@githolon/testing 0.19.0 → 0.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@githolon/testing",
3
- "version": "0.19.0",
3
+ "version": "0.21.0",
4
4
  "type": "module",
5
5
  "description": "@githolon/testing — law TDD for Nomos domains: boot the REAL engine plane in-process (the exact machinery every cloud DO, heavy container and web client runs), dispatch directives, assert rows, assert TYPED REFUSALS, fork for what-ifs — fully offline inside vitest.",
6
6
  "license": "SEE LICENSE IN LICENSE.md",
@@ -995,8 +995,7 @@ export async function replicateIntents(eng, ws, ledger, intents, { push = true }
995
995
  * main once. This is still untrusted work: owner-only/control-plane/receipt
996
996
  * writes are refused or dead-lettered exactly like session refs.
997
997
  */
998
- export async function admitIntentOffers(eng, ws, ledger, offers, { refuseDomains = [], receiptFence = null, shardRouting = null, clientBase = null, defer = false } = {}) {
999
- const refuse = new Set(refuseDomains);
998
+ export async function admitIntentOffers(eng, ws, ledger, offers, { receiptFence = null, shardRouting = null, clientBase = null, defer = false } = {}) {
1000
999
  const main = await mainIntentIds(eng, ws);
1001
1000
  const sessions = new Map();
1002
1001
  const deadLetters = [];
@@ -1048,14 +1047,13 @@ export async function admitIntentOffers(eng, ws, ledger, offers, { refuseDomains
1048
1047
  const dirId = typeof doc?.payload?.directiveId === "string" ? doc.payload.directiveId : null;
1049
1048
  const oid = String(offer?.oid || intentId || "").slice(0, 10);
1050
1049
  // THE GATE DECIDES (offer-kernel doctrine — OFFER_KERNEL_ARCHITECTURE.dot): the adapter does NOT
1051
- // pre-filter control-plane (`nomos`/`bootstrap`) intents by domain string that was the adapter
1052
- // "choosing admission", which the doctrine forbids. An install/governance offer rides the SAME lane;
1053
- // the kernel gate refuses an author who lacks the declared relation (installDomain.requiresRelationGate
1054
- // = {relation:"installDomain", object:"workspace:self"}), so an unauthorized control-plane write is a
1055
- // TYPED GATE refusal, not a adapter verdict. Only `!dom` (malformed) and the explicit per-workspace
1056
- // `refuse` fence (root's `workspaces` governance lane) stay — those are structural, not authority.
1057
- if (!dom || refuse.has(dom)) {
1058
- rec.rejected.push({ oid, error: `${dom ? `'${dom}' is adapter-fenced on this workspace` : "non-authored intent"} — governance enters its own admin lane` });
1050
+ // pre-filter ANY intent by domain string. An install/governance offer rides the SAME lane; the kernel
1051
+ // gate refuses an author who lacks the declared relation, so an unauthorized control-plane write is a
1052
+ // TYPED GATE refusal, never an adapter verdict. host does no authority — the kernel gates the control
1053
+ // plane (open until the warrant-flip arms signature verification on root/co2). Only `!dom` (malformed
1054
+ // bytes structural, not authority) stays.
1055
+ if (!dom) {
1056
+ rec.rejected.push({ oid, error: "non-authored intent — governance enters its own admin lane" });
1059
1057
  continue;
1060
1058
  }
1061
1059
  if (receiptFence && dirId && Array.isArray(receiptFence[dom]) && receiptFence[dom].includes(dirId)) {
@@ -1137,7 +1135,11 @@ export async function admitIntentOffers(eng, ws, ledger, offers, { refuseDomains
1137
1135
  } catch { /* fall back to the client's own GET /pack */ }
1138
1136
  }
1139
1137
  log("admit-intent-offers", { ws, sessions: sessions.size, admitted: admittedTotal, rejected: [...sessions.values()].reduce((n, s) => n + s.rejected.length, 0), resultPack: resultPackB64 ? "inline" : "none" });
1140
- return { sessions: [...sessions.values()].map((s) => ({ ...s, ...(s.skipped.length ? {} : { skipped: undefined }) })), main: head, deadLetters, timings, ...(summary ? { summary } : {}), ...(born.length ? { born } : {}), ...(resultPackB64 ? { resultPackB64, resultBase: clientBase } : {}), ...(deferDurability && admittedTotal && head ? { deferred: true, head } : {}) };
1138
+ // G3 COLD-STORAGE: a `.births()` offer in this batch produced child custody in this engine's FS (the sibling
1139
+ // repos). Pack each born child's full chain BEFORE returning so the bytes ride out for the worker to persist
1140
+ // to the child's own Artifacts repo (the host names nothing — it shuttles kernel-produced bytes keyed by ws).
