Proof-of-Infrastructure (PoI) Integration with .mod Capsules

Proof-of-Infrastructure (PoI) Integration with `.mod` Capsules

NØN-OS binds execution and infrastructure into a single verifiable flow. Every capsule run can (optionally) attach a PoI snapshot proving the operator’s local capacity at or near execution time. The PoI engine (see cli/src/nonosctl/depin.rs) measures compute, bandwidth, and storage; packages a snapshot; signs it with the node’s ed25519 key; and exposes it to the mesh (and, asynchronously, to on-chain settlement).

Measurement Model

At interval Δ (configurable; default 15–60s) or upon capsule events:

.Compute: logical CPU count, recent load/windowed CPU time, throttling indicators.

.Memory: total, available; cgroup limits when capsule-scoped.

.Storage: free space, read/write throughput samples, fs errors.

.Network: egress/ingress bytes over mesh interface(s), RTT samples to quorum peers.

Let the raw vector be:

m_t = \{ cpu, cpu_{max}, mem_{tot}, mem_{free}, disk_{free}, io_{r/w}, net_{tx/rx}, rtt_{p50/p90} \}

We compute a canonical digest:

h_t = \mathrm{SHA3\!-\!256}(\mathrm{CBOR}(m_t \parallel capsule\_id? \parallel policy\_tag?))

Snapshot & Signature

The PoI snapshot structure (serialized JSON/CBOR):

/{"node_id": "<b58(ed25519_pub)>",
  "ts": "2025-08-09T12:34:56Z",
  "capsule": "optional::<capsule_id>@<semver>",
  "metrics": { "cpu_logical": 8, "mem_total_mb": 16384, "mem_free_mb": 10200,
               "disk_free_mb": 250000, "net_up_ms": 1234567, "io_rbps": 12.3, "io_wbps": 7.9 },
  "runtime_hash": "<beacon_state_hash>",
  "digest": "<hex(sha3-256(metrics+context))>",
  "sig": "<hex(ed25519_signature(digest))>",
  "ver": "poi-v1"
}

Key handling:

Node keypair generated once, stored under /var/nonos/keys/node.ed25519 (non-exported).

All signatures verify locally and by peers (beacon/verify).

Capsule-Bound PoI

When a .mod declares requires_poi = true (manifest policy), the executor invokes PoI pre/post hooks:

Pre-exec: capture mt− \mathbf{m}_{t-}mt−, produce poi_pre.

Execute: sandboxed payload; resource limits enforced.

Post-exec: capture mt+ \mathbf{m}_{t+}mt+, produce poi_post.

Receipt: compose execution receipt:

{
  "capsule_id": "...", "run_id": "<uuid>",
  "node_id": "...", "started": "...", "ended": "...",
  "poi": { "pre": {...}, "post": {...} },
  "policy_ok": true,
  "status": "ok|fail",
  "hash_state": "<runtime_state_hash>"
}

Broadcast receipt via mesh gossip to N-of-M verification committee.>

Mesh Verification (Quorum Receipts)

Each node maintains a rotating committee of size M (e.g., 7–13) chosen by proximity and trust score.

Committee members validate:
- Signature correctness over poi.digest
- Timeliness (|now − ts| ≤ drift window)
- Monotonicity (reject backwards capacity unless flagged as throttled)
- Capsule linkage (if requires_poi)

On success, each member returns a receipt signature σi\sigma_iσi over:

r = \mathrm{SHA3\!-\!256}(\mathrm{run\_id} \parallel \mathrm{node\_id} \parallel \mathrm{poi\_post.digest})

The operator aggregates N receipts (e.g., N = 5 of M) → Mesh Finality Bundle:

{ "run_id": "...", "root": "<merkle_root_of_receipts>", "signers": ["peerA","peerB",...], "sigset": ["...","..."] }

Mesh finality is UX finality; chain anchoring is a durability checkpoint.

Adaptive Anchoring (Anti-Latency)

Anchoring to L2 (e.g., zkSync) runs off the hot path:

Batch receipts into a Merkle tree; anchor the root.

Adaptive batcher: target wall-clock T_max; shrink/grow batch by EWMA mempool delay.

Idempotent anchors keyed by (epoch, root) avoid duplicates.

Backpressure policy: if chain congested, continue issuing notarized mesh receipts; anchor later.

Micro-Fee Accounting & Routing

The operator ledger (/var/nonos/ledger.json) records per-event economics:

{ "ts": "...", "module": "capsule-id", "fee_nonos": 0.0001,
  "capsule": "[email protected]", "tx_hash": null }

On settlement, the FeeRouter contract (or off-chain splitter) applies a programmable split (example baseline):

60% → capsule publisher

30% → executing operator

10% → protocol treasury

Receipts reference the anchored root for auditability.

Anti-Gaming & Sybil Resistance

Temporal consistency: rate-limit snapshots; reject “too frequent” PoI (spam).

Cross-feature coherence: CPU vs. throughput vs. IO must remain within plausible bounds; outliers penalized by trust.rs.

Diversity challenge: committee selection avoids repeated signers; rotating seeds from beacon state hash.

Stake-weighted quorum (optional): signers below minimum stake count with reduced weight.

Replay protection: (node_id, ts) tuple uniqueness; receipts include run-scoped nonces.

Failure Modes & Recovery

Mesh Partition: PoI stored locally; side-loads permitted; backfill on reconnection.

Clock Skew: bounded acceptance window with peer-drift hints; recommend monotonic clock.

Sandbox Breach Attempt: policy violation elevates alert; trust score decrement; gossip an incident record.

Key Loss: roll keys with on-device attestation to prior hardware identity hash; peers update trust graph.

Operator Controls

nonosctl depin proof — emit and print latest PoI; drop JSON to /var/nonos/mesh/outbox/.

nonosctl depin ledger — summarize fees, totals, epoch stats.

nonosctl capsule run --with-poi <capsule.mod> — force pre/post PoI binding.

TUI panel: live PoI metrics, last receipts, quorum status.

Interfaces (for SDKs & Contracts)

Outbox format (PROOF_OUTBOX/*.json): stable JSON schema (above).

Mesh topic: /nonos/poi/v1 (binary CBOR w/ length prefix).

Anchor contract (L2):

submitRoot(bytes32 root, uint64 epoch) → Anchor(root, epoch, msg.sender)

claimFee(bytes32 runId, proof) verifies inclusion + split payout.

Result: PoI turns NØN-OS from a “private OS” into a verifiable infrastructure fabric: every execution can be tied to a measurable contribution, priced via micro-fees, finalized by a peer quorum, and durably anchored without ever blocking the user experience.

Previous.mod Capsule Format Specification NextzkProof-Bound Execution & Identity

Last updated 1 month ago