Here’s my list of use cases again: https://github.com/valueflows/vf-apps-agents/issues/3
@lynnfoster added some others.
@pauldaoust yes, thanks. I think the minimum we need to just get HoloREA working for any use case that has groups (almost all of them) is basically a simple app where a group can be defined and get a unique hash for its id. And we have workable ways to get that suggested in the thread.
Then there will be other things like you mentioned, probably sooner than later, but we can address those as we run into them, when people start using HoloREA.
I think this is a holochain-wide application opportunity, but we can do what we need in any case. (Says she who is not coding.)
Thanks @bhaugen! You jogged my memory:
Thinking about this:
- Authorized individuals could act for the group in more than one way, for example:
  - An individual agent who is an authorized member of the group sends a message to the group to cause the group to do something that only the group can do, for example, any of the use cases where the group does something.
  - The authorized member could act “on behalf of” the group in some context where actions “on behalf of a group” are attributed accurately to the group.
I think the second option is definitely the most Holochain-idiomatic, although it does require changing a lot of assumptions about how economic exchanges work — and how they may be modelled in Holochain in a way that’s attack-resistant.
The big issue I see here is that, if we use the good ol’ pattern of counterparty signing + unbranched source chains, we run the risk of orphaned resources if one agent accepts stewardship on behalf of a group then disappears (device drops in the toilet, employee gets fired, etc).
An easy answer would be your first option, what I might call a ‘group bot’ or ‘group notary’. Not so Holochain idiomatic, but super simple to implement even with the current HDK.
oh @lynnfoster I see you responded while I was typing! Guess I’m getting ahead of things
Good to hear that is easy to implement. Is “sorta-kinda” holochain idiomatic in that it is basically making a source-chain like thing?? So a REA-agent-but-not-HC-agent can get some agent-like privileges and protections. Just takes agent-centric a step further… or not, but if it will work, that’s all we need…
Guess I’m getting ahead of things
Nah, keep it up! Thanks very much for engaging on this topic!
I personally think there ought to be room for bot agents like this, even if they kind of go against the grain. Anyhow, there aren’t any technological barriers that I can see. The DNA does have to have rules/functions for the human agents and the bot agents, but that’s not such a huge deal. To clarify: this bot agent would be an REA group agent and a Holochain agent. Sure I’ll get some flak from Art for even suggesting this
To clarify: this bot agent would be an REA group agent and a Holochain agent.
Oooh, I didn’t think we could do that… but if we can, oooh… (we gotta go, hopefully something more substantive later)
there are ways, all involving node-to-node messaging. A node can respond automatically to another node’s message if it doesn’t need human intervention or outside data. Or it can use signals for more complex flows:
The UI could be completely replaced with a daemon that does nothing but approve requests, if that’s how the cafe is run.
I think there’s brittleness and robustness in both approaches.
Really enjoying the clarity that is coming through in this thread of late… hopefully I can add some more pieces to ground this (:
Other than what follows, in agreement with everything else being said here. And really appreciate the clear distillation from @zeemarx_jeremyboom8 of some of the common abstract logic at play. Validating to see the thinking here aligned with some of the fundamental insights I remember people in the blockchain space coming to as they developed programmatic governance systems (“multisig is a fundamental abstraction”).
group agency
An overlap here is “group accountability”, and it’s all intertwined with the mechanism for how to act “on behalf of” the group. Given that groups have no native agency in Holochain this means that abstractions for representing groups must be created, and APIs must be made manually compatible with them. So it will be up to each Holochain app whether it allows the participation of group agents or not. In terms of technical details, we think this requires onBehalfOf parameters at the zome API layer.
This means we need a standard set of APIs for dealing with groups. In REA, group agents can do anything that singular agents can do. So, any references to Holochain agent IDs also need to be able to reference group agent IDs. We think this necessitates a Holochain URI scheme- the document linked in this issue proposes a format which we believe allows us to elegantly differentiate agent, entry and DNA addresses.
