@githolon/testing 0.20.0 → 0.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@githolon/testing",
3
- "version": "0.20.0",
3
+ "version": "0.21.0",
4
4
  "type": "module",
5
5
  "description": "@githolon/testing — law TDD for Nomos domains: boot the REAL engine plane in-process (the exact machinery every cloud DO, heavy container and web client runs), dispatch directives, assert rows, assert TYPED REFUSALS, fork for what-ifs — fully offline inside vitest.",
6
6
  "license": "SEE LICENSE IN LICENSE.md",
@@ -995,8 +995,7 @@ export async function replicateIntents(eng, ws, ledger, intents, { push = true }
995
995
  * main once. This is still untrusted work: owner-only/control-plane/receipt
996
996
  * writes are refused or dead-lettered exactly like session refs.
997
997
  */
998
- export async function admitIntentOffers(eng, ws, ledger, offers, { refuseDomains = [], receiptFence = null, shardRouting = null, clientBase = null, defer = false } = {}) {
999
- const refuse = new Set(refuseDomains);
998
+ export async function admitIntentOffers(eng, ws, ledger, offers, { receiptFence = null, shardRouting = null, clientBase = null, defer = false } = {}) {
1000
999
  const main = await mainIntentIds(eng, ws);
1001
1000
  const sessions = new Map();
1002
1001
  const deadLetters = [];
@@ -1048,14 +1047,13 @@ export async function admitIntentOffers(eng, ws, ledger, offers, { refuseDomains
1048
1047
  const dirId = typeof doc?.payload?.directiveId === "string" ? doc.payload.directiveId : null;
1049
1048
  const oid = String(offer?.oid || intentId || "").slice(0, 10);
1050
1049
  // THE GATE DECIDES (offer-kernel doctrine — OFFER_KERNEL_ARCHITECTURE.dot): the adapter does NOT
1051
- // pre-filter control-plane (`nomos`/`bootstrap`) intents by domain string that was the adapter
1052
- // "choosing admission", which the doctrine forbids. An install/governance offer rides the SAME lane;
1053
- // the kernel gate refuses an author who lacks the declared relation (installDomain.requiresRelationGate
1054
- // = {relation:"installDomain", object:"workspace:self"}), so an unauthorized control-plane write is a
1055
- // TYPED GATE refusal, not a adapter verdict. Only `!dom` (malformed) and the explicit per-workspace
1056
- // `refuse` fence (root's `workspaces` governance lane) stay — those are structural, not authority.
1057
- if (!dom || refuse.has(dom)) {
1058
- rec.rejected.push({ oid, error: `${dom ? `'${dom}' is adapter-fenced on this workspace` : "non-authored intent"} — governance enters its own admin lane` });
1050
+ // pre-filter ANY intent by domain string. An install/governance offer rides the SAME lane; the kernel
1051
+ // gate refuses an author who lacks the declared relation, so an unauthorized control-plane write is a
1052
+ // TYPED GATE refusal, never an adapter verdict. host does no authority — the kernel gates the control
1053
+ // plane (open until the warrant-flip arms signature verification on root/co2). Only `!dom` (malformed
1054
+ // bytes structural, not authority) stays.
1055
+ if (!dom) {
1056
+ rec.rejected.push({ oid, error: "non-authored intent — governance enters its own admin lane" });
1059
1057
  continue;
1060
1058
  }
1061
1059
  if (receiptFence && dirId && Array.isArray(receiptFence[dom]) && receiptFence[dom].includes(dirId)) {
@@ -2031,8 +2029,7 @@ async function mainIntentIds(eng, ws) {
2031
2029
  * engine has no durable store), obvious attacks drop. Admitted intents merge to main,
2032
2030
  * durably push, the branch is consumed.
