# DGR-005 — dense-Llama range-aware GGUF ownership evidence Status: done Date: 2026-07-15 Evidence kind: **synthetic-unit + repo checks**. No model download, no GPU, no network, no API credits. ## Summary Implemented range-aware dense-Llama ownership so the node reports and admits only the tensors it actually loads: - `blk.N.*` tensors are selected strictly by assigned layer range. - Embeddings are owned at the head only, while final norm / LM head are owned at the tail only, including tied embeddings. - Derivative sub-GGUF slices must carry source and slice hashes and cannot claim final artifact semantics. - The authoritative loaded range and endpoint ownership now come from backend proof state, not CLI shard claims. - Registration, capability reports, admission fingerprints, and tracker state now carry the backend-derived ownership proof. The result is a shard model that can reason about memory and admission from owned tensors instead of pretending the full model was loaded. ## Files changed - `packages/node/meshnet_node/gguf_ownership.py` - dense-Llama tensor selection and authoritative ownership helpers. - `packages/node/meshnet_node/capability.py` - shard reports now carry endpoint ownership and parse it round-trip. - `packages/node/meshnet_node/doctor.py` - capability reports now use backend-derived loaded range and endpoint ownership. - `packages/node/meshnet_node/testing.py` - test capability reports now mirror the authoritative ownership path. - `packages/node/meshnet_node/admission.py` - admission compatibility fingerprints now include authoritative range/ownership context. - `packages/node/meshnet_node/model_backend.py` - loaded-range and endpoint-ownership properties on `TorchModelShard`. - `packages/node/meshnet_node/startup.py` - registration payloads now use the proof-driven shard range. - `packages/tracker/meshnet_tracker/capability.py` - tracker capability state preserves endpoint ownership. - `tests/test_gguf_ownership.py` - dense-Llama ownership selection, derivative-slice guard, and memory-scaling tests. - `tests/test_node_capability.py` - capability report ownership round-trip tests. - `tests/test_node_admission.py` - backend-loaded range beats CLI claim regression tests. - `tests/test_tracker_capability_admission.py` - tracker capability proof parsing tests. ## Exact commands and real results ### Targeted pytest slices ```bash python -m pytest -q tests/test_gguf_ownership.py tests/test_node_capability.py tests/test_node_admission.py ``` Result: `73 passed` ```bash python -m pytest -q tests/test_tracker_capability_admission.py -k 'test_a_passing_report_that_covers_the_registration_is_admitted or test_a_missing_report_is_absent_not_admitted or test_a_failed_report_is_recorded_as_failed or test_a_report_for_a_different_model_is_a_model_mismatch or test_a_report_for_a_different_shard_is_a_shard_mismatch or test_a_report_for_a_different_recipe_than_the_node_declares_is_a_recipe_mismatch or test_a_report_for_a_different_compatibility_fingerprint_is_a_compatibility_mismatch or test_an_older_recipe_catalogue_is_incompatible or test_an_unparseable_catalogue_version_is_incompatible or test_a_stale_report_is_not_admitted or test_a_future_dated_report_is_not_admitted or test_a_report_from_an_unknown_schema_version_is_invalid or test_a_malformed_report_is_invalid_and_never_admitted or test_recorded_detail_carries_no_credentials_from_node_diagnostics or test_compat_policy_routes_a_legacy_node_but_never_a_broken_proof or test_the_policy_is_read_from_the_environment_and_defaults_to_compat' ``` Result: `22 passed, 13 deselected` ### Python compile check ```bash python -m compileall -q packages tests ``` Result: exit 0 ### Diff hygiene ```bash git diff --check ``` Result: exit 0 ### Full deterministic pytest ```bash python -m pytest -q ``` Result: `211 failed, 428 passed, 13 skipped, 14 warnings, 86 errors in 135.03s` The failing set is not caused by this story. The dominant environment issues were: - tracker and HTTP/socket-backed tests fail with `PermissionError: [Errno 1] Operation not permitted` when the tracker tries to bind sockets in this sandbox - native protocol tests fail early with a protobuf runtime/gencode mismatch: generated code expects protobuf 7.35.0 while the installed runtime is 6.33.6 ## Limitations - This evidence is intentionally deterministic and model-free. - The memory-scaling check is synthetic: it validates that owned tensor bytes scale with selected tensors, not a live GGUF download. - Native C++ code was not changed by this story, so the pinned llama.cpp build validation remains covered by DGR-004 rather than repeated here. ## Compatibility notes - Dense-Llama ownership is range-first: the shard interior is `blk.N.*`, and endpoint tensors are only attributed to the head or tail owner as appropriate. - Derivative GGUF slices are explicitly not final artifacts; they must preserve source and slice hashes if used as a temporary compatibility bridge. - The model proof path is authoritative for reported range and endpoint ownership, so operator CLI claims no longer control what the node advertises. - Admission and tracker state now consume the same proof-derived ownership shape, keeping capability reports aligned end to end. ## Handoff for dependent stories - DGR-006 can reuse `gguf_ownership.py` and the new capability fields to wire the shard protocol to proof-derived ownership without re-deriving tensor names. - DGR-008 and later routing work should continue to treat endpoint ownership as metadata and `blk.N.*` ownership as the core range contract. - If a future temporary slice path is needed, it should keep source/slice hashes visible and avoid claiming final-artifact semantics until a real proof exists.