Add the Runtime provider registry and gateway proxy support needed for object/content provider invocation, stream sessions, progress/cancel metadata, and provider-backed viewer handoff. This is the transport/control-plane slice. Concrete Library, content, Spaces, and package surfaces are committed separately so reviewers can separate runtime plumbing from product behavior.
Replace the static Library capsule with a PC2-familiar file-manager surface backed by the Runtime object-provider API. This includes source-split Library UI code, icons, navigation, selection, upload/download, rename/create/delete/trash, publish/share/status/properties hooks, and object CID metadata. Add the standalone object-provider capsule and boundary tests while keeping publish/share availability authority separated through Runtime/content-provider coordination.
Make Home/Desktop use the same Library object model for file and folder projections, including signed session context, desktop item rendering, self-open Library windows, and Home system API support. This keeps desktop files/shortcuts consistent with Library instead of creating a second file authority surface.
Extend content-provider, Carrier orchestration, availability-provider, content-block-graph-provider, and protected-content provider contracts for CID-backed publication, replication proof/status, protected payload metadata, recipient proof handling, and fail-closed provider behavior. This keeps mutable object authority in object-provider while published content identity, delivery, and availability stay with content-provider and Carrier-backed providers.
Add the WebSpace provider and operator drive adapter surfaces for mounted Spaces, resolver status, byte sync/traversal receipts, remote authority hints, and local Runtime command support. This establishes the Spaces/WebSpace foundation without claiming production storage-market federation or raw host filesystem exposure.
Add a dedicated Archive Manager capsule for archive inspection and extraction UX, wired to the Library object/archive operations added in the Explorer slice. The supported release surface remains intentional: safe ZIP/tar/tar.gz/tgz handling, with broader archive families left for dependency and release-policy review.
Update component metadata and release build/publish scripts for the Library release capsule set, including object-provider, archive-manager, content-block-graph-provider, WebSpace, operator drive, and protected-content provider capsules. This is packaging metadata only; provider behavior lives in the feature commits.
Add gateway tests and browser-facing smoke scripts for Library object flows, Home projection, archive operations, provider menus, release entropy checks, live Home/Library smoke, and protected-content provider contracts. These checks are the branch-local proof surface for the Library release and the first line of defense against PC2 UX and ElastOS authority regressions.
Document the PC2-aligned Library release, object/content authority split, Public versus Published behavior, Spaces model, archive policy, content availability, WCI weekly report, release gates, and explicit remaining production deferrals. The docs intentionally state that the object-provider capsule/API boundary is complete while pure object-provider core extraction remains architecture/build-review cleanup, not a shipped behavior claim.
Keep mutable Library objects under object-provider authority, including Trash lifecycle operations, Spaces object metadata, archive object metadata, and provider proxy routing for empty_trash.
Adds provider-backed desktop object projection, canonical Archive shell title handling, and Home tests for the Trash desktop object and layout sanitation rules.
Canonicalizes Archive naming in the browser shell, authorizes Library/Archive message handoff, renders provider-backed Trash desktop objects, and adds Trash context actions.
Renames the visible app to Archive, removes noisy manager copy, supports opening existing archives through Library, builds new ZIPs through Library selection, and keeps extraction destination handling provider-mediated.
Adds Archive open/create modes, object payload normalization, Archive viewer handoff, and provider-backed object actions needed by the Archive capsule.
Adds sidebar reordering, clearer Spaces/Localhost behavior, Trash-aware interactions, picker-mode UI for Archive, and PC2-style properties details without changing provider authority.
Extends Rust and browser smoke coverage for object-provider Library flows, Archive picker/open paths, Spaces/Localhost behavior, Trash lifecycle, Home shell handoff, and release entropy checks.
Updates the working release notes with the current Library/Home/Archive state, remaining production-infra boundaries, live deployment invariants, and post-cleanup checklist status.
Closing this draft PR to use the established 0.4.0 branch-first, commit-by-commit review workflow instead. The branch remains published; commits should be reviewed sequentially from the branch history.
SashaMIT added a commit that referenced this pull request on Jun 17, 2026
Close the last pre-audit backlog item — reduce observable metadata and document the trust model honestly for the external audit.
- viewer_open: log subject/content_id only as non-reversible truncated SHA-256 fingerprints (log_fp); no raw (wallet, content_id) at info!.
- ddrm-envelope: channel_pad module — coarse power-of-two size bucketing (ISO 7816-4, fail-closed unpad, cap-safe) applied plaintext-side before sealing at every dKMS channel seal/open site (dkms-authority, key-provider, ddrm-runtime-open, dkms-live-recover) to blunt on-path length analysis.
- docs/THREAT_MODEL.md: states the 2-of-3 (NOT "no collusion") trust model, the observable (wallet, content_id, time) access pattern, the audit non-repudiation caveat, and what we do NOT defend (oblivious lookup is the flagged next scope).
- HANDOVER: Day 139 closure addendum — pre-audit backlog #1-#5 closed. PRE_AUDIT.md intentionally left untracked (found-and-fixed exploit detail; public repo) — hand to the auditor out-of-band.
Co-authored-by: Cursor <cursoragent@cursor.com>
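An added illustration of the bucketing scheme this commit describes (example code, not the project's channel_pad module): ISO/IEC 7816-4 padding into power-of-two buckets with a hard cap and a fail-closed unpad, applied plaintext-side so that only the bucket size is visible on the wire. MIN_BUCKET and MAX_BUCKET are assumed values.

```rust
// Added example, not the project's channel_pad module: ISO/IEC 7816-4 padding
// (0x80 then 0x00 fill) into power-of-two size buckets, a hard cap, and a
// fail-closed unpad. MIN_BUCKET and MAX_BUCKET are assumed values.
const MIN_BUCKET: usize = 64;
const MAX_BUCKET: usize = 1 << 20;

/// Smallest power-of-two bucket holding `len` bytes plus the mandatory 0x80
/// marker. None (fail closed) if that bucket would exceed the cap.
pub fn bucket_len(len: usize) -> Option<usize> {
    let need = len.checked_add(1)?;
    let bucket = need.max(MIN_BUCKET).checked_next_power_of_two()?;
    (bucket <= MAX_BUCKET).then_some(bucket)
}

/// Pad: plaintext || 0x80 || 0x00* up to the bucket size.
pub fn pad(plain: &[u8]) -> Option<Vec<u8>> {
    let target = bucket_len(plain.len())?;
    let mut out = Vec::with_capacity(target);
    out.extend_from_slice(plain);
    out.push(0x80);
    out.resize(target, 0x00);
    Some(out)
}

/// Unpad, fail closed: the length must be a valid bucket and the content must
/// be exactly plaintext || 0x80 || 0x00*. This runs after the AEAD open, so it
/// only ever sees data the peer authenticated.
pub fn unpad(padded: &[u8]) -> Option<Vec<u8>> {
    let n = padded.len();
    if n < MIN_BUCKET || n > MAX_BUCKET || !n.is_power_of_two() {
        return None;
    }
    // Skip the zero fill from the end; the first non-zero byte must be 0x80.
    let marker = padded.iter().rposition(|&b| b != 0x00)?;
    (padded[marker] == 0x80).then(|| padded[..marker].to_vec())
}

fn main() {
    // Two messages of different length land in the same 128-byte bucket.
    for msg in [&[0u8; 70][..], &[0u8; 120][..]] {
        let sealed_len = pad(msg).map(|p| p.len());
        println!("plaintext {} bytes -> bucket {:?}", msg.len(), sealed_len);
    }
}
```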
SashaMIT added a commit that referenced this pull request on Jun 17, 2026
…lockfiles
- PRE_AUDIT.md: firm-facing scoping evidence (findings + verified-clean list) for the pre-audit security backlog #1-#5 (now closed).
- CONFIDENTIAL_COMPUTE.md: TEE opportunity audit + quorum hardware reality.
- README + capsule lockfiles refreshed.
Co-authored-by: Cursor <cursoragent@cursor.com>
SashaMIT pushed a commit that referenced this pull request on Jun 20, 2026
…partial Re-verified all eight PRE_AUDIT findings against the current tree (deep + passing tests for #1/#3/#6; code + mechanism for #2/#4/#5/#7/#8). Adds a dated verification banner with file:line evidence and flips the #1/#2 status cells.
- #1 (was HIGH/CRITICAL) RESOLVED: CEK reconstruction is integrity-checked end-to-end and production-wired — producer publishes cek_commitment at mint, the open path reconstructs via reconstruct_quorum_cek_checked (3+ shares cross-check / commitment binding / degraded 2-share-without-commitment refused). Byzantine-share tests pass (decrypt-provider 146/0).
- #2 PARTIAL by design: log-redaction is done (log_fp fingerprints the wallet/content triple); blinded identifiers / oblivious lookup / frame padding / node-operator visibility remain documented roadmap, not code defects. Kept for the firm.
- #3 RESOLVED (audit tamper-evidence; recorded earlier this branch).
- #4 RESOLVED: central required_action_for map, fail-closed on unmapped ops, enforced at the bridge on the required (not token's) action.
- #5 RESOLVED: node-set-id pin mandatory in release (compile_error fence + authorize refuses a caller-declared node-set).
- #6 RESOLVED: vsock-proxy MAX_LINE_BYTES cap fails closed; binds the guest vsock wildcard CID, not TCP 0.0.0.0.
- #7 RESOLVED: GF(256) multiply rewritten branchless (mask selects, fixed 8 iters).
- #8 RESOLVED: effective_now clamps the caller clock in release (window can only shrink).
No code change. Purpose: hand the external firm a trustworthy "scope these OUT" list.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VjFQt6DK9ZGnLs4ykUWsuX
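An added illustration of the #7 item above, a branchless GF(256) multiply of the kind used for Shamir share arithmetic, beside the branchy form it replaces (example code, not the project's implementation). The AES reduction polynomial x^8+x^4+x^3+x+1 (0x11b) is assumed; the commit does not name the project's polynomial.

```rust
// Added example, not the project's code: branchless GF(2^8) multiply with a
// fixed iteration count and mask selects, plus the branchy reference it
// replaces. The AES reduction polynomial 0x11b is assumed.
const REDUCE: u8 = 0x1b; // low byte of x^8 + x^4 + x^3 + x + 1

/// Constant-time multiply: always 8 iterations, each step selects via an
/// all-ones/all-zeros mask instead of branching on a secret bit.
pub fn gf256_mul(mut a: u8, mut b: u8) -> u8 {
    let mut acc = 0u8;
    for _ in 0..8 {
        let take = (b & 1).wrapping_neg();   // 0xFF if bit set, else 0x00
        acc ^= a & take;
        let carry = (a >> 7).wrapping_neg(); // 0xFF if doubling overflows
        a = (a << 1) ^ (REDUCE & carry);     // xtime with masked reduction
        b >>= 1;
    }
    acc
}

/// Branchy reference: data-dependent control flow, kept only to cross-check.
pub fn gf256_mul_ref(mut a: u8, mut b: u8) -> u8 {
    let mut acc = 0u8;
    while b != 0 {
        if b & 1 != 0 {
            acc ^= a;
        }
        let hi = a & 0x80 != 0;
        a <<= 1;
        if hi {
            a ^= REDUCE;
        }
        b >>= 1;
    }
    acc
}

/// Exhaustive agreement check over all 65,536 input pairs.
pub fn matches_reference() -> bool {
    (0..=255u8).all(|a| (0..=255u8).all(|b| gf256_mul(a, b) == gf256_mul_ref(a, b)))
}

fn main() {
    // FIPS 197 worked example: {57} * {83} = {c1}.
    println!("0x57 * 0x83 = {:#04x}", gf256_mul(0x57, 0x83));
    println!("branchless matches reference: {}", matches_reference());
}
```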
Closed and void. This PR was opened accidentally during release workflow setup. Do not review it. The release is being reviewed through the published 0.4.0 branch one commit at a time.