@typeberry/lib 0.5.10-6923c44 → 0.5.10-7338c21

package/packages/jam/in-core/in-core.js

@@ -1,18 +1,13 @@
-import { tryAsCoreIndex, tryAsServiceGas, } from "#@typeberry/block";
-import { W_C } from "#@typeberry/block/gp-constants.js";
-import { WorkPackageInfo, } from "#@typeberry/block/refine-context.js";
+import { WorkPackageInfo } from "#@typeberry/block/refine-context.js";
 import { WorkPackageSpec, WorkReport } from "#@typeberry/block/work-report.js";
-import { WorkExecResult, WorkExecResultKind, WorkRefineLoad, WorkResult } from "#@typeberry/block/work-result.js";
-import { Bytes, BytesBlob } from "#@typeberry/bytes";
-import { codec, Encoder } from "#@typeberry/codec";
+import { Bytes } from "#@typeberry/bytes";
 import { asKnownSize, FixedSizeArray } from "#@typeberry/collections";
-import { PvmExecutor, ReturnStatus } from "#@typeberry/executor";
 import { HASH_SIZE } from "#@typeberry/hash";
 import { Logger } from "#@typeberry/logger";
 import { tryAsU8, tryAsU16, tryAsU32 } from "#@typeberry/numbers";
-import { RefineFetchExternalities } from "#@typeberry/transition/externalities/refine-fetch-externalities.js";
-import { assertEmpty, assertNever, Result } from "#@typeberry/utils";
-import { RefineExternalitiesImpl } from "./externalities/refine.js";
+import { assertEmpty, Result } from "#@typeberry/utils";
+import { AuthorizationError, IsAuthorized } from "./is-authorized.js";
+import { Refine } from "./refine.js";
 export var RefineError;
 (function (RefineError) {
     /** State for context anchor block or lookup anchor is not found in the DB. */
@@ -24,39 +19,17 @@ export var RefineError;
     /** Authorization error. */
     RefineError[RefineError["AuthorizationError"] = 3] = "AuthorizationError";
 })(RefineError || (RefineError = {}));
-var ServiceCodeError;
-(function (ServiceCodeError) {
-    /** Service id is not found in the state. */
-    ServiceCodeError[ServiceCodeError["ServiceNotFound"] = 0] = "ServiceNotFound";
-    /** Expected service code does not match the state one. */
-    ServiceCodeError[ServiceCodeError["ServiceCodeMismatch"] = 1] = "ServiceCodeMismatch";
-    /** Code preimage missing. */
-    ServiceCodeError[ServiceCodeError["ServiceCodeMissing"] = 2] = "ServiceCodeMissing";
-    /** Code blob is too big. */
-    ServiceCodeError[ServiceCodeError["ServiceCodeTooBig"] = 3] = "ServiceCodeTooBig";
-})(ServiceCodeError || (ServiceCodeError = {}));
-var AuthorizationError;
-(function (AuthorizationError) {
-})(AuthorizationError || (AuthorizationError = {}));
 const logger = Logger.new(import.meta.filename, "refine");
-/** https://graypaper.fluffylabs.dev/#/ab2cdbd/2ffe002ffe00?v=0.7.2 */
-const ARGS_CODEC = codec.object({
-    core: codec.varU32.convert((x) => tryAsU32(x), (x) => tryAsCoreIndex(x)),
-    workItemIndex: codec.varU32,
-    serviceId: codec.varU32.asOpaque(),
-    payloadLength: codec.varU32,
-    packageHash: codec.bytes(HASH_SIZE).asOpaque(),
-});
 export class InCore {
     chainSpec;
     states;
-    pvmBackend;
-    blake2b;
+    isAuthorized;
+    refineItem;
     constructor(chainSpec, states, pvmBackend, blake2b) {
         this.chainSpec = chainSpec;
         this.states = states;
-        this.pvmBackend = pvmBackend;
-        this.blake2b = blake2b;
+        this.isAuthorized = new IsAuthorized(chainSpec, pvmBackend, blake2b);
+        this.refineItem = new Refine(chainSpec, pvmBackend, blake2b);
     }
     /**
      * Work-report computation function.
@@ -70,13 +43,14 @@ export class InCore {
      */
     async refine(workPackageAndHash, core, imports, extrinsics) {
         const workPackageHash = workPackageAndHash.hash;
-        const { context, authorization, authCodeHash, authCodeHost, parametrization, items, ...rest } = workPackageAndHash.data;
+        const { context, authToken, authCodeHash, authCodeHost, authConfiguration, items, ...rest } = workPackageAndHash.data;
         assertEmpty(rest);
         // TODO [ToDr] Verify BEEFY root
         // TODO [ToDr] Verify prerequisites
         logger.log `[core:${core}] Attempting to refine work package with ${items.length} items.`;
-        // TODO [ToDr] GP link
         // Verify anchor block
+        // https://graypaper.fluffylabs.dev/#/ab2cdbd/15cd0215cd02?v=0.7.2
+        // TODO [ToDr] Validation
         const state = this.states.getState(context.anchor);
         if (state === null) {
             return Result.error(RefineError.StateMissing, () => `State at anchor block ${context.anchor} is missing.`);
@@ -96,7 +70,7 @@ export class InCore {
             return Result.error(RefineError.InvalidLookupAnchorSlot, () => `Lookup anchor slot does not match the one is state. Ours: ${lookupState.timeslot}, expected: ${context.lookupAnchorSlot}`);
         }
         // Check authorization
-        const authResult = await this.authorizePackage(authorization, authCodeHost, authCodeHash, parametrization);
+        const authResult = await this.isAuthorized.invoke(state, core, authToken, authCodeHost, authCodeHash, authConfiguration);
         if (authResult.isError) {
             return Result.error(RefineError.AuthorizationError, () => `Authorization error: ${AuthorizationError[authResult.error]}: ${authResult.details()}.`);
         }
@@ -106,14 +80,14 @@ export class InCore {
         const refineResults = [];
         for (const [idx, item] of items.entries()) {
             logger.info `[core:${core}][i:${idx}] Refining item for service ${item.service}.`;
-            const result = await this.refineItem(state, lookupState, idx, item, imports, extrinsics, core, workPackageHash, exportOffset);
+            const result = await this.refineItem.invoke(state, lookupState, idx, item, imports, extrinsics, core, workPackageHash, exportOffset);
             refineResults.push(result);
             exportOffset += result.exports.length;
         }
         // amalgamate the work report now
-        return Result.ok(this.amalgamateWorkReport(asKnownSize(refineResults), authResult.ok, workPackageHash, context, core));
+        return Result.ok(InCore.amalgamateWorkReport(asKnownSize(refineResults), authResult.ok, workPackageHash, context, core));
     }
-    amalgamateWorkReport(refineResults, authResult, workPackageHash, context, coreIndex) {
+    static amalgamateWorkReport(refineResults, authResult, workPackageHash, context, coreIndex) {
         // unzip exports and work results for each work item
         const exports = refineResults.map((x) => x.exports);
