@githolon/testing 0.19.0 → 0.21.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/vendor/engine/engine.mjs +90 -24
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@githolon/testing",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.21.0",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "@githolon/testing — law TDD for Nomos domains: boot the REAL engine plane in-process (the exact machinery every cloud DO, heavy container and web client runs), dispatch directives, assert rows, assert TYPED REFUSALS, fork for what-ifs — fully offline inside vitest.",
|
|
6
6
|
"license": "SEE LICENSE IN LICENSE.md",
|
package/vendor/engine/engine.mjs
CHANGED
|
@@ -995,8 +995,7 @@ export async function replicateIntents(eng, ws, ledger, intents, { push = true }
|
|
|
995
995
|
* main once. This is still untrusted work: owner-only/control-plane/receipt
|
|
996
996
|
* writes are refused or dead-lettered exactly like session refs.
|
|
997
997
|
*/
|
|
998
|
-
export async function admitIntentOffers(eng, ws, ledger, offers, {
|
|
999
|
-
const refuse = new Set(refuseDomains);
|
|
998
|
+
export async function admitIntentOffers(eng, ws, ledger, offers, { receiptFence = null, shardRouting = null, clientBase = null, defer = false } = {}) {
|
|
1000
999
|
const main = await mainIntentIds(eng, ws);
|
|
1001
1000
|
const sessions = new Map();
|
|
1002
1001
|
const deadLetters = [];
|
|
@@ -1048,14 +1047,13 @@ export async function admitIntentOffers(eng, ws, ledger, offers, { refuseDomains
|
|
|
1048
1047
|
const dirId = typeof doc?.payload?.directiveId === "string" ? doc.payload.directiveId : null;
|
|
1049
1048
|
const oid = String(offer?.oid || intentId || "").slice(0, 10);
|
|
1050
1049
|
// THE GATE DECIDES (offer-kernel doctrine — OFFER_KERNEL_ARCHITECTURE.dot): the adapter does NOT
|
|
1051
|
-
// pre-filter
|
|
1052
|
-
//
|
|
1053
|
-
//
|
|
1054
|
-
//
|
|
1055
|
-
//
|
|
1056
|
-
|
|
1057
|
-
|
|
1058
|
-
rec.rejected.push({ oid, error: `${dom ? `'${dom}' is adapter-fenced on this workspace` : "non-authored intent"} — governance enters its own admin lane` });
|
|
1050
|
+
// pre-filter ANY intent by domain string. An install/governance offer rides the SAME lane; the kernel
|
|
1051
|
+
// gate refuses an author who lacks the declared relation, so an unauthorized control-plane write is a
|
|
1052
|
+
// TYPED GATE refusal, never an adapter verdict. host does no authority — the kernel gates the control
|
|
1053
|
+
// plane (open until the warrant-flip arms signature verification on root/co2). Only `!dom` (malformed
|
|
1054
|
+
// bytes — structural, not authority) stays.
|
|
1055
|
+
if (!dom) {
|
|
1056
|
+
rec.rejected.push({ oid, error: "non-authored intent — governance enters its own admin lane" });
|
|
1059
1057
|
continue;
|
|
1060
1058
|
}
|
|
1061
1059
|
if (receiptFence && dirId && Array.isArray(receiptFence[dom]) && receiptFence[dom].includes(dirId)) {
|
|
@@ -1137,7 +1135,11 @@ export async function admitIntentOffers(eng, ws, ledger, offers, { refuseDomains
|
|
|
1137
1135
|
} catch { /* fall back to the client's own GET /pack */ }
|
|
1138
1136
|
}
|
|
1139
1137
|
log("admit-intent-offers", { ws, sessions: sessions.size, admitted: admittedTotal, rejected: [...sessions.values()].reduce((n, s) => n + s.rejected.length, 0), resultPack: resultPackB64 ? "inline" : "none" });
|
|
1140
|
-
|
|
1138
|
+
// G3 COLD-STORAGE: a `.births()` offer in this batch produced child custody in this engine's FS (the sibling
|
|
1139
|
+
// repos). Pack each born child's full chain BEFORE returning so the bytes ride out for the worker to persist
|
|
1140
|
+
// to the child's own Artifacts repo (the host names nothing — it shuttles kernel-produced bytes keyed by ws).
