign decisions
--ii, without requiring any flag changes from existing usersfiduciaryas a singletonOption<SubnetSpec>(same asnns), so it can only ever be present once — grouping it with the always-on singletons matches what the API can expressnns/fiduciary/test-threshold-keysare created unconditionally and are not meaningful--subnetselections (selecting them is either a no-op or redundant). Keeping them in the--subnetenum conflated "always-on infrastructure" with "subnets the user picks" and produced contradictory docs.--subnetnow means exactly one thing: which workload subnets to addnns/fiduciarykept as accepted-but-ignored--subnetvalues for backward compatibility;test-threshold-keysis new here so it was never exposed as a--subnetvalue--bitcoind-addr/--dogecoind-addr: the only reason II was implicitly enabled for Bitcoin/Dogecoin was to providetest_key_1for threshold ECDSA signing. SinceTestThresholdKeysis now always on, that implicit is no longer needed. Users who also want the II canister for Bitcoin/Dogecoin testing can still pass--iiexplicitlyTest plan
test_key_1is accessible--subnet=system(no application subnet) — verifytest_key_1is still accessible (threshold keys are independent of--subnet)--ii— verify II canister installs and threshold keys are accessible--bitcoind-addr=...— verify no II subnet is created and threshold signing still works--subnet=nns/--subnet=fiduciaryare accepted (no error) and--subnet=test-threshold-keysis rejectedcargo checkpasses (already verified locally)🤖 Generated with Claude Code