         const results = refineResults.map((x) => x.result);
@@ -156,146 +130,4 @@ export class InCore {
             exports: asKnownSize(exports),
         };
     }
-    async authorizePackage(_authorization, _authCodeHost, _authCodeHash, _parametrization) {
-        // TODO [ToDr] Check authorization?
-        const authorizerHash = Bytes.zero(HASH_SIZE).asOpaque();
-        const authorizationGasUsed = tryAsServiceGas(0);
-        const authorizationOutput = BytesBlob.empty();
-        return Result.ok({
-            authorizerHash,
-            authorizationGasUsed,
-            authorizationOutput,
-        });
-    }
-    async refineItem(state, lookupState, idx, item, allImports, allExtrinsics, coreIndex, workPackageHash, exportOffset) {
-        const payloadHash = this.blake2b.hashBytes(item.payload);
-        const baseResult = {
-            serviceId: item.service,
-            codeHash: item.codeHash,
-            payloadHash,
-            gas: item.refineGasLimit,
-        };
-        const imports = allImports[idx];
-        const extrinsics = allExtrinsics[idx];
-        const baseLoad = {
-            importedSegments: tryAsU32(imports.length),
-            extrinsicCount: tryAsU32(extrinsics.length),
-            extrinsicSize: tryAsU32(extrinsics.reduce((acc, x) => acc + x.length, 0)),
-        };
-        const maybeCode = this.getServiceCode(state, idx, item);
-        if (maybeCode.isError) {
-            const error = maybeCode.error === ServiceCodeError.ServiceCodeTooBig
-                ? WorkExecResultKind.codeOversize
-                : WorkExecResultKind.badCode;
-            return {
-                exports: [],
-                result: WorkResult.create({
-                    ...baseResult,
-                    result: WorkExecResult.error(error),
-                    load: WorkRefineLoad.create({
-                        ...baseLoad,
-                        gasUsed: tryAsServiceGas(item.refineGasLimit),
-                        exportedSegments: tryAsU32(0),
-                    }),
-                }),
-            };
-        }
-        const code = maybeCode.ok;
-        const externalities = this.createRefineExternalities({
-            payload: item.payload,
-            imports: allImports,
-            extrinsics: allExtrinsics,
-            currentServiceId: item.service,
-            lookupState,
-            exportOffset,
-        });
-        const executor = await PvmExecutor.createRefineExecutor(item.service, code, externalities, this.pvmBackend);
-        const args = Encoder.encodeObject(ARGS_CODEC, {
-            serviceId: item.service,
-            core: coreIndex,
-            workItemIndex: tryAsU32(idx),
-            payloadLength: tryAsU32(item.payload.length),
-            packageHash: workPackageHash,
-        });
-        const execResult = await executor.run(args, item.refineGasLimit);
-        const exports = externalities.refine.getExportedSegments();
-        if (exports.length !== item.exportCount) {
-            return {
-                exports,
-                result: WorkResult.create({
-                    ...baseResult,
-                    result: WorkExecResult.error(WorkExecResultKind.incorrectNumberOfExports),
-                    load: WorkRefineLoad.create({
-                        ...baseLoad,
-                        gasUsed: tryAsServiceGas(item.refineGasLimit),
-                        exportedSegments: tryAsU32(0),
-                    }),
-                }),
-            };
-        }
-        const result = this.extractWorkResult(execResult);
-        return {
-            exports,
-            result: WorkResult.create({
-                ...baseResult,
-                result,
-                load: WorkRefineLoad.create({
-                    ...baseLoad,
-                    gasUsed: tryAsServiceGas(execResult.consumedGas),
-                    exportedSegments: tryAsU32(exports.length),
-                }),
-            }),
-        };
-    }
-    extractWorkResult(execResult) {
-        if (execResult.status === ReturnStatus.OK) {
-            const slice = execResult.memorySlice;
-            // TODO [ToDr] Verify the output size and change digestTooBig?
-            return WorkExecResult.ok(BytesBlob.blobFrom(slice));
-        }
-        switch (execResult.status) {
-            case ReturnStatus.OOG:
-                return WorkExecResult.error(WorkExecResultKind.outOfGas);
-            case ReturnStatus.PANIC:
-                return WorkExecResult.error(WorkExecResultKind.panic);
-            default:
-                assertNever(execResult);
-        }
-    }
-    getServiceCode(state, idx, item) {
-        const serviceId = item.service;
-        const service = state.getService(serviceId);
-        // TODO [ToDr] GP link
-        // missing service
-        if (service === null) {
-            return Result.error(ServiceCodeError.ServiceNotFound, () => `[i:${idx}] Service ${serviceId} is missing in state.`);
-        }
-        // TODO [ToDr] GP link
-        // TODO [ToDr] shall we rather use the old codehash instead
-        if (!service.getInfo().codeHash.isEqualTo(item.codeHash)) {
-            return Result.error(ServiceCodeError.ServiceCodeMismatch, () => `[i:${idx}] Service ${serviceId} has invalid code hash. Ours: ${service.getInfo().codeHash}, expected: ${item.codeHash}`);
-        }
-        const code = service.getPreimage(item.codeHash.asOpaque());
-        if (code === null) {
-            return Result.error(ServiceCodeError.ServiceCodeMissing, () => `[i:${idx}] Code ${item.codeHash} for service ${serviceId} was not found.`);
-        }
-        if (code.length > W_C) {
-            return Result.error(ServiceCodeError.ServiceCodeTooBig, () => `[i:${idx}] Code ${item.codeHash} for service ${serviceId} is too big! ${code.length} bytes vs ${W_C} bytes max.`);
-        }
-        return Result.ok(code);
-    }
-    createRefineExternalities(args) {
-        // TODO [ToDr] Pass all required fetch data
-        const fetchExternalities = new RefineFetchExternalities(this.chainSpec);
-        const refine = RefineExternalitiesImpl.create({
-            currentServiceId: args.currentServiceId,
-            lookupState: args.lookupState,
-            exportOffset: args.exportOffset,
-            pvmBackend: this.pvmBackend,
-        });
-        return {
-            fetchExternalities,
-            refine,
-        };
-    }
 }

