
Consolidate all branches into flint-0.5 — marketplace + mpeg-dash + restorations (zero-loss) #12

Merged

SashaMIT merged 17 commits into flint-0.5 from claude/git-proxy-auth-roadmap-c214hu on Jul 3, 2026
Conversation

@SashaMIT commented Jul 3, 2026

What this is

One pull request that collapses the outstanding branch sprawl into a single line (flint-0.5) with zero value lost. Everything was verified by content (symbol- and file-level audits), never by branch name or commit-SHA reachability, and gated at every step (build → test → clippy). Full map: docs/CONSOLIDATION_LEDGER_2026-07-03.md.

Scope vs the current flint-0.5 tip: 64 files, +12,856 / −239.

What it brings in

  1. The team's fix/mpeg-dash-compliance delta — MPEG-DASH/CENC compliance (ELACITY-2283), DKMS quorum reliability (ELACITY-2282), and the code-review hardening pass — absorbed via --no-ff merge.
  2. Two features an earlier squash silently dropped, now restored (a content audit of the ddrm line vs the mpeg-dash re-authoring caught these):
    • WASM epoch operator-termination — the on-demand kill of a runaway capsule. Restored and made race-free (see red-team note below); fuel + wall-clock bounds retained.
    • Media transcode-progress reporting — creator sees real DASH-packaging progress again. Restored surgically (only the progress hunks; the successor's CENC signaling is untouched).
  3. The marketplace layer from feat/marketplace-runtime (73 commits) re-landed as 5 gated slices: chain-provider KID→tokenId resolver, buy/trade authorities, /api/market/* + content-index discovery, library Acquire (buy→pin), and the storefront capsule wired into Home. (The branch's dkms self-heal was already superseded by flint-0.5's better retry-once path — no transplant.)
  4. Recovered work that was nearly lost — the Elacity Bible narrative doc, the only unique commit on an already-deleted branch.
  5. A preserved consent-seam experiment — the one unique w2-consent-source commit, banked as docs/patches/w2-gateway-consent-request-3694975.patch with a decision note (it collides with flint-0.5's deliberately-pinned behavior; needs an architecture call, not a silent merge).

Red-team + honesty

An adversarial pass reviewed both the new and transplanted code:

  • Fixed here (our code): the restored epoch-termination had a startup race (a reset clobbering a concurrent stop(), plus a single-increment arm race). Replaced with a race-free in-execute_wasm epoch watchdog; the test now pins the operator-kill with no timing assumption.
  • Registered, not silently changed (pre-existing in the source branches, transplanted byte-identical): KNOWN_GAPS.md MKT-1..MKT-4. MKT-1 is HIGH and on-chain-reachable — the KID→tokenId resolver can mis-bind a buyer to a hostile co-channel mint. It is not client-API-reachable, but should be fixed before the marketplace goes live. MKT-2/3/4 are hardening gaps.
  • Contract honesty: the new object-provider:acquire op tripped the universal preview≠enforce conformance gate; it's registered in the G3b known_divergences ledger as fail-closed (Admin-enforced, previewed-but-denied), mirroring its sibling share — via the test's sanctioned tracking mechanism, not a test edit.

Verification

Every slice gated build → test → clippy. Final aggregate gate on x86_64: cargo fmt --check clean, cargo clippy --workspace --all-targets clean, cargo test --workspace green (incl. elastos-server 1104 tests, elastos-compute incl. the runaway-termination test, and the universal provider-manifest conformance test).

After merge

flint-0.5 holds everything; PR #9 (flint-0.5 → upstream/0.6-dev) refreshes for the team to audit and pull on their own schedule. The ledger lists which branches are then safe to delete (fix/mpeg-dash-compliance, feat/marketplace-runtime, feat/ddrm-hardening-and-creator-parity, feat/capsule-inspector [PR #6, close as delivered], claude/keep-consent-architecture-0fz0ll, w2-consent-source, claude/branch-deep-audit-yiez86, review/0.5.0, flint) — keeping flint-0.5, upstream/0.6-dev, main.

🤖 Generated with Claude Code


irzhywau and others added 17 commits July 2, 2026 16:55
Produce a single MPEG-DASH/CENC-compliant asset (ISO-IEC 23001-7) for every
media (DASH) mint, while keeping the server-decrypt rail's own player working
by down-converting back to a plaintext-looking init at the fetch point.

- ddrm-envelope: shared `pssh` module -- single source of truth for producer,
  runtime decrypt read-path, and playback clients. ELASTOS_PQ_SYSTEM_ID
  (b6e254ef-0dc5-47fe-94e7-0e72ed1dc7b0); build_pssh (v1 box, default-KID +
  opaque .asset.protections JSON) / parse_pssh (v0/1, trailing-moov tolerant).
- ddrm-media: cenc_signal_init() (avc1->encv / mp4a->enca + sinf(frma/schm/tenc)
  + pssh moov child) and strip_cenc_signal() as a byte-exact inverse. Roundtrip
  tests assert strip(signal(x)) == x, no-op on unsignaled, fail-closed on double.
- encrypt-provider: CencSignalInits op -- pure public box surgery (no CEK/secret),
  wraps the runtime-built PSSH envelope and rewrites each per-track init; returns
  transformed inits + pssh_b64 for the MPD.
- creator (producer): after the threshold seal, build the PSSH envelope from
  dkms_protection, CENC-signal each init, and patch stream.mpd with
  <ContentProtection> (mp4protection:2011 + cenc:default_KID + per-system pssh).
- ddrm-media-authority: read_dash_init strips CENC signaling at the fetch point
  so the seal-bound AAD init and the runtime player's served init both match the
  plaintext init the mint sealed (no AAD mismatch).
- Flip on by default: drop the ELASTOS_DDRM_CENC_PSSH gate -- CENC signaling +
  MPD ContentProtection are now standard output. Additive; existing playback
  unchanged.

Squashed from: d012fc4 047d38f 4d26798 d6fb99f 3ac5fdc 4edfd9e
elastos-server 782+95 green; helper 15 green; fmt clean.
…TY-2282)

Stop the dKMS quorum path from wedging and leaking processes under
playback+reload, and make the local test suite pass off the Linux x86_64 gate.

- dkms-authority (Defect A): serve each accepted connection on its own thread
  (serve_unix_listener / serve_tcp_listener) so an idle/slow/leaked client can no
  longer head-of-line-block the daemon in read_frame; revoked_callers becomes
  daemon-lifetime Arc<Mutex> shared state (additive+idempotent); 30s per-conn
  read timeout on both transports. Regression test drives the real Unix accept
  loop (RED pre-fix, GREEN after); 35/35 green.
- key-provider: bound the Unix recover read in establish_dkms_session with the
  same DKMS_TCP_READ_TIMEOUT_MS (5s) the tcp/carrier branches use, so a wedged
  node fails fail-closed within a bounded window. 18/18 green.
- dkms (Defect B): reap leaked quorum helper/provider processes -- add Drop for
  the helper Capsule (kills+reaps key-provider/decrypt-provider children on every
  path), and guard MediaAuthorityProc launch/launch_quorum with a ChildReaper so
  early-return/error paths no longer orphan the raw Child.
- browser: keep the runtime stream socket path within the macOS sun_path limit
  (104) -- fall back to a short "/tmp" base when temp_dir() would overflow, fixing
  the 6 browser-open route tests on macOS arm64 (Linux unaffected).
- test(elastos-server): key component-checksum fixtures by detect_platform() so
  verify/stamp and agent-binary tests run on any host without masking the check.

Squashed from: 50cdc46 0c22718 46a7ba4 d93f673 a9283b5
…view

Address correctness, security, and robustness findings across the DKMS and
encryption/decryption workflows, each with regression tests.

- dkms-authority: revocations now share ONE live Arc<Mutex<HashSet>> across all
  connection threads (was a per-connection snapshot merged only on close), so a
  revoke binds every open connection immediately — "revocation outranks a live
  session" holds under concurrency. Unify the Unix/TCP accept loops into one
  generic serve_accept_loop with a MAX_ACTIVE_CONNECTIONS cap + RAII slot guard,
  bounding the thread/memory-exhaustion (slow-loris) vector on the network node.

- key-provider: distinguish a transport fault from a node rejection
  (NodeRecoverError). A warm pooled connection the node's idle timeout closed is
  re-established and retried ONCE; a genuine rejection still fails closed with no
  retry. Fixes the first open after a >30s idle gap failing below quorum.

- ddrm-media: drive the enca/encv choice off the authoritative hdlr handler type
  (fallback to an expanded audio-4CC allowlist), and make parse_codec_string use
  the same allowlist so the two classifiers can't diverge — an uncommon audio
  codec is no longer mis-signaled as video (non-compliant init + strip missize).

- ddrm-media-authority: read_dash_init propagates strip_cenc_signal errors
  instead of unwrap_or(raw), so a malformed init fails with a precise diagnosis
  rather than an opaque downstream decrypt/quorum failure.

- encrypt-provider: decode_kid16 validates length AND ASCII-hex charset before
  byte-slicing, rejecting a multibyte KID instead of panicking the capsule.

- elastos-server: browser stream sockets use a per-euid dir created 0700 and
  refuse any pre-existing dir not owned by us or group/other-writable, closing
  the world-writable /tmp squatting / socket-hijack vector.
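
The decode_kid16 hardening named above, modelled as a before/after pair. This is an added example, not the project's encrypt-provider code: `decode_kid16_naive` is a constructed stand-in for the panicking shape, `decode_kid16` shows the length-and-charset check done on bytes before any slicing; the sample KID is the page's ELASTOS_PQ_SYSTEM_ID with its dashes removed.

```rust
// Added example (not the project's code): a CENC KID arrives as 32 hex chars
// and must become 16 raw bytes. Contrast the panicking and the hardened path.

/// Constructed "before": trusts the input shape and slices by byte index.
/// `&s[i..i + 2]` panics when the index falls inside a multibyte UTF-8 char,
/// so a KID such as "aé" aborts the capsule instead of returning an error.
fn decode_kid16_naive(s: &str) -> Option<[u8; 16]> {
    let mut out = [0u8; 16];
    for (i, b) in out.iter_mut().enumerate() {
        *b = u8::from_str_radix(&s[2 * i..2 * i + 2], 16).ok()?;
    }
    Some(out)
}

#[derive(Debug, PartialEq)]
enum KidError {
    BadLength(usize),
    NonHex,
}

/// Hardened: validate length AND charset on the raw bytes before any slicing.
/// Once every byte is ASCII hex, each 2-byte window is a valid char boundary,
/// so the slice below cannot panic and the only failure mode is an Err.
fn decode_kid16(s: &str) -> Result<[u8; 16], KidError> {
    let bytes = s.as_bytes();
    if bytes.len() != 32 {
        return Err(KidError::BadLength(bytes.len()));
    }
    if !bytes.iter().all(u8::is_ascii_hexdigit) {
        return Err(KidError::NonHex);
    }
    let mut out = [0u8; 16];
    for (i, b) in out.iter_mut().enumerate() {
        *b = u8::from_str_radix(&s[2 * i..2 * i + 2], 16).map_err(|_| KidError::NonHex)?;
    }
    Ok(out)
}

fn main() {
    // The page's ELASTOS_PQ_SYSTEM_ID with the dashes removed.
    println!("{:?}", decode_kid16("b6e254ef0dc547fe94e70e72ed1dc7b0"));
    println!("{:?}", decode_kid16("aé")); // Err(BadLength(3)), no panic
}
```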

The ci.yml on this line (inherited from flint-0.5) invokes 'just verify-ci'
and 'just verify-capsules', but the justfile never got the recipes; both CI
jobs fail on every run with 'justfile does not contain recipe'. Port the
recipes from feat/ddrm-hardening-and-creator-parity, whose feature sets and
paths all exist on this branch (verified locally: verify-capsules,
alignment-check, command-smoke, candidate-command-audit all pass).
…and Elacity Labs

A narrative and brand document synthesizing the runtime architecture,
the ela.city marketplace, and the Elacity Labs mission into one vision:
creed, story arc, technical truth layer, category position, language
system, and an honest works-today/in-progress/direction ledger
reconciled against state.md, PRINCIPLES.md, and the code.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01NhEEeB9pRzGRGPcy7Lc1sN
…sion note

The w2-consent-source branch retires into flint-0.5. Two of its three
commits are content-superseded; the third (3694975, gateway 202-consent
seam) collides with flint-0.5's pinned flat-403 posture and the newer
intent-envelope consent path, so it is preserved verbatim as a patch with
the architecture decision recorded instead of silently merged or lost.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
… squash (B2a)

The fix/mpeg-dash-compliance re-authoring replaced the ddrm line's epoch
interruption (operator-triggered stop of an in-flight runaway capsule,
8bf1d29) with fuel + wall-clock bounds — a passive property, not an
on-demand kill. stop() only removed the instance from the map; a spinning
capsule kept burning its blocking thread.

Restore the epoch machinery UNIFIED with the successor's work so both
properties hold: consume_fuel + StoreLimits + wall-clock stay as-is, and
stop() once again sets the per-instance should_stop flag and bumps that
capsule's engine epoch so the deadline callback traps it at the next
backedge. The restored runaway test pins the operator kill specifically
(fuel set effectively unbounded so only the stop signal can trap).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
… the mpeg-dash squash

The ddrm line's Improvement A (media-provider streams ffmpeg -progress to a
caller-granted sink; the creator progress endpoint merges the measured %
onto the active 'package' stage) was dropped in the re-authoring: the
successor's package_dash has no progress path and /prepare-progress shows
an indeterminate stage for the mint's long pole.

Restored surgically from the ddrm generation — ONLY the progress hunks;
the raw branch diff would also have reverted the successor's CENC/DASH
signaling (which postdates the ddrm fork) and stays untouched here.
Capability-passing invariants preserved: host-generated sink path (no
path-injection from the client job id), provider writes only that one
path, atomic temp+rename publish, best-effort throughout (a progress
failure never blocks the mint). Tests: ffmpeg out_time parsing/clamping,
atomic publish, and pct surfacing only while 'package' is active.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…er + ABI/protocol ops

Transplanted from feat/marketplace-runtime (9bd5489 + 6bde757 + e175c1d +
2a24139): the ResolveTokenId op pivoted to AssetCreated+calldata (the
DigitalAssetRegistered event does not emit on Base — verified empirically
on the live chain), fail-closed on an ambiguous KID→tokenId binding, with
checked arithmetic + length caps in abi_string. Applied 3-way onto the
flint-0.5 generation; clean.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
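
The "checked arithmetic + length caps in abi_string" point above, as an added example that is not the project's abi_string module: a decoder for a single ABI-encoded `string` value in which every offset and length from the (untrusted) chain response is bounds-checked and capped, so malformed calldata yields an error rather than a panic or a huge allocation. The 4096-byte cap, the `encode_abi_string` helper used to build the constructed inputs, and the error names are assumptions.

```rust
// Added example (not the project's code). ABI layout for one `string`:
// [offset word][length word][data, zero-padded to a 32-byte multiple].

#[derive(Debug, PartialEq)]
enum AbiError { Truncated, OffsetOverflow, TooLong(usize), NotUtf8 }

/// Assumed cap; the page gives no number. Bounds the allocation a hostile
/// length word can force on the resolver.
const MAX_ABI_STRING: usize = 4096;

/// 32-byte big-endian word -> usize. Any bit set in the high 24 bytes cannot
/// be a sane offset or length, so it is rejected rather than truncated.
fn word_as_usize(word: &[u8]) -> Option<usize> {
    if word.len() != 32 || word[..24].iter().any(|&b| b != 0) {
        return None;
    }
    let mut buf = [0u8; 8];
    buf.copy_from_slice(&word[24..]);
    let v = u64::from_be_bytes(buf);
    if v > usize::MAX as u64 { None } else { Some(v as usize) }
}

/// Decode with checked arithmetic: every index is derived via checked_add and
/// every slice via `get`, so no input can panic the capsule.
fn decode_abi_string(data: &[u8]) -> Result<String, AbiError> {
    let head = data.get(..32).ok_or(AbiError::Truncated)?;
    let offset = word_as_usize(head).ok_or(AbiError::OffsetOverflow)?;
    let len_end = offset.checked_add(32).ok_or(AbiError::OffsetOverflow)?;
    let len_word = data.get(offset..len_end).ok_or(AbiError::Truncated)?;
    let len = word_as_usize(len_word).ok_or(AbiError::OffsetOverflow)?;
    if len > MAX_ABI_STRING {
        return Err(AbiError::TooLong(len));
    }
    let end = len_end.checked_add(len).ok_or(AbiError::OffsetOverflow)?;
    let bytes = data.get(len_end..end).ok_or(AbiError::Truncated)?;
    String::from_utf8(bytes.to_vec()).map_err(|_| AbiError::NotUtf8)
}

/// Encoder used only to build constructed inputs (offset 0x20, then length).
fn encode_abi_string(s: &str) -> Vec<u8> {
    let mut out = vec![0u8; 32];
    out[31] = 0x20;
    let mut len_word = [0u8; 32];
    len_word[24..].copy_from_slice(&(s.len() as u64).to_be_bytes());
    out.extend_from_slice(&len_word);
    out.extend_from_slice(s.as_bytes());
    let pad = (32 - s.len() % 32) % 32;
    out.resize(out.len() + pad, 0);
    out
}

fn main() {
    println!("{:?}", decode_abi_string(&encode_abi_string("ELACITY")));
    println!("{:?}", decode_abi_string(&[0xffu8; 64])); // Err(OffsetOverflow)
}
```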
…esale/withdraw calldata)

Transplanted from feat/marketplace-runtime onto the flint-0.5 generation:
buy_authority Phase-1 invariant (value*qty via paymentProcessor approve,
fail-closed tokenId resolution, abort-on-drift re-reading listings live,
listings() qty/price word order per SSOT, fail-closed non-hex decode,
SCOPE unsigned-only hard-gate, fail-closed on missing seller);
trade_authority resale/withdraw/approval calldata assembler (new module,
wired in api/mod.rs so it compiles with the slice — route wiring lands in
slice 3 with the gateway); chain_tx alignment. 3-way apply, clean.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…psule + docs

Transplanted from feat/marketplace-runtime onto the workbench:
- market API: search/sections/get/history/preview/vault/listed/me/acquire/
  acquire-status/order-{sell,withdraw,approve} routes (gateway.rs both-added
  conflict resolved keeping the flint-0.5 services routes AND the market
  routes); handlers in gateway_marketplace.rs; content_index (AssetCreated
  decode + cache + short-TTL discovery collapse) and market_reads (live
  sellersOf/listings reads) modules wired in api/mod.rs
- the marketplace-content storefront capsule (pure UI shell, no authority —
  Principle 16 posture; compiles natively and builds wasm32-wasip1 release)
- docs/marketplace/* spec set; the retired ddrm branch's contracts doc is
  preserved as CONTRACTS_LEGACY_ABI_REFERENCE.md (ABI appendix + Lit notes)
  under its successor
- fixes the slice-2 gate findings: buy_authority live-reads now resolve
  (market_reads landed) and its tests use the unified crate ddrm_env_lock()
  instead of the branch-local ENV_LOCK static

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb

Transplanted from feat/marketplace-runtime (3236772 + 33254f9): the
object-provider Acquire op pins a bought encrypted asset into the Library
(typed-folder placement + reveal/status), viewer_open/viewer_gateway open
handoff for acquired assets. Completes the slice-3 seam: makes
resolve_subject_address and viewer_object_provider_request pub(crate) for
the market handlers (the slice-3 gate's E0603s) and carries the 5-arg
signature its callers expect. 3-way apply, clean.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…findings

Red-team of the fresh + transplanted marketplace code (2026-07-03):

FIXED (our code — the restored epoch termination): the operator kill had a
startup race — start() reset should_stop OUTSIDE the lock (clobbering a
concurrent stop()) and the single increment-on-stop could be consumed before
the store armed its deadline, silently dropping the kill until wall-clock.
Removed the reset (should_stop starts false at load, only goes true at stop
which also removes the instance) and added an in-execute_wasm epoch WATCHDOG
(condvar-signalled, RAII-joined on every exit path) that advances the epoch
on a fixed cadence so the deadline callback observes should_stop within one
tick regardless of arming order. The test now sets ONLY should_stop (no
manual epoch bump) so it pins the race-free property and cannot flake.

REGISTERED (pre-existing in the source branches, transplanted byte-identical
— NOT introduced here; fixing mid-migration would diverge from the reviewable
source): KNOWN_GAPS MKT-1 (HIGH, on-chain-reachable: KID->tokenId resolver
can mis-bind to a hostile co-channel mint — fix before the marketplace ships),
MKT-2 (unbounded resolve RPC fan-out), MKT-3 (media progress_path unconfined),
MKT-4 (ffmpeg progress stdout-read deadlock window).

CONTRACT HONESTY: the new object-provider:acquire op (buy->pin) tripped the
universal preview!=enforce conformance gate; registered in the G3b
known_divergences ledger as fail-CLOSED (Admin-enforced, previewed-but-denied
— a money-path write kept at highest privilege), mirroring its sibling share.
Not a test edit — the sanctioned _or_tracked mechanism.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
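
The race-free epoch watchdog described in the FIXED note above (and in the earlier restore-epoch commit), as an added example that is not the project's execute_wasm or elastos-compute code: plain atomics stand in for the wasmtime engine epoch and deadline callback, the watchdog thread advances the epoch on a fixed cadence, is condvar-signalled to exit, and is RAII-joined on every return path. `Instance`, `Watchdog`, `execute` and the tick length are assumptions; the runaway capsule is modelled as a loop with u64::MAX backedges.

```rust
// Added example (not the project's code): model of the in-execute epoch watchdog.
use std::sync::atomic::{AtomicBool, AtomicU64, Ordering};
use std::sync::{Arc, Condvar, Mutex};
use std::thread::{self, JoinHandle};
use std::time::Duration;

/// Per-instance state: should_stop starts false at load and is only set by stop().
#[derive(Default)]
struct Instance { epoch: AtomicU64, should_stop: AtomicBool }

/// Operator kill: only the flag is set; no manual epoch bump is needed.
fn stop(inst: &Instance) { inst.should_stop.store(true, Ordering::SeqCst); }

/// Bumps the epoch every `tick`. Condvar-signalled to exit and joined on drop,
/// so the thread ends on every exit path of execute().
struct Watchdog { stop: Arc<(Mutex<bool>, Condvar)>, handle: Option<JoinHandle<()>> }

impl Watchdog {
    fn start(inst: Arc<Instance>, tick: Duration) -> Self {
        let stop = Arc::new((Mutex::new(false), Condvar::new()));
        let signal = Arc::clone(&stop);
        let handle = thread::spawn(move || {
            let (lock, cv) = &*signal;
            let mut done = lock.lock().unwrap();
            while !*done {
                done = cv.wait_timeout(done, tick).unwrap().0; // sleep one tick or until told to exit
                inst.epoch.fetch_add(1, Ordering::SeqCst);
            }
        });
        Watchdog { stop, handle: Some(handle) }
    }
}

impl Drop for Watchdog {
    fn drop(&mut self) {
        *self.stop.0.lock().unwrap() = true;
        self.stop.1.notify_all();
        if let Some(h) = self.handle.take() { let _ = h.join(); }
    }
}

#[derive(Debug, PartialEq)]
enum Outcome { Completed(u64), TrappedByOperator }

/// Stand-in for execute_wasm: run `backedges` loop iterations (u64::MAX = runaway
/// capsule). The deadline is armed AFTER the watchdog starts; whatever order
/// stop() and arming happen in, the callback observes should_stop within one tick.
fn execute(inst: &Arc<Instance>, backedges: u64, tick: Duration) -> Outcome {
    let _dog = Watchdog::start(Arc::clone(inst), tick); // RAII: joined on any return
    let mut deadline = inst.epoch.load(Ordering::SeqCst) + 1;
    let mut done = 0u64;
    while done < backedges {
        if inst.epoch.load(Ordering::SeqCst) >= deadline {
            // epoch deadline callback: trap on operator stop, else extend by one tick
            if inst.should_stop.load(Ordering::SeqCst) { return Outcome::TrappedByOperator; }
            deadline += 1;
        }
        done += 1;
        std::hint::spin_loop();
    }
    Outcome::Completed(done)
}
```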
…build)

The marketplace product surface (storefront UI + Elacity brand tokens) already
landed with the marketplace-content capsule in slice 3. This final slice is the
Home integration only:
- shell.js: allow marketplace-content to ask Home to open library/ddrm-viewer/
  elacity-player (narrowly scoped, no ambient launch authority — P7/P16), added
  alongside flint-0.5's services routing (both-added map key, kept both)
- run-creator-gateway.sh: kept flint-0.5's DYNAMIC wasm-capsule discovery (it
  already builds marketplace-content) over the marketplace branch's older
  hardcoded list — the dynamic scan is exactly what stops stale-list 404s

NOT taken (marketplace branch is OLDER here — applying its diff would REVERT
flint-0.5's newer work, a regression the gate caught): creator.js/index.html
(flint-0.5's 2026-07-01 surface vs marketplace's 2026-06-18; delta was
comment-only), media-provider/creator.rs (would have deleted the R2
transcode-progress restoration). Reverted all four to HEAD.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
…tion + delete-safety

The content-verified map of the whole consolidation: what the workbench adds on
top of flint-0.5, per-branch disposition (ABSORBED/TRANSPLANTED/CARRIED/
SUPERSEDED/PRESERVED/TEAM-OWNED), evidence for each, and which branches are safe
to delete. Dispositions are by CONTENT (symbol + zero-unique-code-file audits),
not commit-SHA reachability.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01BnpmuD7RtQ3NuTfRQJGrQb
@SashaMIT SashaMIT merged commit 39842a5 into flint-0.5 Jul 3, 2026