
Next#30

Merged
mmacedoeu merged 372 commits into main from next
Mar 16, 2026
@mmacedoeu
Contributor

Pull Request Checklist

  • All CI checks pass (green ✓)
  • Lint checks pass (no formatting issues)
  • Security scan passes
  • Tests added/updated for new functionality
  • Documentation updated (if applicable)
  • Commit messages follow Conventional Commits

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • AI-generated work (agent/* branch)

Branch Strategy

This PR follows the CipherOcto branch strategy:

| From Branch | To Branch | Purpose |
|---|---|---|
| feat/* | next | New features |
| agent/* | next | AI-generated code |
| research/* | next | Experimental work |
| hotfix/* | main | Emergency fixes |
| next | main | Integration release |

Current PR: <!-- source branch --><!-- target branch -->


Description


Related Issues

Closes #(issue)


Testing

  • Unit tests pass
  • Integration tests pass
  • Manual testing performed

Performance Impact

  • No performance impact
  • Performance improved (describe)
  • Performance degraded (describe, justify)

Security Considerations

  • No security implications
  • Security changes (describe)

Additional Notes

mmacedoeu added 30 commits March 7, 2026 21:40
Fixes per review:
- Added Alternatives Considered section (STARK vs SNARK vs PCD)
- Added Rationale section (why binary tree, Merkle, bindings)
- Added Future Work section (cross-shard, formal verification)
- Added Key Files to Modify section
- Made aggregator_sig required (not optional)
- Added non-power-of-two batch handling (padding method)
- Added consensus rejection rules
- Added double-aggregation resolution
- Added shard-aggregation boundary

Targeting acceptance-ready status.
Fixes:
- Added NULL_PROOF circuit handling (Option 1/2/3)
- Added Verification Key Management section (key hierarchy)
- Added Aggregator Incentives & DoS Mitigation

Now approved with minor revisions.
- Add CAN WE?, WHY?, WHAT?, HOW? motivation sections
- Add explicit dependency on RFC-0106 Deterministic Numeric Tower
- Document numeric types used (DqaScalar, DfpScalar, DVEC, DMAT)
- Update version to 1.1
Per final review feedback:
- Separate Performance Targets into Prover/Network/Verification sections
- Add Appendix A for References (Blueprint template compliance)
- Add additional reference links

RFC-0146 now addresses all review feedback:
- NULL_PROOF padding logic (v1.2)
- Verification Key Management (v1.2)
- Aggregator Incentives & DoS Mitigation (v1.2)
- Performance Targets refinement (v1.4)
- Template compliance (v1.4)
Per additional review feedback:
- Add Fisherman role for aggregator fraud detection
- Clarify Universal VK vs Per-Level VK approach
- Add Worker Penalty for Failed Aggregation (DoS mitigation)
- Add penalty schedule constants

RFC-0146 now comprehensive with all review feedback addressed.
Per comprehensive review feedback:
- Add mathematical proof of associativity
- Select Option 1 (Identity Verification) as canonical padding
- Add Epoch Management section with state machine
- Add Error Handling section with recovery procedures
- Add Fraud Detection Procedures with timeline
- Add Penalty Enforcement mechanism
- Add RFC dependency status section

This addresses all remaining review feedback items.
Per comprehensive review:
- Add terminology consistency note (Use Cases, Missions capitalized)
- Add Research to Governance Stack (0️⃣ layer)
- Clarify agent RFC initiation rules
- Add timeout rationale table

This addresses all Blueprint review feedback.
- Upgrade ASCII diagram to Mermaid for binary tree recursion
- Minor editorial improvements

RFC-0146 ready for acceptance.
Per technical review feedback:
- Add concrete security parameter table (soundness bits, FRI params)
- Add domain separation tag to leaf commitments
- Add Future Work items (FRI multi-folding, Circle STARKs, lookup)
- Add padding inefficiency note with 6-18 month improvement roadmap
Per review feedback:
- Add aggregation circuit definition with constraints
- Add proof binding (aggregate_id computation)
- Add security considerations section
- Add aggregation rewards section
- Add expected proof sizes table
- Expand AggregatedProof struct with program_hash, public_input_root
Per comprehensive review (R-01 through R-07):
- Resolve AggregatedProof struct conflict (single canonical definition)
- Specify add_proof incremental aggregation algorithm
- Fix associativity proof (corrected logical error)
- Add hardware baseline to performance targets
- Add padding security constraints (is_padding as public input)
- Clarify cross-shard aggregation as out of scope

RFC-0146 is now ready for acceptance.
Per final review:
- Clarify Canonical Ordering (Deterministic) vs Associativity
- Fix padding: is_padding is PRIVATE input (maintains O(1))
- Add program_hash governance note
- Clean up duplicate struct definition

RFC-0146 now resolves all known contradictions.
Per final review:
- Remove deprecated struct placeholder
- Add M31 mandatory field requirement
- Add cumulative soundness bound (2^-100)
- Add ZK privacy model for program_hash
Major improvements:
- Add Economic Model section with game-theoretic attack cost analysis
- Add formal theorems (canonical ordering, O(1) verification, soundness)
- Add comprehensive testing requirements and benchmarks
- Add simulation guidelines for agent-based economics
- Add error codes (E001-E007)
- Mandate Poseidon hash for ZK-friendliness
- Add 2024-2026 references (StarkPack, Circle STARKs, Plonky3, Boojum)
- Version bump to 3.0
All 7 fixes from technical audit implemented:

Fix 1: Add Merkle root constraint in aggregation circuit
  - proof_root = MerkleRoot(left_child, right_child) enforced

Fix 2: Define Poseidon parameters
  - Width: 8, Rate: 4, Full rounds: 8, Partial rounds: 56

Fix 3: Replace incremental aggregation with Merkle Mountain Range
  - O(log n) updates, append-only, deterministic

Fix 4: Add unique proof_id with epoch inclusion
  - proof_id = H(worker_pubkey || task_id || nonce || epoch)

Fix 5: Add proof submission receipts for censorship detection
  - ProofSubmissionReceipt enables fisherman fraud proofs

Fix 6: Add network message types
  - SubmitProof, BatchProofs, SubmitAggregate, RequestProof, FraudProof

Fix 7: Add canonical serialization (SSZ) and constants
  - MAX_PROOF_SIZE, MAX_BATCH_SIZE, MAX_PUBLIC_INPUTS

Additional:
- Allow M31, BabyBear, Goldilocks fields (not just M31)
- Specify FRI parameters for 128-bit security
- Add MMR and SSZ references
Fix critical struct schism:
- Unify circuit definition to MMR-only (remove binary tree)
- Replace "Associativity" claims with "Deterministic Append-Only"
- Add MMR-based aggregate_id computation (bag of peaks)
- Update proof binding for MMR peaks
- Remove binary tree references from aggregation circuit
- Fix syntax error: remove orphaned ) block in Proof Binding
- Add MAX_PEAKS constant (32 for SSZ static-length compliance)
- Confirm Union Bound as conservative safety floor for Theorem 3
- Add Sticky Bit definition for 113-bit RNE rounding
- Fix DfpEncoding struct to 24 bytes (no padding)
- Increase DFP_DIV/SQRT gas to 50-100x (prevent DoS)
- Add Consensus Verification Probe (every 100K blocks)
- Fix overflow: use saturating MAX instead of Infinity
- Remove duplicate DfpEncoding struct definition
- Fix mantissa: change from i128 to u128
- Add division by zero: explicit saturating MAX behavior
- Add SQL literals: DFP by default in deterministic mode
Blocking fixes:
- Fix round_to_113: correct algorithm with proper mask calculations
- Fix DFP_MAX: use u128 and add DFP_MAX_MANTISSA constant
- Fix Serialize: unify to use DfpEncoding::to_bytes()
- Fix ordering table: correct mantissa for negative values
- Fix Infinity: clarify NOT used in computed results

Other fixes:
- Fix compiler flags: -Cf → -C
- Add gas limits scope definition
- Add Berkeley SoftFloat reference to implementations
- Add implementation roadmap with test vector requirements
- Add prerequisite: 300+ test vectors before consensus integration
- Add external audit commitment to roadmap
- Fix RNE rounding: correct bit extraction algorithm
- Fix division: add deterministic long division algorithm
- Fix sqrt: use fixed 32 iterations (not convergence-based)
- Fix encoding: add safety comments
- Fix ordering: clarify Infinity not produced in computed results
- Add normalization step after rounding
- Fix round_to_113: return (mantissa, exponent_adjustment) tuple
- Clarify encoding: in-memory may have tail padding
- Confirm duplicate impl block already removed
- Add three golden rules for deterministic execution:
  1. Use u256 for division intermediate
  2. No f64 sqrt seed
  3. No iteration short-circuiting
- Fix sqrt iterations: 16 → 32
- Fix sticky bit mask: (abs_mant >> 114) != 0
- Fix exponent adjustment sign: positive (adding back magnitude)
- Fix division: use two-u128 (hi, lo) decomposition
- Add Infinity class lifecycle note
- Add phased deployment recommendation table
- Restrict DFP to read-only contexts initially
- Define clear scope: queries, views, oracles allowed; state transitions deferred
- Add round_to_113_from_256 function for handling 256-bit quotient
- Fix division algorithm using shift-and-subtract approach
- Clarify Infinity class lifecycle (only for from_f64 conversion)
- Fix multiplication intermediate handling with 256-bit operations
- Fix multiplication: align product so MSB at bit 112 before rounding
- Fix division: align quotient so MSB at bit 112 before rounding
- Remove round_to_113_from_256 (alignment now done in caller)
- Add shift_amount to exponent adjustment to compensate for alignment shift
- Fix DFP ops scope: change "per block" to "per transaction"
- Fix SQRT: capture exponent adjustment from round_to_113
Blocking:
- B1: Fix SQRT - use bit-by-bit algorithm instead of Newton-Raphson
- B2: Fix verification probe - full Dfp struct literals with expected bytes

Significant:
- S1: Fix round_to_113 - handle zero input (return (0, 0))
- S2: Fix comparator - combined (sign, class) ordering, remove duplicate
mmacedoeu and others added 27 commits March 15, 2026 17:16
…erification probe

- Added TryFrom implementations for i64/u64/i128/u128 with proper MIN value handling
- Added bigint_to_i128_bytes for i128 round-trip conversion
- Added BigIntEncoding with serialize/deserialize for canonical 24-byte format
- Added BigInt verification probe (56 entries) with SHA-256 Merkle tree
- Added BIGINT_REFERENCE_MERKLE_ROOT constant for verification
- Fixed clippy warnings: manual_div_ceil, needless_borrows
- Fixed entry 52 value (MAX_U64 vs Max 4096-bit)
- Added implementation fixes documentation in source

All 115 tests pass, zero clippy warnings, Merkle root matches reference.
…icalization

Critical fixes:
- limb_sub: Fix borrow propagation using overflowing_sub chain
- limb_mul: Fix carry propagation (replace |= with proper loop)
- bigint_divmod: Replace buggy binary search with Knuth Algorithm D

High severity fixes:
- bigint_shr: Return ZERO for large shifts (not Err)
- bigint_shl: Handle shift == 0 correctly
- Serialization: Fix byte offsets (num_limbs at byte 4)
- Add is_canonical() checks to all arithmetic functions

Lower severity:
- Add BigIntError::OutOfRange variant
- Add debug_assert for non-empty limbs in BigInt::new()
- Narrow #[allow(arithmetic_overflow)] scope in probe.rs

Regression tests: 69 tests added, 2 previously slow division tests
now enabled (Knuth Algorithm D is O(n) not O(quotient)).
Add comprehensive documentation to the BigIntProbeValue enum explaining
when to use each variant. This prevents the bug where Int(MAX_U64)
and Max encode to different bytes in the compact probe format.

Key points:
- Max encodes to ff ff ff ff ff ff ff ff (4096-bit sentinel)
- Int(MAX_U64) encodes to hash-ref bytes (integer operand)
- Trap encodes to de ad de ad de ad de ad (TRAP sentinel)
- Int(TRAP) encodes to hash-ref bytes (integer operand)

The fix log comment is now visible at the variant definition site,
not just in the module docstring.
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4 to 7.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@v4...v7)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
- Update probe entry count from 64 to 56 in changelog
- Change MUL from pre-check to post-check overflow validation
  - Pre-check incorrectly rejected valid computations
  - Now only traps if result.bit_length() > MAX_BIGINT_BITS
- Steps renumbered from 1-8 to 1-7
Critical bug fix: The original i128 cast `q_hat * v[i] as i128` could
overflow when q_hat * v[i] > 2^127 (roughly 1 in 2^64 cases).

Solution: Two-pass approach using pure u128 arithmetic:
1. Pass 1: Compute q_hat * v[] into temporary qv[]
2. Pass 2: Subtract qv[] from u[] with overflow tracking

Also syncs RFC-0110 fixes:
- Probe entry count: 64 → 56
- MUL: pre-check → post-check overflow validation
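
The two-pass multiply-subtract described in the commit message above, as an added example that is not code from this pull request. The function names and the 64-bit little-endian limb layout are assumptions made for illustration.

```rust
// Added illustration: function names and the u64 little-endian limb layout
// are assumptions, not the project's code.

/// Pass 1: qv = q_hat * v, with one extra limb for the final carry.
fn mul_limb(v: &[u64], q_hat: u64) -> Vec<u64> {
    let mut qv = Vec::with_capacity(v.len() + 1);
    let mut carry: u128 = 0;
    for &limb in v {
        // (2^64-1)^2 + (2^64-1) < 2^128, so this sum always fits in u128.
        let t = (q_hat as u128) * (limb as u128) + carry;
        qv.push(t as u64);
        carry = t >> 64;
    }
    qv.push(carry as u64);
    qv
}

/// Pass 2: u -= qv in place. Returns true when a borrow leaves the top limb,
/// meaning q_hat was one too large and the caller must add v back.
fn sub_in_place(u: &mut [u64], qv: &[u64]) -> bool {
    assert_eq!(u.len(), qv.len());
    let mut borrow = false;
    for (a, &b) in u.iter_mut().zip(qv) {
        let (d1, b1) = a.overflowing_sub(b);
        let (d2, b2) = d1.overflowing_sub(borrow as u64);
        *a = d2;
        borrow = b1 || b2; // at most one of the two subtractions can wrap
    }
    borrow
}

/// One multiply-subtract step on a window u of length v.len() + 1.
fn mul_sub_step(u: &mut [u64], v: &[u64], q_hat: u64) -> bool {
    let qv = mul_limb(v, q_hat);
    sub_in_place(u, &qv)
}

fn main() {
    // Constructed operands: the product (2^64-1)^2 exceeds 2^127, so a signed
    // 128-bit multiply cannot represent it, while the u128 path can.
    let signed = (u64::MAX as i128).checked_mul(u64::MAX as i128);
    println!("i128 product: {:?}", signed);
    let mut u = [1u64, u64::MAX - 1]; // equals (2^64-1)^2
    let borrow = mul_sub_step(&mut u, &[u64::MAX], u64::MAX);
    println!("remainder limbs: {:?}, borrow: {}", u, borrow);
}
```
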
…ies-6

chore(deps)(deps): update directories requirement from 5 to 6
…0.13

chore(deps)(deps): update reqwest requirement from 0.12 to 0.13
…/actions/checkout-6

chore(ci)(deps): bump actions/checkout from 4 to 6
…/actions/upload-artifact-7

chore(ci)(deps): bump actions/upload-artifact from 4 to 7
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@v5...v6)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
- FIXED: Entry 1 label (2^64 + 1 → 2^64) - matches Python/Rust reference
- FIXED: Rule 4 DIV iteration count - now correctly states m+1
  where m = dividend.len() - divisor.len()
- FIXED: Removed unnecessary j=0 special case - standard D1 formula
  works with implicit r[-1] = 0
- Updated version to v2.13
- Version: 2.12 → 2.13
- Date: 2026-03-15 → 2026-03-16
bigint.rs:
- Update doc comment to match RFC v2.13: "m+1 outer iterations
  where m = dividend.len() - divisor.len()" instead of "a_norm.limbs.len()"

probe.rs:
- Fix entry 1 description: "2^64 + 1" → "2^64"
- Fix stale python_hashes: entries 52, 54, 55
- Add assert_eq!(mismatches, 0) to fail loudly on future regressions
Implementation exists in determin/src/probe.rs:
- 56 probe entries with correct encoding
- SHA-256 hashing and Merkle tree
- Reference root: c447fa82...
- All verification tests pass
- Add Display trait implementation for decimal and hex output
- Add LowerHex and UpperHex for {:#x} format
- Add FromStr trait for parsing decimal and hex strings
- Support 0x prefix for hex, -/+ prefix for signed numbers
- Add InvalidString error variant
- Mark slow decimal tests as #[ignore]
All phases complete:
- Phase 1: Primitive conversions (i64, i128, u64, u128)
- Phase 2: String conversions (Display, FromStr, hex support)
- Phase 3: Serialization (BigIntEncoding wire format)
- Phase 4: i128 round-trip conversion
- Entry 1 label: 2^64 + 1 → 2^64
- Rule 4 DIV iteration: m+1 where m = dividend.len() - divisor.len()
- Remove unnecessary j=0 special case
- Version: 2.12 → 2.13
- 0110-bigint-verification-probe: marked done
- 0110-bigint-conversions-serialization: marked done
Fix invalid action reference: dtolnay/rust-action → dtolnay/rust-toolchain
maturin develop requires a virtual environment. Add virtual-environment
setup to setup-python action and activate it in each step.
…/actions/setup-python-6

chore(ci)(deps): bump actions/setup-python from 5 to 6
Set AWS_LC_SYS_CMAKE_BUILDER=1 to avoid GCC memcmp optimization bug
that causes aws-lc-sys build failures on systems with affected GCC versions.

See: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189
@mmacedoeu mmacedoeu merged commit d0263f2 into main Mar 16, 2026
9 of 41 checks passed