From 8e7c07ded2839ac648c275b0c8a9d52b6c765829 Mon Sep 17 00:00:00 2001 From: ehsan shariati Date: Sat, 9 May 2026 13:57:46 -0400 Subject: [PATCH 1/6] Introduce durable pin queue and drainer Add a durable, redb-backed pin queue and background drainer (W.9.6) to provide crash-safe, retriable pin/unpin dispatch. New modules pin_queue and pin_drainer implement enqueueing of PinRequest records, bounded-concurrency dispatch, exponential backoff, dead-letter graduation, and a LivePinDispatcher that routes MasterCluster and UserExternal pins (including durable unpin for user-external). Handlers (object, multipart, admin) now enqueue pins to the queue (with a fire-and-forget fallback when the queue is unset for tests/dev), and object.rs gains a helper to route user-external pins via the queue. Gateway config gets a pin_queue_path option (default /var/lib/fula-gateway/pin_queue.redb). Cargo.toml updated to add redb and postcard workspace deps. Tests and unit coverage for the drainer/dispatcher behavior were added/updated. --- Cargo.lock | 2 + crates/fula-cli/Cargo.toml | 8 + crates/fula-cli/src/config.rs | 14 + crates/fula-cli/src/handlers/admin.rs | 74 +- crates/fula-cli/src/handlers/internal.rs | 7 + crates/fula-cli/src/handlers/multipart.rs | 103 +- crates/fula-cli/src/handlers/object.rs | 300 ++- crates/fula-cli/src/lib.rs | 2 + crates/fula-cli/src/pin_drainer.rs | 949 ++++++++ crates/fula-cli/src/pin_queue.rs | 1223 ++++++++++ crates/fula-cli/src/server.rs | 60 + crates/fula-cli/src/state.rs | 42 + crates/fula-client/Cargo.toml | 5 + crates/fula-client/src/config.rs | 48 + crates/fula-client/src/encryption.rs | 1201 +++++++++- crates/fula-client/src/error.rs | 50 +- crates/fula-client/src/lib.rs | 4 + crates/fula-client/src/wal.rs | 1 + crates/fula-client/src/walkable_v8.rs | 359 +++ .../tests/encrypted_filesystem_tests.rs | 6 + crates/fula-client/tests/offline_e2e.rs | 238 +- .../tests/s3_blob_backend_returns_cid.rs | 351 +++ .../tests/walkable_v8_manifest_block_size.rs | 337 +++ .../tests/walkable_v8_offline_walk.rs | 197 ++ crates/fula-crypto/Cargo.toml | 12 +- .../fula-crypto/benches/crypto_benchmarks.rs | 8 +- .../fula-crypto/benches/walkable_v8_scale.rs | 470 ++++ crates/fula-crypto/src/chunked.rs | 211 ++ crates/fula-crypto/src/error.rs | 143 ++ crates/fula-crypto/src/private_forest.rs | 447 ++++ crates/fula-crypto/src/sharded_hamt_forest.rs | 2099 ++++++++++++++++- crates/fula-crypto/src/wnfs_hamt/mod.rs | 4 +- crates/fula-crypto/src/wnfs_hamt/node.rs | 251 +- crates/fula-crypto/src/wnfs_hamt/pointer.rs | 493 +++- crates/fula-crypto/src/wnfs_hamt/store.rs | 71 +- crates/fula-crypto/src/wnfs_hamt/v7_store.rs | 211 +- crates/fula-flutter/src/api/client.rs | 38 + crates/fula-flutter/src/api/error.rs | 40 +- crates/fula-flutter/src/api/types.rs | 35 + crates/fula-js/src/lib.rs | 56 + docs/website/security.html | 122 + docs/wnfs-comparison.md | 162 ++ encryption_diff.txt | Bin 0 -> 45500 bytes packages/fula_client/CHANGELOG.md | 136 ++ scripts/fxfiles-offline-open-bucket.ps1 | 20 +- sharded_diff.txt | Bin 0 -> 76734 bytes tests/audit2_tests.rs | 7 + tests/common/v1_seed.rs | 1 + tests/migration_tests.rs | 1 + 49 files changed, 10250 insertions(+), 369 deletions(-) create mode 100644 crates/fula-cli/src/pin_drainer.rs create mode 100644 crates/fula-cli/src/pin_queue.rs create mode 100644 crates/fula-client/src/walkable_v8.rs create mode 100644 crates/fula-client/tests/s3_blob_backend_returns_cid.rs create mode 100644 crates/fula-client/tests/walkable_v8_manifest_block_size.rs create mode 100644 crates/fula-client/tests/walkable_v8_offline_walk.rs create mode 100644 crates/fula-crypto/benches/walkable_v8_scale.rs create mode 100644 encryption_diff.txt create mode 100644 sharded_diff.txt diff --git a/Cargo.lock b/Cargo.lock index 6137c26..93a1438 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1770,7 +1770,9 @@ dependencies = [ "mime_guess", "oauth2", "parking_lot", + "postcard", "quick-xml", + "redb", "reqwest", "rstest", "serde", diff --git a/crates/fula-cli/Cargo.toml b/crates/fula-cli/Cargo.toml index 7973b4d..e725e40 100644 --- a/crates/fula-cli/Cargo.toml +++ b/crates/fula-cli/Cargo.toml @@ -71,6 +71,14 @@ clap = { workspace = true } # Storage dashmap = { workspace = true } parking_lot = { workspace = true } +# W.9.6 — durable pin queue. Same workspace dep that backs +# fula-client's BlockCache, so we get a known-good crash-safety story +# without inventing a new persistence layer. +redb = { workspace = true } +# Encoding for pin-queue records (pin_queue.rs). Same workspace dep +# fula-crypto already uses for HAMT wire types — deterministic, +# compact, and stable across Rust versions. +postcard = { workspace = true } # HTTP client (for balance check API) reqwest = { workspace = true } diff --git a/crates/fula-cli/src/config.rs b/crates/fula-cli/src/config.rs index c86de0a..119a746 100644 --- a/crates/fula-cli/src/config.rs +++ b/crates/fula-cli/src/config.rs @@ -45,6 +45,19 @@ pub struct GatewayConfig { /// LRU block cache capacity in MB. 0 disables the cache. #[serde(default = "default_block_cache_mb")] pub block_cache_mb: usize, + /// W.9.6 — durable pin queue file path. When `Some`, every PUT + /// enqueues its master-cluster + user-external pin requests to + /// this redb-backed queue and a background drainer dispatches + /// them with bounded concurrency + exp backoff retry. Survives + /// master crashes — pending pins resume on the next startup. + /// + /// When `None` (default for tests / minimal configs), the PUT + /// handler falls back to the legacy fire-and-forget pin path + /// (no retry, no crash safety). Production deploys MUST set + /// this; the fallback exists only to keep unit tests + dev + /// deployments lightweight. + #[serde(default)] + pub pin_queue_path: Option, } fn default_block_cache_mb() -> usize { @@ -73,6 +86,7 @@ impl Default for GatewayConfig { admin_jwt_secret: None, admin_api_enabled: false, block_cache_mb: default_block_cache_mb(), + pin_queue_path: Some("/var/lib/fula-gateway/pin_queue.redb".to_string()), } } } diff --git a/crates/fula-cli/src/handlers/admin.rs b/crates/fula-cli/src/handlers/admin.rs index 545e003..e01b71d 100644 --- a/crates/fula-cli/src/handlers/admin.rs +++ b/crates/fula-cli/src/handlers/admin.rs @@ -1070,25 +1070,71 @@ async fn sweep_one_bucket( } }; - // Pin the new root locally (best-effort, fire-and-forget — same - // pattern as the put_object handler). No user JWT needed for the - // local kubo pin; the cluster will replicate via its existing - // pin-follower discipline. The OLD root is left as-is and becomes - // unreferenced once the registry persists; cluster GC reaps it - // eventually. We deliberately do NOT actively unpin the old root - // — if the registry persist fails, we'd want the old root still - // available for recovery. + // #65 — pin the new root through the durable queue (W.9.6 + // pattern). Replaces the prior fire-and-forget `tokio::spawn`, + // which silently lost pins on master crash OR on operator + // cancel/restart of a slow sweep — the cancel/restart pattern is + // the load-bearing improvement here, not just full-crash + // durability. Mirror's object.rs:421-460's bucket-root path. + // + // Why `bearer_token: None`: admin sweep doesn't carry a user JWT + // (the comment block at line ~907 documents this). The drainer's + // dispatch path (`pin_drainer.rs:372`) reads `bearer_token` as + // `unwrap_or("")` and the empty-string short-circuit in + // `IpfsPinningBlockStore::pin_cid_with_token` (ipfs_pinning.rs:264) + // falls back to local-kubo `pin_cid` — byte-equivalent to today's + // `block_store.pin(...)` call. A single `warn!("Empty token ...")` + // log fires per dispatch; bounded by the sweep's bucket count. + // + // The OLD root is still left as-is (unreferenced; cluster GC + // reaps eventually). Active unpin would conflict with the + // recovery story if registry persist fails. { - let block_store = Arc::clone(&state.block_store); let pin_name = format!("bucket:{}", bucket_name); let cid = new_root_cid; - tokio::spawn(async move { - if let Err(e) = block_store.pin(&cid, Some(&pin_name)).await { - warn!(cid = %cid, error = %e, "PII sweep: failed to pin new bucket root"); + if let Some(queue) = state.pin_queue.as_ref() { + if let Err(e) = queue.enqueue(crate::pin_queue::PinRequest { + cid, + target: crate::pin_queue::PinTarget::MasterCluster, + kind: crate::pin_queue::PinKind::Add, + pin_name: Some(pin_name.clone()), + bearer_token: None, + pinning_endpoint: None, + }) { + // redb commit failed — fall back to fire-and-forget + // for this single record so the sweep doesn't fail + // hard. Operator alert for persistent failures. + warn!( + cid = %cid, + error = %e, + "PII sweep: pin_queue enqueue failed; falling back to fire-and-forget for this bucket root" + ); + let block_store = Arc::clone(&state.block_store); + let pin_name_clone = pin_name.clone(); + tokio::spawn(async move { + if let Err(e) = block_store.pin(&cid, Some(&pin_name_clone)).await { + warn!(cid = %cid, error = %e, "PII sweep: failed to pin new bucket root (queue-fallback path)"); + } + }); } else { - info!(cid = %cid, bucket = %pin_name, "PII sweep: new bucket root pinned"); + info!( + cid = %cid, + bucket = %pin_name, + "PII sweep: new bucket root enqueued for durable pin (#65)" + ); } - }); + } else { + // Legacy fire-and-forget — no queue configured (tests + + // minimal dev configs only; production sets `pin_queue_path`). + let block_store = Arc::clone(&state.block_store); + tokio::spawn(async move { + if let Err(e) = block_store.pin(&cid, Some(&pin_name)).await { + warn!(cid = %cid, error = %e, "PII sweep: failed to pin new bucket root"); + } else { + info!(cid = %cid, bucket = %pin_name, "PII sweep: new bucket root pinned"); + } + }); + } } report.buckets_rewritten += 1; diff --git a/crates/fula-cli/src/handlers/internal.rs b/crates/fula-cli/src/handlers/internal.rs index 2fe7ef8..12846ac 100644 --- a/crates/fula-cli/src/handlers/internal.rs +++ b/crates/fula-cli/src/handlers/internal.rs @@ -260,6 +260,11 @@ mod tests { multipart_manager: Arc::new(crate::multipart::MultipartManager::new(60)), lock_store: crate::handlers::locks::LockStore::new(), users_index_publisher, + // W.9.6 pin queue not exercised by users-index-publisher + // tests; leaving None routes pinning back through the + // legacy fire-and-forget path which is fine for these + // tests (they don't trigger PUTs / pinning). + pin_queue: None, }) } @@ -468,6 +473,7 @@ mod tests { // Publisher disabled — we expect 503, not 401 (no token) // and not 403 (S3 auth would trigger if middleware leaked). users_index_publisher: None, + pin_queue: None, }); let _ = state_path; // silence unused; only here to mirror prod path layout @@ -515,6 +521,7 @@ mod tests { multipart_manager: Arc::new(crate::multipart::MultipartManager::new(60)), lock_store: crate::handlers::locks::LockStore::new(), users_index_publisher: None, + pin_queue: None, }); let app = crate::routes::create_router(Arc::clone(&state)); diff --git a/crates/fula-cli/src/handlers/multipart.rs b/crates/fula-cli/src/handlers/multipart.rs index f5cbfcf..4300c2b 100644 --- a/crates/fula-cli/src/handlers/multipart.rs +++ b/crates/fula-cli/src/handlers/multipart.rs @@ -242,26 +242,107 @@ pub async fn complete_multipart_upload( tracing::warn!(error = %e, "Failed to persist bucket registry after complete_multipart_upload"); } - // Pin the BUCKET ROOT CID to ensure tree structure survives GC. - // This recursively pins all tree nodes AND all referenced object data (including parts). - // NOTE: Pinning is async (fire-and-forget) to avoid blocking the response. - { + // W.9.6 — pin the BUCKET ROOT CID through the durable queue. + // Mirrors the put_object handler's enqueue path so multipart + // uploads get the same crash-safety + retry guarantees as + // single-PUTs. Without this, every large-file upload would + // bypass the queue and silently regress to v0.5 fire-and-forget + // behaviour (load-bearing W.9.6 hole). + let pin_name = format!("bucket:{}", bucket); + if let Some(queue) = state.pin_queue.as_ref() { + if let Err(e) = queue.enqueue(crate::pin_queue::PinRequest { + cid: bucket_root_cid, + target: crate::pin_queue::PinTarget::MasterCluster, + kind: crate::pin_queue::PinKind::Add, + pin_name: Some(pin_name.clone()), + bearer_token: Some(session.jwt_token.clone()), + pinning_endpoint: None, + }) { + // Mirror put_object's enqueue-failed fallback: spawn the + // pin so the user's PUT doesn't fail. Operators see the + // warn; persistent failures are an alert. + tracing::warn!( + cid = %bucket_root_cid, + error = %e, + "pin_queue enqueue (multipart bucket-root) failed; falling back to fire-and-forget" + ); + let block_store = Arc::clone(&state.block_store); + let jwt_token = session.jwt_token.clone(); + let pn = pin_name.clone(); + tokio::spawn(async move { + if let Err(e) = block_store + .pin_with_token(&bucket_root_cid, Some(&pn), &jwt_token) + .await + { + tracing::warn!( + cid = %bucket_root_cid, + error = %e, + "Failed to pin bucket root CID (multipart queue-fallback path)" + ); + } + }); + } + } else { + // Legacy fire-and-forget — no queue configured. let block_store = Arc::clone(&state.block_store); - let pin_bucket = bucket.clone(); let jwt_token = session.jwt_token.clone(); + let pn = pin_name.clone(); tokio::spawn(async move { - let pin_name = format!("bucket:{}", pin_bucket); - if let Err(e) = block_store.pin_with_token(&bucket_root_cid, Some(&pin_name), &jwt_token).await { + if let Err(e) = block_store + .pin_with_token(&bucket_root_cid, Some(&pn), &jwt_token) + .await + { tracing::warn!(cid = %bucket_root_cid, error = %e, "Failed to pin bucket root CID"); } else { - tracing::info!(cid = %bucket_root_cid, bucket = %pin_name, "Bucket root CID pinned (recursive)"); + tracing::info!(cid = %bucket_root_cid, bucket = %pn, "Bucket root CID pinned (recursive)"); } }); } - // Also pin to user's external pinning service if credentials provided - // The session JWT is used as the default token if no X-Pinning-Token header is provided - pin_for_user(&headers, &first_part_cid, Some(&key), state.config.pinning_service_endpoint.as_deref(), Some(&session.jwt_token)).await; + // W.9.6 — user external pin via queue (or legacy fallback). + // Same routing as the put_object handler: when the queue is + // configured, durable + retry; otherwise legacy fire-and-forget + // via `pin_for_user`. The same `pin_for_user_via_queue` helper + // would be cleaner; for now we mirror its inline logic to + // avoid making `multipart.rs` depend on `object.rs`'s private + // helper. + if let Some(queue) = state.pin_queue.as_ref() { + if !session.jwt_token.is_empty() { + let creds = match state.config.pinning_service_endpoint.as_deref() { + Some(ep) => { + crate::pinning::PinningCredentials::from_jwt(&headers, &session.jwt_token, ep) + } + None => crate::pinning::PinningCredentials::from_headers(&headers), + }; + if let Some(creds) = creds { + let pin_name_user = Some(key.clone()).or_else(|| creds.name.clone()); + if let Err(e) = queue.enqueue(crate::pin_queue::PinRequest { + cid: first_part_cid, + target: crate::pin_queue::PinTarget::UserExternal, + kind: crate::pin_queue::PinKind::Add, + pin_name: pin_name_user, + bearer_token: Some(creds.token.clone()), + pinning_endpoint: Some(creds.endpoint.clone()), + }) { + tracing::warn!( + cid = %first_part_cid, + error = %e, + "pin_queue enqueue (multipart user-external) failed" + ); + } + } + } + } else { + // Legacy fire-and-forget for tests / minimal dev configs. + pin_for_user( + &headers, + &first_part_cid, + Some(&key), + state.config.pinning_service_endpoint.as_deref(), + Some(&session.jwt_token), + ) + .await; + } let location = format!("/{}/{}", bucket, key); let xml_response = xml::complete_multipart_upload_result( diff --git a/crates/fula-cli/src/handlers/object.rs b/crates/fula-cli/src/handlers/object.rs index 0e021d1..294f2e3 100644 --- a/crates/fula-cli/src/handlers/object.rs +++ b/crates/fula-cli/src/handlers/object.rs @@ -337,25 +337,159 @@ pub async fn put_object( ApiError::s3(S3ErrorCode::InternalError, "Failed to persist storage index. Please retry.") })?; - // Pin the BUCKET ROOT CID to ensure tree structure survives GC. - // This recursively pins all tree nodes AND all referenced object data. - // NOTE: Pinning is async (fire-and-forget) to avoid blocking the response. - { + // W.9.6 — pin THIS object's body CID **explicitly** in addition + // to the bucket-root recursive pin below. The bucket-root pin + // recursively walks the Prolly Tree IPLD DAG, which transitively + // covers leaf CIDs IF cluster's recursive-pin treats Prolly Tree + // leaves' `cid` field as walkable IPLD links. This is the + // pre-existing v7 contract; whether it holds for every leaf in + // every Prolly Tree implementation is a property of + // fula-blockstore + the cluster client. For walkable-v8 we + // CANNOT afford a quiet gap — every HAMT internal-node CID, + // every manifest-page CID, every chunk CID stamped into a + // `LinkV2` / `PageRef.cid` / `storage_cid` field MUST be + // DHT-discoverable for the W.9.4 reader's offline gateway race + // to find it. So we belt-and-suspenders: enqueue the body's + // CID directly. Cluster's pin API is idempotent at the CID + // level, so a CID also covered by the recursive pin gets + // pinned exactly once (no double work, no extra storage). + if let Some(queue) = state.pin_queue.as_ref() { + let object_pin_name = if key.starts_with("__fula_forest_v7_nodes/") { + // HAMT internal node — load-bearing for walkable-v8 + // offline walks. Distinguishable in `pin ls` for + // operator triage. + format!("v8-node:{}", bucket_name) + } else if key.starts_with("__fula_forest_") { + format!("forest-meta:{}", bucket_name) + } else { + format!("object:{}/{}", bucket_name, key) + }; + if let Err(e) = queue.enqueue(crate::pin_queue::PinRequest { + cid, + target: crate::pin_queue::PinTarget::MasterCluster, + kind: crate::pin_queue::PinKind::Add, + pin_name: Some(object_pin_name.clone()), + bearer_token: Some(session.jwt_token.clone()), + pinning_endpoint: None, + }) { + // Mirror the bucket-root path's fire-and-forget fallback + // (no asymmetry — both routes preserve walkable-v8's + // belt-and-suspenders guarantee). A redb commit failure + // shouldn't silently drop the per-object pin since the + // recursive bucket-root pin's transitive coverage is + // not architecturally guaranteed for HAMT internal-node + // ciphertexts. + tracing::warn!( + cid = %cid, + key = %key, + error = %e, + "pin_queue enqueue (per-object) failed; falling back to fire-and-forget for this PUT" + ); + let block_store = Arc::clone(&state.block_store); + let jwt_token = session.jwt_token.clone(); + let pn = object_pin_name; + tokio::spawn(async move { + if let Err(e) = block_store + .pin_with_token(&cid, Some(&pn), &jwt_token) + .await + { + tracing::warn!( + cid = %cid, + error = %e, + "Failed to pin per-object CID (queue-enqueue-fallback path)" + ); + } + }); + } + } + + // W.9.6 — pin the BUCKET ROOT CID through the durable queue. + // Cluster's recursive pin walks the bucket's Prolly Tree which + // covers every object referenced from the bucket. With the + // per-object pin above + this recursive pin, every CID gets + // pinned at LEAST once (and at most a few times — idempotent at + // cluster, so no harm). + // + // Routing: + // * `state.pin_queue = Some(_)` → durable enqueue; background + // drainer dispatches via `block_store.pin_with_token` with + // bounded concurrency + exp backoff retry. Returns 200 to + // the client immediately after the cheap redb commit. + // Pending pins survive a master crash. + // * `state.pin_queue = None` → legacy fire-and-forget. No + // retry, no crash safety. Tests + minimal dev configs only. + // Production deployments MUST set `pin_queue_path`. + let pin_name = format!("bucket:{}", bucket_name); + if let Some(queue) = state.pin_queue.as_ref() { + if let Err(e) = queue.enqueue(crate::pin_queue::PinRequest { + cid: bucket_root_cid, + target: crate::pin_queue::PinTarget::MasterCluster, + kind: crate::pin_queue::PinKind::Add, + pin_name: Some(pin_name.clone()), + bearer_token: Some(session.jwt_token.clone()), + pinning_endpoint: None, + }) { + // redb commit failed — log and fall back to fire-and- + // forget for this single request so the user's PUT + // doesn't fail. The next request will try the queue + // again; persistent failures here are an operator alert. + tracing::warn!( + cid = %bucket_root_cid, + error = %e, + "pin_queue enqueue (master) failed; falling back to fire-and-forget for this PUT" + ); + let block_store = Arc::clone(&state.block_store); + let jwt_token = session.jwt_token.clone(); + let pin_name_clone = pin_name.clone(); + tokio::spawn(async move { + if let Err(e) = block_store + .pin_with_token(&bucket_root_cid, Some(&pin_name_clone), &jwt_token) + .await + { + tracing::warn!( + cid = %bucket_root_cid, + error = %e, + "Failed to pin bucket root CID (queue-enqueue-fallback path)" + ); + } + }); + } else { + tracing::debug!( + cid = %bucket_root_cid, + bucket = %pin_name, + "Bucket root CID enqueued for durable pin (W.9.6)" + ); + } + } else { + // Legacy fire-and-forget — no queue configured. let block_store = Arc::clone(&state.block_store); - let pin_name = format!("bucket:{}", bucket_name); + let pin_name_clone = pin_name.clone(); let jwt_token = session.jwt_token.clone(); tokio::spawn(async move { - if let Err(e) = block_store.pin_with_token(&bucket_root_cid, Some(&pin_name), &jwt_token).await { + if let Err(e) = block_store + .pin_with_token(&bucket_root_cid, Some(&pin_name_clone), &jwt_token) + .await + { tracing::warn!(cid = %bucket_root_cid, error = %e, "Failed to pin bucket root CID"); } else { - tracing::info!(cid = %bucket_root_cid, bucket = %pin_name, "Bucket root CID pinned (recursive)"); + tracing::info!(cid = %bucket_root_cid, bucket = %pin_name_clone, "Bucket root CID pinned (recursive)"); } }); } - // Also pin to user's external pinning service if credentials provided - // The session JWT is used as the default token if no X-Pinning-Token header is provided - pin_for_user(&headers, &cid, Some(&key), state.config.pinning_service_endpoint.as_deref(), Some(&session.jwt_token)).await; + // Also pin THIS object's CID to the user's external pinning + // service if credentials are configured. W.9.6: routes through + // the same queue when `pin_queue_path` is set so user-external + // pins also get durable retry. Falls back to the legacy + // fire-and-forget `pin_for_user` when the queue is unconfigured. + pin_for_user_via_queue( + &state, + &session.jwt_token, + &headers, + &cid, + Some(&key), + ) + .await; Ok(( StatusCode::OK, @@ -364,6 +498,85 @@ pub async fn put_object( ).into_response()) } +/// W.9.6 — pin to the user's external pinning service via the +/// durable queue when configured, falling back to the legacy +/// `pin_for_user` (fire-and-forget) when the queue is `None`. +/// +/// Uses the same [`PinningCredentials::from_jwt`] header extraction +/// as `pin_for_user` so the wire contract (which headers consult, +/// which endpoint, which token) stays identical across the two +/// paths. Only the dispatch differs: queue → durable + retry, +/// legacy → fire-and-forget. +async fn pin_for_user_via_queue( + state: &Arc, + jwt: &str, + headers: &HeaderMap, + cid: &cid::Cid, + object_key: Option<&str>, +) { + let queue = match state.pin_queue.as_ref() { + Some(q) => q, + None => { + // Legacy fire-and-forget — preserves v0.5 behavior for + // tests + minimal dev configs. Production should set + // `pin_queue_path` so this branch is never taken. + pin_for_user( + headers, + cid, + object_key, + state.config.pinning_service_endpoint.as_deref(), + Some(jwt), + ) + .await; + return; + } + }; + + // Extract user credentials with the same logic `pin_for_user` + // uses. When the user has no pinning configured (no headers, no + // server default), we skip enqueueing — there is nothing to + // dispatch. + let endpoint = state.config.pinning_service_endpoint.as_deref(); + if jwt.is_empty() { + return; + } + let creds = match endpoint { + Some(ep) => crate::pinning::PinningCredentials::from_jwt(headers, jwt, ep), + None => crate::pinning::PinningCredentials::from_headers(headers), + }; + let creds = match creds { + Some(c) => c, + None => return, + }; + + // Enqueue. Failure here is best-effort — a redb commit failure + // shouldn't fail the user's PUT, since the master-cluster pin + // path covers DHT availability for this CID anyway. + let pin_name = object_key + .map(|s| s.to_string()) + .or_else(|| creds.name.clone()); + if let Err(e) = queue.enqueue(crate::pin_queue::PinRequest { + cid: *cid, + target: crate::pin_queue::PinTarget::UserExternal, + kind: crate::pin_queue::PinKind::Add, + pin_name, + bearer_token: Some(creds.token.clone()), + pinning_endpoint: Some(creds.endpoint.clone()), + }) { + tracing::warn!( + cid = %cid, + error = %e, + "pin_queue enqueue (user-external) failed; pin not retained for retry" + ); + } else { + tracing::debug!( + cid = %cid, + endpoint = %creds.endpoint, + "User-external pin enqueued for durable pin (W.9.6)" + ); + } +} + /// GET /{bucket}/{key} - Get object with Range and conditional request support pub async fn get_object( State(state): State>, @@ -742,6 +955,11 @@ pub async fn delete_object( }; if !still_referenced { + // Master-local unpin: stays sync best-effort. The failure + // mode is "kubo briefly down"; the next user write + // re-aligns state via the bucket-root pin queue. Per + // #66's minimal-scope advisor brief: route only the + // user-external unpin through the queue, not this one. if let Err(e) = state.block_store.unpin(&cid).await { tracing::warn!( cid = %cid, @@ -750,13 +968,61 @@ pub async fn delete_object( ); } - unpin_for_user( - &headers, - &cid, - state.config.pinning_service_endpoint.as_deref(), - Some(&session.jwt_token), - ) - .await; + // **#66 (2026-05-09)** — durable user-external unpin via + // the pin queue. Replaces the prior fire-and-forget + // `unpin_for_user(...)