@git-stunts/git-warp 12.1.0 → 12.2.0

package/src/domain/services/SyncController.js

@@ -11,6 +11,7 @@
 import SyncError from '../errors/SyncError.js';
 import OperationAbortedError from '../errors/OperationAbortedError.js';
 import { QueryError, E_NO_STATE_MSG } from '../warp/_internal.js';
+import { validateSyncResponse } from './SyncPayloadSchema.js';
 import {
   createSyncRequest as createSyncRequestImpl,
   processSyncRequest as processSyncRequestImpl,
@@ -25,6 +26,7 @@ import { collectGCMetrics } from './GCMetrics.js';
 import HttpSyncServer from './HttpSyncServer.js';
 import { signSyncRequest, canonicalizePath } from './SyncAuthService.js';
 import { isError } from '../types/WarpErrors.js';
+import SyncTrustGate from './SyncTrustGate.js';
 
 /** @typedef {import('../types/WarpPersistence.js').CorePersistence} CorePersistence */
 
@@ -128,10 +130,14 @@ async function buildSyncAuthHeaders({ auth, bodyStr, targetUrl, crypto }) {
 export default class SyncController {
   /**
    * @param {SyncHost} host - The WarpGraph instance (or any object satisfying SyncHost)
+   * @param {Object} [options]
+   * @param {SyncTrustGate} [options.trustGate] - Trust gate for evaluating patch authors
    */
-  constructor(host) {
+  constructor(host, options = {}) {
     /** @type {SyncHost} */
     this._host = host;
+    /** @type {SyncTrustGate|null} */
+    this._trustGate = options.trustGate || null;
   }
 
   /**
@@ -268,7 +274,7 @@ export default class SyncController {
       localFrontier,
       persistence,
       this._host._graphName,
-      { codec: this._host._codec }
+      { codec: this._host._codec, logger: this._host._logger || undefined }
     );
   }
 
@@ -282,13 +288,48 @@ export default class SyncController {
    * @returns {{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number}} Result with updated state and frontier
    * @throws {import('../errors/QueryError.js').default} If no cached state exists (code: `E_NO_STATE`)
    */
-  applySyncResponse(response) {
+  /**
+   * Applies a sync response to the local graph state.
+   * Updates the cached state with received patches.
+   *
+   * When a trust gate is configured, evaluates patch authors (writersApplied)
+   * against trust policy. In enforce mode, untrusted writers cause rejection
+   * before any state mutation.
+   *
+   * **Requires a cached state.**
+   *
+   * @param {import('./SyncProtocol.js').SyncResponse} response - The sync response
+   * @returns {Promise<{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number, trustVerdict?: string, writersApplied?: string[]}>} Result with updated state and frontier
+   * @throws {import('../errors/QueryError.js').default} If no cached state exists (code: `E_NO_STATE`)
+   * @throws {SyncError} If trust gate rejects untrusted writers (code: `E_SYNC_UNTRUSTED_WRITER`)
+   */
+  async applySyncResponse(response) {
     if (!this._host._cachedState) {
       throw new QueryError(E_NO_STATE_MSG, {
         code: 'E_NO_STATE',
       });
     }
 
+    // Extract actual patch authors for trust evaluation (B1)
+    const writersApplied = SyncTrustGate.extractWritersFromPatches(response.patches || []);
+
+    // Evaluate trust BEFORE applying any patches
+    if (this._trustGate && writersApplied.length > 0) {
+      const verdict = await this._trustGate.evaluate(writersApplied, {
+        graphName: this._host._graphName,
+      });
+      if (!verdict.allowed) {
+        throw new SyncError('Sync rejected: untrusted writer(s)', {
+          code: 'E_SYNC_UNTRUSTED_WRITER',
+          context: {
+            writersApplied,
+            untrustedWriters: verdict.untrustedWriters,
+            verdict: verdict.verdict,
+          },
+        });
+      }
+    }
+
     const currentFrontier = this._host._lastFrontier || createFrontier();
     const result = /** @type {{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number}} */ (applySyncResponseImpl(response, this._host._cachedState, currentFrontier));
 
@@ -301,10 +342,32 @@ export default class SyncController {
     // Track patches for GC
     this._host._patchesSinceGC += result.applied;
 
+    // Invalidate derived caches (C1) — sync changes underlying state
+    this._invalidateDerivedCaches();
+
     // State is now in sync with the frontier -- clear dirty flag
     this._host._stateDirty = false;
 
-    return result;
+    return { ...result, writersApplied };
+  }
+
+  /**
+   * Invalidates all derived caches on the host graph.
+   *
+   * Called after sync apply or join to ensure stale index/provider/view
+   * data is not returned to callers. The next query or traversal will
+   * trigger a rebuild.
+   *
+   * @private
+   */
+  _invalidateDerivedCaches() {
+    const h = /** @type {import('../WarpGraph.js').default} */ (this._host);
+    h._materializedGraph = null;
+    h._logicalIndex = null;
+    h._propertyReader = null;
+    h._cachedViewHash = null;
+    h._cachedIndexTree = null;
+    h._stateDirty = true;
   }
 
   /**
@@ -468,12 +531,12 @@ export default class SyncController {
         }
       }
 
-      if (!response || typeof response !== 'object' ||
-        response.type !== 'sync-response' ||
-        !response.frontier || typeof response.frontier !== 'object' || Array.isArray(response.frontier) ||
-        !Array.isArray(response.patches)) {
-        throw new SyncError('Invalid sync response', {
-          code: 'E_SYNC_PROTOCOL',
+      // Validate response shape + resource limits via Zod schema (B64).
+      // For HTTP responses, always validate — untrusted boundary.
+      const validation = validateSyncResponse(response);
+      if (!validation.ok) {
+        throw new SyncError(`Invalid sync response: ${validation.error}`, {
+          code: 'E_SYNC_PAYLOAD_INVALID',
         });
       }
 
@@ -482,7 +545,7 @@ export default class SyncController {
         emit('materialized');
       }
 
-      const result = this.applySyncResponse(response);
+      const result = await this.applySyncResponse(response);
       emit('applied', { applied: result.applied });
 
       const durationMs = this._host._clock.now() - attemptStart;

package/src/domain/services/SyncPayloadSchema.js

@@ -0,0 +1,236 @@
+/**
+ * SyncPayloadSchema -- Zod schemas for sync protocol messages.
+ *
+ * Validates both shape and resource limits for sync requests and responses
+ * at the trust boundary (HTTP ingress/egress). Prevents malformed or
+ * oversized payloads from reaching the CRDT merge engine.
+ *
+ * @module domain/services/SyncPayloadSchema
+ * @see B64 -- Sync ingress payload validation
+ */
+
+import { z } from 'zod';
+
+// ── Resource Limits ─────────────────────────────────────────────────────────
+
+/**
+ * Default resource limits for sync payload validation.
+ * Configurable per-deployment via `createSyncResponseSchema(limits)`.
+ *
+ * @typedef {Object} SyncPayloadLimits
+ * @property {number} maxWritersInFrontier - Maximum writers in a frontier object
+ * @property {number} maxPatches - Maximum patches in a sync response
+ * @property {number} maxOpsPerPatch - Maximum operations per patch
+ * @property {number} maxStringBytes - Maximum bytes for string values (writer ID, node ID, etc.)
+ * @property {number} maxBlobBytes - Maximum bytes for blob values
+ */
+
+/** @type {Readonly<SyncPayloadLimits>} */
+export const DEFAULT_LIMITS = Object.freeze({
+  maxWritersInFrontier: 10_000,
+  maxPatches: 100_000,
+  maxOpsPerPatch: 50_000,
+  maxStringBytes: 4096,
+  maxBlobBytes: 16 * 1024 * 1024,
+});
+
+// ── Schema Version ──────────────────────────────────────────────────────────
+
+/**
+ * Current sync protocol schema version.
+ * Responses with unknown versions are rejected.
+ */
+export const SYNC_SCHEMA_VERSION = 1;
+
+// ── Shared Primitives ───────────────────────────────────────────────────────
+
+/**
+ * Bounded string: rejects strings exceeding maxStringBytes.
+ * @param {number} maxBytes
+ * @returns {z.ZodString}
+ */
+function boundedString(maxBytes) {
+  return z.string().max(maxBytes);
+}
+
+// ── Frontier Schema ─────────────────────────────────────────────────────────
+
+/**
+ * Normalizes a frontier value that may be a Map (cbor-x decodes maps)
+ * or a plain object into a validated plain object.
+ *
+ * @param {unknown} value
+ * @returns {Record<string, string>|null} Normalized object, or null if invalid
+ */
+export function normalizeFrontier(value) {
+  if (value instanceof Map) {
+    /** @type {Record<string, string>} */
+    const obj = {};
+    for (const [k, v] of value) {
+      if (typeof k !== 'string' || typeof v !== 'string') {
+        return null;
+      }
+      obj[k] = v;
+    }
+    return obj;
+  }
+  if (value && typeof value === 'object' && !Array.isArray(value)) {
+    return /** @type {Record<string, string>} */ (value);
+  }
+  return null;
+}
+
+/**
+ * Creates a frontier schema with a size limit.
+ *
+ * Frontier values are strings (typically hex SHAs) but we don't enforce
+ * hex format here — semantic SHA validation happens at a higher level.
+ * This schema validates shape + resource limits only.
+ *
+ * @param {number} maxWriters
+ * @returns {z.ZodType<Record<string, string>>}
+ */
+function frontierSchema(maxWriters) {
+  return /** @type {z.ZodType<Record<string, string>>} */ (z.record(
+    boundedString(256),
+    z.string(),
+  ).refine(
+    (obj) => Object.keys(obj).length <= maxWriters,
+    (obj) => ({ message: `Frontier exceeds max writers: ${Object.keys(obj).length} > ${maxWriters}` }),
+  ));
+}
+
+// ── Op Schema ───────────────────────────────────────────────────────────────
+
+/**
+ * Minimal op validation — checks for type field and basic shape.
+ * Deeper semantic validation happens in JoinReducer/WarpMessageCodec.
+ */
+const opSchema = z.object({
+  type: z.string(),
+}).passthrough();
+
+// ── Patch Schema ────────────────────────────────────────────────────────────
+
+/**
+ * Creates a patch schema with ops limit.
+ * @param {SyncPayloadLimits} limits
+ */
+function patchSchema(limits) {
+  return z.object({
+    schema: z.number().int().min(1).optional(),
+    writer: boundedString(limits.maxStringBytes).optional(),
+    lamport: z.number().int().min(0).optional(),
+    ops: z.array(opSchema).max(limits.maxOpsPerPatch),
+    context: z.unknown().optional(),
+  }).passthrough();
+}
+
+/**
+ * Creates a patches-array entry schema.
+ * @param {SyncPayloadLimits} limits
+ */
+function patchEntrySchema(limits) {
+  return z.object({
+    writerId: boundedString(limits.maxStringBytes),
+    sha: z.string(),
+    patch: patchSchema(limits),
+  });
+}
+
+// ── Sync Request Schema ─────────────────────────────────────────────────────
+
+/**
+ * Creates a validated SyncRequest schema.
+ * @param {SyncPayloadLimits} [limits]
+ * @returns {z.ZodType}
+ */
+export function createSyncRequestSchema(limits = DEFAULT_LIMITS) {
+  return z.object({
+    type: z.literal('sync-request'),
+    frontier: frontierSchema(limits.maxWritersInFrontier),
+  }).strict();
+}
+
+/** Default SyncRequest schema with default limits */
+export const SyncRequestSchema = createSyncRequestSchema();
+
+// ── Sync Response Schema ────────────────────────────────────────────────────
+
+/**
+ * Creates a validated SyncResponse schema.
+ * @param {SyncPayloadLimits} [limits]
+ * @returns {z.ZodType}
+ */
+export function createSyncResponseSchema(limits = DEFAULT_LIMITS) {
+  return z.object({
+    type: z.literal('sync-response'),
+    frontier: frontierSchema(limits.maxWritersInFrontier),
+    patches: z.array(patchEntrySchema(limits)).max(limits.maxPatches),
+  }).passthrough();
+}
+
+/** Default SyncResponse schema with default limits */
+export const SyncResponseSchema = createSyncResponseSchema();
+
+// ── Validation Helpers ──────────────────────────────────────────────────────
+
+/**
+ * Validates a sync request payload. Returns the parsed value or throws.
+ *
+ * Handles Map→object normalization for cbor-x compatibility.
+ *
+ * @param {unknown} payload - Raw parsed payload (from JSON.parse or cbor-x decode)
+ * @param {SyncPayloadLimits} [limits] - Resource limits
+ * @returns {{ ok: true, value: { type: 'sync-request', frontier: Record<string, string> } } | { ok: false, error: string }}
+ */
+export function validateSyncRequest(payload, limits = DEFAULT_LIMITS) {
+  // Normalize Map frontier from cbor-x
+  if (payload && typeof payload === 'object' && !Array.isArray(payload)) {
+    const p = /** @type {Record<string, unknown>} */ (payload);
+    if (p.frontier instanceof Map) {
+      const normalized = normalizeFrontier(p.frontier);
+      if (!normalized) {
+        return { ok: false, error: 'Invalid frontier: Map contains non-string entries' };
+      }
+      p.frontier = normalized;
+    }
+  }
+
+  const schema = limits === DEFAULT_LIMITS ? SyncRequestSchema : createSyncRequestSchema(limits);
+  const result = schema.safeParse(payload);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  return { ok: true, value: /** @type {{ type: 'sync-request', frontier: Record<string, string> }} */ (result.data) };
+}
+
+/**
+ * Validates a sync response payload. Returns the parsed value or an error.
+ *
+ * Handles Map→object normalization for cbor-x compatibility.
+ *
+ * @param {unknown} payload - Raw parsed payload
+ * @param {SyncPayloadLimits} [limits] - Resource limits
+ * @returns {{ ok: true, value: unknown } | { ok: false, error: string }}
+ */
+export function validateSyncResponse(payload, limits = DEFAULT_LIMITS) {
+  // Normalize Map frontier from cbor-x
+  if (payload && typeof payload === 'object' && !Array.isArray(payload)) {
+    const p = /** @type {Record<string, unknown>} */ (payload);
+    if (p.frontier instanceof Map) {
+      const normalized = normalizeFrontier(p.frontier);
+      if (!normalized) {
+        return { ok: false, error: 'Invalid frontier: Map contains non-string entries' };
+      }
+      p.frontier = normalized;
+    }
+  }
+
+  const schema = limits === DEFAULT_LIMITS ? SyncResponseSchema : createSyncResponseSchema(limits);
+  const result = schema.safeParse(payload);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  return { ok: true, value: result.data };
+}

package/src/domain/services/SyncProtocol.js

@@ -37,6 +37,7 @@
  */
 
 import defaultCodec from '../utils/defaultCodec.js';
+import nullLogger from '../utils/nullLogger.js';
 import { decodePatchMessage, assertOpsCompatible, SCHEMA_V3 } from './WarpMessageCodec.js';
 import { join, cloneStateV5 } from './JoinReducer.js';
 import { cloneFrontier, updateFrontier } from './Frontier.js';
@@ -267,11 +268,9 @@ export function computeSyncDelta(localFrontier, remoteFrontier) {
       newWritersForRemote.push(writerId);
     } else if (remoteSha !== localSha) {
       // Different heads - remote might need patches from its head to local head
-      // Only add if not already in needFromRemote (avoid double-counting)
-      // This handles the case where local is ahead of remote
-      if (!needFromRemote.has(writerId)) {
-        needFromLocal.set(writerId, { from: remoteSha, to: localSha });
-      }
+      // Always add both directions — ancestry is verified during loadPatchRange()
+      // which will throw E_SYNC_DIVERGENCE if neither side descends from the other (S3)
+      needFromLocal.set(writerId, { from: remoteSha, to: localSha });
     }
   }
 
@@ -315,6 +314,8 @@ export function computeSyncDelta(localFrontier, remoteFrontier) {
  *   - `writerId`: The writer who created this patch
  *   - `sha`: The commit SHA this patch came from (for frontier updates)
  *   - `patch`: The decoded patch object with ops and context
+ * @property {Array<{writerId: string, reason: string, localSha: string, remoteSha: string|null}>} [skippedWriters] - Writers that were skipped during sync
+ *   (e.g. due to trust gate filtering, divergence, or missing refs)
  */
 
 /**
@@ -375,6 +376,7 @@ export function createSyncRequest(frontier) {
  * @param {string} graphName - Graph name for error messages and logging
  * @param {Object} [options]
  * @param {import('../../ports/CodecPort.js').default} [options.codec] - Codec for deserialization
+ * @param {import('../../ports/LoggerPort.js').default} [options.logger] - Logger for divergence warnings
  * @returns {Promise<SyncResponse>} Response containing local frontier and patches.
  *   Patches are ordered chronologically within each writer.
  * @throws {Error} If patch loading fails for reasons other than divergence
@@ -388,7 +390,9 @@ export function createSyncRequest(frontier) {
  *   res.json(response);
  * });
  */
-export async function processSyncRequest(request, localFrontier, persistence, graphName, { codec } = /** @type {{ codec?: import('../../ports/CodecPort.js').default }} */ ({})) {
+export async function processSyncRequest(request, localFrontier, persistence, graphName, { codec, logger } = /** @type {{ codec?: import('../../ports/CodecPort.js').default, logger?: import('../../ports/LoggerPort.js').default }} */ ({})) {
+  const log = logger || nullLogger;
+
   // Convert incoming frontier from object to Map
   const remoteFrontier = new Map(Object.entries(request.frontier));
 
