Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
218 commits
Select commit Hold shift + click to select a range
589092b
feat(runtime): add provider invocation transfer rails
andersalm Jun 7, 2026
38c24fc
feat(library): add object-provider backed file manager
andersalm Jun 7, 2026
42e4d7f
feat(marketplace): add app marketplace
andersalm Jun 7, 2026
d395ad2
docs(convergence): add north-star playbook, product vision PRD, and v…
SashaMIT Jun 8, 2026
82a14ca
feat(decrypt-provider): vendor PC2 cenc-decrypt engine as fail-closed…
SashaMIT Jun 8, 2026
5b167f1
fix(crosvm): compile on non-Linux hosts so 0.4.0 builds/runs on macOS
SashaMIT Jun 8, 2026
efe9b0e
docs(ddrm): record decrypt-rail decision β€” CEK/ciphertext transport t…
SashaMIT Jun 8, 2026
461f415
feat(decrypt-provider): add tested decrypt-step core seam (Branch-by-…
SashaMIT Jun 8, 2026
53efc12
docs(ddrm): add isolation-tier recommendation β€” wasm now, microVM as …
SashaMIT Jun 8, 2026
1813527
docs(ddrm): confirm decrypt-provider compiles clean to wasm32-wasip1
SashaMIT Jun 8, 2026
2866d9a
test(decrypt-provider): WASI-sandbox smoke harness proves fail-closed…
SashaMIT Jun 8, 2026
6276e02
feat(key-provider): bind rights receipt + bring to wasm/WASI-proven bar
SashaMIT Jun 8, 2026
6fb838f
test(rights-provider): WASI smoke harness completes rights->key->decr…
SashaMIT Jun 8, 2026
94d3824
test(drm-provider): WASI smoke + cross-provider contract-seam tests
SashaMIT Jun 8, 2026
a1a18c0
feat(ddrm): unified chain smoke runner + review-ready status package
SashaMIT Jun 8, 2026
ae17c64
feat(ddrm): vendor ECDH CEK-sealing envelope spec + PC2 player alignment
SashaMIT Jun 8, 2026
4233f34
test(ddrm): pin decrypt->player consumer contract for both viewer cap…
SashaMIT Jun 8, 2026
d5916cb
docs(ddrm): security model doc + inter-stage CEK transport decision
SashaMIT Jun 8, 2026
3d3eb55
docs(ddrm): Day 15 checkpoint β€” refresh status + prove PQ-hybrid in wasm
SashaMIT Jun 8, 2026
3b4dba9
feat(encrypt-provider): pin dDRM invariant #1 (in-boundary CEK+KID) +…
SashaMIT Jun 8, 2026
742f624
test(ddrm): drift guard + 0.4.0 reconciliation (force-push, zero type…
SashaMIT Jun 8, 2026
14cb230
docs(convergence): add HANDOVER.md single-entry onboarding for fresh …
SashaMIT Jun 8, 2026
27cce2d
feat(decrypt-provider): prep rail-landing composition behind rail-pre…
SashaMIT Jun 8, 2026
ec6fd6d
feat(encrypt-provider): close invariant #1 keygen gap with in-boundar…
SashaMIT Jun 8, 2026
dea1ac7
chore(encrypt-provider): commit Cargo.lock for in-boundary cipher/key…
SashaMIT Jun 8, 2026
38fa91a
feat(decrypt-provider): de-risk PQ-hybrid CEK-seal envelope (pq-envel…
SashaMIT Jun 8, 2026
ee5b084
feat(decrypt-provider): prove full PQ dDRM data path end-to-end pre-rail
SashaMIT Jun 8, 2026
7df1802
test(decrypt-provider): pin both engines with portable golden vectors
SashaMIT Jun 8, 2026
8bf242a
test(ddrm): make PC2 cross-impl conformance executable, not asserted
SashaMIT Jun 8, 2026
8cb43b8
test(ddrm): promote PC2 conformance to a standing gate + widen coverage
SashaMIT Jun 8, 2026
874c3f5
docs(convergence): refresh HANDOVER to current truth (tip 8cb43b814, …
SashaMIT Jun 8, 2026
48aef61
test(ddrm): pin encrypt->decrypt round-trip golden (both invariants, …
SashaMIT Jun 8, 2026
f3d09e9
feat(ddrm): rail transport shim behind a flag β€” the rail becomes a fl…