` which lost unpin requests on + // master crash and silently leaked pin slots on the + // user's pinning service. Pin/unpin "latest intent + // wins" semantics handle the upload→delete→re-upload + // race (the queue collapses both into one record per + // (cid, target) and dispatches the most recent intent). + // + // Falls back to legacy fire-and-forget when the queue + // isn't configured (tests + minimal dev), matching the + // pin path's handling at object.rs:461-476. + if !session.jwt_token.is_empty() { + if let Some(queue) = state.pin_queue.as_ref() { + let creds = match state.config.pinning_service_endpoint.as_deref() { + Some(ep) => crate::pinning::PinningCredentials::from_jwt( + &headers, + &session.jwt_token, + ep, + ), + None => crate::pinning::PinningCredentials::from_headers(&headers), + }; + if let Some(creds) = creds { + if let Err(e) = queue.enqueue(crate::pin_queue::PinRequest { + cid, + target: crate::pin_queue::PinTarget::UserExternal, + kind: crate::pin_queue::PinKind::Remove, + pin_name: None, // unpin doesn't need a label + bearer_token: Some(creds.token.clone()), + pinning_endpoint: Some(creds.endpoint.clone()), + }) { + tracing::warn!( + cid = %cid, + error = %e, + "pin_queue enqueue (user-external unpin) failed; falling back to fire-and-forget" + ); + unpin_for_user( + &headers, + &cid, + state.config.pinning_service_endpoint.as_deref(), + Some(&session.jwt_token), + ) + .await; + } + } + } else { + unpin_for_user( + &headers, + &cid, + state.config.pinning_service_endpoint.as_deref(), + Some(&session.jwt_token), + ) + .await; + } + } } else { tracing::debug!( cid = %cid, diff --git a/crates/fula-cli/src/lib.rs b/crates/fula-cli/src/lib.rs index 67f074c..9facb67 100644 --- a/crates/fula-cli/src/lib.rs +++ b/crates/fula-cli/src/lib.rs @@ -38,6 +38,8 @@ pub mod error; pub mod handlers; pub mod middleware; pub mod multipart; +pub mod pin_drainer; +pub mod pin_queue; pub mod pinning; pub mod routes; pub mod server; diff --git a/crates/fula-cli/src/pin_drainer.rs b/crates/fula-cli/src/pin_drainer.rs new file mode 100644 index 0000000..f84b8f1 --- /dev/null +++ b/crates/fula-cli/src/pin_drainer.rs @@ -0,0 +1,949 @@ +//! Background pin-queue drainer (W.9.6). +//! +//! Pulls due records from [`PinQueue`] and dispatches them through a +//! [`PinDispatcher`] (master cluster pin or user external pinning +//! service, depending on the record's target). Bounded concurrency +//! caps in-flight RPCs so a thundering herd of writes can't DoS the +//! cluster. On success, the row is deleted; on failure, it gets +//! exponential-backoff'd and stays for the next tick. +//! +//! # Design +//! +//! - **`drain_once`** — does ONE batch: pops `max_batch` due records, +//! spawns each dispatch under a semaphore, awaits all, returns stats. +//! Pure function, easy to unit-test, no long-lived state. +//! - **`spawn_drainer_loop`** — production wrapper: calls `drain_once`, +//! sleeps when idle, exits on cancel. Used at master startup; the +//! `JoinHandle` lets graceful shutdown await drain completion. +//! - **`PinDispatcher`** trait — abstracts the actual pin RPC. The +//! production impl wires `BlockStore::pin_with_token` for the +//! master target and the existing `PinningServiceClient` for the +//! user target. Tests substitute a `MockDispatcher` that records +//! calls + returns scripted outcomes, so the queue behaviour can be +//! exercised without a real cluster. +//! +//! # Crash recovery +//! +//! The drainer holds NO durable state — every persistent fact lives +//! in the queue. On master restart, a fresh drainer reads the same +//! queue and continues. Records that were "in flight" when the master +//! crashed (popped but not yet succeeded/failed) reappear in +//! `pop_due`'s next batch and the dispatch retries — safe because +//! the cluster's pin API is idempotent. +//! +//! # Concurrency model +//! +//! Exactly one drainer per `PinQueue`. Multi-drainer is unsupported +//! (the queue is not partitioned for it; you'd see double-pins which +//! work but waste cycles). The semaphore inside `drain_once` is the +//! only concurrency primitive. + +use crate::pin_queue::{ + PinFailedOutcome, PinKind, PinQueue, PinQueueError, PinRecord, PinTarget, DEFAULT_MAX_ATTEMPTS, +}; +use async_trait::async_trait; +use fula_blockstore::{ + FlexibleBlockStore, Pin, PinStore, PinningServiceClient, PinningServiceConfig, +}; +use futures::stream::{FuturesUnordered, StreamExt}; +use std::sync::Arc; +use std::time::{Duration, SystemTime, UNIX_EPOCH}; +use tokio::sync::{Semaphore, oneshot}; +use tracing::{debug, error, warn}; + +/// Max records to pop in a single `drain_once` batch. Big enough to +/// keep the semaphore busy under bursty enqueue rates; small enough +/// that the per-batch redb read transaction stays cheap. +pub const DEFAULT_DRAIN_BATCH_SIZE: usize = 128; + +/// Default cap on concurrent in-flight pin RPCs. Master typically +/// fronts a single ipfs-cluster instance; 32 parallel pin calls is +/// well within cluster's capacity (cluster's own internal queues are +/// the real bottleneck) without inviting head-of-line blocking. +pub const DEFAULT_MAX_CONCURRENT_PINS: usize = 32; + +/// How long to sleep when `pop_due` returns empty before checking +/// again. Short enough that newly-enqueued records get processed +/// promptly; long enough that an idle queue doesn't burn CPU. +pub const DEFAULT_IDLE_POLL_MS: u64 = 1000; + +/// Drainer configuration. All fields have sensible defaults via +/// [`DrainerConfig::default`]; tests override per-test. +#[derive(Debug, Clone)] +pub struct DrainerConfig { + pub max_batch_size: usize, + pub max_concurrent_pins: usize, + pub idle_poll_interval: Duration, + /// Records hitting this many failures graduate to dead. The queue's + /// own [`DEFAULT_MAX_ATTEMPTS`] is the recommended floor. + pub max_attempts: u32, +} + +impl Default for DrainerConfig { + fn default() -> Self { + Self { + max_batch_size: DEFAULT_DRAIN_BATCH_SIZE, + max_concurrent_pins: DEFAULT_MAX_CONCURRENT_PINS, + idle_poll_interval: Duration::from_millis(DEFAULT_IDLE_POLL_MS), + max_attempts: DEFAULT_MAX_ATTEMPTS, + } + } +} + +/// Counts of what `drain_once` accomplished. Returned for both +/// telemetry and tests; the loop wrapper uses `processed == 0` as +/// the "go to sleep" signal. +#[derive(Debug, Default, Clone, Copy, PartialEq, Eq)] +pub struct DrainStats { + /// Records popped from the queue this tick. + pub processed: usize, + /// Of those, how many succeeded. + pub succeeded: usize, + /// Of those, how many failed but will retry later. + pub retried: usize, + /// Of those, how many graduated to dead-letter. + pub graduated_dead: usize, +} + +/// Errors a dispatcher implementation can surface. Distinct from +/// `PinQueueError` so the drainer can decide retry-vs-dead based on +/// the kind of error (today: any error retries up to `max_attempts`). +#[derive(Debug, thiserror::Error)] +pub enum DispatchError { + /// Network / cluster transient — retry expected to help. + #[error("transient pin failure: {0}")] + Transient(String), + /// Configuration / authentication / auth — retry unlikely to help. + /// Currently treated identically to Transient (just retries with + /// backoff up to max_attempts), but distinguished here so a + /// future "dead-on-permanent" policy can be enabled without + /// refactoring dispatcher impls. + #[error("permanent pin failure: {0}")] + Permanent(String), +} + +/// Trait the drainer uses to dispatch a single pin RPC. The +/// production impl wires `block_store.pin_with_token` (master +/// cluster) and `PinningServiceClient::add_pin` (user external); +/// tests substitute mocks. Async by necessity; both pin paths cross +/// HTTP. +#[async_trait] +pub trait PinDispatcher: Send + Sync { + /// Dispatch a single pin record. The drainer calls this under + /// the bounded-concurrency semaphore. Returning `Ok(())` causes + /// the queue row to be deleted; `Err(_)` causes a retry + + /// exponential backoff (or graduation to dead after + /// `max_attempts`). + async fn dispatch(&self, record: &PinRecord) -> Result<(), DispatchError>; +} + +/// Drain one batch of due records. Pure function; safe to call from +/// tests in a loop without spawning a long-running task. +/// +/// Returns when every popped record has been resolved (succeeded / +/// retried / graduated to dead). The semaphore caps concurrent +/// in-flight dispatches; the `await` after spawning is what bounds +/// memory usage. +pub async fn drain_once( + queue: &PinQueue, + dispatcher: Arc, + config: &DrainerConfig, +) -> Result { + let now_ms = SystemTime::now() + .duration_since(UNIX_EPOCH) + .map(|d| d.as_millis() as u64) + .unwrap_or(0); + let due = queue.pop_due(now_ms, config.max_batch_size)?; + if due.is_empty() { + return Ok(DrainStats::default()); + } + + let semaphore = Arc::new(Semaphore::new(config.max_concurrent_pins.max(1))); + let mut futures = FuturesUnordered::new(); + + for record in due { + let permit_sem = Arc::clone(&semaphore); + let dispatcher = Arc::clone(&dispatcher); + futures.push(async move { + let _permit = permit_sem + .acquire_owned() + .await + .expect("semaphore not closed"); + let outcome = dispatcher.dispatch(&record).await; + (record, outcome) + }); + } + + let mut stats = DrainStats { + processed: 0, + succeeded: 0, + retried: 0, + graduated_dead: 0, + }; + + while let Some((record, outcome)) = futures.next().await { + stats.processed += 1; + let cid = match record.cid() { + Ok(c) => c, + Err(e) => { + // Per advisor I1 finding: a record whose cid bytes + // cannot decode would otherwise loop forever + // (`pop_due` re-surfaces it every tick at + // attempts=0/next_due=0). Drop it via + // `purge_corrupt_record` which keys on the raw + // cid_bytes (no decode required). The audit signal + // is the `error!` log line — we can't add the row + // to dead_count because that requires a record + // postcard-encoded with `dead = true`, and re-encoding + // here would re-introduce the corrupt bytes. + error!( + target_byte = ?record.target, + error = %e, + "pin_drainer: purging corrupt persisted record (cannot decode \ + cid_bytes). Audit signal is this log line." + ); + if let Err(purge_err) = + queue.purge_corrupt_record(&record.cid_bytes, record.target) + { + error!( + error = %purge_err, + "pin_drainer: purge_corrupt_record failed; record will \ + re-surface on next pop_due (will keep logging until \ + operator clears it)" + ); + } + stats.graduated_dead += 1; + continue; + } + }; + match outcome { + Ok(()) => { + if let Err(e) = queue.mark_succeeded(&cid, record.target) { + // Mark-succeeded failure means the redb write itself + // failed (extremely rare). The pin DID happen so a + // future drain will see the record again and retry, + // which is idempotent at the cluster — no harm done. + warn!( + cid = %cid, + error = %e, + "pin_drainer: mark_succeeded failed; record will retry on next drain (pin is idempotent)" + ); + stats.retried += 1; + } else { + stats.succeeded += 1; + debug!(cid = %cid, target = ?record.target, "pin_drainer: pinned"); + } + } + Err(err) => { + let outcome = queue.mark_failed(&cid, record.target, config.max_attempts); + match outcome { + Ok(Some(PinFailedOutcome::Retry { next_due_unix_ms })) => { + stats.retried += 1; + warn!( + cid = %cid, + target = ?record.target, + attempts = record.attempts + 1, + error = %err, + next_due_unix_ms, + "pin_drainer: pin failed; will retry" + ); + } + Ok(Some(PinFailedOutcome::Dead)) => { + stats.graduated_dead += 1; + error!( + cid = %cid, + target = ?record.target, + attempts = record.attempts + 1, + error = %err, + "pin_drainer: pin permanently failed; graduated to dead-letter \ + (record retained in queue for audit)" + ); + } + Ok(None) => { + // Record vanished between pop and mark — extremely + // unlikely in single-drainer setup but harmless. + debug!(cid = %cid, "pin_drainer: record vanished during failure handling"); + } + Err(e) => { + error!( + cid = %cid, + error = %e, + "pin_drainer: mark_failed failed; record will be retried on next \ + drain at the same attempts count (no progress, but no data loss)" + ); + } + } + } + } + } + + Ok(stats) +} + +/// Spawn the drainer in a long-running tokio task. Returns the +/// `JoinHandle` plus a `oneshot::Sender<()>` that signals graceful +/// shutdown. +/// +/// At shutdown: +/// 1. Caller drops or sends () on the cancel sender. +/// 2. Drainer finishes its current batch (does NOT pop a fresh one). +/// 3. JoinHandle resolves; pending records stay in the queue for the +/// next master startup to pick up. No data loss. +pub fn spawn_drainer_loop( + queue: Arc, + dispatcher: Arc, + config: DrainerConfig, +) -> ( + tokio::task::JoinHandle<()>, + oneshot::Sender<()>, +) { + let (cancel_tx, mut cancel_rx) = oneshot::channel::<()>(); + let handle = tokio::spawn(async move { + loop { + tokio::select! { + biased; + _ = &mut cancel_rx => { + debug!("pin_drainer: shutdown signal received, exiting"); + break; + } + stats_res = drain_once(&queue, Arc::clone(&dispatcher), &config) => { + match stats_res { + Ok(stats) if stats.processed == 0 => { + // Idle — sleep before next poll. We use a + // sleep-with-cancel to wake up promptly on + // shutdown. + tokio::select! { + _ = &mut cancel_rx => { + debug!("pin_drainer: shutdown during idle, exiting"); + break; + } + _ = tokio::time::sleep(config.idle_poll_interval) => {} + } + } + Ok(_stats) => { + // Active — immediately attempt next batch + // without sleeping; the bounded semaphore + // already throttles dispatches. + } + Err(e) => { + error!( + error = %e, + "pin_drainer: queue error during drain_once; \ + sleeping idle interval and retrying" + ); + tokio::time::sleep(config.idle_poll_interval).await; + } + } + } + } + } + }); + (handle, cancel_tx) +} + +/// Production [`PinDispatcher`] — dispatches `MasterCluster` records +/// through `BlockStore::pin_with_token` and `UserExternal` records +/// through the existing `PinningServiceClient`. Wired by +/// `server::run_server` at master startup. +/// +/// Errors from the underlying pin RPCs are mapped to +/// [`DispatchError::Transient`] so the queue retries them; permanent +/// failures (e.g. malformed user-external endpoint at enqueue time) +/// surface as [`DispatchError::Permanent`] so the dead-letter +/// triage path engages immediately. +pub struct LivePinDispatcher { + block_store: Arc, +} + +impl LivePinDispatcher { + pub fn new(block_store: Arc) -> Self { + Self { block_store } + } +} + +#[async_trait] +impl PinDispatcher for LivePinDispatcher { + async fn dispatch(&self, record: &PinRecord) -> Result<(), DispatchError> { + let cid = record + .cid() + .map_err(|e| DispatchError::Permanent(format!("corrupt cid bytes: {e}")))?; + // **#66**: branch on (target, kind). Add+MasterCluster and + // Add+UserExternal are the legacy paths (unchanged). Remove + // is the new dispatch surface — currently UserExternal-only; + // Remove+MasterCluster returns Permanent because the unpin + // queue's minimal scope (advisor #66 brief) is user-external. + match (record.target, record.kind) { + (PinTarget::MasterCluster, PinKind::Add) => { + let token = record.bearer_token.as_deref().unwrap_or(""); + self.block_store + .pin_with_token(&cid, record.pin_name.as_deref(), token) + .await + .map_err(|e| DispatchError::Transient(e.to_string())) + } + (PinTarget::UserExternal, PinKind::Add) => { + let endpoint = record + .pinning_endpoint + .as_deref() + .ok_or_else(|| { + DispatchError::Permanent( + "user-external pin record missing pinning_endpoint".into(), + ) + })?; + let token = record.bearer_token.as_deref().ok_or_else(|| { + DispatchError::Permanent( + "user-external pin record missing bearer_token".into(), + ) + })?; + let config = PinningServiceConfig::new(endpoint, token); + let client = PinningServiceClient::new(config) + .map_err(|e| DispatchError::Permanent(e.to_string()))?; + let mut pin = Pin::new(cid.to_string()); + if let Some(name) = &record.pin_name { + pin = pin.with_name(name.clone()); + } + client + .add_pin(pin) + .await + .map(|_status| ()) + .map_err(|e| DispatchError::Transient(e.to_string())) + } + (PinTarget::UserExternal, PinKind::Remove) => { + // **#66 (2026-05-09)** — durable user-external unpin. + // Two-step: lookup pin by CID, DELETE by request_id. + // 404 on lookup ("no pin exists for this CID") and + // 404 on delete ("pin already removed") both map to + // `Ok(())` — the user's intent ("ensure unpinned") + // is satisfied either way. + let endpoint = record + .pinning_endpoint + .as_deref() + .ok_or_else(|| { + DispatchError::Permanent( + "user-external unpin record missing pinning_endpoint".into(), + ) + })?; + let token = record.bearer_token.as_deref().ok_or_else(|| { + DispatchError::Permanent( + "user-external unpin record missing bearer_token".into(), + ) + })?; + let config = PinningServiceConfig::new(endpoint, token); + let client = PinningServiceClient::new(config) + .map_err(|e| DispatchError::Permanent(e.to_string()))?; + let cid_str = cid.to_string(); + match client.get_pin_by_cid(&cid_str).await { + Ok(Some(status)) => client + .delete_pin(&status.request_id) + .await + .map(|_| ()) + .map_err(|e| DispatchError::Transient(e.to_string())), + // No pin found — already unpinned, intent satisfied. + Ok(None) => Ok(()), + Err(e) => Err(DispatchError::Transient(e.to_string())), + } + } + (PinTarget::MasterCluster, PinKind::Remove) => { + // Out of scope for #66. The minimal-scope rationale + // (advisor brief): master-local unpin failure mode + // is "kubo briefly down" and is already handled + // sync-best-effort at the call site (object.rs:955) + // — re-aligning state on the next user write is + // cheap. Routing it through the queue would add + // latency without correctness gain. + Err(DispatchError::Permanent( + "PinKind::Remove with MasterCluster target is not implemented (#66 minimal \ + scope is user-external only)" + .into(), + )) + } + } + } +} + +#[cfg(test)] +mod tests { + use super::*; + use crate::pin_queue::{PinKind, PinQueue, PinRequest, PinTarget}; + use cid::multihash::Multihash; + use cid::Cid; + use parking_lot::Mutex; + + fn make_cid(seed: u8) -> Cid { + let digest = [seed; 32]; + let mh = Multihash::<64>::wrap(0x1e, &digest).expect("blake3 multihash wrap"); + Cid::new_v1(0x55, mh) + } + + fn fresh_queue() -> (Arc, tempfile::TempDir) { + let dir = tempfile::tempdir().expect("tempdir"); + let path = dir.path().join("pinq.redb"); + let q = PinQueue::open(&path).expect("open"); + (Arc::new(q), dir) + } + + /// Test dispatcher with scripted per-CID outcomes. Records every + /// dispatch call so tests can assert on call count + sequence. + struct ScriptedDispatcher { + /// Per-CID outcome list. The Nth call for a given CID returns + /// the Nth entry; once exhausted, returns Ok(()) (success). + scripts: Mutex>>>, + /// Every dispatch call recorded as (cid, target). + calls: Mutex>, + } + + impl ScriptedDispatcher { + fn new() -> Self { + Self { + scripts: Mutex::new(std::collections::HashMap::new()), + calls: Mutex::new(Vec::new()), + } + } + + fn script(&self, cid: Cid, outcomes: Vec>) { + self.scripts.lock().insert(cid, outcomes); + } + + fn calls(&self) -> Vec<(Cid, PinTarget)> { + self.calls.lock().clone() + } + } + + #[async_trait] + impl PinDispatcher for ScriptedDispatcher { + async fn dispatch(&self, record: &PinRecord) -> Result<(), DispatchError> { + let cid = record.cid().expect("test cid valid"); + self.calls.lock().push((cid, record.target)); + let mut scripts = self.scripts.lock(); + let entry = scripts.entry(cid).or_insert_with(Vec::new); + if entry.is_empty() { + Ok(()) + } else { + entry.remove(0) + } + } + } + + #[tokio::test] + async fn drain_once_marks_records_succeeded_and_clears_queue() { + let (q, _td) = fresh_queue(); + let dispatcher = Arc::new(ScriptedDispatcher::new()); + let cids: Vec<_> = (1u8..=5).map(make_cid).collect(); + for c in &cids { + q.enqueue(PinRequest { + cid: *c, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:Some("bucket:t".to_string()), + bearer_token: Some("jwt".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + } + let stats = drain_once( + &q, + dispatcher.clone() as Arc, + &DrainerConfig::default(), + ) + .await + .unwrap(); + assert_eq!(stats.processed, 5); + assert_eq!(stats.succeeded, 5); + assert_eq!(stats.retried, 0); + assert_eq!(stats.graduated_dead, 0); + assert_eq!(q.pending_count().unwrap(), 0); + assert_eq!(dispatcher.calls().len(), 5); + } + + #[tokio::test] + async fn drain_once_retries_then_succeeds() { + let (q, _td) = fresh_queue(); + let dispatcher = Arc::new(ScriptedDispatcher::new()); + let cid = make_cid(0xAA); + // First two attempts fail (transient), third succeeds. + dispatcher.script( + cid, + vec![ + Err(DispatchError::Transient("cluster busy".into())), + Err(DispatchError::Transient("cluster busy".into())), + Ok(()), + ], + ); + q.enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:None, + bearer_token: Some("jwt".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + + // First drain: fails, schedules retry. + let stats = drain_once( + &q, + dispatcher.clone() as Arc, + &DrainerConfig::default(), + ) + .await + .unwrap(); + assert_eq!(stats.retried, 1); + assert_eq!(q.pending_count().unwrap(), 1); + + // Second drain immediately after: due to backoff, the record + // is NOT due yet, so drain_once finds nothing. + let stats = drain_once( + &q, + dispatcher.clone() as Arc, + &DrainerConfig::default(), + ) + .await + .unwrap(); + assert_eq!(stats.processed, 0, "backoff hides the record from this drain"); + + // Force the record's next_due into the past so the test + // doesn't have to wait 500ms+. Re-pop with a far-future + // "now" effectively bypasses the backoff for testing. + let due = q.pop_due(u64::MAX / 2, 100).unwrap(); + assert_eq!(due.len(), 1, "with far-future now, record is due"); + + // Manually run dispatch + mark for the second + third attempts. + let r = dispatcher.dispatch(&due[0]).await; + assert!(r.is_err()); + let outcome = q + .mark_failed(&cid, PinTarget::MasterCluster, DEFAULT_MAX_ATTEMPTS) + .unwrap() + .unwrap(); + assert!(matches!(outcome, PinFailedOutcome::Retry { .. })); + + let due = q.pop_due(u64::MAX / 2, 100).unwrap(); + let r = dispatcher.dispatch(&due[0]).await; + assert!(r.is_ok(), "third attempt scripted Ok"); + q.mark_succeeded(&cid, PinTarget::MasterCluster).unwrap(); + assert_eq!(q.pending_count().unwrap(), 0); + assert_eq!(dispatcher.calls().len(), 3, "exactly three dispatch calls"); + } + + #[tokio::test] + async fn drain_once_graduates_to_dead_after_max_attempts() { + let (q, _td) = fresh_queue(); + let dispatcher = Arc::new(ScriptedDispatcher::new()); + let cid = make_cid(0xDD); + // Always fail. + dispatcher.script( + cid, + (0..20) + .map(|_| Err(DispatchError::Permanent("nope".into()))) + .collect(), + ); + q.enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:None, + bearer_token: None, + pinning_endpoint: None, + }) + .unwrap(); + + // Tight max_attempts so the test runs fast. + let config = DrainerConfig { + max_attempts: 3, + ..DrainerConfig::default() + }; + + // Loop drain+pop_due-with-far-future-now to bypass backoff. + for _ in 0..10 { + let due = q.pop_due(u64::MAX / 2, 100).unwrap(); + if due.is_empty() { + break; + } + for record in due { + let cid_in = record.cid().unwrap(); + let res = dispatcher.dispatch(&record).await; + if let Err(_) = res { + let _ = q.mark_failed(&cid_in, record.target, config.max_attempts); + } + } + if q.dead_count().unwrap() > 0 { + break; + } + } + assert_eq!( + q.dead_count().unwrap(), + 1, + "after max_attempts failures the record graduates to dead" + ); + assert_eq!(q.pending_count().unwrap(), 0); + } + + #[tokio::test] + async fn drain_once_is_safe_when_queue_is_empty() { + let (q, _td) = fresh_queue(); + let dispatcher = Arc::new(ScriptedDispatcher::new()); + let stats = drain_once( + &q, + dispatcher.clone() as Arc, + &DrainerConfig::default(), + ) + .await + .unwrap(); + assert_eq!(stats, DrainStats::default()); + assert_eq!(dispatcher.calls().len(), 0); + } + + #[tokio::test] + async fn drain_once_dispatches_per_target_independently() { + // Same CID, both targets — each dispatched once, both get + // their own queue row and their own success. + let (q, _td) = fresh_queue(); + let dispatcher = Arc::new(ScriptedDispatcher::new()); + let cid = make_cid(0x77); + q.enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:None, + bearer_token: Some("jwt".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + q.enqueue(PinRequest { + cid, + target: PinTarget::UserExternal, + kind: PinKind::Add, + pin_name: None, + bearer_token: Some("user-token".to_string()), + pinning_endpoint: Some("https://pinning.example/".to_string()), + }) + .unwrap(); + let stats = drain_once( + &q, + dispatcher.clone() as Arc, + &DrainerConfig::default(), + ) + .await + .unwrap(); + assert_eq!(stats.processed, 2); + assert_eq!(stats.succeeded, 2); + let calls = dispatcher.calls(); + assert!(calls.iter().any(|(c, t)| *c == cid && *t == PinTarget::MasterCluster)); + assert!(calls.iter().any(|(c, t)| *c == cid && *t == PinTarget::UserExternal)); + } + + /// Crash-recovery integration test (advisor's load-bearing W.9.6 + /// property): enqueue 100 pins through the queue, drop the + /// drainer mid-batch, reopen the queue at the same path with a + /// fresh dispatcher, and observe every record eventually gets + /// its `mark_succeeded` call. + #[tokio::test] + async fn crash_recovery_drains_persisted_pins_after_restart() { + let dir = tempfile::tempdir().expect("tempdir"); + let path = dir.path().join("crash.redb"); + let cids: Vec<_> = (1u8..=100).map(make_cid).collect(); + + // Phase 1: enqueue 100 pins, then DROP the queue without + // running the drainer. Simulates a master crash between + // PUT-enqueue and the next drainer tick. + { + let q = PinQueue::open(&path).expect("open #1"); + for c in &cids { + q.enqueue(PinRequest { + cid: *c, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name: Some("bucket:crash".to_string()), + bearer_token: Some("jwt".