@githolon/testing 0.34.1 → 0.35.0

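--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@githolon/testing",
- "version": "0.34.1",
+ "version": "0.35.0",
  "type": "module",
  "description": "@githolon/testing — law TDD for Nomos domains: boot the REAL engine plane in-process (the exact machinery every cloud DO, heavy container and web client runs), dispatch directives, assert rows, assert TYPED REFUSALS, fork for what-ifs — fully offline inside vitest.",
  "license": "SEE LICENSE IN LICENSE.md",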
@@ -44,7 +44,7 @@ function osEntropyBuffer(n) { const bytes = new Uint8Array(n * 8); for (let o =
44
44
  function stringifyBig(o) { return JSON.stringify(o, (_k, v) => (typeof v === "bigint" ? `@@B:${v}@@` : v)).replace(/"@@B:(\d+)@@"/g, "$1"); }
45
45
  const log = (evt, fields = {}) => console.log(JSON.stringify({ evt, t: Date.now(), ...fields }));
46
46
 
47
- function call(ex, mode, fields, STDERR) {
47
+ export function call(ex, mode, fields, STDERR) {
48
48
  const req = enc.encode(JSON.stringify({ mode, ...fields }));
49
49
  const reqPtr = ex.git_holon_alloc(req.length);
50
50
  try {
@@ -1411,9 +1411,31 @@ export function author(eng, ws, domain, directiveId, payload, controllerHash, op
1411
1411
  capPorts.principal_verified = !!opts.principalVerified;
1412
1412
  }
1413
1413
  const envelope = { payload: { domain, directiveId, payload }, captured_ports: capPorts, policy_version: 1, policy_domain: "Nomos", policy_gas: 0, policy_memory: 0 };
1414
+ // ATTESTED READS (slice B stage 1 — attested_reads_design.md §4.1): the PRE-FETCHED foreign
1415
+ // envelopes injected on the author request (`[{queryId, result, attestation}]`). The wasm author
1416
+ // door serves a plan's `read(q, args, {from})` from these AFTER verifying each (never mid-plan
1417
+ // I/O); unconsumed entries are dropped (COMMIT-ONLY-CONSUMED). Absent ⇒ byte-identical envelope
1418
+ // (the era rule). The DO→DO/HTTPS pre-fetch that POPULATES this is stage 2 — this is the seam.
1419
+ if (opts.attestations !== undefined) envelope.attestations = opts.attestations;
1414
1420
  writeWork(eng, `payload-${seq}.json`, enc.encode(JSON.stringify(payload)));
1415
1421
  writeWork(eng, `envelope-${seq}.json`, enc.encode(stringifyBig(envelope)));
1416
1422
  const genesis = !controllerHash;
1423
+ // THE COLOCATION SHORT-CIRCUIT (stage 2): when the declared foreign SOURCE is already MOUNTED in
1424
+ // THIS engine (the container pool colocates workspaces; the engine plane is multi-workspace — the
1425
+ // birth-effect precedent), a missing attested read never leaves the kernel: the gate's typed
1426
+ // `attested-read-unreachable` refusal names {queryId, from, args}; we serve + sign it via the SAME
1427
+ // `attestedRead` op (secret injected per call from `opts.attestorSecrets[from]` — operator config
1428
+ // the host passes through blindly), inject the envelope, and retry. Zero HTTP, zero host decision.
1429
+ // The envelope is BYTE-IDENTICAL to one fetched over ?attest=1 (same signed bytes, same verify arm).
1430
+ // A CARRIED attestation always wins — the refusal only fires for a read no injected entry answers,
1431
+ // so nothing is ever silently replaced. Non-colocated / secret-less sources fall through to the
1432
+ // caller with the kernel's own instruction (the client-carried ?attest=1 dance).
1433
+ const attestorSecretFor = (from) => {
1434
+ const s = opts.attestorSecrets;
1435
+ if (!s) return null;
1436
+ if (typeof s === "string") return s;
1437
+ return typeof s[from] === "string" ? s[from] : null;
1438
+ };
1417
1439
  // THE DEFERRED-PROJECTION ACK (#47, sharding slice 7): the read-projection
1418
1440
  // catch-up (incl. the derive/combine materialize) moves OFF the author ack path
1419
1441
  // by default — every read op self-heals to head, and the post-ack warm lane
@@ -1430,7 +1452,25 @@ export function author(eng, ws, domain, directiveId, payload, controllerHash, op
1430
1452
  // DRY-RUN (offer-kernel): `offer` with the commit withheld — run the plan + full gate, get the verdict,
1431
1453
  // commit nothing. This is the home of the old `evolve_dryrun` verb (see `evolveDryRun`). Never defers
1432
1454
  // projection (no commit to flush).
1433
- const v = JSON.parse(call(eng.ex, "offer", { repoArg: repoArgOf(ws), workspace: ws, domain, directiveId, payloadFile: `/work/payload-${seq}.json`, envelopeFile: `/work/envelope-${seq}.json`, seq, actor: opts.actor ?? "", ...(opts.authToken ? { authToken: opts.authToken } : {}), domainFile: genesis ? "/work/domain.package.usda" : "", domainHash: genesis ? "" : controllerHash, branch: BRANCH, ...(opts.authorSecret ? { authorSecret: opts.authorSecret } : {}), ...(opts.dryRun ? { dryRun: true } : (defer ? { deferProjection: true } : {})) }, eng.STDERR));
1455
+ const offerOnce = () =>
1456
+ JSON.parse(call(eng.ex, "offer", { repoArg: repoArgOf(ws), workspace: ws, domain, directiveId, payloadFile: `/work/payload-${seq}.json`, envelopeFile: `/work/envelope-${seq}.json`, seq, actor: opts.actor ?? "", ...(opts.authToken ? { authToken: opts.authToken } : {}), domainFile: genesis ? "/work/domain.package.usda" : "", domainHash: genesis ? "" : controllerHash, branch: BRANCH, ...(opts.authorSecret ? { authorSecret: opts.authorSecret } : {}), ...(opts.dryRun ? { dryRun: true } : (defer ? { deferProjection: true } : {})) }, eng.STDERR));
1457
+ let v = offerOnce();
1458
+ // COLOCATED foreign reads: bounded loop (a plan may declare several) — each pass answers exactly the
1459
+ // read the kernel named, so it terminates in ≤ #declared-foreign-reads passes (cap 8, defensive).
1460
+ for (let pass = 0; pass < 8 && v.outcome === "refused"; pass++) {
1461
+ const need = parseAttestedReadNeed(v.verdict?.reason ?? v.error);
1462
+ if (!need || !eng.mounted.has(need.from)) break;
1463
+ const secret = attestorSecretFor(need.from);
1464
+ if (!secret) break;
1465
+ const served = attestedRead(eng, need.from, {
1466
+ queryId: need.queryId, paramsJson: JSON.stringify(need.args), attestorSecret: secret,
1467
+ nowMs: opts.attestNowMs ?? Date.now(),
1468
+ });
1469
+ if (!served || served.ok !== true) break; // the kernel's original instruction stands for the caller
1470
+ envelope.attestations = [...(envelope.attestations ?? []), { queryId: need.queryId, result: served.rows, attestation: served.attestation }];
1471
+ writeWork(eng, `envelope-${seq}.json`, enc.encode(stringifyBig(envelope)));
1472
+ v = offerOnce();
1473
+ }
1434
1474
  // KEEP `born`: the wasm offer ran the G3 birth offer-effect and surfaced the child heads; thread them
1435
1475
  // through the normalized shape so the relay (container author case → worker out.born) sees them.
1436
1476
  const res = v.outcome === "admitted" ? { ok: true, head: v.head, intentOut: v.intentOut, ...(v.born ? { born: v.born } : {}) }
@@ -1861,6 +1901,36 @@ export function describe(eng, ws) {
1861
1901
  // (base64) — the parts a `recordShare` payload carries; the subject's home gate verifies them (§3 gate-arm).
1862
1902
  export const attestationSign = (eng, { secret, asserterWorkspace, object, relation, subject, attestedAt }) =>
1863
1903
  JSON.parse(call(eng.ex, "query", { queryBytes: b64Json({ op: "attestationSign", secret, asserterWorkspace, object, relation, subject, attestedAt }) }, eng.STDERR));
1904
+
1905
+ // THE ATTESTED READ (slice B stage 2 — attested_reads_design.md §4.1, the source side). Serve + SIGN a
1906
+ // DECLARED query read over this workspace's own certified fold: the KERNEL derives the rows, pins
1907
+ // {genesis, head, fold_root, signer epoch, time} and signs with the PER-CALL-INJECTED read-attestor
1908
+ // secret (the `attestationSign` pattern — never persisted). The adapter/host transports the secret and
1909
+ // relays the returned `{rows, attestation, leafCount}` OPAQUE — it never constructs, inspects, or
1910
+ // modifies the envelope (the bailiff line). `nowMs` = the source clock at serve, injected by the caller.
1911
+ export const attestedRead = (eng, ws, { queryId, paramsJson, attestorSecret, nowMs }) =>
1912
+ JSON.parse(call(eng.ex, "query", {
1913
+ repoArg: repoArgOf(ws), workspace: ws, branch: BRANCH,
1914
+ queryBytes: b64Json({ op: "attestedRead", queryId, paramsJson: paramsJson || "{}", attestorSecret, nowMs: nowMs ?? Date.now(), sourceWorkspace: ws }),
1915
+ }, eng.STDERR));
1916
+
1917
+ // THE KERNEL-INSTRUCTED MISSING-EVIDENCE PARSE (stage 2 §4.1): the one gate's typed
1918
+ // `attested-read-unreachable` refusal NAMES the exact fetch — queryId + source + args. This parses it so
1919
+ // a caller (the colocation short-circuit below; the web client's pre-fetch convenience) can fulfil the
1920
+ // instruction and retry. Returns { queryId, from, args } or null. The kernel instructs; nobody guesses.
1921
+ export function parseAttestedReadNeed(error) {
1922
+ const m = /attested-read-unreachable: read\('([^']+)', \{from: '([^']+)'\}\) args=(.*?) has no injected attestation/
1923
+ .exec(String(error || ""));
1924
+ if (!m) return null;
1925
+ // The refusal may surface through a JSON-quoting layer (the engine's Threw detail) — the args
1926
+ // blob's quotes then arrive backslash-escaped. Unescape a level at a time until it parses.
1927
+ let blob = m[3];
1928
+ for (let i = 0; i < 4; i++) {
1929
+ try { return { queryId: m[1], from: m[2], args: JSON.parse(blob) }; }
1930
+ catch { blob = blob.replace(/\\(["\\])/g, "$1"); }
1931
+ }
1932
+ return null;
1933
+ }
1864
1934
  // THE BIRTH-CERT SIGNER (VA root-of-trust) — the SINGLE SOURCE OF TRUTH for the cert byte format. The
1865
1935
  // signer's client produces a SIGNED birth cert IN-wasm (`cert_sign` reuses `BirthCert::signed_bytes`/`sign`,
1866
1936
  // the SIBLING of `attestation_sign`) so no client re-implements the layout (drift-proof). The device
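Review bot: In the colocation retry loop added to `author` (new lines 1460–1473), the workspace and query that get served and signed with the operator's attestor secret are chosen by a regex match over the free-text refusal (`v.verdict?.reason ?? v.error`), and the pattern in `parseAttestedReadNeed` is unanchored, so any refusal message that contains that shape would drive a signing call; whether a refusal reason can echo caller-supplied text is not visible here. The only gates are `eng.mounted.has(need.from)` and `attestorSecretFor`, and the latter returns a bare string `attestorSecrets` for every `from`, so in that form any mounted workspace qualifies as a source. If the kernel can expose the missing read as a structured field on the verdict, key the loop on that instead of the message, and tighten the lookup to `return Object.hasOwn(s, from) && typeof s[from] === "string" ? s[from] : null;`, with the string shorthand documented as single-source only. `author`'s body starts and ends outside these hunks, so how `res` exposes the served rows to the caller could not be checked.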