SashaMIT Jun 8, 2026
363d75b
test(ddrm): pin rail carrier as a portable golden + PC2 session-level…
SashaMIT Jun 8, 2026
80137f2
docs(convergence): refresh HANDOVER to current truth (tip 363d75b09, …
SashaMIT Jun 8, 2026
e4e4d11
test(ddrm): PQ carrier golden through the shim β€” profile symmetry closed
SashaMIT Jun 8, 2026
787bb3a
decrypt-provider: widen cenc golden + PC2 conformance to real playbac…
SashaMIT Jun 8, 2026
d6899b9
decrypt-provider: wire real ML-DSA-65 (FIPS 204) into the CekSealVeri…
SashaMIT Jun 8, 2026
aadb4f1
decrypt-provider: verify real ML-DSA-65 through the rail entrypoint (…
SashaMIT Jun 8, 2026
b1f8b7d
decrypt-provider: adversarial negative-space + containment sweep (har…
SashaMIT Jun 8, 2026
90899e7
chore(ddrm): make the verification gate authoritative over the full l…
SashaMIT Jun 8, 2026
d1035d9
chore(ddrm): reconcile-prep β€” widen drift guard to full consumed surf…
SashaMIT Jun 8, 2026
c63c375
test(ddrm): widen the encrypt<->decrypt round-trip to real playback s…
SashaMIT Jun 8, 2026
926b9ad
test(ddrm): prove PC2's real decrypt consumes the producer's output (…
SashaMIT Jun 8, 2026
b3b5f0a
refactor(encrypt-provider): reconcile sealed output to shared elastos…
SashaMIT Jun 8, 2026
4f0cc65
chore(ddrm): integrity audit β€” map every claim to its gate; wire WASI…
SashaMIT Jun 8, 2026
779c74f
feat(decrypt-provider): hybrid ECDSA-P256 + ML-DSA-65 seal verifier —…
SashaMIT Jun 8, 2026
a291bec
chore(decrypt-provider): lock ecdsa/rfc6979/signature deps for pq-mld…
SashaMIT Jun 8, 2026
142f633
docs(convergence): verify fix/crosvm-darwin-build green on macOS; rec…
SashaMIT Jun 8, 2026
6b0ba1e
docs(convergence): build-verify push queue #3 (bincode-2x) + #2 (home…
SashaMIT Jun 8, 2026
96ecfb5
docs(convergence): align with RELEASED v0.4.0 β€” contract byte-identic…
SashaMIT Jun 9, 2026
3f7c67f
feat(decrypt-provider): wire recommended decrypt rail (Option A) into…
SashaMIT Jun 9, 2026
0b019a1
feat(decrypt-provider): bind sealed CEK to the full decrypt transcrip…
SashaMIT Jun 9, 2026
2909d32
feat(decrypt-provider): mint + publish the per-session key in-sandbox…
SashaMIT Jun 9, 2026
5e5ca0d
feat(decrypt-provider): enforce short expiry + emit scoped CEK-free a…
SashaMIT Jun 9, 2026
4c33514
feat(decrypt-provider): consolidate suite-tagged SealedDecryptMateria…
SashaMIT Jun 9, 2026
28f91c8
docs(convergence): whole-system architecture map (PC2 journey vs runt…
SashaMIT Jun 9, 2026
ec7f765
feat(key-provider): pluggable multi-backend key authority (Phase A.1)
SashaMIT Jun 9, 2026
3225e97
feat(key-provider): reference key-authority seal engine + shared ddrm…
SashaMIT Jun 9, 2026
4e04837
test(decrypt-provider): cross-capsule equivalence guard for ddrm-enve…
SashaMIT Jun 9, 2026
7774cda
refactor(decrypt-provider): re-export ddrm-envelope; PQ crypto now si…
SashaMIT Jun 9, 2026
7f9d72f
feat(ddrm-envelope): shared decrypt-transcript to_aad; both rail side…
SashaMIT Jun 9, 2026
35bd237
feat(ddrm): consumer-half orchestration smoke runs the chain end to e…
SashaMIT Jun 9, 2026
07e0c93
feat(rights-provider): render on-chain ownership into a typed rights …
SashaMIT Jun 9, 2026
879904a
feat(chain/rights): characterize on-chain ownership + opt-in live wal…
SashaMIT Jun 9, 2026
e4ffb3a