package/packages/jam/in-core/in-core.test.js

@@ -1,4 +1,6 @@
 import assert from "node:assert";
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
 import { before, describe, it } from "node:test";
 import { tryAsCoreIndex, tryAsServiceGas, tryAsServiceId, tryAsTimeSlot } from "#@typeberry/block";
 import { RefineContext } from "#@typeberry/block/refine-context.js";
@@ -6,21 +8,46 @@ import { WorkItem } from "#@typeberry/block/work-item.js";
 import { tryAsWorkItemsCount, WorkPackage } from "#@typeberry/block/work-package.js";
 import { Bytes, BytesBlob } from "#@typeberry/bytes";
 import { Encoder } from "#@typeberry/codec";
-import { asKnownSize, FixedSizeArray } from "#@typeberry/collections";
+import { asKnownSize, FixedSizeArray, HashDictionary } from "#@typeberry/collections";
 import { PvmBackend, tinyChainSpec } from "#@typeberry/config";
 import { InMemoryStates } from "#@typeberry/database";
 import { Blake2b, HASH_SIZE, WithHash } from "#@typeberry/hash";
-import { tryAsU16 } from "#@typeberry/numbers";
-import { testState } from "#@typeberry/state/test.utils.js";
+import { tryAsU16, tryAsU32, tryAsU64 } from "#@typeberry/numbers";
+import { InMemoryService, InMemoryState, PreimageItem, ServiceAccountInfo } from "#@typeberry/state";
 import { InCore, RefineError } from "./in-core.js";
+// Load the authorizer PVM fixture (checks authToken === authConfiguration).
+const AUTHORIZER_PVM = BytesBlob.blobFrom(readFileSync(resolve(import.meta.dirname, "fixtures/authorizer.pvm")));
+const AUTH_SERVICE_ID = tryAsServiceId(1);
 let blake2b;
 before(async () => {
     blake2b = await Blake2b.createHasher();
 });
-function createWorkItem(serviceId = 1) {
+function getAuthCodeHash() {
+    return blake2b.hashBytes(AUTHORIZER_PVM).asOpaque();
+}
+function createService(serviceId, codeHash, code) {
+    return new InMemoryService(serviceId, {
+        info: ServiceAccountInfo.create({
+            codeHash: codeHash.asOpaque(),
+            balance: tryAsU64(10_000_000_000),
+            accumulateMinGas: tryAsServiceGas(0n),
+            onTransferMinGas: tryAsServiceGas(0n),
+            storageUtilisationBytes: tryAsU64(0),
+            storageUtilisationCount: tryAsU32(0),
+            gratisStorage: tryAsU64(0),
+            created: tryAsTimeSlot(0),
+            lastAccumulation: tryAsTimeSlot(0),
+            parentService: tryAsServiceId(0),
+        }),
+        preimages: HashDictionary.fromEntries([PreimageItem.create({ hash: codeHash.asOpaque(), blob: code })].map((x) => [x.hash, x])),
+        lookupHistory: HashDictionary.fromEntries([]),
+        storage: new Map(),
+    });
+}
+function createWorkItem(codeHash, serviceId = 1) {
     return WorkItem.create({
         service: tryAsServiceId(serviceId),
-        codeHash: Bytes.zero(HASH_SIZE).asOpaque(),
+        codeHash,
         payload: BytesBlob.empty(),
         refineGasLimit: tryAsServiceGas(1_000_000),
         accumulateGasLimit: tryAsServiceGas(1_000_000),
@@ -29,12 +56,12 @@ function createWorkItem(serviceId = 1) {
         exportCount: tryAsU16(0),
     });
 }
-function createWorkPackage(anchorHash, stateRoot, lookupAnchorSlot = 0) {
+function createWorkPackage(anchorHash, stateRoot, authCodeHash, lookupAnchorSlot = 0) {
     return WorkPackage.create({
-        authorization: BytesBlob.empty(),
-        authCodeHost: tryAsServiceId(1),
-        authCodeHash: Bytes.zero(HASH_SIZE).asOpaque(),
-        parametrization: BytesBlob.empty(),
+        authToken: BytesBlob.empty(),
+        authCodeHost: AUTH_SERVICE_ID,
+        authCodeHash,
+        authConfiguration: BytesBlob.empty(),
         context: RefineContext.create({
             anchor: anchorHash,
             stateRoot,
@@ -43,7 +70,7 @@ function createWorkPackage(anchorHash, stateRoot, lookupAnchorSlot = 0) {
             lookupAnchorSlot: tryAsTimeSlot(lookupAnchorSlot),
             prerequisites: [],
         }),
-        items: FixedSizeArray.new([createWorkItem()], tryAsWorkItemsCount(1)),
+        items: FixedSizeArray.new([createWorkItem(authCodeHash)], tryAsWorkItemsCount(1)),
     });
 }
 function hashWorkPackage(spec, workPackage) {
@@ -59,7 +86,8 @@ describe("InCore", () => {
         const inCore = new InCore(spec, states, PvmBackend.BuiltIn, blake2b);
         const anchorHash = Bytes.fill(HASH_SIZE, 1).asOpaque();
         const stateRoot = Bytes.zero(HASH_SIZE).asOpaque();
-        const workPackage = createWorkPackage(anchorHash, stateRoot);
+        const authCodeHash = getAuthCodeHash();
+        const workPackage = createWorkPackage(anchorHash, stateRoot, authCodeHash);
         const result = await inCore.refine(hashWorkPackage(spec, workPackage), tryAsCoreIndex(0), asKnownSize([[]]), asKnownSize([[]]));
         assert.strictEqual(result.isError, true);
         assert.strictEqual(result.error, RefineError.StateMissing);
@@ -68,13 +96,17 @@ describe("InCore", () => {
         const spec = tinyChainSpec;
         const states = new InMemoryStates(spec);
         const inCore = new InCore(spec, states, PvmBackend.BuiltIn, blake2b);
+        const authCodeHash = getAuthCodeHash();
         const anchorHash = Bytes.fill(HASH_SIZE, 1).asOpaque();
-        const state = testState();
+        const state = InMemoryState.partial(spec, {
+            timeslot: tryAsTimeSlot(16),
+            services: new Map([[AUTH_SERVICE_ID, createService(AUTH_SERVICE_ID, authCodeHash, AUTHORIZER_PVM)]]),
+        });
         await states.insertInitialState(anchorHash, state);
         const correctStateRoot = await states.getStateRoot(state);
-        const workPackage = createWorkPackage(anchorHash, correctStateRoot, state.timeslot);
+        const workPackage = createWorkPackage(anchorHash, correctStateRoot, authCodeHash, state.timeslot);
         const result = await inCore.refine(hashWorkPackage(spec, workPackage), tryAsCoreIndex(0), asKnownSize([[]]), asKnownSize([[]]));
-        assert.strictEqual(result.isOk, true);
+        assert.strictEqual(result.isOk, true, `Expected OK but got error: ${result.isError ? result.details() : ""}`);
         assert.strictEqual(result.ok.report.coreIndex, 0);
         assert.strictEqual(result.ok.report.results.length, 1);
     });

