Skip to content

Initial release — Sprout Nostr relay with enterprise extensions#2

Merged
tlongwell-block merged 5 commits into
mainfrom
oss
Mar 9, 2026
Merged

Initial release — Sprout Nostr relay with enterprise extensions#2
tlongwell-block merged 5 commits into
mainfrom
oss

Conversation

@tlongwell-block

Copy link
Copy Markdown
Collaborator

All-Rust Nostr relay with structured channels, YAML-as-code workflows, MCP agent interface, tamper-evident audit log, and permission-aware full-text search.

13 crates: sprout-core, sprout-relay, sprout-db, sprout-auth, sprout-pubsub, sprout-search, sprout-audit, sprout-mcp, sprout-workflow, sprout-proxy, sprout-huddle, sprout-admin, sprout-test-client.

394 unit tests, 42 E2E integration tests, 16 MCP tools. Apache-2.0 licensed.

All-Rust Nostr relay with structured channels, YAML-as-code workflows,
MCP agent interface, tamper-evident audit log, and permission-aware
full-text search.

13 crates: sprout-core, sprout-relay, sprout-db, sprout-auth, sprout-pubsub,
sprout-search, sprout-audit, sprout-mcp, sprout-workflow, sprout-proxy,
sprout-huddle, sprout-admin, sprout-test-client.

394 unit tests, 42 E2E integration tests, 16 MCP tools.
Apache-2.0 licensed.
Comment thread .github/workflows/ci.yml Fixed
Comment thread .github/workflows/ci.yml Fixed
…ing licenses

- Remove deprecated 'vulnerability', 'unmaintained', 'yanked' fields from [advisories]
- Remove deprecated 'unlicensed' field from [licenses]
- Use structured ignore entries with reasons for advisory ignores
- Add CC0-1.0, CDLA-Permissive-2.0, MITNFA to license allow list
  (Bitcoin/Nostr ecosystem permissive licenses)
- Set wildcards = 'allow' (workspace crates use * for inter-crate deps)
- Add [licenses.private] ignore = true for unpublished workspace crates

All four cargo-deny checks pass: advisories ok, bans ok, licenses ok, sources ok
@tlongwell-block tlongwell-block merged commit 058c4b9 into main Mar 9, 2026
4 checks passed
@tlongwell-block tlongwell-block deleted the oss branch March 9, 2026 19:15
tlongwell-block added a commit that referenced this pull request Mar 16, 2026
Crossfire round 1: codex 4/10, opus 8/10. All critical issues fixed:

Security (critical):
- Force channel_id=None for kind:1059 gift wraps — prevents channel-scoped
  storage that would bypass #p AUTH-gating (codex finding #1)

Correctness:
- NIP-50 pagination loop — keep fetching Typesense pages until limit met
  or result set exhausted, capped at MAX_SEARCH_PAGES=5 (codex finding #2)
- Push authors/since/until to Typesense filter_by — post-filtering is now
  a correction step, not the primary filter (codex + opus suggestion)
- NIP-10 root tag validation — reject events where client-supplied root
  diverges from server-resolved ancestry (codex finding #3)

Clarity:
- Consolidate #p gating into single P_GATED_KINDS check (opus suggestion #7)
- filter.clone() → std::slice::from_ref(filter) (opus suggestion #1)
- Remove no-op get_events_by_ids test, add debug_assert (opus #3, #5)
tlongwell-block added a commit that referenced this pull request Apr 11, 2026
- #2: Document display_name reverse-lookup fragility in agents.rs
  with TODO for long-term fix (store internal name on PersonaRecord)
- #3: Add on_message to ResolvedHooks so it's not silently dropped
  during resolution
- #4: Fix misleading comment on ResolvedPack.description (was 'use
  pack name as fallback', now 'not yet wired')

156 crate tests pass, desktop compiles clean.
tlongwell-block added a commit that referenced this pull request May 8, 2026
When any tool call returns an error, append a short reflection prompt
to the result text before it enters history:

  [Reflect] Diagnose the error above before retrying.
  What went wrong? Why? What will you do differently?

This forces the LLM to analyze the failure before blindly repeating
the same failing command — the #2 cause of wasted rounds on benchmarks
after doom loops. Three lines of code, zero new modules.

Inspired by ForgeCode's 'forge-partial-tool-error-reflection.md' template
which requires structured reflection after every tool failure.
tlongwell-block pushed a commit that referenced this pull request May 13, 2026
…alse, idempotent legacy cleanup

Addresses Sami + Quinn reviewer-hat catches on the initial PR commit and a
P3 finding from codex review.

Changes
-------
1. Sidecar MODEL_LICENSE.txt wording: replace 'Used unmodified by Sprout'
   with Quinn's framing that distinguishes sherpa-onnx's PyTorch→ONNX/int8
   conversion (a CC-BY-4.0 §3(a)(1)(b) modification) from Sprout's verbatim
   shipping of that conversion. Same five §3(a)(1) bullets, no internal
   contradiction. Sami concurred on-thread.
2. `STT_NUM_THREADS` promoted to a named const at the top of stt.rs with a
   comment explaining the hold-at-1 rationale and pointing at the planned
   A/B follow-up. Easier to find and flip than a hardcoded literal.
3. `OfflineRecognizerConfig::model_config.debug = false` set explicitly.
   Defaults aren't part of the API contract, and per-VAD-chunk debug
   logging would be expensive in release builds.
4. Best-effort cleanup of the legacy `~/.sprout/models/moonshine-tiny/`
   directory (~70 MB). Reclaims disk space silently on upgrade.

   Codex caught a real edge case in the first sketch: a user who already
   had the new manifest-v2 Parakeet model installed (e.g. from an earlier
   pre-merge build) would short-circuit out of `start_stt_download`'s
   `is_ready` fast path and never trigger the cleanup. The fix factors
   the cleanup into a free `cleanup_legacy_moonshine_dir` helper and
   schedules it as a detached task from `start_stt_download` on every
   call — idempotent (no-op if dir absent), runs once per app launch
   regardless of whether a fresh download happens. Same helper still
   runs from the post-install success path.

Verification: cargo check + fmt + clippy + 66/66 huddle tests + file-size
check (bumped models.rs budget 850→900 with a descriptive-comment update;
net source growth is real and documented in the diff). codex review on
the uncommitted diff: 'No correctness issues were found.'

Notes on the other review points (no code change needed)
-------------------------------------------------------
- Quinn #1 (manifest v1→v2 upgrade): the new code has no path that
  resolves `moonshine-tiny/` anymore (the dir name was renamed, not just
  the version bumped), and `is_ready()` requires both manifest match and
  every expected file present — half-installs already fail closed.
- Quinn #2 (JSON field rename leakage): grep across the whole tree
  confirms `'moonshine'` and `moonshine-tiny` appear only in `models.rs`
  source comments. The `VoiceModelStatus.stt` field is a Tauri-invoke
  IPC type consumed only by HuddleBar.tsx at render time — not persisted
  in settings, electron-store, telemetry, or any other survives-restart
  surface. The rename is purely in-memory.
tlongwell-block added a commit that referenced this pull request May 14, 2026
Adds a Settings → Agent Provider panel to the desktop GUI for configuring
the `sprout-agent` provider, model, API key, and behavior knobs. Settings
are encrypted at rest with NIP-44 self-encryption (the user's own nostr
key) and injected into the sprout-agent child's env at spawn time. The
panel also gains automatic provider-URL detection based on the API key
format the user pastes.

## Backend (`desktop/src-tauri/src/commands/agent_provider_settings/`)

- `mod.rs` — IPC types + plaintext `StoredSettings` (Drop zeroizes
  `api_key`; no Debug derive on input/stored). v2 envelope binds the
  plaintext to its owner pubkey for rollback / envelope-swap protection.
- `storage.rs` — envelope read/write, NIP-44 encrypt/decrypt with
  `Zeroizing<String>` for plaintext, atomic-rename writes, file-size
  cap, `normalize_origin` (rejects non-loopback `http://`, userinfo,
  query, fragment), `validate_input` (provider whitelist, control-char
  rejection, size caps for key/model/base_url/system_prompt, positive-
  int knobs). `validate_stored` mirrors the same rules on the decrypted
  blob at spawn time — fails closed on a rolled-back pre-validation
  envelope so a redirected `http://api.example.com/v1` cannot escape.
- `commands.rs` — `get_*`, `save_*`, `delete_*`, `get_*_env_presence`
  Tauri commands. The save command trims whitespace + zeroes the input
  api_key before validation can early-return.
- `spawn.rs` — `LoadForSpawn` enum + `EnvPairs` newtype whose Drop
  zeroizes every value buffer. `apply_to_command` hands each env pair
  to `Command::env` by reference, zeroizing the local buffer after.
  Spawn policy: Ok → strip OWNED_AGENT_ENV_VARS + ACP-level vars then
  inject; None → no-op; IdentityMismatch / Error → fail closed (strip
  inherited owned vars, inject nothing).
- `tests.rs` — round-trip envelope I/O, identity-rotation, save-time
  validation (oversized prompt, zero timeouts, tiny history bytes,
  unknown provider, control chars, oversized fields, api-key whitespace
  trim, owner_pubkey v2), `apply_to_command` × `LoadForSpawn` matrix
  (Ok/None/IdentityMismatch-fails-closed/Error-fails-closed, openai
  dialect), `stored_to_env_pairs` for each dialect, R7 `validate_stored`
  coverage (non-loopback http, control chars in key/model/base_url,
  userinfo/query in base_url, unknown provider, oversized prompt,
  empty-key + loopback local accepted).

