Consolidate all branches into flint-0.5 — marketplace + mpeg-dash + restorations (zero-loss) #12
Merged
Produce a single MPEG-DASH/CENC-compliant asset (ISO-IEC 23001-7) for every media (DASH) mint, while keeping the server-decrypt rail's own player working by down-converting back to a plaintext-looking init at the fetch point.
- ddrm-envelope: shared `pssh` module -- single source of truth for producer, runtime decrypt read-path, and playback clients. ELASTOS_PQ_SYSTEM_ID (b6e254ef-0dc5-47fe-94e7-0e72ed1dc7b0); build_pssh (v1 box, default-KID + opaque .asset.protections JSON) / parse_pssh (v0/1, trailing-moov tolerant).
- ddrm-media: cenc_signal_init() (avc1->encv / mp4a->enca + sinf(frma/schm/tenc) + pssh moov child) and strip_cenc_signal() as a byte-exact inverse. Roundtrip tests assert strip(signal(x)) == x, no-op on unsignaled, fail-closed on double.
- encrypt-provider: CencSignalInits op -- pure public box surgery (no CEK/secret), wraps the runtime-built PSSH envelope and rewrites each per-track init; returns transformed inits + pssh_b64 for the MPD.
- creator (producer): after the threshold seal, build the PSSH envelope from dkms_protection, CENC-signal each init, and patch stream.mpd with <ContentProtection> (mp4protection:2011 + cenc:default_KID + per-system pssh).
- ddrm-media-authority: read_dash_init strips CENC signaling at the fetch point so the seal-bound AAD init and the runtime player's served init both match the plaintext init the mint sealed (no AAD mismatch).
- Flip on by default: drop the ELASTOS_DDRM_CENC_PSSH gate -- CENC signaling + MPD ContentProtection are now standard output.
Additive; existing playback unchanged.
Squashed from: d012fc4 047d38f 4d26798 d6fb99f 3ac5fdc 4edfd9e
elastos-server 782+95 green; helper 15 green; fmt clean.
…TY-2282) Stop the dKMS quorum path from wedging and leaking processes under playback+reload, and make the local test suite pass off the Linux x86_64 gate.
- dkms-authority (Defect A): serve each accepted connection on its own thread (serve_unix_listener / serve_tcp_listener) so an idle/slow/leaked client can no longer head-of-line-block the daemon in read_frame; revoked_callers becomes daemon-lifetime Arc<Mutex> shared state (additive+idempotent); 30s per-conn read timeout on both transports. Regression test drives the real Unix accept loop (RED pre-fix, GREEN after); 35/35 green.
- key-provider: bound the Unix recover read in establish_dkms_session with the same DKMS_TCP_READ_TIMEOUT_MS (5s) the tcp/carrier branches use, so a wedged node fails fail-closed within a bounded window. 18/18 green.
- dkms (Defect B): reap leaked quorum helper/provider processes -- add Drop for the helper Capsule (kills+reaps key-provider/decrypt-provider children on every path), and guard MediaAuthorityProc launch/launch_quorum with a ChildReaper so early-return/error paths no longer orphan the raw Child.
- browser: keep the runtime stream socket path within the macOS sun_path limit (104) -- fall back to a short "/tmp" base when temp_dir() would overflow, fixing the 6 browser-open route tests on macOS arm64 (Linux unaffected).
- test(elastos-server): key component-checksum fixtures by detect_platform() so verify/stamp and agent-binary tests run on any host without masking the check.
Squashed from: 50cdc46 0c22718 46a7ba4 d93f673 a9283b5
…view Address correctness, security, and robustness findings across the DKMS and encryption/decryption workflows, each with regression tests.
- dkms-authority: revocations now share ONE live Arc<Mutex<HashSet>> across all connection threads (was a per-connection snapshot merged only on close), so a revoke binds every open connection immediately — "revocation outranks a live session" holds under concurrency. Unify the Unix/TCP accept loops into one generic serve_accept_loop with a MAX_ACTIVE_CONNECTIONS cap + RAII slot guard, bounding the thread/memory-exhaustion (slow-loris) vector on the network node.
- key-provider: distinguish a transport fault from a node rejection (NodeRecoverError). A warm pooled connection the node's idle timeout closed is re-established and retried ONCE; a genuine rejection still fails closed with no retry. Fixes the first open after a >30s idle gap failing below quorum.
- ddrm-media: drive the enca/encv choice off the authoritative hdlr handler type (fallback to an expanded audio-4CC allowlist), and make parse_codec_string use the same allowlist so the two classifiers can't diverge — an uncommon audio codec is no longer mis-signaled as video (non-compliant init + strip missize).
- ddrm-media-authority: read_dash_init propagates strip_cenc_signal errors instead of unwrap_or(raw), so a malformed init fails with a precise diagnosis rather than an opaque downstream decrypt/quorum failure.
- encrypt-provider: decode_kid16 validates length AND ASCII-hex charset before byte-slicing, rejecting a multibyte KID instead of panicking the capsule.
- elastos-server: browser stream sockets use a per-euid dir created 0700 and refuse any pre-existing dir not owned by us or group/other-writable, closing the world-writable /tmp squatting / socket-hijack vector.
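The ddrm-envelope `pssh` module (build_pssh / parse_pssh) and the hardened decode_kid16 described in the two commit messages above, as an added illustration that is not the project's own code: it follows the ISO/IEC 23001-7 `pssh` FullBox layout, uses the SystemID quoted in the commit, and the JSON payload in the usage is a constructed sample.

```rust
// Added example (not the project's code): ISO/IEC 23001-7 'pssh' v0/v1 box builder + parser
// and a fail-closed KID decoder, in the shape of build_pssh / parse_pssh / decode_kid16 above.
use std::convert::TryInto;
pub const ELASTOS_PQ_SYSTEM_ID: [u8; 16] = [ // b6e254ef-0dc5-47fe-94e7-0e72ed1dc7b0 (commit msg)
    0xb6, 0xe2, 0x54, 0xef, 0x0d, 0xc5, 0x47, 0xfe, 0x94, 0xe7, 0x0e, 0x72, 0xed, 0x1d, 0xc7, 0xb0,
];
pub struct Pssh { pub version: u8, pub system_id: [u8; 16], pub kids: Vec<[u8; 16]>, pub data: Vec<u8> }
/// 32-char ASCII-hex KID -> 16 bytes; length AND charset are checked BEFORE slicing, so a
/// multibyte string errors instead of panicking on a char boundary.
pub fn decode_kid16(s: &str) -> Result<[u8; 16], String> {
    if s.len() != 32 || !s.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(format!("KID must be 32 ASCII hex chars, got {:?}", s));
    }
    let mut kid = [0u8; 16];
    for i in 0..16 { kid[i] = u8::from_str_radix(&s[2 * i..2 * i + 2], 16).unwrap(); }
    Ok(kid)
}
/// FullBox: size(4) 'pssh' ver(1) flags(3) SystemID(16) [v1: KID_count(4) KIDs(16n)] DataSize(4) Data.
/// Emits v1 iff KIDs are supplied (the default_KID travels here).
pub fn build_pssh(system_id: &[u8; 16], kids: &[[u8; 16]], data: &[u8]) -> Vec<u8> {
    let version: u8 = if kids.is_empty() { 0 } else { 1 };
    let mut body = vec![version, 0, 0, 0]; // version byte + 24-bit flags
    body.extend_from_slice(system_id);
    if version == 1 {
        body.extend_from_slice(&(kids.len() as u32).to_be_bytes());
        kids.iter().for_each(|k| body.extend_from_slice(k));
    }
    body.extend_from_slice(&(data.len() as u32).to_be_bytes());
    body.extend_from_slice(data);
    let mut out = ((8 + body.len()) as u32).to_be_bytes().to_vec();
    out.extend_from_slice(b"pssh");
    out.extend_from_slice(&body);
    out
}
/// Bounds-checked read: a short or malformed box yields Err, never a panic.
fn take<'a>(buf: &'a [u8], off: usize, n: usize) -> Result<&'a [u8], String> {
    buf.get(off..off + n).ok_or_else(|| format!("pssh truncated at offset {}", off))
}
/// Parse v0 or v1. Only the declared box size is consumed (trailing bytes such as the next
/// moov child are tolerated) and DataSize must agree with the box size.
pub fn parse_pssh(buf: &[u8]) -> Result<Pssh, String> {
    let u32_at = |off: usize| -> Result<usize, String> { Ok(u32::from_be_bytes(take(buf, off, 4)?.try_into().unwrap()) as usize) };
    let size = u32_at(0)?;
    if take(buf, 4, 4)? != &b"pssh"[..] || size < 32 || size > buf.len() { return Err("not a well-formed pssh box".into()); }
    let version = take(buf, 8, 1)?[0];
    if version > 1 { return Err(format!("unsupported pssh version {}", version)); }
    let system_id: [u8; 16] = take(buf, 12, 16)?.try_into().unwrap();
    let (mut off, mut kids): (usize, Vec<[u8; 16]>) = (28, Vec::new());
    if version == 1 {
        let n = u32_at(off)?; off += 4;
        for _ in 0..n { kids.push(take(buf, off, 16)?.try_into().unwrap()); off += 16; }
    }
    let dlen = u32_at(off)?; off += 4;
    if off + dlen != size { return Err("DataSize disagrees with box size".into()); }
    Ok(Pssh { version, system_id, kids, data: take(buf, off, dlen)?.to_vec() })
}
```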
The ci.yml on this line (inherited from flint-0.5) invokes 'just verify-ci' and 'just verify-capsules', but the justfile never got the recipes; both CI jobs fail on every run with 'justfile does not contain recipe'. Port the recipes from feat/ddrm-hardening-and-creator-parity, whose feature sets and paths all exist on this branch (verified locally: verify-capsules, alignment-check, command-smoke, candidate-command-audit all pass).
…and Elacity Labs A narrative and brand document synthesizing the runtime architecture, the ela.city marketplace, and the Elacity Labs mission into one vision: creed, story arc, technical truth layer, category position, language system, and an honest works-today/in-progress/direction ledger reconciled against state.md, PRINCIPLES.md, and the code.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NhEEeB9pRzGRGPcy7Lc1sN
…laude/git-proxy-auth-roadmap-c214hu
…sion note The w2-consent-source branch retires into flint-0.5. Two of its three commits are content-superseded; the third (3694975, gateway 202-consent seam) collides with flint-0.5's pinned flat-403 posture and the newer intent-envelope consent path, so it is preserved verbatim as a patch with the architecture decision recorded instead of silently merged or lost.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
… squash (B2a) The fix/mpeg-dash-compliance re-authoring replaced the ddrm line's epoch interruption (operator-triggered stop of an in-flight runaway capsule, 8bf1d29) with fuel + wall-clock bounds — a passive property, not an on-demand kill. stop() only removed the instance from the map; a spinning capsule kept burning its blocking thread. Restore the epoch machinery UNIFIED with the successor's work so both properties hold: consume_fuel + StoreLimits + wall-clock stay as-is, and stop() once again sets the per-instance should_stop flag and bumps that capsule's engine epoch so the deadline callback traps it at the next backedge. The restored runaway test pins the operator kill specifically (fuel set effectively unbounded so only the stop signal can trap).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
… the mpeg-dash squash The ddrm line's Improvement A (media-provider streams ffmpeg -progress to a caller-granted sink; the creator progress endpoint merges the measured % onto the active 'package' stage) was dropped in the re-authoring: the successor's package_dash has no progress path and /prepare-progress shows an indeterminate stage for the mint's long pole. Restored surgically from the ddrm generation — ONLY the progress hunks; the raw branch diff would also have reverted the successor's CENC/DASH signaling (which postdates the ddrm fork) and stays untouched here. Capability-passing invariants preserved: host-generated sink path (no path-injection from the client job id), provider writes only that one path, atomic temp+rename publish, best-effort throughout (a progress failure never blocks the mint). Tests: ffmpeg out_time parsing/clamping, atomic publish, and pct surfacing only while 'package' is active.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…er + ABI/protocol ops Transplanted from feat/marketplace-runtime (9bd5489 + 6bde757 + e175c1d + 2a24139): the ResolveTokenId op pivoted to AssetCreated+calldata (the DigitalAssetRegistered event does not emit on Base — verified empirically on the live chain), fail-closed on an ambiguous KID→tokenId binding, with checked arithmetic + length caps in abi_string. Applied 3-way onto the flint-0.5 generation; clean.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…esale/withdraw calldata) Transplanted from feat/marketplace-runtime onto the flint-0.5 generation: buy_authority Phase-1 invariant (value*qty via paymentProcessor approve, fail-closed tokenId resolution, abort-on-drift re-reading listings live, listings() qty/price word order per SSOT, fail-closed non-hex decode, SCOPE unsigned-only hard-gate, fail-closed on missing seller); trade_authority resale/withdraw/approval calldata assembler (new module, wired in api/mod.rs so it compiles with the slice — route wiring lands in slice 3 with the gateway); chain_tx alignment. 3-way apply, clean.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…psule + docs
Transplanted from feat/marketplace-runtime onto the workbench:
- market API: search/sections/get/history/preview/vault/listed/me/acquire/
acquire-status/order-{sell,withdraw,approve} routes (gateway.rs both-added
conflict resolved keeping the flint-0.5 services routes AND the market
routes); handlers in gateway_marketplace.rs; content_index (AssetCreated
decode + cache + short-TTL discovery collapse) and market_reads (live
sellersOf/listings reads) modules wired in api/mod.rs
- the marketplace-content storefront capsule (pure UI shell, no authority —
Principle 16 posture; compiles natively and builds wasm32-wasip1 release)
- docs/marketplace/* spec set; the retired ddrm branch's contracts doc is
preserved as CONTRACTS_LEGACY_ABI_REFERENCE.md (ABI appendix + Lit notes)
under its successor
- fixes the slice-2 gate findings: buy_authority live-reads now resolve
(market_reads landed) and its tests use the unified crate ddrm_env_lock()
instead of the branch-local ENV_LOCK static
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
Transplanted from feat/marketplace-runtime (3236772 + 33254f9): the object-provider Acquire op pins a bought encrypted asset into the Library (typed-folder placement + reveal/status), viewer_open/viewer_gateway open handoff for acquired assets. Completes the slice-3 seam: makes resolve_subject_address and viewer_object_provider_request pub(crate) for the market handlers (the slice-3 gate's E0603s) and carries the 5-arg signature its callers expect. 3-way apply, clean.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…findings Red-team of the fresh + transplanted marketplace code (2026-07-03):
FIXED (our code — the restored epoch termination): the operator kill had a startup race — start() reset should_stop OUTSIDE the lock (clobbering a concurrent stop()) and the single increment-on-stop could be consumed before the store armed its deadline, silently dropping the kill until wall-clock. Removed the reset (should_stop starts false at load, only goes true at stop which also removes the instance) and added an in-execute_wasm epoch WATCHDOG (condvar-signalled, RAII-joined on every exit path) that advances the epoch on a fixed cadence so the deadline callback observes should_stop within one tick regardless of arming order. The test now sets ONLY should_stop (no manual epoch bump) so it pins the race-free property and cannot flake.
REGISTERED (pre-existing in the source branches, transplanted byte-identical — NOT introduced here; fixing mid-migration would diverge from the reviewable source): KNOWN_GAPS MKT-1 (HIGH, on-chain-reachable: KID->tokenId resolver can mis-bind to a hostile co-channel mint — fix before the marketplace ships), MKT-2 (unbounded resolve RPC fan-out), MKT-3 (media progress_path unconfined), MKT-4 (ffmpeg progress stdout-read deadlock window).
CONTRACT HONESTY: the new object-provider:acquire op (buy->pin) tripped the universal preview!=enforce conformance gate; registered in the G3b known_divergences ledger as fail-CLOSED (Admin-enforced, previewed-but-denied — a money-path write kept at highest privilege), mirroring its sibling share. Not a test edit — the sanctioned _or_tracked mechanism.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…build) The marketplace product surface (storefront UI + Elacity brand tokens) already landed with the marketplace-content capsule in slice 3. This final slice is the Home integration only:
- shell.js: allow marketplace-content to ask Home to open library/ddrm-viewer/elacity-player (narrowly scoped, no ambient launch authority — P7/P16), added alongside flint-0.5's services routing (both-added map key, kept both)
- run-creator-gateway.sh: kept flint-0.5's DYNAMIC wasm-capsule discovery (it already builds marketplace-content) over the marketplace branch's older hardcoded list — the dynamic scan is exactly what stops stale-list 404s
NOT taken (marketplace branch is OLDER here — applying its diff would REVERT flint-0.5's newer work, a regression the gate caught): creator.js/index.html (flint-0.5's 2026-07-01 surface vs marketplace's 2026-06-18; delta was comment-only), media-provider/creator.rs (would have deleted the R2 transcode-progress restoration). Reverted all four to HEAD.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…tion + delete-safety The content-verified map of the whole consolidation: what the workbench adds on top of flint-0.5, per-branch disposition (ABSORBED/TRANSPLANTED/CARRIED/SUPERSEDED/PRESERVED/TEAM-OWNED), evidence for each, and which branches are safe to delete. Dispositions are by CONTENT (symbol + zero-unique-code-file audits), not commit-SHA reachability.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
What this is
One pull request that collapses the outstanding branch sprawl into a single line (`flint-0.5`) with zero value lost. Everything was verified by content (symbol- and file-level audits), never by branch name or commit-SHA reachability, and gated at every step (build → test → clippy). Full map: `docs/CONSOLIDATION_LEDGER_2026-07-03.md`.

Scope vs the current `flint-0.5` tip: 64 files, +12,856 / −239.

What it brings in

- `fix/mpeg-dash-compliance` delta — MPEG-DASH/CENC compliance (ELACITY-2283), DKMS quorum reliability (ELACITY-2282), and the code-review hardening pass — absorbed via `--no-ff` merge.
- `feat/marketplace-runtime` (73 commits) re-landed as 5 gated slices: chain-provider KID→tokenId resolver, buy/trade authorities, `/api/market/*` + content-index discovery, library Acquire (buy→pin), and the storefront capsule wired into Home. (The branch's dkms self-heal was already superseded by flint-0.5's better retry-once path — no transplant.)
- `w2-consent-source` commit, banked as `docs/patches/w2-gateway-consent-request-3694975.patch` with a decision note (it collides with flint-0.5's deliberately-pinned behavior; needs an architecture call, not a silent merge).

Red-team + honesty

An adversarial pass reviewed both the new and transplanted code:

- `stop()`, plus a single-increment arm race). Replaced with a race-free in-`execute_wasm` epoch watchdog; the test now pins the operator-kill with no timing assumption.
- `KNOWN_GAPS.md` MKT-1..MKT-4. MKT-1 is HIGH and on-chain-reachable — the KID→tokenId resolver can mis-bind a buyer to a hostile co-channel mint. It is not client-API-reachable, but should be fixed before the marketplace goes live. MKT-2/3/4 are hardening gaps.
- `object-provider:acquire` op tripped the universal preview≠enforce conformance gate; it's registered in the G3b `known_divergences` ledger as fail-closed (Admin-enforced, previewed-but-denied), mirroring its sibling `share` — via the test's sanctioned tracking mechanism, not a test edit.

Verification

Every slice gated build → test → clippy. Final aggregate gate on x86_64: `cargo fmt --check` clean, `cargo clippy --workspace --all-targets` clean, `cargo test --workspace` green (incl. `elastos-server` 1104 tests, `elastos-compute` incl. the runaway-termination test, and the universal provider-manifest conformance test).

After merge

`flint-0.5` holds everything; PR #9 (`flint-0.5` → `upstream/0.6-dev`) refreshes for the team to audit and pull on their own schedule. The ledger lists which branches are then safe to delete (`fix/mpeg-dash-compliance`, `feat/marketplace-runtime`, `feat/ddrm-hardening-and-creator-parity`, `feat/capsule-inspector` [PR #6, close as delivered], `claude/keep-consent-architecture-0fz0ll`, `w2-consent-source`, `claude/branch-deep-audit-yiez86`, `review/0.5.0`, `flint`) — keeping `flint-0.5`, `upstream/0.6-dev`, `main`.

🤖 Generated with Claude Code