@git-stunts/git-warp 12.0.0 → 12.2.0

package/src/domain/services/QueryBuilder.js

@@ -5,9 +5,31 @@
  */
 
 import QueryError from '../errors/QueryError.js';
+import { matchGlob } from '../utils/matchGlob.js';
 
 const DEFAULT_PATTERN = '*';
 
+/**
+ * Processes items in batches with bounded concurrency.
+ *
+ * @template T, R
+ * @param {T[]} items - Items to process
+ * @param {(item: T) => Promise<R>} fn - Async function to apply to each item
+ * @param {number} [limit=100] - Maximum concurrent operations per batch
+ * @returns {Promise<R[]>} Results in input order
+ */
+async function batchMap(items, fn, limit = 100) {
+  const results = [];
+  for (let i = 0; i < items.length; i += limit) {
+    const batch = items.slice(i, i + limit);
+    const batchResults = await Promise.all(batch.map(fn));
+    for (const r of batchResults) {
+      results.push(r);
+    }
+  }
+  return results;
+}
+
 /**
  * @typedef {Object} QueryNodeSnapshot
  * @property {string} id - The unique identifier of the node
@@ -48,15 +70,18 @@ const DEFAULT_PATTERN = '*';
  */
 
 /**
- * Asserts that a match pattern is a string.
+ * Asserts that a match pattern is a string or array of strings.
  *
  * @param {unknown} pattern - The pattern to validate
- * @throws {QueryError} If pattern is not a string (code: E_QUERY_MATCH_TYPE)
+ * @throws {QueryError} If pattern is not a string or array of strings (code: E_QUERY_MATCH_TYPE)
  * @private
  */
 function assertMatchPattern(pattern) {
-  if (typeof pattern !== 'string') {
-    throw new QueryError('match() expects a string pattern', {
+  const isString = typeof pattern === 'string';
+  const isStringArray = Array.isArray(pattern) && pattern.every((p) => typeof p === 'string');
+
+  if (!isString && !isStringArray) {
+    throw new QueryError('match() expects a string pattern or array of string patterns', {
       code: 'E_QUERY_MATCH_TYPE',
       context: { receivedType: typeof pattern },
     });
@@ -165,41 +190,6 @@ function sortIds(ids) {
   return [...ids].sort();
 }
 
-/**
- * Escapes special regex characters in a string so it can be used as a literal match.
- *
- * @param {string} value - The string to escape
- * @returns {string} The escaped string safe for use in a RegExp
- * @private
- */
-function escapeRegex(value) {
-  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
-
-/**
- * Tests whether a node ID matches a glob-style pattern.
- *
- * Supports:
- * - `*` as the default pattern, matching all node IDs
- * - Wildcard `*` anywhere in the pattern, matching zero or more characters
- * - Literal match when pattern contains no wildcards
- *
- * @param {string} nodeId - The node ID to test
- * @param {string} pattern - The glob pattern (e.g., "user:*", "*:admin", "*")
- * @returns {boolean} True if the node ID matches the pattern
- * @private
- */
-function matchesPattern(nodeId, pattern) {
-  if (pattern === DEFAULT_PATTERN) {
-    return true;
-  }
-  if (pattern.includes('*')) {
-    const regex = new RegExp(`^${escapeRegex(pattern).replace(/\\\*/g, '.*')}$`);
-    return regex.test(nodeId);
-  }
-  return nodeId === pattern;
-}
-
 /**
  * Recursively freezes an object and all nested objects/arrays.
  *
@@ -494,7 +484,7 @@ export default class QueryBuilder {
    */
   constructor(graph) {
     this._graph = graph;
-    /** @type {string|null} */
+    /** @type {string|string[]|null} */
     this._pattern = null;
     /** @type {Array<{type: string, fn?: (node: QueryNodeSnapshot) => boolean, label?: string, depth?: [number, number]}>} */
     this._operations = [];
@@ -505,19 +495,21 @@ export default class QueryBuilder {
   }
 
