githolon 0.34.1 → 0.35.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/cli.mjs +45 -2
  2. package/package.json +3 -3
package/dist/cli.mjs CHANGED
@@ -1540,11 +1540,35 @@ function author(eng, ws, domain, directiveId, payload, controllerHash, opts = {}
1540
1540
  capPorts.principal_verified = !!opts.principalVerified;
1541
1541
  }
1542
1542
  const envelope = { payload: { domain, directiveId, payload }, captured_ports: capPorts, policy_version: 1, policy_domain: "Nomos", policy_gas: 0, policy_memory: 0 };
1543
+ if (opts.attestations !== void 0) envelope.attestations = opts.attestations;
1543
1544
  writeWork(eng, `payload-${seq}.json`, enc3.encode(JSON.stringify(payload)));
1544
1545
  writeWork(eng, `envelope-${seq}.json`, enc3.encode(stringifyBig(envelope)));
1545
1546
  const genesis = !controllerHash;
1547
+ const attestorSecretFor = (from) => {
1548
+ const s = opts.attestorSecrets;
1549
+ if (!s) return null;
1550
+ if (typeof s === "string") return s;
1551
+ return typeof s[from] === "string" ? s[from] : null;
1552
+ };
1546
1553
  const defer = opts.deferProjection !== false;
1547
- const v = JSON.parse(call(eng.ex, "offer", { repoArg: repoArgOf(ws), workspace: ws, domain, directiveId, payloadFile: `/work/payload-${seq}.json`, envelopeFile: `/work/envelope-${seq}.json`, seq, actor: opts.actor ?? "", ...opts.authToken ? { authToken: opts.authToken } : {}, domainFile: genesis ? "/work/domain.package.usda" : "", domainHash: genesis ? "" : controllerHash, branch: BRANCH, ...opts.authorSecret ? { authorSecret: opts.authorSecret } : {}, ...opts.dryRun ? { dryRun: true } : defer ? { deferProjection: true } : {} }, eng.STDERR));
1554
+ const offerOnce = () => JSON.parse(call(eng.ex, "offer", { repoArg: repoArgOf(ws), workspace: ws, domain, directiveId, payloadFile: `/work/payload-${seq}.json`, envelopeFile: `/work/envelope-${seq}.json`, seq, actor: opts.actor ?? "", ...opts.authToken ? { authToken: opts.authToken } : {}, domainFile: genesis ? "/work/domain.package.usda" : "", domainHash: genesis ? "" : controllerHash, branch: BRANCH, ...opts.authorSecret ? { authorSecret: opts.authorSecret } : {}, ...opts.dryRun ? { dryRun: true } : defer ? { deferProjection: true } : {} }, eng.STDERR));
1555
+ let v = offerOnce();
1556
+ for (let pass = 0; pass < 8 && v.outcome === "refused"; pass++) {
1557
+ const need = parseAttestedReadNeed(v.verdict?.reason ?? v.error);
1558
+ if (!need || !eng.mounted.has(need.from)) break;
1559
+ const secret = attestorSecretFor(need.from);
1560
+ if (!secret) break;
1561
+ const served = attestedRead(eng, need.from, {
1562
+ queryId: need.queryId,
1563
+ paramsJson: JSON.stringify(need.args),
1564
+ attestorSecret: secret,
1565
+ nowMs: opts.attestNowMs ?? Date.now()
1566
+ });
1567
+ if (!served || served.ok !== true) break;
1568
+ envelope.attestations = [...envelope.attestations ?? [], { queryId: need.queryId, result: served.rows, attestation: served.attestation }];
1569
+ writeWork(eng, `envelope-${seq}.json`, enc3.encode(stringifyBig(envelope)));
1570
+ v = offerOnce();
1571
+ }
1548
1572
  const res = v.outcome === "admitted" ? { ok: true, head: v.head, intentOut: v.intentOut, ...v.born ? { born: v.born } : {} } : v.outcome === "refused" ? { ok: false, error: v.verdict?.reason ?? v.error } : v;
1549
1573
  if (defer && res.ok) (eng.pendingProjection ??= /* @__PURE__ */ new Set()).add(ws);
1550
1574
  return res;
@@ -1577,6 +1601,19 @@ async function custodyFetch(eng, ws, ledger, { remoteRef = "refs/heads/main", lo
1577
1601
  kgit.writeRef(eng, gitdirOf(ws), fullRef(localRef || remoteRef), tip);
1578
1602
  return tip;
1579
1603
  }
1604
+ function parseAttestedReadNeed(error) {
1605
+ const m = /attested-read-unreachable: read\('([^']+)', \{from: '([^']+)'\}\) args=(.*?) has no injected attestation/.exec(String(error || ""));
1606
+ if (!m) return null;
1607
+ let blob = m[3];
1608
+ for (let i = 0; i < 4; i++) {
1609
+ try {
1610
+ return { queryId: m[1], from: m[2], args: JSON.parse(blob) };
1611
+ } catch {
1612
+ blob = blob.replace(/\\(["\\])/g, "$1");
1613
+ }
1614
+ }
1615
+ return null;
1616
+ }
1580
1617
  function offerIntent(eng, ws, bytes, opts) {
1581
1618
  const name = `offer-in-${eng.seq++}.json`;
1582
1619
  writeWork(eng, name, bytes);
@@ -1594,7 +1631,7 @@ function applyIntentBytes(eng, ws, bytes, opts) {
1594
1631
  function verifyChainLocal(eng, ws) {
1595
1632
  return JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ op: "verifyChain" }), branch: BRANCH }, eng.STDERR));
1596
1633
  }
1597
- var enc3, dec3, BRANCH, RESULT_PACK_INLINE_MAX, repoArgOf, gitdirOf, unpack, repoArgOfGitdir, bytesFromB64, kgit, installPayload, fullRef, applyPackInto, custodyLsRefs, qById, query, cryptoUnwrapKey, count, sum;
1634
+ var enc3, dec3, BRANCH, RESULT_PACK_INLINE_MAX, repoArgOf, gitdirOf, unpack, repoArgOfGitdir, bytesFromB64, kgit, installPayload, fullRef, applyPackInto, custodyLsRefs, qById, query, attestedRead, cryptoUnwrapKey, count, sum;
1598
1635
  var init_engine = __esm({
1599
1636
  "vendor/engine/engine.mjs"() {
1600
1637
  "use strict";
@@ -1651,6 +1688,12 @@ var init_engine = __esm({
1651
1688
  custodyLsRefs = (ledger, prefix = null) => lsRefs(ledger.remote, ledger.headers || {}, { service: "git-upload-pack", prefix });
1652
1689
  qById = (eng, ws, id, principal = "", keys = []) => JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ op: "byId", aggregateId: id }), principal, keys, branch: BRANCH }, eng.STDERR));
1653
1690
  query = (eng, ws, queryId, paramsJson, principal = "", keys = []) => JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ kind: "query", queryId, paramsJson }), principal, keys, branch: BRANCH }, eng.STDERR));
1691
+ attestedRead = (eng, ws, { queryId, paramsJson, attestorSecret, nowMs }) => JSON.parse(call(eng.ex, "query", {
1692
+ repoArg: repoArgOf(ws),
1693
+ workspace: ws,
1694
+ branch: BRANCH,
1695
+ queryBytes: b64Json({ op: "attestedRead", queryId, paramsJson: paramsJson || "{}", attestorSecret, nowMs: nowMs ?? Date.now(), sourceWorkspace: ws })
1696
+ }, eng.STDERR));
1654
1697
  cryptoUnwrapKey = (eng, { secret, hpkeEpk, ct }) => JSON.parse(call(eng.ex, "query", { queryBytes: b64Json({ op: "cryptoUnwrapKey", secret, hpkeEpk, ct }) }, eng.STDERR)).scopeKey;
1655
1698
  count = (eng, ws, countId, groupKey, principal = "") => JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ op: "count", countId, groupKey }), principal, branch: BRANCH }, eng.STDERR));
1656
1699
  sum = (eng, ws, sumId, groupKey, principal = "") => JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ op: "sum", sumId, groupKey }), principal, branch: BRANCH }, eng.STDERR));
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "githolon",
3
- "version": "0.34.1",
3
+ "version": "0.35.0",
4
4
  "type": "module",
5
5
  "description": "githolon — the Nomos developer CLI: Rails-style generators for @githolon/dsl domains + the package compiler. Kernel-independent.",
6
6
  "license": "SEE LICENSE IN LICENSE.md",
@@ -29,8 +29,8 @@
29
29
  },
30
30
  "dependencies": {
31
31
  "@bjorn3/browser_wasi_shim": "0.4.2",
32
- "@githolon/client": "^0.34.1",
33
- "@githolon/dsl": "^0.34.1",
32
+ "@githolon/client": "^0.35.0",
33
+ "@githolon/dsl": "^0.35.0",
34
34
  "isomorphic-git": "^1.38.4"
35
35
  },
36
36
  "devDependencies": {