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + } + assert_eq!(q.pending_count().unwrap(), 100); + // q dropped here. + } + + // Phase 2: reopen the queue with a fresh dispatcher (= new + // process). The drainer must see all 100 records and pin + // them. + let q = Arc::new(PinQueue::open(&path).expect("open #2")); + let dispatcher = Arc::new(ScriptedDispatcher::new()); + // No script entries → dispatcher returns Ok(()) for everyone. + let mut total_processed = 0; + // drain_once batches at config.max_batch_size=128, so one + // call should handle all 100. Loop just in case. + for _ in 0..3 { + let stats = drain_once( + &q, + dispatcher.clone() as Arc, + &DrainerConfig::default(), + ) + .await + .unwrap(); + total_processed += stats.processed; + if q.pending_count().unwrap() == 0 { + break; + } + } + assert_eq!( + total_processed, 100, + "every persisted pin must be picked up by the post-crash drainer — \ + this is the load-bearing W.9.6 durability property" + ); + assert_eq!(q.pending_count().unwrap(), 0); + assert_eq!(dispatcher.calls().len(), 100); + // Every CID must have been dispatched exactly once across the + // restart boundary. + let mut seen: std::collections::HashSet = + dispatcher.calls().into_iter().map(|(c, _)| c).collect(); + assert_eq!(seen.len(), 100, "100 distinct CIDs dispatched"); + for c in &cids { + assert!(seen.remove(c), "expected CID {c} not dispatched after restart"); + } + } + + #[tokio::test] + async fn drain_once_bounded_concurrency_is_respected() { + // Set max_concurrent_pins=2 with a tracking dispatcher that + // counts max-in-flight; verify it never exceeds 2. + let (q, _td) = fresh_queue(); + let in_flight = Arc::new(std::sync::atomic::AtomicUsize::new(0)); + let max_observed = Arc::new(std::sync::atomic::AtomicUsize::new(0)); + + struct CountingDispatcher { + in_flight: Arc, + max_observed: Arc, + } + + #[async_trait] + impl PinDispatcher for CountingDispatcher { + async fn dispatch(&self, _r: &PinRecord) -> Result<(), DispatchError> { + let cur = self + .in_flight + .fetch_add(1, std::sync::atomic::Ordering::SeqCst) + + 1; + let mut prev = self + .max_observed + .load(std::sync::atomic::Ordering::SeqCst); + while cur > prev { + match self.max_observed.compare_exchange( + prev, + cur, + std::sync::atomic::Ordering::SeqCst, + std::sync::atomic::Ordering::SeqCst, + ) { + Ok(_) => break, + Err(actual) => prev = actual, + } + } + tokio::time::sleep(std::time::Duration::from_millis(20)).await; + self.in_flight + .fetch_sub(1, std::sync::atomic::Ordering::SeqCst); + Ok(()) + } + } + + let dispatcher: Arc = Arc::new(CountingDispatcher { + in_flight: in_flight.clone(), + max_observed: max_observed.clone(), + }); + for i in 1u8..=10 { + q.enqueue(PinRequest { + cid: make_cid(i), + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:None, + bearer_token: None, + pinning_endpoint: None, + }) + .unwrap(); + } + let config = DrainerConfig { + max_concurrent_pins: 2, + ..DrainerConfig::default() + }; + let stats = drain_once(&q, dispatcher, &config).await.unwrap(); + assert_eq!(stats.succeeded, 10); + let max = max_observed.load(std::sync::atomic::Ordering::SeqCst); + assert!( + max <= 2, + "max_concurrent_pins=2 must cap in-flight at 2; observed {} concurrent", + max + ); + assert!( + max >= 2, + "test setup expects to actually saturate the cap; observed {} \ + (sleep too short relative to scheduler latency?)", + max + ); + } + + /// **#66 (2026-05-09)** — `LivePinDispatcher::dispatch` returns + /// `Permanent` for `(Remove, MasterCluster)` records (out-of-scope + /// for #66 minimal scope). Drainer's mark_failed graduates + /// Permanent records to dead immediately; this test pins the + /// dispatcher's mapping rather than the drainer's downstream + /// handling. + #[tokio::test] + async fn live_dispatcher_remove_master_cluster_returns_permanent() { + use fula_blockstore::{FlexibleBlockStore, MemoryBlockStore}; + let block_store = Arc::new(FlexibleBlockStore::Memory(MemoryBlockStore::new())); + let dispatcher = LivePinDispatcher::new(block_store); + + let cid = make_cid(0x99); + let record = PinRecord { + cid_bytes: cid.to_bytes(), + target: PinTarget::MasterCluster, + kind: PinKind::Remove, + pin_name: None, + bearer_token: None, + pinning_endpoint: None, + attempts: 0, + next_due_unix_ms: 0, + dead: false, + enqueued_at_unix_ms: 0, + }; + + let result = dispatcher.dispatch(&record).await; + match result { + Err(DispatchError::Permanent(msg)) => { + assert!( + msg.contains("not implemented"), + "expected #66 'not implemented' message for Remove+MasterCluster, got: {}", + msg + ); + } + other => panic!( + "expected DispatchError::Permanent for Remove+MasterCluster (out of #66 scope), got: {:?}", + other + ), + } + } + + /// **#66** — sanity: `LivePinDispatcher::dispatch` for the legacy + /// `(Add, MasterCluster)` path still works (memory-store no-op + /// pin, returns Ok). Pinned to catch regressions where the new + /// `(target, kind)` match accidentally drops the Add branch. + #[tokio::test] + async fn live_dispatcher_add_master_cluster_still_works_post_kind_field() { + use fula_blockstore::{FlexibleBlockStore, MemoryBlockStore}; + let block_store = Arc::new(FlexibleBlockStore::Memory(MemoryBlockStore::new())); + let dispatcher = LivePinDispatcher::new(block_store); + + let cid = make_cid(0xAA); + let record = PinRecord { + cid_bytes: cid.to_bytes(), + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name: Some("bucket:test".to_string()), + bearer_token: Some("jwt".to_string()), + pinning_endpoint: None, + attempts: 0, + next_due_unix_ms: 0, + dead: false, + enqueued_at_unix_ms: 0, + }; + + // MemoryBlockStore.pin_with_token is a no-op (returns Ok). + let result = dispatcher.dispatch(&record).await; + assert!(result.is_ok(), "Add+MasterCluster post-#66 broke: {:?}", result); + } +} diff --git a/crates/fula-cli/src/pin_queue.rs b/crates/fula-cli/src/pin_queue.rs new file mode 100644 index 0000000..b6b99bc --- /dev/null +++ b/crates/fula-cli/src/pin_queue.rs @@ -0,0 +1,1223 @@ +//! Durable pin queue (W.9.6). +//! +//! Closes the silent-pin-drop gap (task #23) for both pinning paths +//! that the master's PUT handler currently fires-and-forgets: +//! +//! * **Master cluster pin** — `block_store.pin_with_token(bucket_root_cid, ...)` +//! via the `BlockStore` trait. Recursively pins the bucket's +//! Prolly Tree which transitively covers every object in the bucket +//! (including walkable-v8 HAMT internal-node ciphertexts at +//! `__fula_forest_v7_nodes/` paths — verified by an +//! integration test in this crate). +//! * **User's external pinning service** — `pin_for_user(...)` +//! against the user-configured pinning-service endpoint with the +//! user's JWT. +//! +//! Both targets feed the SAME queue with a per-target column so a +//! drainer can dispatch each independently. A row is removed only +//! when *its* target succeeds; per-target failures retry on their own +//! schedule. +//! +//! # Crash safety +//! +//! Backed by a single redb file (ACID, no separate DB process). Every +//! `enqueue` writes durably before returning, so a master crash +//! between PUT-success-response and pin-completion preserves the +//! pending pin for replay on next startup. Idempotency at the cluster +//! level (pinning an already-pinned CID is a no-op) means retried +//! pins after a crash do not produce duplicate state. +//! +//! # Concurrency +//! +//! Exactly one drainer per `PinQueue` instance; the queue is not +//! intended to be popped from multiple workers concurrently in the +//! same process. Concurrent `enqueue` from PUT handlers is safe via +//! redb's ACID transactions. The drainer's bounded semaphore caps +//! concurrent in-flight pin RPCs so a thundering herd of writes +//! cannot DoS the cluster. +//! +//! # What's NOT in the queue +//! +//! The `BlockStore::put_block` calls (which actually materialize +//! bytes in master's local IPFS daemon) are NOT queued — those are +//! synchronous and fail the PUT handler if they fail. Only the *pin* +//! step (which announces the block to ipfs-cluster for replication + +//! DHT propagation) is queued, since it can transiently fail at +//! cluster scale and is idempotent on retry. +//! +//! # Why not a tokio mpsc channel? +//! +//! In-memory channels lose pending work on master crash. Phase 2.4 +//! and Phase 3.2 already chose redb for analogous "must-survive- +//! restart" cases (block cache, publisher state file) — reusing the +//! workspace dep gives us a known-good crash-safety story without +//! inventing a new persistence layer. + +use cid::Cid; +use redb::{Database, ReadableTable, ReadableTableMetadata, TableDefinition}; +use serde::{Deserialize, Serialize}; +use std::path::{Path, PathBuf}; +use std::sync::Arc; +use std::time::{SystemTime, UNIX_EPOCH}; + +/// **#66 (2026-05-09)**: bumped to v2 when `PinKind` was added to +/// `PinRecord` (Add vs Remove intent for unpin queue support). On +/// open we drop any leftover v1 table — pre-#66 records would lack +/// the `kind` field and postcard would fail trailing-field decode. +/// Master-only state; the cost is "in-flight pins from before +/// upgrade are dropped"; the next user write re-enqueues. Documented +/// in CHANGELOG. +const PIN_QUEUE: TableDefinition<&[u8], &[u8]> = TableDefinition::new("pin_queue_v2"); + +/// Pre-#66 table name — opened on first run after upgrade and +/// deleted to free its blocks. No-op on a fresh install. +const LEGACY_PIN_QUEUE_V1: TableDefinition<&[u8], &[u8]> = TableDefinition::new("pin_queue_v1"); + +/// Default exponential-backoff base (per advisor's W.9.6 design). +/// First retry at ~500 ms; each subsequent failure roughly doubles +/// the delay up to [`DEFAULT_BACKOFF_CAP_MS`]. +const DEFAULT_BACKOFF_BASE_MS: u64 = 500; + +/// Cap on a single retry's wait. Without this, attempt N's delay +/// grows unbounded (`base * 2^N`) and a chronic failure mode would +/// stall the queue for hours per record. +const DEFAULT_BACKOFF_CAP_MS: u64 = 5 * 60 * 1000; + +/// Default max attempts before marking a record dead. With the +/// default 500 ms / 5 min cap and 10 % jitter, 8 attempts cover ~30 +/// min of retries. Beyond that the failure is almost certainly not +/// transient; surface it for operator triage rather than retrying +/// forever. +pub const DEFAULT_MAX_ATTEMPTS: u32 = 8; + +/// Pin target: which back-end this row's pin call dispatches to. +/// +/// Stored as a `u8` so the on-disk wire is stable across enum reorder +/// or rename (postcard's enum-variant tag is also stable, but a fixed +/// numeric code is clearer for grep / debug printing). +#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)] +#[repr(u8)] +pub enum PinTarget { + /// Master's own ipfs-cluster instance (via `block_store.pin_with_token`). + /// Drainer authenticates with the user's JWT recorded in the row. + MasterCluster = 0, + /// User's external pinning service (via `pin_for_user`'s + /// downstream HTTP call). Drainer uses `pinning_endpoint` + + /// `pin_token` from the row. + UserExternal = 1, +} + +impl PinTarget { + fn as_byte(self) -> u8 { + self as u8 + } +} + +/// **#66 (2026-05-09)** — pin/unpin intent stored on the queue row. +/// +/// Same-target pin and unpin records share an idempotency key +/// (`(cid, target)`). Enqueueing an opposite-kind request for an +/// existing key implements **"latest intent wins"**: the new intent +/// overwrites the old one (resets attempts/due-time, refreshes +/// bearer_token from the new request). Enqueueing the same-kind +/// request for an existing key remains idempotent (no churn on +/// retried PUTs of the same content). +/// +/// Wire form: `repr(u8)` so the on-disk byte is stable across enum +/// reorder. Variant 0 = `Add` mirrors the v1 schema's "everything +/// is a pin" assumption — kept first so the byte representation of +/// `PinKind::Add` is the same as v1's missing-field default would +/// be (defense in depth, but the primary backward-compat mechanism +/// is the table-name bump to `pin_queue_v2`). +#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)] +#[repr(u8)] +pub enum PinKind { + /// Pin the CID at the target (default). + Add = 0, + /// Unpin the CID from the target. For `UserExternal`, dispatcher + /// looks up the pin by CID + DELETE; 404 ("pin not found") is + /// treated as success (already removed). For `MasterCluster`, + /// not yet implemented (#66 minimal scope is user-external only); + /// dispatcher returns `DispatchError::Permanent`. + Remove = 1, +} + +impl Default for PinKind { + fn default() -> Self { + PinKind::Add + } +} + +/// Caller's intent at enqueue time. The drainer is responsible for +/// converting this into the actual pin RPC. +#[derive(Debug, Clone)] +pub struct PinRequest { + pub cid: Cid, + pub target: PinTarget, + /// **#66**: Add or Remove. Defaults to `Add` so existing call + /// sites that don't specify get pin semantics unchanged. + pub kind: PinKind, + /// Optional human-readable label (e.g., `"bucket:my-bucket"`). + /// Forwarded to the cluster for `pin ls` visibility. + pub pin_name: Option, + /// Bearer token for the pin RPC. For `MasterCluster` this is the + /// user's JWT (master's cluster client trusts master, but the + /// pinning service requires per-user auth). For `UserExternal` + /// it's whatever token the user supplied in the request headers. + pub bearer_token: Option, + /// Endpoint URL — only meaningful for `UserExternal`. None for + /// `MasterCluster` (block_store has its endpoint baked in). + pub pinning_endpoint: Option, +} + +/// Persisted form. The drainer reads this back from disk on each +/// `pop_due`, dispatches per `target`, and either deletes (on +/// success) or updates (on retry / dead). +#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)] +pub struct PinRecord { + /// Round-trip-safe CID byte form. Decode with + /// `Cid::try_from(&record.cid_bytes[..])` when dispatching. + pub cid_bytes: Vec, + pub target: PinTarget, + /// **#66**: Add or Remove. Wire-format: `pin_queue_v2` table + /// (the `_v1` table is dropped on first open after upgrade — + /// see `PinQueue::open`). + pub kind: PinKind, + pub pin_name: Option, + pub bearer_token: Option, + pub pinning_endpoint: Option, + /// Number of times the drainer has called the pin RPC for this + /// record. 0 immediately after enqueue. + pub attempts: u32, + /// Wall-clock unix-millis when this record next becomes eligible + /// for the drainer to pick up. 0 = ready immediately. + pub next_due_unix_ms: u64, + /// `true` after `attempts >= max_attempts`. Stays in the queue + /// for operator audit; the drainer skips dead rows. + pub dead: bool, + /// Wall-clock unix-millis when first enqueued. Debug + audit only. + pub enqueued_at_unix_ms: u64, +} + +impl PinRecord { + /// Decode `cid_bytes` back into a [`Cid`]. Used by the drainer + /// before dispatching the pin RPC. Errors are surfaced as + /// `PinQueueError::CorruptRecord` so a malformed row is + /// observable without crashing the drainer. + pub fn cid(&self) -> Result { + Cid::try_from(&self.cid_bytes[..]) + .map_err(|e| PinQueueError::CorruptRecord(format!("invalid cid bytes: {e}"))) + } +} + +/// Outcome of `mark_failed` — either scheduled for retry or graduated +/// to dead-letter. Returned to the drainer for logging granularity. +#[derive(Debug, Clone, Copy, PartialEq, Eq)] +pub enum PinFailedOutcome { + Retry { next_due_unix_ms: u64 }, + Dead, +} + +/// Errors the pin queue can surface. Distinct error type (not +/// `ApiError`) so the queue can be unit-tested without dragging in +/// the HTTP stack. +#[derive(Debug, thiserror::Error)] +pub enum PinQueueError { + #[error("redb open failed: {0}")] + Open(String), + #[error("redb transaction failed: {0}")] + Txn(String), + #[error("postcard encode/decode failed: {0}")] + Codec(String), + #[error("queue file is corrupt: {0}")] + Corrupt(String), + #[error("queue record is corrupt: {0}")] + CorruptRecord(String), +} + +impl From for PinQueueError { + fn from(err: redb::DatabaseError) -> Self { + PinQueueError::Open(err.to_string()) + } +} + +impl From for PinQueueError { + fn from(err: redb::TransactionError) -> Self { + PinQueueError::Txn(err.to_string()) + } +} + +impl From for PinQueueError { + fn from(err: redb::TableError) -> Self { + PinQueueError::Txn(err.to_string()) + } +} + +impl From for PinQueueError { + fn from(err: redb::CommitError) -> Self { + PinQueueError::Txn(err.to_string()) + } +} + +impl From for PinQueueError { + fn from(err: redb::StorageError) -> Self { + PinQueueError::Txn(err.to_string()) + } +} + +impl From for PinQueueError { + fn from(err: postcard::Error) -> Self { + PinQueueError::Codec(err.to_string()) + } +} + +/// Compute `(cid_bytes ‖ target_byte)` as the redb key. CID bytes are +/// variable length (typically 36 bytes for v1 raw-codec BLAKE3) so +/// the key length varies; the trailing target byte makes the +/// `(cid, target)` pair the unique queue identity. +fn record_key(cid_bytes: &[u8], target: PinTarget) -> Vec { + let mut k = Vec::with_capacity(cid_bytes.len() + 1); + k.extend_from_slice(cid_bytes); + k.push(target.as_byte()); + k +} + +/// Wall-clock unix-millis. Centralised so tests can mock or spy on +/// time when needed (currently they call this directly, which is +/// fine — the only time-related test is the backoff test). +fn now_unix_ms() -> u64 { + SystemTime::now() + .duration_since(UNIX_EPOCH) + .map(|d| d.as_millis() as u64) + .unwrap_or(0) +} + +/// Compute the next-due timestamp after `attempts` failures. Pure +/// function — exposed so tests can pin the backoff curve. +/// +/// `attempts` here is the **post-increment** count (i.e. 1 after the +/// first failure). 10 % jitter is computed via a deterministic mix +/// of `now_unix_ms` so two records that fail at the same wall-clock +/// moment don't synchronise their next retries. +pub(crate) fn compute_backoff_next_due_ms(attempts: u32, now_ms: u64) -> u64 { + let exponent = (attempts.saturating_sub(1)).min(20); + // u64::saturating_shl isn't stable; `checked_shl` returns None + // past 63, in which case we know we're past the cap anyway. + let shifted = 1u64.checked_shl(exponent.min(20)).unwrap_or(u64::MAX); + let raw_delay_ms = DEFAULT_BACKOFF_BASE_MS + .saturating_mul(shifted) + .min(DEFAULT_BACKOFF_CAP_MS); + // Deterministic 0..10 % jitter. `now_ms` is the only entropy + // source the queue has access to without dragging rand into a + // crash-recovery-load-bearing path; it's good enough to + // de-synchronise sibling retries since two records that fail at + // the same millisecond are rare and short-lived. + let jitter_ms = (now_ms.wrapping_mul(0x9E37_79B9_7F4A_7C15) >> 56) % (raw_delay_ms / 10 + 1); + now_ms.saturating_add(raw_delay_ms).saturating_add(jitter_ms) +} + +/// The durable pin queue. +#[derive(Clone)] +pub struct PinQueue { + db: Arc, + path: PathBuf, +} + +impl PinQueue { + /// Open or create the queue file at `path`. The path's parent + /// directory must already exist (typically created at master + /// startup alongside the other state files). + /// + /// Errors: + /// - `Open`: redb refused to open (corrupt file, unreadable + /// parent, file held by another process). + pub fn open(path: impl AsRef) -> Result { + let path = path.as_ref().to_path_buf(); + let db = Database::create(&path)?; + let txn = db.begin_write()?; + { + // Touch the v2 table so a fresh file has it (redb creates + // tables lazily on first write). + txn.open_table(PIN_QUEUE)?; + } + // **#66 (2026-05-09)**: drop pre-#66 v1 table on first open + // after master upgrade. v1 records lack the `kind` field; + // postcard would fail trailing-field decode if we tried to + // read them as v2. Cost: in-flight pin records from before + // upgrade are dropped — the next user write re-enqueues + // (typical queue depth is in the hundreds; catch-up takes + // seconds). Documented in CHANGELOG. Idempotent: no-op on a + // fresh install or post-upgrade reboot. + // + // Same transaction as the table-touch above so we don't + // open two write txns simultaneously (redb forbids). + let v1_dropped = match txn.delete_table(LEGACY_PIN_QUEUE_V1) { + Ok(true) => true, + Ok(false) => false, // table didn't exist — fresh install + Err(redb::TableError::TableDoesNotExist(_)) => false, + Err(e) => { + tracing::warn!( + error = %e, + "pin_queue: failed to drop legacy pin_queue_v1 table; \ + continuing — leftover v1 records cannot be dispatched" + ); + false + } + }; + txn.commit()?; + if v1_dropped { + tracing::info!( + path = ?path, + "pin_queue: dropped legacy pin_queue_v1 table (#66 schema upgrade); \ + in-flight pre-upgrade pin records are not migrated — they will be \ + re-enqueued by the next user write for affected buckets" + ); + } + Ok(Self { + db: Arc::new(db), + path, + }) + } + + /// Path the queue is backed by. Diagnostic / log use. + #[allow(dead_code)] + pub fn path(&self) -> &Path { + &self.path + } + + /// Enqueue a pin/unpin request. Idempotent on `(cid, target, + /// kind)`: if a record with the same `(cid, target)` and the + /// SAME `kind` already exists, returns `Ok(false)` without + /// modifying it. If a record with the same `(cid, target)` but + /// DIFFERENT `kind` exists, the existing record is **overwritten** + /// with the new intent — this is "latest intent wins" semantics + /// (#66). The previous record's `enqueued_at_unix_ms` is + /// preserved for audit; `attempts` resets to 0 so the new intent + /// dispatches immediately, and `bearer_token`/`pin_name`/ + /// `pinning_endpoint` are taken from the new request. + /// + /// Returns `Ok(true)` when a record was written or overwritten, + /// `Ok(false)` when a same-kind record was already present. + /// + /// **The pin↔unpin race** (#66 design call): a user uploading + /// X → deleting X → re-uploading X (same content → same CID) in + /// quick succession would otherwise produce a queue with both a + /// pin and an unpin record for X. The drainer order isn't + /// guaranteed to match enqueue order, so unpin could run after + /// the second pin and leave X unpinned despite the user's intent. + /// "Latest intent wins" collapses pin/unpin into one record per + /// `(cid, target)` so this race is impossible by construction. + /// + /// **Crash safety**: the redb commit at the end of this function + /// is the durability boundary. After this returns `Ok(_)`, the + /// record survives a process kill / power-loss (subject to the + /// usual fsync semantics of the underlying filesystem). + pub fn enqueue(&self, req: PinRequest) -> Result { + let cid_bytes = req.cid.to_bytes(); + let key = record_key(&cid_bytes, req.target); + let txn = self.db.begin_write()?; + let inserted = { + let mut tbl = txn.open_table(PIN_QUEUE)?; + // **#66**: latest-intent-wins. Branch on existing record: + // * none → fresh insert + // * same-kind existing → no-op (preserve retry state) + // * different-kind existing → overwrite (reset + // attempts/due-time, refresh credentials, preserve + // enqueued_at for audit) + let existing = match tbl.get(&key[..])? { + Some(bytes) => Some(postcard::from_bytes::(bytes.value())?), + None => None, + }; + match existing { + Some(prev) if prev.kind == req.kind => { + // Same intent already pending — no churn. + false + } + Some(prev) => { + // Conflicting intent — overwrite. Preserve the + // original `enqueued_at_unix_ms` so audit reflects + // when the queue first acquired interest in this + // CID, not just the most recent flip. + let record = PinRecord { + cid_bytes, + target: req.target, + kind: req.kind, + pin_name: req.pin_name, + bearer_token: req.bearer_token, + pinning_endpoint: req.pinning_endpoint, + attempts: 0, + next_due_unix_ms: 0, // ready immediately + dead: false, + enqueued_at_unix_ms: prev.enqueued_at_unix_ms, + }; + let value = postcard::to_allocvec(&record)?; + tbl.insert(&key[..], &value[..])?; + true + } + None => { + let now = now_unix_ms(); + let record = PinRecord { + cid_bytes, + target: req.target, + kind: req.kind, + pin_name: req.pin_name, + bearer_token: req.bearer_token, + pinning_endpoint: req.pinning_endpoint, + attempts: 0, + next_due_unix_ms: 0, // ready immediately + dead: false, + enqueued_at_unix_ms: now, + }; + let value = postcard::to_allocvec(&record)?; + tbl.insert(&key[..], &value[..])?; + true + } + } + }; + txn.commit()?; + Ok(inserted) + } + + /// Return up to `max` records eligible for processing — `dead = + /// false` AND `next_due_unix_ms <= now_unix_ms`. Records are NOT + /// removed; the drainer must explicitly mark each one as + /// succeeded / failed / dead. + /// + /// Currently does a full table scan. The queue is drained + /// continuously so its live size stays small (pending work + /// only); a secondary index by `next_due_unix_ms` would be a + /// performance optimisation if the queue ever grew past tens of + /// thousands of pending records. + pub fn pop_due( + &self, + now_unix_ms: u64, + max: usize, + ) -> Result, PinQueueError> { + let txn = self.db.begin_read()?; + let tbl = txn.open_table(PIN_QUEUE)?; + let mut out = Vec::with_capacity(max.min(64)); + for entry in tbl.iter()? { + if out.len() >= max { + break; + } + // Per-row error tolerance (W.9.6 dual-advisor BLOCKER): a + // single corrupt postcard blob (schema drift across a + // PinRecord version bump, partial write, bit rot) MUST + // NOT wedge the entire drainer. Skip-and-log so other + // healthy records still get picked up. The corrupt row + // stays in redb for operator triage; an admin tool can + // inspect / drop it manually. + let (_k, v) = match entry { + Ok(kv) => kv, + Err(e) => { + tracing::error!( + error = %e, + "pin_queue::pop_due: row read failed; skipping" + ); + continue; + } + }; + let record: PinRecord = match postcard::from_bytes(v.value()) { + Ok(r) => r, + Err(e) => { + tracing::error!