feat(encrypt-provider): pin KID-as-bytes16-contentId identity join + …
SashaMIT Jun 9, 2026
2dc9b0c
feat(ddrm): CEK-escrow engine β€” producerβ†’authorityβ†’decrypt on a fresh…
SashaMIT Jun 9, 2026
adc118e
ddrm(Day60/Phase C): producer half runs across real processes
SashaMIT Jun 9, 2026
ad6bd13
ddrm(Day61/Phase C): publish-provider assembles the on-chain content …
SashaMIT Jun 9, 2026
fce0c33
ddrm(Day62/Phase C): chain-provider assemble_mint β€” the mint becomes …
SashaMIT Jun 9, 2026
76e0d1e
ddrm(Day63/Phase C): close the producer->chain loop end to end
SashaMIT Jun 9, 2026
ea4962a
ddrm(Day64/Phase C): content-market reconstructs a listing from mint …
SashaMIT Jun 9, 2026
676a90f
ddrm(Day65/Phase C): content-market enriches a listing from metadata.…
SashaMIT Jun 9, 2026
81bd466
ddrm(Day66/Phase C): content-market reconstructs a listing from the c…
SashaMIT Jun 9, 2026
af55eca
ddrm(docs): add NEW_AGENT_BRIEF β€” zero-blind-spots onboarding + boots…
SashaMIT Jun 9, 2026
dba19d8
ddrm(Day67/Phase A): drm-provider::open emits the executable DrmOpenP…
SashaMIT Jun 9, 2026
e8dc4d8
ddrm(Day68/Phase C): encrypt-provider content-addresses the ciphertex…
SashaMIT Jun 9, 2026
7dda28a
ddrm(Day69/Phase C): encrypt-provider::seal runs the full production …
SashaMIT Jun 9, 2026
58808ef
ddrm(Day70/Phase A): canonical key-provider::release actually release…
SashaMIT Jun 9, 2026
015233b
ddrm(Day71/Phase A): runtime-core plan executor β€” ddrm-plan-runner wa…
SashaMIT Jun 9, 2026
c81f777
ddrm(Day72/Phase A): runtime-core injects per-provider capability han…
SashaMIT Jun 9, 2026
717919f
ddrm(Day73/Phase A): runtime-core composition root β€” open_drm_plan(pl…
SashaMIT Jun 9, 2026
c4d7195
ddrm(Day74/Phase A): runtime-owned capability registry β€” RuntimeCapab…
SashaMIT Jun 9, 2026
bd39b18
ddrm(Day75-76/Phase A): runtime-core trusted host β€” DrmHost::open(con…
SashaMIT Jun 9, 2026
b1c4baf
ddrm(Day77-78/Phase A): the trusted host OWNS THE RAIL + PERSISTS the…
SashaMIT Jun 9, 2026
68a535e
ddrm(Day79-80/Phase A): the trusted host LAUNCHES THE RAIL + persists…
SashaMIT Jun 9, 2026
e970279
ddrm(Day81-82/Phase A): STABLE durable-key-store authority + escrow-a…
SashaMIT Jun 9, 2026
b14a644
ddrm(Day83-84/Phase A): config-driven runtime-open bin (NO smoke in t…
SashaMIT Jun 9, 2026
3a6416e
ddrm(Day85-86/Phase A): drive the dkms EXTERNAL authority END-TO-END …
SashaMIT Jun 9, 2026
806bb6a
dDRM Day 87-88: split dkms into a secret-holding NODE + a public-only…
SashaMIT Jun 9, 2026
0745c8e
dDRM Day 89-90: make the dkms delegation an AUTHENTICATED channel + a…
SashaMIT Jun 9, 2026
bceea30
dDRM Day 91-92: make the dkms node a LONG-LIVED CONNECTION the client…
SashaMIT Jun 9, 2026
ce10d4a
dDRM Day 93–94: real transport boundary (framed Unix-domain socket) +…
SashaMIT Jun 9, 2026
f016306
dDRM Day 95–96: serve only a KNOWN allow-listed caller + make every r…
SashaMIT Jun 9, 2026
001f09d
dDRM Day 97–98: make the threshold REAL β€” XOR-split the CEK 2-of-2 ac…
SashaMIT Jun 9, 2026
e4edaab
dDRM Day 99–100: drive the real 2-of-2 threshold through the producti…
SashaMIT Jun 9, 2026
1cc75ba
dDRM Day 101–102: make the live 2-of-2 threshold RESILIENT + IDENTITY…
SashaMIT Jun 9, 2026
b392556
dDRM Day 103–104: make the threshold identity CRYPTOGRAPHIC + AUDITAB…
SashaMIT Jun 9, 2026
e9c0854