   /**
-   * Sets the match pattern for filtering nodes by ID.
+   * Sets the match pattern(s) for filtering nodes by ID.
    *
    * Supports glob-style patterns:
    * - `*` matches all nodes
    * - `user:*` matches all nodes starting with "user:"
    * - `*:admin` matches all nodes ending with ":admin"
+   * - Array of patterns: `['campaign:*', 'milestone:*']` (OR semantics)
    *
-   * @param {string} pattern - Glob pattern to match node IDs against
+   * @param {string|string[]} pattern - Glob pattern or array of patterns to match node IDs against
    * @returns {QueryBuilder} This builder for chaining
-   * @throws {QueryError} If pattern is not a string (code: E_QUERY_MATCH_TYPE)
+   * @throws {QueryError} If pattern is not a string or array of strings (code: E_QUERY_MATCH_TYPE)
    */
   match(pattern) {
     assertMatchPattern(pattern);
+    /** @type {string|string[]|null} */
     this._pattern = pattern;
     return this;
   }
@@ -681,22 +673,33 @@ export default class QueryBuilder {
 
     const pattern = this._pattern ?? DEFAULT_PATTERN;
 
+    // Per-run props memo to avoid redundant getNodeProps calls
+    /** @type {Map<string, Map<string, unknown>>} */
+    const propsMemo = new Map();
+    const getProps = async (/** @type {string} */ nodeId) => {
+      const cached = propsMemo.get(nodeId);
+      if (cached !== undefined) {
+        return cached;
+      }
+      const propsMap = (await this._graph.getNodeProps(nodeId)) || new Map();
+      propsMemo.set(nodeId, propsMap);
+      return propsMap;
+    };
+
     let workingSet;
-    workingSet = allNodes.filter((nodeId) => matchesPattern(nodeId, pattern));
+    workingSet = allNodes.filter((nodeId) => matchGlob(pattern, nodeId));
 
     for (const op of this._operations) {
       if (op.type === 'where') {
-        const snapshots = await Promise.all(
-          workingSet.map(async (nodeId) => {
-            const propsMap = (await this._graph.getNodeProps(nodeId)) || new Map();
-            const edgesOut = adjacency.outgoing.get(nodeId) || [];
-            const edgesIn = adjacency.incoming.get(nodeId) || [];
-            return {
-              nodeId,
-              snapshot: createNodeSnapshot({ id: nodeId, propsMap, edgesOut, edgesIn }),
-            };
-          })
-        );
+        const snapshots = await batchMap(workingSet, async (nodeId) => {
+          const propsMap = await getProps(nodeId);
+          const edgesOut = adjacency.outgoing.get(nodeId) || [];
+          const edgesIn = adjacency.incoming.get(nodeId) || [];
+          return {
+            nodeId,
+            snapshot: createNodeSnapshot({ id: nodeId, propsMap, edgesOut, edgesIn }),
+          };
+        });
         const predicate = /** @type {(node: QueryNodeSnapshot) => boolean} */ (op.fn);
         const filtered = snapshots
           .filter(({ snapshot }) => predicate(snapshot))
@@ -727,7 +730,7 @@ export default class QueryBuilder {
     }
 
     if (this._aggregate) {
-      return await this._runAggregate(workingSet, stateHash);
+      return await this._runAggregate(workingSet, stateHash, getProps);
     }
 
     const selected = this._select;
@@ -747,22 +750,20 @@ export default class QueryBuilder {
     const includeId = !selectFields || selectFields.includes('id');
     const includeProps = !selectFields || selectFields.includes('props');
 
-    const nodes = await Promise.all(
-      workingSet.map(async (nodeId) => {
-        const entry = {};
-        if (includeId) {
-          entry.id = nodeId;
-        }
-        if (includeProps) {
-          const propsMap = (await this._graph.getNodeProps(nodeId)) || new Map();
-          const props = buildPropsSnapshot(propsMap);
-          if (selectFields || Object.keys(props).length > 0) {
-            entry.props = props;
-          }
+    const nodes = await batchMap(workingSet, async (nodeId) => {
+      const entry = {};
+      if (includeId) {
+        entry.id = nodeId;
+      }
+      if (includeProps) {
+        const propsMap = await getProps(nodeId);
+        const props = buildPropsSnapshot(propsMap);
+        if (selectFields || Object.keys(props).length > 0) {
+          entry.props = props;
         }
-        return entry;
-      })
-    );
+      }
+      return entry;
+    });
 