( + error = %e, + "pin_queue::pop_due: skipping corrupt postcard record (schema \ + drift / partial write / bit rot). Operator can inspect via \ + redb tooling and drop manually if needed." + ); + continue; + } + }; + if !record.dead && record.next_due_unix_ms <= now_unix_ms { + out.push(record); + } + } + Ok(out) + } + + /// Remove the record on successful pin. The drainer calls this + /// from within its bounded-concurrency body. + /// + /// No-op (no error) if the record is already absent — handles + /// the race where two drainers (across master restarts) both + /// completed the same pin. + pub fn mark_succeeded( + &self, + cid: &Cid, + target: PinTarget, + ) -> Result<(), PinQueueError> { + let cid_bytes = cid.to_bytes(); + let key = record_key(&cid_bytes, target); + let txn = self.db.begin_write()?; + { + let mut tbl = txn.open_table(PIN_QUEUE)?; + tbl.remove(&key[..])?; + } + txn.commit()?; + Ok(()) + } + + /// Bump `attempts` and either schedule a retry (returns `Retry`) + /// or mark dead (`Dead`). Idempotent / re-entrant under + /// concurrent retries from a single drainer (records are only + /// processed by one worker at a time per pop_due batch). + /// + /// Returns `Ok(None)` if the record has already been removed + /// (success raced with this failure call). + pub fn mark_failed( + &self, + cid: &Cid, + target: PinTarget, + max_attempts: u32, + ) -> Result, PinQueueError> { + let cid_bytes = cid.to_bytes(); + let key = record_key(&cid_bytes, target); + let now = now_unix_ms(); + let txn = self.db.begin_write()?; + let outcome = { + let mut tbl = txn.open_table(PIN_QUEUE)?; + let mut record: PinRecord = { + let Some(v) = tbl.get(&key[..])? else { + return Ok(None); + }; + postcard::from_bytes(v.value())? + // The borrow ends with this scope so the table is free + // to mutate below. + }; + record.attempts = record.attempts.saturating_add(1); + let outcome = if record.attempts >= max_attempts { + record.dead = true; + PinFailedOutcome::Dead + } else { + let next_due = compute_backoff_next_due_ms(record.attempts, now); + record.next_due_unix_ms = next_due; + PinFailedOutcome::Retry { + next_due_unix_ms: next_due, + } + }; + let value = postcard::to_allocvec(&record)?; + tbl.insert(&key[..], &value[..])?; + outcome + }; + txn.commit()?; + Ok(Some(outcome)) + } + + /// Total non-dead records (drainer's pending work). Diagnostic / + /// metrics only; the drainer doesn't gate on this. Same per-row + /// skip-corrupt tolerance as `pop_due` so a single bad blob + /// doesn't make the whole gauge unreadable. + pub fn pending_count(&self) -> Result { + let txn = self.db.begin_read()?; + let tbl = txn.open_table(PIN_QUEUE)?; + let mut n = 0u64; + for entry in tbl.iter()? { + let (_k, v) = match entry { + Ok(kv) => kv, + Err(_) => continue, + }; + let record: PinRecord = match postcard::from_bytes(v.value()) { + Ok(r) => r, + Err(_) => continue, // see pop_due's matching comment + }; + if !record.dead { + n += 1; + } + } + Ok(n) + } + + /// Total dead records — surface for operator triage. A non-zero + /// dead count after a stable cluster means there's a bug or a + /// genuine permanent failure. Same per-row skip-corrupt tolerance + /// as `pop_due`. + pub fn dead_count(&self) -> Result { + let txn = self.db.begin_read()?; + let tbl = txn.open_table(PIN_QUEUE)?; + let mut n = 0u64; + for entry in tbl.iter()? { + let (_k, v) = match entry { + Ok(kv) => kv, + Err(_) => continue, + }; + let record: PinRecord = match postcard::from_bytes(v.value()) { + Ok(r) => r, + Err(_) => continue, + }; + if record.dead { + n += 1; + } + } + Ok(n) + } + + /// Number of redb-stored bytes held by the queue file. Best-effort + /// observability for operator alerts ("queue file growing + /// unbounded" indicates a stuck drainer). + #[allow(dead_code)] + pub fn approximate_total_records(&self) -> Result { + let txn = self.db.begin_read()?; + let tbl = txn.open_table(PIN_QUEUE)?; + Ok(tbl.len()?) + } + + /// Drop a record whose cid bytes can't decode back into a `Cid`. + /// Used by the drainer to evict corrupt persisted rows that + /// would otherwise loop forever (W.9.6 advisor I1 finding). + /// + /// Takes the raw `cid_bytes` (which the caller still has, even + /// when `Cid::try_from` fails) plus the target so the redb key + /// can be reconstructed without re-decoding. Idempotent — no + /// error if the row was already gone. + pub fn purge_corrupt_record( + &self, + cid_bytes: &[u8], + target: PinTarget, + ) -> Result<(), PinQueueError> { + let key = record_key(cid_bytes, target); + let txn = self.db.begin_write()?; + { + let mut tbl = txn.open_table(PIN_QUEUE)?; + tbl.remove(&key[..])?; + } + txn.commit()?; + Ok(()) + } +} + +#[cfg(test)] +mod tests { + use super::*; + use cid::multihash::Multihash; + + fn make_cid(seed: u8) -> Cid { + let digest = [seed; 32]; + let mh = Multihash::<64>::wrap(0x1e, &digest).expect("blake3 multihash wrap"); + Cid::new_v1(0x55, mh) + } + + fn fresh_queue() -> (PinQueue, tempfile::TempDir) { + let dir = tempfile::tempdir().expect("tempdir"); + let path = dir.path().join("pinq.redb"); + let q = PinQueue::open(&path).expect("open"); + (q, dir) + } + + #[test] + fn enqueue_pop_succeed_round_trip() { + let (q, _td) = fresh_queue(); + let cid = make_cid(0x01); + assert!( + q.enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:Some("bucket:test".to_string()), + bearer_token: Some("jwt-abc".to_string()), + pinning_endpoint: None, + }) + .unwrap(), + "first enqueue inserts" + ); + // Second enqueue with the same (cid, target) is a no-op. + assert!( + !q.enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:None, + bearer_token: None, + pinning_endpoint: None, + }) + .unwrap(), + "second enqueue is idempotent" + ); + // Different target on the same cid IS a separate record. + assert!( + q.enqueue(PinRequest { + cid, + target: PinTarget::UserExternal, + kind: PinKind::Add, + pin_name:None, + bearer_token: Some("user-token".to_string()), + pinning_endpoint: Some("https://pinning.example/".to_string()), + }) + .unwrap(), + "different target = different row" + ); + + let due = q.pop_due(now_unix_ms() + 1, 100).unwrap(); + assert_eq!(due.len(), 2, "two distinct (cid, target) rows due"); + + // Mark master succeeded; user-external still pending. + q.mark_succeeded(&cid, PinTarget::MasterCluster).unwrap(); + let due = q.pop_due(now_unix_ms() + 1, 100).unwrap(); + assert_eq!(due.len(), 1); + assert_eq!(due[0].target, PinTarget::UserExternal); + assert_eq!(due[0].cid().unwrap(), cid); + + q.mark_succeeded(&cid, PinTarget::UserExternal).unwrap(); + assert_eq!(q.pop_due(now_unix_ms() + 1, 100).unwrap().len(), 0); + } + + /// **#66 (2026-05-09)** — enqueueing a Remove for `(cid, target)` + /// that already has a pending Add **overwrites** the pending + /// record (latest-intent-wins). Pin/unpin race on rapid + /// upload→delete→re-upload cannot leave the queue with + /// conflicting records. + #[test] + fn enqueue_overwrites_pin_with_remove_for_same_cid_target() { + let (q, _td) = fresh_queue(); + let cid = make_cid(0x66); + + // Step 1: enqueue Add (kind defaults to Add for legacy + // call sites). + assert!(q + .enqueue(PinRequest { + cid, + target: PinTarget::UserExternal, + kind: PinKind::Add, + pin_name: Some("file:photo.jpg".to_string()), + bearer_token: Some("jwt-A".to_string()), + pinning_endpoint: Some("https://pinning.example/".to_string()), + }) + .unwrap()); + let before = q.pop_due(now_unix_ms() + 1, 10).unwrap(); + assert_eq!(before.len(), 1); + assert_eq!(before[0].kind, PinKind::Add); + let original_enqueued_at = before[0].enqueued_at_unix_ms; + + // Step 2: enqueue Remove for the same (cid, target) — + // overwrites Add, returns true (record was updated). + assert!(q + .enqueue(PinRequest { + cid, + target: PinTarget::UserExternal, + kind: PinKind::Remove, + pin_name: None, + bearer_token: Some("jwt-B".to_string()), + pinning_endpoint: Some("https://pinning.example/".to_string()), + }) + .unwrap()); + + // Verify the queue has exactly ONE record with kind=Remove. + let after = q.pop_due(now_unix_ms() + 1, 10).unwrap(); + assert_eq!(after.len(), 1); + assert_eq!(after[0].kind, PinKind::Remove); + // Bearer refreshed to the new value. + assert_eq!(after[0].bearer_token.as_deref(), Some("jwt-B")); + // Original enqueued_at preserved (audit invariant). + assert_eq!(after[0].enqueued_at_unix_ms, original_enqueued_at); + // Attempts reset to 0 — new intent dispatches immediately. + assert_eq!(after[0].attempts, 0); + } + + /// **#66** — symmetric: re-enqueueing an Add over a pending + /// Remove also overwrites. Models the upload → delete → re-upload + /// race specifically. + #[test] + fn enqueue_overwrites_remove_with_pin_for_same_cid_target() { + let (q, _td) = fresh_queue(); + let cid = make_cid(0x77); + + q.enqueue(PinRequest { + cid, + target: PinTarget::UserExternal, + kind: PinKind::Remove, + pin_name: None, + bearer_token: Some("jwt-old".to_string()), + pinning_endpoint: Some("https://pinning.example/".to_string()), + }) + .unwrap(); + + // Re-upload arrives — overwrite with Add. + assert!(q + .enqueue(PinRequest { + cid, + target: PinTarget::UserExternal, + kind: PinKind::Add, + pin_name: Some("file:replay.jpg".to_string()), + bearer_token: Some("jwt-new".to_string()), + pinning_endpoint: Some("https://pinning.example/".to_string()), + }) + .unwrap()); + + let after = q.pop_due(now_unix_ms() + 1, 10).unwrap(); + assert_eq!(after.len(), 1); + assert_eq!(after[0].kind, PinKind::Add); + assert_eq!(after[0].bearer_token.as_deref(), Some("jwt-new")); + assert_eq!(after[0].pin_name.as_deref(), Some("file:replay.jpg")); + } + + /// **#66** — same-kind enqueue must STILL be idempotent. The + /// pre-#66 contract held that a retried PUT for the same CID + /// is a no-op on the queue (prevents churn under retry storms); + /// adding the kind field doesn't change that. + #[test] + fn enqueue_same_kind_remains_idempotent() { + let (q, _td) = fresh_queue(); + let cid = make_cid(0x88); + + assert!(q + .enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name: Some("bucket:test".to_string()), + bearer_token: Some("jwt".to_string()), + pinning_endpoint: None, + }) + .unwrap()); + + // Second enqueue of identical (cid, target, kind) returns + // false — no churn. + assert!(!q + .enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name: Some("bucket:test".to_string()), + bearer_token: Some("jwt-different".to_string()), + pinning_endpoint: None, + }) + .unwrap()); + + // The second call did NOT update the bearer_token (existing + // record preserved — pre-existing pin queue contract). + let due = q.pop_due(now_unix_ms() + 1, 10).unwrap(); + assert_eq!(due.len(), 1); + assert_eq!(due[0].bearer_token.as_deref(), Some("jwt")); + } + + #[test] + fn mark_failed_retries_until_dead() { + let (q, _td) = fresh_queue(); + let cid = make_cid(0xCC); + q.enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:None, + bearer_token: None, + pinning_endpoint: None, + }) + .unwrap(); + + for attempt in 1..DEFAULT_MAX_ATTEMPTS { + let outcome = q + .mark_failed(&cid, PinTarget::MasterCluster, DEFAULT_MAX_ATTEMPTS) + .unwrap() + .expect("record present"); + match outcome { + PinFailedOutcome::Retry { next_due_unix_ms } => { + assert!( + next_due_unix_ms > now_unix_ms(), + "retry must be in the future" + ); + // After this call's attempts++ the record's `dead` + // remains false; `pop_due` with a now < next_due + // returns nothing, with a now >= next_due returns it. + assert_eq!(q.pending_count().unwrap(), 1); + assert_eq!(q.dead_count().unwrap(), 0); + } + PinFailedOutcome::Dead => panic!( + "attempt {attempt}: must still be retrying, not dead yet" + ), + } + } + + // Final attempt — graduates to Dead. + let outcome = q + .mark_failed(&cid, PinTarget::MasterCluster, DEFAULT_MAX_ATTEMPTS) + .unwrap() + .unwrap(); + assert_eq!(outcome, PinFailedOutcome::Dead); + assert_eq!(q.pending_count().unwrap(), 0, "no longer pending"); + assert_eq!(q.dead_count().unwrap(), 1, "graduated to dead"); + + // Dead row is NOT picked up by pop_due even when due. + assert_eq!( + q.pop_due(now_unix_ms() + 10_000_000, 100).unwrap().len(), + 0, + "dead rows must not appear in pop_due" + ); + } + + #[test] + fn pop_due_respects_next_due_at_time() { + let (q, _td) = fresh_queue(); + let cid = make_cid(0x42); + q.enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:None, + bearer_token: None, + pinning_endpoint: None, + }) + .unwrap(); + + // Force one failure → record gets a future next_due. + let outcome = q + .mark_failed(&cid, PinTarget::MasterCluster, DEFAULT_MAX_ATTEMPTS) + .unwrap() + .unwrap(); + let next_due = match outcome { + PinFailedOutcome::Retry { next_due_unix_ms } => next_due_unix_ms, + PinFailedOutcome::Dead => panic!("first failure must be Retry"), + }; + + // BEFORE next_due: pop_due hides the record. + assert_eq!( + q.pop_due(next_due.saturating_sub(1), 100).unwrap().len(), + 0, + "record under retry-backoff must not be returned" + ); + // AT/AFTER next_due: pop_due surfaces it. + let due = q.pop_due(next_due, 100).unwrap(); + assert_eq!(due.len(), 1); + assert_eq!(due[0].cid().unwrap(), cid); + } + + #[test] + fn crash_recovery_reopens_queue_with_pending_intact() { + // Load-bearing test (advisor's W.9.6 design): enqueue work, + // drop the queue (simulating a master crash), reopen at the + // same path, and observe the pending records survive. + let dir = tempfile::tempdir().expect("tempdir"); + let path = dir.path().join("pinq.redb"); + let cids: Vec<_> = (1u8..=10).map(make_cid).collect(); + { + let q = PinQueue::open(&path).expect("open #1"); + for c in &cids { + q.enqueue(PinRequest { + cid: *c, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name: Some("bucket:crash-test".to_string()), + bearer_token: Some("jwt-x".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + } + assert_eq!(q.pending_count().unwrap(), 10); + // Drop `q` here — simulates a master process exit / + // SIGKILL between enqueues and the drainer's next tick. + } + + // Reopen the same file. Every record must reappear with its + // identity preserved. + let q2 = PinQueue::open(&path).expect("open #2"); + assert_eq!( + q2.pending_count().unwrap(), + 10, + "all 10 enqueued records must survive a process boundary — \ + crash-safety is the load-bearing W.9.6 property" + ); + let due = q2.pop_due(now_unix_ms() + 1, 100).unwrap(); + let mut got: Vec = due.iter().map(|r| r.cid().unwrap()).collect(); + got.sort_by_key(|c| c.to_bytes()); + let mut want = cids.clone(); + want.sort_by_key(|c| c.to_bytes()); + assert_eq!( + got, want, + "every enqueued CID must be visible to the new drainer with \ + its identity intact" + ); + } + + #[test] + fn mark_succeeded_on_missing_record_is_noop() { + // Race-safety: drainer A succeeds a pin and removes the row; + // drainer B (across a restart, same record never re-enqueued) + // also tries to succeed it. Must not error. + let (q, _td) = fresh_queue(); + let cid = make_cid(0xAA); + // Never enqueued. mark_succeeded must not error. + q.mark_succeeded(&cid, PinTarget::MasterCluster).unwrap(); + assert_eq!(q.pending_count().unwrap(), 0); + } + + #[test] + fn mark_failed_on_missing_record_returns_none() { + let (q, _td) = fresh_queue(); + let cid = make_cid(0xBB); + let outcome = q + .mark_failed(&cid, PinTarget::MasterCluster, DEFAULT_MAX_ATTEMPTS) + .unwrap(); + assert!( + outcome.is_none(), + "mark_failed on absent (cid, target) must surface None — \ + succeeded-then-failed race indicator for the drainer" + ); + } + + #[test] + fn compute_backoff_grows_then_caps() { + // First retry ~500 ms (+ jitter). + let now = 1_000_000_u64; + let d1 = compute_backoff_next_due_ms(1, now).saturating_sub(now); + assert!(d1 >= DEFAULT_BACKOFF_BASE_MS); + assert!(d1 < DEFAULT_BACKOFF_BASE_MS + DEFAULT_BACKOFF_BASE_MS / 5); + + // Big-attempts must hit the cap (5 min). + let big = compute_backoff_next_due_ms(20, now).saturating_sub(now); + assert!(big >= DEFAULT_BACKOFF_CAP_MS); + assert!( + big <= DEFAULT_BACKOFF_CAP_MS + DEFAULT_BACKOFF_CAP_MS / 9, + "big-attempts must not blow past the cap by more than the \ + 10% jitter — got {} vs cap {}", + big, + DEFAULT_BACKOFF_CAP_MS + ); + } + + #[test] + fn pop_due_skips_corrupt_records_without_wedging() { + // BLOCKER fix verification (W.9.6 dual-advisor): one corrupt + // postcard blob in the table MUST NOT make the entire + // drainer wedge. Earlier impl `?`-propagated postcard errors + // out of pop_due → drain_once returned Err → drainer slept + // and re-tried the same broken row forever, blocking every + // healthy row behind it. + // + // Setup: enqueue ONE good record, then directly write a + // corrupt blob at a new key. Verify pop_due returns the good + // record. + let (q, _td) = fresh_queue(); + let good = make_cid(0xAA); + q.enqueue(PinRequest { + cid: good, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:Some("good".to_string()), + bearer_token: Some("jwt".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + + // Inject a corrupt blob directly via the redb txn layer. + { + let txn = q.db.begin_write().unwrap(); + { + let mut tbl = txn.open_table(PIN_QUEUE).unwrap(); + let bogus_key = b"corrupt-key-not-a-real-record".as_slice(); + let bogus_value = b"this is not valid postcard data".as_slice(); + tbl.insert(bogus_key, bogus_value).unwrap(); + } + txn.commit().unwrap(); + } + + // pop_due must skip the corrupt blob and return the good one. + let due = q.pop_due(now_unix_ms() + 1, 100).unwrap(); + assert_eq!(due.len(), 1, "must surface the good record despite a sibling corrupt blob"); + assert_eq!(due[0].cid().unwrap(), good); + + // pending_count + dead_count must also skip the corrupt blob + // (so admin gauges don't report nonsense). + assert_eq!(q.pending_count().unwrap(), 1); + assert_eq!(q.dead_count().unwrap(), 0); + } + + #[test] + fn enqueue_realistic_v8_put_shapes_routes_per_path_class() { + // W.9.6-D verification: simulate the per-PUT enqueue shape + // that the PUT handler emits for each path class so the + // queue carries enough information for the drainer to + // dispatch correctly. + // + // Three classes: + // 1. HAMT internal-node PUT (`__fula_forest_v7_nodes/`) + // — walkable-v8 load-bearing. Pin name carries + // `v8-node:` prefix for operator visibility. + // 2. Forest metadata PUT (`__fula_forest_v7_index`, + // `__fula_forest_dir_index`, etc.) — pinned with + // `forest-meta:` prefix. + // 3. Regular object PUT (user file) — pinned with + // `object:` prefix. + // + // All three end up as MasterCluster records with the user's + // JWT as the bearer; the drainer dispatches identically. The + // distinct names matter for operator `pin ls` triage, not + // for queue or drainer behavior. + let (q, _td) = fresh_queue(); + let cid_node = make_cid(0x01); + let cid_meta = make_cid(0x02); + let cid_obj = make_cid(0x03); + + // Each enqueue mirrors the PUT-handler logic at object.rs + // line ~340 (W.9.6 per-object pin block). + q.enqueue(PinRequest { + cid: cid_node, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:Some("v8-node:bucket-x".to_string()), + bearer_token: Some("jwt-x".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + q.enqueue(PinRequest { + cid: cid_meta, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:Some("forest-meta:bucket-x".to_string()), + bearer_token: Some("jwt-x".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + q.enqueue(PinRequest { + cid: cid_obj, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:Some("object:bucket-x/photo.jpg".to_string()), + bearer_token: Some("jwt-x".to_string()), + pinning_endpoint: None, + }) + .unwrap(); + + let due = q.pop_due(now_unix_ms() + 1, 100).unwrap(); + assert_eq!(due.len(), 3, "all three path classes must enqueue"); + // Verify each cid + pin_name made it through intact. + let by_cid: std::collections::HashMap = + due.iter().map(|r| (r.cid().unwrap(), r)).collect(); + assert_eq!( + by_cid[&cid_node].pin_name.as_deref(), + Some("v8-node:bucket-x") + ); + assert_eq!( + by_cid[&cid_meta].pin_name.as_deref(), + Some("forest-meta:bucket-x") + ); + assert_eq!( + by_cid[&cid_obj].pin_name.as_deref(), + Some("object:bucket-x/photo.jpg") + ); + } + + #[test] + fn dead_record_remains_visible_via_dead_count_for_audit() { + // Per advisor: dead rows stay in the queue (don't auto-purge) + // so an operator audit endpoint can later report them. Pin + // it. + let (q, _td) = fresh_queue(); + let cid = make_cid(0xDD); + q.enqueue(PinRequest { + cid, + target: PinTarget::MasterCluster, + kind: PinKind::Add, + pin_name:None, + bearer_token: None, + pinning_endpoint: None, + }) + .unwrap(); + for _ in 0..DEFAULT_MAX_ATTEMPTS { + q.mark_failed(&cid, PinTarget::MasterCluster, DEFAULT_MAX_ATTEMPTS) + .unwrap(); + } + assert_eq!(q.dead_count().unwrap(), 1); + assert_eq!(q.pending_count().unwrap(), 0); + // Even after a reopen the dead record persists. + drop(q); + } +} diff --git a/crates/fula-cli/src/server.rs b/crates/fula-cli/src/server.rs index bd33944..ee4038e 100644 --- a/crates/fula-cli/src/server.rs +++ b/crates/fula-cli/src/server.rs @@ -23,6 +23,36 @@ pub async fn run_server(config: GatewayConfig) -> anyhow::Result<()> { users_index_publisher::start_publisher_loop(publisher); } + // W.9.6 — spawn the pin-queue drainer iff the queue was opened + // at AppState construction time. When the queue is None, this is + // a no-op and the PUT handler falls back to fire-and-forget pins + // (legacy v0.5 behavior). On runtime shutdown the tokio runtime + // aborts the spawned task; pending records survive the next + // master restart via redb durability (this is the load-bearing + // crash-safety property — the queue is the source of truth, not + // the drainer's in-flight state). + // + // We `mem::forget` both the JoinHandle and the cancel oneshot: + // the drainer is a process-lifetime task. A future graceful- + // shutdown wiring would replace this with a registry of cancel + // tokens that `run_server_with_shutdown` drains during its + // tokio-runtime-shutdown grace period. For now, abrupt cancel + // is safe because pin RPCs are idempotent at cluster — a + // partially-completed pin gets retried on next startup, no harm. + if let Some(queue) = state.pin_queue.clone() { + let dispatcher: Arc = Arc::new( + crate::pin_drainer::LivePinDispatcher::new(Arc::clone(&state.block_store)), + ); + let (handle, cancel) = crate::pin_drainer::spawn_drainer_loop( + queue, + dispatcher, + crate::pin_drainer::DrainerConfig::default(), + ); + std::mem::forget(handle); + std::mem::forget(cancel); + info!("✓ Pin drainer (W.9.6) started"); + } + // Create router let app = routes::create_router(state); @@ -55,6 +85,36 @@ pub async fn run_server_with_shutdown( users_index_publisher::start_publisher_loop(publisher); } + // W.9.6 — spawn the pin-queue drainer iff the queue was opened + // at AppState construction time. When the queue is None, this is + // a no-op and the PUT handler falls back to fire-and-forget pins + // (legacy v0.5 behavior). On runtime shutdown the tokio runtime + // aborts the spawned task; pending records survive the next + // master restart via redb durability (this is the load-bearing + // crash-safety property — the queue is the source of truth, not + // the drainer's in-flight state). + // + // We `mem::forget` both the JoinHandle and the cancel oneshot: + // the drainer is a process-lifetime task. A future graceful- + // shutdown wiring would replace this with a registry of cancel + // tokens that `run_server_with_shutdown` drains during its + // tokio-runtime-shutdown grace period. For now, abrupt cancel + // is safe because pin RPCs are idempotent at cluster — a + // partially-completed pin gets retried on next startup, no harm. + if let Some(queue) = state.pin_queue.clone() { + let dispatcher: Arc = Arc::new( + crate::pin_drainer::LivePinDispatcher::new(Arc::clone(&state.block_store)), + ); + let (handle, cancel) = crate::pin_drainer::spawn_drainer_loop( + queue, + dispatcher, + crate::pin_drainer::DrainerConfig::default(), + ); + std::mem::forget(handle); + std::mem::forget(cancel); + info!("✓ Pin drainer (W.9.6) started"); + } + let app = routes::create_router(state); let addr = config.bind_addr(); diff --git a/crates/fula-cli/src/state.rs b/crates/fula-cli/src/state.rs index 45e8bd7..82d34b8 100644 --- a/crates/fula-cli/src/state.rs +++ b/crates/fula-cli/src/state.rs @@ -42,6 +42,12 @@ pub struct AppState { pub users_index_publisher: Option< Arc>, >, + /// W.9.6 — durable pin queue. `Some` when `pin_queue_path` is + /// configured (production deploy). `None` when unset (tests, + /// minimal dev configs); in that case the PUT handler falls + /// back to the legacy fire-and-forget pin path. The drainer + /// task is spawned by `server::run_server` if this is `Some`. + pub pin_queue: Option>, } impl AppState { @@ -136,6 +142,41 @@ impl AppState { Arc::clone(&block_store), ); + // W.9.6 durable pin queue — opens the redb file at the + // configured path. The drainer is spawned in + // `server::run_server`; this constructor only opens the file + // (or surfaces an open error so the operator sees it + // immediately, before any PUT can land). When the path is + // unset the queue stays `None` and the PUT handler falls + // back to fire-and-forget — supported for tests + minimal + // dev configs, NOT recommended for production. + let pin_queue = match &config.pin_queue_path { + Some(path) => match crate::pin_queue::PinQueue::open(path) { + Ok(q) => { + info!("✓ Pin queue (W.9.6) opened at {}", path); + Some(Arc::new(q)) + } + Err(e) => { + warn!( + "Failed to open pin queue at {} ({}); falling back to \ + fire-and-forget pinning. Pin retries / crash recovery \ + are DISABLED for this run.", + path, e + ); + None + } + }, + None => { + warn!