dDRM Day 105–108: take the dKMS node OFF LOCALHOST β€” real TCP transpo…
SashaMIT Jun 9, 2026
0c08241
dDRM Day 109–112: give the secret-holders a LIFECYCLE β€” live share-wi…
SashaMIT Jun 9, 2026
8ce79f5
dDRM Day 113–116: REAL t-of-n β€” the CEK is Shamir-split 2-of-3 over G…
SashaMIT Jun 10, 2026
9322733
dDRM Day 117–120: give the QUORUM a LIFECYCLE β€” live share-wise rotat…
SashaMIT Jun 10, 2026
8f86da2
dDRM Day 121–125: make the QUORUM RECONFIGURABLE β€” re-share a live 2-…
SashaMIT Jun 10, 2026
00f3294
dDRM Day 126–130: the CEK is BORN DISTRIBUTED β€” verifiable Distribute…
SashaMIT Jun 10, 2026
962219b
dDRM Day 131-135: the quorum PROVES it served you β€” verifiable, publi…
SashaMIT Jun 10, 2026
c4725be
dDRM Carrier-plane honesty pass: expose `lit` as an operator-selectab…
SashaMIT Jun 10, 2026
7b26470
dDRM E2E (a) step 1: the canonical open FETCHES content by CID throug…
SashaMIT Jun 10, 2026
6d32e27
dDRM: ownership real-by-default via in-process chain-provider RPC mock
SashaMIT Jun 10, 2026
1648c95
dDRM: multi-MiB content via Helia-byte-compatible chunked UnixFS
SashaMIT Jun 10, 2026
2f313e3
dDRM: decrypt a multi-SEGMENT CENC asset under one CEK
SashaMIT Jun 10, 2026
49f57fc
ddrm: carry the multi-segment LIST through the LIVE open_session_v1 r…
SashaMIT Jun 10, 2026
eaa0792
docs(convergence): add RUN_E2E operator runbook for the runnable dDRM…
SashaMIT Jun 10, 2026
71ca0fb
feat(ddrm): balanced dag-pb tree for arbitrarily-large Helia-compatib…
SashaMIT Jun 11, 2026
50206ac
dDRM: multi-segment on the THRESHOLD + QUORUM split rails
SashaMIT Jun 11, 2026
e6910f9
feat(viewer): dDRM viewer seam (B1-B4) β€” elacity-player + scoped medi…
SashaMIT Jun 11, 2026
5c2f6a3
merge: bring in crosvm Darwin build fix for macOS gateway/Home
SashaMIT Jun 11, 2026
f385874
feat(demo): local end-to-end dDRM viewer-seam player (ddrm-viewer-demo)
SashaMIT Jun 11, 2026
f3c47fc
refactor(ddrm-media): extract shared local media-prep crate from the …
SashaMIT Jun 11, 2026
ac13f4f
feat(gateway): play owned media via a subprocess local key-authority
SashaMIT Jun 11, 2026
840d9f5
feat(home): Owned Video tile plays owned media via the local dDRM rail
SashaMIT Jun 11, 2026
e9dcedb
feat(ddrm): live-chain rights gate + non-media viewer + Library binding
SashaMIT Jun 11, 2026
cb60905
feat(ddrm): real chain-provider ownership read behind the Home rights…
SashaMIT Jun 11, 2026
cf62be6
feat(ddrm): buy-flow orchestration β€” put an access token in the wallet
SashaMIT Jun 11, 2026
b3fa455
docs(convergence): visual architecture map (birds-eye + dDRM + macOS-…
SashaMIT Jun 11, 2026
edf96c2
feat(ddrm): live EVM tx signing for buy via wallet-provider (key neve…
SashaMIT Jun 11, 2026
866751a
docs(convergence): strategic roadmap + sequencing (real ~/.pc2 source…
SashaMIT Jun 11, 2026
36137ff
feat(ddrm): live content mint on the managed-key rail (Create stage 2)
SashaMIT Jun 11, 2026
33b6088
feat(ddrm): align chain reads + buy to the real Base ABIs (roadmap A2)
SashaMIT Jun 11, 2026
73d80ee
feat(ddrm): creator mint spine + dKMS quorum provisioning + mac dev l…
SashaMIT Jun 12, 2026
f60760b
Merge tag 'v0.4.0' into feat/ddrm-home-playback
SashaMIT Jun 13, 2026
1e9d6c1
dev: wire object-provider into creator gateway launch
SashaMIT Jun 13, 2026
dc32fa0
Fix Mac dev gateway launch and document Day 136 handover.
SashaMIT Jun 13, 2026
45f094b
feat(ddrm): mint persists owned Library object + .ddrm capsule; trade…
SashaMIT Jun 14, 2026
4ccf3f5
feat(decrypt): wire 2-of-3 quorum cleartext streaming (consumer-open …
SashaMIT Jun 14, 2026
e32a045
docs(convergence): Day 139 β€” quorum cleartext streaming wired + teste…
SashaMIT Jun 14, 2026
27fb1f0
test(ddrm): prove quorum consumer-open RENDER end-to-end β€” byte-ident…
SashaMIT Jun 14, 2026
daa1141
feat(ddrm): ddrm-media-authority --quorum open mode + helper verify (…
SashaMIT Jun 14, 2026
855d3a9
feat(gateway): wire dKMS quorum consumer-open into mint persist + vie…
SashaMIT Jun 14, 2026
af60f44
feat(gateway): run-creator-gateway brings the dKMS recovery quorum LI…
SashaMIT Jun 14, 2026
d53bd68
feat(ddrm): end-to-end creator mint + quorum consumer-open over Carrier
SashaMIT Jun 15, 2026
018900d
feat(ddrm): popup-free re-opens via cached wallet-signed delegation (…
SashaMIT Jun 15, 2026
d6412e0
feat(dkms): Phase A warm key-provider daemon β€” reuse node sessions ac…
SashaMIT Jun 15, 2026
adc14ba
fix(dkms): give parallel quorum-recover threads a 16 MiB stack (was o…
SashaMIT Jun 15, 2026
4fc4cf5
feat(home): live staged progress for protected (dKMS) opens
SashaMIT Jun 15, 2026
2b4ea05
fix(media): audio-only DASH path β€” skip video filter when source has …
SashaMIT Jun 15, 2026
a22d73c
docs(handover): Day 138 checkpoint β€” open-latency Tiers 1+2, transpor…
SashaMIT Jun 15, 2026
ab3adb3
feat(ddrm): fence dev modes out of release builds + PC2 creator core …
SashaMIT Jun 16, 2026
3f282dd
feat(ddrm): pre-audit security hardening β€” CEK integrity, tamper-evid…
SashaMIT Jun 16, 2026
b08d5d8
feat(ddrm): metadata minimization + threat model (pre-audit #5)
SashaMIT Jun 16, 2026
622fe69
fix(ddrm): make dKMS channel padding negotiated + off by default
SashaMIT Jun 16, 2026
dff2883
fix(ddrm): pin trade approval to the just-minted asset by content_id
SashaMIT Jun 17, 2026
4df439b
feat(ddrm): server-side pixel-lock PDF rendering with warm session + …
SashaMIT Jun 17, 2026
ca3e5d9
docs(ddrm): pre-audit findings, confidential-compute audit, README + …
SashaMIT Jun 17, 2026
c580160
feat(ddrm): pixel-lock images, comics, text/code, and SVG
SashaMIT Jun 17, 2026
d418117
fix(ddrm): route audio through the media player, not the object viewer
SashaMIT Jun 17, 2026
6228407
docs(ddrm): asset-tier containment model + protected-content update
SashaMIT Jun 17, 2026
dade8af
style(server): clear pre-existing clippy drift so `just lint` is green
SashaMIT Jun 17, 2026
294884e
feat(ddrm): asset-rendering parity, faster mint, and Library polish
SashaMIT Jun 18, 2026
1cba0f7
feat(ddrm): two-layer forensic watermark (visible full-address + invi…
SashaMIT Jun 18, 2026
2a4ca10
fix(dkms): threshold-with-grace quorum recover so a dead node can't w…
SashaMIT Jun 18, 2026
b8cafe3
docs(ddrm): roadmap + design for AV forensic watermarking
SashaMIT Jun 18, 2026
273d0aa
fix(ddrm): bound pixel-lock decode/raster size (pixel-bomb defense)
SashaMIT Jun 18, 2026
eae67ff
fix(ddrm): serve-time content sniff + html-lock CSP/nosniff (mislabel…
SashaMIT Jun 18, 2026
9bc2c54
docs(ddrm): honest forensic-watermark scope + pixel-bomb bounds + htm…
SashaMIT Jun 18, 2026
b01ed34
feat(ddrm): authenticate the forensic watermark via the buyer's signe…
SashaMIT Jun 18, 2026
0eac1d0
feat(ddrm): retain the forensic grant anchor in the tamper-evident cu…
SashaMIT Jun 18, 2026
58380d3
fix(ddrm): audit cleanups (item 6) + reclassify media-tier egress as …
SashaMIT Jun 19, 2026
9f57172
ci(ddrm): gate the dDRM capsule crates + run the full `just verify` o…
SashaMIT Jun 19, 2026
a01cecc
ci: also run the gate on this feature branch (branch-scoped trigger)
SashaMIT Jun 19, 2026
391a438
fix(ci): rustfmt viewer_object.rs + install ripgrep for the verify job
SashaMIT Jun 19, 2026
0e1bd96
fix(rights): validate wallet linkage before resolving the rights-prov…
SashaMIT Jun 19, 2026
46cbeed
fix(ci): install wasm32-wasip1 target for the verify job's carrier smoke
SashaMIT Jun 19, 2026
e350a49
fix(ci): pin wasm32-wasip1 in rust-toolchain.toml so the pinned toolc…
SashaMIT Jun 19, 2026
2ecb7a6
ci: split out `verify-ci` (full gate minus the Carrier-network smoke)…
SashaMIT Jun 19, 2026
681d10a
docs(av): fold Phase-0 feasibility + FP correction into AV_WATERMARKING
SashaMIT Jun 19, 2026
5bc2381
fix(ddrm): pre-mainnet fix-pack ①–⑀ + dKMS open test runbook
SashaMIT Jun 19, 2026
fadad72
feat(av): land Phase 5 chunks 1/2/6 β€” variant schema + canonical code…
SashaMIT Jun 19, 2026
3d07444
feat(av): analytic Tardos threshold + Monte-Carlo certification gate
SashaMIT Jun 19, 2026
7feccd3
docs(audit): focused external-auditor packet for the dKMS decrypt plane
SashaMIT Jun 19, 2026
39fead5
fix(dkms): bind re-seal AAD into the recover possession-proof (close …
SashaMIT Jun 19, 2026
0720219
feat(av): serve-time variant selector + variant-set AAD weld (chunks …
SashaMIT Jun 19, 2026
65f0975
feat(av): mint-side asset-secret KDF + manifest builder (chunk 5 core)
SashaMIT Jun 19, 2026
2bbd45b
docs(av): reconcile Phase 5 status β€” 3/4/5 core landed, wiring + cert…
SashaMIT Jun 19, 2026
b241e1f
fix(smoke): build dkms-authority with dev-modes in quorum-helper-verify
SashaMIT Jun 19, 2026
643752e
feat(av): bounded placeholder variant embed in ddrm-media (mint DSP s…
SashaMIT Jun 19, 2026
4574eed
test(av): end-to-end variant pipeline on real fMP4 + CENC (chunks 3/4/5)
SashaMIT Jun 19, 2026
c596f1f
fix(dkms): revert recover-proof to v1 to match the deployed quorum nodes
SashaMIT Jun 20, 2026
1677023
feat(av): wire forensic variant mint-emit + serve selection into the …
SashaMIT Jun 20, 2026
d270500
perf(serve): single-copy in-place CENC decrypt + boot-stable gateway …
claude Jun 20, 2026
fea728b
harden(ddrm): bound untrusted CENC box counts + pin the H1 watermark-…
claude Jun 20, 2026
edb02ec
fix(open): refresh single-use grant nonce on quorum retries (A7) + pi…
claude Jun 20, 2026
e47f2be
docs(audit): record PRE-3 (audit tamper-evidence / GAP-8) as already …
claude Jun 20, 2026
b823c62
docs(pre-audit): record verification pass β€” 7/8 findings resolved, #2…
claude Jun 20, 2026
98b57c9
perf(library): hash each file once on the directory-list hot path
claude Jun 20, 2026
72550c4
perf(library): cache file listing facts on the directory-list path
claude Jun 20, 2026
9d8e6d9
perf(library-ui): bound the cover cache (LRU) and revoke evicted obje…
claude Jun 20, 2026
371bf21
chore(ci): satisfy fmt + clippy gates on the branch
claude Jun 20, 2026
ad84904
perf(serve): drop redundant per-segment capsule re-resolve from the v…
claude Jun 20, 2026
4894f50
test(conformance): close GAP-8's tamper-evidence half + pin it (ratch…
claude Jun 20, 2026
1e9e712
test(verdicts): build-visible DDRM audit-verdict ratchet + pin PRE-2 …
claude Jun 20, 2026
38b45bd
docs(roadmap): capture the path to 10/10 β€” audit, node-bundle redeplo…
claude Jun 20, 2026
3567f54
docs(auditor): point the external firm at the verified-safe scope-out…
claude Jun 20, 2026
