npm - midsummer-sol - Versions diffs - 0.2.2 → 0.3.0 - Mend

midsummer-sol 0.2.2 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/index.js CHANGED Viewed

@@ -1423,16 +1423,76 @@ function trustAuthor(op, trust = {}) {
 }
 // src/prov.ts
+var TC_SEP = "\x01";
+var TC_TAG = "tc1";
+function encodeTool(p) {
+  const surface = p.tool?.trim() || "";
+  if (!p.toolCall && !p.testRunId)
+    return surface || undefined;
+  const segs = [surface, TC_TAG];
+  const tc = p.toolCall;
+  segs.push(`name=${tc?.name ?? ""}`, `args=${tc?.argsHash ?? ""}`, `inv=${tc?.invocationId ?? ""}`, `test=${p.testRunId ?? ""}`);
+  return segs.join(TC_SEP);
+}
+function decodeTool(tool) {
+  if (!tool)
+    return {};
+  const parts = tool.split(TC_SEP);
+  if (parts.length < 2 || parts[1] !== TC_TAG)
+    return { tool: tool || undefined };
+  const surface = parts[0] || undefined;
+  const kv = new Map;
+  for (const seg of parts.slice(2)) {
+    const eq2 = seg.indexOf("=");
+    if (eq2 >= 0)
+      kv.set(seg.slice(0, eq2), seg.slice(eq2 + 1));
+  }
+  const name = kv.get("name") || "";
+  const argsHash = kv.get("args") || "";
+  const invocationId = kv.get("inv") || "";
+  const testRunId = kv.get("test") || undefined;
+  const out = { tool: surface };
+  if (name || argsHash || invocationId)
+    out.toolCall = { name, argsHash, invocationId };
+  if (testRunId)
+    out.testRunId = testRunId;
+  return out;
+}
+function parseToolCall(raw) {
+  if (!raw)
+    return;
+  let v;
+  try {
+    v = JSON.parse(raw);
+  } catch {
+    return;
+  }
+  if (!v || typeof v !== "object")
+    return;
+  const o = v;
+  const name = typeof o.name === "string" ? o.name : "";
+  const argsHash = typeof o.argsHash === "string" ? o.argsHash : "";
+  const invocationId = typeof o.invocationId === "string" ? o.invocationId : "";
+  if (!name || !argsHash || !invocationId)
+    return;
+  return { name, argsHash, invocationId };
+}
 function provenanceFromEnv(env = process.env) {
   const kind = env.SOL_KIND === "agent" ? "agent" : "human";
+  const tool = encodeTool({
+    tool: env.SOL_TOOL,
+    toolCall: parseToolCall(env.SOL_TOOL_CALL),
+    testRunId: env.SOL_TEST_RUN_ID || undefined
+  });
   const node = buildProvNode({
     agentId: env.SOL_AGENT_ID || (kind === "agent" ? env.SOL_ACTOR : undefined),
     sessionId: env.SOL_SESSION,
     model: env.SOL_MODEL,
     intent: env.SOL_INTENT,
-    tool: env.SOL_TOOL
+    tool
   });
-  return node ? { kind, node } : { kind };
+  const opRunId = env.SOL_OPERATION_ID || undefined;
+  return { kind, ...node ? { node } : {}, ...opRunId ? { opRunId } : {} };
 }
 function buildProvNode(fields) {
   const clean = { kind: "prov" };
@@ -1461,6 +1521,9 @@ function authorLabel(op, reader) {
   const bits = [];
   if (p?.sessionId)
     bits.push(`session ${p.sessionId}`);
+  const tp = p ? decodeTool(p.tool) : {};
+  if (tp.toolCall)
+    bits.push(`via ${tp.toolCall.name}`);
   const tail = p?.intent ? ` — intent: ${p.intent}` : "";
   return `${who}${bits.length ? ` (${bits.join(", ")})` : ""}${tail}`;
 }
@@ -1470,10 +1533,21 @@ function provJson(op, reader, key, trust) {
     return;
   const out = { kind: op.kind ?? "human" };
   if (p) {
-    for (const k of ["agentId", "sessionId", "model", "intent", "tool", "rationale", "parent"])
+    for (const k of ["agentId", "sessionId", "model", "intent", "rationale", "parent"])
       if (p[k])
         out[k] = p[k];
   }
+  if (p?.tool) {
+    const tp = decodeTool(p.tool);
+    if (tp.tool)
+      out.tool = tp.tool;
+    if (tp.toolCall)
+      out.toolCall = tp.toolCall;
+    if (tp.testRunId)
+      out.testRunId = tp.testRunId;
+  }
+  if (op.opRunId !== undefined)
+    out.opRunId = op.opRunId;
   if (op.sig !== undefined) {