## Runtime integration (`desktop/src-tauri/src/managed_agents/runtime.rs`)

- `build_agent_command` calls `agent_provider_settings::apply_to_command`
  exactly when the harness is `sprout-agent`. ACP-level vars
  (SPROUT_AGENT_PROVIDER etc.) are stripped from inherited parent env
  before injection so a stale shell `ANTHROPIC_API_KEY` never shadows
  saved settings. `respond-to` gate env (`SPROUT_ACP_RESPOND_TO[_ALLOWLIST]`)
  threads through with the new `owner_hex: Option<&str>` parameter
  (origin/main merge).

## Frontend

- `lib/detectProvider.ts` — pure key-format detector. Recognizes
  Anthropic, OpenAI (legacy/proj/svcacct via fixed infix), OpenRouter,
  Groq, xAI, Cerebras, Together, Perplexity, Fireworks (medium), bare
  sk- → DeepSeek (low + ambiguity-aware), plus localhost/127.0.0.1
  patterns for Ollama / vLLM / llama.cpp. Includes ADMIN_ONLY_PROVIDER_ID
  sentinel for `sk-ant-admin01-` which we explicitly refuse to save.
  Key format wins over a prefilled default base URL; an explicit non-
  default base URL wins back for medium-confidence keys (e.g. Fireworks
  + api.openai.com host). Fixture strings construct the OpenAI infix
  via concat so GitHub's secret scanner doesn't regex-match an inline
  OpenAI-shaped service-account/project key (`detectProvider.test.mjs`,
  `settings-agent-provider.spec.ts`).
- `lib/providerCatalog.ts` — declarative catalog (id, label, dialect,
  isLocal, default model + base URL, key-shape hint). Drives the
  picker, the auto-fill on detection, the local-provider placeholder
  enforcement, and the per-provider model field default.
- `lib/agentProviderFormState.ts` — FormState shape + reducers.
  `applyProviderSwitch` is the single source of truth for what gets
  reset on a provider change (model when empty or still previous
  default; baseUrl when new provider has a default OR user hasn't
  edited it; clears previous default host for null-default providers;
  drops apiKey on switch TO a local provider). Used by both the
  manual picker and the auto-detect effect so the policy can't drift.
- `lib/agentProviderSettingsApi.ts` + `hooks/useAgentProviderSettings.ts`
  — typed IPC wrappers + React-Query hooks (load / save / delete /
  envPresence).
- `ui/AgentProviderSettingsCard.tsx` — the panel itself. Empty state
  with shell-env hint, identity-rotation banner, load-error banner,
  detected-provider badge, reveal/hide toggle, advanced section,
  inline provider-change warning, confirm-clear dialog. On save success
  the plaintext is wiped from form state + reveal toggles off,
  independent of any React-Query refresh effect (covers the structural-
  sharing identical-redacted-view edge case).
- `ui/AgentProviderAdvancedFields.tsx`, `AgentProviderBanners.tsx`,
  `AgentProviderClearDialog.tsx` — split components.

## Per-agent dialog (sprout-agent special case)

- `agents/ui/CreateAgentDialogSections.tsx` — Model + System prompt
  inputs are hidden for sprout-agent paths (those are owned globally).
  A note line points users to Settings → Agent Provider.
- `agents/ui/EditAgentDialog.tsx` — passes `selectedProviderId="custom"`
  to the shared runtime fields so the agent-command input stays
  editable for existing rows; the system-prompt hide still resolves
  via `isSproutAgentPath`'s `agentCommand` arm.
- `agents/ui/ManagedAgentRow.tsx` — "Model managed by Sprout settings"
  link is a span with role="button" + stopPropagation (was a nested
  `<button>` inside the row button — both invalid HTML and double-
  triggering).
- `agents/lib/resolveAcpProviderId.ts` — TS / Rust alignment for
  inline-args resolution (Rust `known_acp_provider` strips args; TS
  now matches).

## Tests

- Rust: 328 tests passing (R7 added 7; full agent_provider_settings
  suite at 44/44).
- TS / node-test: 55 cases for the form-state reducer + provider
  detector.
- Playwright integration: 12 settings-agent-provider scenarios (empty
  state + detection + save round-trip, identity-rotation banner,
  provider-change-warning, key-format-beats-prefilled-baseUrl, load-
  error banner, clear flow + Escape cancel, rotation banner a11y,
  local-provider switch with saved key, manual switch reset, detected-
  provider model reset, post-save key-input clear).

## just ci summary

- Rust: 321/321 + 7 new validate_stored tests
- Mobile: 336/336
- Desktop / web: format + biome + file-size + ts-check all green
- Playwright integration agents + settings-agent-provider: 19/19 green

## Codex review history

- Reviews #1, #2, #3, #5, #6 surfaced and fixed: non-loopback HTTP at
  save AND spawn, identity-mismatch fails closed, local-provider key
  leak prevention, inline-args resolver alignment, Zeroize on api_key
  before early-return, no Debug derive, control-char / length caps +
  trim, owner_pubkey v2 envelope, local-provider switch unblock,
  EditAgentDialog command field, model reset on detection switch,
  nested-button fix, `applyProviderSwitch` reducer extraction.
- Review #7 (P2-UI + P2-Rust): clear form.apiKey + revealKey on save
  success; validate decrypted settings at spawn time.
- Review #8: 9/10, no blocking findings.

Signed-off-by: Tyler Longwell <109685178+tlongwell-block@users.noreply.github.com>
Co-authored-by: Dawn <c6237ef84fa537c78dcee78efd2d4e59f728859c7f194da42ac51ededfa0be05@sprout-oss.stage.blox.sqprod.co>
tlongwell-block added a commit that referenced this pull request May 17, 2026
…nses auto-upgrade

Two follow-ups from review on #604.

1. Anthropic startup hardening (Max #1)
   `OPENAI_COMPAT_API` was parsed unconditionally, so a stray bad value
   in an Anthropic-only env broke startup. Parse it only inside the
   `Provider::OpenAi` arm of `Config::from_env`. Anthropic gets a
   placeholder `OpenAiApi::ChatCompletions` it never reads. New tests
   pin the parser behavior without touching process env.

2. One-shot chat→responses auto-upgrade (Max #2, Tyler "automatic
   detection/fallthrough")
   When `OPENAI_COMPAT_API=auto` and the provider replies to a Chat
   Completions request with a body that explicitly names `/v1/responses`
   (or the prose "use the Responses API"), latch a process-wide
   sticky-cached upgrade and re-issue the same request on `/v1/responses`.
   Subsequent calls skip the chat attempt entirely. Pinned values
   (`OPENAI_COMPAT_API=chat`|`responses`) never auto-upgrade.

   Signal matcher (`is_responses_required_error`) is intentionally
   narrow — only matches the literal path `/v1/responses` or specific
   prose phrases, so we don't get fooled by unrelated 4xx bodies.

   New `Config.openai_api_auto: bool` records whether the operator
   resolved-by-auto vs. pinned, so we know when to enable the upgrade.

   `Llm` gains an `AtomicBool` for the sticky upgrade, plus three
   small helpers (`effective_openai_api`, `should_try_auto_upgrade`,
   `latch_responses_upgrade`) so the dispatch reads straight through.

   Logged at WARN once per process: `"openai chat-completions endpoint
   reported that this model requires the Responses API; auto-upgrading
   subsequent OpenAI calls to /v1/responses for the rest of this
   process"`, with the provider error body attached.

Tests:
- 4 new unit tests for `is_responses_required_error` covering the
  Databricks GPT-5.5 signal, OpenAI prose phrasing, and explicit
  non-matches for `invalid_api_key`, generic `unsupported_parameter`,
  and empty body.
- 3 new unit tests for `parse_openai_api` covering unset-defaults-to-auto,
  case-insensitive explicit values with whitespace, and rejected garbage.
- New integration test `tests/openai_auto_upgrade.rs` spawns a fake
  provider that 400s on `/chat/completions` with the Databricks signal
  and 200s on `/responses`. Drives sprout-agent through ACP and asserts
  `stopReason=end_turn` plus chat-hit-once / responses-hit-once.

65 tests pass, 0 fail. clippy `-D warnings` clean. cargo fmt clean.
Live smoke against api.openai.com with gpt-5-mini still 3/3 PASS.

Signed-off-by: Tyler Longwell <109685178+tlongwell-block@users.noreply.github.com>
tlongwell-block added a commit that referenced this pull request May 17, 2026
…nses auto-upgrade

Two follow-ups from review on #604.

1. Anthropic startup hardening (Max #1)
   `OPENAI_COMPAT_API` was parsed unconditionally, so a stray bad value
   in an Anthropic-only env broke startup. Parse it only inside the
   `Provider::OpenAi` arm of `Config::from_env`. Anthropic gets a
   placeholder `OpenAiApi::ChatCompletions` it never reads. New tests
   pin the parser behavior without touching process env.

