Initial release — Sprout Nostr relay with enterprise extensions#2
Merged
Conversation
All-Rust Nostr relay with structured channels, YAML-as-code workflows, MCP agent interface, tamper-evident audit log, and permission-aware full-text search. 13 crates: sprout-core, sprout-relay, sprout-db, sprout-auth, sprout-pubsub, sprout-search, sprout-audit, sprout-mcp, sprout-workflow, sprout-proxy, sprout-huddle, sprout-admin, sprout-test-client. 394 unit tests, 42 E2E integration tests, 16 MCP tools. Apache-2.0 licensed.
wesbillman
approved these changes
Mar 9, 2026
…ing licenses - Remove deprecated 'vulnerability', 'unmaintained', 'yanked' fields from [advisories] - Remove deprecated 'unlicensed' field from [licenses] - Use structured ignore entries with reasons for advisory ignores - Add CC0-1.0, CDLA-Permissive-2.0, MITNFA to license allow list (Bitcoin/Nostr ecosystem permissive licenses) - Set wildcards = 'allow' (workspace crates use * for inter-crate deps) - Add [licenses.private] ignore = true for unpublished workspace crates All four cargo-deny checks pass: advisories ok, bans ok, licenses ok, sources ok
tlongwell-block
added a commit
that referenced
this pull request
Mar 16, 2026
Crossfire round 1: codex 4/10, opus 8/10. All critical issues fixed: Security (critical): - Force channel_id=None for kind:1059 gift wraps — prevents channel-scoped storage that would bypass #p AUTH-gating (codex finding #1) Correctness: - NIP-50 pagination loop — keep fetching Typesense pages until limit met or result set exhausted, capped at MAX_SEARCH_PAGES=5 (codex finding #2) - Push authors/since/until to Typesense filter_by — post-filtering is now a correction step, not the primary filter (codex + opus suggestion) - NIP-10 root tag validation — reject events where client-supplied root diverges from server-resolved ancestry (codex finding #3) Clarity: - Consolidate #p gating into single P_GATED_KINDS check (opus suggestion #7) - filter.clone() → std::slice::from_ref(filter) (opus suggestion #1) - Remove no-op get_events_by_ids test, add debug_assert (opus #3, #5)
tlongwell-block
added a commit
that referenced
this pull request
Apr 11, 2026
- #2: Document display_name reverse-lookup fragility in agents.rs with TODO for long-term fix (store internal name on PersonaRecord) - #3: Add on_message to ResolvedHooks so it's not silently dropped during resolution - #4: Fix misleading comment on ResolvedPack.description (was 'use pack name as fallback', now 'not yet wired') 156 crate tests pass, desktop compiles clean.
11 tasks
tlongwell-block
added a commit
that referenced
this pull request
May 8, 2026
When any tool call returns an error, append a short reflection prompt to the result text before it enters history: [Reflect] Diagnose the error above before retrying. What went wrong? Why? What will you do differently? This forces the LLM to analyze the failure before blindly repeating the same failing command — the #2 cause of wasted rounds on benchmarks after doom loops. Three lines of code, zero new modules. Inspired by ForgeCode's 'forge-partial-tool-error-reflection.md' template which requires structured reflection after every tool failure.
tlongwell-block
pushed a commit
that referenced
this pull request
May 13, 2026
…alse, idempotent legacy cleanup Addresses Sami + Quinn reviewer-hat catches on the initial PR commit and a P3 finding from codex review. Changes ------- 1. Sidecar MODEL_LICENSE.txt wording: replace 'Used unmodified by Sprout' with Quinn's framing that distinguishes sherpa-onnx's PyTorch→ONNX/int8 conversion (a CC-BY-4.0 §3(a)(1)(b) modification) from Sprout's verbatim shipping of that conversion. Same five §3(a)(1) bullets, no internal contradiction. Sami concurred on-thread. 2. `STT_NUM_THREADS` promoted to a named const at the top of stt.rs with a comment explaining the hold-at-1 rationale and pointing at the planned A/B follow-up. Easier to find and flip than a hardcoded literal. 3. `OfflineRecognizerConfig::model_config.debug = false` set explicitly. Defaults aren't part of the API contract, and per-VAD-chunk debug logging would be expensive in release builds. 4. Best-effort cleanup of the legacy `~/.sprout/models/moonshine-tiny/` directory (~70 MB). Reclaims disk space silently on upgrade. Codex caught a real edge case in the first sketch: a user who already had the new manifest-v2 Parakeet model installed (e.g. from an earlier pre-merge build) would short-circuit out of `start_stt_download`'s `is_ready` fast path and never trigger the cleanup. The fix factors the cleanup into a free `cleanup_legacy_moonshine_dir` helper and schedules it as a detached task from `start_stt_download` on every call — idempotent (no-op if dir absent), runs once per app launch regardless of whether a fresh download happens. Same helper still runs from the post-install success path. Verification: cargo check + fmt + clippy + 66/66 huddle tests + file-size check (bumped models.rs budget 850→900 with a descriptive-comment update; net source growth is real and documented in the diff). codex review on the uncommitted diff: 'No correctness issues were found.' Notes on the other review points (no code change needed) ------------------------------------------------------- - Quinn #1 (manifest v1→v2 upgrade): the new code has no path that resolves `moonshine-tiny/` anymore (the dir name was renamed, not just the version bumped), and `is_ready()` requires both manifest match and every expected file present — half-installs already fail closed. - Quinn #2 (JSON field rename leakage): grep across the whole tree confirms `'moonshine'` and `moonshine-tiny` appear only in `models.rs` source comments. The `VoiceModelStatus.stt` field is a Tauri-invoke IPC type consumed only by HuddleBar.tsx at render time — not persisted in settings, electron-store, telemetry, or any other survives-restart surface. The rename is purely in-memory.
tlongwell-block
added a commit
that referenced
this pull request
May 14, 2026
Adds a Settings → Agent Provider panel to the desktop GUI for configuring the `sprout-agent` provider, model, API key, and behavior knobs. Settings are encrypted at rest with NIP-44 self-encryption (the user's own nostr key) and injected into the sprout-agent child's env at spawn time. The panel also gains automatic provider-URL detection based on the API key format the user pastes. ## Backend (`desktop/src-tauri/src/commands/agent_provider_settings/`) - `mod.rs` — IPC types + plaintext `StoredSettings` (Drop zeroizes `api_key`; no Debug derive on input/stored). v2 envelope binds the plaintext to its owner pubkey for rollback / envelope-swap protection. - `storage.rs` — envelope read/write, NIP-44 encrypt/decrypt with `Zeroizing<String>` for plaintext, atomic-rename writes, file-size cap, `normalize_origin` (rejects non-loopback `http://`, userinfo, query, fragment), `validate_input` (provider whitelist, control-char rejection, size caps for key/model/base_url/system_prompt, positive- int knobs). `validate_stored` mirrors the same rules on the decrypted blob at spawn time — fails closed on a rolled-back pre-validation envelope so a redirected `http://api.example.com/v1` cannot escape. - `commands.rs` — `get_*`, `save_*`, `delete_*`, `get_*_env_presence` Tauri commands. The save command trims whitespace + zeroes the input api_key before validation can early-return. - `spawn.rs` — `LoadForSpawn` enum + `EnvPairs` newtype whose Drop zeroizes every value buffer. `apply_to_command` hands each env pair to `Command::env` by reference, zeroizing the local buffer after. Spawn policy: Ok → strip OWNED_AGENT_ENV_VARS + ACP-level vars then inject; None → no-op; IdentityMismatch / Error → fail closed (strip inherited owned vars, inject nothing). - `tests.rs` — round-trip envelope I/O, identity-rotation, save-time validation (oversized prompt, zero timeouts, tiny history bytes, unknown provider, control chars, oversized fields, api-key whitespace trim, owner_pubkey v2), `apply_to_command` × `LoadForSpawn` matrix (Ok/None/IdentityMismatch-fails-closed/Error-fails-closed, openai dialect), `stored_to_env_pairs` for each dialect, R7 `validate_stored` coverage (non-loopback http, control chars in key/model/base_url, userinfo/query in base_url, unknown provider, oversized prompt, empty-key + loopback local accepted). ## Runtime integration (`desktop/src-tauri/src/managed_agents/runtime.rs`) - `build_agent_command` calls `agent_provider_settings::apply_to_command` exactly when the harness is `sprout-agent`. ACP-level vars (SPROUT_AGENT_PROVIDER etc.) are stripped from inherited parent env before