     return { stateHash, nodes };
   }
@@ -776,10 +777,11 @@ export default class QueryBuilder {
    *
    * @param {string[]} workingSet - Array of matched node IDs
    * @param {string} stateHash - Hash of the materialized state
+   * @param {(nodeId: string) => Promise<Map<string, unknown>>} getProps - Memoized props fetcher
    * @returns {Promise<AggregateResult>} Object containing stateHash and requested aggregation values
    * @private
    */
-  async _runAggregate(workingSet, stateHash) {
+  async _runAggregate(workingSet, stateHash, getProps) {
     const spec = /** @type {AggregateSpec} */ (this._aggregate);
     /** @type {AggregateResult} */
     const result = { stateHash };
@@ -802,8 +804,10 @@ export default class QueryBuilder {
         });
       }
 
-      for (const nodeId of workingSet) {
-        const propsMap = (await this._graph.getNodeProps(nodeId)) || new Map();
+      // Pre-fetch all props with bounded concurrency
+      const propsList = await batchMap(workingSet, getProps);
+
+      for (const propsMap of propsList) {
         for (const { segments, values } of propsByAgg.values()) {
           /** @type {unknown} */
           let value = propsMap.get(segments[0]);

package/src/domain/services/SyncController.js

@@ -11,6 +11,7 @@
 import SyncError from '../errors/SyncError.js';
 import OperationAbortedError from '../errors/OperationAbortedError.js';
 import { QueryError, E_NO_STATE_MSG } from '../warp/_internal.js';
+import { validateSyncResponse } from './SyncPayloadSchema.js';
 import {
   createSyncRequest as createSyncRequestImpl,
   processSyncRequest as processSyncRequestImpl,
@@ -25,6 +26,7 @@ import { collectGCMetrics } from './GCMetrics.js';
 import HttpSyncServer from './HttpSyncServer.js';
 import { signSyncRequest, canonicalizePath } from './SyncAuthService.js';
 import { isError } from '../types/WarpErrors.js';
+import SyncTrustGate from './SyncTrustGate.js';
 
 /** @typedef {import('../types/WarpPersistence.js').CorePersistence} CorePersistence */
 
@@ -128,10 +130,14 @@ async function buildSyncAuthHeaders({ auth, bodyStr, targetUrl, crypto }) {
 export default class SyncController {
   /**
    * @param {SyncHost} host - The WarpGraph instance (or any object satisfying SyncHost)
+   * @param {Object} [options]
+   * @param {SyncTrustGate} [options.trustGate] - Trust gate for evaluating patch authors
    */
-  constructor(host) {
+  constructor(host, options = {}) {
     /** @type {SyncHost} */
     this._host = host;
+    /** @type {SyncTrustGate|null} */
+    this._trustGate = options.trustGate || null;
   }
 
   /**
@@ -268,7 +274,7 @@ export default class SyncController {
       localFrontier,
       persistence,
       this._host._graphName,
-      { codec: this._host._codec }
+      { codec: this._host._codec, logger: this._host._logger || undefined }
     );
   }
 
@@ -282,13 +288,48 @@ export default class SyncController {
    * @returns {{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number}} Result with updated state and frontier
    * @throws {import('../errors/QueryError.js').default} If no cached state exists (code: `E_NO_STATE`)
    */
-  applySyncResponse(response) {
+  /**
+   * Applies a sync response to the local graph state.
+   * Updates the cached state with received patches.
+   *
+   * When a trust gate is configured, evaluates patch authors (writersApplied)
+   * against trust policy. In enforce mode, untrusted writers cause rejection
+   * before any state mutation.
+   *
+   * **Requires a cached state.**
+   *
+   * @param {import('./SyncProtocol.js').SyncResponse} response - The sync response
+   * @returns {Promise<{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number, trustVerdict?: string, writersApplied?: string[]}>} Result with updated state and frontier
+   * @throws {import('../errors/QueryError.js').default} If no cached state exists (code: `E_NO_STATE`)
+   * @throws {SyncError} If trust gate rejects untrusted writers (code: `E_SYNC_UNTRUSTED_WRITER`)
+   */
+  async applySyncResponse(response) {
     if (!this._host._cachedState) {
       throw new QueryError(E_NO_STATE_MSG, {
         code: 'E_NO_STATE',
       });
     }
 