     const t = trustAuthor(op, trust);
     out.signed = true;
@@ -1531,7 +1605,7 @@ function signTrailerValue(op, trust) {
       return `${t.fingerprint} verified`;
   }
 }
-function provTrailers(op, reader, key, trust) {
+function provTrailers(op, reader, key, trust, reviewCount) {
   const p = reader ? provOf(op, reader) : undefined;
   const lines2 = [];
   const signed = trustAuthor(op, trust);
@@ -1545,6 +1619,13 @@ function provTrailers(op, reader, key, trust) {
     lines2.push(`Sol-Session: ${p.sessionId}`);
   if (p?.model)
     lines2.push(`Sol-Model: ${p.model}`);
+  const tp = decodeTool(p?.tool);
+  if (tp.toolCall)
+    lines2.push(`Sol-ToolCall: ${tp.toolCall.name} args=${tp.toolCall.argsHash} inv=${tp.toolCall.invocationId}`);
+  if (tp.testRunId)
+    lines2.push(`Sol-TestRun: ${tp.testRunId}`);
+  if (op.opRunId)
+    lines2.push(`Sol-Operation: ${op.opRunId}`);
   const intent = p?.intent || (isAgent ? op.message?.trim() || undefined : undefined);
   if (intent)
     lines2.push(`Sol-Intent: ${intent}`);
@@ -1553,15 +1634,40 @@ function provTrailers(op, reader, key, trust) {
     lines2.push(`Sol-Sign: ${sign}`);
   if (op.att !== undefined && !(key && !verifyAtt(key, op)))
     lines2.push(`Sol-Attested: pushedBy=${op.pushedBy ?? "?"}`);
+  if (reviewCount && reviewCount > 0)
+    lines2.push(`Sol-Attestations: ${reviewCount}`);
   return lines2;
 }
 async function captureProv(sink, env = process.env) {
-  const { kind, node } = provenanceFromEnv(env);
+  const { kind, node, opRunId } = provenanceFromEnv(env);
   const out = {};
   if (kind === "agent")
     out.kind = "agent";
   if (node)
     out.prov = await sink.put(node);
+  if (opRunId)
+    out.opRunId = opRunId;
+  return out;
+}
+function toolProvOf(op, reader) {
+  const p = reader ? provOf(op, reader) : undefined;
+  return p ? decodeTool(p.tool) : {};
+}
+function toAttestationRecords(op, reader, issuer = "sol") {
+  const tp = toolProvOf(op, reader);
+  const out = [];
+  if (tp.toolCall) {
+    out.push({
+      kind: "audit",
+      issuer,
+      verdict: "pass",
+      summary: `tool-call ${tp.toolCall.name} (inv ${tp.toolCall.invocationId}, args ${tp.toolCall.argsHash})`,
+      at: op.at
+    });
+  }
+  if (tp.testRunId) {
+    out.push({ kind: "check", issuer, verdict: "pending", summary: `test-run ${tp.testRunId}`, at: op.at });
+  }
   return out;
 }
@@ -1613,10 +1719,25 @@ class AsyncRepo {
     await this.log.append(by === this.actor ? this.sign(entry) : entry);
   }
   provFor;
+  pendingToolCall;
+  setToolCall(tc) {
+    this.pendingToolCall = tc;
+  }
   async provenance(by) {
     if (by !== this.actor)
       return {};
-    return this.provFor ??= captureProv(this.store);
+    const base = await (this.provFor ??= captureProv(this.store));
+    const tc = this.pendingToolCall;
+    if (!tc)
+      return base;
+    this.pendingToolCall = undefined;
+    const { kind, node } = provenanceFromEnv();
+    const session = node ?? { kind: "prov" };
+    const surface = decodeTool(session.tool);
+    const tool = encodeTool({ tool: surface.tool, toolCall: tc, testRunId: surface.testRunId });
+    const merged = { ...session, kind: "prov", tool };
+    const prov = await this.store.put(merged);
+    return { ...kind === "agent" ? { kind: "agent" } : {}, prov, ...base.opRunId ? { opRunId: base.opRunId } : {} };
   }
   async currentRoot() {
     const head = await this.log.head();
@@ -1818,6 +1939,9 @@ class SolWorkspace {
     this.actor = actor;
     this.repo = new AsyncRepo(store, log, actor);
   }
+  setToolCall(tc) {
+    this.repo.setToolCall(tc);
+  }
   async write(path, content) {
     return this.repo.writeFile(safePath(path), content);
   }
@@ -2844,7 +2968,64 @@ class Ledger {
