If Alice wants to ensure that both her and Bob need to agree on merges

to the default branch, she must set the `threshold` to `2` when adding

Bob as a delegate:

``` ~alice (fails)

$ rad id update --repo rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji --title "Add Bob" --description "" --threshold 2 --delegate did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk --no-confirm -q

✗ Error: failed to verify delegates for rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji

✗ Error: a threshold of 2 delegates cannot be met, found 1 delegate(s) and the following delegates are missing [did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk]

✗ Hint: run `rad follow did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk` to follow this missing peer

✗ Hint: run `rad sync -f` to attempt to fetch the newly followed peers

✗ Error: fatal: refusing to update identity document

```

We can see that `a threshold of 2 delegates cannot be met` when Alice

attempts to do this. This is because she requires Bob's default branch

to ensure that the threshold can be met and the canonical version of

the default branch (`refs/heads/<default branch>` at the top-level of

the storage) can be updated.

So, instead Alice needs to first follow Bob and fetch his references:

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6MkvVv…Z1Ct4tD..

✓ Synced with 1 node(s)

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6MkvVv…Z1Ct4tD..

✓ Synced with 3 node(s)

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6MkvVv…Z1Ct4tD..

✓ Synced with 1 node(s)

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6MkvVv…Z1Ct4tD..

Bob then adds Eve as a delegate:

✓ Synced with 3 node(s)

Notice how there was no need to follow Eve right away in this case?

This is because Bob can meet the threshold of 2 without Eve, he

has Alice and his default reference.

Since there are two delegates when Bob adds Eve, Alice needs to accept

the change to meet a quorum of votes (`votes >= (delegates / 2) + 1`):

✓ Nothing to announce, already in sync with 3 node(s) (see `rad sync status`)

At this point, when Alice runs `rad sync`, she will fetch Eve's fork

since she has become a delegate:

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6MkvVv…Z1Ct4tD..

✓ Fetched repository from 2 seed(s)

✓ Synced with 3 node(s)

✓ Synced with 3 node(s)

╭─────────────────────────────────────────────────────────────────────────────────────────────────╮

│ ●   Node                            Address                        Status   Tip       Timestamp │

├─────────────────────────────────────────────────────────────────────────────────────────────────┤

│ ●   eve           (you)                                                     95cd447   now       │

│ ●   bob           z6Mkt67…v4N1tRk                                  synced   95cd447   now       │

│ ●   distrustful   z6MkvVv…Z1Ct4tD   distrustful.radicle.xyz:8776   synced   95cd447   now       │

│ ●   seed          z6MkuPZ…xEuaPUp   seed.radicle.xyz:8776          synced   95cd447   now       │

╰─────────────────────────────────────────────────────────────────────────────────────────────────╯

In the attempt below, to update the identity, we can see that `a

threshold of 2 delegates cannot be met` when Alice attempts to do

this. This is because she requires Bob's default branch to ensure that

the threshold can be met and the canonical version of the default

branch (`refs/heads/<default branch>` at the top-level of the storage)

can be updated.

``` ~alice (fail)

$ rad id update --title "Add Bob" --description "Add Bob as a delegate" --delegate did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk --threshold 2

✗ Error: failed to verify delegates for rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji

✗ Error: a threshold of 2 delegates cannot be met, found 1 delegate(s) and the following delegates are missing [did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk]

✗ Hint: run `rad follow did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk` to follow this missing peer

✗ Hint: run `rad sync -f` to attempt to fetch the newly followed peers

✗ Error: fatal: refusing to update identity document

```

Instead, Alice can simply keep the `threshold` as `1` and still add Bob as a delegate:

``` ~alice

$ rad id update --title "Add Bob" --description "Add Bob as a delegate" --delegate did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk

✓ Identity revision 7be665f9fccba97abb21b2fa85a6fd3181c72858 created

╭────────────────────────────────────────────────────────────────────────╮

│ Title    Add Bob                                                       │

│ Revision 7be665f9fccba97abb21b2fa85a6fd3181c72858                      │

│ Blob     93d3009787e5d8a481dffc4dd248ea46af592466                      │

│ Author   did:key:z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi      │

│ State    accepted                                                      │

│ Quorum   yes                                                           │

│                                                                        │

│ Add Bob as a delegate                                                  │

├────────────────────────────────────────────────────────────────────────┤

│ ✓ did:key:z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi alice (you) │

╰────────────────────────────────────────────────────────────────────────╯

@@ -1,13 +1,14 @@

 {

   "payload": {

     "xyz.radicle.project": {

       "defaultBranch": "master",

       "description": "Radicle Heartwood Protocol & Stack",

       "name": "heartwood"

     }

   },

   "delegates": [

-    "did:key:z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi"

+    "did:key:z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi",

+    "did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk"

   ],

   "threshold": 1

 }

