AgentKeys live ABI acceptance gaps: op_kind filter, root path, and envelope proof

[YoshiyukiSakura]

Context

Follow-up for #12 and merged PR #13.

#12 now uses the Heima mainnet CredentialAudit ABI that is actually deployed and emitting today as the acceptance target:

• Contract: 0x63c4545ac01c77cc74044f25b8edea3880224577
• Chain ID: 212013
• Live event path: AuditAppended(bytes32,bytes32,bytes32,uint8,uint256,bytes32)
• Production API host used for verification: https://explorer-api.heima.network

PR #13 merged useful base support for live AuditAppended rows, but production validation still shows acceptance gaps. This issue tracks the remaining work needed to close the live-ABI AgentKeys audit path end to end.

Production validation snapshot

Verified on 2026-05-26 against production:

• GET https://explorer-api.heima.network/agentkeys/audit/<operator>?limit=50 returns 200 with live AuditAppended rows.
• Returned rows are current live ABI rows with event_name="AuditAppended" and op_kind=0.
• Returned rows currently have envelope_available=false, hash_verified=false, and envelope_fetch_error="agentkeys audit envelope not found".
• GET https://explorer-api.heima.network/agentkeys/audit/<operator>?limit=5&op_kind=0 returns 200 but events=[], even though unfiltered rows have op_kind=0.
• GET https://explorer-api.heima.network/agentkeys/audit/root/0x32301a0bd7c9c1d064f0d3891c78ad00a6d9fa758ebb14a1a0ff64eb4f4ca3aa returns 404 {"error":"not_found"}.
• GET https://audit.litentry.org/v1/audit/envelope/<live_hash> returns HTTP 404 for sampled live hashes.
• Heima RPC over the captured range has 13 current AuditAppended(...) logs and 0 AuditAppendedV2 / AuditRootAppendedV2 logs.

Sample operator:

0x941cb1c3260518bbf40eac7d02663517fc7cff304d9b03e80d2cc54126c6bef2

Sample actor:

0x82a0609ae28527453e7c7654ec11d57f1b66a442e39a2ec5e3b3f76178c87268

Sample live hashes returning worker 404:

• 0xdb927ad4467c02867819a1379c7c0b9a35103452c789badeae6e531b5d2f8e1c
• 0x3d67f9734a38829d9e2289cd9551caa7f50ba66bd521981fb8504be4ab23a223

Required fixes

• Fix op_kind filtering for the current live ABI. ?op_kind=0 must return the same CredStore rows that appear in the unfiltered live-ABI response.
• Implement the current deployed root/batch event path for /agentkeys/audit/root/<merkle_root>. The handler must not be V2-topic-only when live acceptance is based on the deployed current ABI.
• Keep the chain-only row behavior for worker 404s, but make the response explicit and stable: envelope_available=false, hash_verified=false, raw chain identity, op_kind, sequence/index key, block/log/tx fields.
• If the worker later serves a live hash, verify keccak256(canonical_cbor_bytes) == envelope_hash and return envelope_available=true, hash_verified=true, and typed body fields.
• Add production-oriented regression coverage for current AuditAppended(...) logs, including op_kind filtering, pagination/cursor behavior, and chain-only worker-404 rows.
• Add regression coverage for the current root/batch path once the deployed event shape is implemented.

Acceptance checklist

• GET /agentkeys/audit/<operator_omni>?limit=50 returns non-empty live AuditAppended rows on production.
• GET /agentkeys/audit/<operator_omni>?op_kind=0&limit=5 returns non-empty rows matching op_kind=0.
• GET /agentkeys/audit/<operator_omni>?actor_omni=<actor>&limit=5 returns matching actor-filtered rows.
• GET /agentkeys/audit/root/<known_root> returns root metadata and associated row/leaf data for the current deployed root/batch path.
• GET /agentkeys/audit/envelope/<live_hash> returns either canonical CBOR with verified hash, or a documented 404 response while the row API still preserves the chain-only event.
• Production verification evidence is posted with exact curl/API results for rows, op_kind filter, root path, and envelope path.
• PR evidence clearly separates live production proof from fixture-only or hand-crafted proof.