+    // Extract actual patch authors for trust evaluation (B1)
+    const writersApplied = SyncTrustGate.extractWritersFromPatches(response.patches || []);
+
+    // Evaluate trust BEFORE applying any patches
+    if (this._trustGate && writersApplied.length > 0) {
+      const verdict = await this._trustGate.evaluate(writersApplied, {
+        graphName: this._host._graphName,
+      });
+      if (!verdict.allowed) {
+        throw new SyncError('Sync rejected: untrusted writer(s)', {
+          code: 'E_SYNC_UNTRUSTED_WRITER',
+          context: {
+            writersApplied,
+            untrustedWriters: verdict.untrustedWriters,
+            verdict: verdict.verdict,
+          },
+        });
+      }
+    }
+
     const currentFrontier = this._host._lastFrontier || createFrontier();
     const result = /** @type {{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number}} */ (applySyncResponseImpl(response, this._host._cachedState, currentFrontier));
 
@@ -301,10 +342,32 @@ export default class SyncController {
     // Track patches for GC
     this._host._patchesSinceGC += result.applied;
 
+    // Invalidate derived caches (C1) — sync changes underlying state
+    this._invalidateDerivedCaches();
+
     // State is now in sync with the frontier -- clear dirty flag
     this._host._stateDirty = false;
 
-    return result;
+    return { ...result, writersApplied };
+  }
+
+  /**
+   * Invalidates all derived caches on the host graph.
+   *
+   * Called after sync apply or join to ensure stale index/provider/view
+   * data is not returned to callers. The next query or traversal will
+   * trigger a rebuild.
+   *
+   * @private
+   */
+  _invalidateDerivedCaches() {
+    const h = /** @type {import('../WarpGraph.js').default} */ (this._host);
+    h._materializedGraph = null;
+    h._logicalIndex = null;
+    h._propertyReader = null;
+    h._cachedViewHash = null;
+    h._cachedIndexTree = null;
+    h._stateDirty = true;
   }
 
   /**
@@ -468,12 +531,12 @@ export default class SyncController {
         }
       }
 
-      if (!response || typeof response !== 'object' ||
-        response.type !== 'sync-response' ||
-        !response.frontier || typeof response.frontier !== 'object' || Array.isArray(response.frontier) ||
-        !Array.isArray(response.patches)) {
-        throw new SyncError('Invalid sync response', {
-          code: 'E_SYNC_PROTOCOL',
+      // Validate response shape + resource limits via Zod schema (B64).
+      // For HTTP responses, always validate — untrusted boundary.
+      const validation = validateSyncResponse(response);
+      if (!validation.ok) {
+        throw new SyncError(`Invalid sync response: ${validation.error}`, {
+          code: 'E_SYNC_PAYLOAD_INVALID',
         });
       }
 
@@ -482,7 +545,7 @@ export default class SyncController {
         emit('materialized');
       }
 
-      const result = this.applySyncResponse(response);
+      const result = await this.applySyncResponse(response);
       emit('applied', { applied: result.applied });
 
       const durationMs = this._host._clock.now() - attemptStart;