injection so a stale shell `ANTHROPIC_API_KEY` never shadows saved settings. `respond-to` gate env (`SPROUT_ACP_RESPOND_TO[_ALLOWLIST]`) threads through with the new `owner_hex: Option<&str>` parameter (origin/main merge). ## Frontend - `lib/detectProvider.ts` — pure key-format detector. Recognizes Anthropic, OpenAI (legacy/proj/svcacct via fixed infix), OpenRouter, Groq, xAI, Cerebras, Together, Perplexity, Fireworks (medium), bare sk- → DeepSeek (low + ambiguity-aware), plus localhost/127.0.0.1 patterns for Ollama / vLLM / llama.cpp. Includes ADMIN_ONLY_PROVIDER_ID sentinel for `sk-ant-admin01-` which we explicitly refuse to save. Key format wins over a prefilled default base URL; an explicit non- default base URL wins back for medium-confidence keys (e.g. Fireworks + api.openai.com host). Fixture strings construct the OpenAI infix via concat so GitHub's secret scanner doesn't regex-match an inline OpenAI-shaped service-account/project key (`detectProvider.test.mjs`, `settings-agent-provider.spec.ts`). - `lib/providerCatalog.ts` — declarative catalog (id, label, dialect, isLocal, default model + base URL, key-shape hint). Drives the picker, the auto-fill on detection, the local-provider placeholder enforcement, and the per-provider model field default. - `lib/agentProviderFormState.ts` — FormState shape + reducers. `applyProviderSwitch` is the single source of truth for what gets reset on a provider change (model when empty or still previous default; baseUrl when new provider has a default OR user hasn't edited it; clears previous default host for null-default providers; drops apiKey on switch TO a local provider). Used by both the manual picker and the auto-detect effect so the policy can't drift. - `lib/agentProviderSettingsApi.ts` + `hooks/useAgentProviderSettings.ts` — typed IPC wrappers + React-Query hooks (load / save / delete / envPresence). - `ui/AgentProviderSettingsCard.tsx` — the panel itself. Empty state with shell-env hint, identity-rotation banner, load-error banner, detected-provider badge, reveal/hide toggle, advanced section, inline provider-change warning, confirm-clear dialog. On save success the plaintext is wiped from form state + reveal toggles off, independent of any React-Query refresh effect (covers the structural- sharing identical-redacted-view edge case). - `ui/AgentProviderAdvancedFields.tsx`, `AgentProviderBanners.tsx`, `AgentProviderClearDialog.tsx` — split components. ## Per-agent dialog (sprout-agent special case) - `agents/ui/CreateAgentDialogSections.tsx` — Model + System prompt inputs are hidden for sprout-agent paths (those are owned globally). A note line points users to Settings → Agent Provider. - `agents/ui/EditAgentDialog.tsx` — passes `selectedProviderId="custom"` to the shared runtime fields so the agent-command input stays editable for existing rows; the system-prompt hide still resolves via `isSproutAgentPath`'s `agentCommand` arm. - `agents/ui/ManagedAgentRow.tsx` — "Model managed by Sprout settings" link is a span with role="button" + stopPropagation (was a nested `<button>` inside the row button — both invalid HTML and double- triggering). - `agents/lib/resolveAcpProviderId.ts` — TS / Rust alignment for inline-args resolution (Rust `known_acp_provider` strips args; TS now matches). ## Tests - Rust: 328 tests passing (R7 added 7; full agent_provider_settings suite at 44/44). - TS / node-test: 55 cases for the form-state reducer + provider detector. - Playwright integration: 12 settings-agent-provider scenarios (empty state + detection + save round-trip, identity-rotation banner, provider-change-warning, key-format-beats-prefilled-baseUrl, load- error banner, clear flow + Escape cancel, rotation banner a11y, local-provider switch with saved key, manual switch reset, detected- provider model reset, post-save key-input clear). ## just ci summary - Rust: 321/321 + 7 new validate_stored tests - Mobile: 336/336 - Desktop / web: format + biome + file-size + ts-check all green - Playwright integration agents + settings-agent-provider: 19/19 green ## Codex review history - Reviews #1, #2, #3, #5, #6 surfaced and fixed: non-loopback HTTP at save AND spawn, identity-mismatch fails closed, local-provider key leak prevention, inline-args resolver alignment, Zeroize on api_key before early-return, no Debug derive, control-char / length caps + trim, owner_pubkey v2 envelope, local-provider switch unblock, EditAgentDialog command field, model reset on detection switch, nested-button fix, `applyProviderSwitch` reducer extraction. - Review #7 (P2-UI + P2-Rust): clear form.apiKey + revealKey on save success; validate decrypted settings at spawn time. - Review #8: 9/10, no blocking findings. Signed-off-by: Tyler Longwell <109685178+tlongwell-block@users.noreply.github.com> Co-authored-by: Dawn <c6237ef84fa537c78dcee78efd2d4e59f728859c7f194da42ac51ededfa0be05@sprout-oss.stage.blox.sqprod.co>
tlongwell-block
added a commit
that referenced
this pull request
May 17, 2026
…nses auto-upgrade Two follow-ups from review on #604. 1. Anthropic startup hardening (Max #1) `OPENAI_COMPAT_API` was parsed unconditionally, so a stray bad value in an Anthropic-only env broke startup. Parse it only inside the `Provider::OpenAi` arm of `Config::from_env`. Anthropic gets a placeholder `OpenAiApi::ChatCompletions` it never reads. New tests pin the parser behavior without touching process env. 2. One-shot chat→responses auto-upgrade (Max #2, Tyler "automatic detection/fallthrough") When `OPENAI_COMPAT_API=auto` and the provider replies to a Chat Completions request with a body that explicitly names `/v1/responses` (or the prose "use the Responses API"), latch a process-wide sticky-cached upgrade and re-issue the same request on `/v1/responses`. Subsequent calls skip the chat attempt entirely. Pinned values (`OPENAI_COMPAT_API=chat`|`responses`) never auto-upgrade. Signal matcher (`is_responses_required_error`) is intentionally narrow — only matches the literal path `/v1/responses` or specific prose phrases, so we don't get fooled by unrelated 4xx bodies. New `Config.openai_api_auto: bool` records whether the operator resolved-by-auto vs. pinned, so we know when to enable the upgrade. `Llm` gains an `AtomicBool` for the sticky upgrade, plus three small helpers (`effective_openai_api`, `should_try_auto_upgrade`, `latch_responses_upgrade`) so the dispatch reads straight through. Logged at WARN once per process: `"openai chat-completions endpoint reported that this model requires the Responses API; auto-upgrading subsequent OpenAI calls to /v1/responses for the rest of this process"`, with the provider error body attached. Tests: - 4 new unit tests for `is_responses_required_error` covering the Databricks GPT-5.5 signal, OpenAI prose phrasing, and explicit non-matches for `invalid_api_key`, generic `unsupported_parameter`, and empty body. - 3 new unit tests for `parse_openai_api` covering unset-defaults-to-auto, case-insensitive explicit values with whitespace, and rejected garbage. - New integration test `tests/openai_auto_upgrade.rs` spawns a fake provider that 400s on `/chat/completions` with the Databricks signal and 200s on `/responses`. Drives sprout-agent through ACP and asserts `stopReason=end_turn` plus chat-hit-once / responses-hit-once. 65 tests pass, 0 fail. clippy `-D warnings` clean. cargo fmt clean. Live smoke against api.openai.com with gpt-5-mini still 3/3 PASS. Signed-off-by: Tyler Longwell <109685178+tlongwell-block@users.noreply.github.com>
tlongwell-block
added a commit
that referenced
this pull request
May 17, 2026