1141
+ const bornPacked = born.length ? packBornChildren(eng, born) : born;
1142
+ return { sessions: [...sessions.values()].map((s) => ({ ...s, ...(s.skipped.length ? {} : { skipped: undefined }) })), main: head, deadLetters, timings, ...(summary ? { summary } : {}), ...(bornPacked.length ? { born: bornPacked } : {}), ...(resultPackB64 ? { resultPackB64, resultBase: clientBase } : {}), ...(deferDurability && admittedTotal && head ? { deferred: true, head } : {}) };
1141
1143
  }
1142
1144
 
1143
1145
  /**
@@ -1175,9 +1177,12 @@ export async function authorOn(eng, ws, ledger, domain, directiveId, payload, la
1175
1177
  }
1176
1178
  if (res && res.ok === false) return { ok: false, error: String(res.error || "the law refused this intent").slice(0, 500) };
1177
1179
  await commitAndPush(eng, ws, ledger);
1178
- // KEEP `born`: a `.births()` directive authored here ran the G3 birth offer-effect; surface the child
1179
- // heads so the container author case worker out.born relays them (the host persists the child custody).
1180
- return { ok: true, head: res.head, ...(res.born ? { born: res.born } : {}) };
1180
+ // G3 COLD-STORAGE: a `.births()` directive authored here ran the kernel birth offer-effect, which wrote each
1181
+ // child's custody to a sibling repo in this engine's FS. Pack each born child's full chain so the container
1182
+ // author case worker relays the bytes and the worker persists them to the child's OWN Artifacts repo. The
1183
+ // PARENT's main was already pushed above; the child custody is a SEPARATE store the host must ship.
1184
+ const bornPacked = Array.isArray(res.born) && res.born.length ? packBornChildren(eng, res.born) : res.born;
1185
+ return { ok: true, head: res.head, ...(bornPacked ? { born: bornPacked } : {}) };
1181
1186
  }
1182
1187
 
1183
1188
  /**
@@ -1899,6 +1904,63 @@ export function servePack(eng, ws, base = "") {
1899
1904
  if (!r || r.ok !== true || typeof r.packB64 !== "string") throw new Error("servePack: kernel produced no pack");
1900
1905
  return { packB64: r.packB64, bytes: r.bytes };
1901
1906
  }
1907
+
1908
+ // ── G3 COLD-STORAGE: SURFACE THE BORN CHILD'S CUSTODY BYTES (the host-bailiff persist lane) ──────────────
1909
+ // The kernel's birth offer-effect (`run_birth_effect`) wrote each born child's whole genesis→head custody to
1910
+ // a SIBLING repo IN THIS ENGINE'S FS — `sibling_repo_arg(parent_repo_arg, child)` == `/work/ws/<child>` ==
1911
+ // `repoArgOf(child)` (the kernel names no DO/container topology; it writes a path the host already keys by ws
1912
+ // name). That custody lives ONLY in the engine FS until the HOST ships it to the child's OWN custody store.
1913
+ // So pack each born child's FULL chain (base="" ⇒ genesis→head) straight from its sibling repo and carry the
1914
+ // bytes OUT on the born entry; the worker (which holds the Artifacts binding) creates the child repo + pushes
1915
+ // the pack to refs/heads/main. Host-pure: the adapter NAMES no domain, DECIDES nothing — it shuttles the
1916
+ // kernel-produced child custody keyed by the kernel-returned `{workspace, head}`. A child whose pack can't be
1917
+ // produced keeps its entry WITHOUT packB64 (+ logs) so the worker SURFACES the failure (the physical birth is
1918
+ // never silently dropped). Returns the born array with packB64 added where it could be packed.
