ciris-server 0.1.1__tar.gz

ciris_server-0.1.1/.github/workflows/ci.yml

@@ -0,0 +1,71 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  fmt:
+    name: rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt
+      - run: cargo fmt --all --check
+
+  clippy-test:
+    name: clippy + test (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          components: clippy
+      - name: Install build deps (Linux)
+        if: runner.os == 'Linux'
+        run: sudo apt-get update && sudo apt-get install -y libtss2-dev libsqlite3-dev
+      - uses: Swatinem/rust-cache@v2
+        continue-on-error: true
+        with:
+          cache-bin: false
+      - run: cargo clippy --all-targets --all-features -- -D warnings
+      - run: cargo test --all-features
+
+  # Win7-SP1 → Win11 build check (CIRISVerify#67 pattern, mirrored by every
+  # upstream substrate crate). Rust 1.78 raised the windows-msvc std floor to
+  # Win10 1809; a default-target build hard-imports Win8/Win10 APIs. We build
+  # the Tier-3 target `x86_64-win7-windows-msvc` (std keeps the Win7 fallbacks)
+  # on nightly + `-Zbuild-std` so the fabric node still LoadLibrary's on Win7.
+  # build-std crate list is `std,panic_abort`; panic_abort is required by std's
+  # own build (omit → E0463) and does NOT set the panic strategy, which stays
+  # "unwind" via the Cargo.toml profile pin (so any catch_unwind sites work).
+  win7-build-std:
+    name: Win7 build-std check
+    runs-on: windows-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@nightly
+        with:
+          components: rust-src
+      - uses: Swatinem/rust-cache@v2
+        continue-on-error: true
+        with:
+          cache-bin: false
+          key: ci-win7-build-std
+      - name: Build (x86_64-win7-windows-msvc, build-std)
+        shell: bash
+        run: |
+          cargo +nightly build --release \
+            --target x86_64-win7-windows-msvc \
+            -Z build-std=std,panic_abort \
+            -p ciris-server

ciris_server-0.1.1/.github/workflows/conformance.yml

@@ -0,0 +1,63 @@
+name: conformance
+
+# Cohabitation conformance: build the ciris-server abi3 wheel, then drive it
+# through CIRISConformance's reusable suite alongside the pinned substrate
+# triple (persist / edge / verify) — the production cohabitation shape (the
+# wheels run together in one Python process). CIRISServer carries the absorbed
+# lens surface, so the suite's `requires_lens` tests run against THIS wheel.
+#
+# A failure here is the cohabitation contract failing — the same gate that
+# blocks publish-pypi in the substrate sisters' release flows. Wired on PR +
+# push now; promote to a publish gate when the PyPI release job lands.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build-wheel:
+    name: build ciris-server wheel (linux-x86_64)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Install build deps
+        # libtss2-dev: the family links the TPM keyring backend on Linux.
+        # libsqlite3-dev: persist's sqlite backend.
+        # patchelf: maturin's manylinux repair (the wheel dynamically links
+        # libtss2/libcrypto) — without it `maturin build` fails.
+        run: sudo apt-get update && sudo apt-get install -y libtss2-dev libsqlite3-dev patchelf
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Build abi3 wheel (maturin)
+        # [tool.maturin] in pyproject.toml supplies features = ["extension-module"]
+        # + module-name = ciris_server; pyo3 abi3-py310 → one wheel for 3.10+.
+        run: |
+          python -m pip install --upgrade pip
+          pip install "maturin>=1.7,<2"
+          maturin build --release --out dist
+          ls -l dist/
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ciris_server-wheel-linux-x86_64
+          path: dist/*.whl
+          if-no-files-found: error
+
+  cohabitation-conformance:
+    name: cohabitation (linux-x86_64 × ${{ matrix.backend }})
+    needs: build-wheel
+    strategy:
+      fail-fast: false
+      matrix:
+        backend: [sqlite, postgres]
+    uses: CIRISAI/CIRISConformance/.github/workflows/run-against-wheels.yml@main
+    with:
+      runs-on: ubuntu-latest
+      backend: ${{ matrix.backend }}
+      under-test-wheel-artifact: ciris_server-wheel-linux-x86_64
+      under-test-package: ciris-server
+      # matrix-ref defaults to main, which pins the persist-7 substrate triple
+      # + maps requires_lens → ciris_server (CIRISConformance#14, merged).