cec3086
build(release): add a release profile to the elastos workspace (LTO +…
claude Jun 20, 2026
253d099
feat(wasm): enforce per-capsule memory/table/instance limits + share …
claude Jun 20, 2026
f2e9c53
docs(roadmap): track the per-capsule WASM memory budget + CPU-runaway…
claude Jun 20, 2026
ce2bd96
feat(wasm): honor each capsule's DECLARED memory budget (clamped), ma…
claude Jun 20, 2026
0d904c6
docs(roadmap): mark per-capsule WASM memory budget DONE (B1); CPU sti…
claude Jun 20, 2026
8bf1d29
feat(wasm): make a runaway capsule operator-terminable (epoch interru…
claude Jun 20, 2026
43eee84
docs(roadmap): mark WASM CPU-runaway operator-terminable DONE (B2a); …
claude Jun 20, 2026
5080468
chore(fmt): satisfy rustfmt on the branch's elastos-server additions
claude Jun 20, 2026
e5e6ad0
docs(handoff): branch-handoff note for the merge + live-validation pass
claude Jun 20, 2026
97bcd36
docs(runbook): mark the retry-replay grant gap RESOLVED by A7
SashaMIT Jun 20, 2026
4218c52
feat(creator): creator capsule UI + media-provider + gateway creator …
SashaMIT Jun 27, 2026
38c6633
dev: added debug profile at build
irzhywau Jun 29, 2026
525288d
feat(dash): MPEG-DASH / CENC compliance for media assets (ELACITY-2283)
irzhywau Jul 2, 2026
4e9e40a
fix(runtime): DKMS quorum reliability + host-independent tests (ELACI…
irzhywau Jul 2, 2026
1aa77dc
fix(runtime): harden DKMS lifecycle + CENC/socket safety from code re…
irzhywau Jul 2, 2026
2175657
Merge branch 'main' into dev/mpeg-dash-compliance
irzhywau Jul 2, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
100 changes: 99 additions & 1 deletion .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,16 @@ name: CI

on:
push:
branches: [main]
# `main` is the live line. The feature branch is included so we can run the full
# gate on our own work in isolation (this entry lives only on the branch; it does
# NOT affect main or other branches until/unless it is merged). Drop or generalise
# to `feat/**` at merge time.
branches: [main, feat/ddrm-hardening-and-creator-parity]
pull_request:
branches: [main]
# Manual trigger so a feature branch can be put through the full Linux gate
# (incl. the Linux-only carrier smoke in `just verify`) before merge.
workflow_dispatch:

env:
CARGO_TERM_COLOR: always
Expand Down Expand Up @@ -64,3 +71,94 @@ jobs:
- name: cargo build --release
working-directory: elastos
run: cargo build --workspace --release

# The canonical gate on Linux, MINUS the Carrier-network setup smoke: alignment-check +
# command smoke + candidate-command-audit + fmt/clippy/test (elastos workspace) + the dDRM
# capsule build+test (verify-capsules). This turns "manually covered" into "green on a clean
# runner". The `local-carrier-setup-smoke` step is excluded here because it fetches the
# net-provider artifact over Elastos Carrier, which a stock GitHub runner cannot reach β€” run
# the full `just verify` on a Carrier-capable Linux box / self-hosted runner before merge.
# RUSTFLAGS=-D warnings is inherited from `env` above.
verify:
name: Verify (Linux CI gate)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy, rustfmt
- uses: Swatinem/rust-cache@v2
with:
workspaces: |
elastos
capsules/decrypt-provider
capsules/ddrm-envelope
scripts/dev/ddrm-media-authority
- uses: extractions/setup-just@v2
- name: Install ripgrep (required by alignment-check; not preinstalled on the runner)
run: sudo apt-get update && sudo apt-get install -y ripgrep
- name: just verify-ci
run: just verify-ci