2. One-shot chat→responses auto-upgrade (Max #2, Tyler "automatic
   detection/fallthrough")
   When `OPENAI_COMPAT_API=auto` and the provider replies to a Chat
   Completions request with a body that explicitly names `/v1/responses`
   (or the prose "use the Responses API"), latch a process-wide
   sticky-cached upgrade and re-issue the same request on `/v1/responses`.
   Subsequent calls skip the chat attempt entirely. Pinned values
   (`OPENAI_COMPAT_API=chat`|`responses`) never auto-upgrade.

   Signal matcher (`is_responses_required_error`) is intentionally
   narrow — only matches the literal path `/v1/responses` or specific
   prose phrases, so we don't get fooled by unrelated 4xx bodies.

   New `Config.openai_api_auto: bool` records whether the operator
   resolved-by-auto vs. pinned, so we know when to enable the upgrade.

   `Llm` gains an `AtomicBool` for the sticky upgrade, plus three
   small helpers (`effective_openai_api`, `should_try_auto_upgrade`,
   `latch_responses_upgrade`) so the dispatch reads straight through.

   Logged at WARN once per process: `"openai chat-completions endpoint
   reported that this model requires the Responses API; auto-upgrading
   subsequent OpenAI calls to /v1/responses for the rest of this
   process"`, with the provider error body attached.

Tests:
- 4 new unit tests for `is_responses_required_error` covering the
  Databricks GPT-5.5 signal, OpenAI prose phrasing, and explicit
  non-matches for `invalid_api_key`, generic `unsupported_parameter`,
  and empty body.
- 3 new unit tests for `parse_openai_api` covering unset-defaults-to-auto,
  case-insensitive explicit values with whitespace, and rejected garbage.
- New integration test `tests/openai_auto_upgrade.rs` spawns a fake
  provider that 400s on `/chat/completions` with the Databricks signal
  and 200s on `/responses`. Drives sprout-agent through ACP and asserts
  `stopReason=end_turn` plus chat-hit-once / responses-hit-once.

65 tests pass, 0 fail. clippy `-D warnings` clean. cargo fmt clean.
Live smoke against api.openai.com with gpt-5-mini still 3/3 PASS.

Signed-off-by: Tyler Longwell <109685178+tlongwell-block@users.noreply.github.com>
tlongwell-block added a commit that referenced this pull request May 19, 2026
… arithmetic

Desktop smoke e2e was failing on the two click-to-select mention paths.
Root cause: `replacePlainTextRange` placed the post-transaction cursor at

  tr.mapping.map(fromPM + text.length)

The argument to `mapping.map` is a *pre-image* (old-doc) position, but
`fromPM + text.length` can be larger than the old doc's size — for a
3-char input replacing a 0-char range with 7 chars, the arithmetic
yields a position 7 past the original end, which ProseMirror rejects
with "Position N out of range". The thrown error bubbled out of the
mention click handler, the transaction never dispatched, and the
editor stayed at "Hey @ali".

The keyboard-Enter path passed only because the surrounding code-path
(`handleEditorKeyDown`) caught the error implicitly — but in fact it
was hitting the same bug; the test just asserted on a state that the
default Enter keymap also reaches.

Fix: map `toPM` (the right end of the replaced range, a valid old-doc
position) through `tr.mapping.map`. That returns the post-transaction
position right after the inserted text — which is what we want, and
is always valid:

  const cursorPM = tr.mapping.map(toPM);

This still satisfies Perci's robustness concern from the original
review (use the transaction's mapping, not raw arithmetic) but uses
the correct pre-image input.

Regression coverage:
  - All 4 existing mentions.spec.ts tests for the click-and-Enter
    selection paths now pass.
  - Added a new regression test for bug #2: type two lines separated
    by Shift+Enter, type "@ali", click "alice" — assert both lines
    survive *and* there's still exactly one `<br>` in the editor.
    This is the literal scenario from the bug report.

Verified locally:
  - smoke suite: 97/97 pass (was 94 + 2 new mentions tests + 1 new
    regression test).
  - node unit tests: 182/182.
  - typecheck + biome + file-size: clean.

Removed the temporary `console.warn` instrumentation I'd added while
diagnosing.
tlongwell-block pushed a commit that referenced this pull request May 22, 2026
Adds crates/sprout-relay/src/api/git/cas_publish.rs — the pure async
function that turns a post-receive-pack workspace into a durable manifest
CAS. Composes Dawn's GitStore primitives (put_pack, put_manifest,
get_pointer, put_pointer) and Dawn's Manifest schema (canonical_bytes,
validate, Inv_Closed at compose time) into the spec's step 2-7 sequence:

  read pointer (e, d_before)            §step 3
  fetch + verify m_before                §step 3 + A1 detectability
  snapshot refs + symref-HEAD from disk (HEAD inherits parent on detach)
  pack new objects via pack-objects --revs    §step 1-2
  put_pack(bytes) -> packs/<sha256>          §step 2 (A1)
  compose m_after (parent packs + new pack, parent = digest only) §step 5
  m_after.validate()                          (Sami/Max/Perci #2-#4)
  put_manifest(canonical_bytes) -> manifests/<sha256>  §step 6
  put_pointer(IfMatch(e) | IfNoneMatchStar)  §step 7 (CAS)
    Won  -> CasSuccess { manifest, manifest_key }
    Lost -> CasError::Conflict { winner_manifest, winner_manifest_key }
            (→ HTTP 409, with winner for disk reconcile)

The function returns *before* a Response is constructed — it is called
from finalize_push, which is the unique site that builds a push 2xx, so
the structural seam still enforces Theorem 1 (success-after-CAS).

## Review fixes folded in

Sami's review (#1#6) + Perci's #1 + Max's pre-CAS-validation blocker
are all addressed in this commit:

- **parent = bare 64-hex digest, not full key** (Perci #1, Max). Pointer
  body is `<digest>`; `Manifest.parent` stores the same digest, matching
  `Inv_RefDerivedFromParent` literally. `read_parent` strips the
  `manifests/` prefix before assigning. Dawn's new `MalformedParent`
  validator catches any drift at the write seam.

- **Pre-CAS validation** (Sami #2, Max). `m_after.validate()?` runs
  between `compose_after` and `put_manifest`. Unsafe refnames, malformed
  oids, empty HEAD — all surface as `CasError::ManifestInvalid(...)`
  (4xx-class) before any S3 write, *not* as "valid CAS, un-clone-able
  output." Typed variant (not reused `ManifestReadFailed`) so logs /
  status mapping distinguish "client input rejected" from "stored parent
  failed A1" (Max + Dawn).

- **Detached-HEAD fallback** (Sami #3). `snapshot_workspace_state`
  returns empty `head` on detached HEAD; `cas_publish` falls back to
  `parent.head` if non-empty. `validate()` rejects the first-push-+-
  detached case (Sami #4 — no parent to inherit from, manifest is
  un-clone-able).

- **Conflict carries the winner** (Sami #5 + Dawn). `Conflict {
  winner_manifest, winner_manifest_key }` lets `finalize_push` invoke
  Eva's `reconcile_to_manifest` mechanically from the error arm, without
  a second pointer GET in the caller. `warn!()` at the `LostRace` site
  logs (pointer, expected etag, attempted manifest) for debugging
  concurrent-push patterns. Boxed for `clippy::result_large_err`.

- **Empty-pack comment** (Sami #6). Clarified `capture_pack` returns
  `None` in both the delete-all (`refs_after.is_empty()`) and refs-only
  (`pack-objects` empty stdout) cases.

- **`pointer_key` consolidated** in `manifest.rs` (Sami #1, Dawn,
  Max — Sami's "single source of truth" argument). `cas_publish`
  imports it; the duplicate definition is gone.

- **`validate-invocation` test added** in `cas_publish.rs` (Sami's
  recommendation). Pins that a future refactor dropping the `validate?`
  call between `compose_after` and `put_manifest` is caught by unit
  test, not by every subsequent un-clone-able read.

## What this deliberately does NOT do (each with citation)

- No retry on LostRace. Per Sami's TLA-action guidance: the receive-pack
  output is derived against a now-superseded parent; reusing it would
  violate Inv_RefDerivedFromParent. Client re-pushes, which re-hydrates
  + re-runs receive-pack against the advanced pointer — the only safe
  retry, which git already performs. Spec §Push step 7: 'GOTO 3 (retry)
  or respond non-ff' — both arms safe; we take non-ff.
- No kind:30618 emission. That is derived after CAS — finalize_push
  calls Sami's build_ref_state_event over m_after.refs / m_after.head
  on Ok. Spec §Implementation Correspondence: 'kind:30618 is derived
  after CAS, never the commit.'
- No advisory lock. Spec §Push 'no advisory lock in v1' — writer
  serialization is the CAS. A mutex would hide the contention Inv_NoFork
  proves safe.

## Tests

10 unit tests pin digest_from_key (manifest/<...> prefix invariant),
compose_after (Inv_Closed coverage, sort, dedupe, refs-only-no-new-pack,
first-push, parent-is-digest-not-key), validate invocation (unsafe
refname + first-push-empty-HEAD both rejected pre-CAS). 244 relay tests
green; clippy --tests -D warnings clean.