References

• Original issue: AgentKeys: decoder + per-op_kind renderer for AuditEnvelope v1 (Phases D + E) #12
• Merged base PR: AgentKeys AuditEnvelope v1 decoder #13
• Prior evidence comment: AgentKeys AuditEnvelope v1 decoder #13 (comment)

[crossagent-production-app]

CrossAgent status

Status: request changes
Task: github-litentry-subscan-essentials-42
Runtime task: task_71cdb7cc4e3a4433
Base branch: crossagent
Planning: ready size=m priority=p0
Resource queue: deploy
Small-model eligible: yes
Suggested labels: crossagent:size/m, crossagent:priority/p0, crossagent:resource/deploy, crossagent:root-cause
Suggested sub-issues: none
Created child issues: none

Identity mode. Posted by the configured GitHub API identity (mode=github-app-installation-token, source=github-app-installation-token, login=crossagent-production-app[bot]).

Issue: #42
PR: #43

Operator Links

• Admin Panel task trace: /api/tasks/task_71cdb7cc4e3a4433
• Evidence gate: /api/tasks/task_71cdb7cc4e3a4433/completion-check

Detected By

• GitHub PR Fix AgentKeys live ABI audit paths #43 references this issue, but completion-check failed.

Problem

• PR evidence gate failed: claim claim-task-outcome failed: The image shows a generic contract verification user interface within 'Heima Explorer'. However, the claim is highly specific about 'AgentKeys live ABI acceptance gaps' related to 'op_kind filter, root path, and envelope proof'. The screenshot does not contain any visual elements or information that directly demonstrate these specific aspects of the task's delivery. Therefore, it does not visibly support the detailed claim. confidence=0. PR: Fix AgentKeys live ABI audit paths #43. CrossAgent will not mark this issue as PR-created until completion-check passes with a valid delivery evidence summary and required visual evidence.

Next Owner

• Visual Evidence Reviewer / Evidence publisher agent

Next Action

• Review whether the screenshot actually proves the requested UI/data state, then repair the delivery evidence package and rerun completion-check.

Generated at: 2026-05-27T02:03:00.510Z

[crossagent-production-app]

PR #43 修复了当前 live AuditAppended(...) 路径的 op_kind=0 过滤问题，但 /agentkeys/audit/root/<merkle_root> 仍不能安全实现为当前 live root/batch 路径，原因是仓库和 #12/#42 当前只给出了过时的 AuditRootAppendedV2(bytes32,bytes32,bytes32,uint64)，没有当前已部署 root/batch 事件 ABI。

需要协议/合约 owner 确认的具体问题：0x63c4545ac01c77cc74044f25b8edea3880224577 当前 root/batch 事件的完整 Solidity 签名是什么？哪些字段是 indexed topics？merkle_root 位于哪个 topic/data word？以及 root/batch 事件如何关联 leaf AuditAppended(...) rows（按 operator、sequence range、block/log boundary、indexed key，还是其他规则）？

在这些信息确认前，不应猜测 root 事件 shape 或把 V2-only root handler 声明为满足当前 live ABI 验收。

[crossagent-production-app]

CrossAgent status

Status: request changes
Task: github-litentry-subscan-essentials-42
Runtime task: task_71cdb7cc4e3a4433
Base branch: crossagent
Planning: ready size=m priority=p0
Resource queue: deploy
Small-model eligible: yes
Suggested labels: crossagent:size/m, crossagent:priority/p0, crossagent:resource/deploy, crossagent:root-cause
Suggested sub-issues: none
Created child issues: none

Identity mode. Posted by the configured GitHub API identity (mode=github-app-installation-token, source=github-app-installation-token, login=crossagent-production-app[bot]).

Issue: #42
PR: #43

Operator Links

• Admin Panel task trace: /api/tasks/task_71cdb7cc4e3a4433
• Evidence gate: /api/tasks/task_71cdb7cc4e3a4433/completion-check

Detected By

• GitHub PR Fix AgentKeys live ABI audit paths #43 references this issue, but completion-check failed.

