Skip to content

[Governance 4/4] Runtime wiring#2808

Open
l0r1s wants to merge 2 commits into
governance-referendafrom
governance-wiring
Open

[Governance 4/4] Runtime wiring#2808
l0r1s wants to merge 2 commits into
governance-referendafrom
governance-wiring

Conversation

@l0r1s

@l0r1s l0r1s commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

Summary

Final part of #2804.

Wires the generic governance pallets into the Subtensor runtime and defines Subtensor's concrete on-chain governance model.

Root calls now go through a two-stage process: Proposers submit to the Triumvirate track, and approved calls move into a review track where the Economic and Building collectives can fast-track, delay, or cancel enactment.

What Changed

  • Wired pallet-multi-collective, pallet-signed-voting, and pallet-referenda into the runtime.
  • Added runtime/src/governance with track definitions, collective definitions, voter-set handling, term rotation, EMA selection, benchmarks, and weights.
  • Defined five collectives: Proposers, Triumvirate, Economic, Building, and EconomicEligible.
  • Defined two governance tracks:
    • Track 0, triumvirate: 7-day approve/reject decision by the Triumvirate.
    • Track 1, review: Economic + Building review with fast-track, delay, and cancel behavior.
  • Added Subtensor root-registration tracking for Economic eligibility.
  • Added EMA sampling for root-registered validator stake value.
  • Added Building selection from mature subnet owners.
  • Added migration support, try-state checks, documentation, benchmark script updates, and TypeScript E2E governance tests.

Detailed Reference

See docs/governance/README.md for the end-to-end governance model and runtime/src/governance/README.md for the concrete runtime configuration. Together they cover the two-track flow, collective roles, Economic and Building selection, review delay formula, referendum lifecycle, storage/audit trail, runtime constants, and operational notes.

Reviewers may want to focus on the runtime invariants: track 1 is not directly submittable, review voters are the deduplicated union of Economic and Building, active polls use snapshot-based eligibility, and rotating collectives leave the previous member set in place if a full 16-member selection cannot be produced.

Behavioral Impact

This is the PR that activates the governance stack in the runtime.

The review track is not directly submittable. It can only be reached after Triumvirate approval, which prevents bypassing the first governance gate. Voting uses snapshot-based voter sets, so active referenda are not affected by later collective rotations.

Migration / Spec Version

Includes a migration to initialize root-registered hotkey counts from existing state. This PR adds runtime storage and should be merged with the appropriate runtime release/spec-version handling for the target base branch.

Testing

Coverage includes Rust unit/integration tests for the new Subtensor root-registration logic and TypeScript governance E2E suites under:

ts-tests/suites/dev/subtensor/governance
ts-tests/suites/dev_fast/governance

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: established contributor with write permission and substantive prior merged PRs; no Gittensor allowlist match found; branch governance-wiring -> governance-referenda.

Reviewed the prefetched diff as authoritative. No .github/ai-review/* or .github/copilot-instructions.md changes are present. Static review only; no build or test commands were run under Skeptic rules.

Findings

Sev File Finding
HIGH pallets/subtensor/src/coinbase/root.rs:165 Root eligibility updates even when replacement is skipped inline

Conclusion

The PR is vulnerable because the new root-registration bookkeeping can grant governance eligibility without an actual root registration in a replacement edge case.


🔍 AI Review — Auditor (domain review)

VERDICT: 👎

l0r1s is an established repository contributor with write access; no curated/on-chain Gittensor match found in the trusted allowlists.

Description discrepancy: the PR body still describes this as a placeholder with no runtime or pallet changes and no testing. The current diff now wires the governance runtime, adds root-registration EMA/indexing, introduces a migration, updates weights/benchmarks, and adds Rust plus TypeScript governance coverage.

Duplicate-work check: the overlap data includes the prerequisite governance-stack PRs (#2805-#2807) and common-file overlaps, but none appears to be a better duplicate of this runtime-wiring PR.

Findings

Sev File Finding
HIGH runtime/src/governance/collectives.rs:86 Partially populated collectives are treated as live governance quorums inline
LOW PR body PR body still describes a placeholder (off-diff)

Other findings

  • [LOW] PR body still describes a placeholder (PR body) — The current PR body says there are no runtime or pallet changes and testing has not run, but the diff now contains the governance runtime wiring and extensive test additions. Update the description before merge so reviewers and release notes reflect the real behavioral impact, spec-version considerations, and tests performed.

Prior-comment reconciliation

  • 0b7767e6: no longer applies — The current prefetched PR context now contains a non-empty diff with 60 changed files; the earlier placeholder-only finding is superseded.

Conclusion

Blocking because the runtime currently treats partially populated governance collectives as live voter sets, which can reduce the documented Triumvirate/review quorums before root dispatch. Rerun after the minimum-size invariant is enforced and the stale PR body is updated.


📜 Previous run (superseded)
Sev File Finding Status
MEDIUM PR diff PR has no reviewable diff ⏭️ No longer applies
The current prefetched PR context now contains a non-empty diff with 60 changed files; the earlier placeholder-only finding is superseded.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

@l0r1s l0r1s force-pushed the governance-referenda branch from 6b00274 to f11a3bb Compare June 30, 2026 23:28
@l0r1s l0r1s force-pushed the governance-wiring branch from 444b1b8 to 2bd4f8d Compare June 30, 2026 23:28
@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

eco-tests changed — indexer review required

This PR modifies files under eco-tests/. and may affect downstream indexing.
cc @evgeny-s — please review manually

Changed files
  • eco-tests/src/mock.rs

@github-actions github-actions Bot requested a review from evgeny-s July 1, 2026 12:57

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +83 to +86
id: CollectiveId::Triumvirate,
info: CollectiveInfo {
name: pad_name(b"triumvirate"),
min_members: 3,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] Partially populated collectives are treated as live governance quorums

These min_members values do not protect the referendum path. pallet_multi_collective::add_member permits building a collective below min_members, while pallet_referenda only checks that the voter set is non-empty. That means a single Triumvirate member can satisfy a 2/3 approval threshold as 1-of-1, and an undersized Economic/Building review set can fast-track root dispatch with far fewer than the documented seats. Enforce the configured minimum size before a collective is considered usable for MemberSet/referenda, or require atomic set_members initialization and reject partially initialized voter sets. Add tests for one-member Triumvirate and one-sided/undersized Economic/Building review snapshots.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

@l0r1s l0r1s mentioned this pull request Jul 1, 2026
@l0r1s l0r1s marked this pull request as ready for review July 1, 2026 13:44

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

Comment on lines +163 to +165
let replaced_owner = Owner::<T>::get(&replaced_hotkey);
Self::decrement_root_registered_hotkey_count(&replaced_owner);
Self::increment_root_registered_hotkey_count(&coldkey);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] Root eligibility updates even when replacement is skipped

replace_neuron can return without replacing when the selected UID is the protected subnet-owner hotkey, but these new lines still decrement the previous owner and increment the caller. In that case root_register succeeds without adding the caller's hotkey to Keys[ROOT], while RootRegisteredHotkeyCount and EconomicEligible are updated as if it had. A caller with higher stake than the protected lowest root UID can therefore enter the Economic eligibility pool without actually being root-registered, and the real root owner can be removed from eligibility. Make replace_neuron report whether it actually replaced, or re-read Keys[ROOT, lowest_uid] after the call and only update the counters when the stored hotkey changed; otherwise return an error.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant