@git-stunts/git-warp 12.1.0 → 12.2.1

package/src/domain/services/QueryBuilder.js

@@ -9,6 +9,27 @@ import { matchGlob } from '../utils/matchGlob.js';
 
 const DEFAULT_PATTERN = '*';
 
+/**
+ * Processes items in batches with bounded concurrency.
+ *
+ * @template T, R
+ * @param {T[]} items - Items to process
+ * @param {(item: T) => Promise<R>} fn - Async function to apply to each item
+ * @param {number} [limit=100] - Maximum concurrent operations per batch
+ * @returns {Promise<R[]>} Results in input order
+ */
+async function batchMap(items, fn, limit = 100) {
+  const results = [];
+  for (let i = 0; i < items.length; i += limit) {
+    const batch = items.slice(i, i + limit);
+    const batchResults = await Promise.all(batch.map(fn));
+    for (const r of batchResults) {
+      results.push(r);
+    }
+  }
+  return results;
+}
+
 /**
  * @typedef {Object} QueryNodeSnapshot
  * @property {string} id - The unique identifier of the node
@@ -200,6 +221,10 @@ function deepFreeze(obj) {
 /**
  * Creates a deep clone of a value.
  *
+ * Results are deep-frozen to prevent accidental mutation of cached state.
+ * structuredClone is preferred; JSON round-trip is the fallback for
+ * environments without structuredClone support.
+ *
  * Attempts structuredClone first (Node 17+ / modern browsers), falls back
  * to JSON round-trip, and returns the original value if both fail (e.g.,
  * for values containing functions or circular references).
@@ -652,22 +677,33 @@ export default class QueryBuilder {
 
     const pattern = this._pattern ?? DEFAULT_PATTERN;
 
+    // Per-run props memo to avoid redundant getNodeProps calls
+    /** @type {Map<string, Map<string, unknown>>} */
+    const propsMemo = new Map();
+    const getProps = async (/** @type {string} */ nodeId) => {
+      const cached = propsMemo.get(nodeId);
+      if (cached !== undefined) {
+        return cached;
+      }
+      const propsMap = (await this._graph.getNodeProps(nodeId)) || new Map();
+      propsMemo.set(nodeId, propsMap);
+      return propsMap;
+    };
+
     let workingSet;
     workingSet = allNodes.filter((nodeId) => matchGlob(pattern, nodeId));
 
     for (const op of this._operations) {
       if (op.type === 'where') {
-        const snapshots = await Promise.all(
-          workingSet.map(async (nodeId) => {
-            const propsMap = (await this._graph.getNodeProps(nodeId)) || new Map();
-            const edgesOut = adjacency.outgoing.get(nodeId) || [];
-            const edgesIn = adjacency.incoming.get(nodeId) || [];
-            return {
-              nodeId,
-              snapshot: createNodeSnapshot({ id: nodeId, propsMap, edgesOut, edgesIn }),
-            };
-          })
-        );
+        const snapshots = await batchMap(workingSet, async (nodeId) => {
+          const propsMap = await getProps(nodeId);
+          const edgesOut = adjacency.outgoing.get(nodeId) || [];
+          const edgesIn = adjacency.incoming.get(nodeId) || [];
+          return {
+            nodeId,
+            snapshot: createNodeSnapshot({ id: nodeId, propsMap, edgesOut, edgesIn }),
+          };
+        });
         const predicate = /** @type {(node: QueryNodeSnapshot) => boolean} */ (op.fn);
         const filtered = snapshots
           .filter(({ snapshot }) => predicate(snapshot))
@@ -698,7 +734,7 @@ export default class QueryBuilder {
     }
 
     if (this._aggregate) {
-      return await this._runAggregate(workingSet, stateHash);
+      return await this._runAggregate(workingSet, stateHash, getProps);
     }
 
     const selected = this._select;
@@ -718,22 +754,20 @@ export default class QueryBuilder {
     const includeId = !selectFields || selectFields.includes('id');
     const includeProps = !selectFields || selectFields.includes('props');
 
