Reference
Issue
Code
Other Formats
Scenario-driven exhaustive verification for the three-layer development model
nexus-sim implements the same core storage traits as production backends and wraps them in edge-emulating async boundaries. It validates the three-layer development model: consumption scenarios define what must hold true, nexus-sim proves whether the orchestration layer enforces them, and capability gap reports tell the foundation what to provide. Every run produces a cryptographically signed proof artifact.
nexus-sim is the infrastructure that drives this loop on a multi-modal coordinate space covering the record lifecycle domains:
Consumption Scenario (immutable domain requirement)
↓ expressed as
nexus-sim Test Case
↓ run against current stack
PASS → scenario is a permanent regression test
FAIL → gap found:
├── Orchestration layer insufficient → update orchestration → re-run
└── Foundation capability missing → update foundation → re-run
↓
Re-run all prior scenarios → confirm no regression
↓
Commit. The loop tightens with every iteration.
nexus-sim’s test suite is always ahead of the implementation. Every scenario is either passing (verified) or failing (gap identified). There is no gap between what the system should guarantee and what it is tested for. The loop compresses the feedback cycle from “weeks of manual validation” to “seconds of automated verification.”
nexus-sim implements the three-layer development model defined in Development. It serves two functions that are the same mechanism at different depths in the stack:
KeyValueStore, BlobStore, ObjectStore, and SessionExecute. It validates the persistence contracts that production backends implement. A test written against nexus-sim runs unmodified against any real backend.The same trait, two depths. The inner depth tells you the logic is correct. The outer depth tells you the logic survives production conditions.
Instead of implementing a feature and then writing tests, nexus-sim starts from the consumption scenario and works backward:
nexus-sim’s test suite is always ahead of the implementation. Every scenario is either passing or failing. There is no gap between what the system should guarantee and what it is tested for.
The primary consumption scenarios nexus-sim validates are the 7 attack vectors against the exchange contract. These are defined in Proof by Structure: Direct Free-Riding, Evasive Free-Riding, Falsified Contribution, Poison Injection, Intent Spam, Replay Attack, and Sybil Attack. Each scenario has a parameterized agent model, expected outcome, and test at both trait and async-boundary depths. See the Proof by Structure document for the full definition of each scenario.
Alongside the structural violation scenarios, nexus-sim runs a second class of scenarios that test whether the exchange contract produces the intended cooperative equilibrium when agents are free to choose their behavior. These scenarios do not attempt to breach the contract. They test its game-theoretic stability through iterated interactions over multiple turns and generations.
Each scenario executes in an isolated environment — a fresh reference storage runtime instance with a deterministic clock — so that no state leaks between scenarios. This isolation is structurally identical to a virtual machine: the scenario cannot observe outcomes of other scenarios, cannot persist state across runs, and is reset before the next scenario executes.
| Scenario | Agent Strategies | What It Tests | CI Gate |
|---|---|---|---|
| Basic Cooperation | Tit-for-Tat vs Always Defect vs Always Cooperate vs Grudger | Whether cooperative strategies (TFT, Grudger) outscore defectors in a round-robin tournament over 200 turns | score(TFT) > score(AlwaysDefect) |
| Evolutionary Stability | Tit-for-Tat vs Always Defect vs Random (500 generations, population-proportional selection) | Whether cooperation survives evolutionary pressure without external enforcement | extant_strategies contains TFT |
| Generous Forgiveness | Generous TFT vs Always Defect vs Grudger | Whether a forgiving strategy can recover from occasional defection while avoiding exploitation | cooperation_rate > 0.6 |
| FIH Intent Lifecycle | Honest agents vs defectors, each submitting and resolving FIH Intents | Whether honest agents (who faithfully claim, heartbeat, and conclude) outperform defectors (who drop Intents or falsify results) in a storage game | honest_completion_rate > 0.7 and false_conclusion_rate < 0.1 |
Each scenario checks a quantitative bound (cooperation rate, score ratio, completion rate). If the bound is violated, the scenario produces a failing Fact and the CI gate rejects the build.
nexus-sim is neither a helper layer nor a consumer abstraction. It implements the same trait interfaces as every production storage backend, modeled as a tiered state model:
The core storage is the reference storage runtime, which materializes this tiered state model in memory. It implements KeyValueStore, BlobStore, ObjectStore, and SessionExecute — the same trait contracts that all production backends satisfy. A test that passes against the reference storage runtime passes against any real backend without modification, because both speak the same trait contract. There is no adapter layer.