…nses auto-upgrade Two follow-ups from review on #604. 1. Anthropic startup hardening (Max #1) `OPENAI_COMPAT_API` was parsed unconditionally, so a stray bad value in an Anthropic-only env broke startup. Parse it only inside the `Provider::OpenAi` arm of `Config::from_env`. Anthropic gets a placeholder `OpenAiApi::ChatCompletions` it never reads. New tests pin the parser behavior without touching process env. 2. One-shot chat→responses auto-upgrade (Max #2, Tyler "automatic detection/fallthrough") When `OPENAI_COMPAT_API=auto` and the provider replies to a Chat Completions request with a body that explicitly names `/v1/responses` (or the prose "use the Responses API"), latch a process-wide sticky-cached upgrade and re-issue the same request on `/v1/responses`. Subsequent calls skip the chat attempt entirely. Pinned values (`OPENAI_COMPAT_API=chat`|`responses`) never auto-upgrade. Signal matcher (`is_responses_required_error`) is intentionally narrow — only matches the literal path `/v1/responses` or specific prose phrases, so we don't get fooled by unrelated 4xx bodies. New `Config.openai_api_auto: bool` records whether the operator resolved-by-auto vs. pinned, so we know when to enable the upgrade. `Llm` gains an `AtomicBool` for the sticky upgrade, plus three small helpers (`effective_openai_api`, `should_try_auto_upgrade`, `latch_responses_upgrade`) so the dispatch reads straight through. Logged at WARN once per process: `"openai chat-completions endpoint reported that this model requires the Responses API; auto-upgrading subsequent OpenAI calls to /v1/responses for the rest of this process"`, with the provider error body attached. Tests: - 4 new unit tests for `is_responses_required_error` covering the Databricks GPT-5.5 signal, OpenAI prose phrasing, and explicit non-matches for `invalid_api_key`, generic `unsupported_parameter`, and empty body. - 3 new unit tests for `parse_openai_api` covering unset-defaults-to-auto, case-insensitive explicit values with whitespace, and rejected garbage. - New integration test `tests/openai_auto_upgrade.rs` spawns a fake provider that 400s on `/chat/completions` with the Databricks signal and 200s on `/responses`. Drives sprout-agent through ACP and asserts `stopReason=end_turn` plus chat-hit-once / responses-hit-once. 65 tests pass, 0 fail. clippy `-D warnings` clean. cargo fmt clean. Live smoke against api.openai.com with gpt-5-mini still 3/3 PASS. Signed-off-by: Tyler Longwell <109685178+tlongwell-block@users.noreply.github.com>
tlongwell-block
added a commit
that referenced
this pull request
May 19, 2026
… arithmetic Desktop smoke e2e was failing on the two click-to-select mention paths. Root cause: `replacePlainTextRange` placed the post-transaction cursor at tr.mapping.map(fromPM + text.length) The argument to `mapping.map` is a *pre-image* (old-doc) position, but `fromPM + text.length` can be larger than the old doc's size — for a 3-char input replacing a 0-char range with 7 chars, the arithmetic yields a position 7 past the original end, which ProseMirror rejects with "Position N out of range". The thrown error bubbled out of the mention click handler, the transaction never dispatched, and the editor stayed at "Hey @ali". The keyboard-Enter path passed only because the surrounding code-path (`handleEditorKeyDown`) caught the error implicitly — but in fact it was hitting the same bug; the test just asserted on a state that the default Enter keymap also reaches. Fix: map `toPM` (the right end of the replaced range, a valid old-doc position) through `tr.mapping.map`. That returns the post-transaction position right after the inserted text — which is what we want, and is always valid: const cursorPM = tr.mapping.map(toPM); This still satisfies Perci's robustness concern from the original review (use the transaction's mapping, not raw arithmetic) but uses the correct pre-image input. Regression coverage: - All 4 existing mentions.spec.ts tests for the click-and-Enter selection paths now pass. - Added a new regression test for bug #2: type two lines separated by Shift+Enter, type "@ali", click "alice" — assert both lines survive *and* there's still exactly one `<br>` in the editor. This is the literal scenario from the bug report. Verified locally: - smoke suite: 97/97 pass (was 94 + 2 new mentions tests + 1 new regression test). - node unit tests: 182/182. - typecheck + biome + file-size: clean. Removed the temporary `console.warn` instrumentation I'd added while diagnosing.
tlongwell-block
pushed a commit
that referenced
this pull request
May 22, 2026
Adds crates/sprout-relay/src/api/git/cas_publish.rs — the pure async function that turns a post-receive-pack workspace into a durable manifest CAS. Composes Dawn's GitStore primitives (put_pack, put_manifest, get_pointer, put_pointer) and Dawn's Manifest schema (canonical_bytes, validate, Inv_Closed at compose time) into the spec's step 2-7 sequence: read pointer (e, d_before) §step 3 fetch + verify m_before §step 3 + A1 detectability snapshot refs + symref-HEAD from disk (HEAD inherits parent on detach) pack new objects via pack-objects --revs §step 1-2 put_pack(bytes) -> packs/<sha256> §step 2 (A1) compose m_after (parent packs + new pack, parent = digest only) §step 5 m_after.validate() (Sami/Max/Perci #2-#4) put_manifest(canonical_bytes) -> manifests/<sha256> §step 6 put_pointer(IfMatch(e) | IfNoneMatchStar) §step 7 (CAS) Won -> CasSuccess { manifest, manifest_key } Lost -> CasError::Conflict { winner_manifest, winner_manifest_key } (→ HTTP 409, with winner for disk reconcile) The function returns *before* a Response is constructed — it is called from finalize_push, which is the unique site that builds a push 2xx, so the structural seam still enforces Theorem 1 (success-after-CAS). ## Review fixes folded in Sami's review (#1–#6) + Perci's #1 + Max's pre-CAS-validation blocker are all addressed in this commit: - **parent = bare 64-hex digest, not full key** (Perci #1, Max). Pointer body is `<digest>`; `Manifest.parent` stores the same digest, matching `Inv_RefDerivedFromParent` literally. `read_parent` strips the `manifests/` prefix before assigning. Dawn's new `MalformedParent` validator catches any drift at the write seam. - **Pre-CAS validation** (Sami #2, Max). `m_after.validate()?` runs between `compose_after` and `put_manifest`. Unsafe refnames, malformed oids, empty HEAD — all surface as `CasError::ManifestInvalid(...)` (4xx-class) before any S3 write, *not* as "valid CAS, un-clone-able output." Typed variant (not reused `ManifestReadFailed`) so logs / status mapping distinguish "client input rejected" from "stored parent failed A1" (Max + Dawn). - **Detached-HEAD fallback** (Sami #3). `snapshot_workspace_state` returns empty `head` on detached HEAD; `cas_publish` falls back to `parent.head` if non-empty. `validate()` rejects the first-push-+- detached case (Sami #4 — no parent to inherit from, manifest is un-clone-able). - **Conflict carries the winner** (Sami #5 + Dawn). `Conflict { winner_manifest, winner_manifest_key }` lets `finalize_push` invoke Eva's `reconcile_to_manifest` mechanically from the error arm, without a second pointer GET in the caller. `warn!()` at the `LostRace` site logs (pointer, expected etag, attempted manifest) for debugging concurrent-push patterns. Boxed for `clippy::result_large_err`. - **Empty-pack comment** (Sami #6). Clarified `capture_pack` returns `None` in both the delete-all (`refs_after.is_empty()`) and refs-only (`pack-objects` empty stdout) cases. - **`pointer_key` consolidated** in `manifest.rs` (Sami #1, Dawn, Max — Sami's "single source of truth" argument). `cas_publish` imports it; the duplicate definition is gone. - **`validate-invocation` test added** in `cas_publish.rs` (Sami's recommendation). Pins that a future refactor dropping the `validate?` call between `compose_after` and `put_manifest` is caught by unit test, not by every subsequent un-clone-able read. ## What this deliberately does NOT do (each with citation) - No retry on LostRace. Per Sami's TLA-action guidance: the receive-pack output is derived against a now-superseded parent; reusing it would violate Inv_RefDerivedFromParent. Client re-pushes, which re-hydrates + re-runs receive-pack against the advanced pointer — the only safe retry, which git already performs. Spec §Push step 7: 'GOTO 3 (retry) or respond non-ff' — both arms safe; we take non-ff. - No kind:30618 emission. That is derived after CAS — finalize_push calls Sami's build_ref_state_event over m_after.refs / m_after.head on Ok. Spec §Implementation Correspondence: 'kind:30618 is derived after CAS, never the commit.' - No advisory lock. Spec §Push 'no advisory lock in v1' — writer serialization is the CAS. A mutex would hide the contention Inv_NoFork proves safe. ## Tests 10 unit tests pin digest_from_key (manifest/<...> prefix invariant), compose_after (Inv_Closed coverage, sort, dedupe, refs-only-no-new-pack, first-push, parent-is-digest-not-key), validate invocation (unsafe refname + first-push-empty-HEAD both rejected pre-CAS). 244 relay tests green; clippy --tests -D warnings clean. The integration into finalize_push lands separately — Eva owns the AppState::git_store wiring + main.rs startup probe gate. This module is callable today: cas_publish(&store, repo_path, owner, repo, &refs_before) -> Result<CasSuccess, CasError>. Refs: - docs/git-on-object-storage.md §Push step 2-7, §Implementation Correspondence, §Mechanized Verification (Inv_NoFork, Inv_RefEffectApplied, Inv_RefDerivedFromParent, Inv_Closed). Also makes transport::harden_git_env pub(crate) for reuse by cas_publish's two subprocess sites (for-each-ref, pack-objects). Co-authored-by: Tyler Longwell <tyler@block.xyz>