```

Alice can still make changes to her working copy, change the canonical

head, and make patches -- as we can see below:

``` ~alice

$ touch REQUIREMENTS

$ git add REQUIREMENTS

$ git commit -v -m "Define power requirements"

[master 3e674d1] Define power requirements

 1 file changed, 0 insertions(+), 0 deletions(-)

 create mode 100644 REQUIREMENTS

```

``` ~alice (stderr) RAD_SOCKET=/dev/null

$ git push rad master

✓ Canonical head updated to 3e674d1a1df90807e934f9ae5da2591dd6848a33

To rad://z42hL2jL4XNk6K8oHQaSWfMgCL7ji/z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi

   f2de534..3e674d1  master -> master

```

``` ~alice

$ rad sync -a

✓ Synced with 1 node(s)

```

``` ~alice

$ git checkout -b add-readme

$ touch README.md

$ git add README.md

$ git commit -v -m "Add README file"

[add-readme 964513c] Add README file

 1 file changed, 0 insertions(+), 0 deletions(-)

 create mode 100644 README.md

```

``` ~alice (stderr) RAD_SOCKET=/dev/null

$ git push rad HEAD:refs/patches

✓ Patch b09b2aa0ee055671c811e9ad4ba73eed211ebaa3 opened

To rad://z42hL2jL4XNk6K8oHQaSWfMgCL7ji/z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi

 * [new reference]   HEAD -> refs/patches

```

Any other seeds can also still fetch changes from Alice without any

errors:

``` ~seed

$ rad sync rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji -f

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6MknSL…StBU8Vi..

✓ Fetched repository from 1 seed(s)

```

We can also inspect the repository to ensure all the data is

consistent with the change made to the identity.

The identity has the new delegate, while the `threshold` is still `1`

``` ~alice

$ rad inspect --identity

{

  "payload": {

    "xyz.radicle.project": {

      "defaultBranch": "master",

      "description": "Radicle Heartwood Protocol & Stack",

      "name": "heartwood"

    }

  },

  "delegates": [

    "did:key:z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi",

    "did:key:z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk"

  ],

  "threshold": 1

}

```

Alice only sees her refs, since she has not synced with Bob's

references yet:

``` ~alice

$ rad inspect --refs

z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi

└── refs

    ├── cobs

    │   ├── xyz.radicle.id

    │   │   └── 0656c217f917c3e06234771e9ecae53aba5e173e

    │   └── xyz.radicle.patch

    │       └── b09b2aa0ee055671c811e9ad4ba73eed211ebaa3

    ├── heads

    │   ├── master

    │   └── patches

    │       └── b09b2aa0ee055671c811e9ad4ba73eed211ebaa3

    └── rad

        ├── id

        └── sigrefs

```

Similarly, she still does not have Bob's `rad/sigrefs`:

``` ~alice

$ rad inspect --sigrefs

z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi 7ffed605e4871bb0640ee1538181640e239b182c

```

And she can still list the project, without any worries:

``` ~alice

$ rad ls

╭───────────────────────────────────────────────────────────────────────────────────────────────────────────╮

│ Name        RID                                 Visibility   Head      Description                        │

├───────────────────────────────────────────────────────────────────────────────────────────────────────────┤

│ heartwood   rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji   public       3e674d1   Radicle Heartwood Protocol & Stack │

╰───────────────────────────────────────────────────────────────────────────────────────────────────────────╯

```

Once Bob clones the repository and creates a fork, i.e. creates a

branch to `refs/heads/master` for this project, she can then use `rad

sync` and fetch his references:

``` ~bob

$ rad clone rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji

✓ Seeding policy updated for rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji with scope 'all'

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6MknSL…StBU8Vi..

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6Mkux1…nVhib7Z..

✓ Creating checkout in ./heartwood..

✓ Remote alice@z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi added

✓ Remote-tracking branch alice@z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi/master created for z6MknSL…StBU8Vi

✓ Repository successfully cloned under [..]/bob/heartwood/

╭────────────────────────────────────╮

│ heartwood                          │

│ Radicle Heartwood Protocol & Stack │

│ 0 issues · 1 patches               │

╰────────────────────────────────────╯

Run `cd ./heartwood` to go to the repository directory.

