Summary
The IndexedDB credential schema must be extended to store two-tree credential data: cell ID, dual Merkle paths (user tree + cell map tree), district array, and the two tree roots.
Severity: Required for two-tree deployment
Source: Two-Tree Architecture Spec
Related voter-protocol tracking: Phase 5 remaining items
Schema Changes
Current Credential Schema
{
  user_secret: encrypted,
  district_id: string,
  authority_level: number,
  salt: bigint,
  merkle_path: { siblings: string[], pathIndices: number[] },
  merkle_root: string,
  leaf_index: number,
  expires_at: number,
  credential_type: 'single-tree' // NEW: type discriminator
}
New Two-Tree Credential Schema
{
  user_secret: encrypted,
  cell_id: encrypted, // More sensitive than district_id
  salt: bigint,
  districts: bigint[24], // Cell's district memberships
  user_tree_path: { siblings: string[], pathIndices: number[] },
  user_tree_root: string,
  cell_map_path: { siblings: string[], pathBits: number[], attempt: number },
  cell_map_root: string,
  leaf_index: number,
  expires_at: number,
  credential_type: 'two-tree'
}
Migration Strategy
- Existing single-tree credentials remain valid until expires_at
- New credentials created as two-tree type
- Credential loading code checks credential_type and routes to appropriate prover
- IndexedDB schema version bump with backward-compatible migration
Pitfalls
- cell_id must be encrypted at rest (finer geographic granularity than district)
- districts[24] array must match the circuit's expected slot count exactly
- Cell map path includes pathBits and attempt (SMT-specific) — different from standard Merkle pathIndices
- Ensure credential_type discriminator is always present (old credentials without it default to single-tree)
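One way to enforce the migration rules and pitfalls above when a credential is loaded, as an added example that is not the project's own code. The names migrateRecord, isPath, selectProver and the sample records are hypothetical, and treating an encrypted field as "stored as an object, never a primitive" is an assumption about the storage format.

```javascript
// Added example, not project code; function names and error texts are hypothetical.
const DISTRICT_SLOTS = 24; // from the schema's districts: bigint[24]

// Per-record migration step: records without the discriminator become 'single-tree'.
function migrateRecord(record) {
  return record.credential_type === undefined
    ? { ...record, credential_type: 'single-tree' }
    : record;
}

// A path object must carry siblings plus the index array named by indexKey.
function isPath(p, indexKey) {
  return p !== null && typeof p === 'object' &&
    Array.isArray(p.siblings) && Array.isArray(p[indexKey]);
}

// Returns the prover a loaded credential routes to, or throws.
// `now` must be in the same unit as expires_at (the caller's responsibility).
function selectProver(stored, now) {
  const c = migrateRecord(stored);
  if (!(now < c.expires_at)) throw new Error('credential expired');
  switch (c.credential_type) {
    case 'single-tree':
      if (!isPath(c.merkle_path, 'pathIndices')) throw new Error('bad merkle_path');
      return 'single-tree';
    case 'two-tree':
      // Assumption: an encrypted field is stored as an object, never a primitive.
      if (c.cell_id === null || typeof c.cell_id !== 'object')
        throw new Error('cell_id is not an encrypted blob');
      if (!Array.isArray(c.districts) || c.districts.length !== DISTRICT_SLOTS ||
          !c.districts.every((d) => typeof d === 'bigint'))
        throw new Error('districts must hold exactly 24 bigint slots');
      if (!isPath(c.user_tree_path, 'pathIndices')) throw new Error('bad user_tree_path');
      // SMT path: pathBits and attempt, not pathIndices.
      if (!isPath(c.cell_map_path, 'pathBits') || !Number.isInteger(c.cell_map_path.attempt))
        throw new Error('bad cell_map_path');
      return 'two-tree';
    default:
      throw new Error('unknown credential_type');
  }
}

// Constructed sample records; every value is made up.
const LEGACY = { merkle_path: { siblings: ['0x01'], pathIndices: [0] }, expires_at: 2000 };
const TWO_TREE = {
  credential_type: 'two-tree', expires_at: 2000, cell_id: { iv: 'aa', ct: 'bb' },
  districts: Array(DISTRICT_SLOTS).fill(0n), user_tree_path: { siblings: ['0x01'], pathIndices: [1] },
  cell_map_path: { siblings: ['0x02'], pathBits: [0], attempt: 0 },
};
```

migrateRecord is written as a pure function so the same defaulting applies both in the version-bump upgrade handler and on every load.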
Acceptance Criteria
- cell_id encrypted with same Web Crypto scheme as user_secret