1919
+ export function packBornChildren(eng, born) {
1920
+ if (!Array.isArray(born) || !born.length) return born;
1921
+ return born.map((b) => {
1922
+ const child = b && typeof b.workspace === "string" ? b.workspace : null;
1923
+ const head = b && typeof b.head === "string" ? b.head : null;
1924
+ if (!child || !/^[0-9a-f]{40}$/i.test(head || "")) {
1925
+ log("born-pack-skipped", { workspace: child, head, reason: "malformed born entry" });
1926
+ return b;
1927
+ }
1928
+ try {
1929
+ // base="" ⇒ the FULL pack of everything reachable from the child's head (genesis→head). The kernel
1930
+ // resolves the child's main itself from the sibling repo at repoArgOf(child).
1931
+ const pack = packDelta(eng, child, "", head);
1932
+ if (!pack || !pack.length) {
1933
+ log("born-pack-empty", { workspace: child, head });
1934
+ return b;
1935
+ }
1936
+ return { ...b, packB64: b64Bytes(pack), packBytes: pack.length };
1937
+ } catch (e) {
1938
+ log("born-pack-failed", { workspace: child, head, error: String(e).slice(0, 200) });
1939
+ return b;
1940
+ }
1941
+ });
1942
+ }
1943
+
1944
+ // ── INGEST A CUSTODY PACK AS A WORKSPACE'S OWN STORE (the host-side twin of the worker's pushPack persist) ──
1945
+ // Stage a FRESH bare repo for `ws` in THIS engine's FS, ingest the kernel-built `packBytes` (apply_pack — the
1946
+ // inbound twin of pack_delta; objects land PACKED), then point refs/heads/main + HEAD at `head`. This is what
1947
+ // a peer/edge does on receiving a workspace's pack over the wire: it holds ONLY the pack, no parent FS. The
1948
+ // cross-workspace birth proof uses it to mount a born child from an INDEPENDENT custody store (not the parent
1949
+ // engine FS) — proving the host-bailiff persist is what makes the child servable on its own. `packBytes` is a
1950
+ // Uint8Array (the bytes packBornChildren / the worker's b64-decoded packB64 carry).
1951
+ export async function ingestPackAsCustody(eng, ws, packBytes, head) {
1952
+ if (!packBytes || !packBytes.length) throw new Error(`ingestPackAsCustody: empty pack for '${ws}'`);
1953
+ if (!/^[0-9a-f]{40}$/i.test(head || "")) throw new Error(`ingestPackAsCustody: bad head '${head}' for '${ws}'`);
1954
+ unmount(eng, ws);
1955
+ stageWorkspaceDir(eng, ws);
1956
+ const gitdir = gitdirOf(ws);
1957
+ await custodySkeleton(eng, gitdir);
1958
+ applyPackInto(eng, ws, packBytes); // kernel apply_pack — ingests the genesis→head objects
1959
+ kgit.writeRef(eng, gitdir, "refs/heads/main", head);
1960
+ kgit.writeRef(eng, gitdir, "HEAD", "ref: refs/heads/main");
1961
+ eng.mounted.set(ws, { restored: true, remoteMain: head, restoreError: null });
1962
+ return { ok: true, head: kgit.resolveRef(eng, gitdir, "refs/heads/main") };
1963
+ }
1902
1964
  export const nomosActive = (eng, ws) => qById(eng, ws, `domain-installation:${eng.hashes.nomos}`).length > 0;
1903
1965
  // E2E crypto linkage probe (the encryption arc): run the wrap→unwrap + field seal→open
1904
1966
  // INSIDE the deployable wasm. Pure — no workspace, no chain. Returns {wrapHandoff, fieldAead}.
@@ -1967,8 +2029,7 @@ async function mainIntentIds(eng, ws) {
1967
2029
  * engine has no durable store), obvious attacks drop. Admitted intents merge to main,
1968
2030
  * durably push, the branch is consumed.