package/src/domain/services/SyncPayloadSchema.js

@@ -0,0 +1,236 @@
+/**
+ * SyncPayloadSchema -- Zod schemas for sync protocol messages.
+ *
+ * Validates both shape and resource limits for sync requests and responses
+ * at the trust boundary (HTTP ingress/egress). Prevents malformed or
+ * oversized payloads from reaching the CRDT merge engine.
+ *
+ * @module domain/services/SyncPayloadSchema
+ * @see B64 -- Sync ingress payload validation
+ */
+
+import { z } from 'zod';
+
+// ── Resource Limits ─────────────────────────────────────────────────────────
+
+/**
+ * Default resource limits for sync payload validation.
+ * Configurable per-deployment via `createSyncResponseSchema(limits)`.
+ *
+ * @typedef {Object} SyncPayloadLimits
+ * @property {number} maxWritersInFrontier - Maximum writers in a frontier object
+ * @property {number} maxPatches - Maximum patches in a sync response
+ * @property {number} maxOpsPerPatch - Maximum operations per patch
+ * @property {number} maxStringBytes - Maximum bytes for string values (writer ID, node ID, etc.)
+ * @property {number} maxBlobBytes - Maximum bytes for blob values
+ */
+
+/** @type {Readonly<SyncPayloadLimits>} */
+export const DEFAULT_LIMITS = Object.freeze({
+  maxWritersInFrontier: 10_000,
+  maxPatches: 100_000,
+  maxOpsPerPatch: 50_000,
+  maxStringBytes: 4096,
+  maxBlobBytes: 16 * 1024 * 1024,
+});
+
+// ── Schema Version ──────────────────────────────────────────────────────────
+
+/**
+ * Current sync protocol schema version.
+ * Responses with unknown versions are rejected.
+ */
+export const SYNC_SCHEMA_VERSION = 1;
+
+// ── Shared Primitives ───────────────────────────────────────────────────────
+
+/**
+ * Bounded string: rejects strings exceeding maxStringBytes.
+ * @param {number} maxBytes
+ * @returns {z.ZodString}
+ */
+function boundedString(maxBytes) {
+  return z.string().max(maxBytes);
+}
+
+// ── Frontier Schema ─────────────────────────────────────────────────────────
+
+/**
+ * Normalizes a frontier value that may be a Map (cbor-x decodes maps)
+ * or a plain object into a validated plain object.
+ *
+ * @param {unknown} value
+ * @returns {Record<string, string>|null} Normalized object, or null if invalid
+ */
+export function normalizeFrontier(value) {
+  if (value instanceof Map) {
+    /** @type {Record<string, string>} */
+    const obj = {};
+    for (const [k, v] of value) {
+      if (typeof k !== 'string' || typeof v !== 'string') {
+        return null;
+      }
+      obj[k] = v;
+    }
+    return obj;
+  }
+  if (value && typeof value === 'object' && !Array.isArray(value)) {
+    return /** @type {Record<string, string>} */ (value);
+  }
+  return null;
+}
+
+/**
+ * Creates a frontier schema with a size limit.
+ *
+ * Frontier values are strings (typically hex SHAs) but we don't enforce
+ * hex format here — semantic SHA validation happens at a higher level.
+ * This schema validates shape + resource limits only.
+ *
+ * @param {number} maxWriters
+ * @returns {z.ZodType<Record<string, string>>}
+ */
+function frontierSchema(maxWriters) {
+  return /** @type {z.ZodType<Record<string, string>>} */ (z.record(
+    boundedString(256),
+    z.string(),
+  ).refine(
+    (obj) => Object.keys(obj).length <= maxWriters,
+    (obj) => ({ message: `Frontier exceeds max writers: ${Object.keys(obj).length} > ${maxWriters}` }),
+  ));
+}
+
+// ── Op Schema ───────────────────────────────────────────────────────────────
+
+/**
+ * Minimal op validation — checks for type field and basic shape.
+ * Deeper semantic validation happens in JoinReducer/WarpMessageCodec.
+ */
+const opSchema = z.object({
+  type: z.string(),
+}).passthrough();
+
+// ── Patch Schema ────────────────────────────────────────────────────────────
+
+/**
+ * Creates a patch schema with ops limit.
+ * @param {SyncPayloadLimits} limits
+ */
+function patchSchema(limits) {
+  return z.object({
+    schema: z.number().int().min(1).optional(),
+    writer: boundedString(limits.maxStringBytes).optional(),