package/packages/jam/in-core/is-authorized.d.ts

@@ -0,0 +1,33 @@
+import { type CodeHash, type CoreIndex, type ServiceGas, type ServiceId } from "#@typeberry/block";
+import type { AuthorizerHash } from "#@typeberry/block/refine-context.js";
+import { BytesBlob } from "#@typeberry/bytes";
+import type { ChainSpec, PvmBackend } from "#@typeberry/config";
+import type { Blake2b } from "#@typeberry/hash";
+import type { State } from "#@typeberry/state";
+import { Result } from "#@typeberry/utils";
+export declare enum AuthorizationError {
+    /** BAD: authorizer code not found (service or preimage missing). */
+    CodeNotFound = 0,
+    /** BIG: authorizer code exceeds W_A limit. */
+    CodeTooBig = 1,
+    /** PANIC/OOG: PVM execution failed. */
+    PvmFailed = 2
+}
+export type AuthorizationOk = {
+    authorizerHash: AuthorizerHash;
+    authorizationGasUsed: ServiceGas;
+    authorizationOutput: BytesBlob;
+};
+/**
+ * IsAuthorized PVM invocation (Psi_I).
+ *
+ * https://graypaper.fluffylabs.dev/#/ab2cdbd/2e64002e6400?v=0.7.2
+ */
+export declare class IsAuthorized {
+    private readonly chainSpec;
+    private readonly pvmBackend;
+    private readonly blake2b;
+    constructor(chainSpec: ChainSpec, pvmBackend: PvmBackend, blake2b: Blake2b);
+    invoke(state: State, coreIndex: CoreIndex, authToken: BytesBlob, authCodeHost: ServiceId, authCodeHash: CodeHash, authConfiguration: BytesBlob): Promise<Result<AuthorizationOk, AuthorizationError>>;
+}
+//# sourceMappingURL=is-authorized.d.ts.map

package/packages/jam/in-core/is-authorized.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"is-authorized.d.ts","sourceRoot":"","sources":["../../../../../packages/jam/in-core/is-authorized.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,QAAQ,EAAE,KAAK,SAAS,EAAE,KAAK,UAAU,EAAE,KAAK,SAAS,EAAmB,MAAM,kBAAkB,CAAC;AAEnH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oCAAoC,CAAC;AACzE,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAE7C,OAAO,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAE9C,OAAO,EAAE,MAAM,EAAE,MAAM,kBAAkB,CAAC;AAE1C,oBAAY,kBAAkB;IAC5B,oEAAoE;IACpE,YAAY,IAAI;IAChB,8CAA8C;IAC9C,UAAU,IAAI;IACd,uCAAuC;IACvC,SAAS,IAAI;CACd;AAED,MAAM,MAAM,eAAe,GAAG;IAC5B,cAAc,EAAE,cAAc,CAAC;IAC/B,oBAAoB,EAAE,UAAU,CAAC;IACjC,mBAAmB,EAAE,SAAS,CAAC;CAChC,CAAC;AAMF;;;;GAIG;AACH,qBAAa,YAAY;IAErB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAFP,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,OAAO;IAG7B,MAAM,CACV,KAAK,EAAE,KAAK,EACZ,SAAS,EAAE,SAAS,EACpB,SAAS,EAAE,SAAS,EACpB,YAAY,EAAE,SAAS,EACvB,YAAY,EAAE,QAAQ,EACtB,iBAAiB,EAAE,SAAS,GAC3B,OAAO,CAAC,MAAM,CAAC,eAAe,EAAE,kBAAkB,CAAC,CAAC;CA+DxD"}