tlongwell-block
pushed a commit
that referenced
this pull request
May 22, 2026
Adds crates/sprout-relay/src/api/git/cas_publish.rs — the pure async function that turns a post-receive-pack workspace into a durable manifest CAS. Composes Dawn's GitStore primitives (put_pack, put_manifest, get_pointer, put_pointer) and Dawn's Manifest schema (canonical_bytes, validate, Inv_Closed at compose time) into the spec's step 2-7 sequence: read pointer (e, d_before) §step 3 fetch + verify m_before §step 3 + A1 detectability snapshot refs + symref-HEAD from disk (HEAD inherits parent on detach) pack new objects via pack-objects --revs §step 1-2 put_pack(bytes) -> packs/<sha256> §step 2 (A1) compose m_after (parent packs + new pack, parent = digest only) §step 5 m_after.validate() (Sami/Max/Perci #2-#4) put_manifest(canonical_bytes) -> manifests/<sha256> §step 6 put_pointer(IfMatch(e) | IfNoneMatchStar) §step 7 (CAS) Won -> CasSuccess { manifest, manifest_key } Lost -> CasError::Conflict { winner_manifest, winner_manifest_key } (→ HTTP 409, with winner for disk reconcile) The function returns *before* a Response is constructed — it is called from finalize_push, which is the unique site that builds a push 2xx, so the structural seam still enforces Theorem 1 (success-after-CAS). ## Review fixes folded in Sami's review (#1–#6) + Perci's #1 + Max's pre-CAS-validation blocker are all addressed in this commit: - **parent = bare 64-hex digest, not full key** (Perci #1, Max). Pointer body is `<digest>`; `Manifest.parent` stores the same digest, matching `Inv_RefDerivedFromParent` literally. `read_parent` strips the `manifests/` prefix before assigning. Dawn's new `MalformedParent` validator catches any drift at the write seam. - **Pre-CAS validation** (Sami #2, Max). `m_after.validate()?` runs between `compose_after` and `put_manifest`. Unsafe refnames, malformed oids, empty HEAD — all surface as `CasError::ManifestInvalid(...)` (4xx-class) before any S3 write, *not* as "valid CAS, un-clone-able output." Typed variant (not reused `ManifestReadFailed`) so logs / status mapping distinguish "client input rejected" from "stored parent failed A1" (Max + Dawn). - **Detached-HEAD fallback** (Sami #3). `snapshot_workspace_state` returns empty `head` on detached HEAD; `cas_publish` falls back to `parent.head` if non-empty. `validate()` rejects the first-push-+- detached case (Sami #4 — no parent to inherit from, manifest is un-clone-able). - **Conflict carries the winner** (Sami #5 + Dawn). `Conflict { winner_manifest, winner_manifest_key }` lets `finalize_push` invoke Eva's `reconcile_to_manifest` mechanically from the error arm, without a second pointer GET in the caller. `warn!()` at the `LostRace` site logs (pointer, expected etag, attempted manifest) for debugging concurrent-push patterns. Boxed for `clippy::result_large_err`. - **Empty-pack comment** (Sami #6). Clarified `capture_pack` returns `None` in both the delete-all (`refs_after.is_empty()`) and refs-only (`pack-objects` empty stdout) cases. - **`pointer_key` consolidated** in `manifest.rs` (Sami #1, Dawn, Max — Sami's "single source of truth" argument). `cas_publish` imports it; the duplicate definition is gone. - **`validate-invocation` test added** in `cas_publish.rs` (Sami's recommendation). Pins that a future refactor dropping the `validate?` call between `compose_after` and `put_manifest` is caught by unit test, not by every subsequent un-clone-able read. ## What this deliberately does NOT do (each with citation) - No retry on LostRace. Per Sami's TLA-action guidance: the receive-pack output is derived against a now-superseded parent; reusing it would violate Inv_RefDerivedFromParent. Client re-pushes, which re-hydrates + re-runs receive-pack against the advanced pointer — the only safe retry, which git already performs. Spec §Push step 7: 'GOTO 3 (retry) or respond non-ff' — both arms safe; we take non-ff. - No kind:30618 emission. That is derived after CAS — finalize_push calls Sami's build_ref_state_event over m_after.refs / m_after.head on Ok. Spec §Implementation Correspondence: 'kind:30618 is derived after CAS, never the commit.' - No advisory lock. Spec §Push 'no advisory lock in v1' — writer serialization is the CAS. A mutex would hide the contention Inv_NoFork proves safe. ## Tests 10 unit tests pin digest_from_key (manifest/<...> prefix invariant), compose_after (Inv_Closed coverage, sort, dedupe, refs-only-no-new-pack, first-push, parent-is-digest-not-key), validate invocation (unsafe refname + first-push-empty-HEAD both rejected pre-CAS). 244 relay tests green; clippy --tests -D warnings clean. The integration into finalize_push lands separately — Eva owns the AppState::git_store wiring + main.rs startup probe gate. This module is callable today: cas_publish(&store, repo_path, owner, repo, &refs_before) -> Result<CasSuccess, CasError>. Refs: - docs/git-on-object-storage.md §Push step 2-7, §Implementation Correspondence, §Mechanized Verification (Inv_NoFork, Inv_RefEffectApplied, Inv_RefDerivedFromParent, Inv_Closed). Also makes transport::harden_git_env pub(crate) for reuse by cas_publish's two subprocess sites (for-each-ref, pack-objects). Co-authored-by: Tyler Longwell <tyler@block.xyz>
wpfleger96
added a commit
that referenced
this pull request
May 22, 2026
…iew findings The original implementation created a second parallel Tauri command (discover_all_acp_providers) alongside the existing one to avoid changing the return type. This produced two commands, two hooks, two query keys, and two raw type converters. Consolidates into a single command returning the full catalog, with a useAvailableAcpProviders hook that type-narrows for callers needing non-null command/binaryPath. Also fixes: pipe deadlock in install command (#1), UTF-8 truncation panic (#2/#4), adds install concurrency guard (#11), exact provider ID match (#15), error display stdout fallback (#5), success banner suppression when already available (#12), misleading re-run text (#13), IIFE refactor in PersonaDialog (#14), hidden internal query lift (#7), configurable e2e mocks (#9), shared raw type exports (#8), and classify_provider unit tests (#10).
tlongwell-block
pushed a commit
that referenced
this pull request
May 22, 2026
The architectural split Eva's live e2e caught: 30617 created the on-disk bare repo but no S3 pointer, while the read path (info_refs/upload_pack) now hydrates from the pointer. Pointer-absent ⇒ Ok(None) ⇒ 404 by Max's intentional fail-closed, so announce-then-clone returned 404 for every freshly-announced repo. Fix: establish the invariant "repo announced ⟺ pointer exists" by seeding an empty-manifest pointer at the end of `handle_git_repo_ announcement`. After seed: - `info_refs` stays strictly fail-closed: pointer-absent means never-announced, not "announced but no pushes." Max's blocker preserved exactly. - `live_hydrate_empty_repo` proves clone of an empty hydrated repo works. - First push CASes the seeded pointer via `IfMatch(etag)`, no special-case branch. The `IfNoneMatchStar` arm of `cas_publish` becomes dead code for announced repos. Two new private helpers in `side_effects.rs`: - `seed_manifest_pointer(state, owner, repo)` — `put_manifest(empty)` + `put_pointer(IfNoneMatchStar)`. **Idempotency is constructive, not trusted**: a `CasOutcome::LostRace` is treated as success ONLY if the existing pointer body matches the empty manifest's digest. Any other value (stale from a prior lifecycle, real misconfiguration) surfaces as `anyhow!` — Max's guardrail #1. - `emit_initial_ref_state(state, owner, repo)` — kind:30618 over the seeded empty manifest using Sami's `build_ref_state_event`. Pointer is the commit; this event is the derived "repo exists, empty" signal — Max's guardrail #2. Non-fatal on failure: manifest is truth, 30618 is just notification. Empty manifests across all repos share canonical bytes (deterministic serialization by construction) ⟹ same digest ⟹ `put_manifest` is idempotent at the store level. One blob, many pointers. Pinned by `empty_manifest_validates` test in manifest.rs with byte-stable canonical bytes — locks the digest so future serde version bumps don't silently shift it. Rollback on seed failure: remove the on-disk repo + the name reservation, same pattern as hook-install failure. A successful seed but failed emit leaves the pointer in place (correctly — it's the source of truth). 239/239 relay tests (was 238 + 1 new), clippy + fmt clean.