2033
2031
  */
2034
- export async function admitAll(eng, ws, ledger, { refuseDomains = [], receiptFence = null, shardRouting = null, defer = false } = {}) {
2035
- const refuse = new Set(refuseDomains);
2032
+ export async function admitAll(eng, ws, ledger, { receiptFence = null, shardRouting = null, defer = false } = {}) {
2036
2033
  const routes = shardRouting ? directiveRoutes(eng) : null;
2037
2034
  const gitdir = gitdirOf(ws);
2038
2035
  // FRESH HEADER COPY PER GIT OP. isomorphic-git's `discover` MUTATES the headers object it's given
@@ -2146,12 +2143,13 @@ export async function admitAll(eng, ws, ledger, { refuseDomains = [], receiptFen
2146
2143
  const blob = bytesFromB64(c.intentB64);
2147
2144
  let dom = null, intentId = null, dirId = null;
2148
2145
  try { const doc = JSON.parse(dec.decode(blob)); intentId = typeof doc.id === "string" ? doc.id : null; dom = doc && doc.payload && typeof doc.payload.domain === "string" ? doc.payload.domain : null; dirId = doc && doc.payload && typeof doc.payload.directiveId === "string" ? doc.payload.directiveId : null; } catch {}
2149
- // THE GATE DECIDES (offer-kernel doctrine): no adapter domain-string filter for control-plane
2150
- // an install/governance offer rides the SAME lane and the kernel gate refuses an author lacking
2151
- // the declared relation (a TYPED gate refusal, not a adapter verdict). Only `!dom` (malformed) and
2152
- // the explicit `refuse` fence (root's `workspaces` governance lane) stay structural, not authority.
2153
- if (!dom || refuse.has(dom)) {
2154
- rejected.push({ oid: oid.slice(0, 10), error: `${dom ? `'${dom}' is adapter-fenced on this workspace` : "non-authored intent"} — governance enters its own admin lane` });
2146
+ // THE GATE DECIDES (offer-kernel doctrine): no adapter domain-string filter for ANY intent an
2147
+ // install/governance offer rides the SAME lane and the kernel gate refuses an author lacking the
2148
+ // declared relation (a TYPED gate refusal, never an adapter verdict). host does no authority — the
2149
+ // kernel gates the control plane (open until the warrant-flip arms signature verification on
2150
+ // root/co2). Only `!dom` (malformed bytes — structural, not authority) stays.
2151
+ if (!dom) {
2152
+ rejected.push({ oid: oid.slice(0, 10), error: "non-authored intent — governance enters its own admin lane" });
2155
2153
  continue;
2156
2154
  }
2157
2155
  // THE RECEIPT FENCE (capability_marketplace.md slice 1.5 — the ratified
@@ -2643,12 +2641,16 @@ export async function boot(eng, ws, ledger) {
2643
2641
  }
2644
2642
 
2645
2643
  /** Install a tenant package under the nomos controller (validation is the ADAPTER's job). */
2646
- export async function deploy(eng, ws, ledger, usda, domainHash, dispositions) {
2644
+ export async function deploy(eng, ws, ledger, usda, domainHash, dispositions, opts = {}) {
2647
2645
  // THE EVOLVE-GATE ANSWER LANE (#58): `dispositions` ({retired, retyped, rebinds,
2648
2646
  // ackBy}) ride the committed installDomain payload — IN-HISTORY facts the one gate
2649
2647
  // adjudicates the stable-id diff against. Absent for the common (non-destructive)
2650
2648
  // upgrade; the gate's typed refusal names the remedy when one is needed.
2651
- const result = author(eng, ws, "nomos", "installDomain", installPayload(domainHash, usda, eng.installedBy, dispositions), eng.hashes.nomos);
2649
+ // THE DEPLOYER's attested identity (actor + raw token) rides the install author exactly as the `offer`
2650
+ // verb threads it — the kernel judges whether this principal holds the `installDomain` relation. Empty
2651
+ // actor (the default) preserves the genesis-virgin / broadly-held-relation install path (backward-compat);
2652
+ // a present actor lets an AUTHORIZED non-virgin evolve admit instead of being refused for want of authority.
2653
+ const result = author(eng, ws, "nomos", "installDomain", installPayload(domainHash, usda, eng.installedBy, dispositions), eng.hashes.nomos, { actor: opts.actor ?? "", ...(opts.authToken ? { authToken: opts.authToken } : {}) });
2652
2654
  // ATOMICITY: VALIDATE the post-install projection BEFORE committing to custody. The install's
2653
2655
  // read manifest is re-derived on this read; if it cannot fold (e.g. a divergent read-projection
2654
2656
  // declaration the kernel refuses), this THROWS — and because we have NOT yet pushed, custody