ciris_server-0.1.1/.github/workflows/publish-pypi.yml

@@ -0,0 +1,166 @@
+name: publish-pypi
+
+# Build the ciris-server abi3 wheels for every platform, gate them through the
+# CIRISConformance cohabitation suite, then publish to PyPI via **Trusted
+# Publishing** (OIDC — no stored API token). Fires on a v* tag.
+#
+# Trusted-publisher registration (one-time, done on PyPI by a maintainer):
+#   PyPI project:      ciris-server
+#   Owner:             CIRISAI
+#   Repository:        CIRISServer
+#   Workflow filename: publish-pypi.yml
+#   Environment:       pypi
+# Until that's registered, the `publish` job's OIDC mint will fail — the build
+# + conformance jobs still run, so the gate is exercised on every tag.
+
+on:
+  push:
+    tags: ["v*"]
+  workflow_dispatch:
+    inputs:
+      publish:
+        description: "Publish to PyPI (true) or build+conformance only (false)"
+        type: boolean
+        default: false
+
+permissions:
+  contents: read
+
+jobs:
+  # ── Build abi3 wheels per platform ─────────────────────────────────────────
+  # Linux: build on the native runners with apt deps + patchelf (NOT a manylinux
+  # container). The keyring's tss-esapi-sys needs tpm2-tss >= 3.x; the
+  # manylinux_2_28/el8 container only ships 2.3.2 → "tss2-sys not found". Ubuntu
+  # 24.04 has 4.0.x, and maturin+patchelf produce a manylinux_2_39 wheel — the
+  # same recipe the sister wheels ship (persist manylinux_2_38, edge _2_39) and
+  # the one the green conformance build-wheel job uses.
+  linux:
+    name: wheel ${{ matrix.plat.name }}
+    runs-on: ${{ matrix.plat.runs-on }}
+    strategy:
+      fail-fast: false
+      matrix:
+        plat:
+          - { name: linux-x86_64, runs-on: ubuntu-latest }
+          - { name: linux-aarch64, runs-on: ubuntu-24.04-arm }
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - name: Install build deps
+        run: sudo apt-get update && sudo apt-get install -y libtss2-dev libsqlite3-dev patchelf
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Build wheel (maturin)
+        run: |
+          python -m pip install --upgrade pip
+          pip install "maturin>=1.7,<2"
+          maturin build --release --out dist
+      - uses: actions/upload-artifact@v4
+        with:
+          name: wheels-${{ matrix.plat.name }}
+          path: dist/*.whl
+          if-no-files-found: error
+
+  macos:
+    name: wheel macos-${{ matrix.target }}
+    runs-on: macos-14
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [aarch64, x86_64]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Build wheel (maturin)
+        uses: PyO3/maturin-action@v1
+        with:
+          target: ${{ matrix.target }}
+          args: --release --out dist
+      - uses: actions/upload-artifact@v4
+        with:
+          name: wheels-macos-${{ matrix.target }}
+          path: dist/*.whl
+          if-no-files-found: error
+
+  windows:
+    name: wheel windows-x64
+    runs-on: windows-latest
+    # The family's Windows wheel has historically failed on persist's Unix-only
+    # paths (CIRISPersist#200 / CIRISEdge#90). Don't block the release on it;
+    # publish whatever platforms succeed. Remove continue-on-error once green.
+    continue-on-error: true
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Build wheel (maturin)
+        uses: PyO3/maturin-action@v1
+        with:
+          target: x64
+          args: --release --out dist
+      - uses: actions/upload-artifact@v4
+        with:
+          name: wheels-windows-x64
+          path: dist/*.whl
+          if-no-files-found: warn
+
+  sdist:
+    name: sdist
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build sdist
+        uses: PyO3/maturin-action@v1
+        with:
+          command: sdist
+          args: --out dist
+      - uses: actions/upload-artifact@v4
+        with:
+          name: wheels-sdist
+          path: dist/*.tar.gz
+          if-no-files-found: error
+
+  # ── Gate: the linux wheel must pass cohabitation conformance ───────────────
+  # A failure here BLOCKS publish (the substrate-sister discipline). Runs the
+  # CIRISConformance suite with the just-built wheel + the pinned triple.
+  conformance-gate:
+    name: cohabitation gate (linux-x86_64 × ${{ matrix.backend }})
+    needs: linux
+    strategy:
+      fail-fast: true
+      matrix:
+        backend: [sqlite, postgres]
+    uses: CIRISAI/CIRISConformance/.github/workflows/run-against-wheels.yml@main
+    with:
+      runs-on: ubuntu-latest
+      backend: ${{ matrix.backend }}
+      under-test-wheel-artifact: wheels-linux-x86_64
+      under-test-package: ciris-server
+      # matrix-ref defaults to main = the persist-7 triple (CIRISConformance#14, merged).
+
+  # ── Publish to PyPI via Trusted Publishing (OIDC) ──────────────────────────
+  publish:
+    name: publish to PyPI
+    needs: [linux, macos, windows, sdist, conformance-gate]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/') || inputs.publish
+    environment: pypi
+    permissions:
+      id-token: write   # OIDC token for Trusted Publishing — no stored secret
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: wheels-*
+          path: dist
+          merge-multiple: true
+      - run: ls -l dist/
+      - name: Publish
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          packages-dir: dist/
+          # Trusted Publishing: no `password:` — the OIDC identity is verified
+          # against the publisher registered on PyPI.