The integration into finalize_push lands separately — Eva owns the
AppState::git_store wiring + main.rs startup probe gate. This module
is callable today: cas_publish(&store, repo_path, owner, repo,
&refs_before) -> Result<CasSuccess, CasError>.

Refs:
- docs/git-on-object-storage.md §Push step 2-7, §Implementation
  Correspondence, §Mechanized Verification (Inv_NoFork,
  Inv_RefEffectApplied, Inv_RefDerivedFromParent, Inv_Closed).

Also makes transport::harden_git_env pub(crate) for reuse by
cas_publish's two subprocess sites (for-each-ref, pack-objects).

Co-authored-by: Tyler Longwell <tyler@block.xyz>
tlongwell-block pushed a commit that referenced this pull request May 22, 2026
Adds crates/sprout-relay/src/api/git/cas_publish.rs — the pure async
function that turns a post-receive-pack workspace into a durable manifest
CAS. Composes Dawn's GitStore primitives (put_pack, put_manifest,
get_pointer, put_pointer) and Dawn's Manifest schema (canonical_bytes,
validate, Inv_Closed at compose time) into the spec's step 2-7 sequence:

  read pointer (e, d_before)            §step 3
  fetch + verify m_before                §step 3 + A1 detectability
  snapshot refs + symref-HEAD from disk (HEAD inherits parent on detach)
  pack new objects via pack-objects --revs    §step 1-2
  put_pack(bytes) -> packs/<sha256>          §step 2 (A1)
  compose m_after (parent packs + new pack, parent = digest only) §step 5
  m_after.validate()                          (Sami/Max/Perci #2-#4)
  put_manifest(canonical_bytes) -> manifests/<sha256>  §step 6
  put_pointer(IfMatch(e) | IfNoneMatchStar)  §step 7 (CAS)
    Won  -> CasSuccess { manifest, manifest_key }
    Lost -> CasError::Conflict { winner_manifest, winner_manifest_key }
            (→ HTTP 409, with winner for disk reconcile)

The function returns *before* a Response is constructed — it is called
from finalize_push, which is the unique site that builds a push 2xx, so
the structural seam still enforces Theorem 1 (success-after-CAS).

## Review fixes folded in

Sami's review (#1#6) + Perci's #1 + Max's pre-CAS-validation blocker
are all addressed in this commit:

- **parent = bare 64-hex digest, not full key** (Perci #1, Max). Pointer
  body is `<digest>`; `Manifest.parent` stores the same digest, matching
  `Inv_RefDerivedFromParent` literally. `read_parent` strips the
  `manifests/` prefix before assigning. Dawn's new `MalformedParent`
  validator catches any drift at the write seam.

- **Pre-CAS validation** (Sami #2, Max). `m_after.validate()?` runs
  between `compose_after` and `put_manifest`. Unsafe refnames, malformed
  oids, empty HEAD — all surface as `CasError::ManifestInvalid(...)`
  (4xx-class) before any S3 write, *not* as "valid CAS, un-clone-able
  output." Typed variant (not reused `ManifestReadFailed`) so logs /
  status mapping distinguish "client input rejected" from "stored parent
  failed A1" (Max + Dawn).

- **Detached-HEAD fallback** (Sami #3). `snapshot_workspace_state`
  returns empty `head` on detached HEAD; `cas_publish` falls back to
  `parent.head` if non-empty. `validate()` rejects the first-push-+-
  detached case (Sami #4 — no parent to inherit from, manifest is
  un-clone-able).

- **Conflict carries the winner** (Sami #5 + Dawn). `Conflict {
  winner_manifest, winner_manifest_key }` lets `finalize_push` invoke
  Eva's `reconcile_to_manifest` mechanically from the error arm, without
  a second pointer GET in the caller. `warn!()` at the `LostRace` site
  logs (pointer, expected etag, attempted manifest) for debugging
  concurrent-push patterns. Boxed for `clippy::result_large_err`.

- **Empty-pack comment** (Sami #6). Clarified `capture_pack` returns
  `None` in both the delete-all (`refs_after.is_empty()`) and refs-only
  (`pack-objects` empty stdout) cases.

- **`pointer_key` consolidated** in `manifest.rs` (Sami #1, Dawn,
  Max — Sami's "single source of truth" argument). `cas_publish`
  imports it; the duplicate definition is gone.

- **`validate-invocation` test added** in `cas_publish.rs` (Sami's
  recommendation). Pins that a future refactor dropping the `validate?`
  call between `compose_after` and `put_manifest` is caught by unit
  test, not by every subsequent un-clone-able read.

## What this deliberately does NOT do (each with citation)

- No retry on LostRace. Per Sami's TLA-action guidance: the receive-pack
  output is derived against a now-superseded parent; reusing it would
  violate Inv_RefDerivedFromParent. Client re-pushes, which re-hydrates
  + re-runs receive-pack against the advanced pointer — the only safe
  retry, which git already performs. Spec §Push step 7: 'GOTO 3 (retry)
  or respond non-ff' — both arms safe; we take non-ff.
- No kind:30618 emission. That is derived after CAS — finalize_push
  calls Sami's build_ref_state_event over m_after.refs / m_after.head
  on Ok. Spec §Implementation Correspondence: 'kind:30618 is derived
  after CAS, never the commit.'
- No advisory lock. Spec §Push 'no advisory lock in v1' — writer
  serialization is the CAS. A mutex would hide the contention Inv_NoFork
  proves safe.

## Tests

10 unit tests pin digest_from_key (manifest/<...> prefix invariant),
compose_after (Inv_Closed coverage, sort, dedupe, refs-only-no-new-pack,
first-push, parent-is-digest-not-key), validate invocation (unsafe
refname + first-push-empty-HEAD both rejected pre-CAS). 244 relay tests
green; clippy --tests -D warnings clean.

The integration into finalize_push lands separately — Eva owns the
AppState::git_store wiring + main.rs startup probe gate. This module
is callable today: cas_publish(&store, repo_path, owner, repo,
&refs_before) -> Result<CasSuccess, CasError>.

Refs:
- docs/git-on-object-storage.md §Push step 2-7, §Implementation
  Correspondence, §Mechanized Verification (Inv_NoFork,
  Inv_RefEffectApplied, Inv_RefDerivedFromParent, Inv_Closed).

Also makes transport::harden_git_env pub(crate) for reuse by
cas_publish's two subprocess sites (for-each-ref, pack-objects).

Co-authored-by: Tyler Longwell <tyler@block.xyz>
wpfleger96 added a commit that referenced this pull request May 22, 2026
…iew findings

The original implementation created a second parallel Tauri command
(discover_all_acp_providers) alongside the existing one to avoid
changing the return type. This produced two commands, two hooks, two
query keys, and two raw type converters. Consolidates into a single
command returning the full catalog, with a useAvailableAcpProviders
hook that type-narrows for callers needing non-null command/binaryPath.

Also fixes: pipe deadlock in install command (#1), UTF-8 truncation
panic (#2/#4), adds install concurrency guard (#11), exact provider ID
match (#15), error display stdout fallback (#5), success banner
suppression when already available (#12), misleading re-run text (#13),
IIFE refactor in PersonaDialog (#14), hidden internal query lift (#7),
configurable e2e mocks (#9), shared raw type exports (#8), and
classify_provider unit tests (#10).
tlongwell-block pushed a commit that referenced this pull request May 22, 2026
The architectural split Eva's live e2e caught: 30617 created the on-disk
bare repo but no S3 pointer, while the read path (info_refs/upload_pack)
now hydrates from the pointer. Pointer-absent ⇒ Ok(None) ⇒ 404 by Max's
intentional fail-closed, so announce-then-clone returned 404 for every
freshly-announced repo.

Fix: establish the invariant "repo announced ⟺ pointer exists" by
seeding an empty-manifest pointer at the end of `handle_git_repo_
announcement`. After seed:

- `info_refs` stays strictly fail-closed: pointer-absent means
  never-announced, not "announced but no pushes." Max's blocker
  preserved exactly.
- `live_hydrate_empty_repo` proves clone of an empty hydrated repo works.
- First push CASes the seeded pointer via `IfMatch(etag)`, no
  special-case branch. The `IfNoneMatchStar` arm of `cas_publish`
  becomes dead code for announced repos.

Two new private helpers in `side_effects.rs`:

- `seed_manifest_pointer(state, owner, repo)` — `put_manifest(empty)` +
  `put_pointer(IfNoneMatchStar)`. **Idempotency is constructive, not
  trusted**: a `CasOutcome::LostRace` is treated as success ONLY if the
  existing pointer body matches the empty manifest's digest. Any other
  value (stale from a prior lifecycle, real misconfiguration) surfaces
  as `anyhow!` — Max's guardrail #1.
- `emit_initial_ref_state(state, owner, repo)` — kind:30618 over the
  seeded empty manifest using Sami's `build_ref_state_event`. Pointer is
  the commit; this event is the derived "repo exists, empty" signal —
  Max's guardrail #2. Non-fatal on failure: manifest is truth, 30618 is
  just notification.