tlongwell-block
added a commit
that referenced
this pull request
May 22, 2026
Adds crates/sprout-relay/src/api/git/cas_publish.rs — the pure async function that turns a post-receive-pack workspace into a durable manifest CAS. Composes Dawn's GitStore primitives (put_pack, put_manifest, get_pointer, put_pointer) and Dawn's Manifest schema (canonical_bytes, validate, Inv_Closed at compose time) into the spec's step 2-7 sequence: read pointer (e, d_before) §step 3 fetch + verify m_before §step 3 + A1 detectability snapshot refs + symref-HEAD from disk (HEAD inherits parent on detach) pack new objects via pack-objects --revs §step 1-2 put_pack(bytes) -> packs/<sha256> §step 2 (A1) compose m_after (parent packs + new pack, parent = digest only) §step 5 m_after.validate() (Sami/Max/Perci #2-#4) put_manifest(canonical_bytes) -> manifests/<sha256> §step 6 put_pointer(IfMatch(e) | IfNoneMatchStar) §step 7 (CAS) Won -> CasSuccess { manifest, manifest_key } Lost -> CasError::Conflict { winner_manifest, winner_manifest_key } (→ HTTP 409, with winner for disk reconcile) The function returns *before* a Response is constructed — it is called from finalize_push, which is the unique site that builds a push 2xx, so the structural seam still enforces Theorem 1 (success-after-CAS). ## Review fixes folded in Sami's review (#1–#6) + Perci's #1 + Max's pre-CAS-validation blocker are all addressed in this commit: - **parent = bare 64-hex digest, not full key** (Perci #1, Max). Pointer body is `<digest>`; `Manifest.parent` stores the same digest, matching `Inv_RefDerivedFromParent` literally. `read_parent` strips the `manifests/` prefix before assigning. Dawn's new `MalformedParent` validator catches any drift at the write seam. - **Pre-CAS validation** (Sami #2, Max). `m_after.validate()?` runs between `compose_after` and `put_manifest`. Unsafe refnames, malformed oids, empty HEAD — all surface as `CasError::ManifestInvalid(...)` (4xx-class) before any S3 write, *not* as "valid CAS, un-clone-able output." Typed variant (not reused `ManifestReadFailed`) so logs / status mapping distinguish "client input rejected" from "stored parent failed A1" (Max + Dawn). - **Detached-HEAD fallback** (Sami #3). `snapshot_workspace_state` returns empty `head` on detached HEAD; `cas_publish` falls back to `parent.head` if non-empty. `validate()` rejects the first-push-+- detached case (Sami #4 — no parent to inherit from, manifest is un-clone-able). - **Conflict carries the winner** (Sami #5 + Dawn). `Conflict { winner_manifest, winner_manifest_key }` lets `finalize_push` invoke Eva's `reconcile_to_manifest` mechanically from the error arm, without a second pointer GET in the caller. `warn!()` at the `LostRace` site logs (pointer, expected etag, attempted manifest) for debugging concurrent-push patterns. Boxed for `clippy::result_large_err`. - **Empty-pack comment** (Sami #6). Clarified `capture_pack` returns `None` in both the delete-all (`refs_after.is_empty()`) and refs-only (`pack-objects` empty stdout) cases. - **`pointer_key` consolidated** in `manifest.rs` (Sami #1, Dawn, Max — Sami's "single source of truth" argument). `cas_publish` imports it; the duplicate definition is gone. - **`validate-invocation` test added** in `cas_publish.rs` (Sami's recommendation). Pins that a future refactor dropping the `validate?` call between `compose_after` and `put_manifest` is caught by unit test, not by every subsequent un-clone-able read. ## What this deliberately does NOT do (each with citation) - No retry on LostRace. Per Sami's TLA-action guidance: the receive-pack output is derived against a now-superseded parent; reusing it would violate Inv_RefDerivedFromParent. Client re-pushes, which re-hydrates + re-runs receive-pack against the advanced pointer — the only safe retry, which git already performs. Spec §Push step 7: 'GOTO 3 (retry) or respond non-ff' — both arms safe; we take non-ff. - No kind:30618 emission. That is derived after CAS — finalize_push calls Sami's build_ref_state_event over m_after.refs / m_after.head on Ok. Spec §Implementation Correspondence: 'kind:30618 is derived after CAS, never the commit.' - No advisory lock. Spec §Push 'no advisory lock in v1' — writer serialization is the CAS. A mutex would hide the contention Inv_NoFork proves safe. ## Tests 10 unit tests pin digest_from_key (manifest/<...> prefix invariant), compose_after (Inv_Closed coverage, sort, dedupe, refs-only-no-new-pack, first-push, parent-is-digest-not-key), validate invocation (unsafe refname + first-push-empty-HEAD both rejected pre-CAS). 244 relay tests green; clippy --tests -D warnings clean. The integration into finalize_push lands separately — Eva owns the AppState::git_store wiring + main.rs startup probe gate. This module is callable today: cas_publish(&store, repo_path, owner, repo, &refs_before) -> Result<CasSuccess, CasError>. Refs: - docs/git-on-object-storage.md §Push step 2-7, §Implementation Correspondence, §Mechanized Verification (Inv_NoFork, Inv_RefEffectApplied, Inv_RefDerivedFromParent, Inv_Closed). Also makes transport::harden_git_env pub(crate) for reuse by cas_publish's two subprocess sites (for-each-ref, pack-objects). Co-authored-by: Tyler Longwell <tyler@block.xyz> Co-authored-by: Quinn <quinn@users.noreply.sprout> Signed-off-by: tlongwell-block <109685178+tlongwell-block@users.noreply.github.com>
tlongwell-block
added a commit
that referenced
this pull request
May 22, 2026
The architectural split Eva's live e2e caught: 30617 created the on-disk bare repo but no S3 pointer, while the read path (info_refs/upload_pack) now hydrates from the pointer. Pointer-absent ⇒ Ok(None) ⇒ 404 by Max's intentional fail-closed, so announce-then-clone returned 404 for every freshly-announced repo. Fix: establish the invariant "repo announced ⟺ pointer exists" by seeding an empty-manifest pointer at the end of `handle_git_repo_ announcement`. After seed: - `info_refs` stays strictly fail-closed: pointer-absent means never-announced, not "announced but no pushes." Max's blocker preserved exactly. - `live_hydrate_empty_repo` proves clone of an empty hydrated repo works. - First push CASes the seeded pointer via `IfMatch(etag)`, no special-case branch. The `IfNoneMatchStar` arm of `cas_publish` becomes dead code for announced repos. Two new private helpers in `side_effects.rs`: - `seed_manifest_pointer(state, owner, repo)` — `put_manifest(empty)` + `put_pointer(IfNoneMatchStar)`. **Idempotency is constructive, not trusted**: a `CasOutcome::LostRace` is treated as success ONLY if the existing pointer body matches the empty manifest's digest. Any other value (stale from a prior lifecycle, real misconfiguration) surfaces as `anyhow!` — Max's guardrail #1. - `emit_initial_ref_state(state, owner, repo)` — kind:30618 over the seeded empty manifest using Sami's `build_ref_state_event`. Pointer is the commit; this event is the derived "repo exists, empty" signal — Max's guardrail #2. Non-fatal on failure: manifest is truth, 30618 is just notification. Empty manifests across all repos share canonical bytes (deterministic serialization by construction) ⟹ same digest ⟹ `put_manifest` is idempotent at the store level. One blob, many pointers. Pinned by `empty_manifest_validates` test in manifest.rs with byte-stable canonical bytes — locks the digest so future serde version bumps don't silently shift it. Rollback on seed failure: remove the on-disk repo + the name reservation, same pattern as hook-install failure. A successful seed but failed emit leaves the pointer in place (correctly — it's the source of truth). 239/239 relay tests (was 238 + 1 new), clippy + fmt clean. Co-authored-by: Dawn <c6237ef84fa537c78dcee78efd2d4e59f728859c7f194da42ac51ededfa0be05@users.noreply.sprout> Signed-off-by: tlongwell-block <109685178+tlongwell-block@users.noreply.github.com>
wpfleger96
added a commit
that referenced
this pull request
May 22, 2026
…iew findings The original implementation created a second parallel Tauri command (discover_all_acp_providers) alongside the existing one to avoid changing the return type. This produced two commands, two hooks, two query keys, and two raw type converters. Consolidates into a single command returning the full catalog, with a useAvailableAcpProviders hook that type-narrows for callers needing non-null command/binaryPath. Also fixes: pipe deadlock in install command (#1), UTF-8 truncation panic (#2/#4), adds install concurrency guard (#11), exact provider ID match (#15), error display stdout fallback (#5), success banner suppression when already available (#12), misleading re-run text (#13), IIFE refactor in PersonaDialog (#14), hidden internal query lift (#7), configurable e2e mocks (#9), shared raw type exports (#8), and classify_provider unit tests (#10).
wpfleger96
added a commit
that referenced
this pull request
May 22, 2026
…iew findings The original implementation created a second parallel Tauri command (discover_all_acp_providers) alongside the existing one to avoid changing the return type. This produced two commands, two hooks, two query keys, and two raw type converters. Consolidates into a single command returning the full catalog, with a useAvailableAcpProviders hook that type-narrows for callers needing non-null command/binaryPath. Also fixes: pipe deadlock in install command (#1), UTF-8 truncation panic (#2/#4), adds install concurrency guard (#11), exact provider ID match (#15), error display stdout fallback (#5), success banner suppression when already available (#12), misleading re-run text (#13), IIFE refactor in PersonaDialog (#14), hidden internal query lift (#7), configurable e2e mocks (#9), shared raw type exports (#8), and classify_provider unit tests (#10).