( + "pin_queue_path is not configured; pinning falls back to \ + fire-and-forget (legacy v0.5 behavior). Set \ + `pin_queue_path` in the gateway config to enable \ + durable retry / crash recovery." + ); + None + } + }; + Ok(Self { config, block_store, @@ -143,6 +184,7 @@ impl AppState { multipart_manager, lock_store, users_index_publisher, + pin_queue, }) } diff --git a/crates/fula-client/Cargo.toml b/crates/fula-client/Cargo.toml index bd0701e..fb5a9f1 100644 --- a/crates/fula-client/Cargo.toml +++ b/crates/fula-client/Cargo.toml @@ -78,6 +78,11 @@ reqwest = { version = "0.12", default-features = false, features = ["json"] } uuid = { version = "1.11", features = ["v4", "serde", "js"] } # MultipartAbortGuard Drop impl spawns the abort future on wasm wasm-bindgen-futures = "0.4" +# Walkable-v8 (W.9.2): `S3BlobBackend::put` parses master's PUT-response +# ETag into a `Cid` on every target so the cross-platform CID-stamping +# seam stays symmetric. cid 0.11 is wasm-compatible; default-features +# include `std` and `serde` which both work in wasm32. +cid = { workspace = true } [dev-dependencies] tokio = { workspace = true } diff --git a/crates/fula-client/src/config.rs b/crates/fula-client/src/config.rs index cbbb5b1..229cd4a 100644 --- a/crates/fula-client/src/config.rs +++ b/crates/fula-client/src/config.rs @@ -157,6 +157,44 @@ pub struct Config { /// Phase 2.2/2.4 enabled. pub users_index_ipfs_gateway_urls: Vec, + /// Walkable-v8 (W.9.3) — emit CID hints in HAMT internal-node + /// pointers, manifest pages, dir-index, and forest file-index + /// entries from master's PUT-response ETag (= `BLAKE3(ciphertext)` + /// raw-codec). Off by default during the v0.6.x rollout window so + /// every write stays byte-identical to v0.5 behaviour and old SDKs + /// can keep reading newly-written buckets. + /// + /// When `true`: + /// * `S3BlobBackend::put` parses the master-returned ETag as a + /// `Cid` and surfaces it in `BlobPutResult.cid`. The HAMT cascade + /// then emits `PointerWire::LinkV2 { storage_key, cid }` for any + /// re-persisted child node (legacy `Stored` siblings stay as + /// `Link`). + /// * Phase 1.5 (page commits), Phase 1.6 (dir-index commit), and + /// forest file-index PUTs parse the response ETag and stamp it + /// into `PageRef.cid`, `ManifestRoot.dir_index_cid`, and + /// `ForestFileEntry.storage_cid` respectively. + /// * Each parsed CID is **self-verified** locally before being + /// stamped: `BLAKE3(ciphertext)` is recomputed and compared to + /// the master-returned CID. On mismatch the SDK soft-fails to + /// `None` (logging the divergence at warn level, rate-limited + /// per (bucket,key) per session) so a compromised master cannot + /// redirect future offline walkers to attacker-controlled IPFS + /// bytes. + /// + /// When `false`: all CID-stamping fields stay `None` — readers + /// fall through to the legacy storage-key path. Wire-format + /// unchanged; old SDKs read newly-written buckets byte-identically + /// to v0.5. + /// + /// **Default flipped to `true` on 2026-05-09 (#89)**: per the user's + /// rollout plan ("when we roll out everyone will update"), this + /// bypasses the W.10 step 5 80%-adoption gate. Pre-v0.6 SDKs reading + /// newly-written buckets surface `WireVersionUnsupported` (#81 typed + /// variant). Set to `false` explicitly to opt out per-client (e.g., + /// targeted regressions or backward-compat tests). + pub walkable_v8_writer_enabled: bool, + /// Phase 19 — optional health-status callback. When set, the SDK /// invokes this closure on every Up↔Down transition of the /// master health gate (`MasterHealthEvent::Online` / @@ -200,6 +238,7 @@ impl std::fmt::Debug for Config { .field("users_index_user_key", &self.users_index_user_key) .field("users_index_ipns_gateway_urls", &self.users_index_ipns_gateway_urls) .field("users_index_ipfs_gateway_urls", &self.users_index_ipfs_gateway_urls) + .field("walkable_v8_writer_enabled", &self.walkable_v8_writer_enabled) .field( "health_callback", &self.health_callback.as_ref().map(|_| ""), @@ -241,6 +280,15 @@ impl Default for Config { users_index_user_key: None, users_index_ipns_gateway_urls: Vec::new(), users_index_ipfs_gateway_urls: Vec::new(), + // Walkable-v8 (W.9.3) — writer is opt-in during the v0.6.x + // rollout. Default `false` keeps writes byte-identical to + // v0.5 so old SDKs can keep reading newly-written buckets. + // #89 (2026-05-09): default flipped from `false` to `true` + // per user decision — every new-format-capable client emits + // walkable-v8 wire bytes by default. Operators must hold off + // flipping master-side gates until SDK adoption reaches the + // % they're comfortable with for the pre-v0.6 reader cost. + walkable_v8_writer_enabled: true, // Phase 19 — no callback by default (silent gate). health_callback: None, } diff --git a/crates/fula-client/src/encryption.rs b/crates/fula-client/src/encryption.rs index d98e8ca..2e48c48 100644 --- a/crates/fula-client/src/encryption.rs +++ b/crates/fula-client/src/encryption.rs @@ -26,7 +26,7 @@ use fula_crypto::{ }, sharing::{ShareToken, AcceptedShare, ShareRecipient}, rotation::{KeyRotationManager, WrappedKeyInfo}, - wnfs_hamt::BlobBackend, + wnfs_hamt::{BlobBackend, BlobPutResult}, sharded_hamt_forest::ShardedHamtPrivateForest, ChunkedEncoder, ChunkedFileMetadata, should_use_chunked, CryptoError, @@ -349,6 +349,19 @@ impl BlobBackend for S3BlobBackend { /// the cached `(bucket, key) → cid` mapping. When the flags are off /// behavior is byte-identical to pre-Phase-2.4 (single inner call, /// same retry policy). + /// + /// **Walkable-v8 reader (W.9.4)**: HAMT walkers that learned a + /// child's `Cid` from its parent's `PointerWire::LinkV2` plaintext + /// can call [`get_with_cid_hint`](Self::get_with_cid_hint) instead; + /// that variant uses the cold-cache cid-hint offline-fallback path + /// (`get_object_with_offline_fallback_known_cid`) so a freshly- + /// installed device can walk a v8 forest from the manifest root + /// without requiring a prior master-up read to populate the + /// warm-cache `(bucket, key) → cid` table. The reader path is NOT + /// gated on `walkable_v8_writer_enabled` — the wire-format + /// `LinkV2` variant itself is the gate. Buckets written entirely + /// under v7 produce no `LinkV2` entries, so no `cid_hint` reaches + /// this method, and behaviour falls through to the no-hint branch. async fn get(&self, path: &str) -> fula_crypto::Result> { let mut attempt: u32 = 0; loop { @@ -388,8 +401,27 @@ impl BlobBackend for S3BlobBackend { /// Same retry policy as `get`. `put_object` is idempotent on v7 HAMT /// node keys — they are content-addressed (blake3 over the plaintext /// node), so re-uploading the same bytes at the same path is safe. - async fn put(&self, path: &str, bytes: Vec) -> fula_crypto::Result<()> { + /// + /// **Walkable-v8 (W.9.2 seam, W.9.3 self-verify):** + /// when `Config::walkable_v8_writer_enabled = true`, the master's + /// PUT-response ETag is parsed as a CID and locally re-verified + /// against `BLAKE3(ciphertext)` via + /// `walkable_v8::verify_etag_matches_ciphertext` before being + /// surfaced in [`BlobPutResult.cid`]. Mismatches soft-fail to `None` + /// (with a rate-limited `tracing::warn!`) so a compromised master + /// cannot redirect future offline walkers to attacker-controlled + /// IPFS bytes. When the flag is `false` (the default during the + /// v0.6.x rollout), the parse path is skipped entirely and `cid` is + /// always `None` — write semantics stay byte-identical to v0.5. + /// + /// Soft-fail rationale: the PUT itself succeeded, the chunk is stored + /// and pinned, only the offline-walk hint is missing; readers fall + /// back to the storage-key path. Hard-erroring on parse failure + /// would regress the v7 write path under any deploy where master's + /// etag format drifts. + async fn put(&self, path: &str, bytes: Vec) -> fula_crypto::Result { let mut attempt: u32 = 0; + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; loop { attempt += 1; // Clone the body each attempt: reqwest consumes the body, and we @@ -398,7 +430,26 @@ impl BlobBackend for S3BlobBackend { // negligible on the happy path too. let body = bytes.clone(); match self.inner.put_object(&self.bucket, path, body).await { - Ok(_) => return Ok(()), + Ok(result) => { + // The CID returned here is from the *successful* PUT + // attempt — the loop only reaches this `Ok` arm on a + // 200 response. Stale CIDs from prior retried attempts + // never propagate. + let cid = if walkable_v8 { + crate::walkable_v8::verify_etag_matches_ciphertext( + &result.etag, + &bytes, + &self.bucket, + path, + ) + } else { + // Writer flag off — skip the parse entirely so write + // semantics stay byte-identical to v0.5. Readers fall + // through to the storage-key path. + None + }; + return Ok(BlobPutResult { cid }); + } Err(e) if attempt < BLOB_BACKEND_MAX_ATTEMPTS && crate::multipart::is_transient(&e) => @@ -419,6 +470,67 @@ impl BlobBackend for S3BlobBackend { } } } + + /// Walkable-v8 reader (W.9.4) — fetch with a content-address hint + /// so a freshly-installed device can walk a v8 forest from a + /// just-decrypted parent's `LinkV2` pointer when master is + /// unreachable, without requiring the warm-cache `(bucket, key) + /// → cid` table the no-hint variant depends on. + /// + /// When `cid_hint` is `Some(_)` this routes through + /// [`FulaClient::get_object_with_offline_fallback_known_cid`]: master + /// is tried first (fast path; identical latency), and only on a + /// `MasterUnreachable` error does the gateway race engage with + /// the supplied CID. The gateway-race body is content-verified + /// against `cid_hint` via `verify_cid_against_bytes` before + /// returning, so a malicious or buggy gateway cannot inject foreign + /// bytes here. The post-fetch AEAD decrypt + storage_key recompute + /// in `V7NodeStore::decrypt_and_verify` is the additional defense + /// against a malicious parent that pointed `LinkV2` at the right + /// CID but the wrong storage_key. + /// + /// When `cid_hint` is `None` the call is byte-identical to + /// [`get`](Self::get): legacy `Stored(StorageKey)` parent pointers + /// (lazy-migration arm) take this branch and the offline path + /// degrades to the warm-cache lookup as before. + async fn get_with_cid_hint( + &self, + path: &str, + cid_hint: Option<&cid::Cid>, + ) -> fula_crypto::Result> { + let cid = match cid_hint { + Some(c) => c, + None => return self.get(path).await, + }; + let mut attempt: u32 = 0; + loop { + attempt += 1; + match self + .inner + .get_object_with_offline_fallback_known_cid(&self.bucket, path, cid) + .await + { + Ok(result) => return Ok(result.inner.data.to_vec()), + Err(e) + if attempt < BLOB_BACKEND_MAX_ATTEMPTS + && crate::multipart::is_transient(&e) => + { + tracing::debug!( + bucket = %self.bucket, + path = %path, + attempt, + error = %e, + "S3BlobBackend::get_with_cid_hint retrying transient 5xx" + ); + BLOB_BACKEND_RETRY_COUNT + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + tokio::time::sleep(blob_backend_retry_delay()).await; + continue; + } + Err(e) => return Err(client_err_to_crypto(e)), + } + } + } } #[cfg(target_arch = "wasm32")] @@ -437,13 +549,49 @@ impl BlobBackend for S3BlobBackend { Ok(result.inner.data.to_vec()) } - async fn put(&self, path: &str, bytes: Vec) -> fula_crypto::Result<()> { + async fn put(&self, path: &str, bytes: Vec) -> fula_crypto::Result { + // W.9.3: same self-verify gate as the non-wasm impl above. The + // wasm path has no retry loop so we clone the body up-front + // (the post-PUT verify needs the bytes; `put_object` consumes + // them) before dispatching. + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; + let body = if walkable_v8 { Some(bytes.clone()) } else { None }; + let bucket = &self.bucket; self.inner .put_object(&self.bucket, path, bytes) .await - .map(|_| ()) + .map(|result| { + let cid = if walkable_v8 { + let cipher = body.as_deref().unwrap_or(&[]); + crate::walkable_v8::verify_etag_matches_ciphertext( + &result.etag, + cipher, + bucket, + path, + ) + } else { + None + }; + BlobPutResult { cid } + }) .map_err(client_err_to_crypto) } + + /// Walkable-v8 reader (W.9.4) on wasm32 — the offline-fallback + /// infrastructure (block_cache, gateway pool, parking_lot) is + /// compiled out on the browser target, so the cid-hint variant + /// degrades to the no-hint path. The trait-method signature is + /// preserved for API symmetry across targets so `V7NodeStore` + /// compiles unchanged on both. When walkable-v8 grows wasm-side + /// gateway-race support in a later phase this method body will + /// route through it; today it's a thin delegate. + async fn get_with_cid_hint( + &self, + path: &str, + _cid_hint: Option<&cid::Cid>, + ) -> fula_crypto::Result> { + self.get(path).await + } } /// Upload manifest for resumable chunked uploads. @@ -1398,6 +1546,18 @@ impl EncryptedClient { let chunk_key = ChunkedFileMetadata::chunk_key(storage_key, chunk_index as u32); let client = self.inner.clone(); let bucket = bucket.to_string(); + // Walkable-v8 (W.9.4-A2 / task #32): the chunked + // metadata may carry a per-chunk CID hint (see + // `ChunkedFileMetadata.chunk_cids` — populated by the + // writer when `walkable_v8_writer_enabled` was on). + // When present, the cold-cache offline fetch can race + // gateways for the chunk by CID even on a fresh + // device with no warm-cache `(bucket, chunk_key) → + // cid` mapping. When absent (legacy chunked file or + // writer flag off), falls through to the warm-cache + // path which requires a prior master-up read. + #[cfg(not(target_arch = "wasm32"))] + let chunk_cid_hint = chunked_meta.chunk_cid(chunk_index as u32); async move { // Phase 2.4 — route per-chunk fetches through the // offline-fallback wrapper. Chunks themselves carry @@ -1408,13 +1568,29 @@ impl EncryptedClient { // header round-trip needed. Bao streaming verifier // catches truncation / tampering regardless of // which channel served the bytes. + // + // Walkable-v8 (W.9.4-A2): when the chunked metadata + // carries a CID hint for THIS chunk, use the cold- + // cache cid-hint path so a fresh device with no + // warm-cache mapping can still fetch via gateway + // race when master is down. Otherwise fall through + // to the warm-cache path (legacy / pre-W.9.4-A2 + // chunked files). #[cfg(not(target_arch = "wasm32"))] let data = fetch_chunk_with_timeout( async { - client - .get_object_with_offline_fallback(&bucket, &chunk_key) - .await - .map(|r| r.inner.data) + match chunk_cid_hint { + Some(cid) => client + .get_object_with_offline_fallback_known_cid( + &bucket, &chunk_key, &cid, + ) + .await + .map(|r| r.inner.data), + None => client + .get_object_with_offline_fallback(&bucket, &chunk_key) + .await + .map(|r| r.inner.data), + } }, chunk_index as u32, per_chunk_timeout, @@ -2575,6 +2751,11 @@ impl EncryptedClient { let now = chrono::Utc::now().timestamp(); let dir_index_etag = manifest.root.dir_index_etag.clone(); + // Walkable-v8 (W.9.4): pluck `dir_index_cid` from + // the just-decrypted root and pass it through. + // Cloned because the manifest is moved into + // `from_manifest` below. + let dir_index_cid = manifest.root.dir_index_cid; let dir_index_seq_pin = manifest.root.dir_index_seq; let mut forest = ShardedHamtPrivateForest::from_manifest( manifest, @@ -2590,6 +2771,7 @@ impl EncryptedClient { bucket, &forest_dek, dir_index_etag.as_deref(), + dir_index_cid.as_ref(), dir_index_seq_pin, ) .await? @@ -3604,6 +3786,11 @@ impl EncryptedClient { // migration gap where deferred-upload paths leave a bucket on // legacy=true plaintext until the next root commit. let lookup_h_hex = self.compute_bucket_lookup_h_hex(bucket); + // Walkable-v8 (W.9.3): hoist the writer flag above both the page + // loop and the dir-index commit so every Phase 1.5/1.6 PUT in + // this flush sees the same Config snapshot. Reading it once up + // front also avoids a per-PUT atomic read of the config field. + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; for page_id in dirty_pages.iter().copied() { let page = manifest_snapshot.pages.get_mut(&page_id) .ok_or_else(|| ClientError::Encryption( @@ -3630,6 +3817,18 @@ impl EncryptedClient { let envelope = EncryptedManifestPage::encrypt(page, &forest_dek, bucket) .map_err(ClientError::Encryption)?; let blob = envelope.to_bytes().map_err(ClientError::Encryption)?; + // Walkable-v8 (W.9.3): pre-compute `BLAKE3(blob)` so the + // post-PUT self-verify can compare master's ETag-attested CID + // to a CID we computed locally (defense-in-depth against a + // compromised master attesting an attacker-chosen CID). Cheap + // ~1 GB/s SIMD hash; only computed when the writer flag is on + // so v0.5-default behaviour stays byte-identical. `walkable_v8` + // hoisted to flush-loop scope above so Phase 1.6 below sees it. + let expected_page_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(&blob)) + } else { + None + }; let page_key = derive_manifest_page_key(&forest_dek, bucket, &shard_salt, page_id); let metadata = ObjectMetadata::new() .with_content_type("application/octet-stream") @@ -3714,9 +3913,24 @@ impl EncryptedClient { ) { tracing::warn!(%bucket, page_id, error = %e, "WAL append post-PUT PageWrote failed"); } + // Walkable-v8 (W.9.3): stamp the CID hint into the new + // PageRef when the writer flag is on AND master's etag both + // parses as a CID and matches our locally-computed + // BLAKE3(blob). On any failure, falls back to `cid: None` + // — readers walk via the storage_key path. The hash was + // pre-computed before `Bytes::from(blob)` consumed the body. + let page_cid = match (walkable_v8, expected_page_cid, etag.as_deref()) { + (true, Some(expected), Some(et)) => { + crate::walkable_v8::verify_etag_against_expected_cid( + et, expected, bucket, &page_key, + ) + } + _ => None, + }; manifest_snapshot.root.page_index.insert(page_id, PageRef { etag, seq: page.seq, + cid: page_cid, }); } @@ -3751,6 +3965,15 @@ impl EncryptedClient { next_dir_seq, ).map_err(ClientError::Encryption)?; let blob = envelope.to_bytes().map_err(ClientError::Encryption)?; + // Walkable-v8 (W.9.3): pre-compute `BLAKE3(dir-index blob)` for + // post-PUT self-verify. Reuses the same per-flush gate value + // captured before Phase 1.5 above (every page in this flush + // shares the same Config.walkable_v8_writer_enabled snapshot). + let expected_dir_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(&blob)) + } else { + None + }; let dir_key = derive_dir_index_key(&forest_dek, bucket); let metadata = ObjectMetadata::new() .with_content_type("application/octet-stream") @@ -3818,8 +4041,18 @@ impl EncryptedClient { ) { tracing::warn!(%bucket, error = %e, "WAL append post-PUT DirIndexWrote failed"); } + // Walkable-v8 (W.9.3): stamp dir_index_cid via self-verify. + let dir_index_cid = match (walkable_v8, expected_dir_cid, new_dir_etag.as_deref()) { + (true, Some(expected), Some(et)) => { + crate::walkable_v8::verify_etag_against_expected_cid( + et, expected, bucket, &dir_key, + ) + } + _ => None, + }; manifest_snapshot.root.dir_index_etag = new_dir_etag; manifest_snapshot.root.dir_index_seq = Some(next_dir_seq); + manifest_snapshot.root.dir_index_cid = dir_index_cid; Some(next_dir_seq) } else { None @@ -4098,11 +4331,19 @@ impl EncryptedClient { // and the CID-hint method itself is too. On wasm we just // route through the no-hint wrapper, which already handles // master-up (the only fetch path supported on wasm anyway). + // Walkable-v8 (W.9.4): prefer the explicit `page_ref.cid` + // field stamped by the W.9.3 writer (which self-verified + // the master-attested CID against `BLAKE3(page_blob)` at + // write time). Etag-parse fallback covers pre-W.9.3 buckets + // and remains correct only because master uses + // `cid.to_string()` as the etag — but the explicit field is + // strictly more trustworthy. See helper docs for the + // precedence rationale + the unit test that pins it. #[cfg(not(target_arch = "wasm32"))] - let cid_hint: Option = page_ref - .etag - .as_deref() - .and_then(|s| s.parse::().ok()); + let cid_hint: Option = crate::walkable_v8::cid_hint_from_manifest_field_or_etag( + page_ref.cid.as_ref(), + page_ref.etag.as_deref(), + ); #[cfg(not(target_arch = "wasm32"))] let (blob, observed_etag) = match cid_hint { Some(cid) => self @@ -4201,9 +4442,26 @@ impl EncryptedClient { // reflect master's actual page objects, not the manifest's possibly- // stale recording. Subsequent Phase 1.5 conditional PUTs use these // values for `If-Match` and converge with master's state. + // + // Walkable-v8 (#52): the override path previously hardcoded + // `cid: None`, dropping any recoverable CID hint from master's + // returned etag. That left the in-memory `PageRef.cid` empty + // until the next flush re-stamped it — degrading W.9.4 offline + // reads to v0.5 fidelity in the load-after-master-divergence + // window. Master returns `cid.to_string()` as the etag for v8 + // page PUTs (per the W.9.3 writer contract), so the same + // `cid_hint_from_manifest_field_or_etag` helper that the + // reader uses elsewhere recovers the CID here. let mut root = root; for (page_id, etag, seq) in page_overrides { - root.page_index.insert(page_id, PageRef { etag, seq }); + #[cfg(not(target_arch = "wasm32"))] + let cid = crate::walkable_v8::cid_hint_from_manifest_field_or_etag( + None, + etag.as_deref(), + ); + #[cfg(target_arch = "wasm32")] + let cid: Option = None; + root.page_index.insert(page_id, PageRef { etag, seq, cid }); } ShardManifestV7::from_root_and_pages(root, pages) .map_err(ClientError::Encryption) @@ -4227,6 +4485,7 @@ impl EncryptedClient { bucket: &str, forest_dek: &fula_crypto::keys::DekKey, expected_etag: Option<&str>, + expected_cid: Option<&cid::Cid>, expected_seq: Option, ) -> std::result::Result)>, ClientError> { let key = derive_dir_index_key(forest_dek, bucket); @@ -4244,12 +4503,26 @@ impl EncryptedClient { // warm-cache mapping can still race the gateway pool. The // master-up path is identical regardless of hint. // + // Walkable-v8 (W.9.4): the explicit `expected_cid` argument + // (= `manifest.root.dir_index_cid`, stamped + self-verified + // by the W.9.3 writer) takes precedence over `expected_etag` + // when present. The etag-parse fallback covers buckets + // committed pre-W.9.3 (when only `dir_index_etag` was + // populated) and remains correct because master uses + // `cid.to_string()` as the etag — but the explicit field is + // strictly more trustworthy: it survived the writer's + // self-verify-against-BLAKE3(blob) step, while the etag + // fallback only happens to be a CID by master's current + // convention. + // // Native-only: `cid` crate + the CID-hint method are gated to // non-wasm targets. wasm builds keep the no-hint wrapper // (master-only path). #[cfg(not(target_arch = "wasm32"))] - let cid_hint: Option = - expected_etag.and_then(|s| s.parse::().ok()); + let cid_hint: Option = crate::walkable_v8::cid_hint_from_manifest_field_or_etag( + expected_cid, + expected_etag, + ); // Helper: turn the offline-fallback GetObjectResult into // `(blob, Option)`. Empty etag → None. Used by both // native and wasm branches below so the etag-capture stays uniform. @@ -4672,6 +4945,15 @@ impl EncryptedClient { }); } }; + // Walkable-v8 (W.9.3): mirror the flush_forest path's pre-PUT + // hash so the v1→v7 migration's freshly-written pages also + // carry CID hints when the writer flag is on. + let walkable_v8_mig = self.inner.config().walkable_v8_writer_enabled; + let expected_page_cid = if walkable_v8_mig { + Some(crate::walkable_v8::local_blake3_raw_cid(&blob)) + } else { + None + }; let page_key = derive_manifest_page_key(forest_dek, bucket, &shard_salt, page_id); // If-None-Match=*: migration uses a fresh random shard_salt, so each // page key is first-ever on this bucket. Any 412 here means another @@ -4714,9 +4996,20 @@ impl EncryptedClient { ) { tracing::warn!(%bucket, page_id, error = %e, "migration: WAL append post-PUT PageWrote failed"); } + // Walkable-v8 (W.9.3): same self-verify pattern as the + // flush_forest path above. + let page_cid = match (walkable_v8_mig, expected_page_cid, etag.as_deref()) { + (true, Some(expected), Some(et)) => { + crate::walkable_v8::verify_etag_against_expected_cid( + et, expected, bucket, &page_key, + ) + } + _ => None, + }; manifest_snapshot.root.page_index.insert(page_id, PageRef { etag, seq: page.seq, + cid: page_cid, }); } @@ -4752,6 +5045,15 @@ impl EncryptedClient { }); } }; + // Walkable-v8 (W.9.3): mirror flush_forest's pre-PUT hash for + // the dir-index PUT so v1→v7 migrations also stamp dir_index_cid + // when the writer flag is on. + let walkable_v8_dir_mig = self.inner.config().walkable_v8_writer_enabled; + let expected_dir_index_cid = if walkable_v8_dir_mig { + Some(crate::walkable_v8::local_blake3_raw_cid(&dir_index_blob)) + } else { + None + }; let dir_index_key = derive_dir_index_key(forest_dek, bucket); // Unconditional overwrite is required: the dir-index key is stable // across migrations (no shard_salt in its derivation), so a legitimate @@ -4790,8 +5092,23 @@ impl EncryptedClient { ) { tracing::warn!