
Closed: void review surface #4

Closed
andersalm wants to merge 18 commits into main from review/library-release

Conversation


@andersalm andersalm commented Jun 7, 2026

Contributor

Closed and void. This PR was opened accidentally during release workflow setup. Do not review it. The release is being reviewed through the published 0.4.0 branch one commit at a time.

andersalm added 18 commits June 7, 2026 01:44
Add the Runtime provider registry and gateway proxy support needed for object/content provider invocation, stream sessions, progress/cancel metadata, and provider-backed viewer handoff.

This is the transport/control-plane slice. Concrete Library, content, Spaces, and package surfaces are committed separately so reviewers can separate runtime plumbing from product behavior.
Replace the static Library capsule with a PC2-familiar file-manager surface backed by the Runtime object-provider API. This includes source-split Library UI code, icons, navigation, selection, upload/download, rename/create/delete/trash, publish/share/status/properties hooks, and object CID metadata.

Add the standalone object-provider capsule and boundary tests while keeping publish/share availability authority separated through Runtime/content-provider coordination.
Make Home/Desktop use the same Library object model for file and folder projections, including signed session context, desktop item rendering, self-open Library windows, and Home system API support.

This keeps desktop files/shortcuts consistent with Library instead of creating a second file authority surface.
Extend content-provider, Carrier orchestration, availability-provider, content-block-graph-provider, and protected-content provider contracts for CID-backed publication, replication proof/status, protected payload metadata, recipient proof handling, and fail-closed provider behavior.

This keeps mutable object authority in object-provider while published content identity, delivery, and availability stay with content-provider and Carrier-backed providers.
Add the WebSpace provider and operator drive adapter surfaces for mounted Spaces, resolver status, byte sync/traversal receipts, remote authority hints, and local Runtime command support.

This establishes the Spaces/WebSpace foundation without claiming production storage-market federation or raw host filesystem exposure.
Add a dedicated Archive Manager capsule for archive inspection and extraction UX, wired to the Library object/archive operations added in the Explorer slice.

The supported release surface remains intentional: safe ZIP/tar/tar.gz/tgz handling, with broader archive families left for dependency and release-policy review.
Update component metadata and release build/publish scripts for the Library release capsule set, including object-provider, archive-manager, content-block-graph-provider, WebSpace, operator drive, and protected-content provider capsules.

This is packaging metadata only; provider behavior lives in the feature commits.
Add gateway tests and browser-facing smoke scripts for Library object flows, Home projection, archive operations, provider menus, release entropy checks, live Home/Library smoke, and protected-content provider contracts.

These checks are the branch-local proof surface for the Library release and the first line of defense against PC2 UX and ElastOS authority regressions.
Document the PC2-aligned Library release, object/content authority split, Public versus Published behavior, Spaces model, archive policy, content availability, WCI weekly report, release gates, and explicit remaining production deferrals.

The docs intentionally state that the object-provider capsule/API boundary is complete while pure object-provider core extraction remains architecture/build-review cleanup, not a shipped behavior claim.
Keep mutable Library objects under object-provider authority, including Trash lifecycle operations, Spaces object metadata, archive object metadata, and provider proxy routing for empty_trash.
Adds provider-backed desktop object projection, canonical Archive shell title handling, and Home tests for the Trash desktop object and layout sanitation rules.
Canonicalizes Archive naming in the browser shell, authorizes Library/Archive message handoff, renders provider-backed Trash desktop objects, and adds Trash context actions.
Renames the visible app to Archive, removes noisy manager copy, supports opening existing archives through Library, builds new ZIPs through Library selection, and keeps extraction destination handling provider-mediated.
Adds Archive open/create modes, object payload normalization, Archive viewer handoff, and provider-backed object actions needed by the Archive capsule.
Adds sidebar reordering, clearer Spaces/Localhost behavior, Trash-aware interactions, picker-mode UI for Archive, and PC2-style properties details without changing provider authority.
Extends Rust and browser smoke coverage for object-provider Library flows, Archive picker/open paths, Spaces/Localhost behavior, Trash lifecycle, Home shell handoff, and release entropy checks.
Updates the working release notes with the current Library/Home/Archive state, remaining production-infra boundaries, live deployment invariants, and post-cleanup checklist status.
@andersalm

Contributor Author

Superseded by the versioned 0.4.0 release branch PR. This PR used the intermediate review/library-release branch name and made the review workflow look different from the expected version-branch flow; the replacement keeps the same code at the same HEAD but reviews it from 0.4.0.

@andersalm andersalm closed this Jun 7, 2026
@andersalm andersalm changed the title Library Explorer release candidate Closed: void review surface Jun 7, 2026
@andersalm andersalm deleted the review/library-release branch June 7, 2026 16:51
SashaMIT added a commit that referenced this pull request Jun 17, 2026
…ent audit, action enforcement, hardening pass

Closes the four highest pre-audit findings as fail-closed boundaries, each
with a regression test.

#1 CEK reconstruction integrity (HIGH): bind the reconstructed CEK to a
   published commitment before use and add 3-share cheater-detection on the
   live quorum/threshold open path. A Byzantine node returning a well-formed
   but wrong-valued share now FAILS THE OPEN CLOSED; an uncommitted 2-of-2
   open is refused rather than yielding a silently-wrong key.
   (ddrm-envelope, decrypt/encrypt/key providers, media-authority/producer rails)

#2 Tamper-evident audit + content-open custody (GAP-8): hash-chained
   (seq + prev_hash + record_hash), ed25519-signed records with a crypto-
   agility tag, persisted 0600 signing key, verify_chain, emit() -> Result.
   A content-open event is emitted on the viewer open path; a failed audit
   append fails the open closed (503). ed25519 lives in the trusted core
   (no capsule ML-DSA dependency). Caveat in-code: tamper-evident against
   external editing + non-repudiable, NOT against a live-compromised runtime
   (external anchoring is a deliberate follow-on).
   (elastos-runtime primitives/audit.rs, elastos-server viewer_open/gateway)

#3 Central action-enforcement: validate every provider dispatch against the
   operation's required action via required_action_for(op), not the token's
   self-declared action. Enforced centrally at the trust boundary (bridge +
   HTTP provider proxy); fail-closed Admin default for unmapped ops.
   (provider_resource.rs, carrier_bridge.rs, handlers/provider.rs)

#4 Quick hardening:
   (a) DKMS_AUTHORITY_NODE_SET_ID_B64 mandatory in release — absent it, the
       node refuses to authorize against a caller-declared node-set
       (cross-quorum replay defense); fallback only in test/dev-modes.
   (b) MAX_LINE_BYTES (16 MiB) cap in vsock-proxy: all line reads routed
       through a bounded reader so a newline-less peer can't OOM the bridge.
   (c) gf256_mul made branchless (arithmetic masks, no tables, fixed 8 iters)
       to remove the secret-dependent control-flow timing channel.
   (d) effective_now clamped to the node clock at issuance so a caller can
       only shorten its session window, never extend it past its TTL.

Also: widen check-wci-alignment.sh to exempt manifest-less crates (crypto
libraries / node binaries are not deployable app capsules) and dependency
files; HANDOVER Day 139 checkpoint; incidental cargo-fmt normalization to
keep the workspace fmt-clean.

Verified per-crate: ddrm-envelope 40/40, dkms-authority 24/24, vsock-proxy
3/3; alignment-check green. (These crates are outside the elastos workspace,
so `just verify` does not exercise them.)

Co-authored-by: Cursor <cursoragent@cursor.com>
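Hardening item (c) above describes making gf256_mul branchless with arithmetic masks and a fixed 8 iterations. The following is an added example of that technique, not the project's own code; it assumes the AES-standard reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x1b), and checks the branchless version against a plain branching reference over every operand pair.

```rust
// Added example (not the elastos/ddrm-envelope code). Demonstrates a GF(2^8)
// multiply whose control flow and memory accesses do not depend on the
// operand values: no lookup tables, no data-dependent branches, exactly eight
// loop iterations. Assumption: reduction polynomial 0x11b (AES / common
// Shamir-sharing choice); the project's actual polynomial may differ.

/// Branchless multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1.
pub fn gf256_mul(a: u8, b: u8) -> u8 {
    let mut a = a;
    let mut b = b;
    let mut p: u8 = 0;
    for _ in 0..8 {
        // 0xff when the low bit of b is set, 0x00 otherwise (no branch).
        let lsb_mask = (b & 1).wrapping_neg();
        p ^= a & lsb_mask;
        // 0xff when a's high bit would overflow on the shift, 0x00 otherwise.
        let carry_mask = (a >> 7).wrapping_neg();
        // Shift and conditionally reduce, again via mask rather than `if`.
        a = (a << 1) ^ (0x1b & carry_mask);
        b >>= 1;
    }
    p
}

/// Reference multiply with data-dependent branches and early exit: the kind of
/// code the hardening replaces. Used only to validate the branchless version.
fn gf256_mul_reference(mut a: u8, mut b: u8) -> u8 {
    let mut p = 0u8;
    while b != 0 {
        if b & 1 != 0 {
            p ^= a;
        }
        let carry = a & 0x80 != 0;
        a <<= 1;
        if carry {
            a ^= 0x1b;
        }
        b >>= 1;
    }
    p
}

/// Exhaustive agreement check over all 65 536 operand pairs.
pub fn agrees_with_reference() -> bool {
    (0..=255u8).all(|a| (0..=255u8).all(|b| gf256_mul(a, b) == gf256_mul_reference(a, b)))
}
```

The exhaustive comparison is cheap at this field size and is the kind of regression test that keeps a constant-time rewrite from silently changing the arithmetic.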
SashaMIT pushed a commit that referenced this pull request Jun 17, 2026
…re doc

Addresses a Carrier/Principles alignment review (#4, #9, #7, #12, #10).

- UI bridge rewritten as a Carrier-shaped host adapter: one
  inspectInvoke(operation, payload) targeting the runtime's node-local control
  API (POST /api/provider/inspect/<op> + x-elastos-home-token), exactly as the
  library/browser capsules call providers. HTTP is the transport adapter BELOW
  the capsule contract (CARRIER.md "Where HTTP Fits" #1), not something the
  capsule "knows"; swapping transport needs no UI change. Degrades to sample
  data when no token/bridge is present.
- docs: new "Transports & Carrier alignment" section recording the two
  transports (capsule carrier_invoke path — implemented/tested; browser
  control-API path — not yet wired) feeding ONE authority decision
  (crate::inspect), and the honest finding that the gateway dispatches via
  ProviderRegistry::send_raw with GatewayState holding only the registry — so
  the browser path needs inspect exposed as a registry provider, which also
  converges on one canonical path (#10) and lets handle_inspect retire.

No runtime behaviour change; capsule/carrier path unchanged (278 lib tests
still green). UI passes node --check.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016ZKy5Cca9RzwDuLb1szdeq
SashaMIT pushed a commit that referenced this pull request Jun 18, 2026
…ignore]d tests

Apply the LESSONS.md flywheel pattern: turn the inspector's honest gaps into a
build-visible, self-closing registry instead of prose that rots.

- docs/KNOWN_GAPS.md: registry table of the 4 open gaps (granted_capabilities,
  verified signer/signed_by, invoke dispatch, human-approval loop) with why-open
  + ratchet + close criteria, plus an "enforced invariants" section (merge
  tripwire, no-leak, fail-closed scope) so safe-by-construction items aren't
  mistaken for open work.
- Two #[ignore]d ratchet tests (G1 granted_capabilities, G2 verified signer):
  they encode the desired end-state and FAIL today, so they are non-blocking in
  a shared tree (skipped by default) yet flip to green the moment the gap closes
  (delete the #[ignore]). Verified: default run skips them (30 passed, 2
  ignored); `--ignored` run shows both failing — proving they're real ratchets,
  not vacuous passes.
- G3/G4 are registry rows only — no compiling test exists until the feature
  scaffold does; a fabricated one would be vacuous (default to "not a finding").

fmt --check PASS; new code clippy-clean (pre-existing gateway_capsule_catalog
#4 untouched, not ours).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016ZKy5Cca9RzwDuLb1szdeq