Empty manifests across all repos share canonical bytes (deterministic
serialization by construction) ⟹ same digest ⟹ `put_manifest` is
idempotent at the store level. One blob, many pointers. Pinned by
`empty_manifest_validates` test in manifest.rs with byte-stable canonical
bytes — locks the digest so future serde version bumps don't silently
shift it.

Rollback on seed failure: remove the on-disk repo + the name reservation,
same pattern as hook-install failure. A successful seed but failed emit
leaves the pointer in place (correctly — it's the source of truth).

239/239 relay tests (was 238 + 1 new), clippy + fmt clean.
tlongwell-block added a commit that referenced this pull request May 22, 2026
Adds crates/sprout-relay/src/api/git/cas_publish.rs — the pure async
function that turns a post-receive-pack workspace into a durable manifest
CAS. Composes Dawn's GitStore primitives (put_pack, put_manifest,
get_pointer, put_pointer) and Dawn's Manifest schema (canonical_bytes,
validate, Inv_Closed at compose time) into the spec's step 2-7 sequence:

  read pointer (e, d_before)            §step 3
  fetch + verify m_before                §step 3 + A1 detectability
  snapshot refs + symref-HEAD from disk (HEAD inherits parent on detach)
  pack new objects via pack-objects --revs    §step 1-2
  put_pack(bytes) -> packs/<sha256>          §step 2 (A1)
  compose m_after (parent packs + new pack, parent = digest only) §step 5
  m_after.validate()                          (Sami/Max/Perci #2-#4)
  put_manifest(canonical_bytes) -> manifests/<sha256>  §step 6
  put_pointer(IfMatch(e) | IfNoneMatchStar)  §step 7 (CAS)
    Won  -> CasSuccess { manifest, manifest_key }
    Lost -> CasError::Conflict { winner_manifest, winner_manifest_key }
            (→ HTTP 409, with winner for disk reconcile)

The function returns *before* a Response is constructed — it is called
from finalize_push, which is the unique site that builds a push 2xx, so
the structural seam still enforces Theorem 1 (success-after-CAS).

## Review fixes folded in

Sami's review (#1#6) + Perci's #1 + Max's pre-CAS-validation blocker
are all addressed in this commit:

- **parent = bare 64-hex digest, not full key** (Perci #1, Max). Pointer
  body is `<digest>`; `Manifest.parent` stores the same digest, matching
  `Inv_RefDerivedFromParent` literally. `read_parent` strips the
  `manifests/` prefix before assigning. Dawn's new `MalformedParent`
  validator catches any drift at the write seam.

- **Pre-CAS validation** (Sami #2, Max). `m_after.validate()?` runs
  between `compose_after` and `put_manifest`. Unsafe refnames, malformed
  oids, empty HEAD — all surface as `CasError::ManifestInvalid(...)`
  (4xx-class) before any S3 write, *not* as "valid CAS, un-clone-able
  output." Typed variant (not reused `ManifestReadFailed`) so logs /
  status mapping distinguish "client input rejected" from "stored parent
  failed A1" (Max + Dawn).

- **Detached-HEAD fallback** (Sami #3). `snapshot_workspace_state`
  returns empty `head` on detached HEAD; `cas_publish` falls back to
  `parent.head` if non-empty. `validate()` rejects the first-push-+-
  detached case (Sami #4 — no parent to inherit from, manifest is
  un-clone-able).

- **Conflict carries the winner** (Sami #5 + Dawn). `Conflict {
  winner_manifest, winner_manifest_key }` lets `finalize_push` invoke
  Eva's `reconcile_to_manifest` mechanically from the error arm, without
  a second pointer GET in the caller. `warn!()` at the `LostRace` site
  logs (pointer, expected etag, attempted manifest) for debugging
  concurrent-push patterns. Boxed for `clippy::result_large_err`.

- **Empty-pack comment** (Sami #6). Clarified `capture_pack` returns
  `None` in both the delete-all (`refs_after.is_empty()`) and refs-only
  (`pack-objects` empty stdout) cases.

- **`pointer_key` consolidated** in `manifest.rs` (Sami #1, Dawn,
  Max — Sami's "single source of truth" argument). `cas_publish`
  imports it; the duplicate definition is gone.

- **`validate-invocation` test added** in `cas_publish.rs` (Sami's
  recommendation). Pins that a future refactor dropping the `validate?`
  call between `compose_after` and `put_manifest` is caught by unit
  test, not by every subsequent un-clone-able read.

## What this deliberately does NOT do (each with citation)

- No retry on LostRace. Per Sami's TLA-action guidance: the receive-pack
  output is derived against a now-superseded parent; reusing it would
  violate Inv_RefDerivedFromParent. Client re-pushes, which re-hydrates
  + re-runs receive-pack against the advanced pointer — the only safe
  retry, which git already performs. Spec §Push step 7: 'GOTO 3 (retry)
  or respond non-ff' — both arms safe; we take non-ff.
- No kind:30618 emission. That is derived after CAS — finalize_push
  calls Sami's build_ref_state_event over m_after.refs / m_after.head
  on Ok. Spec §Implementation Correspondence: 'kind:30618 is derived
  after CAS, never the commit.'
- No advisory lock. Spec §Push 'no advisory lock in v1' — writer
  serialization is the CAS. A mutex would hide the contention Inv_NoFork
  proves safe.

## Tests

10 unit tests pin digest_from_key (manifest/<...> prefix invariant),
compose_after (Inv_Closed coverage, sort, dedupe, refs-only-no-new-pack,
first-push, parent-is-digest-not-key), validate invocation (unsafe
refname + first-push-empty-HEAD both rejected pre-CAS). 244 relay tests
green; clippy --tests -D warnings clean.

The integration into finalize_push lands separately — Eva owns the
AppState::git_store wiring + main.rs startup probe gate. This module
is callable today: cas_publish(&store, repo_path, owner, repo,
&refs_before) -> Result<CasSuccess, CasError>.

Refs:
- docs/git-on-object-storage.md §Push step 2-7, §Implementation
  Correspondence, §Mechanized Verification (Inv_NoFork,
  Inv_RefEffectApplied, Inv_RefDerivedFromParent, Inv_Closed).

Also makes transport::harden_git_env pub(crate) for reuse by
cas_publish's two subprocess sites (for-each-ref, pack-objects).

Co-authored-by: Tyler Longwell <tyler@block.xyz>

Co-authored-by: Quinn <quinn@users.noreply.sprout>
Signed-off-by: tlongwell-block <109685178+tlongwell-block@users.noreply.github.com>
tlongwell-block added a commit that referenced this pull request May 22, 2026
The architectural split Eva's live e2e caught: 30617 created the on-disk
bare repo but no S3 pointer, while the read path (info_refs/upload_pack)
now hydrates from the pointer. Pointer-absent ⇒ Ok(None) ⇒ 404 by Max's
intentional fail-closed, so announce-then-clone returned 404 for every
freshly-announced repo.

Fix: establish the invariant "repo announced ⟺ pointer exists" by
seeding an empty-manifest pointer at the end of `handle_git_repo_
announcement`. After seed:

- `info_refs` stays strictly fail-closed: pointer-absent means
  never-announced, not "announced but no pushes." Max's blocker
  preserved exactly.
- `live_hydrate_empty_repo` proves clone of an empty hydrated repo works.
- First push CASes the seeded pointer via `IfMatch(etag)`, no
  special-case branch. The `IfNoneMatchStar` arm of `cas_publish`
  becomes dead code for announced repos.

Two new private helpers in `side_effects.rs`:

- `seed_manifest_pointer(state, owner, repo)` — `put_manifest(empty)` +
  `put_pointer(IfNoneMatchStar)`. **Idempotency is constructive, not
  trusted**: a `CasOutcome::LostRace` is treated as success ONLY if the
  existing pointer body matches the empty manifest's digest. Any other
  value (stale from a prior lifecycle, real misconfiguration) surfaces
  as `anyhow!` — Max's guardrail #1.
- `emit_initial_ref_state(state, owner, repo)` — kind:30618 over the
  seeded empty manifest using Sami's `build_ref_state_event`. Pointer is
  the commit; this event is the derived "repo exists, empty" signal —
  Max's guardrail #2. Non-fatal on failure: manifest is truth, 30618 is
  just notification.

Empty manifests across all repos share canonical bytes (deterministic
serialization by construction) ⟹ same digest ⟹ `put_manifest` is
idempotent at the store level. One blob, many pointers. Pinned by
`empty_manifest_validates` test in manifest.rs with byte-stable canonical
bytes — locks the digest so future serde version bumps don't silently
shift it.

Rollback on seed failure: remove the on-disk repo + the name reservation,
same pattern as hook-install failure. A successful seed but failed emit
leaves the pointer in place (correctly — it's the source of truth).

239/239 relay tests (was 238 + 1 new), clippy + fmt clean.

