fix(random-sampling): resolve CG names with "/" so v9-style <owner>/<slug> CGs sync

[branarakic]

Summary

Hotfix for an issue that suppressed every Random Sampling proof on testnet despite challenges firing correctly.

resolveContextGraphNameFromOnChainId in kc-extractor.ts was rejecting any context-graph name containing /. Real CGs are commonly registered with owner-prefixed names like 0xb08A0F66d5A225D57Dee5fFa6C442e4DC2a4794c/laptop-smoke — the v9 <owner_address>/<slug> namespacing pattern. The resolver returned null, so extractV10KCFromStore threw KCNotFoundError for every KC in the CG, even after FinalizationHandler had already promoted the SWM snapshot to canonical.

Reproduction (live testnet, beacon-04)

After publishing KC #6 + #7 to context graph 12 (cgName 0xb08…4794c/laptop-smoke):

08:19:35 [FinalizationHandler] Finalization: promoted SWM snapshot to context graph 12 for did:dkg:base:84532/0xb08…4794c/5000001 (tx=0x2a7328ba…)
08:22:27 [FinalizationHandler] Finalization: promoted SWM snapshot to context graph 12 for did:dkg:base:84532/0xb08…4794c/6000001 (tx=0x79b10bdd…)
08:22:48 [DKGAgent] [rs.tick.kc-not-synced] {"kcId":"6","cgId":"12","err":"KCNotFoundError"} [WARN]
   …repeats every ~30s for 40+ minutes…

A 10-minute on-chain event watcher across all four beacons observed:

• 6 ChallengeGenerated events within 5 seconds (every beacon picked up KC Refactor autoupdater #6/Swarm syncing not working #7)
• 0 ValidProofSubmitted events — proofs never get computed because the extractor short-circuits before even trying to read _meta

Fix

Replace the over-tight name-level allowlist with assertSafeIri on the derived meta-graph URI, which is the actual SPARQL-injection surface:

// Before
if (!name || name.includes('/') || name.includes(' ')) return null;

// After
if (!name) return null;
try {
  assertSafeIri(contextGraphMetaUri(name, '0'));
} catch {
  return null;
}

This still rejects <>"{}|\^ and control chars (poisoned ontology entries also can't land in OxigraphStore in the first place), but admits legitimate path-style names. Both ends of the writer/reader handshake (FinalizationHandler.promoteSharedMemoryToCanonical writes via contextGraphMetaUri(contextGraphId, ctxGraphId); the extractor now reads via the same helper with the resolved name) end up at the same URI.

Regression coverage

Two layers of test, both reverse-validated by temporarily restoring the name.includes('/') rejection — both fail loud:

1. Unit (kc-extractor.test.ts) — seeds a CG named 0xb08…4794c/laptop-smoke and asserts extractV10KCFromStore returns triples. With the bug present this throws the EXACT error from testnet: KCNotFoundError: KC 6 not found in _meta for context graph 12.
2. E2E hardhat (e2e-hardhat-chain.test.ts) — switches the local cgName from cg-<cgIdStr> to 0xb08…4794c/cg-<cgIdStr> so the chain-publish → local-store → prover-tick path is run with the v9-style namespacing pattern. Pre-fix the prover returns kc-not-synced; post-fix it returns submitted.

Devnet validation

Brought up local devnet (./scripts/devnet.sh start 6) with the fixed code, ran the existing baseline ./scripts/devnet-test-random-sampling.sh (passes against the no-/ devnet-test CG), then created an additional CG with a /-name via POST /api/context-graph/create:

$ curl -X POST .../api/context-graph/create -d '{"id":"0xdeadbeef…/devnet-slash-test","name":"slash test","register":true}'
{"created":"0xdeadbeef…/devnet-slash-test","registered":true,"onChainId":"3"}

Published a KC into it (became kcId=2), advanced the chain past the proofing-period boundary, and tailed each prover's WAL:

=== node 1 ===  kc-not-synced count: 0
  status=challenge  cgId=3 kcId=2 tx=
  status=extracted  cgId=3 kcId=2 tx=
  status=built      cgId=3 kcId=2 tx=
  status=submitted  cgId=3 kcId=2 tx=0xe3f45c0f1ffd3ad7…   ← slash-CG proof submitted!
=== node 3 ===  kc-not-synced count: 0
  status=challenge  cgId=3 kcId=2 tx=
  status=extracted  cgId=3 kcId=2 tx=
  status=built      cgId=3 kcId=2 tx=
  status=submitted  cgId=3 kcId=2 tx=0x0fbf607383774826…   ← slash-CG proof submitted!

getNodeChallenge(idId).solved == true for all four identities; identities 1 and 3 picked the slash-CG (cgId=3 / kcId=2). Zero kc-not-synced warnings on any node — the bug signature is fully gone in a real-daemon environment.

Devnet-side fix bundled in

To get devnet running, this PR also fixes three unrelated quoting bugs in scripts/devnet.sh introduced in c09e0261 (Codex round 7 on PR #368) where embedded "..." substrings inside JS comments inside multi-line node -e "…" blocks made bash truncate the script body — ./scripts/devnet.sh start was failing 100% of the time with SyntaxError: Unexpected end of input. Pure quoting refactor; comment meaning unchanged. Without this, the random-sampling devnet validation above can't be run.

Test plan

• Unit + e2e regression tests reverse-validated (both fail without fix, pass with fix).
• All 47 random-sampling tests pass (pnpm --filter @origintrail-official/dkg-random-sampling test).
• Local devnet end-to-end: /-named CG submits proof through full RS pipeline.
• After merge, redeploy to a beacon and confirm rs.tick.kc-not-synced clears + ValidProofSubmitted lands on chain for the existing testnet 0xb08…4794c/laptop-smoke CG.

Notes for reviewers

• This is independent of fix(publisher): drop random fallback wallet + audit Wallet.createRandom #371 / publisher: fall back to ChainAdapter signer when publisherPrivateKey is absent #373 (publisher operational-key discipline) and the planned operator-hardening PR (--epochs N flag, /api/rs/status, StorageACK success logging, TooLowBalance preflight).
• The No assertSafeIri on derived URIs comment in extractV10KCFromStore is updated to reflect that the resolver now does the gate.

[github-actions]

Codex review completed — no issues found.

[github-actions]

Codex review completed — no issues found.

[github-actions]

Codex review completed — no issues found.