This was referenced Jun 16, 2026
wpfleger96
added a commit
that referenced
this pull request
Jun 17, 2026
Several spawn, teardown, and shim paths were #[cfg(unix)]-only and silently no-op (or returned a falsey stub) on Windows, breaking the desktop build four ways. All four are in the same Windows-portability theme. #2/#4 (MCP PermissionDenied on C:\Windows): buzz-agent spawns the MCP with env_clear() then re-adds only an allowlist that omitted the Windows temp/profile vars. Stripped of TMP/TEMP/USERPROFILE, std::env::temp_dir() falls back to C:\Windows and Shim::install() can't write there. Pass the Windows vars through (cfg-gated). The shim itself had two more Unix-isms in the same install path: the PATH separator was hardcoded ':' (now std::env::join_paths) and the non-unix multicall copies dropped the .exe extension PATHEXT needs to exec them. Multicall dispatch now matches on file_stem() so the .exe copies route correctly. #1 (stray console + orphaned process tree): the buzz-acp child spawned with no CREATE_NO_WINDOW (console popped) and the non-unix stop path was Child::kill(), which kills only the harness and orphans the 24 workers + MCP servers. A Win32 Job Object with JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE now owns the tree and reaps it when the handle drops — the Windows mirror of the Unix process-group teardown. The after-restart path (PID only, no handle) falls back to taskkill /T. The Windows primitives live in a new process_lifecycle module. #4 (program not found): the create-path default agent command was the bare `goose`, not on PATH on a stock Windows install. It now catalog-resolves the bundled `buzz-agent`, the same shape mesh_llm::preset already uses. #3 (updater silently does nothing): when the updater plugin is unavailable the hook collapsed to `idle`, re-rendering the same button — indistinguishable from a no-op. It now sets a visible `unavailable` state and warns to the log so the firing branch is diagnosable on Will's Windows build. Co-authored-by: Will Pfleger <pfleger.will@gmail.com> Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
tellaho
added a commit
that referenced
this pull request
Jun 24, 2026
… misleading prop Rust auth-branch test (#2 follow-up): extracted the declared-owner predicate from get_agent_memory into a pure kind0_declares_viewer_owner() and added 5 unit tests driving a verified kind:0 owner declaration through it (opens for verified owner, case-insensitive, refuses non-owner / no-auth-tag / missing kind:0). Uses the same verify_auth_tag crypto path as the live gate; behavior-identical to the inlined block. Sidebar fixture (#3 follow-up): seeded nadia, a relay-classified bot owned by the mock viewer but with no local managed record, plus a Playwright assertion that the members sidebar exposes view-activity for her. This exercises the declared-owner gate-open path that mira never reached (she was never bot-classified). Naming rename (#2 follow-up): MemoryFocusedView's prop was named isOwner but fed the combined viewerIsOwner; renamed for honesty, value unchanged. Co-authored-by: Taylor Ho <taylorkmho@gmail.com> Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
tellaho
added a commit
that referenced
this pull request
Jun 24, 2026
…misleading prop Rust auth-branch test (#2 follow-up): extracted the declared-owner predicate from get_agent_memory into a pure kind0_declares_viewer_owner() and added 5 unit tests driving a verified kind:0 owner declaration through it (opens for verified owner, case-insensitive, refuses non-owner / no-auth-tag / missing kind:0). Uses the same verify_auth_tag crypto path as the live gate; behavior-identical to the inlined block. Sidebar fixture (#3 follow-up): seeded nadia, a relay-classified bot owned by the mock viewer but with no local managed record, plus a Playwright assertion that the members sidebar exposes view-activity for her. This exercises the declared-owner gate-open path that mira never reached (she was never bot-classified). Naming rename (#2 follow-up): MemoryFocusedView's prop was named isOwner but fed the combined viewerIsOwner; renamed for honesty, value unchanged. Co-authored-by: Taylor Ho <taylorkmho@gmail.com> Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
tellaho
added a commit
that referenced
this pull request
Jun 24, 2026
…misleading prop Rust auth-branch test (#2 follow-up): extracted the declared-owner predicate from get_agent_memory into a pure kind0_declares_viewer_owner() and added 5 unit tests driving a verified kind:0 owner declaration through it (opens for verified owner, case-insensitive, refuses non-owner / no-auth-tag / missing kind:0). Uses the same verify_auth_tag crypto path as the live gate; behavior-identical to the inlined block. Sidebar fixture (#3 follow-up): seeded nadia, a relay-classified bot owned by the mock viewer but with no local managed record, plus a Playwright assertion that the members sidebar exposes view-activity for her. This exercises the declared-owner gate-open path that mira never reached (she was never bot-classified). Naming rename (#2 follow-up): MemoryFocusedView's prop was named isOwner but fed the combined viewerIsOwner; renamed for honesty, value unchanged. Co-authored-by: Taylor Ho <taylorkmho@gmail.com> Signed-off-by: Taylor Ho <taylorkmho@gmail.com>
tlongwell-block
pushed a commit
that referenced
this pull request
Jun 25, 2026
…n REQ/COUNT A REQ or COUNT targeting a specific channel gates on `accessible_channels`, a per-request Vec built once from the 10s membership cache. On a multi-pod relay this Vec can be stale on a non-writer pod: a member just added on the pod that processed the write sees a cache-negative until the TTL expires or the cross-pod invalidation (commit #2) lands. That manifested as the create-channel readback coming back empty and agents not subscribed to rooms they were just added to. On a cache-negative, confirm membership against the DB uncached. On a verified positive, repair the request-local Vec by pushing `ch_id` once, via the pure helper `resolve_request_local_access`. The same Vec gates subscription registration, historical delivery, search scope, and COUNT — repairing it once makes all of them see the confirmed membership, not just the denial branch. A stale negative can no longer stay sticky for the rest of the request. The repair runs UP FRONT in req.rs, right after the subscription channel_id is extracted and before the NIP-50 search early-return — not in a late denial branch. A search scoped to `#h=<just-added>` would otherwise be scoped against the stale vector and false-miss; running the repair first means `handle_search_req` sees the repaired vector too. The helper takes a `token_allows` upper bound so a DB-positive can never push a channel back in past a narrower scoped token: a token scoped to channel A must not reach channel B merely because the user is a DB member of B. Both call sites compute it from the token's `channel_ids`. - req.rs: `resolve_request_local_access(&mut Vec, ch_id, token_allows, Option<bool>)` encodes the truth table (token-denies → denied no DB; cache-hit → allowed no DB; miss+DB-true → allowed & pushed; miss+DB-false → denied & unchanged) with unit tests for all four. The handler does the async `db.is_member` lookup only on a token-allowed miss. - count.rs: mirrors the same flow through the shared helper, gated by the same token bound. Known follow-up (pre-existing, out of scope): count.rs does not apply the scoped-token `retain` that req.rs does, so a scoped token can still COUNT out-of-scope channels via the no-channel-filter pushdown. This change gates the new repair against the token bound but leaves that broader retain gap for a separate fix. DB truth (`is_member` after `add_member`) is covered by the existing #[sqlx::test] membership tests in buzz-db/channel.rs. End-to-end handler coverage is noted in the PR: this crate has no AppState+DB test harness and standing one up was out of scope; the request-local repair invariant is proven by the pure-helper tests instead. Co-authored-by: Tyler Longwell <tlongwell@block.xyz> Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block
pushed a commit
that referenced
this pull request
Jun 25, 2026
…n REQ/COUNT A REQ or COUNT targeting a specific channel gates on `accessible_channels`, a per-request Vec built once from the 10s membership cache. On a multi-pod relay this Vec can be stale on a non-writer pod: a member just added on the pod that processed the write sees a cache-negative until the TTL expires or the cross-pod invalidation (commit #2) lands. That manifested as the create-channel readback coming back empty and agents not subscribed to rooms they were just added to. On a cache-negative, confirm membership against the DB uncached. On a verified positive, repair the request-local Vec by pushing `ch_id` once, via the pure helper `resolve_request_local_access`. The same Vec gates subscription registration, historical delivery, search scope, and COUNT — repairing it once makes all of them see the confirmed membership, not just the denial branch. A stale negative can no longer stay sticky for the rest of the request. The repair runs UP FRONT in req.rs, right after the subscription channel_id is extracted and before the NIP-50 search early-return — not in a late denial branch. A search scoped to `#h=<just-added>` would otherwise be scoped against the stale vector and false-miss; running the repair first means `handle_search_req` sees the repaired vector too. The helper takes a `token_allows` upper bound so a DB-positive can never push a channel back in past a narrower scoped token: a token scoped to channel A must not reach channel B merely because the user is a DB member of B. Both call sites compute it from the token's `channel_ids`. - req.rs: `resolve_request_local_access(&mut Vec, ch_id, token_allows, Option<bool>)` encodes the truth table (token-denies → denied no DB; cache-hit → allowed no DB; miss+DB-true → allowed & pushed; miss+DB-false → denied & unchanged) with unit tests for all four. The handler does the async `db.is_member` lookup only on a token-allowed miss. - count.rs: mirrors the same flow through the shared helper, gated by the same token bound, and applies the scoped-token `retain` that REQ does (after `get_accessible_channel_ids_cached`) so a scoped token cannot COUNT out-of-scope channels via the no-channel-filter SQL pushdown either. DB truth (`is_member` after `add_member`) is covered by the existing #[sqlx::test] membership tests in buzz-db/channel.rs. End-to-end handler coverage is noted in the PR: this crate has no AppState+DB test harness and standing one up was out of scope; the request-local repair invariant is proven by the pure-helper tests instead. Co-authored-by: Tyler Longwell <tlongwell@block.xyz> Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block