DualStorage and PetgraphStorage remain available as optional or legacy implementations but are no longer the primary storage. The reference storage runtime is the reference implementation that all new scenarios target.
On top of the reference storage runtime, the async IO bridge wraps the same storage behind an async HTTP boundary. The HTTP layer faithfully reproduces the exact I/O patterns, latency distributions, failure modes, and concurrency semantics of the target deployment. The same trait, the same test, now exercised under production-like conditions. Delta rollup is the delta accumulation mechanism: each session accumulates state-space deltas and flushes them as a single atomic commit, mimicking the write path of cold storage rollups.
Each simulated agent is parameterized with two axes: an outer role and an inner game-theoretic strategy. The role defines what FIH operations the agent is permitted to perform. The strategy defines how the agent decides, on each turn, whether to cooperate or defect.
| Parameter | Values | Description |
|---|---|---|
| Role | honest, free-rider, poisoner, spammer, Sybil | Behavioral profile defining permitted FIH operations |
| Game strategy | Tit-for-Tat, Always Defect, Always Cooperate, Grudger, Pavlov, Random | Moment-to-moment decision function: (history, context) -> Action mapped to Cooperate / Defect |
| API surface | trait-level (direct), overlay (exchange_fact), async-boundary (HTTP) |
Which depth of the stack the agent targets |
| Signature key | valid, forged, missing | Cryptographic identity |
| Data payload | valid, empty, structurally invalid, replayed | What the agent commits |
Depth 1 — Trait level (sync, in-process, no I/O):
nexus-sim implements the reference storage runtime (tiered state model)
→ Consumer calls trait methods directly
→ Deterministic, sub-millisecond
Depth 2 — Async boundary (HTTP, with emulated production I/O):
nexus-sim storage → async IO bridge HTTP server
→ Consumer sends HTTP request
→ Server injects target-specific latency, contention, failure
The same test suite runs at both depths. Depth 1 proves logical correctness. Depth two proves the orchestration survives production I/O.
Within the nexus monorepo. Planned to graduate to a dedicated nexus-sim workspace when the suite covers multiple domains.
The reference storage runtime as the in-memory core, backed by KeyValueStore, BlobStore, ObjectStore, and SessionExecute. This is the foundation that every emulator wraps.
Deliverable: All phases 0-3 complete. Reference storage runtime passes foundation tests, persistence contract satisfaction, WASM build, and Time Machine compatibility.
The trait implementations wrapped behind an async HTTP boundary, with production I/O emulation for CF Workers.
| Component | Priority | Depends On |
|---|---|---|
| KV endpoint (GET/PUT/DELETE) | Immediate | Phase 0 |
| R2 blob endpoint (PUT/GET/DELETE) | Immediate | Phase 0 |
| DO CAS endpoint (POST with compare-and-swap) | Immediate | Phase 0 |
| Failure injection (latency, timeout, CAS conflict) | Phase 0.5 | Phase 0 |
| Multi-worker contention (two clients, same CAS key) | Phase 0.5 | Phase 0 |
Deliverable: HTTP server. Existing tests pass through it. Failure injection operational.
| Component | Priority | Depends On |
|---|---|---|
| Agent model with parameterized roles and game strategies | Phase 1 | Phase 0 |
| 7 attack scenarios as automated tests | Phase 1 | Agent model |
| 4 game-theoretic scenarios as automated tests | Phase 1 | Agent model |
exchange_fact() mock overlay |
Phase 1 | — |
| Violation matrix output | Phase 1 | All scenarios |
| Both depths (trait-level + HTTP) for all scenarios | Phase 1 | Phase 0.5 |
Deliverable: All 7 structural + 4 game-theoretic scenarios executable at both depths. Violation matrix and cooperation statistics generated per run.
| Component | Priority | Depends On |
|---|---|---|
| Orchestration layer introduced as single test target | Phase 2 | Phase 1 |
| Scenario failure at trait depth → orchestration change → pass | Phase 2 | Phase 1 |
| Scenario failure at HTTP depth → orchestration change → pass | Phase 2 | Phase 0.5 |
| Foundation capability gap reporter | Phase 2 | — |
| Full regression suite on every change (both depths) | Phase 2 | — |
| CI integration: PR blocked if any scenario fails | Phase 2 | — |
Deliverable: CI enforces three-layer model. No commit can break a consumption scenario without being caught.