ciris_server-0.1.1/.github/workflows/release.yml

@@ -0,0 +1,207 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+env:
+  CARGO_TERM_COLOR: always
+
+permissions:
+  contents: write
+  id-token: write  # Sigstore keyless signing
+
+# ============================================================================
+# CIRISServer ships the `ciris-server` BINARY (the fabric node) across the full
+# server/embedded matrix — the same platform set the upstream substrate crates
+# (Edge / Persist / Verify / LensCore) build, restricted to targets a headless
+# server actually runs on, plus the two the maintainer requires explicitly:
+# **Windows 7** (the Tier-3 build-std lane) and **ARM32** (armv7 linux — Pi /
+# embedded Reticulum-mesh nodes; de-singletonization includes hardware
+# diversity, M-1).
+#
+# The mobile FFI lanes (Android .aar / iOS .xcframework) are NOT here: a headless
+# server binary does not ship as a mobile library. Those belong to the core
+# LIBRARY crates this binary composes (they build them in their own repos so the
+# AGENT — fabric node + brain — can embed them on mobile).
+#
+# TODO(post-#210): when the binary actually builds (CIRISPersist#210 +
+# CIRISEdge v2.3.0 land the shared-edge-singleton API), port the deeper
+# conformance pipeline from CIRISVerify/.github/workflows/release.yml —
+# function-manifest generation + signed BuildManifest self-attestation +
+# upload to the registry's /v1/verify/build-manifest. The fabric node is part
+# of the conformance fabric; it must attest its own builds.
+# ============================================================================
+
+jobs:
+  build-native:
+    name: Build (${{ matrix.target }})
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            target: x86_64-unknown-linux-gnu
+          - os: ubuntu-latest
+            target: aarch64-unknown-linux-gnu
+            cross: true
+          # ARM32 — Raspberry Pi / embedded mesh nodes.
+          - os: ubuntu-latest
+            target: armv7-unknown-linux-gnueabihf
+            cross: true
+          - os: macos-latest
+            target: x86_64-apple-darwin
+          - os: macos-latest
+            target: aarch64-apple-darwin
+          # Windows 7 → Win11 lane (CIRISVerify#67). `target` stays
+          # x86_64-pc-windows-msvc so the artifact name is stable; `build_target`
+          # is the Tier-3 win7 triple cargo actually compiles (nightly +
+          # build-std keeps std's Win7 syscall fallbacks). panic_abort is in the
+          # build-std crate list because std's build references it (else E0463);
+          # the active panic strategy stays "unwind" via the Cargo.toml profile.
+          - os: windows-latest
+            target: x86_64-pc-windows-msvc
+            build_target: x86_64-win7-windows-msvc
+            toolchain: nightly
+            build_std: "true"
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        if: ${{ matrix.toolchain != 'nightly' }}
+        with:
+          targets: ${{ matrix.target }}
+      - uses: dtolnay/rust-toolchain@nightly
+        if: ${{ matrix.toolchain == 'nightly' }}
+        with:
+          components: rust-src
+
+      - name: Install build deps (Linux native)
+        if: runner.os == 'Linux' && !matrix.cross
+        run: sudo apt-get update && sudo apt-get install -y libtss2-dev libsqlite3-dev
+
+      - uses: Swatinem/rust-cache@v2
+        continue-on-error: true
+        with:
+          cache-bin: false
+          key: release-${{ matrix.build_target || matrix.target }}-${{ github.ref_name }}
+
+      - name: Install cross (retry on timeout)
+        if: matrix.cross
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 10
+          max_attempts: 2
+          retry_wait_seconds: 30
+          retry_on: timeout