|
|
1141
|
+
const bornPacked = born.length ? packBornChildren(eng, born) : born;
|
|
1142
|
+
return { sessions: [...sessions.values()].map((s) => ({ ...s, ...(s.skipped.length ? {} : { skipped: undefined }) })), main: head, deadLetters, timings, ...(summary ? { summary } : {}), ...(bornPacked.length ? { born: bornPacked } : {}), ...(resultPackB64 ? { resultPackB64, resultBase: clientBase } : {}), ...(deferDurability && admittedTotal && head ? { deferred: true, head } : {}) };
|
|
1141
1143
|
}
|
|
1142
1144
|
|
|
1143
1145
|
/**
|
|
@@ -1175,9 +1177,12 @@ export async function authorOn(eng, ws, ledger, domain, directiveId, payload, la
|
|
|
1175
1177
|
}
|
|
1176
1178
|
if (res && res.ok === false) return { ok: false, error: String(res.error || "the law refused this intent").slice(0, 500) };
|
|
1177
1179
|
await commitAndPush(eng, ws, ledger);
|
|
1178
|
-
//
|
|
1179
|
-
//
|
|
1180
|
-
|
|
1180
|
+
// G3 COLD-STORAGE: a `.births()` directive authored here ran the kernel birth offer-effect, which wrote each
|
|
1181
|
+
// child's custody to a sibling repo in this engine's FS. Pack each born child's full chain so the container
|
|
1182
|
+
// author case → worker relays the bytes and the worker persists them to the child's OWN Artifacts repo. The
|
|
1183
|
+
// PARENT's main was already pushed above; the child custody is a SEPARATE store the host must ship.
|
|
1184
|
+
const bornPacked = Array.isArray(res.born) && res.born.length ? packBornChildren(eng, res.born) : res.born;
|
|
1185
|
+
return { ok: true, head: res.head, ...(bornPacked ? { born: bornPacked } : {}) };
|
|
1181
1186
|
}
|
|
1182
1187
|
|
|
1183
1188
|
/**
|
|
@@ -1899,6 +1904,63 @@ export function servePack(eng, ws, base = "") {
|
|
|
1899
1904
|
if (!r || r.ok !== true || typeof r.packB64 !== "string") throw new Error("servePack: kernel produced no pack");
|
|
1900
1905
|
return { packB64: r.packB64, bytes: r.bytes };
|
|
1901
1906
|
}
|
|
1907
|
+
|
|
1908
|
+
// ── G3 COLD-STORAGE: SURFACE THE BORN CHILD'S CUSTODY BYTES (the host-bailiff persist lane) ──────────────
|
|
1909
|
+
// The kernel's birth offer-effect (`run_birth_effect`) wrote each born child's whole genesis→head custody to
|
|
1910
|
+
// a SIBLING repo IN THIS ENGINE'S FS — `sibling_repo_arg(parent_repo_arg, child)` == `/work/ws/<child>` ==
|
|
1911
|
+
// `repoArgOf(child)` (the kernel names no DO/container topology; it writes a path the host already keys by ws
|
|
1912
|
+
// name). That custody lives ONLY in the engine FS until the HOST ships it to the child's OWN custody store.
|
|
1913
|
+
// So pack each born child's FULL chain (base="" ⇒ genesis→head) straight from its sibling repo and carry the
|
|
1914
|
+
// bytes OUT on the born entry; the worker (which holds the Artifacts binding) creates the child repo + pushes
|
|
1915
|
+
// the pack to refs/heads/main. Host-pure: the adapter NAMES no domain, DECIDES nothing — it shuttles the
|
|
1916
|
+
// kernel-produced child custody keyed by the kernel-returned `{workspace, head}`. A child whose pack can't be
|
|
1917
|
+
// produced keeps its entry WITHOUT packB64 (+ logs) so the worker SURFACES the failure (the physical birth is
|
|
1918
|
+
// never silently dropped). Returns the born array with packB64 added where it could be packed.
|
|
1919
|
+
export function packBornChildren(eng, born) {
|
|
1920
|
+
if (!Array.isArray(born) || !born.length) return born;
|
|
1921
|
+
return born.map((b) => {
|
|
1922
|
+
const child = b && typeof b.workspace === "string" ? b.workspace : null;
|
|
1923
|
+
const head = b && typeof b.head === "string" ? b.head : null;
|
|
1924
|
+
if (!child || !/^[0-9a-f]{40}$/i.test(head || "")) {
|
|
1925
|
+
log("born-pack-skipped", { workspace: child, head, reason: "malformed born entry" });
|
|
1926
|
+
return b;
|
|
1927
|
+
}
|
|
1928
|
+
try {
|
|
1929
|
+
// base="" ⇒ the FULL pack of everything reachable from the child's head (genesis→head). The kernel
|
|
1930
|
+
// resolves the child's main itself from the sibling repo at repoArgOf(child).