+    lamport: z.number().int().min(0).optional(),
+    ops: z.array(opSchema).max(limits.maxOpsPerPatch),
+    context: z.unknown().optional(),
+  }).passthrough();
+}
+
+/**
+ * Creates a patches-array entry schema.
+ * @param {SyncPayloadLimits} limits
+ */
+function patchEntrySchema(limits) {
+  return z.object({
+    writerId: boundedString(limits.maxStringBytes),
+    sha: z.string(),
+    patch: patchSchema(limits),
+  });
+}
+
+// ── Sync Request Schema ─────────────────────────────────────────────────────
+
+/**
+ * Creates a validated SyncRequest schema.
+ * @param {SyncPayloadLimits} [limits]
+ * @returns {z.ZodType}
+ */
+export function createSyncRequestSchema(limits = DEFAULT_LIMITS) {
+  return z.object({
+    type: z.literal('sync-request'),
+    frontier: frontierSchema(limits.maxWritersInFrontier),
+  }).strict();
+}
+
+/** Default SyncRequest schema with default limits */
+export const SyncRequestSchema = createSyncRequestSchema();
+
+// ── Sync Response Schema ────────────────────────────────────────────────────
+
+/**
+ * Creates a validated SyncResponse schema.
+ * @param {SyncPayloadLimits} [limits]
+ * @returns {z.ZodType}
+ */
+export function createSyncResponseSchema(limits = DEFAULT_LIMITS) {
+  return z.object({
+    type: z.literal('sync-response'),
+    frontier: frontierSchema(limits.maxWritersInFrontier),
+    patches: z.array(patchEntrySchema(limits)).max(limits.maxPatches),
+  }).passthrough();
+}
+
+/** Default SyncResponse schema with default limits */
+export const SyncResponseSchema = createSyncResponseSchema();
+
+// ── Validation Helpers ──────────────────────────────────────────────────────
+
+/**
+ * Validates a sync request payload. Returns the parsed value or throws.
+ *
+ * Handles Map→object normalization for cbor-x compatibility.
+ *
+ * @param {unknown} payload - Raw parsed payload (from JSON.parse or cbor-x decode)
+ * @param {SyncPayloadLimits} [limits] - Resource limits
+ * @returns {{ ok: true, value: { type: 'sync-request', frontier: Record<string, string> } } | { ok: false, error: string }}
+ */
+export function validateSyncRequest(payload, limits = DEFAULT_LIMITS) {
+  // Normalize Map frontier from cbor-x
+  if (payload && typeof payload === 'object' && !Array.isArray(payload)) {
+    const p = /** @type {Record<string, unknown>} */ (payload);
+    if (p.frontier instanceof Map) {
+      const normalized = normalizeFrontier(p.frontier);
+      if (!normalized) {
+        return { ok: false, error: 'Invalid frontier: Map contains non-string entries' };
+      }
+      p.frontier = normalized;
+    }
+  }
+
+  const schema = limits === DEFAULT_LIMITS ? SyncRequestSchema : createSyncRequestSchema(limits);
+  const result = schema.safeParse(payload);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  return { ok: true, value: /** @type {{ type: 'sync-request', frontier: Record<string, string> }} */ (result.data) };
+}
+
+/**
+ * Validates a sync response payload. Returns the parsed value or an error.
+ *
+ * Handles Map→object normalization for cbor-x compatibility.
+ *
+ * @param {unknown} payload - Raw parsed payload
+ * @param {SyncPayloadLimits} [limits] - Resource limits
+ * @returns {{ ok: true, value: unknown } | { ok: false, error: string }}
+ */
+export function validateSyncResponse(payload, limits = DEFAULT_LIMITS) {
+  // Normalize Map frontier from cbor-x
+  if (payload && typeof payload === 'object' && !Array.isArray(payload)) {
+    const p = /** @type {Record<string, unknown>} */ (payload);
+    if (p.frontier instanceof Map) {
+      const normalized = normalizeFrontier(p.frontier);
+      if (!normalized) {
+        return { ok: false, error: 'Invalid frontier: Map contains non-string entries' };
+      }
+      p.frontier = normalized;
+    }
+  }
+
+  const schema = limits === DEFAULT_LIMITS ? SyncResponseSchema : createSyncResponseSchema(limits);
+  const result = schema.safeParse(payload);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  return { ok: true, value: result.data };
+}