+          command: cargo install cross --git https://github.com/cross-rs/cross
+
+      - name: Build (cross)
+        if: matrix.cross
+        run: cross build --release --target ${{ matrix.target }} -p ciris-server
+
+      - name: Build (native)
+        if: ${{ !matrix.cross }}
+        shell: bash
+        run: |
+          TARGET="${{ matrix.build_target || matrix.target }}"
+          if [ "${{ matrix.build_std }}" = "true" ]; then
+            cargo +nightly build --release --target "$TARGET" -Z build-std=std,panic_abort -p ciris-server
+          else
+            cargo build --release --target "$TARGET" -p ciris-server
+          fi
+
+      - name: Stage + strip binary
+        shell: bash
+        run: |
+          TARGET="${{ matrix.build_target || matrix.target }}"
+          EXT=""; [ "${{ runner.os }}" = "Windows" ] && EXT=".exe"
+          BIN="target/$TARGET/release/ciris-server$EXT"
+          mkdir -p stage
+          if [ "${{ runner.os }}" != "Windows" ]; then strip "$BIN" || true; fi
+          cp "$BIN" stage/
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ciris-server-${{ matrix.target }}
+          path: stage/
+          if-no-files-found: error
+
+  # Linux ARM64 musl (Alpine / Home Assistant) — static, via zigbuild.
+  build-musl:
+    name: Build (aarch64 musl)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: aarch64-unknown-linux-musl
+      - uses: Swatinem/rust-cache@v2
+        continue-on-error: true
+        with:
+          cache-bin: false
+          key: release-musl-aarch64-${{ github.ref_name }}
+      - uses: mlugg/setup-zig@v2
+        with:
+          version: 0.13.0
+      - name: Install cargo-zigbuild (retry on timeout)
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 10
+          max_attempts: 2
+          retry_wait_seconds: 30
+          retry_on: timeout
+          command: cargo install cargo-zigbuild
+      - run: cargo zigbuild --release --target aarch64-unknown-linux-musl -p ciris-server
+      - name: Stage + strip
+        run: |
+          BIN=target/aarch64-unknown-linux-musl/release/ciris-server
+          zig objcopy --strip-all "$BIN" "$BIN.stripped" && mv "$BIN.stripped" "$BIN" || true
+          mkdir -p stage && cp "$BIN" stage/
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ciris-server-aarch64-unknown-linux-musl
+          path: stage/
+          if-no-files-found: error
+
+  create-release:
+    name: Create Release
+    needs: [build-native, build-musl]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+      - name: Package + checksum
+        run: |
+          mkdir -p release
+          for dir in artifacts/ciris-server-*; do
+            [ -d "$dir" ] || continue
+            target=$(basename "$dir" | sed 's/ciris-server-//')
+            tar -czvf "release/ciris-server-${{ github.ref_name }}-${target}.tar.gz" -C "$dir" .
+          done
+          cd release && sha256sum *.tar.gz > SHA256SUMS
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Sign artifacts (Sigstore keyless)
+        run: |
+          cd release
+          for f in *.tar.gz SHA256SUMS; do
+            cosign sign-blob --yes --output-signature "$f.sig" --output-certificate "$f.pem" "$f"
+          done
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          files: |
+            release/*.tar.gz
+            release/*.tar.gz.sig
+            release/*.tar.gz.pem
+            release/SHA256SUMS
+            release/SHA256SUMS.sig
+            release/SHA256SUMS.pem
+          generate_release_notes: true
+          prerelease: ${{ contains(github.ref_name, '-rc') || contains(github.ref_name, '-spec') || contains(github.ref_name, '-beta') }}

ciris_server-0.1.1/.gitignore

@@ -0,0 +1,6 @@
+/target
+**/*.rs.bk
+Cargo.lock.bak
+.DS_Store
+*.identity
+/keyring

