@githolon/testing 0.20.0 → 0.21.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/vendor/engine/engine.mjs +22 -20
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@githolon/testing",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.21.0",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"description": "@githolon/testing — law TDD for Nomos domains: boot the REAL engine plane in-process (the exact machinery every cloud DO, heavy container and web client runs), dispatch directives, assert rows, assert TYPED REFUSALS, fork for what-ifs — fully offline inside vitest.",
|
|
6
6
|
"license": "SEE LICENSE IN LICENSE.md",
|
package/vendor/engine/engine.mjs
CHANGED
|
@@ -995,8 +995,7 @@ export async function replicateIntents(eng, ws, ledger, intents, { push = true }
|
|
|
995
995
|
* main once. This is still untrusted work: owner-only/control-plane/receipt
|
|
996
996
|
* writes are refused or dead-lettered exactly like session refs.
|
|
997
997
|
*/
|
|
998
|
-
export async function admitIntentOffers(eng, ws, ledger, offers, {
|
|
999
|
-
const refuse = new Set(refuseDomains);
|
|
998
|
+
export async function admitIntentOffers(eng, ws, ledger, offers, { receiptFence = null, shardRouting = null, clientBase = null, defer = false } = {}) {
|
|
1000
999
|
const main = await mainIntentIds(eng, ws);
|
|
1001
1000
|
const sessions = new Map();
|
|
1002
1001
|
const deadLetters = [];
|
|
@@ -1048,14 +1047,13 @@ export async function admitIntentOffers(eng, ws, ledger, offers, { refuseDomains
|
|
|
1048
1047
|
const dirId = typeof doc?.payload?.directiveId === "string" ? doc.payload.directiveId : null;
|
|
1049
1048
|
const oid = String(offer?.oid || intentId || "").slice(0, 10);
|
|
1050
1049
|
// THE GATE DECIDES (offer-kernel doctrine — OFFER_KERNEL_ARCHITECTURE.dot): the adapter does NOT
|
|
1051
|
-
// pre-filter
|
|
1052
|
-
//
|
|
1053
|
-
//
|
|
1054
|
-
//
|
|
1055
|
-
//
|
|
1056
|
-
|
|
1057
|
-
|
|
1058
|
-
rec.rejected.push({ oid, error: `${dom ? `'${dom}' is adapter-fenced on this workspace` : "non-authored intent"} — governance enters its own admin lane` });
|
|
1050
|
+
// pre-filter ANY intent by domain string. An install/governance offer rides the SAME lane; the kernel
|
|
1051
|
+
// gate refuses an author who lacks the declared relation, so an unauthorized control-plane write is a
|
|
1052
|
+
// TYPED GATE refusal, never an adapter verdict. host does no authority — the kernel gates the control
|
|
1053
|
+
// plane (open until the warrant-flip arms signature verification on root/co2). Only `!dom` (malformed
|
|
1054
|
+
// bytes — structural, not authority) stays.
|
|
1055
|
+
if (!dom) {
|
|
1056
|
+
rec.rejected.push({ oid, error: "non-authored intent — governance enters its own admin lane" });
|
|
1059
1057
|
continue;
|
|
1060
1058
|
}
|
|
1061
1059
|
if (receiptFence && dirId && Array.isArray(receiptFence[dom]) && receiptFence[dom].includes(dirId)) {
|
|
@@ -2031,8 +2029,7 @@ async function mainIntentIds(eng, ws) {
|
|
|
2031
2029
|
* engine has no durable store), obvious attacks drop. Admitted intents merge to main,
|
|
2032
2030
|
* durably push, the branch is consumed.