     return [...this.bySubject.get(subject) ?? []];
   }
 }
+function canonicalReview(a) {
+  return JSON.stringify({
+    kind: a.kind,
+    issuer: a.issuer,
+    reviewerKind: a.reviewerKind,
+    verdict: a.verdict,
+    commitSha: a.commitSha,
+    findings: a.findings ?? [],
+    at: a.at
+  });
+}
+function signReview(key, a) {
+  return createHmac2("sha256", key).update(canonicalReview(a)).digest("base64");
+}
+function verifyReview(key, a, sig = a.signature) {
+  if (!sig)
+    return false;
+  const expected = Buffer.from(signReview(key, a));
+  const got = Buffer.from(sig);
+  return expected.length === got.length && timingSafeEqual3(expected, got);
+}
+function buildReviewerAttestation(key, a) {
+  const full = { kind: "review", ...a, at: a.at ?? Date.now() };
+  full.signature = signReview(key, full);
+  return full;
+}
+function reviewSubject(changeId, commitSha) {
+  return `review:${changeId}:${commitSha}`;
+}
+class ReviewerAttestationLedger {
+  byChange = new Map;
+  append(changeId, a) {
+    if (!a.signature)
+      throw new Error("reviewer attestation must be signed before it is recorded");
+    const list = this.byChange.get(changeId) ?? [];
+    list.push(a);
+    this.byChange.set(changeId, list);
+  }
+  provenance(changeId) {
+    return [...this.byChange.get(changeId) ?? []];
+  }
+  forCommit(changeId, commitSha) {
+    return this.provenance(changeId).filter((a) => a.commitSha === commitSha);
+  }
+  verifiedCount(key, changeId, commitSha) {
+    const recs = commitSha ? this.forCommit(changeId, commitSha) : this.provenance(changeId);
+    return recs.filter((a) => verifyReview(key, a)).length;
+  }
+}
 // src/check.ts
+function gateFromResult(head, runner, r, at = Date.now()) {
+  return { head, verdict: r.verdict, checkName: runner.id, summary: r.summary, findings: r.findings, at };
+}
+function pendingGate(head, at = Date.now()) {
+  return { head, verdict: "pending", at };
+}
 class CheckCache {
   cache = new Map;
   _hits = 0;
@@ -2871,6 +3052,7 @@ function toAttestation(runner, r) {
 export {
   writeFile,
   wrapCekTo,
+  verifyReview,
   verifyPubkeySig,
   verifyOp,
   verifyAuthor,
@@ -2878,9 +3060,12 @@ export {
   verifyAtt,
   unwrapCekWith,
   trustAuthor,
+  toolProvOf,
+  toAttestationRecords,
   toAttestation,
   signerFrom,
   signTag,
+  signReview,
   signPubkey,
   signOp,
   signAuthor,
@@ -2894,6 +3079,7 @@ export {
   safePath,
   runCommand,
   rotate,
+  reviewSubject,
   recoveryKeyPair,
   readFile,
   reachableFrom,
@@ -2907,6 +3093,8 @@ export {
   provTrailers,
   provOf,
   provJson,
+  pendingGate,
+  parseToolCall,
   pageOps,
   openWithRecovery,
   openContent,
@@ -2927,6 +3115,7 @@ export {
   getTree,
   generateRecoveryCode,
   generateKeypair,
+  gateFromResult,
   garbage,
   formatLog,
   fingerprintOf,
@@ -2934,21 +3123,25 @@ export {
   fileAt,
   exportFiles,
   entryKindAt,
+  encodeTool,
   emptyRoot,
   duplicateExportCheck,
   diffTrees,
   diffFile,
   deriveIdentity,
   deleteFile,
+  decodeTool,
   converge,
   compact,
   clone,
   ciphertextOf,
   captureProv,
+  canonicalReview,
   canonicalOp,
   canonicalAuthor,
   canonicalAttestation,
   canonicalAtt,
+  buildReviewerAttestation,
   buildProvNode,
   blobHashAt,
   blame,
@@ -2963,6 +3156,7 @@ export {
   SealedClient,
   SealRegistry,
   SEALED,
+  ReviewerAttestationLedger,
   Repo,
   RefAcls,
   MemoryOpLog,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "midsummer-sol",
-  "version": "0.2.2",
+  "version": "0.3.0",
   "description": "Sol — agent-native version control (a new git). CLI, MCP server, and no-filesystem SDK.",
   "bin": { "sol": "./sol.js", "sol-mcp": "./sol-mcp.js", "sol-secret-mcp": "./sol-secret-mcp.js" },
   "main": "./index.js",