Co-authored-by: Dawn <c6237ef84fa537c78dcee78efd2d4e59f728859c7f194da42ac51ededfa0be05@users.noreply.sprout>
Signed-off-by: tlongwell-block <109685178+tlongwell-block@users.noreply.github.com>
wpfleger96 added a commit that referenced this pull request May 22, 2026
…iew findings

The original implementation created a second parallel Tauri command
(discover_all_acp_providers) alongside the existing one to avoid
changing the return type. This produced two commands, two hooks, two
query keys, and two raw type converters. Consolidates into a single
command returning the full catalog, with a useAvailableAcpProviders
hook that type-narrows for callers needing non-null command/binaryPath.

Also fixes: pipe deadlock in install command (#1), UTF-8 truncation
panic (#2/#4), adds install concurrency guard (#11), exact provider ID
match (#15), error display stdout fallback (#5), success banner
suppression when already available (#12), misleading re-run text (#13),
IIFE refactor in PersonaDialog (#14), hidden internal query lift (#7),
configurable e2e mocks (#9), shared raw type exports (#8), and
classify_provider unit tests (#10).
wpfleger96 added a commit that referenced this pull request May 22, 2026
…iew findings

The original implementation created a second parallel Tauri command
(discover_all_acp_providers) alongside the existing one to avoid
changing the return type. This produced two commands, two hooks, two
query keys, and two raw type converters. Consolidates into a single
command returning the full catalog, with a useAvailableAcpProviders
hook that type-narrows for callers needing non-null command/binaryPath.

Also fixes: pipe deadlock in install command (#1), UTF-8 truncation
panic (#2/#4), adds install concurrency guard (#11), exact provider ID
match (#15), error display stdout fallback (#5), success banner
suppression when already available (#12), misleading re-run text (#13),
IIFE refactor in PersonaDialog (#14), hidden internal query lift (#7),
configurable e2e mocks (#9), shared raw type exports (#8), and
classify_provider unit tests (#10).
wpfleger96 added a commit that referenced this pull request Jun 17, 2026
Several spawn, teardown, and shim paths were #[cfg(unix)]-only and silently
no-op (or returned a falsey stub) on Windows, breaking the desktop build four
ways. All four are in the same Windows-portability theme.

#2/#4 (MCP PermissionDenied on C:\Windows): buzz-agent spawns the MCP with
env_clear() then re-adds only an allowlist that omitted the Windows temp/profile
vars. Stripped of TMP/TEMP/USERPROFILE, std::env::temp_dir() falls back to
C:\Windows and Shim::install() can't write there. Pass the Windows vars through
(cfg-gated). The shim itself had two more Unix-isms in the same install path:
the PATH separator was hardcoded ':' (now std::env::join_paths) and the
non-unix multicall copies dropped the .exe extension PATHEXT needs to exec them.
Multicall dispatch now matches on file_stem() so the .exe copies route correctly.

#1 (stray console + orphaned process tree): the buzz-acp child spawned with no
CREATE_NO_WINDOW (console popped) and the non-unix stop path was Child::kill(),
which kills only the harness and orphans the 24 workers + MCP servers. A Win32
Job Object with JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE now owns the tree and reaps
it when the handle drops — the Windows mirror of the Unix process-group
teardown. The after-restart path (PID only, no handle) falls back to taskkill /T.
The Windows primitives live in a new process_lifecycle module.

#4 (program not found): the create-path default agent command was the bare
`goose`, not on PATH on a stock Windows install. It now catalog-resolves the
bundled `buzz-agent`, the same shape mesh_llm::preset already uses.

#3 (updater silently does nothing): when the updater plugin is unavailable the
hook collapsed to `idle`, re-rendering the same button — indistinguishable from
a no-op. It now sets a visible `unavailable` state and warns to the log so the
firing branch is diagnosable on Will's Windows build.

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
tellaho added a commit that referenced this pull request Jun 24, 2026
… misleading prop

Rust auth-branch test (#2 follow-up): extracted the declared-owner predicate from get_agent_memory into a pure kind0_declares_viewer_owner() and added 5 unit tests driving a verified kind:0 owner declaration through it (opens for verified owner, case-insensitive, refuses non-owner / no-auth-tag / missing kind:0). Uses the same verify_auth_tag crypto path as the live gate; behavior-identical to the inlined block.

Sidebar fixture (#3 follow-up): seeded nadia, a relay-classified bot owned by the mock viewer but with no local managed record, plus a Playwright assertion that the members sidebar exposes view-activity for her. This exercises the declared-owner gate-open path that mira never reached (she was never bot-classified).

Naming rename (#2 follow-up): MemoryFocusedView's prop was named isOwner but fed the combined viewerIsOwner; renamed for honesty, value unchanged.

Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
tellaho added a commit that referenced this pull request Jun 24, 2026
…misleading prop

Rust auth-branch test (#2 follow-up): extracted the declared-owner predicate from get_agent_memory into a pure kind0_declares_viewer_owner() and added 5 unit tests driving a verified kind:0 owner declaration through it (opens for verified owner, case-insensitive, refuses non-owner / no-auth-tag / missing kind:0). Uses the same verify_auth_tag crypto path as the live gate; behavior-identical to the inlined block.

Sidebar fixture (#3 follow-up): seeded nadia, a relay-classified bot owned by the mock viewer but with no local managed record, plus a Playwright assertion that the members sidebar exposes view-activity for her. This exercises the declared-owner gate-open path that mira never reached (she was never bot-classified).

Naming rename (#2 follow-up): MemoryFocusedView's prop was named isOwner but fed the combined viewerIsOwner; renamed for honesty, value unchanged.

Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
tellaho added a commit that referenced this pull request Jun 24, 2026
…misleading prop

Rust auth-branch test (#2 follow-up): extracted the declared-owner predicate from get_agent_memory into a pure kind0_declares_viewer_owner() and added 5 unit tests driving a verified kind:0 owner declaration through it (opens for verified owner, case-insensitive, refuses non-owner / no-auth-tag / missing kind:0). Uses the same verify_auth_tag crypto path as the live gate; behavior-identical to the inlined block.

Sidebar fixture (#3 follow-up): seeded nadia, a relay-classified bot owned by the mock viewer but with no local managed record, plus a Playwright assertion that the members sidebar exposes view-activity for her. This exercises the declared-owner gate-open path that mira never reached (she was never bot-classified).

Naming rename (#2 follow-up): MemoryFocusedView's prop was named isOwner but fed the combined viewerIsOwner; renamed for honesty, value unchanged.

Co-authored-by: Taylor Ho <taylorkmho@gmail.com>
Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
tlongwell-block pushed a commit that referenced this pull request Jun 25, 2026
…n REQ/COUNT

A REQ or COUNT targeting a specific channel gates on `accessible_channels`,
a per-request Vec built once from the 10s membership cache. On a multi-pod
relay this Vec can be stale on a non-writer pod: a member just added on the
pod that processed the write sees a cache-negative until the TTL expires or
the cross-pod invalidation (commit #2) lands. That manifested as the
create-channel readback coming back empty and agents not subscribed to
rooms they were just added to.

On a cache-negative, confirm membership against the DB uncached. On a
verified positive, repair the request-local Vec by pushing `ch_id` once,
via the pure helper `resolve_request_local_access`. The same Vec gates
subscription registration, historical delivery, search scope, and COUNT —
repairing it once makes all of them see the confirmed membership, not just
the denial branch. A stale negative can no longer stay sticky for the rest
of the request.

The repair runs UP FRONT in req.rs, right after the subscription channel_id
is extracted and before the NIP-50 search early-return — not in a late
denial branch. A search scoped to `#h=<just-added>` would otherwise be
scoped against the stale vector and false-miss; running the repair first
means `handle_search_req` sees the repaired vector too.

The helper takes a `token_allows` upper bound so a DB-positive can never
push a channel back in past a narrower scoped token: a token scoped to
channel A must not reach channel B merely because the user is a DB member
of B. Both call sites compute it from the token's `channel_ids`.

- req.rs: `resolve_request_local_access(&mut Vec, ch_id, token_allows, Option<bool>)`
  encodes the truth table (token-denies → denied no DB; cache-hit → allowed
  no DB; miss+DB-true → allowed & pushed; miss+DB-false → denied &
  unchanged) with unit tests for all four. The handler does the async
  `db.is_member` lookup only on a token-allowed miss.
- count.rs: mirrors the same flow through the shared helper, gated by the
  same token bound.

Known follow-up (pre-existing, out of scope): count.rs does not apply the
scoped-token `retain` that req.rs does, so a scoped token can still COUNT
out-of-scope channels via the no-channel-filter pushdown. This change gates
the new repair against the token bound but leaves that broader retain gap
for a separate fix.

DB truth (`is_member` after `add_member`) is covered by the existing
#[sqlx::test] membership tests in buzz-db/channel.rs. End-to-end handler
coverage is noted in the PR: this crate has no AppState+DB test harness and
standing one up was out of scope; the request-local repair invariant is
proven by the pure-helper tests instead.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block pushed a commit that referenced this pull request Jun 25, 2026
…n REQ/COUNT

A REQ or COUNT targeting a specific channel gates on `accessible_channels`,
a per-request Vec built once from the 10s membership cache. On a multi-pod
relay this Vec can be stale on a non-writer pod: a member just added on the
pod that processed the write sees a cache-negative until the TTL expires or
the cross-pod invalidation (commit #2) lands. That manifested as the
create-channel readback coming back empty and agents not subscribed to
rooms they were just added to.