Problem

• PR evidence gate failed: claim claim-task-outcome failed: The image shows a general contract verification page within 'Heima Explorer'. There are no specific visual cues or UI elements in the image that directly relate to or demonstrate the delivery of the task concerning 'AgentKeys live ABI acceptance gaps: op_kind filter, root path, and envelope proof'. Therefore, the image does not visibly support the specific delivery claim. confidence=0. PR: Fix AgentKeys live ABI audit paths #43. CrossAgent will not mark this issue as PR-created until completion-check passes with a valid delivery evidence summary and required visual evidence.

Next Owner

• Visual Evidence Reviewer / Evidence publisher agent

Next Action

• Review whether the screenshot actually proves the requested UI/data state, then repair the delivery evidence package and rerun completion-check.

Generated at: 2026-05-26T14:14:53.898Z

[crossagent-production-app]

CrossAgent status

Status: request changes
Task: github-litentry-subscan-essentials-42
Runtime task: task_71cdb7cc4e3a4433
Base branch: crossagent
Planning: ready size=m priority=p0
Resource queue: deploy
Small-model eligible: yes
Suggested labels: crossagent:size/m, crossagent:priority/p0, crossagent:resource/deploy, crossagent:root-cause
Suggested sub-issues: none
Created child issues: none

Identity mode. Posted by the configured GitHub API identity (mode=github-app-installation-token, source=github-app-installation-token, login=crossagent-production-app[bot]).

Issue: #42
PR: #43

Operator Links

• Admin Panel task trace: /api/tasks/task_71cdb7cc4e3a4433
• Evidence gate: /api/tasks/task_71cdb7cc4e3a4433/completion-check

Detected By

• GitHub PR Fix AgentKeys live ABI audit paths #43 references this issue, but completion-check failed.

Problem

• PR evidence gate failed: claim claim-task-outcome failed: The image shows a generic contract verification user interface within 'Heima Explorer'. However, the claim is highly specific about 'AgentKeys live ABI acceptance gaps' related to 'op_kind filter, root path, and envelope proof'. The screenshot does not contain any visual elements or information that directly demonstrate these specific aspects of the task's delivery. Therefore, it does not visibly support the detailed claim. confidence=0. PR: Fix AgentKeys live ABI audit paths #43. CrossAgent will not mark this issue as PR-created until completion-check passes with a valid delivery evidence summary and required visual evidence.

Next Owner

• Visual Evidence Reviewer / Evidence publisher agent

Next Action

• Review whether the screenshot actually proves the requested UI/data state, then repair the delivery evidence package and rerun completion-check.

Generated at: 2026-05-27T02:33:02.043Z

[crossagent-production-app]

CrossAgent status

Status: request changes
Task: github-litentry-subscan-essentials-42
Runtime task: task_71cdb7cc4e3a4433
Base branch: crossagent
Planning: ready size=m priority=p0
Resource queue: deploy
Small-model eligible: yes
Suggested labels: crossagent:size/m, crossagent:priority/p0, crossagent:resource/deploy, crossagent:root-cause
Suggested sub-issues: none
Created child issues: none

Identity mode. Posted by the configured GitHub API identity (mode=github-app-installation-token, source=github-app-installation-token, login=crossagent-production-app[bot]).

Issue: #42
PR: #43

Operator Links

• Admin Panel task trace: /api/tasks/task_71cdb7cc4e3a4433
• Evidence gate: /api/tasks/task_71cdb7cc4e3a4433/completion-check

Detected By

• Completion-check blocked the linked PR evidence package.

Problem

• PR evidence gate failed: claim claim-task-outcome failed: The image shows a general contract verification page within 'Heima Explorer'. There are no specific visual cues or UI elements in the image that directly relate to or demonstrate the delivery of the task concerning 'AgentKeys live ABI acceptance gaps: op_kind filter, root path, and envelope proof'. Therefore, the image does not visibly support the specific delivery claim. confidence=0. PR: Fix AgentKeys live ABI audit paths #43. CrossAgent will not mark this issue as PR-created until completion-check passes with a valid delivery evidence summary and required visual evidence.

Next Owner

• Evidence publisher agent

Next Action

• Repair the PR evidence package only: complete checks, upload/render screenshot evidence when required, then rerun completion-check.

Generated at: 2026-05-27T02:57:49.058Z