(%bucket, error = %e, "migration: WAL append post-PUT DirIndexWrote failed"); } + // Walkable-v8 (W.9.3): stamp dir_index_cid via self-verify, same + // pattern as flush_forest's Phase 1.6 above. + let dir_index_cid_mig = match ( + walkable_v8_dir_mig, + expected_dir_index_cid, + new_dir_index_etag.as_deref(), + ) { + (true, Some(expected), Some(et)) => { + crate::walkable_v8::verify_etag_against_expected_cid( + et, expected, bucket, &dir_index_key, + ) + } + _ => None, + }; manifest_snapshot.root.dir_index_etag = new_dir_index_etag; manifest_snapshot.root.dir_index_seq = Some(dir_index_seq); + manifest_snapshot.root.dir_index_cid = dir_index_cid_mig; let manifest_seq: u64 = 1; let manifest_data = match EncryptedShardManifestV7::encrypt_v7( @@ -5042,15 +5359,23 @@ impl EncryptedClient { let is_chunked_upload = should_use_chunked(data.len()); // Check if we need chunked upload (for IPFS block size limit). - // Both branches return `(PutObjectResult, enc_metadata_json)` so - // the post-upload code below can stash the JSON onto the forest - // entry's `user_metadata`. That stash is the load-bearing change - // for offline / cold-start encrypted reads: the forest blob is + // + // Both branches return `(PutObjectResult, enc_metadata_json, + // Option)`. The third element is walkable-v8 (W.9.3): the + // verified CID of the index/single object, which the caller + // stamps into `ForestFileEntry.storage_cid`. + // + // The `enc_metadata_json` stash is the load-bearing change for + // offline / cold-start encrypted reads: the forest blob is // AEAD-encrypted with `forest_dek` (derived from the user's // KEK), so the metadata travels privately, while making the // SDK self-sufficient when HTTP user-metadata headers are // unavailable (gateway path, warm-cache path). - let (result, enc_metadata_json): (PutObjectResult, String) = if is_chunked_upload { + let (result, enc_metadata_json, index_cid_opt): ( + PutObjectResult, + String, + Option, + ) = if is_chunked_upload { // CHUNKED UPLOAD: Split into chunks under IPFS 1MB limit self.put_object_chunked_internal( bucket, @@ -5087,6 +5412,17 @@ impl EncryptedClient { .with_metadata("x-fula-encrypted", "true") .with_metadata("x-fula-encryption", &enc_metadata_str); + // Walkable-v8 (W.9.3): pre-compute `BLAKE3(ciphertext)` for + // post-PUT self-verify before `Bytes::from(ciphertext)` + // consumes the buffer. Skip when the flag is off so the + // hash isn't computed for v0.5-default writes. + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; + let expected_obj_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(&ciphertext)) + } else { + None + }; + let put_result = if let Some(ref pinning) = self.pinning { self.inner.put_object_with_metadata_and_pinning( bucket, @@ -5104,9 +5440,32 @@ impl EncryptedClient { Some(metadata), ).await? }; - (put_result, enc_metadata_str) + + // Walkable-v8 (W.9.3): verify and surface the CID for the + // caller to stamp into ForestFileEntry.storage_cid. None on + // any failure path — readers fall back to the storage_key + // path. + let cid = match (walkable_v8, expected_obj_cid) { + (true, Some(expected)) => crate::walkable_v8::verify_etag_against_expected_cid( + &put_result.etag, + expected, + bucket, + &storage_key, + ), + _ => None, + }; + (put_result, enc_metadata_str, cid) }; + // Walkable-v8 (W.9.3): stamp the index/single-object CID hint + // onto the forest entry BEFORE upsert. Offline readers walk + // ForestFileEntry → storage_cid → fetch via gateway race when + // master is down. None when the writer flag is off or + // self-verify failed; reads fall through to the storage_key + // path. Per-chunk hints are not surfaced — that needs a + // ChunkedFileMetadata wire-format extension (followup #32). + forest_entry.storage_cid = index_cid_opt; + // Stash the encryption metadata onto the forest entry. The forest // blob is AEAD-encrypted with `forest_dek` (derived from user's // KEK), so the metadata is privacy-preserving — only the user @@ -5248,6 +5607,14 @@ impl EncryptedClient { /// powers the offline / cold-start decrypt paths without leaking /// any plaintext (the JSON only travels inside the AEAD-encrypted /// forest blob). + /// Walkable-v8 (W.9.3): the third tuple element is the parsed CID + /// of the **index object** (the small JSON metadata blob master + /// returns the etag for at the bucket-key path), self-verified + /// against `BLAKE3(index_body)`. `Some(cid)` when the writer flag + /// is on and verification succeeds; `None` otherwise. Caller + /// stamps it into `ForestFileEntry.storage_cid`. Per-chunk CIDs + /// are NOT surfaced — that needs a `ChunkedFileMetadata` wire + /// format extension (followup task #32). async fn put_object_chunked_internal( &self, bucket: &str, @@ -5257,7 +5624,7 @@ impl EncryptedClient { wrapped_dek: &EncryptedData, encrypted_meta: &EncryptedPrivateMetadata, kek_version: u32, - ) -> Result<(PutObjectResult, String)> { + ) -> Result<(PutObjectResult, String, Option)> { // Create chunked encoder with AAD binding chunks to storage key let aad_prefix = format!("fula:v4:chunk:{}", storage_key); let mut encoder = ChunkedEncoder::with_aad(dek.clone(), aad_prefix); @@ -5267,13 +5634,21 @@ impl EncryptedClient { .map_err(ClientError::Encryption)?; // Finalize to get last chunk and metadata - let (final_chunk, chunked_metadata, _outboard) = encoder.finalize() + let (final_chunk, mut chunked_metadata, _outboard) = encoder.finalize() .map_err(ClientError::Encryption)?; - + if let Some(chunk) = final_chunk { all_chunks.push(chunk); } - + + // Walkable-v8 (W.9.4-A2 / task #32): per-chunk CID hints for + // offline reads. Read the writer flag once up front; use it + // both for the per-chunk pre-PUT BLAKE3 hash and for the + // post-PUT verify. When off, every chunk's verified CID stays + // None and the metadata's `chunk_cids` Vec stays empty + // (skip_serializing_if keeps it off the wire). + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; + // Upload chunks in parallel with bounded concurrency. Using // futures::stream::buffer_unordered rather than tokio::spawn so the // same code runs on wasm32 (where tokio has no multi-thread runtime). @@ -5286,13 +5661,25 @@ impl EncryptedClient { .with_metadata("x-fula-chunk", "true") .with_metadata("x-fula-chunk-index", &chunk.index.to_string()); + // W.9.4-A2: pre-compute the chunk's expected CID before + // `chunk.ciphertext` is moved into the PUT call. `Bytes` + // cloning is cheap (Arc-based) so the post-PUT verify + // doesn't re-hash the body — we already have the + // expected CID from this pre-computation. + let expected_chunk_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(&chunk.ciphertext)) + } else { + None + }; + let chunk_index_for_collect = chunk.index; + let client = self.inner.clone(); let bucket = bucket.to_string(); let pinning = pinning.clone(); let chunk_key_ret = chunk_key.clone(); async move { - if let Some(ref pin) = pinning { + let put_result = if let Some(ref pin) = pinning { client.put_object_with_metadata_and_pinning( &bucket, &chunk_key, @@ -5300,31 +5687,59 @@ impl EncryptedClient { Some(chunk_metadata), &pin.endpoint, &pin.token, - ).await?; + ).await? } else { client.put_object_with_metadata( &bucket, &chunk_key, chunk.ciphertext, Some(chunk_metadata), - ).await?; - } - Ok::(chunk_key_ret) + ).await? + }; + // W.9.4-A2: verify master's etag-attested CID against + // the pre-computed BLAKE3(ciphertext). Mismatch + // soft-fails to None — chunk PUT succeeded, only the + // offline-walk hint for THIS chunk is missing; the + // reader falls back to storage_key for that chunk. + let chunk_cid = match (walkable_v8, expected_chunk_cid) { + (true, Some(expected)) => crate::walkable_v8::verify_etag_against_expected_cid( + &put_result.etag, + expected, + &bucket, + &chunk_key, + ), + _ => None, + }; + Ok::<(String, u32, Option), ClientError>(( + chunk_key_ret, + chunk_index_for_collect, + chunk_cid, + )) } }); - let results: Vec> = futures::stream::iter(futs) - .buffer_unordered(Self::MAX_CONCURRENT_CHUNK_UPLOADS) - .collect() - .await; + let results: Vec), ClientError>> = + futures::stream::iter(futs) + .buffer_unordered(Self::MAX_CONCURRENT_CHUNK_UPLOADS) + .collect() + .await; // Track successfully uploaded chunk keys so we can clean them up if - // any upload in the batch failed. + // any upload in the batch failed. W.9.4-A2: also collect per-chunk + // CIDs indexed by chunk_index (NOT result-iteration order — the + // futures stream is unordered). let mut uploaded_keys: Vec = Vec::new(); + let mut chunk_cids: Vec> = + vec![None; chunked_metadata.num_chunks as usize]; let mut upload_error: Option = None; for result in results { match result { - Ok(key) => uploaded_keys.push(key), + Ok((key, index, cid)) => { + uploaded_keys.push(key); + if let Some(slot) = chunk_cids.get_mut(index as usize) { + *slot = cid; + } + } Err(e) => { if upload_error.is_none() { upload_error = Some(e); } } } } @@ -5336,7 +5751,18 @@ impl EncryptedClient { } return Err(err); } - + + // W.9.4-A2: stamp the per-chunk CID Vec into the metadata + // BEFORE serializing the index body. When walkable_v8 is off, + // chunk_cids is all-None and `populate_chunk_cids` writes an + // all-None Vec; the wire stays compact but a parallel-empty + // Vec uses ~num_chunks bytes of postcard space. To stay + // 100% byte-identical to v0.5 wire output when the flag is + // off, only populate when at least one chunk has Some(cid). + if walkable_v8 && chunk_cids.iter().any(|c| c.is_some()) { + chunked_metadata.populate_chunk_cids(chunk_cids); + } + // Create index object with encryption metadata and chunk info let enc_metadata = serde_json::json!({ "version": 4, @@ -5356,7 +5782,18 @@ impl EncryptedClient { .with_metadata("x-fula-encrypted", "true") .with_metadata("x-fula-chunked", "true") .with_metadata("x-fula-encryption", &index_body); - + + // Walkable-v8 (W.9.3): pre-compute `BLAKE3(index_body)` so the + // post-PUT self-verify can compare master's etag-attested CID + // against a CID we computed locally. Cheap; only when the + // writer flag is on. + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; + let expected_index_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(index_body.as_bytes())) + } else { + None + }; + // Upload index object. If this fails after all chunks were successfully // uploaded, we must compensate by deleting the chunks — otherwise the // upload is non-atomic and leaks storage. @@ -5389,11 +5826,26 @@ impl EncryptedClient { } }; - // Return both the upload result AND the JSON metadata the caller - // will stash on the forest entry. `index_body` IS the same JSON - // we just persisted as the index object's body and HTTP header - // — handing it back avoids the caller re-serializing. - Ok((result, index_body)) + // Walkable-v8 (W.9.3): self-verify the index-object CID. Caller + // stamps it into `ForestFileEntry.storage_cid` so an offline + // reader can fetch this index blob via gateway race when master + // is down. + let index_cid = match (walkable_v8, expected_index_cid) { + (true, Some(expected)) => crate::walkable_v8::verify_etag_against_expected_cid( + &result.etag, + expected, + bucket, + storage_key, + ), + _ => None, + }; + + // Return the upload result, the JSON metadata the caller will + // stash on the forest entry, and the verified index-object CID. + // `index_body` IS the same JSON we just persisted as the index + // object's body and HTTP header — handing it back avoids the + // caller re-serializing. + Ok((result, index_body, index_cid)) } /// Upload an object with resumable chunked encoding. @@ -5416,6 +5868,13 @@ impl EncryptedClient { let data = data.into(); let original_size = data.len() as u64; + // #82: forest must be loaded before any chunk PUT so a load + // failure (e.g., master unreachable) surfaces before chunks + // are uploaded — avoids creating orphan blobs that the + // caller didn't agree to. The post-upload register step + // below depends on this seeding. + self.ensure_forest_loaded(bucket).await?; + let dek = self.encryption.key_manager.generate_dek(); let encryptor = Encryptor::new(self.encryption.public_key()); let wrapped_dek = encryptor.encrypt_dek(&dek) @@ -5438,23 +5897,30 @@ impl EncryptedClient { let aad_prefix = format!("fula:v4:chunk:{}", storage_key); let mut encoder = ChunkedEncoder::with_aad(dek.clone(), aad_prefix); let mut all_chunks = encoder.update(&data).map_err(ClientError::Encryption)?; - let (final_chunk, chunked_metadata, _outboard) = encoder.finalize() + let (final_chunk, mut chunked_metadata, _outboard) = encoder.finalize() .map_err(ClientError::Encryption)?; if let Some(chunk) = final_chunk { all_chunks.push(chunk); } - // Build the index metadata JSON (same as put_object_chunked_internal) - let index_metadata_json = serde_json::json!({ - "version": 4, - "algorithm": "AES-256-GCM", - "wrapped_key": serde_json::to_value(&wrapped_dek).unwrap(), - "kek_version": kek_version, - "metadata_privacy": true, - "obfuscation_mode": "flat", - "private_metadata": encrypted_meta.to_json().map_err(ClientError::Encryption)?, - "chunked": serde_json::to_value(&chunked_metadata).unwrap(), - }).to_string(); + // Walkable-v8 (#80 / W.9.4-A2 port to resumable): per-chunk + // CID hints. Mirror `put_object_chunked_internal`'s pattern — + // pre-compute `BLAKE3(chunk.ciphertext)` BEFORE the spawn + // moves the body, post-PUT verify against master's etag, and + // populate `chunked_metadata.chunk_cids` after the parallel + // upload completes. Without this, files uploaded via the + // resumable path land with empty `chunk_cids` → reader + // falls back to the warm-cache path (still works, just no + // cold-cache gateway race for fresh devices). + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; + let num_chunks_total = all_chunks.len(); + + // Build the index metadata JSON skeleton — `chunked_metadata` + // gets `populate_chunk_cids` BEFORE the JSON is serialized + // post-upload (or we hold on to the un-serialized form here + // and serialize after). For the resumable path the JSON + // lives in the persisted UploadManifest, so we serialize the + // CID-stamped form just before the manifest save. // Write manifest before uploading any chunks let manifest_chunks: Vec = all_chunks.iter().map(|c| { @@ -5465,13 +5931,31 @@ impl EncryptedClient { } }).collect(); + // Initial manifest WITHOUT chunk_cids — they're not known + // until each chunk's PUT returns its etag. Serialize the + // pre-CID-stamped JSON for the on-disk manifest's + // `index_metadata_json` so a crash-mid-upload still has a + // resumable record. The post-upload finalize will rewrite + // `index_metadata_json` with the CID-stamped form before the + // index PUT. + let initial_index_metadata_json = serde_json::json!({ + "version": 4, + "algorithm": "AES-256-GCM", + "wrapped_key": serde_json::to_value(&wrapped_dek).unwrap(), + "kek_version": kek_version, + "metadata_privacy": true, + "obfuscation_mode": "flat", + "private_metadata": encrypted_meta.to_json().map_err(ClientError::Encryption)?, + "chunked": serde_json::to_value(&chunked_metadata).unwrap(), + }).to_string(); + let mut manifest = UploadManifest { bucket: bucket.to_string(), storage_key: storage_key.clone(), original_key: key.to_string(), num_chunks: all_chunks.len() as u32, chunks: manifest_chunks, - index_metadata_json, + index_metadata_json: initial_index_metadata_json, }; manifest.save(manifest_path)?; @@ -5491,33 +5975,64 @@ impl EncryptedClient { .with_content_type("application/octet-stream") .with_metadata("x-fula-chunk-index", &chunk.index.to_string()); + // W.9.4-A2 / #80: pre-compute the chunk's expected CID + // before `chunk.ciphertext` is moved into the spawn. + // `Bytes` cloning is Arc-cheap so the post-PUT verify + // doesn't re-hash the body. + let expected_chunk_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(&chunk.ciphertext)) + } else { + None + }; + let handle = tokio::spawn(async move { let _permit = sem.acquire().await.map_err(|e| ClientError::Encryption(fula_crypto::CryptoError::Decryption(e.to_string())) )?; - if let Some(ref pin) = pinning { + let put_result = if let Some(ref pin) = pinning { client.put_object_with_metadata_and_pinning( &bucket_owned, &chunk_key, chunk.ciphertext, Some(chunk_metadata), &pin.endpoint, &pin.token, - ).await?; + ).await? } else { client.put_object_with_metadata( &bucket_owned, &chunk_key, chunk.ciphertext, Some(chunk_metadata), - ).await?; - } - Ok::<(u32, String), ClientError>((chunk_idx, chunk_key_ret)) + ).await? + }; + // W.9.4-A2 / #80: verify master's etag-attested CID + // against pre-computed BLAKE3(ciphertext). Mismatch + // soft-fails to None for THIS chunk only; PUT still + // succeeded so the chunk is stored, only the + // offline-walk hint is missing for it. + let chunk_cid = match (walkable_v8, expected_chunk_cid) { + (true, Some(expected)) => crate::walkable_v8::verify_etag_against_expected_cid( + &put_result.etag, + expected, + &bucket_owned, + &chunk_key, + ), + _ => None, + }; + Ok::<(u32, String, Option), ClientError>((chunk_idx, chunk_key_ret, chunk_cid)) }); handles.push(handle); } - // Collect results, updating manifest as chunks complete + // Collect results, updating manifest as chunks complete. + // W.9.4-A2 / #80: also collect per-chunk CIDs indexed by + // chunk_index (NOT JoinHandle order — tokio::spawn is + // unordered). let mut upload_error: Option = None; + let mut chunk_cids: Vec> = vec![None; num_chunks_total]; for handle in handles { match handle.await { - Ok(Ok((idx, _key))) => { + Ok(Ok((idx, _key, cid))) => { if let Some(mc) = manifest.chunks.iter_mut().find(|c| c.index == idx) { mc.uploaded = true; } + if let Some(slot) = chunk_cids.get_mut(idx as usize) { + *slot = cid; + } let _ = manifest.save(manifest_path); } Ok(Err(e)) => { if upload_error.is_none() { upload_error = Some(e); } } @@ -5537,8 +6052,39 @@ impl EncryptedClient { return Err(err); } - // All chunks uploaded — finalize - self.finalize_resumed_upload(&manifest, manifest_path).await + // W.9.4-A2 / #80: stamp per-chunk CIDs into the metadata + // BEFORE the index PUT (which finalize_resumed_upload runs). + // Same gate as `put_object_chunked_internal` — only populate + // when at least one chunk has Some(cid), keeps wire format + // byte-identical to v0.5 when flag is off or all etags + // failed to parse. + if walkable_v8 && chunk_cids.iter().any(|c| c.is_some()) { + chunked_metadata.populate_chunk_cids(chunk_cids); + // Re-serialize the index_metadata_json with the + // CID-stamped chunked metadata. Update the manifest's + // on-disk record so a crash between this save and the + // index PUT recovers the CID-stamped form on retry. + let updated_index_json = serde_json::json!({ + "version": 4, + "algorithm": "AES-256-GCM", + "wrapped_key": serde_json::to_value(&wrapped_dek).unwrap(), + "kek_version": kek_version, + "metadata_privacy": true, + "obfuscation_mode": "flat", + "private_metadata": encrypted_meta.to_json().map_err(ClientError::Encryption)?, + "chunked": serde_json::to_value(&chunked_metadata).unwrap(), + }).to_string(); + manifest.index_metadata_json = updated_index_json; + // Persist the rewritten manifest so a crash here doesn't + // leave the chunked-CID work unrecorded. + let _ = manifest.save(manifest_path); + } + + // All chunks uploaded — finalize and register in the + // encrypted forest (#82). `private_meta` is in scope from + // earlier in this function so the registration helper can + // build a `ForestFileEntry` mirroring the non-resumable path. + self.finalize_and_register_resumed_upload(&manifest, manifest_path, &private_meta).await } /// Upload an object from an async reader, encrypting and uploading chunks @@ -5560,6 +6106,10 @@ impl EncryptedClient { total_size: u64, content_type: Option<&str>, ) -> Result { + // #82: same precondition as `put_object_encrypted_resumable` + // — surface forest-load failure before any chunk PUT. + self.ensure_forest_loaded(bucket).await?; + // Generate a DEK for this object let dek = self.encryption.key_manager.generate_dek(); @@ -5584,7 +6134,7 @@ impl EncryptedClient { .map_err(ClientError::Encryption)?; // H-1: grab the content hash before `finalize` consumes the encoder. let content_hash = encoder.content_hash_hex(); - let (chunked_metadata, _outboard) = encoder.finalize(); + let (mut chunked_metadata, _outboard) = encoder.finalize(); // Create private metadata (deferred until after streaming so the // BLAKE3 content hash computed over the plaintext stream lands on @@ -5595,6 +6145,17 @@ impl EncryptedClient { let encrypted_meta = EncryptedPrivateMetadata::encrypt(&private_meta, &dek) .map_err(ClientError::Encryption)?; + // Walkable-v8 (#80 / W.9.4-A2 port to streaming): mirror the + // resumable + chunked-internal pattern. Pre-compute + // BLAKE3(chunk.ciphertext) before each spawn moves the body, + // post-PUT verify, build Vec> indexed by + // chunk_index, populate_chunk_cids before serializing the + // index body. Without this, files uploaded via the streaming + // path land with empty `chunk_cids` and fall back to the + // warm-cache path on offline reads. + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; + let num_chunks_total = all_chunks.len(); + // Upload chunks in parallel with bounded concurrency let semaphore = Arc::new(tokio::sync::Semaphore::new(Self::MAX_CONCURRENT_CHUNK_UPLOADS)); let mut handles = Vec::with_capacity(all_chunks.len()); @@ -5602,6 +6163,7 @@ impl EncryptedClient { for chunk in all_chunks { let chunk_key = ChunkedFileMetadata::chunk_key(&storage_key, chunk.index); let chunk_key_ret = chunk_key.clone(); + let chunk_idx = chunk.index; let sem = semaphore.clone(); let client = self.inner.clone(); let bucket = bucket.to_string(); @@ -5610,32 +6172,60 @@ impl EncryptedClient { .with_metadata("x-fula-chunk-index", &chunk.index.to_string()); let pinning = self.pinning.clone(); + // W.9.4-A2 / #80: pre-compute the chunk's expected CID + // before the spawn moves `chunk.ciphertext`. + let expected_chunk_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(&chunk.ciphertext)) + } else { + None + }; + let handle = tokio::spawn(async move { let _permit = sem.acquire().await.map_err(|e| ClientError::Encryption(fula_crypto::CryptoError::Decryption(e.to_string())) )?; - if let Some(ref pin) = pinning { + let put_result = if let Some(ref pin) = pinning { client.put_object_with_metadata_and_pinning( &bucket, &chunk_key, chunk.ciphertext, Some(chunk_metadata), &pin.endpoint, &pin.token, - ).await?; + ).await? } else { client.put_object_with_metadata( &bucket, &chunk_key, chunk.ciphertext, Some(chunk_metadata), - ).await?; - } - Ok::(chunk_key_ret) + ).await? + }; + // W.9.4-A2 / #80: post-PUT verify — same soft-fail + // semantics as the resumable + chunked-internal + // paths. + let chunk_cid = match (walkable_v8, expected_chunk_cid) { + (true, Some(expected)) => crate::walkable_v8::verify_etag_against_expected_cid( + &put_result.etag, + expected, + &bucket, + &chunk_key, + ), + _ => None, + }; + Ok::<(u32, String, Option), ClientError>((chunk_idx, chunk_key_ret, chunk_cid)) }); handles.push(handle); } - // Collect results — track uploaded chunk keys for cleanup on failure + // Collect results — track uploaded chunk keys for cleanup on + // failure. W.9.4-A2 / #80: also collect per-chunk CIDs + // indexed by chunk_index. let mut uploaded_keys: Vec = Vec::new(); + let mut chunk_cids: Vec> = vec![None; num_chunks_total]; let mut upload_error: Option = None; for handle in handles { match handle.await { - Ok(Ok(key)) => uploaded_keys.push(key), + Ok(Ok((idx, key, cid))) => { + uploaded_keys.push(key); + if let Some(slot) = chunk_cids.get_mut(idx as usize) { + *slot = cid; + } + } Ok(Err(e)) => { if upload_error.is_none() { upload_error = Some(e); } } Err(e) => { if upload_error.is_none() { @@ -5654,6 +6244,15 @@ impl EncryptedClient { return Err(err); } + // W.9.4-A2 / #80: stamp per-chunk CIDs into the metadata + // BEFORE serializing the index body. Same gate as the + // sister paths — only populate when at least one chunk has + // Some(cid), keeps wire format byte-identical to v0.5 when + // flag is off or all etags failed to parse. + if walkable_v8 && chunk_cids.iter().any(|c| c.is_some()) { + chunked_metadata.populate_chunk_cids(chunk_cids); + } + // Create index object with encryption metadata let enc_metadata = serde_json::json!({ "version": 4, @@ -5673,6 +6272,15 @@ impl EncryptedClient { .with_metadata("x-fula-chunked", "true") .with_metadata("x-fula-encryption", &index_body); + // Walkable-v8 (#82): pre-compute BLAKE3 of the index body so + // we can verify against master's etag and stamp the CID into + // the forest entry. Same pattern as `finalize_resumed_upload`. + let expected_index_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(index_body.as_bytes())) + } else { + None + }; + let result = if let Some(ref pinning) = self.pinning { self.inner.put_object_with_metadata_and_pinning( bucket, &storage_key, Bytes::from(index_body.clone()), @@ -5684,6 +6292,28 @@ impl EncryptedClient { ).await? }; + let index_cid = match (walkable_v8, expected_index_cid) { + (true, Some(expected)) => crate::walkable_v8::verify_etag_against_expected_cid( + &result.etag, + expected, + bucket, + &storage_key, + ), + _ => None, + }; + + // #82: register in encrypted forest so this file appears in + // offline forest walks. `private_meta` is in scope from + // earlier in the function. + self.register_encrypted_chunked_upload_in_forest( + bucket, + key, + &storage_key, + index_cid, + &index_body, + &private_meta, + ).await?; + Ok(result) } @@ -5703,20 +6333,31 @@ impl EncryptedClient { ) -> Result { let mut manifest = UploadManifest::load(manifest_path)?; - if manifest.remaining() == 0 { - // All chunks uploaded — just finalize the index - return self.finalize_resumed_upload(&manifest, manifest_path).await; - } - - // Re-encrypt only the missing chunks. - // We need the same DEK and AAD, which are embedded in the index metadata. - // Parse the index metadata to extract the chunked metadata (nonces etc.) + // #82: parse index metadata once for use across paths. + // The wrapped_key + private_meta decrypt happen LATER (post + // BAO) in the main path, and inline in the early-return + // path. The F1 nonce-reuse-protection tests pin a contract + // where wrapped_key parse must NOT run before BAO for + // wrong-data inputs — keep that ordering strictly. let index_meta: serde_json::Value = serde_json::from_str(&manifest.index_metadata_json) .map_err(|e| ClientError::Encryption( fula_crypto::CryptoError::Decryption(format!("Invalid index metadata in manifest: {}", e)) ))?; - let chunked_meta: ChunkedFileMetadata = serde_json::from_value( + if manifest.remaining() == 0 { + // All chunks uploaded — no nonce-reuse risk so skip BAO. + // Decrypt private_meta and register (#82). `data` is + // unused here because no chunks are re-encrypted. + let (_, _, private_meta) = self.decrypt_resumable_private_meta(&index_meta)?; + self.ensure_forest_loaded(&manifest.bucket).await?; + return self.finalize_and_register_resumed_upload( + &manifest, + manifest_path, + &private_meta, + ).await; + } + + let mut chunked_meta: ChunkedFileMetadata = serde_json::from_value( index_meta["chunked"].clone() ).map_err(|e| ClientError::Encryption( fula_crypto::CryptoError::Decryption(format!("Invalid chunked metadata in manifest: {}", e)) @@ -5751,18 +6392,29 @@ impl EncryptedClient { ))); } - // Re-derive the DEK: we need the wrapped key + our secret key - let wrapped_dek: EncryptedData = serde_json::from_value( - index_meta["wrapped_key"].clone() - ).map_err(|e| ClientError::Encryption( - fula_crypto::CryptoError::Decryption(format!