pushed a commit
that referenced
this pull request
Jun 27, 2026
…98_replay assertion Follow-up to da6051f per Quinn's cold-read (event 4529860195007964...). The within-community replay assertion `assert_eq!(second_a.status(), UNAUTHORIZED)` pins the 401 status code rather than checking the body, because the system has defense-in-depth across two layers with distinct rejection signatures: * auth-layer replay check (`check_nip98_replay`) — rejects with 401 + body "NIP-98: replay detected". * storage-layer dedup (`events` PK `ON CONFLICT DO NOTHING` in `ingest_event`) — accepts with 200 + body `accepted: false, message: "duplicate"`. Both reject a duplicate, but only the 401 path proves the seen-set is in the request path. A body-only check like `!accepted` would pass under a noop'd `check_nip98_replay` because storage-dedup still 200-accepted-false's the second post — the bite would go vacuous against the layer the obligation actually names ("seen-set in the request path"). Adds: * Inline `//` comment block immediately above the `assert_eq!` naming the two layers, their distinct status signatures, and why the 401 expectation is the load-bearing-layer discriminator. Explicitly tells a future reader not to weaken to `!accepted` for "simpler reading." * Extended assertion message: when the test fails, the panic message now names both layers and which one the 401 proves, so a future debugger sees the architectural property without reading the doc-comment. Generalized principle (per Quinn): when a system has defense-in-depth across layers with different status-code signatures on rejection, the assertion should pin the status code from the load-bearing layer, not any rejection. Held in the row's doc-comment (not the shared discipline slug) per Quinn's stopping rule — this is a deeper instance of slug rule #2's defense-in-depth class, not a new spine entry. Bar: * Comment/string-only diff: 21 lines (+19 / −2), zero runtime behavior change — verified by inspection (`git diff` shows only comments and string-literal extensions). * `cargo check -p buzz-test-client --tests`: clean. * `cargo clippy -p buzz-test-client --tests -- -D warnings`: clean. * `cargo fmt -p buzz-test-client -- --check`: clean. * Default `cargo test ... api_tokens` (no `--ignored`): doc-only `#[test]` still passes; wire-driven still `#[ignore]`-skipped. * No live mutate-bite re-run needed: the runtime path of the wire-driven test is byte-identical (only strings/comments touched), and the mutate-bite at da6051f was already RED-on-right-assertion by Sami's hands at :3300 and Eva's hands at her :3300 (event 9e9050cd44d6...). The follow-up makes the *reason* the bite bites discoverable to a future reader; it does not change *whether* the bite bites. Base: PR #1321 head `da6051fdb`. Test-only diff. Co-authored-by: Tyler Longwell <tlongwell@block.xyz> Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block
pushed a commit
that referenced
this pull request
Jun 27, 2026
…98_replay assertion Follow-up to da6051f per Quinn's cold-read (event 4529860195007964...). The within-community replay assertion `assert_eq!(second_a.status(), UNAUTHORIZED)` pins the 401 status code rather than checking the body, because the system has defense-in-depth across two layers with distinct rejection signatures: * auth-layer replay check (`check_nip98_replay`) — rejects with 401 + body "NIP-98: replay detected". * storage-layer dedup (`events` PK `ON CONFLICT DO NOTHING` in `ingest_event`) — accepts with 200 + body `accepted: false, message: "duplicate"`. Both reject a duplicate, but only the 401 path proves the seen-set is in the request path. A body-only check like `!accepted` would pass under a noop'd `check_nip98_replay` because storage-dedup still 200-accepted-false's the second post — the bite would go vacuous against the layer the obligation actually names ("seen-set in the request path"). Adds: * Inline `//` comment block immediately above the `assert_eq!` naming the two layers, their distinct status signatures, and why the 401 expectation is the load-bearing-layer discriminator. Explicitly tells a future reader not to weaken to `!accepted` for "simpler reading." * Extended assertion message: when the test fails, the panic message now names both layers and which one the 401 proves, so a future debugger sees the architectural property without reading the doc-comment. Generalized principle (per Quinn): when a system has defense-in-depth across layers with different status-code signatures on rejection, the assertion should pin the status code from the load-bearing layer, not any rejection. Held in the row's doc-comment (not the shared discipline slug) per Quinn's stopping rule — this is a deeper instance of slug rule #2's defense-in-depth class, not a new spine entry. Bar: * Comment/string-only diff: 21 lines (+19 / −2), zero runtime behavior change — verified by inspection (`git diff` shows only comments and string-literal extensions). * `cargo check -p buzz-test-client --tests`: clean. * `cargo clippy -p buzz-test-client --tests -- -D warnings`: clean. * `cargo fmt -p buzz-test-client -- --check`: clean. * Default `cargo test ... api_tokens` (no `--ignored`): doc-only `#[test]` still passes; wire-driven still `#[ignore]`-skipped. * No live mutate-bite re-run needed: the runtime path of the wire-driven test is byte-identical (only strings/comments touched), and the mutate-bite at da6051f was already RED-on-right-assertion by Sami's hands at :3300 and Eva's hands at her :3300 (event 9e9050cd44d6...). The follow-up makes the *reason* the bite bites discoverable to a future reader; it does not change *whether* the bite bites. Base: PR #1321 head `da6051fdb`. Test-only diff. Co-authored-by: Tyler Longwell <tlongwell@block.xyz> Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block
pushed a commit
that referenced
this pull request
Jun 27, 2026
…okup per-community
Conformance matrix row `users_profiles_nip05` (Quinn — buzz-search/auth
joint, both halves driven by Quinn per one-author-per-mod-block
discipline; Sami's active queue is `api_tokens_nip98_replay` per Eva's
batching). Fills both `pending_lane` stubs in the row.
Half 1: `same_pubkey_distinct_profiles_in_two_communities`
Same keypair publishes kind:0 (Metadata) on each host's WS-AUTH'd
connection with community-distinct content
(`{"display_name":"A profile"}` vs `{"display_name":"B profile"}`).
NIP-01 replaceable semantics: latest kind:0 per
`(community_id, pubkey)` is what subsequent queries return. REST
`POST /query` (using dev-mode `X-Pubkey` auth, which the
`BUZZ_REQUIRE_AUTH_TOKEN=false` harness allows) returns each host's
own kind:0 — never the other's. Distinct content per community is
load-bearing for the bite: identical content would collapse the leak
into setup-equivalence vacuity (Dawn's catch on `audit_log` —
identical Nostr event ids when (pubkey, created_at, kind, tags,
content) match — making the assertion blind to the wrong-row
substitution).
Half 2: `same_nip05_local_part_on_two_hosts_is_independent`
Same local-part registered in BOTH communities with **distinct**
pubkeys (one per community). `GET /.well-known/nostr.json?name=alice`
against host A returns A's pubkey; against host B returns B's pubkey.
Distinct pubkeys per community make the leak observable as
wrong-pubkey-returned on the wire — the same setup-equivalence-vacuity
defense Dawn established (different keys = different rows = the wrong
answer is observable in the response, not just absent from it). Handle
canonicalization uses `extract_relay_domain` (mirrors
`crates/buzz-relay/src/api/nip05.rs::extract_domain`) against
`RELAY_URL` env so the test still works if the harness's relay URL
changes; defaults to `localhost` for the standard recipe.
Bar (by my own hands against the live `:3100` harness, PR head
`b02d767f2`):
Clean → BOTH GREEN.
Mutate (community fences dropped, both paths simultaneously, mirroring
the search_fts dual-fence approach):
- crates/buzz-db/src/event.rs:267-270 — `query_events` non-p-tag
branch `WHERE community_id = $1` → `WHERE TRUE`
- crates/buzz-db/src/user.rs:185 — `get_user_by_nip05`
`WHERE community_id = $1 AND LOWER(handle) = LOWER($2)` →
`WHERE LOWER(handle) = LOWER($1)` (rebind to keep param count
aligned)
→ BOTH halves RED on their own assertions:
- kind:0 half: "B's kind:0 content is not B's profile — A's
profile leaked through. got: '{"display_name":"A profile"}'"
- NIP-05 half: "NIP-05 lookup on B for local-part 'alice_…' must
resolve to B's pubkey ($B_PK); got $A_PK. If this is A's
pubkey, the community fence on `get_user_by_nip05` has been
dropped and A's user leaked through B's lookup."