```

``` ~bob

$ cd heartwood

$ rad fork

✓ Forked repository rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji for z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk

```

``` ~alice

$ rad sync -f

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6Mkt67…v4N1tRk..

✓ Fetching rad:z42hL2jL4XNk6K8oHQaSWfMgCL7ji from z6Mkux1…nVhib7Z..

✓ Fetched repository from 2 seed(s)

$ rad inspect --sigrefs

z6MknSLrJoTcukLrE435hVNQT4JUhbvWLX4kUzqkEStBU8Vi 7ffed605e4871bb0640ee1538181640e239b182c

z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk cc068d93ee77dc134518d7d0fbe55b39804baf53

```

                if let Some(errs) = verify_delegates(&proposal, &repo)? {

    InsufficientDelegates {

        threshold: usize,

        met: usize,

        missing: Vec<Did>,

    },

            VerificationError::InsufficientDelegates {

                threshold,

                met,

                missing,

            } => {

                term::error(format!(

                    "a threshold of {threshold} delegates cannot be met, found {met} delegate(s) and the following delegates are missing [{}]",

                    missing.iter().map(|did| did.to_string()).collect::<Vec<_>>().join(","),

                ));

                for did in missing {

                    term::hint(format!(

                        "run `rad follow {did}` to follow this missing peer"

                    ));

                }

                term::hint("run `rad sync -f` to attempt to fetch the newly followed peers")

            }

fn verify_delegates<S, V>(

    proposal: &Doc<V>,

    let dids = &proposal.delegates;

    let threshold = proposal.threshold;

    let mut local_delegates = 0;

    let mut missing = Vec::with_capacity(dids.len());

                missing.push(*did);

                } else {

                    local_delegates += 1;

    if local_delegates < threshold {

        errors.push(VerificationError::InsufficientDelegates {

            threshold,

            met: local_delegates,

            missing,

        });

    }

fn rad_id_threshold() {

    let mut environment = Environment::new();

    let alice = environment.node(config::node("alice"));

    let bob = environment.node(config::node("bob"));

    let seed = environment.node(config::node("seed"));

    let working = tempfile::tempdir().unwrap();

    let working = working.path();

    let acme = RepoId::from_str("z42hL2jL4XNk6K8oHQaSWfMgCL7ji").unwrap();

    // Setup a test repository.

    fixtures::repository(working.join("alice"));

    test(

        "examples/rad-init.md",

        working.join("alice"),

        Some(&alice.home),

        [],

    )

    .unwrap();

    let mut alice = alice.spawn();

    let mut seed = seed.spawn();

    let mut bob = bob.spawn();

    seed.handle.seed(acme, Scope::All).unwrap();

    alice.handle.seed(acme, Scope::Followed).unwrap();

    alice

        .handle

        .follow(seed.id, Some(Alias::new("seed")))

        .unwrap();

    alice.connect(&seed);

    bob.connect(&seed).connect(&alice);

    alice.routes_to(&[(acme, seed.id)]);

    seed.handle.fetch(acme, alice.id, DEFAULT_TIMEOUT).unwrap();

    formula(&environment.tmp(), "examples/rad-id-threshold.md")

        .unwrap()

        .home(

            "alice",

            working.join("alice"),

            [("RAD_HOME", alice.home.path().display())],

        )

        .home(

            "bob",

            working.join("bob"),

            [("RAD_HOME", bob.home.path().display())],

        )

        .home(

            "seed",

            working.join("seed"),

            [("RAD_HOME", seed.home.path().display())],

        )

        .run()

        .unwrap();

}

#[test]

    /// Load the sigrefs for each remote in `remotes`.

    /// If the sigrefs are missing for a given remote, regardless of delegate

    /// status, then that remote is filtered out.

    pub(crate) fn load<'a, S>(

        remotes: impl Iterator<Item = &'a PublicKey>,

        remotes

            .filter_map(|id| match cached.load(id) {

                Ok(None) => None,

                Ok(Some(sr)) => Some(Ok((id, sr))),

                Err(e) => Some(Err(e)),

            })

        #[error("expected threshold of {threshold} of references, missing: {missing:?}")]

        InsufficientRefs {

            threshold: usize,

            missing: Vec<String>,

        },

    /// The threshold of delegates that needs to be fetched.

    pub threshold: usize,

        ensure_threshold(

            self.threshold,

fn ensure_threshold<T>(

    wants: BTreeSet<T>,

    haves: BTreeSet<T>,

    threshold: usize,

) -> Result<(), error::Layout>

where

    T: Ord + ToString,

    T: std::fmt::Debug,

{

    // N.b. there's no threshold to meet. This generally means that

    // the local peer is a delegate and the original threshold is 1,

    // so they don't require the other peer.

    if threshold == 0 {

        return Ok(());

    }

    if wants.is_empty() {

        return Ok(());

    }

    if haves.len() < threshold {

        let missing = wants

            .difference(&haves)