On a cache-negative, confirm membership against the DB uncached. On a
verified positive, repair the request-local Vec by pushing `ch_id` once,
via the pure helper `resolve_request_local_access`. The same Vec gates
subscription registration, historical delivery, search scope, and COUNT —
repairing it once makes all of them see the confirmed membership, not just
the denial branch. A stale negative can no longer stay sticky for the rest
of the request.

The repair runs UP FRONT in req.rs, right after the subscription channel_id
is extracted and before the NIP-50 search early-return — not in a late
denial branch. A search scoped to `#h=<just-added>` would otherwise be
scoped against the stale vector and false-miss; running the repair first
means `handle_search_req` sees the repaired vector too.

The helper takes a `token_allows` upper bound so a DB-positive can never
push a channel back in past a narrower scoped token: a token scoped to
channel A must not reach channel B merely because the user is a DB member
of B. Both call sites compute it from the token's `channel_ids`.

- req.rs: `resolve_request_local_access(&mut Vec, ch_id, token_allows, Option<bool>)`
  encodes the truth table (token-denies → denied no DB; cache-hit → allowed
  no DB; miss+DB-true → allowed & pushed; miss+DB-false → denied &
  unchanged) with unit tests for all four. The handler does the async
  `db.is_member` lookup only on a token-allowed miss.
- count.rs: mirrors the same flow through the shared helper, gated by the
  same token bound, and applies the scoped-token `retain` that REQ does
  (after `get_accessible_channel_ids_cached`) so a scoped token cannot COUNT
  out-of-scope channels via the no-channel-filter SQL pushdown either.

DB truth (`is_member` after `add_member`) is covered by the existing
#[sqlx::test] membership tests in buzz-db/channel.rs. End-to-end handler
coverage is noted in the PR: this crate has no AppState+DB test harness and
standing one up was out of scope; the request-local repair invariant is
proven by the pure-helper tests instead.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block pushed a commit that referenced this pull request Jun 27, 2026
…98_replay assertion

Follow-up to da6051f per Quinn's cold-read (event 4529860195007964...). The
within-community replay assertion `assert_eq!(second_a.status(), UNAUTHORIZED)`
pins the 401 status code rather than checking the body, because the system has
defense-in-depth across two layers with distinct rejection signatures:

  * auth-layer replay check (`check_nip98_replay`) — rejects with
    401 + body "NIP-98: replay detected".
  * storage-layer dedup (`events` PK `ON CONFLICT DO NOTHING` in
    `ingest_event`) — accepts with 200 + body `accepted: false,
    message: "duplicate"`.

Both reject a duplicate, but only the 401 path proves the seen-set is in the
request path. A body-only check like `!accepted` would pass under a noop'd
`check_nip98_replay` because storage-dedup still 200-accepted-false's the
second post — the bite would go vacuous against the layer the obligation
actually names ("seen-set in the request path").

Adds:
  * Inline `//` comment block immediately above the `assert_eq!` naming the
    two layers, their distinct status signatures, and why the 401 expectation
    is the load-bearing-layer discriminator. Explicitly tells a future
    reader not to weaken to `!accepted` for "simpler reading."
  * Extended assertion message: when the test fails, the panic message now
    names both layers and which one the 401 proves, so a future debugger
    sees the architectural property without reading the doc-comment.

Generalized principle (per Quinn): when a system has defense-in-depth
across layers with different status-code signatures on rejection, the
assertion should pin the status code from the load-bearing layer, not
any rejection. Held in the row's doc-comment (not the shared discipline
slug) per Quinn's stopping rule — this is a deeper instance of slug
rule #2's defense-in-depth class, not a new spine entry.

Bar:
  * Comment/string-only diff: 21 lines (+19 / −2), zero runtime behavior
    change — verified by inspection (`git diff` shows only comments and
    string-literal extensions).
  * `cargo check -p buzz-test-client --tests`: clean.
  * `cargo clippy -p buzz-test-client --tests -- -D warnings`: clean.
  * `cargo fmt -p buzz-test-client -- --check`: clean.
  * Default `cargo test ... api_tokens` (no `--ignored`): doc-only `#[test]`
    still passes; wire-driven still `#[ignore]`-skipped.
  * No live mutate-bite re-run needed: the runtime path of the wire-driven
    test is byte-identical (only strings/comments touched), and the
    mutate-bite at da6051f was already RED-on-right-assertion by Sami's
    hands at :3300 and Eva's hands at her :3300 (event 9e9050cd44d6...).
    The follow-up makes the *reason* the bite bites discoverable to a
    future reader; it does not change *whether* the bite bites.

Base: PR #1321 head `da6051fdb`. Test-only diff.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block pushed a commit that referenced this pull request Jun 27, 2026
…98_replay assertion

Follow-up to da6051f per Quinn's cold-read (event 4529860195007964...). The
within-community replay assertion `assert_eq!(second_a.status(), UNAUTHORIZED)`
pins the 401 status code rather than checking the body, because the system has
defense-in-depth across two layers with distinct rejection signatures:

  * auth-layer replay check (`check_nip98_replay`) — rejects with
    401 + body "NIP-98: replay detected".
  * storage-layer dedup (`events` PK `ON CONFLICT DO NOTHING` in
    `ingest_event`) — accepts with 200 + body `accepted: false,
    message: "duplicate"`.

Both reject a duplicate, but only the 401 path proves the seen-set is in the
request path. A body-only check like `!accepted` would pass under a noop'd
`check_nip98_replay` because storage-dedup still 200-accepted-false's the
second post — the bite would go vacuous against the layer the obligation
actually names ("seen-set in the request path").

Adds:
  * Inline `//` comment block immediately above the `assert_eq!` naming the
    two layers, their distinct status signatures, and why the 401 expectation
    is the load-bearing-layer discriminator. Explicitly tells a future
    reader not to weaken to `!accepted` for "simpler reading."
  * Extended assertion message: when the test fails, the panic message now
    names both layers and which one the 401 proves, so a future debugger
    sees the architectural property without reading the doc-comment.

Generalized principle (per Quinn): when a system has defense-in-depth
across layers with different status-code signatures on rejection, the
assertion should pin the status code from the load-bearing layer, not
any rejection. Held in the row's doc-comment (not the shared discipline
slug) per Quinn's stopping rule — this is a deeper instance of slug
rule #2's defense-in-depth class, not a new spine entry.

Bar:
  * Comment/string-only diff: 21 lines (+19 / −2), zero runtime behavior
    change — verified by inspection (`git diff` shows only comments and
    string-literal extensions).
  * `cargo check -p buzz-test-client --tests`: clean.
  * `cargo clippy -p buzz-test-client --tests -- -D warnings`: clean.
  * `cargo fmt -p buzz-test-client -- --check`: clean.
  * Default `cargo test ... api_tokens` (no `--ignored`): doc-only `#[test]`
    still passes; wire-driven still `#[ignore]`-skipped.
  * No live mutate-bite re-run needed: the runtime path of the wire-driven
    test is byte-identical (only strings/comments touched), and the
    mutate-bite at da6051f was already RED-on-right-assertion by Sami's
    hands at :3300 and Eva's hands at her :3300 (event 9e9050cd44d6...).
    The follow-up makes the *reason* the bite bites discoverable to a
    future reader; it does not change *whether* the bite bites.

Base: PR #1321 head `da6051fdb`. Test-only diff.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block pushed a commit that referenced this pull request Jun 27, 2026
…okup per-community

Conformance matrix row `users_profiles_nip05` (Quinn — buzz-search/auth
joint, both halves driven by Quinn per one-author-per-mod-block
discipline; Sami's active queue is `api_tokens_nip98_replay` per Eva's
batching). Fills both `pending_lane` stubs in the row.

Half 1: `same_pubkey_distinct_profiles_in_two_communities`

Same keypair publishes kind:0 (Metadata) on each host's WS-AUTH'd
connection with community-distinct content
(`{"display_name":"A profile"}` vs `{"display_name":"B profile"}`).
NIP-01 replaceable semantics: latest kind:0 per
`(community_id, pubkey)` is what subsequent queries return. REST
`POST /query` (using dev-mode `X-Pubkey` auth, which the
`BUZZ_REQUIRE_AUTH_TOKEN=false` harness allows) returns each host's
own kind:0 — never the other's. Distinct content per community is
load-bearing for the bite: identical content would collapse the leak
into setup-equivalence vacuity (Dawn's catch on `audit_log` —
identical Nostr event ids when (pubkey, created_at, kind, tags,
content) match — making the assertion blind to the wrong-row
substitution).

Half 2: `same_nip05_local_part_on_two_hosts_is_independent`

Same local-part registered in BOTH communities with **distinct**
pubkeys (one per community). `GET /.well-known/nostr.json?name=alice`
against host A returns A's pubkey; against host B returns B's pubkey.
Distinct pubkeys per community make the leak observable as
wrong-pubkey-returned on the wire — the same setup-equivalence-vacuity
defense Dawn established (different keys = different rows = the wrong
answer is observable in the response, not just absent from it). Handle
canonicalization uses `extract_relay_domain` (mirrors
`crates/buzz-relay/src/api/nip05.rs::extract_domain`) against
`RELAY_URL` env so the test still works if the harness's relay URL
changes; defaults to `localhost` for the standard recipe.