We’re not sure what “group agent IDs” actually are in terms of Holochain’s fundamentals; but I think they’re probably DNA hashes. It makes the most sense to me from an encapsulation perspective to use permissioned DNAs to represent group agents; bridge them to other DNAs that the group needs to interact with; and internally code them with whatever governance rules the group wants to use (we have some suggestions, but they imply the development of that standard set of APIs to interrogate group agent DNAs for privileges).
You would end up with paired DNAs which store the group configuration data, and library crates which provide the API for other DNAs to make checks against the group’s membership and authority. Note that in this case we are talking about other DNAs, not other zomes- integration of something like this probably isn’t tied to a particular network, but interacts with many. So the interface would likely be via hdk::call rather than the internal entry & link manipulation API.
“checking with the group” pattern vs “ignorant DNA” pattern
(not a reply, just a heading :P)
The above is one path we could take, but it feels like a failing of “separation of concerns”. It would be cleaner if modules wanting to support group agents mostly didn’t have to think about the logic of group agents at all. The other path is to use the group agent as a controller DNA that mostly just manages capabilities in other DNAs. We described this as 2 complementary zomes which go together to form an “agent relationships” DNA.
Basically, there may be a lot of cases where groups are about delegating individual members to do different things. In these cases, the group could just be coded to delegate capability tokens to its members. More advanced cases, eg. where groups have “role based access control” internally, would potentially require other DNAs to inspect the group in order to verify authority. So I think it’s likely a mix of these two techniques.
Regardless, you still need to pass in onBehalfOf and deal with it if you want your modules to track the groups whose authority was used to perform certain actions.
It’s for this reason that I believe this module needs to be treated as Holochain core infrastructure, and care given to standardisation and ease of adoption. Incompatible group agent implementations means incompatible hApps.
“orphaned resources” and continuity
I’ve recently put some thoughts together about what splitting out sub-projects might look like. For public and permissioned, discoverable sub-projects, you could certainly go down the path of running “headless nodes” to keep the DHT alive. But I think that’s a bit hairy.
You could make it less hairy for the parent org by registering sub-project members and network IDs within the organisation’s collaboration space. That way, at least you have a record of who was involved and can correlate any dangling group agent IDs with those people if the group has been taken offline.
Next level would be translating & replicating entries from the sub-project network into the main network. It’s essentially data duplication, but that’s not necessarily a bad thing in distributed environments with semi-permeable access membranes. For REA networks this is a per-record setting; because economic participants can enter event observations scoped for publication in many accounting scopes. Say for example the sub-project needs to enlist the skills of another worker from the group’s collective- they could publish an Intent into the sub-project that is also broadcast into the wider network’s skills marketplace so that a contributor can be located.
At the end of the day, there’s nothing you can really do about people creating entirely private groups that your parent collaboration space has no knowledge of. But at the very least we can create tools to facilitate easily “spinning off” projects in ways that are coupled with the “parent” collaboration space where the goal is to keep them connected. But you want loose coupling, because you want the sub-projects to be able to expand into collaboration with others outside of their originating organisation.
Ok, I’ve said a lot. Am I getting us closer to an MVP, or am I adding extra complexity? What do we pare all this back to?
Trying to think about architecture and grok REA lingo/needs at the same time. Stretches the brain, whoof!
@pospi when you say group ‘accountability’, what does that mean and how does it differ from agency? I mean ‘agency’ in the sense of ‘how the group is able to perform actions’, or more accurately ‘who’s allowed to do things on behalf of the group’.
I’m just going through your idea of having groups be manifested as multiple DHTs. I think that lines up with my vision? Not sure yet; still understanding everything that’s been written. The way you’re describing it, it sounds to me like:
It means “being able to tell that the group was responsible for something”. Technically, that boils down to being able to refer to the group via its own unique identifier in every action that was carried out on its behalf.
one private DHT for the group’s internal workings (economic activity, governance, etc)
The group DNA only manages the internal governance of the group. Since economic activity is recorded in observation, planning and other DNAs which are entirely decoupled from the group and may involve agents other than the group, it is always kept in separate shared network spaces.
‘group agency’ interface DHT
For me this would be the same DHT as the aforementioned “group’s internal workings”; ie governance, permissions, access roles. The rest of what you’re saying about this DNA sounds aligned with my thinking. Except for-
Group representatives and people who want to interact with them both belong to this DHT, so that they can check the validity of actions via bridge calls rather than duplicating functionality in every single DNA.
I don’t think “people who want to interact with them” need to belong to the group’s DHT, but it may not pan out that way. I would prefer this not to be the case… it’s just a poor separation of concerns.
Action happens in a separate DHT
Yep. These are the related observation and planning DNAs.
everyone who receives an action must bridge to the group agency DHT to make sure the agent is allowed to perform it
Again, I hope not. I think it depends on the action- in cases where an agent has full authority to act on behalf of a group, the check could be handled entirely by a capability token within the target DNA; the group DNA should not need to be consulted.
counterparty validation (which is performed by two people in the act of transaction, and can be as non-deterministic as you like)
This is probably mostly what we have in Holo-REA (see #82 & #83). For our purposes we will probably have a separate API endpoint to sign an existing EconomicEvent, and have the API coded such that events which have not yet been counter-signed are interpreted as not existing until verified.
thanks for the clarification @pospi; it sounds like I’m mostly tracking with you but had some misunderstandings about how you were thinking about the group-as-agent in the wider world — specifically, how do agents interacting with the group-as-agent figure out whether a human acting on behalf of the group is actually allowed to perform that action? I misunderstood you as saying that this could happen in two separate layers: one DNA for economic events, and another DNA for defining and verifying permissions, and anyone who wants to interact with the group-as-agent would have to belong to both.
But if you’re saying that both of those roles could be collapsed into one DNA, that’d be cool. Or maybe you’re just saying that this would be true for simple privilege definitions. But I think it’d be possible to do it even for complex definitions, in a way that still permits changes to the group agent.
You suggested that group agency is something that ought to be supported by Holochain Core, and I forget where I read that. My current thinking is that it could be supported in app-land instead, by simply creating a library and watching it become the standard. Happy to be proven wrong though — what were your reasons for saying it should be part of core? I remember something about avoiding competing standards, but I wonder if you also brought up concerns about cross-DNA validation?
More ambiguous wording! English is fun huh
It’s for this reason that I believe this module needs to be treated as Holochain core infrastructure, and care given to standardisation and ease of adoption. Incompatible group agent implementations means incompatible hApps.
“Core infrastructure” wasn’t meant to imply it should be part of holochain-core, just that it is something that should be abstract enough to have widespread utility and adoption (and set a good precedent for that); similar to the Personas or DPKI hApps.
To bring the private email chain I forwarded you yesterday into the light; I now envisage this situation:
So accordingly— we create a group agent abstraction that:
#[validate_agent] source chain initialisation hook. In other words, the group agent DNA needs to register with the foreign DNA in order for it to be allowed to participate. That registration would (by default) grant capabilities (via some group agent registry “mixin zome”) for all participants in the “third party DNA” to query the group agent DNA and check permissions.
By the nature of Holochain’s architecture, this would provide visibility of the group agent’s internal audit trail to all networks that the group has interacted with. That visibility could have variable levels, if the generic capabilities we assign to the group agent’s query API are given more nuance.
For this we would need to get a working group together and define the protocol(s) for both the group agent zome API methods and also the permission structure to overlay on top of it.
I’m not sure whether or not core supports it, but group agents might be a good use-case for where you’d want your redundancy factor to be 100% of the network size. For small groups in particular, the likelihood that a majority of parties may collude to suddenly exit the network and leave data orphaned is not inconsequential.
In ValueFlows/REA terms, this gives the ability to generate all of the usual accounting reports plus new analytical reports and visualizations for each agent in a group, as well as the group itself, and when the individuals and multiple groups are part of a network (a higher-level group), for the network as a whole.
See also https://valueflo.ws/introduction/accounting.html and https://valueflo.ws/appendix/overview.html
@pospi cool, thanks for the clarification yet again. So a ‘stdlib’ sort of thing — a lib with the backing of the org and the community as embodying the patterns we’ve decided on for group agency?
