Add the Runtime provider registry and gateway proxy support needed for object/content provider invocation, stream sessions, progress/cancel metadata, and provider-backed viewer handoff. This is the transport/control-plane slice. Concrete Library, content, Spaces, and package surfaces are committed separately so reviewers can separate runtime plumbing from product behavior.
Replace the static Library capsule with a PC2-familiar file-manager surface backed by the Runtime object-provider API. This includes source-split Library UI code, icons, navigation, selection, upload/download, rename/create/delete/trash, publish/share/status/properties hooks, and object CID metadata. Add the standalone object-provider capsule and boundary tests while keeping publish/share availability authority separated through Runtime/content-provider coordination.
Make Home/Desktop use the same Library object model for file and folder projections, including signed session context, desktop item rendering, self-open Library windows, and Home system API support. This keeps desktop files/shortcuts consistent with Library instead of creating a second file authority surface.
Extend content-provider, Carrier orchestration, availability-provider, content-block-graph-provider, and protected-content provider contracts for CID-backed publication, replication proof/status, protected payload metadata, recipient proof handling, and fail-closed provider behavior. This keeps mutable object authority in object-provider while published content identity, delivery, and availability stay with content-provider and Carrier-backed providers.
Add the WebSpace provider and operator drive adapter surfaces for mounted Spaces, resolver status, byte sync/traversal receipts, remote authority hints, and local Runtime command support. This establishes the Spaces/WebSpace foundation without claiming production storage-market federation or raw host filesystem exposure.
Add a dedicated Archive Manager capsule for archive inspection and extraction UX, wired to the Library object/archive operations added in the Explorer slice. The supported release surface remains intentional: safe ZIP/tar/tar.gz/tgz handling, with broader archive families left for dependency and release-policy review.
Update component metadata and release build/publish scripts for the Library release capsule set, including object-provider, archive-manager, content-block-graph-provider, WebSpace, operator drive, and protected-content provider capsules. This is packaging metadata only; provider behavior lives in the feature commits.
Add gateway tests and browser-facing smoke scripts for Library object flows, Home projection, archive operations, provider menus, release entropy checks, live Home/Library smoke, and protected-content provider contracts. These checks are the branch-local proof surface for the Library release and the first line of defense against PC2 UX and ElastOS authority regressions.
Document the PC2-aligned Library release, object/content authority split, Public versus Published behavior, Spaces model, archive policy, content availability, WCI weekly report, release gates, and explicit remaining production deferrals. The docs intentionally state that the object-provider capsule/API boundary is complete while pure object-provider core extraction remains architecture/build-review cleanup, not a shipped behavior claim.
Keep mutable Library objects under object-provider authority, including Trash lifecycle operations, Spaces object metadata, archive object metadata, and provider proxy routing for empty_trash.
Adds provider-backed desktop object projection, canonical Archive shell title handling, and Home tests for the Trash desktop object and layout sanitation rules.
Canonicalizes Archive naming in the browser shell, authorizes Library/Archive message handoff, renders provider-backed Trash desktop objects, and adds Trash context actions.
Renames the visible app to Archive, removes noisy manager copy, supports opening existing archives through Library, builds new ZIPs through Library selection, and keeps extraction destination handling provider-mediated.
Adds Archive open/create modes, object payload normalization, Archive viewer handoff, and provider-backed object actions needed by the Archive capsule.
Adds sidebar reordering, clearer Spaces/Localhost behavior, Trash-aware interactions, picker-mode UI for Archive, and PC2-style properties details without changing provider authority.
Extends Rust and browser smoke coverage for object-provider Library flows, Archive picker/open paths, Spaces/Localhost behavior, Trash lifecycle, Home shell handoff, and release entropy checks.
Updates the working release notes with the current Library/Home/Archive state, remaining production-infra boundaries, live deployment invariants, and post-cleanup checklist status.
Closing this draft PR to use the established 0.4.0 branch-first, commit-by-commit review workflow instead. The branch remains published; commits should be reviewed sequentially from the branch history.
SashaMIT added a commit that referenced this pull request on Jun 17, 2026:
Close the last pre-audit backlog item — reduce observable metadata and document the trust model honestly for the external audit.
- viewer_open: log subject/content_id only as non-reversible truncated SHA-256 fingerprints (log_fp); no raw (wallet, content_id) at info!.
- ddrm-envelope: channel_pad module — coarse power-of-two size bucketing (ISO 7816-4, fail-closed unpad, cap-safe) applied plaintext-side before sealing at every dKMS channel seal/open site (dkms-authority, key-provider, ddrm-runtime-open, dkms-live-recover) to blunt on-path length analysis.
- docs/THREAT_MODEL.md: states the 2-of-3 (NOT "no collusion") trust model, the observable (wallet, content_id, time) access pattern, the audit non-repudiation caveat, and what we do NOT defend (oblivious lookup is the flagged next scope).
- HANDOVER: Day 139 closure addendum — pre-audit backlog #1-#5 closed. PRE_AUDIT.md intentionally left untracked (found-and-fixed exploit detail; public repo) — hand to the auditor out-of-band.
Co-authored-by: Cursor <cursoragent@cursor.com>
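The channel_pad behaviour that commit message describes (power-of-two size bucketing with ISO 7816-4 padding, a fail-closed unpad and a hard cap, applied plaintext-side before sealing) is shown below as an added example. It is not the project's ddrm-envelope code: the constants `MIN_BUCKET` and `MAX_PADDED`, the `PadError` variants and the function names `bucket_for`, `pad` and `unpad` are all assumptions chosen for illustration.

```rust
// Added example (not the project's own ddrm-envelope code): coarse power-of-two
// size bucketing with ISO/IEC 7816-4 padding, applied plaintext-side before
// sealing so an on-path observer sees only bucket sizes, not exact lengths.
// MIN_BUCKET and MAX_PADDED are assumed values, not the project's constants.

/// Smallest bucket emitted, so short messages are indistinguishable (assumption).
pub const MIN_BUCKET: usize = 64;
/// Hard cap on a padded frame; larger inputs are refused rather than padded
/// to an unbounded size (assumption).
pub const MAX_PADDED: usize = 1 << 20;

#[derive(Debug, PartialEq, Eq)]
pub enum PadError {
    /// Plaintext would not fit in any bucket at or below MAX_PADDED.
    TooLarge,
    /// Padded length is not a valid bucket (not a power of two, or out of range).
    BadLength,
    /// No 0x80 marker found, or non-zero bytes after it.
    BadPadding,
}

/// Bucket size for a plaintext of `len` bytes, or None if it exceeds the cap.
/// One byte is always reserved for the mandatory 0x80 marker, so a plaintext
/// that exactly fills a bucket is bumped to the next one.
pub fn bucket_for(len: usize) -> Option<usize> {
    let needed = len.checked_add(1)?;
    let bucket = needed.checked_next_power_of_two()?.max(MIN_BUCKET);
    if bucket > MAX_PADDED {
        None
    } else {
        Some(bucket)
    }
}

/// ISO 7816-4 pad: plaintext || 0x80 || 0x00 ... up to the bucket size.
pub fn pad(plaintext: &[u8]) -> Result<Vec<u8>, PadError> {
    let bucket = bucket_for(plaintext.len()).ok_or(PadError::TooLarge)?;
    let mut out = Vec::with_capacity(bucket);
    out.extend_from_slice(plaintext);
    out.push(0x80);
    out.resize(bucket, 0x00);
    Ok(out)
}

/// Fail-closed unpad: every structural check rejects rather than guessing.
/// Runs after the authenticated open, so the input is already integrity-checked;
/// the checks here catch implementation bugs and malformed peers, not forgeries.
pub fn unpad(padded: &[u8]) -> Result<Vec<u8>, PadError> {
    let n = padded.len();
    if n < MIN_BUCKET || n > MAX_PADDED || !n.is_power_of_two() {
        return Err(PadError::BadLength);
    }
    // Walk back over the trailing zero run; the first non-zero byte must be 0x80.
    let mut i = n;
    while i > 0 && padded[i - 1] == 0x00 {
        i -= 1;
    }
    if i == 0 || padded[i - 1] != 0x80 {
        return Err(PadError::BadPadding);
    }
    Ok(padded[..i - 1].to_vec())
}

fn main() {
    // Constructed sample plaintexts of a few lengths, to show the bucket boundaries.
    for len in [0usize, 5, 63, 64, 1000] {
        let msg = vec![0x41u8; len];
        let framed = pad(&msg).expect("within cap");
        assert_eq!(unpad(&framed).unwrap(), msg);
        println!("plaintext {:>5} bytes -> bucket {:>5} bytes", len, framed.len());
    }
}
```

The cap matters for both directions: `bucket_for` refuses (rather than overflowing or padding to gigabytes) when the next power of two exceeds `MAX_PADDED`, and `unpad` rejects any frame whose length is not a bucket the sender could have produced, so a truncated or tampered frame never yields a "best effort" plaintext.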
SashaMIT added a commit that referenced this pull request on Jun 17, 2026:
…lockfiles
- PRE_AUDIT.md: firm-facing scoping evidence (findings + verified-clean list) for the pre-audit security backlog #1-#5 (now closed).
- CONFIDENTIAL_COMPUTE.md: TEE opportunity audit + quorum hardware reality.
- README + capsule lockfiles refreshed.
Co-authored-by: Cursor <cursoragent@cursor.com>
Closed and void. This PR was opened accidentally during release workflow setup. Do not review it. The release is being reviewed through the published 0.4.0 branch one commit at a time.