# Isolated, fast signal for the protected-content capsule crates that live OUTSIDE
# the elastos workspace (so the `check`/`test` jobs and `cargo --workspace` never
# reach them): the watermark codec, the grant-digest envelope, the media-authority.
# Independent of the carrier smoke, so a flaky/heavy smoke run never masks a capsule
# regression. Build+test only (these crates still carry pre-existing clippy debt).
capsules:
name: dDRM Capsule Gate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
with:
workspaces: |
capsules/decrypt-provider
capsules/ddrm-envelope
scripts/dev/ddrm-media-authority
- uses: extractions/setup-just@v2
- name: just verify-capsules
run: just verify-capsules

# Pre-mainnet deploy invariant (fix-pack β‘‘): a PRODUCTION dkms-authority node must be a release
# build with DEFAULT features β€” the legacy unsigned-receipt path (`legacy-receipt-authz`) and the
# `dev-modes` opt-in that pulls it in must NEVER ship. The crate enforces this with a
# `compile_error!` keyed on a release build (no `debug_assertions`); this job asserts BOTH
# directions so the guard can't silently rot. See `docs/DEPLOY_CHECKLIST.md`.
# `dkms-authority` lives OUTSIDE the elastos workspace, so the other jobs never reach it.
dkms-release-invariant:
name: dKMS Release Invariant (no dev-modes/legacy)
runs-on: ubuntu-latest
# Assert the FEATURE invariant only; do not let unrelated pre-existing rustc warnings in this
# out-of-workspace crate mask it (the rest of CI keeps -D warnings).
env:
RUSTFLAGS: ""
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
with:
workspaces: capsules/dkms-authority
- name: Release build with DEFAULT features must succeed (no legacy path compiled)
run: cargo build --release --manifest-path capsules/dkms-authority/Cargo.toml
- name: Release build with legacy-receipt-authz must FAIL closed (compile guard)
run: |
if out=$(cargo build --release --manifest-path capsules/dkms-authority/Cargo.toml --features legacy-receipt-authz 2>&1); then
echo "::error::release build ACCEPTED legacy-receipt-authz β€” the release-invariant guard is missing"
exit 1
fi
echo "$out" | grep -q "release build must not enable" || {
echo "::error::release build failed, but NOT via the release-invariant guard:"; echo "$out"; exit 1;
}
echo "ok: release + legacy-receipt-authz rejected at compile time"
- name: Release build with dev-modes must FAIL closed (compile guard)
run: |
if out=$(cargo build --release --manifest-path capsules/dkms-authority/Cargo.toml --features dev-modes 2>&1); then
echo "::error::release build ACCEPTED dev-modes β€” the release-invariant guard is missing"
exit 1
fi
echo "$out" | grep -q "release build must not enable" || {
echo "::error::release build failed, but NOT via the release-invariant guard:"; echo "$out"; exit 1;
}
echo "ok: release + dev-modes rejected at compile time"
3 changes: 3 additions & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,9 @@ elastos/storage/
artifacts/
artifacts-aarch64/

# Local scratch build tree (vendored linux kernel source, cargo output, etc.)
build/

# Secrets and credentials
.env
*.pem
Expand Down
7 changes: 7 additions & 0 deletions ROADMAP.md
Original file line number Diff line number Diff line change
Expand Up @@ -924,6 +924,13 @@ clean.
Encrypted capsules, remote trust, reproducible builds, TPM/TEE-backed attestation, and dDRM-like flows remain future work.
They matter, but they should not distort the core runtime contract before the local base is stable.

Forensic watermarking for **audio/video** is a dedicated track: rasterizable types already ship a
two-layer (visible + invisible) per-buyer mark, but AV is key-protected, not yet fingerprinted. The
plan β€” A/B forensic variant watermarking (video) and spread-spectrum/echo-hiding (audio), produced
once at mint and selected per buyer from their signed grant at serve time, keeping the CEK boundary
and one canonical path intact β€” is designed in [docs/AV_WATERMARKING.md](docs/AV_WATERMARKING.md).
The heavy lift is a mint-time transcode pipeline, so it is a roadmap item, not a patch.

### AI and operator surfaces

Agent and AI provider surfaces should keep moving toward one stable runtime contract with explicit policy, identity, and budget boundaries instead of ad hoc special cases.
Expand Down
Loading
Loading