            .map(|ns| ns.to_string())

            .collect::<Vec<_>>();

        return Err(error::Layout::InsufficientRefs { threshold, missing });

    }

    Ok(())

}

use radicle::identity::{Did, Doc, DocError};

        #[error("failed to get remote namespaces: {0}")]

        RemoteIds(#[source] radicle::git::raw::Error),

        /// Any validation errors that were found while fetching.

        validations: sigrefs::Validations,

        /// The threshold that needed to be met.

        threshold: usize,

        /// The offending delegates.

        delegates: BTreeSet<PublicKey>,

        /// Validation errors that were found while fetching.

        validations: sigrefs::Validations,

    #[allow(clippy::too_many_arguments)]

        threshold: usize,

                    delegates: delegates.clone(),

                    refs_at: refs_at.clone(),

                let remotes = refs_at.iter().map(|r| &r.remote);

                let signed_refs = sigrefs::RemoteRefs::load(&self.as_cached(handle), remotes)?;

                    threshold,

                    fetched.iter().chain(delegates.iter()),

        let is_delegate = anchor.delegates.contains(&Did::from(handle.local()));

        // The local peer does not need to count towards the threshold

        // since they must be valid already.

        let threshold = if is_delegate {

            anchor.threshold - 1

        } else {

            anchor.threshold

        };

            threshold,

        // The valid delegates start with all delegates that this peer

        // currently has valid references for

        let mut valid_delegates = handle

            .repository()

            .remote_ids()

            .map_err(error::Protocol::RemoteIds)?

            .filter_map(|id| id.ok())

            .filter(|id| delegates.contains(id))

            .collect::<BTreeSet<_>>();

        let mut failed_delegates = BTreeSet::new();

                log::trace!(target: "fetch", "Skipping blocked remote {remote}");

            let remote = sigrefs::DelegateStatus::empty(*remote, &delegates)

                .load(&self.as_cached(handle))?;

            match remote {

                    failures.push(sigrefs::Validation::MissingRadSigRefs(remote));

                    self.prune(&remote);

                    self.prune(&remote);

                    // This delegate has removed their `rad/sigrefs`.

                    // Technically, we can continue with their

                    // previous `rad/sigrefs` but if this occurs with

                    // enough delegates also failing validation we

                    // would rather surface the issue and fail the fetch.

                    valid_delegates.remove(&remote);

                    failed_delegates.insert(remote);

                        failures.append(warns);

                            log::trace!(target: "fetch", "Advertised `rad/sigrefs` {} is behind {at} for {remote}", sigrefs.at);

                    let mut fails = Validations::default();

                    fails.extend(branch_validation.into_iter());

                    let validations = sigrefs::validate(&cache, sigrefs)?;

                    fails.extend(validations.into_iter().flatten());

                    if !fails.is_empty() {

                        valid_delegates.remove(&remote);

                        failed_delegates.insert(remote);

                        valid_delegates.insert(remote);

        // N.b. only apply to Git repository if there are enough valid

        // delegates that pass the threshold.

        if valid_delegates.len() >= threshold {

                validations: failures,

                "Fetch failed: {} failure(s) ({}ms)",

            Ok(FetchResult::Failed {

                threshold,

                delegates: failed_delegates,

                validations: failures,

            })

            radicle_fetch::FetchResult::Failed {

                threshold,

                delegates,

                validations,

            } => {

                for fail in validations.iter() {

                Err(error::Fetch::Validation {

                    threshold,

                    delegates: delegates.into_iter().map(|key| key.to_string()).collect(),

                })

                applied,

                remotes,

                validations,

                for warn in validations {

                    log::warn!(target: "worker", "Validation error: {}", warn);

                }

    #[error("validation of the storage repository failed: the delegates {delegates:?} failed to validate to meet a threshold of {threshold}")]

    Validation {

        threshold: usize,

        delegates: Vec<String>,

    },

    /// Quorum error.

    #[error(transparent)]

    Quorum(#[from] radicle::storage::git::QuorumError),

            let r = match self.reference_oid(delegate, &branch_ref) {

                Ok(oid) => oid,

                Err(e) if ext::is_not_found_err(&e) => {

                    log::warn!(

                        target: "radicle",

                        "Missing `refs/namespaces/{delegate}/{branch_ref}` while calculating the canonical head"

                    );

                    continue;

                }

                Err(e) => return Err(e.into()),

            };

        let oid = self::quorum(&heads, doc.threshold, raw)?;

        Ok((branch_ref, oid))

    fn head(&self) -> Result<(Qualified, Oid), RepositoryError> {

    fn canonical_head(&self) -> Result<(Qualified, Oid), RepositoryError> {