The thing I’m struggling with now is how easy it will be to “provide visibility of the group agent’s internal audit trail [at] variable levels” with the primitives that Holochain offers. I can only see a few options (in this table, ‘marketplace’ means larger economic spaces the group acts in, and ‘group space’ means the internal economic space of the group):
Wish I’d brought my scribbling tablet with me; a drawing would make it much easier.
The key thing here is that you can’t bridge a DNA to another DNA — but an agent can bridge their DNA instance to another one of their DNA instances. Bridging always happens through the agency of one node. (Although that node could be the ‘group agent bot’ we were talking about earlier.) A “member in good standing” can simply mean “still a part of the group DNA”. So my big question about the private/complex square is, how do agents who do belong to the group DNA prove that they do? It still seems to fall back on some “group rules” entry in the marketplace DNA — something that says “here’s how to verify the proof of any agent claiming they belong to group X”.
But once you establish that you’re talking to someone who belongs to the group DNA, they can definitely give you a capability token that lets you make calls into their DNA — or rather, you can ask them to make calls on your behalf, which is how capabilities work.
Thoughts? My first thought is that proof of DNA membership has something to do with signature chains, with a signature root established in the public group rules entry. Revocations can be handled by those with authority to update that entry.
Count me in! Looks like I’ll be learning Rust and doing some library development in the new year.
heh, at present 100% redundancy is the only thing the network layer supports
Agents have relationships with other Agents. Forming groups is accomplished by creating Relationships. Relationships have Roles.
So if I have a relationship with some Group Agent, both me and the group agent will know, and can answer what the relationship is and what role I play in that group.
Lots of other logic can be built on those components.
I like the sound of that, yeah. Sounds like, if both the group and I know what our roles in our relationship are, the group can back me up if I claim that I can exercise a role. That seems to necessitate publicly accessible definitions of our relationship and roles — or at least accessible to the people who need to check that information.
how do agents who do belong to the group DNA prove that they do?
Third-parties are invited to the group’s DNA. They are granted readonly capability tokens for a restricted set of query API methods that they can use to query whether any agent is really a member of the group.
still seems to fall back on some “group rules” entry in the marketplace DNA
It falls to the “group rules” API logic embedded within the group DNA. All the marketplace DNA has is a zome API trait as contract that the group responds to queries in the way it expects. Standardised group agent implementations could be validated by network hash.
once you establish that you’re talking to someone who belongs to the group DNA, they can definitely give you a capability token that lets you make calls into their DNA — or rather, you can ask them to make calls on your behalf, which is how capabilities work.
Sounds sensible to me!
@pospi @pauldaoust @bhaugen thanks for digging deeper, sounds like we are making progress on the design. I’m pretty sure this will be useful for a lot of people in holochain land.
A possibly interesting and possibly useful discussion of groups in ActivityPub:
I’ve been having some really in-depth and interesting conversations with @guillemcordoba around these topics in a private thread which I’d like to open out for discussion here.
First a quick update: Guillem and I have been scheming to start some weekly community calls (or perhaps I’ll bring them to the Virtual Hackalong) to build group functionality. The intention is to build independent modules which are useful along the way- this “agent registration” work is one of the first sub-components of what’s needed for groups. The other benefit to this approach is that it can be mixed with different membrane keeping logic (eg. “social triangulation”) for different use-cases without requiring edits to the agent registration code itself.
This zome-based composition seems to be working well, even if the tooling makes it a bit awkward in depending on all things being cloned locally (AFAIK you can’t publish zomes on crates.io since they have a different internal format. As an MVP for deployment we could use a similar “web URL + SHAsum” method to what Holoscape uses?). Git submodules have been suggested as a way of addressing this but at this stage I’m preferring to have a master manifest repository that checks out exactly one of each relevant repository, otherwise I may end up with submodules-inside-submodules and multiple diverging copies of the same repos on disk. (Note that you don’t have to use the manifest repo, you can just clone each individual repo into the appropriate sibling directories.)
Some reasons to get moving on group agents now:
There is a lot of overlap in terms of the modularity conversation and potential architectural repercussions, which I’ll try to summarise in a new thread.