-    const nodes = await Promise.all(
-      workingSet.map(async (nodeId) => {
-        const entry = {};
-        if (includeId) {
-          entry.id = nodeId;
-        }
-        if (includeProps) {
-          const propsMap = (await this._graph.getNodeProps(nodeId)) || new Map();
-          const props = buildPropsSnapshot(propsMap);
-          if (selectFields || Object.keys(props).length > 0) {
-            entry.props = props;
-          }
+    const nodes = await batchMap(workingSet, async (nodeId) => {
+      const entry = {};
+      if (includeId) {
+        entry.id = nodeId;
+      }
+      if (includeProps) {
+        const propsMap = await getProps(nodeId);
+        const props = buildPropsSnapshot(propsMap);
+        if (selectFields || Object.keys(props).length > 0) {
+          entry.props = props;
         }
-        return entry;
-      })
-    );
+      }
+      return entry;
+    });
 
     return { stateHash, nodes };
   }
@@ -747,10 +781,11 @@ export default class QueryBuilder {
    *
    * @param {string[]} workingSet - Array of matched node IDs
    * @param {string} stateHash - Hash of the materialized state
+   * @param {(nodeId: string) => Promise<Map<string, unknown>>} getProps - Memoized props fetcher
    * @returns {Promise<AggregateResult>} Object containing stateHash and requested aggregation values
    * @private
    */
-  async _runAggregate(workingSet, stateHash) {
+  async _runAggregate(workingSet, stateHash, getProps) {
     const spec = /** @type {AggregateSpec} */ (this._aggregate);
     /** @type {AggregateResult} */
     const result = { stateHash };
@@ -773,8 +808,10 @@ export default class QueryBuilder {
         });
       }
 
-      for (const nodeId of workingSet) {
-        const propsMap = (await this._graph.getNodeProps(nodeId)) || new Map();
+      // Pre-fetch all props with bounded concurrency
+      const propsList = await batchMap(workingSet, getProps);
+
+      for (const propsMap of propsList) {
         for (const { segments, values } of propsByAgg.values()) {
           /** @type {unknown} */
           let value = propsMap.get(segments[0]);

package/src/domain/services/SyncController.js

@@ -11,6 +11,7 @@
 import SyncError from '../errors/SyncError.js';
 import OperationAbortedError from '../errors/OperationAbortedError.js';
 import { QueryError, E_NO_STATE_MSG } from '../warp/_internal.js';
+import { validateSyncResponse } from './SyncPayloadSchema.js';
 import {
   createSyncRequest as createSyncRequestImpl,
   processSyncRequest as processSyncRequestImpl,
@@ -25,6 +26,7 @@ import { collectGCMetrics } from './GCMetrics.js';
 import HttpSyncServer from './HttpSyncServer.js';
 import { signSyncRequest, canonicalizePath } from './SyncAuthService.js';
 import { isError } from '../types/WarpErrors.js';
+import SyncTrustGate from './SyncTrustGate.js';
 
 /** @typedef {import('../types/WarpPersistence.js').CorePersistence} CorePersistence */
 
@@ -49,6 +51,7 @@ import { isError } from '../types/WarpErrors.js';
  * @property {number} _patchesSinceCheckpoint
  * @property {(op: string, t0: number, opts?: {metrics?: string, error?: Error}) => void} _logTiming
  * @property {(options?: Record<string, unknown>) => Promise<unknown>} materialize
+ * @property {(state: import('../services/JoinReducer.js').WarpStateV5) => Promise<unknown>} _setMaterializedState
  * @property {() => Promise<string[]>} discoverWriters
  */
 
@@ -128,10 +131,14 @@ async function buildSyncAuthHeaders({ auth, bodyStr, targetUrl, crypto }) {
 export default class SyncController {
   /**
    * @param {SyncHost} host - The WarpGraph instance (or any object satisfying SyncHost)
+   * @param {Object} [options]
+   * @param {SyncTrustGate} [options.trustGate] - Trust gate for evaluating patch authors
    */
-  constructor(host) {
+  constructor(host, options = {}) {
     /** @type {SyncHost} */
     this._host = host;
+    /** @type {SyncTrustGate|null} */
+    this._trustGate = options.trustGate || null;
   }
 
   /**
@@ -268,7 +275,7 @@ export default class SyncController {
       localFrontier,
       persistence,
       this._host._graphName,
-      { codec: this._host._codec }
+      { codec: this._host._codec, logger: this._host._logger || undefined }
     );
   }
 