|
|
1931
|
+
const pack = packDelta(eng, child, "", head);
|
|
1932
|
+
if (!pack || !pack.length) {
|
|
1933
|
+
log("born-pack-empty", { workspace: child, head });
|
|
1934
|
+
return b;
|
|
1935
|
+
}
|
|
1936
|
+
return { ...b, packB64: b64Bytes(pack), packBytes: pack.length };
|
|
1937
|
+
} catch (e) {
|
|
1938
|
+
log("born-pack-failed", { workspace: child, head, error: String(e).slice(0, 200) });
|
|
1939
|
+
return b;
|
|
1940
|
+
}
|
|
1941
|
+
});
|
|
1942
|
+
}
|
|
1943
|
+
|
|
1944
|
+
// ── INGEST A CUSTODY PACK AS A WORKSPACE'S OWN STORE (the host-side twin of the worker's pushPack persist) ──
|
|
1945
|
+
// Stage a FRESH bare repo for `ws` in THIS engine's FS, ingest the kernel-built `packBytes` (apply_pack — the
|
|
1946
|
+
// inbound twin of pack_delta; objects land PACKED), then point refs/heads/main + HEAD at `head`. This is what
|
|
1947
|
+
// a peer/edge does on receiving a workspace's pack over the wire: it holds ONLY the pack, no parent FS. The
|
|
1948
|
+
// cross-workspace birth proof uses it to mount a born child from an INDEPENDENT custody store (not the parent
|
|
1949
|
+
// engine FS) — proving the host-bailiff persist is what makes the child servable on its own. `packBytes` is a
|
|
1950
|
+
// Uint8Array (the bytes packBornChildren / the worker's b64-decoded packB64 carry).
|
|
1951
|
+
export async function ingestPackAsCustody(eng, ws, packBytes, head) {
|
|
1952
|
+
if (!packBytes || !packBytes.length) throw new Error(`ingestPackAsCustody: empty pack for '${ws}'`);
|
|
1953
|
+
if (!/^[0-9a-f]{40}$/i.test(head || "")) throw new Error(`ingestPackAsCustody: bad head '${head}' for '${ws}'`);
|
|
1954
|
+
unmount(eng, ws);
|
|
1955
|
+
stageWorkspaceDir(eng, ws);
|
|
1956
|
+
const gitdir = gitdirOf(ws);
|
|
1957
|
+
await custodySkeleton(eng, gitdir);
|
|
1958
|
+
applyPackInto(eng, ws, packBytes); // kernel apply_pack — ingests the genesis→head objects
|
|
1959
|
+
kgit.writeRef(eng, gitdir, "refs/heads/main", head);
|
|
1960
|
+
kgit.writeRef(eng, gitdir, "HEAD", "ref: refs/heads/main");
|
|
1961
|
+
eng.mounted.set(ws, { restored: true, remoteMain: head, restoreError: null });
|
|
1962
|
+
return { ok: true, head: kgit.resolveRef(eng, gitdir, "refs/heads/main") };
|
|
1963
|
+
}
|
|
1902
1964
|
export const nomosActive = (eng, ws) => qById(eng, ws, `domain-installation:${eng.hashes.nomos}`).length > 0;
|
|
1903
1965
|
// E2E crypto linkage probe (the encryption arc): run the wrap→unwrap + field seal→open
|
|
1904
1966
|
// INSIDE the deployable wasm. Pure — no workspace, no chain. Returns {wrapHandoff, fieldAead}.
|
|
@@ -1967,8 +2029,7 @@ async function mainIntentIds(eng, ws) {
|
|
|
1967
2029
|
* engine has no durable store), obvious attacks drop. Admitted intents merge to main,
|
|
1968
2030
|
* durably push, the branch is consumed.