package/packages/jam/in-core/is-authorized.js

@@ -0,0 +1,72 @@
+import { tryAsServiceGas } from "#@typeberry/block";
+import { G_I, W_A } from "#@typeberry/block/gp-constants.js";
+import { BytesBlob } from "#@typeberry/bytes";
+import { codec, Encoder } from "#@typeberry/codec";
+import { PvmExecutor, ReturnStatus } from "#@typeberry/executor";
+import { IsAuthorizedFetchExternalities } from "#@typeberry/transition/externalities/is-authorized-fetch-externalities.js";
+import { Result } from "#@typeberry/utils";
+export var AuthorizationError;
+(function (AuthorizationError) {
+    /** BAD: authorizer code not found (service or preimage missing). */
+    AuthorizationError[AuthorizationError["CodeNotFound"] = 0] = "CodeNotFound";
+    /** BIG: authorizer code exceeds W_A limit. */
+    AuthorizationError[AuthorizationError["CodeTooBig"] = 1] = "CodeTooBig";
+    /** PANIC/OOG: PVM execution failed. */
+    AuthorizationError[AuthorizationError["PvmFailed"] = 2] = "PvmFailed";
+})(AuthorizationError || (AuthorizationError = {}));
+const AUTH_ARGS_CODEC = codec.object({
+    coreIndex: codec.u16,
+});
+/**
+ * IsAuthorized PVM invocation (Psi_I).
+ *
+ * https://graypaper.fluffylabs.dev/#/ab2cdbd/2e64002e6400?v=0.7.2
+ */
+export class IsAuthorized {
+    chainSpec;
+    pvmBackend;
+    blake2b;
+    constructor(chainSpec, pvmBackend, blake2b) {
+        this.chainSpec = chainSpec;
+        this.pvmBackend = pvmBackend;
+        this.blake2b = blake2b;
+    }
+    async invoke(state, coreIndex, authToken, authCodeHost, authCodeHash, authConfiguration) {
+        // Look up the authorizer code from the auth code host service
+        const service = state.getService(authCodeHost);
+        // https://graypaper.fluffylabs.dev/#/ab2cdbd/2eca002eca00?v=0.7.2
+        if (service === null) {
+            return Result.error(AuthorizationError.CodeNotFound, () => `Auth code host service ${authCodeHost} not found in state.`);
+        }
+        const code = service.getPreimage(authCodeHash.asOpaque());
+        if (code === null) {
+            return Result.error(AuthorizationError.CodeNotFound, () => `Auth code preimage ${authCodeHash} not found in service ${authCodeHost}.`);
+        }
+        // BIG: code exceeds W_A
+        // https://graypaper.fluffylabs.dev/#/ab2cdbd/2ed6002ed600?v=0.7.2
+        if (code.length > W_A) {
+            return Result.error(AuthorizationError.CodeTooBig, () => `Auth code is too big: ${code.length} bytes vs ${W_A} max.`);
+        }
+        // Prepare fetch externalities and executor
+        const fetchExternalities = new IsAuthorizedFetchExternalities(this.chainSpec, {
+            authToken,
+            authConfiguration,
+        });
+        const executor = await PvmExecutor.createIsAuthorizedExecutor(authCodeHost, code, { fetchExternalities }, this.pvmBackend);
+        const args = Encoder.encodeObject(AUTH_ARGS_CODEC, {
+            coreIndex,
+        });
+        // Run PVM with gas budget G_I
+        const gasLimit = tryAsServiceGas(G_I);
+        const execResult = await executor.run(args, gasLimit);
+        if (execResult.status !== ReturnStatus.OK) {
+            return Result.error(AuthorizationError.PvmFailed, () => `IsAuthorized PVM ${ReturnStatus[execResult.status]} (gas used: ${execResult.consumedGas}).`);
+        }
+        // Compute authorizer hash: H(code_hash ++ configuration)
+        // https://graypaper.fluffylabs.dev/#/ab2cdbd/1b81011b8401?v=0.7.2
+        const authorizerHash = this.blake2b.hashBlobs([authCodeHash, authConfiguration]);
+        const authorizationOutput = BytesBlob.blobFrom(execResult.memorySlice);
+        const authorizationGasUsed = tryAsServiceGas(execResult.consumedGas);
+        return Result.ok({ authorizerHash, authorizationGasUsed, authorizationOutput });
+    }
+}

package/packages/jam/in-core/is-authorized.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=is-authorized.test.d.ts.map

package/packages/jam/in-core/is-authorized.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"is-authorized.test.d.ts","sourceRoot":"","sources":["../../../../../packages/jam/in-core/is-authorized.test.ts"],"names":[],"mappings":""}