1969
2031
  */
1970
- export async function admitAll(eng, ws, ledger, { refuseDomains = [], receiptFence = null, shardRouting = null, defer = false } = {}) {
1971
- const refuse = new Set(refuseDomains);
2032
+ export async function admitAll(eng, ws, ledger, { receiptFence = null, shardRouting = null, defer = false } = {}) {
1972
2033
  const routes = shardRouting ? directiveRoutes(eng) : null;
1973
2034
  const gitdir = gitdirOf(ws);
1974
2035
  // FRESH HEADER COPY PER GIT OP. isomorphic-git's `discover` MUTATES the headers object it's given
@@ -2082,12 +2143,13 @@ export async function admitAll(eng, ws, ledger, { refuseDomains = [], receiptFen
2082
2143
  const blob = bytesFromB64(c.intentB64);
2083
2144
  let dom = null, intentId = null, dirId = null;
2084
2145
  try { const doc = JSON.parse(dec.decode(blob)); intentId = typeof doc.id === "string" ? doc.id : null; dom = doc && doc.payload && typeof doc.payload.domain === "string" ? doc.payload.domain : null; dirId = doc && doc.payload && typeof doc.payload.directiveId === "string" ? doc.payload.directiveId : null; } catch {}
2085
- // THE GATE DECIDES (offer-kernel doctrine): no adapter domain-string filter for control-plane
2086
- // an install/governance offer rides the SAME lane and the kernel gate refuses an author lacking
2087
- // the declared relation (a TYPED gate refusal, not a adapter verdict). Only `!dom` (malformed) and
2088
- // the explicit `refuse` fence (root's `workspaces` governance lane) stay structural, not authority.
2089
- if (!dom || refuse.has(dom)) {
2090
- rejected.push({ oid: oid.slice(0, 10), error: `${dom ? `'${dom}' is adapter-fenced on this workspace` : "non-authored intent"} — governance enters its own admin lane` });
2146
+ // THE GATE DECIDES (offer-kernel doctrine): no adapter domain-string filter for ANY intent an
2147
+ // install/governance offer rides the SAME lane and the kernel gate refuses an author lacking the
2148
+ // declared relation (a TYPED gate refusal, never an adapter verdict). host does no authority — the
2149
+ // kernel gates the control plane (open until the warrant-flip arms signature verification on
2150
+ // root/co2). Only `!dom` (malformed bytes — structural, not authority) stays.
2151
+ if (!dom) {
2152
+ rejected.push({ oid: oid.slice(0, 10), error: "non-authored intent — governance enters its own admin lane" });
2091
2153
  continue;
2092
2154
  }
2093
2155
  // THE RECEIPT FENCE (capability_marketplace.md slice 1.5 — the ratified
@@ -2579,12 +2641,16 @@ export async function boot(eng, ws, ledger) {
2579
2641
  }
2580
2642
 
2581
2643
  /** Install a tenant package under the nomos controller (validation is the ADAPTER's job). */
2582
- export async function deploy(eng, ws, ledger, usda, domainHash, dispositions) {
2644
+ export async function deploy(eng, ws, ledger, usda, domainHash, dispositions, opts = {}) {
2583
2645
  // THE EVOLVE-GATE ANSWER LANE (#58): `dispositions` ({retired, retyped, rebinds,
2584
2646
  // ackBy}) ride the committed installDomain payload — IN-HISTORY facts the one gate
2585
2647
  // adjudicates the stable-id diff against. Absent for the common (non-destructive)
2586
2648
  // upgrade; the gate's typed refusal names the remedy when one is needed.
2587
- const result = author(eng, ws, "nomos", "installDomain", installPayload(domainHash, usda, eng.installedBy, dispositions), eng.hashes.nomos);
2649
+ // THE DEPLOYER's attested identity (actor + raw token) rides the install author exactly as the `offer`
2650
+ // verb threads it — the kernel judges whether this principal holds the `installDomain` relation. Empty
2651
+ // actor (the default) preserves the genesis-virgin / broadly-held-relation install path (backward-compat);
2652
+ // a present actor lets an AUTHORIZED non-virgin evolve admit instead of being refused for want of authority.
2653
+ const result = author(eng, ws, "nomos", "installDomain", installPayload(domainHash, usda, eng.installedBy, dispositions), eng.hashes.nomos, { actor: opts.actor ?? "", ...(opts.authToken ? { authToken: opts.authToken } : {}) });
2588
2654
  // ATOMICITY: VALIDATE the post-install projection BEFORE committing to custody. The install's
2589
2655
  // read manifest is re-derived on this read; if it cannot fold (e.g. a divergent read-projection
2590
2656
  // declaration the kernel refuses), this THROWS — and because we have NOT yet pushed, custody