| Component | Priority | Depends On |
|---|---|---|
| Flush lifecycle management for the reference storage runtime | Phase 3 | Reference storage runtime (Phase 0) |
| Cold storage support + scan + time range capabilities | Phase 3 | Flush lifecycle |
| Time Machine tests (retrograde query, historical freeze) | Phase 3 | Cold storage support |
| Delta rollup as accumulation over the tiered state model | Phase 3 | Flush lifecycle |
| WASM build target for the reference storage runtime | Phase 3 | Phase 0-2 |
| Full validation across all phases | Phase 3 | All prior |
Deliverable: Persistence contract satisfaction. Time Machine temporal query support. WASM build succeeds. All validation passes.
| Domain | Emulated Backend | Real Binding | Priority |
|---|---|---|---|
| Edge compute | VECompositeStorage HTTP | CF Workers KV / R2 / DO | Phase 0.5 |
| Robotics | ROS2 topic pub/sub over simulated nodes | Real ROS2 Humble | Phase 4 |
| Blockchain | Simulated validator with SessionExecute | On-chain WASM runtime | Phase 4 |
| Edge AI | Fake ONNX runtime returning canned results | Real NPU / GPU inference | Phase 4 |
| Distributed tx | Local 2PC coordinator with injected failures | Global consensus | Phase 4 |
Each domain wraps the same trait implementations. The core never changes.
Deliverable: Dedicated nexus-sim workspace with per-domain CI pipeline.
Every PR:
└── Phase 0 tests (trait-level, both depths)
└── Phase 1 scenarios (all 7 structural + 4 game-theoretic, both depths)
└── Phase 2 regression (all prior scenarios, both depths)
└── Failure if any scenario fails at trait depth
└── Warning if scenario fails at HTTP depth (orchestration gap)
Every release:
└── Full suite at all depths
└── C2PA-signed proof artifact generated
└── Proof attached to release metadata
After exhaustive simulation across all scenarios at both depths, nexus-sim produces:
Depth: trait-level (in-memory, no I/O)
Scenario | Strategy | Result
----------------------------|----------------|--------
Direct Free-Riding | read_fact() | BLOCKED (no such API)
Evasive Free-Riding | empty data | BLOCKED (commit rejected)
...
Depth: async-boundary (HTTP, CF Workers profile)
Scenario | Strategy | Result
----------------------------|----------------|--------
Direct Free-Riding | read_fact() | BLOCKED (no such API)
Evasive Free-Riding | empty data | BLOCKED (commit rejected)
...
A C2PA-signed manifest certifying that no scenario at either depth resulted in successful data extraction without valid contribution.
New governance rules (Hint) derived from simulation patterns, applied to the live Blackboard. If Intent Spam reveals a degradation threshold at the HTTP depth that does not appear at the trait depth, a Hint is generated to throttle at that threshold — the discovery of a production condition the trait test could not reveal.
The architecture nexus-sim defines — scenario-driven exhaustive verification with parameterized agent models, depth selection, violation matrices, and cryptographic proof aggregation — is domain-agnostic. It applies identically to any verification loop where a consumption scenario must be proven against an implementation.
| Component | nexus-sim (infrastructure) | ev (silicon verification) |
|---|---|---|
| Scenario | 7 exchange-contract attack vectors + 4 game-theoretic scenarios | XIF constraint specification |
| Agent model | roles (honest, free-rider, poisoner, spammer, Sybil) + game strategies (TFT, AlwaysDefect, Grudger, Pavlov, Random) | ISA combinations, pipeline depths, cache configs |
| Depth | trait-level / async-boundary HTTP | behavioral / RTL / gate-level |
| Output | violation matrix | coverage matrix |
| Proof | C2PA-signed scenario coverage | C2PA-signed verification proof |
The scenario runner, violation matrix generator, depth selection mechanism, and C2PA proof aggregator are shared infrastructure. Only the agent model and the storage backends change per domain. This is F-I-H recursion applied to verification itself — the infrastructure that verifies the system uses the same pattern the system provides to domain verifiers.
A future version of nexus-sim may directly host ev’s scenario definitions, running silicon verification scenarios through the same harness that runs exchange-contract scenarios today. The core loop is identical.
| Issue | Component | Needed By |
|---|---|---|
| #66 | IoBufferSession | Phase 0 |
| #71 | Merkle chain + cryptographic signatures | Phase 3 |
| #7 | StorageRead, FactCapable, IntentCapable, HintCapable traits | All phases |