|
|
1969
2031
|
*/
|
|
1970
|
-
export async function admitAll(eng, ws, ledger, {
|
|
1971
|
-
const refuse = new Set(refuseDomains);
|
|
2032
|
+
export async function admitAll(eng, ws, ledger, { receiptFence = null, shardRouting = null, defer = false } = {}) {
|
|
1972
2033
|
const routes = shardRouting ? directiveRoutes(eng) : null;
|
|
1973
2034
|
const gitdir = gitdirOf(ws);
|
|
1974
2035
|
// FRESH HEADER COPY PER GIT OP. isomorphic-git's `discover` MUTATES the headers object it's given
|
|
@@ -2082,12 +2143,13 @@ export async function admitAll(eng, ws, ledger, { refuseDomains = [], receiptFen
|
|
|
2082
2143
|
const blob = bytesFromB64(c.intentB64);
|
|
2083
2144
|
let dom = null, intentId = null, dirId = null;
|
|
2084
2145
|
try { const doc = JSON.parse(dec.decode(blob)); intentId = typeof doc.id === "string" ? doc.id : null; dom = doc && doc.payload && typeof doc.payload.domain === "string" ? doc.payload.domain : null; dirId = doc && doc.payload && typeof doc.payload.directiveId === "string" ? doc.payload.directiveId : null; } catch {}
|
|
2085
|
-
// THE GATE DECIDES (offer-kernel doctrine): no adapter domain-string filter for
|
|
2086
|
-
//
|
|
2087
|
-
//
|
|
2088
|
-
// the
|
|
2089
|
-
|
|
2090
|
-
|
|
2146
|
+
// THE GATE DECIDES (offer-kernel doctrine): no adapter domain-string filter for ANY intent — an
|
|
2147
|
+
// install/governance offer rides the SAME lane and the kernel gate refuses an author lacking the
|
|
2148
|
+
// declared relation (a TYPED gate refusal, never an adapter verdict). host does no authority — the
|
|
2149
|
+
// kernel gates the control plane (open until the warrant-flip arms signature verification on
|
|
2150
|
+
// root/co2). Only `!dom` (malformed bytes — structural, not authority) stays.
|
|
2151
|
+
if (!dom) {
|
|
2152
|
+
rejected.push({ oid: oid.slice(0, 10), error: "non-authored intent — governance enters its own admin lane" });
|
|
2091
2153
|
continue;
|
|
2092
2154
|
}
|
|
2093
2155
|
// THE RECEIPT FENCE (capability_marketplace.md slice 1.5 — the ratified
|
|
@@ -2579,12 +2641,16 @@ export async function boot(eng, ws, ledger) {
|
|
|
2579
2641
|
}
|
|
2580
2642
|
|
|
2581
2643
|
/** Install a tenant package under the nomos controller (validation is the ADAPTER's job). */
|
|
2582
|
-
export async function deploy(eng, ws, ledger, usda, domainHash, dispositions) {
|
|
2644
|
+
export async function deploy(eng, ws, ledger, usda, domainHash, dispositions, opts = {}) {
|
|
2583
2645
|
// THE EVOLVE-GATE ANSWER LANE (#58): `dispositions` ({retired, retyped, rebinds,
|
|
2584
2646
|
// ackBy}) ride the committed installDomain payload — IN-HISTORY facts the one gate
|
|
2585
2647
|
// adjudicates the stable-id diff against. Absent for the common (non-destructive)
|
|
2586
2648
|
// upgrade; the gate's typed refusal names the remedy when one is needed.
|
|
2587
|
-
|
|
2649
|
+
// THE DEPLOYER's attested identity (actor + raw token) rides the install author exactly as the `offer`
|
|
2650
|
+
// verb threads it — the kernel judges whether this principal holds the `installDomain` relation. Empty
|
|
2651
|
+
// actor (the default) preserves the genesis-virgin / broadly-held-relation install path (backward-compat);
|
|
2652
|
+
// a present actor lets an AUTHORIZED non-virgin evolve admit instead of being refused for want of authority.
|
|
2653
|
+
const result = author(eng, ws, "nomos", "installDomain", installPayload(domainHash, usda, eng.installedBy, dispositions), eng.hashes.nomos, { actor: opts.actor ?? "", ...(opts.authToken ? { authToken: opts.authToken } : {}) });
|
|
2588
2654
|
// ATOMICITY: VALIDATE the post-install projection BEFORE committing to custody. The install's
|
|
2589
2655
|
// read manifest is re-derived on this read; if it cannot fold (e.g. a divergent read-projection
|
|
2590
2656
|
// declaration the kernel refuses), this THROWS — and because we have NOT yet pushed, custody
|