@@ -397,6 +401,8 @@ export async function processSyncRequest(request, localFrontier, persistence, gr
 
   // Load patches that the requester needs (from local to requester)
   const patches = [];
+  /** @type {Array<{writerId: string, reason: string, localSha: string, remoteSha: string|null}>} */
+  const skippedWriters = [];
 
   for (const [writerId, range] of delta.needFromRemote) {
     try {
@@ -413,9 +419,21 @@ export async function processSyncRequest(request, localFrontier, persistence, gr
         patches.push({ writerId, sha, patch });
       }
     } catch (err) {
-      // If we detect divergence, skip this writer
-      // The requester may need to handle this separately
+      // If we detect divergence, log and skip this writer (B65).
+      // The requester will not receive patches for this writer.
       if ((err instanceof Error && 'code' in err && /** @type {{ code: string }} */ (err).code === 'E_SYNC_DIVERGENCE') || (err instanceof Error && err.message?.includes('Divergence detected'))) {
+        const entry = {
+          writerId,
+          reason: 'E_SYNC_DIVERGENCE',
+          localSha: range.to,
+          remoteSha: range.from ?? '',
+        };
+        skippedWriters.push(entry);
+        log.warn('Sync divergence detected — skipping writer', {
+          code: 'E_SYNC_DIVERGENCE',
+          graphName,
+          ...entry,
+        });
         continue;
       }
       throw err;
@@ -433,6 +451,7 @@ export async function processSyncRequest(request, localFrontier, persistence, gr
     type: /** @type {'sync-response'} */ ('sync-response'),
     frontier: frontierObj,
     patches,
+    skippedWriters,
   };
 }
 