|
|
2033
2031
|
*/
|
|
2034
|
-
export async function admitAll(eng, ws, ledger, {
|
|
2035
|
-
const refuse = new Set(refuseDomains);
|
|
2032
|
+
export async function admitAll(eng, ws, ledger, { receiptFence = null, shardRouting = null, defer = false } = {}) {
|
|
2036
2033
|
const routes = shardRouting ? directiveRoutes(eng) : null;
|
|
2037
2034
|
const gitdir = gitdirOf(ws);
|
|
2038
2035
|
// FRESH HEADER COPY PER GIT OP. isomorphic-git's `discover` MUTATES the headers object it's given
|
|
@@ -2146,12 +2143,13 @@ export async function admitAll(eng, ws, ledger, { refuseDomains = [], receiptFen
|
|
|
2146
2143
|
const blob = bytesFromB64(c.intentB64);
|
|
2147
2144
|
let dom = null, intentId = null, dirId = null;
|
|
2148
2145
|
try { const doc = JSON.parse(dec.decode(blob)); intentId = typeof doc.id === "string" ? doc.id : null; dom = doc && doc.payload && typeof doc.payload.domain === "string" ? doc.payload.domain : null; dirId = doc && doc.payload && typeof doc.payload.directiveId === "string" ? doc.payload.directiveId : null; } catch {}
|
|
2149
|
-
// THE GATE DECIDES (offer-kernel doctrine): no adapter domain-string filter for
|
|
2150
|
-
//
|
|
2151
|
-
//
|
|
2152
|
-
// the
|
|
2153
|
-
|
|
2154
|
-
|
|
2146
|
+
// THE GATE DECIDES (offer-kernel doctrine): no adapter domain-string filter for ANY intent — an
|
|
2147
|
+
// install/governance offer rides the SAME lane and the kernel gate refuses an author lacking the
|
|
2148
|
+
// declared relation (a TYPED gate refusal, never an adapter verdict). host does no authority — the
|
|
2149
|
+
// kernel gates the control plane (open until the warrant-flip arms signature verification on
|
|
2150
|
+
// root/co2). Only `!dom` (malformed bytes — structural, not authority) stays.
|
|
2151
|
+
if (!dom) {
|
|
2152
|
+
rejected.push({ oid: oid.slice(0, 10), error: "non-authored intent — governance enters its own admin lane" });
|
|
2155
2153
|
continue;
|
|
2156
2154
|
}
|
|
2157
2155
|
// THE RECEIPT FENCE (capability_marketplace.md slice 1.5 — the ratified
|
|
@@ -2643,12 +2641,16 @@ export async function boot(eng, ws, ledger) {
|
|
|
2643
2641
|
}
|
|
2644
2642
|
|
|
2645
2643
|
/** Install a tenant package under the nomos controller (validation is the ADAPTER's job). */
|
|
2646
|
-
export async function deploy(eng, ws, ledger, usda, domainHash, dispositions) {
|
|
2644
|
+
export async function deploy(eng, ws, ledger, usda, domainHash, dispositions, opts = {}) {
|
|
2647
2645
|
// THE EVOLVE-GATE ANSWER LANE (#58): `dispositions` ({retired, retyped, rebinds,
|
|
2648
2646
|
// ackBy}) ride the committed installDomain payload — IN-HISTORY facts the one gate
|
|
2649
2647
|
// adjudicates the stable-id diff against. Absent for the common (non-destructive)
|
|
2650
2648
|
// upgrade; the gate's typed refusal names the remedy when one is needed.
|
|
2651
|
-
|
|
2649
|
+
// THE DEPLOYER's attested identity (actor + raw token) rides the install author exactly as the `offer`
|
|
2650
|
+
// verb threads it — the kernel judges whether this principal holds the `installDomain` relation. Empty
|
|
2651
|
+
// actor (the default) preserves the genesis-virgin / broadly-held-relation install path (backward-compat);
|
|
2652
|
+
// a present actor lets an AUTHORIZED non-virgin evolve admit instead of being refused for want of authority.
|
|
2653
|
+
const result = author(eng, ws, "nomos", "installDomain", installPayload(domainHash, usda, eng.installedBy, dispositions), eng.hashes.nomos, { actor: opts.actor ?? "", ...(opts.authToken ? { authToken: opts.authToken } : {}) });
|
|
2652
2654
|
// ATOMICITY: VALIDATE the post-install projection BEFORE committing to custody. The install's
|
|
2653
2655
|
// read manifest is re-derived on this read; if it cannot fold (e.g. a divergent read-projection
|
|
2654
2656
|
// declaration the kernel refuses), this THROWS — and because we have NOT yet pushed, custody
|