Restore both fences (worktree diff empty after restore) → BOTH GREEN.
Each half bit on a SINGLE-fence mutation this time, unlike search_fts's
defense-in-depth shape. That's because the kind:0 read path
(`query_events`) and the NIP-05 lookup path (`get_user_by_nip05`)
each have one community fence at their layer, not redundant fences
across two layers like the FTS+batch-fetch shape. Different rows have
different defense topologies; this row's mutate-bite is the simpler
single-fence form, exactly as the named failure-mode analysis in
`landed-on-head-discipline` rule #2 sub-bullet predicts (the union of
fences IS what makes the property load-bearing; here the union has
exactly one element per path).
Bar checklist:
- `cargo fmt -p buzz-test-client -- --check`: exit 0.
- `cargo clippy -p buzz-test-client --tests -- -D warnings`: clean.
- `cargo test -p buzz-test-client --tests`: non-ignored 0/0 (the 4
nip42_host_binding_live tests are #[ignore]'d by design — they need
the live harness).
- Strict-FF onto PR head: this is +1 on `b02d767f2`, verified by
`git merge-base --is-ancestor` + `git rev-list --count`.
- Trailers preserved as single pair via the explicit `--trailer`
flags on the initial commit (not `--amend --trailer`, which doubled
them earlier in the session).
- Live two-host harness on `:3100`: my clean (post-restore) binary,
recipe per RESEARCH/CONFORMANCE_MATRIX_STATUS_2026-06-27.md, two
community rows seeded `a.localhost:3100`/`b.localhost:3100`.
Conformance lane: this row is one of fourteen in the file; per Eva's
row-ownership contract, this commit touches only the
`users_profiles_nip05` module. No other rows modified.
Co-authored-by: Tyler Longwell <tlongwell@block.xyz>
Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
tlongwell-block
pushed a commit
that referenced
this pull request
Jun 27, 2026
…98_replay assertion Follow-up to da6051f per Quinn's cold-read (event 4529860195007964...). The within-community replay assertion `assert_eq!(second_a.status(), UNAUTHORIZED)` pins the 401 status code rather than checking the body, because the system has defense-in-depth across two layers with distinct rejection signatures: * auth-layer replay check (`check_nip98_replay`) — rejects with 401 + body "NIP-98: replay detected". * storage-layer dedup (`events` PK `ON CONFLICT DO NOTHING` in `ingest_event`) — accepts with 200 + body `accepted: false, message: "duplicate"`. Both reject a duplicate, but only the 401 path proves the seen-set is in the request path. A body-only check like `!accepted` would pass under a noop'd `check_nip98_replay` because storage-dedup still 200-accepted-false's the second post — the bite would go vacuous against the layer the obligation actually names ("seen-set in the request path"). Adds: * Inline `//` comment block immediately above the `assert_eq!` naming the two layers, their distinct status signatures, and why the 401 expectation is the load-bearing-layer discriminator. Explicitly tells a future reader not to weaken to `!accepted` for "simpler reading." * Extended assertion message: when the test fails, the panic message now names both layers and which one the 401 proves, so a future debugger sees the architectural property without reading the doc-comment. Generalized principle (per Quinn): when a system has defense-in-depth across layers with different status-code signatures on rejection, the assertion should pin the status code from the load-bearing layer, not any rejection. Held in the row's doc-comment (not the shared discipline slug) per Quinn's stopping rule — this is a deeper instance of slug rule #2's defense-in-depth class, not a new spine entry. Bar: * Comment/string-only diff: 21 lines (+19 / −2), zero runtime behavior change — verified by inspection (`git diff` shows only comments and string-literal extensions). * `cargo check -p buzz-test-client --tests`: clean. * `cargo clippy -p buzz-test-client --tests -- -D warnings`: clean. * `cargo fmt -p buzz-test-client -- --check`: clean. * Default `cargo test ... api_tokens` (no `--ignored`): doc-only `#[test]` still passes; wire-driven still `#[ignore]`-skipped. * No live mutate-bite re-run needed: the runtime path of the wire-driven test is byte-identical (only strings/comments touched), and the mutate-bite at da6051f was already RED-on-right-assertion by Sami's hands at :3300 and Eva's hands at her :3300 (event 9e9050cd44d6...). The follow-up makes the *reason* the bite bites discoverable to a future reader; it does not change *whether* the bite bites. Base: PR #1321 head `da6051fdb`. Test-only diff. Co-authored-by: Tyler Longwell <tlongwell@block.xyz> Signed-off-by: Tyler Longwell <tlongwell@block.xyz>
wpfleger96
added a commit
that referenced
this pull request
Jun 30, 2026
Implements the full dream consolidation system across four areas: **1. Dispatch liveness (Thufir IMPORTANT #1)** Extracts `maybe_dispatch_dream()` helper, called at four state-transition points: after KIND_DREAM_DUE receipt, after heartbeat fires (idle gap), after prompt result + drain, after panic recovery + drain. Removes the old else-if chain that made dream reachable only when a heartbeat was already in flight — fixing both starvation modes: - Single-agent pool + fast heartbeat: dream now fires in the idle gap after heartbeat completes, not waiting for a concurrent heartbeat slot. - Heartbeat disabled: dream fires immediately on dream-due receipt. Guard: no flushable queue work, dream_pending, !dream_in_flight, !heartbeat_in_flight, idle agent. Preserves pending > heartbeat > dream priority. **2. Skill distribution via Nest scaffolder (Will's requirement)** Adds nest_dream_skill.md (include_str!'d as DREAM_SKILL_MD), written to .agents/skills/dream/SKILL.md at Nest init, mirroring the buzz-cli skill pattern (nest.rs:42-174). Includes NEST_DREAM_SKILL_VERSION=1 for refresh-on-bump, refresh_dream_skill_md_if_stale() with atomic tempfile write, and dream skill symlinks in ensure_skill_symlinks() for all known provider dirs (.goose/skills, .claude/skills, etc.). This makes load_dream_prompt()'s cwd-relative read correct — the Nest IS the cwd, and the scaffolder now guarantees the file. **3. Missing prompt is startup-visible error (Thufir IMPORTANT #2)** dispatch_dream() now logs tracing::error! (target: "dream") when the prompt is None, returns the claimed agent, clears dream_pending so it does not retry on every signal, and documents this as a configuration error (missing SKILL.md). No more silent drop. **4. Relay sweep + dream-due emission (Phase 3)** In buzz-relay: - Config: dream_memory_budget_bytes (default 65536, env BUZZ_DREAM_MEMORY_BUDGET_BYTES), dream_sweep_interval_secs (default 300, env BUZZ_DREAM_SWEEP_INTERVAL_SECS). Set budget to 0 to disable. - main.rs: spawns sweep task if budget > 0 and deployment_community is Some. Each interval: queries agents_over_memory_budget, idle-gates each via buzz_pubsub::presence::get_presence (no live Redis key = idle), builds KIND_DREAM_DUE ephemeral event tagged #p=[agent_pubkey], signs with relay keypair, publishes via pubsub. - Staleness ceiling satisfied: presence TTL is 90s, default sweep is 300s, so "no presence key" already implies > 90s silence. In buzz-db: agents_over_memory_budget() aggregates SUM(LENGTH(content)) for non-tombstone kind:30174 engrams per community, returns agents exceeding budget. **5. Tests (Phase 4)** Six unit tests in dream_dispatch_tests cover: - Guard: dream_pending=false → no dispatch, agent not consumed. - Guard: heartbeat_in_flight=true → blocked (priority order). - Regression: heartbeat disabled → dream still dispatches. - Guard: empty pool → pending preserved for next idle gap. - Fix 3: missing prompt → pending cleared, agent returned, no task. - Guard: dream_in_flight=true → no double dispatch. Co-authored-by: Will Pfleger <pfleger.will@gmail.com> Signed-off-by: Will Pfleger <pfleger.will@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
All-Rust Nostr relay with structured channels, YAML-as-code workflows, MCP agent interface, tamper-evident audit log, and permission-aware full-text search.
13 crates: sprout-core, sprout-relay, sprout-db, sprout-auth, sprout-pubsub, sprout-search, sprout-audit, sprout-mcp, sprout-workflow, sprout-proxy, sprout-huddle, sprout-admin, sprout-test-client.
394 unit tests, 42 E2E integration tests, 16 MCP tools. Apache-2.0 licensed.