package/src/domain/services/SyncTrustGate.js

@@ -0,0 +1,146 @@
+/**
+ * SyncTrustGate -- Encapsulates trust evaluation for sync operations.
+ *
+ * Evaluates whether inbound patch authors are trusted according to the
+ * trust record chain. Used by SyncController to validate HTTP sync
+ * responses before applying patches.
+ *
+ * Trust-gates on `writersApplied` (patch authors being ingested), not
+ * frontier keys (which are claims, not effects).
+ *
+ * @module domain/services/SyncTrustGate
+ * @see B1 -- Signed sync ingress
+ */
+
+import nullLogger from '../utils/nullLogger.js';
+
+/**
+ * @typedef {'enforce'|'log-only'|'off'} TrustMode
+ */
+
+/**
+ * @typedef {Object} TrustGateResult
+ * @property {boolean} allowed - Whether the writers are trusted
+ * @property {string[]} untrustedWriters - Writers that failed trust evaluation
+ * @property {string} verdict - Human-readable verdict
+ */
+
+/** @type {() => TrustGateResult} */
+const PASS = () => ({ allowed: true, untrustedWriters: [], verdict: 'pass' });
+
+export default class SyncTrustGate {
+  /**
+   * @param {Object} options
+   * @param {{evaluateWriters: (writerIds: string[]) => Promise<{trusted: Set<string>}>}} [options.trustEvaluator] - Trust evaluator instance
+   * @param {TrustMode} [options.trustMode='off'] - Trust enforcement mode
+   * @param {import('../../ports/LoggerPort.js').default} [options.logger] - Logger
+   */
+  constructor({ trustEvaluator, trustMode = 'off', logger } = {}) {
+    this._evaluator = trustEvaluator || null;
+    this._mode = trustMode;
+    this._logger = logger || nullLogger;
+  }
+
+  /**
+   * Evaluates whether the given patch writers are trusted.
+   *
+   * @param {string[]} writerIds - Writer IDs from patches being applied
+   * @param {Object} [context] - Additional context for logging
+   * @param {string} [context.graphName] - Graph name
+   * @param {string} [context.peerId] - Remote peer identity (if authenticated)
+   * @returns {Promise<TrustGateResult>}
+   */
+  async evaluate(writerIds, context = {}) {
+    if (this._mode === 'off' || !this._evaluator) {
+      return { allowed: true, untrustedWriters: [], verdict: 'trust_disabled' };
+    }
+    if (writerIds.length === 0) {
+      return { allowed: true, untrustedWriters: [], verdict: 'no_writers' };
+    }
+
+    try {
+      const result = await this._evaluator.evaluateWriters(writerIds);
+      const untrusted = writerIds.filter((id) => !result.trusted.has(id));
+      return this._decide(untrusted, writerIds, context);
+    } catch (err) {
+      return this._handleError(err, writerIds, context);
+    }
+  }
+
+  /**
+   * Decides the gate result based on untrusted writers and mode.
+   * @param {string[]} untrusted
+   * @param {string[]} writerIds
+   * @param {Object} context
+   * @returns {TrustGateResult}
+   * @private
+   */
+  _decide(untrusted, writerIds, context) {
+    this._logger.info('Trust gate decision', {
+      code: 'SYNC_TRUST_GATE',
+      mode: this._mode,
+      writersApplied: writerIds,
+      untrustedWriters: untrusted,
+      verdict: untrusted.length === 0 ? 'pass' : 'fail',
+      ...context,
+    });
+
+    if (untrusted.length === 0) {
+      return PASS();
+    }
+
+    if (this._mode === 'enforce') {
+      this._logger.warn('Trust gate rejected untrusted writers', {
+        code: 'SYNC_TRUST_REJECTED',
+        untrustedWriters: untrusted,
+        ...context,
+      });
+      return { allowed: false, untrustedWriters: untrusted, verdict: 'rejected' };
+    }
+
+    this._logger.warn('Trust gate: untrusted writers allowed (log-only mode)', {
+      code: 'SYNC_TRUST_WARN',
+      untrustedWriters: untrusted,
+      ...context,
+    });
+    return { allowed: true, untrustedWriters: untrusted, verdict: 'warn_allowed' };
+  }
+
+  /**
+   * Handles trust evaluation errors with fail-open/fail-closed semantics.
+   * @param {unknown} err
+   * @param {string[]} writerIds
+   * @param {Object} context
+   * @returns {TrustGateResult}
+   * @private
+   */
+  _handleError(err, writerIds, context) {
+    this._logger.error('Trust gate evaluation failed', {
+      code: 'SYNC_TRUST_ERROR',
+      error: err instanceof Error ? err.message : String(err),
+      ...context,
+    });
+
+    if (this._mode === 'enforce') {
+      return { allowed: false, untrustedWriters: writerIds, verdict: 'error_rejected' };
+    }
+    return { allowed: true, untrustedWriters: [], verdict: 'error_allowed' };
+  }
+
+  /**
+   * Extracts writer IDs from patches in a sync response.
+   * These are the actual data authors being ingested — the trust target.
+   *
+   * @param {Array<{writerId: string}>} patches - Patches from sync response
+   * @returns {string[]} Deduplicated writer IDs
+   */
+  static extractWritersFromPatches(patches) {
+    const writers = new Set();
+    for (const { writerId } of patches) {
+      if (writerId) {
+        writers.add(writerId);
+      }
+    }
+    return [...writers];
+  }
+}

package/src/domain/services/TranslationCost.js

@@ -182,10 +182,10 @@ function computePropLoss(state, { nodesA, nodesBSet, configA, configB }) {
  */
 export function computeTranslationCost(configA, configB, state) {
   /** @param {unknown} m */
-  const isValidMatch = (m) => typeof m === 'string' || (Array.isArray(m) && m.every(/** @param {unknown} i */ i => typeof i === 'string'));
+  const isValidMatch = (m) => typeof m === 'string' || (Array.isArray(m) && m.length > 0 && m.every(/** @param {unknown} i */ i => typeof i === 'string'));
   if (!configA || !isValidMatch(configA.match) ||
       !configB || !isValidMatch(configB.match)) {
-    throw new Error('configA.match and configB.match must be strings or arrays of strings');
+    throw new Error('configA.match and configB.match must be non-empty strings or non-empty arrays of strings');
   }
   const allNodes = [...orsetElements(state.nodeAlive)];
   const nodesA = allNodes.filter((id) => matchGlob(configA.match, id));