ciris_server-0.1.1/CHANGELOG.md

@@ -0,0 +1,63 @@
+# Changelog
+
+All notable changes to CIRISServer. Format follows [Keep a Changelog](https://keepachangelog.com/);
+this project uses [Semantic Versioning](https://semver.org/). The minor line tracks
+the fabric-node scope (0.1 lens · 0.5 +registry · 1.0 +node), paced by the CIRISAgent train.
+
+## [0.1.1] — 2026-06-15
+
+Release-CI fixes only — **no change to the node**. 0.1.0 was tagged but did not
+publish: `publish-pypi.yml`'s linux wheel built in a manylinux_2_28 (AlmaLinux 8)
+container whose tpm2-tss is 2.3.2, too old for the keyring's `tss-esapi-sys`
+(`tss2-sys not found`), and two lint gates failed.
+
+### Fixed
+- **Linux wheels** now build on the native runners (ubuntu-latest + ubuntu-24.04-arm)
+  with apt `libtss2-dev` + `patchelf` — the same recipe the green conformance
+  wheel job and the sister wheels (persist `manylinux_2_38`, edge `_2_39`) use —
+  instead of the el8 container with its stale tss2.
+- `rustfmt` (bench formatting) and `clippy` doc-list lints in
+  `benches/pqc_av_streaming.rs` (allow the two stylized-doc lints).
+
+## [0.1.0] — 2026-06-15
+
+First release. **Lens-only fabric node** — the federation's headless cohabitation
+runtime with only the observation slice live. Replaces both the deployed CIRISLens
+server and the agent's direct `ciris-lens-core` cohabitation.
+
+### Added
+- **Zero-setup node** (`ciris-server`): one shared persist `Engine` + one shared
+  Reticulum `Edge` (a single federation identity), mode defaults to `server`,
+  no wizard. Data under `$CIRIS_HOME`; SQLite corpus by default, Postgres via
+  `CIRIS_DB_URL`.
+- **Lens slice**: relay ingest of CEG `AccordEventsBatch` (over Reticulum/HTTP)
+  into the shared corpus, plus the seven frozen `GET /lens/api/v1/*` read
+  endpoints. `ciris-lens-core` is absorbed in-tree (workspace member); the
+  standalone CIRISLensCore library and the CIRISLens deployment retire.
+- **Hardware key custody**, two classes: the RNS transport identity and the
+  Ed25519 federation seed are TPM / Secure-Enclave / StrongBox sealed, with a
+  software-encrypted fallback. Existing keys are **adopted byte-identically** —
+  a CIRISLens host keeps its `key_id` and RNS destination on cutover (no re-key,
+  no re-enroll). See `FSD/LENS_TO_SERVER_MIGRATION.md`.
+- **Reticulum floor with capability gating**: always a routable RET node; the
+  lens corpus + read API gate on a realistic free-disk minimum
+  (`CIRIS_SERVER_LENS_STORE_MIN_GIB`), else the node runs as a relay.
+- **`ciris-canonical` founder-quorum** (`src/quorum.rs`): the entrenched 2-of-3
+  trust root that replaces the shared steward key (prep for the 0.5 registry
+  fold; CEG §8.1.13.1.1).
+- **PyO3 abi3 wheel**: `pip install ciris-server` → the `ciris-server` command,
+  and the lens drop-in `from ciris_server import LensClient` for CIRISAgent.
+- **Conformance + benchmarks**: cohabitation + CEG-profile gating via
+  CIRISConformance; `benches/pqc_av_streaming.rs` (realtime-A/V two-layer
+  hybrid-PQC mesh) and `tests/replication.rs` (CEG-RC5 corpus replication spine).
+
+### Substrate
+- persist **v7.0.0** · edge **v3.6.0** · verify-family **v5.6.0**
+  (verify-core + keyring + crypto). CEG **1.0-RC6**.
+
+### Notes
+- Registry (0.5) and node (1.0) slices are scaffolded in `src/compose.rs` and
+  fold in as their co-bumps land. Registry-fold prep: `FSD/REGISTRY_FOLD_DERISK.md`,
+  [#2](https://github.com/CIRISAI/CIRISServer/issues/2).
+
+[0.1.0]: https://github.com/CIRISAI/CIRISServer/releases/tag/v0.1.0