package/packages/jam/in-core/is-authorized.test.js

@@ -0,0 +1,125 @@
+import assert from "node:assert";
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+import { before, describe, it } from "node:test";
+import { tryAsCoreIndex, tryAsServiceGas, tryAsServiceId, tryAsTimeSlot } from "#@typeberry/block";
+import { Bytes, BytesBlob } from "#@typeberry/bytes";
+import { HashDictionary } from "#@typeberry/collections";
+import { PvmBackend, tinyChainSpec } from "#@typeberry/config";
+import { Blake2b, HASH_SIZE } from "#@typeberry/hash";
+import { tryAsU32, tryAsU64 } from "#@typeberry/numbers";
+import { InMemoryService, InMemoryState, PreimageItem, ServiceAccountInfo } from "#@typeberry/state";
+import { AuthorizationError, IsAuthorized } from "./is-authorized.js";
+let blake2b;
+before(async () => {
+    blake2b = await Blake2b.createHasher();
+});
+// Load the authorizer PVM fixture.
+// This authorizer checks that authToken === authConfiguration and returns "Auth=<token>".
+// https://github.com/tomusdrw/as-lan/blob/main/examples/authorizer/assembly/authorize.ts
+const AUTHORIZER_PVM = BytesBlob.blobFrom(readFileSync(resolve(import.meta.dirname, "fixtures/authorizer.pvm")));
+const AUTH_SERVICE_ID = tryAsServiceId(42);
+function createService(serviceId, codeHash, code) {
+    return new InMemoryService(serviceId, {
+        info: ServiceAccountInfo.create({
+            codeHash: codeHash.asOpaque(),
+            balance: tryAsU64(10_000_000_000),
+            accumulateMinGas: tryAsServiceGas(0n),
+            onTransferMinGas: tryAsServiceGas(0n),
+            storageUtilisationBytes: tryAsU64(0),
+            storageUtilisationCount: tryAsU32(0),
+            gratisStorage: tryAsU64(0),
+            created: tryAsTimeSlot(0),
+            lastAccumulation: tryAsTimeSlot(0),
+            parentService: tryAsServiceId(0),
+        }),
+        preimages: HashDictionary.fromEntries([PreimageItem.create({ hash: codeHash.asOpaque(), blob: code })].map((x) => [x.hash, x])),
+        lookupHistory: HashDictionary.fromEntries([]),
+        storage: new Map(),
+    });
+}
+describe("IsAuthorized", () => {
+    const spec = tinyChainSpec;
+    function getAuthCodeHash() {
+        return blake2b.hashBytes(AUTHORIZER_PVM).asOpaque();
+    }
+    function createStateWithService(codeHash, code) {
+        return InMemoryState.partial(spec, {
+            timeslot: tryAsTimeSlot(16),
+            services: new Map([[AUTH_SERVICE_ID, createService(AUTH_SERVICE_ID, codeHash, code)]]),
+        });
+    }
+    it("should authorize when token matches configuration", async () => {
+        const authCodeHash = getAuthCodeHash();
+        const state = createStateWithService(authCodeHash, AUTHORIZER_PVM);
+        const isAuthorized = new IsAuthorized(spec, PvmBackend.BuiltIn, blake2b);
+        const token = BytesBlob.blobFromString("hello");
+        const result = await isAuthorized.invoke(state, tryAsCoreIndex(0), token, AUTH_SERVICE_ID, authCodeHash, token);
+        assert.strictEqual(result.isOk, true, `Expected OK but got error: ${result.isError ? result.details() : ""}`);
+        // Verify the authorization output starts with "Auth=<hello>"
+        const outputStr = Buffer.from(result.ok.authorizationOutput.raw).toString("utf8");
+        assert.ok(outputStr.startsWith("Auth=<hello>"), `Expected "Auth=<hello>" prefix but got "${outputStr.slice(0, 30)}"`);
+        // Verify the authorizer hash is H(code_hash ++ configuration)
+        const expectedHash = blake2b.hashBlobs([authCodeHash, token]);
+        assert.ok(result.ok.authorizerHash.isEqualTo(expectedHash), "authorizerHash should be H(code_hash || config)");