Bar (by my own hands against the live `:3100` harness, PR head
`b02d767f2`):

  Clean → BOTH GREEN.
  Mutate (community fences dropped, both paths simultaneously, mirroring
    the search_fts dual-fence approach):
    - crates/buzz-db/src/event.rs:267-270 — `query_events` non-p-tag
      branch `WHERE community_id = $1` → `WHERE TRUE`
    - crates/buzz-db/src/user.rs:185 — `get_user_by_nip05`
      `WHERE community_id = $1 AND LOWER(handle) = LOWER($2)` →
      `WHERE LOWER(handle) = LOWER($1)` (rebind to keep param count
      aligned)
  → BOTH halves RED on their own assertions:
    - kind:0 half: "B's kind:0 content is not B's profile — A's
      profile leaked through. got: '{"display_name":"A profile"}'"
    - NIP-05 half: "NIP-05 lookup on B for local-part 'alice_…' must
      resolve to B's pubkey ($B_PK); got $A_PK. If this is A's
      pubkey, the community fence on `get_user_by_nip05` has been
      dropped and A's user leaked through B's lookup."
  Restore both fences (worktree diff empty after restore) → BOTH GREEN.

Each half bit on a SINGLE-fence mutation this time, unlike search_fts's
defense-in-depth shape. That's because the kind:0 read path
(`query_events`) and the NIP-05 lookup path (`get_user_by_nip05`)
each have one community fence at their layer, not redundant fences
across two layers like the FTS+batch-fetch shape. Different rows have
different defense topologies; this row's mutate-bite is the simpler
single-fence form, exactly as the named failure-mode analysis in
`landed-on-head-discipline` rule #2 sub-bullet predicts (the union of
fences IS what makes the property load-bearing; here the union has
exactly one element per path).

Bar checklist:
- `cargo fmt -p buzz-test-client -- --check`: exit 0.
- `cargo clippy -p buzz-test-client --tests -- -D warnings`: clean.
- `cargo test -p buzz-test-client --tests`: non-ignored 0/0 (the 4
  nip42_host_binding_live tests are #[ignore]'d by design — they need
  the live harness).
- Strict-FF onto PR head: this is +1 on `b02d767f2`, verified by
  `git merge-base --is-ancestor` + `git rev-list --count`.
- Trailers preserved as single pair via the explicit `--trailer`
  flags on the initial commit (not `--amend --trailer`, which doubled
  them earlier in the session).
- Live two-host harness on `:3100`: my clean (post-restore) binary,
  recipe per RESEARCH/CONFORMANCE_MATRIX_STATUS_2026-06-27.md, two
  community rows seeded `a.localhost:3100`/`b.localhost:3100`.

Conformance lane: this row is one of fourteen in the file; per Eva's
row-ownership contract, this commit touches only the
`users_profiles_nip05` module. No other rows modified.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block pushed a commit that referenced this pull request Jun 27, 2026
…98_replay assertion

Follow-up to da6051f per Quinn's cold-read (event 4529860195007964...). The
within-community replay assertion `assert_eq!(second_a.status(), UNAUTHORIZED)`
pins the 401 status code rather than checking the body, because the system has
defense-in-depth across two layers with distinct rejection signatures:

  * auth-layer replay check (`check_nip98_replay`) — rejects with
    401 + body "NIP-98: replay detected".
  * storage-layer dedup (`events` PK `ON CONFLICT DO NOTHING` in
    `ingest_event`) — accepts with 200 + body `accepted: false,
    message: "duplicate"`.

Both reject a duplicate, but only the 401 path proves the seen-set is in the
request path. A body-only check like `!accepted` would pass under a noop'd
`check_nip98_replay` because storage-dedup still 200-accepted-false's the
second post — the bite would go vacuous against the layer the obligation
actually names ("seen-set in the request path").

Adds:
  * Inline `//` comment block immediately above the `assert_eq!` naming the
    two layers, their distinct status signatures, and why the 401 expectation
    is the load-bearing-layer discriminator. Explicitly tells a future
    reader not to weaken to `!accepted` for "simpler reading."
  * Extended assertion message: when the test fails, the panic message now
    names both layers and which one the 401 proves, so a future debugger
    sees the architectural property without reading the doc-comment.

Generalized principle (per Quinn): when a system has defense-in-depth
across layers with different status-code signatures on rejection, the
assertion should pin the status code from the load-bearing layer, not
any rejection. Held in the row's doc-comment (not the shared discipline
slug) per Quinn's stopping rule — this is a deeper instance of slug
rule #2's defense-in-depth class, not a new spine entry.

Bar:
  * Comment/string-only diff: 21 lines (+19 / −2), zero runtime behavior
    change — verified by inspection (`git diff` shows only comments and
    string-literal extensions).
  * `cargo check -p buzz-test-client --tests`: clean.
  * `cargo clippy -p buzz-test-client --tests -- -D warnings`: clean.
  * `cargo fmt -p buzz-test-client -- --check`: clean.
  * Default `cargo test ... api_tokens` (no `--ignored`): doc-only `#[test]`
    still passes; wire-driven still `#[ignore]`-skipped.
  * No live mutate-bite re-run needed: the runtime path of the wire-driven
    test is byte-identical (only strings/comments touched), and the
    mutate-bite at da6051f was already RED-on-right-assertion by Sami's
    hands at :3300 and Eva's hands at her :3300 (event 9e9050cd44d6...).
    The follow-up makes the *reason* the bite bites discoverable to a
    future reader; it does not change *whether* the bite bites.

Base: PR #1321 head `da6051fdb`. Test-only diff.

Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
wpfleger96 added a commit that referenced this pull request Jun 30, 2026
Implements the full dream consolidation system across four areas:

**1. Dispatch liveness (Thufir IMPORTANT #1)**
Extracts `maybe_dispatch_dream()` helper, called at four state-transition
points: after KIND_DREAM_DUE receipt, after heartbeat fires (idle gap),
after prompt result + drain, after panic recovery + drain. Removes the
old else-if chain that made dream reachable only when a heartbeat was
already in flight — fixing both starvation modes:
- Single-agent pool + fast heartbeat: dream now fires in the idle gap
  after heartbeat completes, not waiting for a concurrent heartbeat slot.
- Heartbeat disabled: dream fires immediately on dream-due receipt.
Guard: no flushable queue work, dream_pending, !dream_in_flight,
!heartbeat_in_flight, idle agent. Preserves pending > heartbeat > dream
priority.

**2. Skill distribution via Nest scaffolder (Will's requirement)**
Adds nest_dream_skill.md (include_str!'d as DREAM_SKILL_MD), written
to .agents/skills/dream/SKILL.md at Nest init, mirroring the buzz-cli
skill pattern (nest.rs:42-174). Includes NEST_DREAM_SKILL_VERSION=1
for refresh-on-bump, refresh_dream_skill_md_if_stale() with atomic
tempfile write, and dream skill symlinks in ensure_skill_symlinks() for
all known provider dirs (.goose/skills, .claude/skills, etc.).
This makes load_dream_prompt()'s cwd-relative read correct — the Nest
IS the cwd, and the scaffolder now guarantees the file.

**3. Missing prompt is startup-visible error (Thufir IMPORTANT #2)**
dispatch_dream() now logs tracing::error! (target: "dream") when the
prompt is None, returns the claimed agent, clears dream_pending so
it does not retry on every signal, and documents this as a
configuration error (missing SKILL.md). No more silent drop.

**4. Relay sweep + dream-due emission (Phase 3)**
In buzz-relay:
- Config: dream_memory_budget_bytes (default 65536, env
  BUZZ_DREAM_MEMORY_BUDGET_BYTES), dream_sweep_interval_secs (default
  300, env BUZZ_DREAM_SWEEP_INTERVAL_SECS). Set budget to 0 to disable.
- main.rs: spawns sweep task if budget > 0 and deployment_community
  is Some. Each interval: queries agents_over_memory_budget, idle-gates
  each via buzz_pubsub::presence::get_presence (no live Redis key = idle),
  builds KIND_DREAM_DUE ephemeral event tagged #p=[agent_pubkey], signs
  with relay keypair, publishes via pubsub.
- Staleness ceiling satisfied: presence TTL is 90s, default sweep is
  300s, so "no presence key" already implies > 90s silence.
In buzz-db: agents_over_memory_budget() aggregates SUM(LENGTH(content))
for non-tombstone kind:30174 engrams per community, returns agents
exceeding budget.

**5. Tests (Phase 4)**
Six unit tests in dream_dispatch_tests cover:
- Guard: dream_pending=false → no dispatch, agent not consumed.
- Guard: heartbeat_in_flight=true → blocked (priority order).
- Regression: heartbeat disabled → dream still dispatches.
- Guard: empty pool → pending preserved for next idle gap.
- Fix 3: missing prompt → pending cleared, agent returned, no task.
- Guard: dream_in_flight=true → no double dispatch.

Co-authored-by: Will Pfleger <pfleger.will@gmail.com>
Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants