githolon 0.34.1 → 0.36.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/dist/cli.mjs +48 -2
  2. package/package.json +3 -3
package/dist/cli.mjs CHANGED
@@ -1540,11 +1540,38 @@ function author(eng, ws, domain, directiveId, payload, controllerHash, opts = {}
1540
1540
  capPorts.principal_verified = !!opts.principalVerified;
1541
1541
  }
1542
1542
  const envelope = { payload: { domain, directiveId, payload }, captured_ports: capPorts, policy_version: 1, policy_domain: "Nomos", policy_gas: 0, policy_memory: 0 };
1543
+ if (opts.attestations !== void 0) envelope.attestations = opts.attestations;
1543
1544
  writeWork(eng, `payload-${seq}.json`, enc3.encode(JSON.stringify(payload)));
1544
1545
  writeWork(eng, `envelope-${seq}.json`, enc3.encode(stringifyBig(envelope)));
1545
1546
  const genesis = !controllerHash;
1547
+ const attestorSecretFor = (from) => {
1548
+ const s = opts.attestorSecrets;
1549
+ if (!s) return null;
1550
+ if (typeof s === "string") return s;
1551
+ return typeof s[from] === "string" ? s[from] : null;
1552
+ };
1546
1553
  const defer = opts.deferProjection !== false;
1547
- const v = JSON.parse(call(eng.ex, "offer", { repoArg: repoArgOf(ws), workspace: ws, domain, directiveId, payloadFile: `/work/payload-${seq}.json`, envelopeFile: `/work/envelope-${seq}.json`, seq, actor: opts.actor ?? "", ...opts.authToken ? { authToken: opts.authToken } : {}, domainFile: genesis ? "/work/domain.package.usda" : "", domainHash: genesis ? "" : controllerHash, branch: BRANCH, ...opts.authorSecret ? { authorSecret: opts.authorSecret } : {}, ...opts.dryRun ? { dryRun: true } : defer ? { deferProjection: true } : {} }, eng.STDERR));
1554
+ const offerOnce = () => JSON.parse(call(eng.ex, "offer", { repoArg: repoArgOf(ws), workspace: ws, domain, directiveId, payloadFile: `/work/payload-${seq}.json`, envelopeFile: `/work/envelope-${seq}.json`, seq, actor: opts.actor ?? "", ...opts.authToken ? { authToken: opts.authToken } : {}, domainFile: genesis ? "/work/domain.package.usda" : "", domainHash: genesis ? "" : controllerHash, branch: BRANCH, ...opts.authorSecret ? { authorSecret: opts.authorSecret } : {}, ...opts.dryRun ? { dryRun: true } : defer ? { deferProjection: true } : {} }, eng.STDERR));
1555
+ let v = offerOnce();
1556
+ for (let pass = 0; pass < 8 && v.outcome === "refused"; pass++) {
1557
+ const need = parseAttestedReadNeed(v.verdict?.reason ?? v.error);
1558
+ if (!need || !eng.mounted.has(need.from)) break;
1559
+ const secret = attestorSecretFor(need.from);
1560
+ if (!secret) break;
1561
+ const served = attestedRead(eng, need.from, {
1562
+ queryId: need.queryId,
1563
+ paramsJson: JSON.stringify(need.args),
1564
+ attestorSecret: secret,
1565
+ nowMs: opts.attestNowMs ?? Date.now(),
1566
+ // K3 (§1.5.3): colocated custody is in-memory — always ask for the carried enrollment
1567
+ // proof; the kernel produces-or-omits under its own bounds (the adapter decides nothing).