@@ -282,18 +289,58 @@ export default class SyncController {
    * @returns {{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number}} Result with updated state and frontier
    * @throws {import('../errors/QueryError.js').default} If no cached state exists (code: `E_NO_STATE`)
    */
-  applySyncResponse(response) {
+  /**
+   * Applies a sync response to the local graph state.
+   * Updates the cached state with received patches.
+   *
+   * When a trust gate is configured, evaluates patch authors (writersApplied)
+   * against trust policy. In enforce mode, untrusted writers cause rejection
+   * before any state mutation.
+   *
+   * **Requires a cached state.**
+   *
+   * @param {import('./SyncProtocol.js').SyncResponse} response - The sync response
+   * @returns {Promise<{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number, trustVerdict?: string, writersApplied?: string[], skippedWriters: Array<{writerId: string, reason: string, localSha: string, remoteSha: string|null}>}>} Result with updated state and frontier
+   * @throws {import('../errors/QueryError.js').default} If no cached state exists (code: `E_NO_STATE`)
+   * @throws {SyncError} If trust gate rejects untrusted writers (code: `E_SYNC_UNTRUSTED_WRITER`)
+   */
+  async applySyncResponse(response) {
     if (!this._host._cachedState) {
       throw new QueryError(E_NO_STATE_MSG, {
         code: 'E_NO_STATE',
       });
     }
 
+    // Extract actual patch authors for trust evaluation (B1)
+    const writersApplied = SyncTrustGate.extractWritersFromPatches(response.patches || []);
+
+    // Evaluate trust BEFORE applying any patches
+    if (this._trustGate && writersApplied.length > 0) {
+      const verdict = await this._trustGate.evaluate(writersApplied, {
+        graphName: this._host._graphName,
+      });
+      if (!verdict.allowed) {
+        throw new SyncError('Sync rejected: untrusted writer(s)', {
+          code: 'E_SYNC_UNTRUSTED_WRITER',
+          context: {
+            writersApplied,
+            untrustedWriters: verdict.untrustedWriters,
+            verdict: verdict.verdict,
+          },
+        });
+      }
+    }
+
     const currentFrontier = this._host._lastFrontier || createFrontier();
     const result = /** @type {{state: import('./JoinReducer.js').WarpStateV5, frontier: Map<string, string>, applied: number}} */ (applySyncResponseImpl(response, this._host._cachedState, currentFrontier));
 
-    // Update cached state
-    this._host._cachedState = result.state;
+    // Route through canonical state-install path (B105 / C1 fix).
+    // _setMaterializedState sets _cachedState, clears _stateDirty, computes
+    // state hash, builds adjacency, and rebuilds indexes via _buildView().
+    // Bookkeeping is deferred until after install succeeds so that a failed
+    // _setMaterializedState does not leave _lastFrontier/_patchesSinceGC
+    // advanced while _cachedState remains stale.
+    await this._host._setMaterializedState(result.state);
 
     // Keep _lastFrontier in sync so hasFrontierChanged() won't misreport stale.
     this._host._lastFrontier = result.frontier;
@@ -301,10 +348,7 @@ export default class SyncController {
     // Track patches for GC
     this._host._patchesSinceGC += result.applied;
 
-    // State is now in sync with the frontier -- clear dirty flag
-    this._host._stateDirty = false;
-
-    return result;
+    return { ...result, writersApplied, skippedWriters: response.skippedWriters || [] };
   }
 
   /**
@@ -333,7 +377,7 @@ export default class SyncController {
    * @param {(event: {type: string, attempt: number, durationMs?: number, status?: number, error?: Error}) => void} [options.onStatus]
    * @param {boolean} [options.materialize=false] - Auto-materialize after sync
    * @param {{ secret: string, keyId?: string }} [options.auth] - Client auth credentials
-   * @returns {Promise<{applied: number, attempts: number, state?: import('./JoinReducer.js').WarpStateV5}>}
+   * @returns {Promise<{applied: number, attempts: number, skippedWriters: Array<{writerId: string, reason: string, localSha: string, remoteSha: string|null}>, state?: import('./JoinReducer.js').WarpStateV5}>}
    */
   async syncWith(remote, options = {}) {
     const t0 = this._host._clock.now();
@@ -468,12 +512,12 @@ export default class SyncController {
         }
       }
 
-      if (!response || typeof response !== 'object' ||
-        response.type !== 'sync-response' ||
-        !response.frontier || typeof response.frontier !== 'object' || Array.isArray(response.frontier) ||
-        !Array.isArray(response.patches)) {
-        throw new SyncError('Invalid sync response', {
-          code: 'E_SYNC_PROTOCOL',
+      // Validate response shape + resource limits via Zod schema (B64).
+      // For HTTP responses, always validate — untrusted boundary.
+      const validation = validateSyncResponse(response);
+      if (!validation.ok) {
+        throw new SyncError(`Invalid sync response: ${validation.error}`, {
+          code: 'E_SYNC_PAYLOAD_INVALID',
         });
       }
 
@@ -482,12 +526,12 @@ export default class SyncController {
         emit('materialized');
       }
 
-      const result = this.applySyncResponse(response);
+      const result = await this.applySyncResponse(response);
       emit('applied', { applied: result.applied });
 
       const durationMs = this._host._clock.now() - attemptStart;
       emit('complete', { durationMs, applied: result.applied });
-      return { applied: result.applied, attempts: attempt };
+      return { applied: result.applied, attempts: attempt, skippedWriters: result.skippedWriters || [] };
     };
 
     try {

package/src/domain/services/SyncPayloadSchema.js

@@ -0,0 +1,236 @@
+/**
+ * SyncPayloadSchema -- Zod schemas for sync protocol messages.
+ *
+ * Validates both shape and resource limits for sync requests and responses
+ * at the trust boundary (HTTP ingress/egress). Prevents malformed or
+ * oversized payloads from reaching the CRDT merge engine.
+ *
+ * @module domain/services/SyncPayloadSchema
+ * @see B64 -- Sync ingress payload validation
+ */
+
+import { z } from 'zod';
+
+// ── Resource Limits ─────────────────────────────────────────────────────────
+
+/**
+ * Default resource limits for sync payload validation.
+ * Configurable per-deployment via `createSyncResponseSchema(limits)`.
+ *
+ * @typedef {Object} SyncPayloadLimits
+ * @property {number} maxWritersInFrontier - Maximum writers in a frontier object
+ * @property {number} maxPatches - Maximum patches in a sync response
+ * @property {number} maxOpsPerPatch - Maximum operations per patch
+ * @property {number} maxStringBytes - Maximum bytes for string values (writer ID, node ID, etc.)
+ * @property {number} maxBlobBytes - Maximum bytes for blob values
+ */
+
+/** @type {Readonly<SyncPayloadLimits>} */
+export const DEFAULT_LIMITS = Object.freeze({
+  maxWritersInFrontier: 10_000,
+  maxPatches: 100_000,
+  maxOpsPerPatch: 50_000,
+  maxStringBytes: 4096,
+  maxBlobBytes: 16 * 1024 * 1024,
+});
+
+// ── Schema Version ──────────────────────────────────────────────────────────
+
+/**
+ * Current sync protocol schema version.
+ * Responses with unknown versions are rejected.
+ */
+export const SYNC_SCHEMA_VERSION = 1;
+
+// ── Shared Primitives ───────────────────────────────────────────────────────
+
+/**
+ * Bounded string: rejects strings exceeding maxStringBytes.
+ * @param {number} maxBytes
+ * @returns {z.ZodString}
+ */
+function boundedString(maxBytes) {
+  return z.string().max(maxBytes);
+}
+
+// ── Frontier Schema ─────────────────────────────────────────────────────────
+
+/**
+ * Normalizes a frontier value that may be a Map (cbor-x decodes maps)
+ * or a plain object into a validated plain object.
+ *
+ * @param {unknown} value
+ * @returns {Record<string, string>|null} Normalized object, or null if invalid
+ */
+export function normalizeFrontier(value) {
+  if (value instanceof Map) {
+    /** @type {Record<string, string>} */
+    const obj = {};
+    for (const [k, v] of value) {
+      if (typeof k !== 'string' || typeof v !== 'string') {
+        return null;
+      }
+      obj[k] = v;
+    }
+    return obj;
+  }
+  if (value && typeof value === 'object' && !Array.isArray(value)) {
+    return /** @type {Record<string, string>} */ (value);
+  }
+  return null;
+}
+
+/**
+ * Creates a frontier schema with a size limit.
+ *
+ * Frontier values are strings (typically hex SHAs) but we don't enforce
+ * hex format here — semantic SHA validation happens at a higher level.
+ * This schema validates shape + resource limits only.
+ *
+ * @param {number} maxWriters
+ * @returns {z.ZodType<Record<string, string>>}
+ */
+function frontierSchema(maxWriters) {
+  return /** @type {z.ZodType<Record<string, string>>} */ (z.record(
+    boundedString(256),
+    z.string(),
+  ).refine(
+    (obj) => Object.keys(obj).length <= maxWriters,
+    (obj) => ({ message: `Frontier exceeds max writers: ${Object.keys(obj).length} > ${maxWriters}` }),
+  ));
+}
+
+// ── Op Schema ───────────────────────────────────────────────────────────────
+
+/**
+ * Minimal op validation — checks for type field and basic shape.
+ * Deeper semantic validation happens in JoinReducer/WarpMessageCodec.
+ */
+const opSchema = z.object({
+  type: z.string(),
+}).passthrough();
+
+// ── Patch Schema ────────────────────────────────────────────────────────────
+
+/**