+        // Verify gas was consumed
+        assert.ok(Number(result.ok.authorizationGasUsed) > 0, "should have consumed some gas");
+    });
+    it("should authorize with empty token and configuration", async () => {
+        const authCodeHash = getAuthCodeHash();
+        const state = createStateWithService(authCodeHash, AUTHORIZER_PVM);
+        const isAuthorized = new IsAuthorized(spec, PvmBackend.BuiltIn, blake2b);
+        const result = await isAuthorized.invoke(state, tryAsCoreIndex(0), BytesBlob.empty(), AUTH_SERVICE_ID, authCodeHash, BytesBlob.empty());
+        assert.strictEqual(result.isOk, true, `Expected OK but got error: ${result.isError ? result.details() : ""}`);
+        const outputStr = Buffer.from(result.ok.authorizationOutput.raw).toString("utf8");
+        assert.ok(outputStr.startsWith("Auth=<>"), `Expected "Auth=<>" prefix but got "${outputStr.slice(0, 30)}"`);
+    });
+    it("should fail when token does not match configuration", async () => {
+        const authCodeHash = getAuthCodeHash();
+        const state = createStateWithService(authCodeHash, AUTHORIZER_PVM);
+        const isAuthorized = new IsAuthorized(spec, PvmBackend.BuiltIn, blake2b);
+        const result = await isAuthorized.invoke(state, tryAsCoreIndex(0), BytesBlob.blobFromString("wrong"), AUTH_SERVICE_ID, authCodeHash, BytesBlob.blobFromString("right"));
+        assert.strictEqual(result.isError, true);
+        assert.strictEqual(result.error, AuthorizationError.PvmFailed);
+    });
+    it("should fail when auth code host service is missing", async () => {
+        const authCodeHash = getAuthCodeHash();
+        const state = InMemoryState.partial(spec, {
+            timeslot: tryAsTimeSlot(16),
+            services: new Map(),
+        });
+        const isAuthorized = new IsAuthorized(spec, PvmBackend.BuiltIn, blake2b);
+        const result = await isAuthorized.invoke(state, tryAsCoreIndex(0), BytesBlob.empty(), AUTH_SERVICE_ID, authCodeHash, BytesBlob.empty());
+        assert.strictEqual(result.isError, true);
+        assert.strictEqual(result.error, AuthorizationError.CodeNotFound);
+    });
+    it("should fail when auth code preimage is missing", async () => {
+        const authCodeHash = getAuthCodeHash();
+        // Service exists but with no preimages
+        const emptyService = new InMemoryService(AUTH_SERVICE_ID, {
+            info: ServiceAccountInfo.create({
+                codeHash: Bytes.zero(HASH_SIZE).asOpaque(),
+                balance: tryAsU64(0),
+                accumulateMinGas: tryAsServiceGas(0n),
+                onTransferMinGas: tryAsServiceGas(0n),
+                storageUtilisationBytes: tryAsU64(0),
+                storageUtilisationCount: tryAsU32(0),
+                gratisStorage: tryAsU64(0),
+                created: tryAsTimeSlot(0),
+                lastAccumulation: tryAsTimeSlot(0),
+                parentService: tryAsServiceId(0),
+            }),
+            preimages: HashDictionary.fromEntries([]),
+            lookupHistory: HashDictionary.fromEntries([]),
+            storage: new Map(),
+        });
+        const state = InMemoryState.partial(spec, {
+            timeslot: tryAsTimeSlot(16),
+            services: new Map([[AUTH_SERVICE_ID, emptyService]]),
+        });
+        const isAuthorized = new IsAuthorized(spec, PvmBackend.BuiltIn, blake2b);
+        const result = await isAuthorized.invoke(state, tryAsCoreIndex(0), BytesBlob.empty(), AUTH_SERVICE_ID, authCodeHash, BytesBlob.empty());
+        assert.strictEqual(result.isError, true);
+        assert.strictEqual(result.error, AuthorizationError.CodeNotFound);
+    });
+});