("Invalid wrapped key in manifest: {}", e)) - ))?; - - let decryptor = Decryptor::new(self.encryption.key_manager.keypair()); - let dek = decryptor.decrypt_dek(&wrapped_dek) - .map_err(ClientError::Encryption)?; - - // Re-encrypt and upload only missing chunks + // Past F1 BAO check — now derive the DEK + private_meta. + // Test contract (`f1_resume_nonce_reuse_protection`): + // wrong-data inputs MUST fail at BAO above, not here. Don't + // hoist this above BAO — the F1 fixtures use placeholder + // wrapped_key JSON that fails parse, and the tests assert + // the BAO error fires first. + let (wrapped_dek, dek, private_meta) = + self.decrypt_resumable_private_meta(&index_meta)?; + + // #82: forest must be loaded before any chunk PUT so we + // surface a load failure (e.g., master unreachable) before + // re-uploading chunks. Placed AFTER wrapped_key parse so + // the F1 test #4 (`accepts_matching_data_past_f1_guard`) + // continues to fail at the wrapped_key step rather than + // hitting a network call first. + self.ensure_forest_loaded(&manifest.bucket).await?; + + // Re-encrypt and upload only missing chunks. + // W.9.4-A2 / #80: also collect per-chunk CIDs for the + // chunks we re-upload here, so the rewritten index body + // gets the same chunk-CID hints the initial upload would + // have stamped. + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; let chunk_size = chunked_meta.chunk_size as usize; let aad_prefix = format!("fula:v4:chunk:{}", manifest.storage_key); let semaphore = Arc::new(tokio::sync::Semaphore::new(Self::MAX_CONCURRENT_CHUNK_UPLOADS)); @@ -5790,6 +6442,14 @@ impl EncryptedClient { let ciphertext = aead.encrypt_with_aad(&nonce, chunk_data, &aad) .map_err(ClientError::Encryption)?; + // W.9.4-A2 / #80: pre-compute the chunk's expected CID + // before `ciphertext` moves into the spawn. + let expected_chunk_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(&ciphertext)) + } else { + None + }; + let chunk_key = mc.chunk_key.clone(); let chunk_key_ret = chunk_key.clone(); let sem = semaphore.clone(); @@ -5805,29 +6465,62 @@ impl EncryptedClient { let _permit = sem.acquire().await.map_err(|e| ClientError::Encryption(fula_crypto::CryptoError::Decryption(e.to_string())) )?; - if let Some(ref pin) = pinning { + let put_result = if let Some(ref pin) = pinning { client.put_object_with_metadata_and_pinning( &bucket, &chunk_key, ciphertext_bytes, Some(chunk_metadata), &pin.endpoint, &pin.token, - ).await?; + ).await? } else { client.put_object_with_metadata( &bucket, &chunk_key, ciphertext_bytes, Some(chunk_metadata), - ).await?; - } - Ok::<(u32, String), ClientError>((chunk_index, chunk_key_ret)) + ).await? + }; + let chunk_cid = match (walkable_v8, expected_chunk_cid) { + (true, Some(expected)) => crate::walkable_v8::verify_etag_against_expected_cid( + &put_result.etag, + expected, + &bucket, + &chunk_key, + ), + _ => None, + }; + Ok::<(u32, String, Option), ClientError>((chunk_index, chunk_key_ret, chunk_cid)) }); handles.push(handle); } - // Collect results, updating manifest as chunks complete + // Collect results, updating manifest as chunks complete. + // W.9.4-A2 / #80: collect per-chunk CIDs for ONLY the chunks + // re-uploaded in this resume pass. Combine with any CID + // hints already in `chunked_meta.chunk_cids` from the + // original upload (the persisted manifest's index_metadata + // may already carry a partial CID set if the original + // upload hit some etags before crashing). Slot-merge so the + // final Vec covers every chunk. let mut upload_error: Option = None; + let total_chunks = manifest.num_chunks as usize; + let mut resumed_chunk_cids: Vec> = vec![None; total_chunks]; + // Seed from any pre-existing CID hints in the manifest's + // chunked metadata (a previous resume pass may have stamped + // them). + for i in 0..total_chunks { + resumed_chunk_cids[i] = chunked_meta.chunk_cid(i as u32); + } for handle in handles { match handle.await { - Ok(Ok((idx, _key))) => { + Ok(Ok((idx, _key, cid))) => { if let Some(mc) = manifest.chunks.iter_mut().find(|c| c.index == idx) { mc.uploaded = true; } + if let Some(slot) = resumed_chunk_cids.get_mut(idx as usize) { + // Resume always overwrites the slot — the + // chunk was just re-PUT, so this fresh + // verified CID supersedes any prior hint + // (which would also be the same CID anyway, + // since chunk ciphertext is deterministic + // for a given (DEK, nonce, plaintext) tuple). + *slot = cid; + } // Persist manifest after each successful chunk for crash safety let _ = manifest.save(manifest_path); } @@ -5848,8 +6541,43 @@ impl EncryptedClient { return Err(err); } - // All chunks uploaded — finalize - self.finalize_resumed_upload(&manifest, manifest_path).await + // W.9.4-A2 / #80: stamp the merged per-chunk CIDs back into + // the chunked metadata and re-serialize the index_metadata + // JSON BEFORE the index PUT inside finalize_resumed_upload. + // Without this, the resume path would write the index body + // from the stale on-disk JSON (which was serialized at the + // initial put_object_encrypted_resumable call and may have + // pre-CID-stamp content). + if walkable_v8 && resumed_chunk_cids.iter().any(|c| c.is_some()) { + chunked_meta.populate_chunk_cids(resumed_chunk_cids); + // Rebuild the index JSON from the parsed `index_meta` + // value so non-walkable-v8 fields (`kek_version`, + // `metadata_privacy`, `obfuscation_mode`, + // `private_metadata`) survive verbatim. Only the + // `chunked` and `wrapped_key` slots are replaced — the + // wrapped_key with a fresh serialization (parsed-and- + // re-encoded keeps its shape canonical), and the + // chunked block with the now-CID-stamped metadata. + let mut rebuilt = index_meta.clone(); + if let Some(obj) = rebuilt.as_object_mut() { + obj.insert( + "wrapped_key".to_string(), + serde_json::to_value(&wrapped_dek).unwrap_or_else(|_| serde_json::Value::Null), + ); + obj.insert( + "chunked".to_string(), + serde_json::to_value(&chunked_meta).unwrap_or_else(|_| serde_json::Value::Null), + ); + } + manifest.index_metadata_json = rebuilt.to_string(); + let _ = manifest.save(manifest_path); + } + + // All chunks uploaded — finalize and register in the + // encrypted forest (#82). `private_meta` was decrypted at + // the top of this function from the persisted manifest's + // private_metadata field. + self.finalize_and_register_resumed_upload(&manifest, manifest_path, &private_meta).await } /// Upload the index object for a resumed upload and clean up the manifest. @@ -5858,7 +6586,7 @@ impl EncryptedClient { &self, manifest: &UploadManifest, manifest_path: &std::path::Path, - ) -> Result { + ) -> Result<(PutObjectResult, Option)> { let index_body = &manifest.index_metadata_json; let metadata = ObjectMetadata::new() .with_content_type("application/json") @@ -5866,6 +6594,17 @@ impl EncryptedClient { .with_metadata("x-fula-chunked", "true") .with_metadata("x-fula-encryption", index_body); + // Walkable-v8 (#53 / #82): pre-compute BLAKE3 of the index + // body BEFORE the PUT consumes it via Bytes::from. Skipped + // when the writer flag is off so v0.5-default writes don't + // hash extra bytes. + let walkable_v8 = self.inner.config().walkable_v8_writer_enabled; + let expected_index_cid = if walkable_v8 { + Some(crate::walkable_v8::local_blake3_raw_cid(index_body.as_bytes())) + } else { + None + }; + let result = if let Some(ref pinning) = self.pinning { self.inner.put_object_with_metadata_and_pinning( &manifest.bucket, &manifest.storage_key, @@ -5879,9 +6618,27 @@ impl EncryptedClient { ).await? }; - // Success — delete the manifest file - let _ = std::fs::remove_file(manifest_path); - Ok(result) + // Walkable-v8 (#53): verify master's etag against the + // pre-computed BLAKE3. Soft-fails to None on mismatch — the + // caller stamps that into ForestFileEntry.storage_cid (None + // means offline reads of THIS file fall through to the + // storage_key path; everything else still works). + let index_cid = match (walkable_v8, expected_index_cid) { + (true, Some(expected)) => crate::walkable_v8::verify_etag_against_expected_cid( + &result.etag, + expected, + &manifest.bucket, + &manifest.storage_key, + ), + _ => None, + }; + + // NOTE: manifest deletion is INTENTIONALLY moved out — see + // `finalize_and_register_resumed_upload`. It runs only after + // forest registration succeeds, so a register failure leaves + // the manifest in place for `resume_upload` retry. Reviewer B + // flagged this exposure window during the #82 audit. + Ok((result, index_cid)) } /// Abort a previously failed upload: delete all uploaded chunks and @@ -5903,6 +6660,184 @@ impl EncryptedClient { Ok(()) } + /// #82 — Register a chunked encrypted upload (resumable / streaming / + /// resume) in the encrypted forest after the index PUT succeeds. + /// + /// Without this step, files written via these three paths land on + /// master S3 + IPFS but stay invisible to the offline forest walk + /// (Phase 2.4 + walkable-v8): they only resolve via direct + /// `storage_key` lookups while master is up. Mirrors the upsert + /// dance in `put_object_encrypted` (the body around lines + /// 5460-5598) minus orphan cleanup of overwritten storage keys + /// (a separate pre-existing concern, tracked outside #82). + /// + /// Caller is responsible for `ensure_forest_loaded(bucket)` BEFORE + /// calling — without that the v7 cache lookup below would fail. + #[cfg(not(target_arch = "wasm32"))] + async fn register_encrypted_chunked_upload_in_forest( + &self, + bucket: &str, + key: &str, + storage_key: &str, + index_cid: Option, + index_metadata_json: &str, + private_meta: &PrivateMetadata, + ) -> Result<()> { + let mut forest_entry = ForestFileEntry::from_metadata(private_meta, storage_key.to_string()); + forest_entry.mark_encrypted(); + forest_entry.storage_cid = index_cid; + forest_entry.user_metadata.insert( + "x-fula-encrypted".to_string(), + "true".to_string(), + ); + forest_entry.user_metadata.insert( + "x-fula-encryption".to_string(), + index_metadata_json.to_string(), + ); + forest_entry.user_metadata.insert( + "x-fula-chunked".to_string(), + "true".to_string(), + ); + + let now = chrono::Utc::now().timestamp(); + // Cloned for WAL replay — `forest_entry` is moved into upsert below. + let wal_entry_clone = forest_entry.clone(); + let is_v7 = self.is_forest_sharded_hamt(bucket); + + if is_v7 { + let forest_arc = { + let cache_entry = self.forest_cache.get(bucket).ok_or_else(|| { + ClientError::Encryption(fula_crypto::CryptoError::Decryption(format!( + "forest cache missing for bucket {} during chunked-upload registration \ + (caller must ensure_forest_loaded first)", + bucket, + ))) + })?; + match cache_entry.value() { + ForestCacheEntry::ShardedHamt { forest, .. } => forest.clone(), + _ => unreachable!("is_forest_sharded_hamt guard above"), + } + }; + let backend: Arc = Arc::new( + S3BlobBackend::new(self.inner.clone(), bucket.to_string()) + ); + { + let mut guard = forest_arc.write().await; + debug_assert!( + forest_entry.encrypted, + "v7 upsert invariant violated: chunked-upload entry for {} has encrypted=false", + forest_entry.path, + ); + guard.upsert_file(forest_entry, &backend).await + .map_err(ClientError::Encryption)?; + } + if let Some(mut cache_entry) = self.forest_cache.get_mut(bucket) { + if let ForestCacheEntry::ShardedHamt { loaded_at, .. } = cache_entry.value_mut() { + *loaded_at = now; + } + } + } else { + let (mut forest, prior_etag, prior_seq) = { + let cache_entry = self.forest_cache.get(bucket).ok_or_else(|| { + ClientError::Encryption(fula_crypto::CryptoError::Decryption(format!( + "forest cache missing for bucket {} during chunked-upload registration \ + (caller must ensure_forest_loaded first)", + bucket, + ))) + })?; + match cache_entry.value() { + ForestCacheEntry::Monolithic { forest, index_etag, last_sequence, .. } => + (forest.clone(), index_etag.clone(), *last_sequence), + ForestCacheEntry::ShardedHamt { .. } => unreachable!("is_v7 handled above"), + } + }; + forest.upsert_file(forest_entry); + self.forest_cache.insert(bucket.to_string(), ForestCacheEntry::Monolithic { + forest, + loaded_at: now, + dirty: true, + index_etag: prior_etag, + last_sequence: prior_seq, + }); + } + + // WAL append so a crash between upsert and flush doesn't lose + // the entry. Mirrors the reference pattern at 5575-5585. + let wal_mac = wal::derive_mac_key(&self.encryption.key_manager, bucket); + if let Err(e) = wal::append( + bucket, + &wal_mac, + WalEntry::Insert { key: key.to_string(), entry: wal_entry_clone }, + ) { + tracing::warn!(%bucket, error = %e, "WAL append failed (chunked-upload register); continuing"); + } + Ok(()) + } + + /// #82 — Wrapper around `finalize_resumed_upload` that also + /// registers the entry in the encrypted forest. Both + /// `put_object_encrypted_resumable` and `resume_upload` go through + /// here so the registration step lands in exactly one spot. + #[cfg(not(target_arch = "wasm32"))] + async fn finalize_and_register_resumed_upload( + &self, + manifest: &UploadManifest, + manifest_path: &std::path::Path, + private_meta: &PrivateMetadata, + ) -> Result { + let (result, index_cid) = self.finalize_resumed_upload(manifest, manifest_path).await?; + self.register_encrypted_chunked_upload_in_forest( + &manifest.bucket, + &manifest.original_key, + &manifest.storage_key, + index_cid, + &manifest.index_metadata_json, + private_meta, + ).await?; + // Crash-safety (Reviewer B audit, #82): only delete the + // manifest after BOTH the index PUT and forest registration + // succeed. If `register_encrypted_chunked_upload_in_forest` + // errors above, this line is skipped and the manifest stays + // on disk so the caller can retry via `resume_upload`. + let _ = std::fs::remove_file(manifest_path); + Ok(result) + } + + /// #82 — Decrypt the wrapped DEK + private metadata persisted in + /// a resumable upload's `index_metadata_json`. Used by both + /// branches of `resume_upload` (early-return when all chunks + /// were already uploaded; main path post-BAO). + /// + /// CRITICAL: do NOT call this before the F1 BAO check on the + /// main path. The `f1_resume_nonce_reuse_protection` test + /// fixtures use a placeholder `wrapped_key` that's intentionally + /// invalid JSON for `EncryptedData`; their contract is that the + /// BAO error fires before the wrapped_key parse error. + #[cfg(not(target_arch = "wasm32"))] + fn decrypt_resumable_private_meta( + &self, + index_meta: &serde_json::Value, + ) -> Result<(EncryptedData, fula_crypto::keys::DekKey, PrivateMetadata)> { + let wrapped_dek: EncryptedData = serde_json::from_value( + index_meta["wrapped_key"].clone() + ).map_err(|e| ClientError::Encryption( + fula_crypto::CryptoError::Decryption(format!("Invalid wrapped key in manifest: {}", e)) + ))?; + let decryptor = Decryptor::new(self.encryption.key_manager.keypair()); + let dek = decryptor.decrypt_dek(&wrapped_dek) + .map_err(ClientError::Encryption)?; + let encrypted_meta_str = index_meta["private_metadata"].as_str().ok_or_else(|| { + ClientError::Encryption(fula_crypto::CryptoError::Decryption( + "private_metadata field is not a string in manifest's index metadata".to_string(), + )) + })?; + let encrypted_private_meta = EncryptedPrivateMetadata::from_json(encrypted_meta_str) + .map_err(ClientError::Encryption)?; + let private_meta = encrypted_private_meta.decrypt(&dek) + .map_err(ClientError::Encryption)?; + Ok((wrapped_dek, dek, private_meta)) + } + /// Flush the forest index to storage. /// /// Call this after bulk uploads using `put_object_flat_deferred`. @@ -7724,6 +8659,22 @@ impl EncryptedClient { // H-2: entry is written under v4 AAD-bound encryption; reject // any later download that advertises a lower blob-format version. min_version: 4, + // Walkable-v8 (W.9.3): intentionally `None` on this path. The + // public `put_object_chunked` writes a literal `b"CHUNKED"` + // marker as the index-object body (line below this match) and + // carries the actual encryption metadata in the HTTP + // `x-fula-encryption` user-metadata header. A gateway fetch + // by CID would therefore return only the marker bytes, which + // is useless to an offline walker. Stamping + // `CID(b"CHUNKED")` here would also collide across every + // chunked file in every bucket from every user (the body is + // a constant), giving an ambiguous offline pointer that can't + // distinguish files. The sister path `put_object_chunked_ + // internal` puts the encryption JSON IN the body and DOES + // stamp `storage_cid`; offline-walkability for this path + // requires migrating `put_object_chunked` to that design, + // tracked as a follow-up task. + storage_cid: None, }; let v7_forest_arc = { @@ -7907,10 +8858,41 @@ impl EncryptedClient { // Download and decrypt only needed chunks let mut decrypted_chunks = Vec::new(); - + let is_v2 = chunked_meta.format == "streaming-v2"; for chunk_idx in needed_chunks { let chunk_key = ChunkedFileMetadata::chunk_key(&storage_key, chunk_idx); + // Walkable-v8 (W.9.4-A2 / task #32): same cid-hint + // dispatch as the windowed download path (~line 1545). + // Without it, partial-read paths (Flutter `get_range`, + // image thumbnails, video seek) bypass the offline + // walkable-v8 channel and fail when master is down even + // for files that have CID hints stamped. The reader + // contract is: when chunked metadata carries a CID hint + // for THIS chunk, route through the cold-cache cid-hint + // path so a fresh device with no warm-cache mapping can + // still fetch via gateway race. + #[cfg(not(target_arch = "wasm32"))] + let chunk_data = { + let chunk_cid_hint = chunked_meta.chunk_cid(chunk_idx); + match chunk_cid_hint { + Some(cid) => self + .inner + .get_object_with_offline_fallback_known_cid(bucket, &chunk_key, &cid) + .await + .map(|r| r.inner.data)?, + None => self + .inner + .get_object_with_offline_fallback(bucket, &chunk_key) + .await + .map(|r| r.inner.data)?, + } + }; + // wasm32: no offline-fallback infrastructure compiled in; + // use the legacy direct path. Production wasm builds + // don't yet have offline support; this preserves + // pre-W.9.4-A2 behaviour. + #[cfg(target_arch = "wasm32")] let chunk_data = self.inner.get_object(bucket, &chunk_key).await?; let nonce = chunked_meta.get_chunk_nonce(chunk_idx) @@ -8908,6 +9890,7 @@ mod tests { root_hash: "00".repeat(32), chunk_nonces: vec![], content_type: None, + chunk_cids: vec![], }; let dek = DekKey::from_bytes(&[0x42u8; 32]).unwrap(); diff --git a/crates/fula-client/src/error.rs b/crates/fula-client/src/error.rs index 8825245..46d6fb3 100644 --- a/crates/fula-client/src/error.rs +++ b/crates/fula-client/src/error.rs @@ -24,9 +24,13 @@ pub enum ClientError { #[error("Configuration error: {0}")] Config(String), - /// Encryption error + /// Encryption error. **#81**: the `#[from]` was replaced by a + /// custom `From` impl below so we can branch on + /// `CryptoError::WireVersionUnsupported` and surface it as the + /// typed `ClientError::WireVersionUnsupported` variant rather + /// than burying it inside the generic `Encryption(...)` wrapper. #[error("Encryption error: {0}")] - Encryption(#[from] fula_crypto::CryptoError), + Encryption(fula_crypto::CryptoError), /// IO error #[error("IO error: {0}")] @@ -169,6 +173,48 @@ pub enum ClientError { highest_seen: u64, channel: String, }, + + /// **#81 (2026-05-09)** — the SDK encountered a wire format with + /// an unknown enum variant tag (e.g. v0.5 SDK reading a v0.6 + /// walkable-v8 `LinkV2` blob). Surfaced as a typed variant so + /// operators can filter telemetry on it directly rather than + /// substring-matching the postcard error class buried inside + /// `Encryption(CryptoError::Serialization(...))`. + /// + /// `context` describes WHERE the unknown variant was encountered + /// (e.g. "decode hamt node"). `postcard_error` is postcard's + /// own stringification for diagnostic depth. + /// + /// Apps should surface as "this bucket needs FxFiles vX.Y or + /// later" — the bucket data itself is intact, the SDK just + /// can't decode the new wire format. + #[error("wire format version unsupported (need newer SDK): {context}: {postcard_error}")] + WireVersionUnsupported { + context: String, + postcard_error: String, + }, +} + +/// **#81** — custom `From` (replaces the prior `#[from]` +/// macro on the `Encryption` variant) so that +/// [`CryptoError::WireVersionUnsupported`] surfaces as the typed +/// [`ClientError::WireVersionUnsupported`] variant rather than being +/// wrapped in the generic `Encryption(...)` arm. Every other +/// `CryptoError` variant routes through `Encryption` as before — +/// `?` semantics at all existing call sites are byte-identical. +impl From for ClientError { + fn from(err: fula_crypto::CryptoError) -> Self { + match err { + fula_crypto::CryptoError::WireVersionUnsupported { + context, + postcard_error, + } => ClientError::WireVersionUnsupported { + context, + postcard_error, + }, + other => ClientError::Encryption(other), + } + } } #[cfg(not(target_arch = "wasm32"))] diff --git a/crates/fula-client/src/lib.rs b/crates/fula-client/src/lib.rs index fb1e9a0..db6b618 100644 --- a/crates/fula-client/src/lib.rs +++ b/crates/fula-client/src/lib.rs @@ -57,6 +57,10 @@ mod types; mod user_key; #[cfg(not(target_arch = "wasm32"))] mod orphan_queue; +/// Walkable-v8 (W.9.3) — SDK self-verification of master-attested CIDs. +/// Cross-platform (wasm + native) so the dual-pointer wire format is +/// stamped consistently regardless of which target persists the blob. +mod walkable_v8; #[cfg(not(target_arch = "wasm32"))] mod wal; diff --git a/crates/fula-client/src/wal.rs b/crates/fula-client/src/wal.rs index 90dfc5f..c6de8aa 100644 --- a/crates/fula-client/src/wal.rs +++ b/crates/fula-client/src/wal.rs @@ -493,6 +493,7 @@ mod tests { user_metadata: HashMap::new(), encrypted: true, min_version: 0, + storage_cid: None, } } diff --git a/crates/fula-client/src/walkable_v8.rs b/crates/fula-client/src/walkable_v8.rs new file mode 100644 index 0000000..ed34594 --- /dev/null +++ b/crates/fula-client/src/walkable_v8.rs @@ -0,0 +1,359 @@ +//! Walkable-v8 (W.9.3) — SDK self-verification of master-attested CIDs. +//! +//! Master returns each PUT's content-address as the response `ETag` header +//! (= `BLAKE3(ciphertext)` raw-codec, computed by kubo's +//! `block/put?cid-codec=raw&mhtype=blake3`; see +//! `crates/fula-cli/src/handlers/object.rs:103-137`). Walkable-v8 stamps +//! that CID into HAMT internal-node pointers, manifest pages, dir-index, +//! and forest file-index entries so an offline reader can fetch the same +//! ciphertext via a public IPFS gateway without going through master. +//! +//! Trusting the master to attest the CID without checking would let a +//! compromised master redirect future offline walkers to attacker- +//! controlled IPFS bytes (the gateway-side `verify_cid_against_bytes` +//! step would still hash-match, because the attacker chose a CID that +//! addresses *their* bytes). The fix is a one-line local re-hash and a +//! soft-fail-to-`None` on mismatch — the PUT itself succeeded, the +//! offline-walk hint just isn't trustworthy, and the legacy storage-key +//! path covers reads regardless. +//! +//! Mismatch logging is rate-limited per `(bucket, path)` per session via +//! a `DashSet` so a misconfigured proxy that chronically wraps etags +//! cannot flood production logs — the first occurrence of each path is +//! the load-bearing one. + +use cid::Cid; +use cid::multihash::Multihash; +use dashmap::DashSet; +use std::sync::OnceLock; + +/// BLAKE3 multihash code (per IANA / multiformats), matching kubo's +/// `mhtype=blake3` setting and master's `crates/fula-cli/src/handlers/object.rs:103-137`. +const MULTIHASH_BLAKE3: u64 = 0x1e; + +/// Raw codec, matching master's `cid-codec=raw` setting for object +/// bodies. CID v1 + raw codec + BLAKE3 multihash is the canonical +/// content-address for every encrypted blob fula stores. +const CODEC_RAW: u64 = 0x55; + +/// Process-wide deduplication of self-verify mismatch warnings. A real +/// production master never returns the wrong CID; if it does, we want a +/// loud signal once per `(bucket, path)` for triage. Without dedup a +/// chronically-misconfigured proxy could flood logs at PUT rate (every +/// retry, every chunk, every page). +fn mismatch_dedup() -> &'static DashSet { + static DEDUP: OnceLock> = OnceLock::new(); + DEDUP.get_or_init(DashSet::new) +} + +/// Locally compute the v1 raw-codec BLAKE3-multihash CID of `ciphertext` +/// — the same CID kubo computes under `block/put?cid-codec=raw&mhtype=blake3` +/// for the same bytes. +/// +/// Pure / no I/O / no allocation beyond the CID itself. ~1 GB/s on +/// commodity hardware via the `blake3` SIMD-accelerated implementation. +pub(crate) fn local_blake3_raw_cid(ciphertext: &[u8]) -> Cid { + let h = blake3::hash(ciphertext); + let mh = Multihash::<64>::wrap(MULTIHASH_BLAKE3, h.as_bytes()) + .expect("32-byte BLAKE3 digest fits in Multihash<64>"); + Cid::new_v1(CODEC_RAW, mh) +} + +/// Resolve the cid-hint for a manifest-anchored fetch (W.9.4) given the +/// two sources of CID information that can appear in a `ManifestRoot`: +/// +/// * `explicit_cid`: an `Option` field stamped by the W.9.3 +/// writer after self-verifying it against `BLAKE3(blob)`. When +/// present this is the trustworthy source — it survived the +/// SDK-side mismatch check, so the value is **at-most** what +/// `BLAKE3(blob)` actually was (master cannot have lied about it +/// without the writer dropping the field). +/// * `etag`: a string from S3 / master's PUT response. When master +/// emits `cid.to_string()` as the etag (current convention) the +/// etag-parse path produces a usable CID; when master's etag +/// format ever drifts (a future reconfig, a misbehaving proxy +/// that quotes the etag, etc.), this fallback degrades to None +/// and the offline path skips the gateway race. +/// +/// Returns `Some(cid)` if either source produced one, with the +/// **explicit field winning when both are present** so a future where +/// master's etag format drifts (or a deliberate test that supplies a +/// non-CID etag) still routes through the explicit field. `None` when +/// neither source produces a CID — caller falls through to the no-hint +/// offline path (which itself has a warm-cache lookup). +/// +/// Pure function. Unit-tested below to pin the precedence ordering so +/// a future refactor that reverses the `or_else` chain (etag-first) +/// would surface as a test failure. +pub(crate) fn cid_hint_from_manifest_field_or_etag( + explicit_cid: Option<&Cid>, + etag: Option<&str>, +) -> Option { + explicit_cid + .cloned() + .or_else(|| etag.and_then(|s| s.parse::().ok())) +} + +/// Walkable-v8 self-verification, expected-CID variant. +/// +/// Compare the master-returned `etag` against an `expected` CID the +/// caller has already computed (typically via `local_blake3_raw_cid` +/// over the bytes the SDK sent). Returns `Some(cid)` only on equality. +/// +/// Use this variant at writer sites where the caller already had to +/// produce the body buffer for the PUT — pre-computing `expected` from +/// the borrowed body avoids a second pass over the bytes after the PUT +/// has consumed them into a `Bytes` value. +/// +/// Soft-fail semantics: +/// * `etag` doesn't parse as a CID → returns `None`. +/// * `etag` parses but disagrees with `expected` → emits one +/// `tracing::warn!