+ * Creates a patch schema with ops limit.
+ * @param {SyncPayloadLimits} limits
+ */
+function patchSchema(limits) {
+  return z.object({
+    schema: z.number().int().min(1).optional(),
+    writer: boundedString(limits.maxStringBytes).optional(),
+    lamport: z.number().int().min(0).optional(),
+    ops: z.array(opSchema).max(limits.maxOpsPerPatch),
+    context: z.unknown().optional(),
+  }).passthrough();
+}
+
+/**
+ * Creates a patches-array entry schema.
+ * @param {SyncPayloadLimits} limits
+ */
+function patchEntrySchema(limits) {
+  return z.object({
+    writerId: boundedString(limits.maxStringBytes),
+    sha: z.string(),
+    patch: patchSchema(limits),
+  });
+}
+
+// ── Sync Request Schema ─────────────────────────────────────────────────────
+
+/**
+ * Creates a validated SyncRequest schema.
+ * @param {SyncPayloadLimits} [limits]
+ * @returns {z.ZodType}
+ */
+export function createSyncRequestSchema(limits = DEFAULT_LIMITS) {
+  return z.object({
+    type: z.literal('sync-request'),
+    frontier: frontierSchema(limits.maxWritersInFrontier),
+  }).strict();
+}
+
+/** Default SyncRequest schema with default limits */
+export const SyncRequestSchema = createSyncRequestSchema();
+
+// ── Sync Response Schema ────────────────────────────────────────────────────
+
+/**
+ * Creates a validated SyncResponse schema.
+ * @param {SyncPayloadLimits} [limits]
+ * @returns {z.ZodType}
+ */
+export function createSyncResponseSchema(limits = DEFAULT_LIMITS) {
+  return z.object({
+    type: z.literal('sync-response'),
+    frontier: frontierSchema(limits.maxWritersInFrontier),
+    patches: z.array(patchEntrySchema(limits)).max(limits.maxPatches),
+  }).passthrough();
+}
+
+/** Default SyncResponse schema with default limits */
+export const SyncResponseSchema = createSyncResponseSchema();
+
+// ── Validation Helpers ──────────────────────────────────────────────────────
+
+/**
+ * Validates a sync request payload. Returns the parsed value or throws.
+ *
+ * Handles Map→object normalization for cbor-x compatibility.
+ *
+ * @param {unknown} payload - Raw parsed payload (from JSON.parse or cbor-x decode)
+ * @param {SyncPayloadLimits} [limits] - Resource limits
+ * @returns {{ ok: true, value: { type: 'sync-request', frontier: Record<string, string> } } | { ok: false, error: string }}
+ */
+export function validateSyncRequest(payload, limits = DEFAULT_LIMITS) {
+  // Normalize Map frontier from cbor-x
+  if (payload && typeof payload === 'object' && !Array.isArray(payload)) {
+    const p = /** @type {Record<string, unknown>} */ (payload);
+    if (p.frontier instanceof Map) {
+      const normalized = normalizeFrontier(p.frontier);
+      if (!normalized) {
+        return { ok: false, error: 'Invalid frontier: Map contains non-string entries' };
+      }
+      p.frontier = normalized;
+    }
+  }
+
+  const schema = limits === DEFAULT_LIMITS ? SyncRequestSchema : createSyncRequestSchema(limits);
+  const result = schema.safeParse(payload);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  return { ok: true, value: /** @type {{ type: 'sync-request', frontier: Record<string, string> }} */ (result.data) };
+}
+
+/**
+ * Validates a sync response payload. Returns the parsed value or an error.
+ *
+ * Handles Map→object normalization for cbor-x compatibility.
+ *
+ * @param {unknown} payload - Raw parsed payload
+ * @param {SyncPayloadLimits} [limits] - Resource limits
+ * @returns {{ ok: true, value: unknown } | { ok: false, error: string }}
+ */
+export function validateSyncResponse(payload, limits = DEFAULT_LIMITS) {
+  // Normalize Map frontier from cbor-x
+  if (payload && typeof payload === 'object' && !Array.isArray(payload)) {
+    const p = /** @type {Record<string, unknown>} */ (payload);
+    if (p.frontier instanceof Map) {
+      const normalized = normalizeFrontier(p.frontier);
+      if (!normalized) {
+        return { ok: false, error: 'Invalid frontier: Map contains non-string entries' };
+      }
+      p.frontier = normalized;
+    }
+  }
+
+  const schema = limits === DEFAULT_LIMITS ? SyncResponseSchema : createSyncResponseSchema(limits);
+  const result = schema.safeParse(payload);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  return { ok: true, value: result.data };
+}