1568
+ includeRosterProof: true
1569
+ });
1570
+ if (!served || served.ok !== true) break;
1571
+ envelope.attestations = [...envelope.attestations ?? [], { queryId: need.queryId, result: served.rows, attestation: served.attestation }];
1572
+ writeWork(eng, `envelope-${seq}.json`, enc3.encode(stringifyBig(envelope)));
1573
+ v = offerOnce();
1574
+ }
1548
1575
  const res = v.outcome === "admitted" ? { ok: true, head: v.head, intentOut: v.intentOut, ...v.born ? { born: v.born } : {} } : v.outcome === "refused" ? { ok: false, error: v.verdict?.reason ?? v.error } : v;
1549
1576
  if (defer && res.ok) (eng.pendingProjection ??= /* @__PURE__ */ new Set()).add(ws);
1550
1577
  return res;
@@ -1577,6 +1604,19 @@ async function custodyFetch(eng, ws, ledger, { remoteRef = "refs/heads/main", lo
1577
1604
  kgit.writeRef(eng, gitdirOf(ws), fullRef(localRef || remoteRef), tip);
1578
1605
  return tip;
1579
1606
  }
1607
+ function parseAttestedReadNeed(error) {
1608
+ const m = /attested-read-unreachable: read\('([^']+)', \{from: '([^']+)'\}\) args=(.*?) has no injected attestation/.exec(String(error || ""));
1609
+ if (!m) return null;
1610
+ let blob = m[3];
1611
+ for (let i = 0; i < 4; i++) {
1612
+ try {
1613
+ return { queryId: m[1], from: m[2], args: JSON.parse(blob) };
1614
+ } catch {
1615
+ blob = blob.replace(/\\(["\\])/g, "$1");
1616
+ }
1617
+ }
1618
+ return null;
1619
+ }
1580
1620
  function offerIntent(eng, ws, bytes, opts) {
1581
1621
  const name = `offer-in-${eng.seq++}.json`;
1582
1622
  writeWork(eng, name, bytes);
@@ -1594,7 +1634,7 @@ function applyIntentBytes(eng, ws, bytes, opts) {
1594
1634
  function verifyChainLocal(eng, ws) {
1595
1635
  return JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ op: "verifyChain" }), branch: BRANCH }, eng.STDERR));
1596
1636
  }
1597
- var enc3, dec3, BRANCH, RESULT_PACK_INLINE_MAX, repoArgOf, gitdirOf, unpack, repoArgOfGitdir, bytesFromB64, kgit, installPayload, fullRef, applyPackInto, custodyLsRefs, qById, query, cryptoUnwrapKey, count, sum;
1637
+ var enc3, dec3, BRANCH, RESULT_PACK_INLINE_MAX, repoArgOf, gitdirOf, unpack, repoArgOfGitdir, bytesFromB64, kgit, installPayload, fullRef, applyPackInto, custodyLsRefs, qById, query, attestedRead, cryptoUnwrapKey, count, sum;
1598
1638
  var init_engine = __esm({
1599
1639
  "vendor/engine/engine.mjs"() {
1600
1640
  "use strict";
@@ -1651,6 +1691,12 @@ var init_engine = __esm({
1651
1691
  custodyLsRefs = (ledger, prefix = null) => lsRefs(ledger.remote, ledger.headers || {}, { service: "git-upload-pack", prefix });
1652
1692
  qById = (eng, ws, id, principal = "", keys = []) => JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ op: "byId", aggregateId: id }), principal, keys, branch: BRANCH }, eng.STDERR));
1653
1693
  query = (eng, ws, queryId, paramsJson, principal = "", keys = []) => JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ kind: "query", queryId, paramsJson }), principal, keys, branch: BRANCH }, eng.STDERR));
1694
+ attestedRead = (eng, ws, { queryId, paramsJson, attestorSecret, nowMs, includeRosterProof }) => JSON.parse(call(eng.ex, "query", {
1695
+ repoArg: repoArgOf(ws),
1696
+ workspace: ws,
1697
+ branch: BRANCH,
1698
+ queryBytes: b64Json({ op: "attestedRead", queryId, paramsJson: paramsJson || "{}", attestorSecret, nowMs: nowMs ?? Date.now(), sourceWorkspace: ws, ...includeRosterProof ? { includeRosterProof: true } : {} })
1699
+ }, eng.STDERR));
1654
1700
  cryptoUnwrapKey = (eng, { secret, hpkeEpk, ct }) => JSON.parse(call(eng.ex, "query", { queryBytes: b64Json({ op: "cryptoUnwrapKey", secret, hpkeEpk, ct }) }, eng.STDERR)).scopeKey;
1655
1701
  count = (eng, ws, countId, groupKey, principal = "") => JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ op: "count", countId, groupKey }), principal, branch: BRANCH }, eng.STDERR));
1656
1702
  sum = (eng, ws, sumId, groupKey, principal = "") => JSON.parse(call(eng.ex, "query", { repoArg: repoArgOf(ws), workspace: ws, queryBytes: b64Json({ op: "sum", sumId, groupKey }), principal, branch: BRANCH }, eng.STDERR));
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "githolon",
3
- "version": "0.34.1",
3
+ "version": "0.36.0",
4
4
  "type": "module",
5
5
  "description": "githolon — the Nomos developer CLI: Rails-style generators for @githolon/dsl domains + the package compiler. Kernel-independent.",
6
6
  "license": "SEE LICENSE IN LICENSE.md",
@@ -29,8 +29,8 @@
29
29
  },
30
30
  "dependencies": {
31
31
  "@bjorn3/browser_wasi_shim": "0.4.2",
32
- "@githolon/client": "^0.34.1",
33
- "@githolon/dsl": "^0.34.1",
32
+ "@githolon/client": "^0.36.0",
33
+ "@githolon/dsl": "^0.36.0",
34
34
  "isomorphic-git": "^1.38.4"
35
35
  },
36
36
  "devDependencies": {