package/packages/jam/in-core/refine.d.ts

@@ -0,0 +1,34 @@
+import { type CoreIndex, type Segment, type SegmentIndex, type ServiceGas } from "#@typeberry/block";
+import type { WorkPackageHash } from "#@typeberry/block/refine-context.js";
+import type { WorkItem, WorkItemExtrinsic } from "#@typeberry/block/work-item.js";
+import { WorkExecResult, WorkResult } from "#@typeberry/block/work-result.js";
+import type { KnownSizeArray } from "#@typeberry/collections";
+import type { ChainSpec, PvmBackend } from "#@typeberry/config";
+import { type ReturnValue } from "#@typeberry/executor";
+import { type Blake2b } from "#@typeberry/hash";
+import type { State } from "#@typeberry/state";
+export type RefineItemResult = {
+    result: WorkResult;
+    exports: readonly Segment[];
+};
+export type PerWorkItem<T> = KnownSizeArray<T, "for each work item">;
+export type ImportedSegment = {
+    index: SegmentIndex;
+    data: Segment;
+};
+/**
+ * Refine PVM invocation (Psi_R).
+ *
+ * Executes a single work item's refinement logic.
+ */
+export declare class Refine {
+    private readonly chainSpec;
+    private readonly pvmBackend;
+    private readonly blake2b;
+    constructor(chainSpec: ChainSpec, pvmBackend: PvmBackend, blake2b: Blake2b);
+    invoke(state: State, lookupState: State, idx: number, item: WorkItem, allImports: PerWorkItem<ImportedSegment[]>, allExtrinsics: PerWorkItem<WorkItemExtrinsic[]>, coreIndex: CoreIndex, workPackageHash: WorkPackageHash, exportOffset: number): Promise<RefineItemResult>;
+    static extractWorkResult(execResult: ReturnValue<ServiceGas>): WorkExecResult;
+    private getServiceCode;
+    private createRefineExternalities;
+}
+//# sourceMappingURL=refine.d.ts.map

package/packages/jam/in-core/refine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"refine.d.ts","sourceRoot":"","sources":["../../../../../packages/jam/in-core/refine.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,KAAK,SAAS,EACd,KAAK,OAAO,EACZ,KAAK,YAAY,EACjB,KAAK,UAAU,EAIhB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oCAAoC,CAAC;AAC1E,OAAO,KAAK,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AACjF,OAAO,EAAE,cAAc,EAAsC,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAGjH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AAC7D,OAAO,KAAK,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,EAA+D,KAAK,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACpH,OAAO,EAAE,KAAK,OAAO,EAAa,MAAM,iBAAiB,CAAC;AAE1D,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AAK9C,MAAM,MAAM,gBAAgB,GAAG;IAC7B,MAAM,EAAE,UAAU,CAAC;IACnB,OAAO,EAAE,SAAS,OAAO,EAAE,CAAC;CAC7B,CAAC;AAEF,MAAM,MAAM,WAAW,CAAC,CAAC,IAAI,cAAc,CAAC,CAAC,EAAE,oBAAoB,CAAC,CAAC;AAErE,MAAM,MAAM,eAAe,GAAG;IAC5B,KAAK,EAAE,YAAY,CAAC;IACpB,IAAI,EAAE,OAAO,CAAC;CACf,CAAC;AAyBF;;;;GAIG;AACH,qBAAa,MAAM;IAEf,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAFP,SAAS,EAAE,SAAS,EACpB,UAAU,EAAE,UAAU,EACtB,OAAO,EAAE,OAAO;IAG7B,MAAM,CACV,KAAK,EAAE,KAAK,EACZ,WAAW,EAAE,KAAK,EAClB,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,QAAQ,EACd,UAAU,EAAE,WAAW,CAAC,eAAe,EAAE,CAAC,EAC1C,aAAa,EAAE,WAAW,CAAC,iBAAiB,EAAE,CAAC,EAC/C,SAAS,EAAE,SAAS,EACpB,eAAe,EAAE,eAAe,EAChC,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,gBAAgB,CAAC;IA0F5B,MAAM,CAAC,iBAAiB,CAAC,UAAU,EAAE,WAAW,CAAC,UAAU,CAAC;IAiB5D,OAAO,CAAC,cAAc;IAyCtB,OAAO,CAAC,yBAAyB;CAsBlC"}