` per `(bucket, path)` per session and returns +/// `None`. **Load-bearing safety property**: defends against a +/// compromised master attesting attacker-chosen CIDs that would +/// mislead future offline walkers, even though every +/// gateway-fetched block is content-verified. +/// * `etag` parses and matches → returns `Some(cid)`. +/// +/// `bucket` and `path` are used solely for the mismatch warn log's +/// structured fields and for the `(bucket, path)`-keyed dedup — they +/// have no effect on the returned value. +pub(crate) fn verify_etag_against_expected_cid( + etag: &str, + expected: Cid, + bucket: &str, + path: &str, +) -> Option { + let parsed = match etag.parse::() { + Ok(c) => c, + Err(e) => { + // Operator-triage hint at debug level. Production master + // never emits an unparseable etag (kubo's `block/put` returns + // `cid.to_string()` straight per `crates/fula-cli/src/handlers/ + // object.rs:103-137`), so this firing in the wild typically + // signals a misconfigured proxy stripping or wrapping the + // header. Debug (not warn) so a chronic config issue can't + // flood structured-log pipelines, but the signal is present + // for anyone tailing. + tracing::debug!( + bucket = %bucket, + path = %path, + etag, + error = %e, + "walkable-v8 self-verify: master ETag did not parse as a CID; \ + walkable-v8 hint will be None for this object" + ); + return None; + } + }; + if parsed == expected { + return Some(parsed); + } + // Use NUL as the separator: S3 bucket names cannot contain NUL and + // S3 object keys cannot contain NUL (per AWS spec — keys are + // arbitrary UTF-8 but `\x00` is reserved). NUL therefore yields an + // unambiguous key for every (bucket, path) pair, defending the + // dedup against a future caller that might pass a path containing + // `/` and accidentally collide with a sibling (bucket, path). + let dedup_key = format!("{bucket}\0{path}"); + if mismatch_dedup().insert(dedup_key) { + tracing::warn!( + bucket = %bucket, + path = %path, + expected = %expected, + master_returned = %parsed, + "walkable-v8 self-verify: master-attested CID disagrees with \ + locally-computed BLAKE3(ciphertext); soft-failing to None so \ + readers fall back to the storage-key path. Recurrence for the \ + same (bucket, path) is suppressed for the rest of this session." + ); + } + None +} + +/// Walkable-v8 self-verification, body-bytes variant. +/// +/// Convenience wrapper for sites that still hold the ciphertext when +/// they want to verify (e.g. `S3BlobBackend::put`'s retry loop, where +/// the body was cloned for retry). Computes `BLAKE3(ciphertext)` +/// internally and forwards to [`verify_etag_against_expected_cid`]. +/// +/// At sites that have already pre-computed the expected CID before the +/// PUT (every encryption.rs writer site under W.9.3-D), prefer +/// [`verify_etag_against_expected_cid`] directly to avoid a second +/// pass over the body after the PUT. +pub(crate) fn verify_etag_matches_ciphertext( + etag: &str, + ciphertext: &[u8], + bucket: &str, + path: &str, +) -> Option { + let expected = local_blake3_raw_cid(ciphertext); + verify_etag_against_expected_cid(etag, expected, bucket, path) +} + +#[cfg(all(test, not(target_arch = "wasm32")))] +mod tests { + use super::*; + + fn make_ct(seed: u8, len: usize) -> Vec { + (0..len).map(|i| seed.wrapping_add(i as u8)).collect() + } + + #[test] + fn local_blake3_raw_cid_is_deterministic_and_blake3_raw() { + let ct = make_ct(0x10, 256); + let cid1 = local_blake3_raw_cid(&ct); + let cid2 = local_blake3_raw_cid(&ct); + assert_eq!(cid1, cid2, "deterministic: same bytes → same CID"); + assert_eq!(cid1.codec(), CODEC_RAW, "codec must be raw 0x55"); + assert_eq!(cid1.hash().code(), MULTIHASH_BLAKE3, "multihash code 0x1e"); + } + + #[test] + fn verify_etag_matches_returns_some_on_correct_etag() { + let ct = make_ct(0x42, 128); + let expected = local_blake3_raw_cid(&ct); + let etag = expected.to_string(); + let result = verify_etag_matches_ciphertext(&etag, &ct, "bkt", "obj/key"); + assert_eq!( + result, + Some(expected), + "matching etag must surface as Some(cid)" + ); + } + + #[test] + fn verify_etag_matches_returns_none_on_unparseable_etag() { + let ct = make_ct(0x42, 64); + let result = verify_etag_matches_ciphertext("not-a-cid-just-noise", &ct, "bkt", "k"); + assert!( + result.is_none(), + "unparseable etag soft-fails to None — PUT succeeded, only the \ + offline-walk hint is missing" + ); + } + + #[test] + fn verify_etag_matches_returns_none_on_master_mismatch() { + let real_ct = make_ct(0x42, 64); + let other_ct = make_ct(0x43, 64); + let other_cid = local_blake3_raw_cid(&other_ct); + // Pass an etag for a DIFFERENT body — simulates a master that + // (e.g., due to compromise) attests a CID that doesn't address + // what we sent. SDK must reject and soft-fail. + let result = verify_etag_matches_ciphertext( + &other_cid.to_string(), + &real_ct, + "bkt-mismatch", + "k-mismatch", + ); + assert!( + result.is_none(), + "master-attested CID disagreeing with local hash must soft-fail \ + — defends against a compromised master redirecting future \ + offline walkers to attacker-controlled IPFS bytes" + ); + } + + #[test] + fn cid_hint_prefers_explicit_field_over_etag_parse() { + // W.9.4: this precedence is load-bearing. The W.9.3 writer + // self-verifies `explicit_cid` against `BLAKE3(blob)` before + // stamping; the etag string is only-as-trustworthy as master's + // current convention of emitting `cid.to_string()`. If a + // future master change ships a different etag format (or a + // misbehaving proxy mangles it), the explicit field MUST still + // win so cold-start offline-walks keep functioning. + let cid_a = local_blake3_raw_cid(b"plaintext-A"); + let cid_b = local_blake3_raw_cid(b"plaintext-B"); + assert_ne!(cid_a, cid_b); + + // 1) Both populated, with disagreeing values: explicit wins. + let resolved = cid_hint_from_manifest_field_or_etag( + Some(&cid_a), + Some(&cid_b.to_string()), + ); + assert_eq!( + resolved, + Some(cid_a), + "explicit cid field MUST win when present, even if etag also \ + parses as a different cid — defends against a future master \ + whose etag drifts from the W.9.3 self-verified field" + ); + + // 2) Only etag populated: etag-parse fallback fires. + let resolved = + cid_hint_from_manifest_field_or_etag(None, Some(&cid_a.to_string())); + assert_eq!( + resolved, + Some(cid_a), + "etag-parse fallback must work for pre-W.9.3 buckets that \ + lack the explicit cid field" + ); + + // 3) Only explicit populated: explicit returned. + let resolved = cid_hint_from_manifest_field_or_etag(Some(&cid_a), None); + assert_eq!(resolved, Some(cid_a)); + + // 4) Etag is non-CID (a future master drift, or a quoted etag + // that escaped the trim, etc.): explicit field still wins. + let resolved = cid_hint_from_manifest_field_or_etag( + Some(&cid_a), + Some("not-a-cid-just-some-string"), + ); + assert_eq!( + resolved, + Some(cid_a), + "non-CID etag must NOT poison the explicit-field path — the \ + explicit field is independent and remains usable" + ); + + // 5) Both None: no hint. + let resolved = cid_hint_from_manifest_field_or_etag(None, None); + assert_eq!(resolved, None); + + // 6) Etag is unparseable AND explicit is None: still None + // (no fabricated cid). + let resolved = cid_hint_from_manifest_field_or_etag(None, Some("bogus")); + assert_eq!(resolved, None); + } + + #[test] + fn verify_etag_matches_dedup_suppresses_repeat_mismatch_warns() { + // The dedup is a process-wide DashSet, so we use a unique + // (bucket, path) per test to avoid cross-test contamination. + let real = make_ct(0x77, 32); + let other = make_ct(0x78, 32); + let bad = local_blake3_raw_cid(&other).to_string(); + // Two consecutive calls with the SAME (bucket, path) — the + // second insert into the dedup set returns false, so the + // warn-log path is skipped (we can't observe `tracing::warn!` + // directly here, but we can observe the dedup state). + let key = format!("{}\0{}", "bkt-dedup-unique", "k-dedup-unique"); + let dedup = mismatch_dedup(); + // Pre-condition: key absent. + assert!(!dedup.contains(&key), "fresh dedup state for this key"); + let r1 = verify_etag_matches_ciphertext(&bad, &real, "bkt-dedup-unique", "k-dedup-unique"); + let r2 = verify_etag_matches_ciphertext(&bad, &real, "bkt-dedup-unique", "k-dedup-unique"); + assert!(r1.is_none() && r2.is_none(), "both calls soft-fail"); + assert!( + dedup.contains(&key), + "dedup key persisted after first warn-emitting call" + ); + // Different path — must still log (own dedup slot). + let other_key = format!("{}\0{}", "bkt-dedup-unique", "k-dedup-other"); + assert!(!dedup.contains(&other_key)); + let _ = verify_etag_matches_ciphertext( + &bad, + &real, + "bkt-dedup-unique", + "k-dedup-other", + ); + assert!( + dedup.contains(&other_key), + "different path gets its own dedup slot — first occurrence \ + still logged" + ); + } +} diff --git a/crates/fula-client/tests/encrypted_filesystem_tests.rs b/crates/fula-client/tests/encrypted_filesystem_tests.rs index 1169ebf..a1d3431 100644 --- a/crates/fula-client/tests/encrypted_filesystem_tests.rs +++ b/crates/fula-client/tests/encrypted_filesystem_tests.rs @@ -74,6 +74,7 @@ fn test_deep_folder_structure_50_levels() { user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); @@ -209,6 +210,7 @@ fn test_large_file_100gb_simulated() { }, encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); @@ -361,6 +363,7 @@ fn test_large_folder_2000_files() { }, encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); @@ -541,6 +544,7 @@ fn test_combined_stress_scenario() { user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); @@ -557,6 +561,7 @@ fn test_combined_stress_scenario() { user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); @@ -574,6 +579,7 @@ fn test_combined_stress_scenario() { user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); } diff --git a/crates/fula-client/tests/offline_e2e.rs b/crates/fula-client/tests/offline_e2e.rs index 5800a93..71acfbe 100644 --- a/crates/fula-client/tests/offline_e2e.rs +++ b/crates/fula-client/tests/offline_e2e.rs @@ -1242,10 +1242,40 @@ async fn offline_cold_start_documents_bucket_e2e() { // | | | `face-metadata`, and `other` all have it. | // | `FULA_BOGUS_S3` | No | Default `https://s33.cloud.fx.land` — DNS-fails on real DNS, mirrors what | // | | | FxFiles uses to simulate offline. | +// | `FULA_PROD_S3` | No | Default `https://s3.cloud.fx.land` — the REAL master, used for Phase 0 (online | +// | | | baseline). Override only if testing against a staging mirror. | // | `FULA_TIMEOUT_SECS` | No | Default 60. | // | `FULA_USERS_INDEX_IPNS_GATEWAY_URLS`| No | Comma-separated overrides. Empty → SDK 5-gateway default. | // | `FULA_BLOCK_GATEWAY_URLS` | No | Same shape; for the per-page/per-chunk block fetches. | // +// **#20 expansion (2026-05-09)**: this test now runs in TWO phases — +// an online baseline against the REAL master (`FULA_PROD_S3`) followed +// by the existing offline cold-start against the bogus master +// (`FULA_BOGUS_S3`). The hard end-to-end assertion is `offline ⊆ online` +// — every file the cold-start path returns must exist in master's +// authoritative listing. A soft warning surfaces if `online ≠ offline`, +// distinguishing publisher-staleness (recent uploads not yet published +// to the IPNS+chain CBOR) from a cold-start regression. +// +// **Failure-mode taxonomy (investigate in this order)**: +// +// 1. **Online phase fails** → "is production healthy?" Fula master +// down, JWT expired, or this host can't reach `s3.cloud.fx.land`. +// NOT a cold-start regression. Don't waste time chasing the +// offline path until the online one works. +// 2. **Online OK, offline cold-start fails** → existing failure +// modes per the per-step diagnostic eprintlns below (resolver +// → load_forest → list_files chain). +// 3. **Both succeed but `offline ⊄ online`** → cold-start invented +// files master doesn't have. Real bug in resolver / decrypt / +// walk. The hard `panic!` below catches this. +// 4. **Both succeed but `online \ offline ≠ ∅`** → master has files +// cold-start didn't return. Most commonly publisher staleness +// (publisher tick is 5min; recent uploads land in master +// synchronously but the next IPNS publish takes ≤5min). Soft +// warning, not panic — operator decides whether to wait or +// investigate. +// // Run from `crates/fula-client/`: // // ```powershell @@ -1307,6 +1337,13 @@ async fn fxfiles_offline_open_bucket() { .ok() .filter(|s| !s.is_empty()) .unwrap_or_else(|| "https://s33.cloud.fx.land".to_string()); + // **#20 expansion**: real production master URL for the online + // baseline phase. Default `https://s3.cloud.fx.land`; override + // only when targeting a staging mirror. + let prod_s3 = std::env::var("FULA_PROD_S3") + .ok() + .filter(|s| !s.is_empty()) + .unwrap_or_else(|| "https://s3.cloud.fx.land".to_string()); let timeout_secs: u64 = std::env::var("FULA_TIMEOUT_SECS") .ok() .and_then(|s| s.parse().ok()) @@ -1353,9 +1390,92 @@ async fn fxfiles_offline_open_bucket() { .expect("FULA_TEST_SECRET must be base64"); let secret = SecretKey::from_bytes(&key_bytes).expect("32-byte secret"); - // Fresh tempdir for the block cache — guarantees this is a true - // cold-start, no warm-cache contribution. Mirrors the FxFiles cold - // path on a freshly reinstalled device or after `Clear data`. + // ─── Phase 0 (NEW, #20 expansion): online baseline ─────────────── + // + // Connect to the REAL master and capture the authoritative file + // listing. This is the "what should the bucket actually contain" + // ground truth that the offline phase below is compared against. + // + // If this phase fails, the test stops here — there's no point + // running offline assertions with no baseline. Failure at this + // step means production is unreachable / JWT expired / TLS + // surprise; investigate that before touching cold-start. + eprintln!( + "\n[fxfiles-open-bucket] Phase 0 (online baseline) ─────────────\n\ + [fxfiles-open-bucket] master = {} (real production)\n\ + [fxfiles-open-bucket] purpose: capture authoritative file list \ + to compare against the offline cold-start result below.", + prod_s3 + ); + let online_cache_dir = TempDir::new().expect("tempdir for online block cache"); + let online_cache_path = online_cache_dir.path().join("blocks.redb"); + let online_client = build_client_with_cold_start( + &prod_s3, + &jwt, + &online_cache_path, + // Cloned: same encryption material across both phases + // (otherwise decryption fails on at least one side and the + // comparison is meaningless). + SecretKey::from_bytes(&key_bytes).expect("32-byte secret"), + // health_gate=true: real master should respond promptly. If + // it doesn't, the gate trips and we surface a clean failure. + true, + timeout_secs, + chain_rpc_url.clone(), + anchor_address.clone(), + ipns_name.clone(), + user_key.clone(), + ipns_gateway_urls.clone(), + block_gateway_urls.clone(), + ); + // Real master should serve list_files_from_forest directly via S3 + // (no resolver fallback). If this errors, production is down or + // the JWT/secret combo doesn't decrypt this user's bucket. + let online_files = match online_client.list_files_from_forest(&bucket).await { + Ok(v) => v, + Err(e) => { + panic!( + "Phase 0 (online baseline) FAILED: list_files_from_forest({}) \ + against real master {} returned error: {:?}\n\ + \n\ + Investigation order:\n\ + 1. Is the master reachable from this host? (`curl -I {}`)\n\ + 2. Is FULA_JWT valid + non-expired?\n\ + 3. Does FULA_TEST_SECRET match the encryption key on \ + device for this user?\n\ + \n\ + Don't troubleshoot the offline cold-start until this \ + phase succeeds — without a baseline there's nothing to \ + compare offline results against.", + bucket, prod_s3, e, prod_s3, + ); + } + }; + let online_keys: std::collections::BTreeSet = online_files + .iter() + .map(|m| m.original_key.clone()) + .collect(); + eprintln!( + "[fxfiles-open-bucket] online list returned {} files \ + ({} unique keys)", + online_files.len(), + online_keys.len(), + ); + if online_files.is_empty() { + eprintln!( + "[fxfiles-open-bucket] WARNING: online baseline is EMPTY for \ + bucket {:?}. The test will still run the offline phase but \ + the comparison degrades to 'offline must also be empty' \ + (the trivial subset). Pick a populated bucket via FULA_BUCKET \ + to actually exercise the parity assertion.", + bucket, + ); + } + drop(online_client); + + // Fresh tempdir for the OFFLINE block cache — guarantees this is a + // true cold-start, no warm-cache contribution. Mirrors the FxFiles + // cold path on a freshly reinstalled device or after `Clear data`. let cache_dir = TempDir::new().expect("tempdir for block cache"); let cache_path = cache_dir.path().join("blocks.redb"); @@ -1602,14 +1722,118 @@ async fn fxfiles_offline_open_bucket() { ); } else { eprintln!( - "\n[fxfiles-open-bucket] PASS — `{}` returned {} entries via the EXACT \ - same code path FxFiles runs (load_forest + list_files_from_forest), \ - with master DNS-failing and a fresh block cache. Cold-start works for \ - this bucket.", + "\n[fxfiles-open-bucket] cold-start surfaced — `{}` returned {} entries \ + via the EXACT same code path FxFiles runs (load_forest + \ + list_files_from_forest), with master DNS-failing and a fresh block \ + cache. Final pass/fail decided by Phase 4 (parity check) below.", bucket, files.len(), ); } + + // ─── Phase 4 (NEW, #20 expansion): parity assertion ────────────── + // + // The end-to-end claim being validated: cold-start produces the + // SAME view of the bucket as the master. Specifically: + // + // * HARD: `offline ⊆ online`. Every key the cold-start path + // returns must exist in the online baseline. Anything else + // means cold-start invented files — a real resolver / decrypt + // / walk bug, panic immediately. + // + // * SOFT: `online == offline`. If master has files cold-start + // missed, that's most often publisher staleness (the IPNS + // publisher tick is 5 min; recently-uploaded files land in + // master synchronously but the next IPNS publish carries them + // out). Surface as a warning with the explainer; operator + // decides whether to wait + re-run or to investigate. + let offline_keys: std::collections::BTreeSet = files + .iter() + .map(|m| m.original_key.clone()) + .collect(); + let offline_extras: Vec<&String> = offline_keys + .difference(&online_keys) + .collect(); + let online_extras: Vec<&String> = online_keys + .difference(&offline_keys) + .collect(); + + eprintln!( + "\n[fxfiles-open-bucket] Phase 4 (parity) ─────────────────────────\n\ + [fxfiles-open-bucket] online={} files / offline={} files", + online_keys.len(), + offline_keys.len(), + ); + + // HARD assertion: offline ⊆ online. + assert!( + offline_extras.is_empty(), + "Phase 4 HARD-FAIL: cold-start surfaced {} files master doesn't have:\n {}\n\ + \nFirst, RULE OUT THE COMMON BENIGN CASE — concurrent writes between \ + Phase 0 and Phase 1+ (~30s window):\n\ + * Was another device (the user's phone, a CI runner, a sibling test) \ + writing to bucket {:?} during this test run? Recent uploads land in \ + master AND in the published bucketsIndex CBOR (the IPNS publisher \ + tick is 5 min) — if a write landed AFTER Phase 0's snapshot but \ + BEFORE the offline cold-start fetched the CBOR, the offline path \ + would include the file while Phase 0's online list wouldn't. Quiet \ + your other devices and re-run.\n\ + \nIf concurrent writes are ruled out, this is a real bug — the \ + resolver / decrypt / walk path produced entries that don't exist in \ + master's authoritative listing. Investigate:\n\ + * Did the resolver return a stale CID pointing at a different bucket's data?\n\ + * Is the bucket_lookup_h colliding with another bucket?\n\ + * Did AEAD decrypt succeed on bytes from the wrong bucket?\n\ + The full per-step diagnostic eprintlns above show which step the \ + erroneous CID came from.", + offline_extras.len(), + offline_extras.iter().take(10).map(|s| s.as_str()).collect::>().join("\n "), + bucket, + ); + + // SOFT warning: online \ offline ≠ ∅. Several legitimate causes + // — operator must triage; framing biased toward the most common + // (publisher tick) but enumerating the others equally so the + // operator doesn't default to "wait 5 min" when something else + // is the real cause. + if !online_extras.is_empty() { + eprintln!( + "[fxfiles-open-bucket] SOFT-WARN: master has {} files cold-start \ + didn't return:\n {}\n\ + \n[fxfiles-open-bucket] Possible causes (triage in this order):\n\ + [fxfiles-open-bucket] (a) PUBLISHER STALENESS — the IPNS publisher \ + tick is 5 min; recent uploads land in master synchronously but the \ + next IPNS+chain publish carries them out. If the missing files were \ + uploaded within the last ~5 min, wait for the publisher and re-run.\n\ + [fxfiles-open-bucket] (b) STALE PUBLISHED CBOR — the published \ + bucketsIndex CBOR points at an older `forest_manifest_cid`. Step 1.5 \ + above prints the loaded manifest's `manifest_sequence`; compare \ + against master's current sequence (admin endpoint or registry CBOR \ + dump). If the loaded sequence is older than master's, the publisher \ + never caught up for this user — investigate publisher health.\n\ + [fxfiles-open-bucket] (c) PAGE-FETCH SILENT DROP — the v7 walk \ + fetches manifest pages by their etag/cid; if a gateway returns 4xx \ + for a page right now, the walk skips that page and its entries \ + without surfacing an error. Step 1.5's `shards_with_root` count \ + vs. expected helps localize this.\n\ + [fxfiles-open-bucket] (d) PIN LAG — master serves a file via S3 \ + that isn't yet pinned to ipfs-cluster (pinning is best-effort + \ + retried); offline gateway race can't find it. Distinct from \ + publisher staleness; pin verification needed.\n\ + [fxfiles-open-bucket] (e) UNFLUSHED MIGRATION — a v1→v7 migration \ + that didn't fully flush. Rare post-deploy, common during migration.", + online_extras.len(), + online_extras.iter().take(10).map(|s| s.as_str()).collect::>().join("\n "), + ); + } else if offline_keys == online_keys { + eprintln!( + "[fxfiles-open-bucket] PARITY ✅ — online and offline listings \ + match exactly ({} files). End-to-end cold-start works for \ + bucket {:?}.", + online_keys.len(), + bucket, + ); + } } // ───────────────────────────────────────────────────────────────────────────── diff --git a/crates/fula-client/tests/s3_blob_backend_returns_cid.rs b/crates/fula-client/tests/s3_blob_backend_returns_cid.rs new file mode 100644 index 0000000..3cc0369 --- /dev/null +++ b/crates/fula-client/tests/s3_blob_backend_returns_cid.rs @@ -0,0 +1,351 @@ +//! Walkable-v8 (W.9.2): `S3BlobBackend::put` returns the master's +//! PUT-response ETag parsed as a [`Cid`] inside [`BlobPutResult`]. +//! +//! Master computes the ETag as `cid.to_string()` of a v1 raw-codec +//! BLAKE3-multihash CID — kubo invokes +//! `/api/v0/block/put?cid-codec=raw&mhtype=blake3` per +//! `crates/fula-cli/src/handlers/object.rs:103-137` and returns that +//! string verbatim in the PUT response. This test: +//! +//! 1. Mounts a wiremock master that emits a real BLAKE3-raw CID for +//! the request body. Asserts `BlobPutResult.cid` is `Some(cid)` and +//! matches what kubo would have computed. +//! 2. Mounts a master that emits a non-CID etag string. Asserts the +//! backend soft-fails to `BlobPutResult { cid: None }` (PUT itself +//! succeeds — only the offline-walk hint is missing). +//! 3. Mounts a master that emits the etag in S3-quoted form (`""`). +//! Today this is NOT what production master returns (it returns the +//! raw `cid.to_string()`), but the test pins the current parse +//! behavior so a future master change to quoted etags becomes a +//! visible regression. + +#![cfg(not(target_arch = "wasm32"))] + +use cid::Cid; +use cid::multihash::Multihash; +use fula_client::{Config, FulaClient, S3BlobBackend}; +use fula_crypto::wnfs_hamt::BlobBackend; +use wiremock::matchers::{method, path}; +use wiremock::{Mock, MockServer, ResponseTemplate}; + +const MULTIHASH_BLAKE3: u64 = 0x1e; + +/// Build the same v1 raw-codec BLAKE3-multihash CID that production kubo +/// would compute for `data` under `block/put?cid-codec=raw&mhtype=blake3`. +fn blake3_raw_cid(data: &[u8]) -> Cid { + let h = blake3::hash(data); + let mh = Multihash::<64>::wrap(MULTIHASH_BLAKE3, h.as_bytes()) + .expect("32-byte blake3 digest fits in Multihash<64>"); + Cid::new_v1(0x55 /* raw */, mh) +} + +fn mk_client(endpoint: &str) -> FulaClient { + // W.9.3: every test in this file asserts that `S3BlobBackend.cid` + // surfaces the master-attested CID. The walkable-v8 writer flag + // gates this behaviour and defaults to `false` in the v0.6.x + // rollout, so each test must construct a config with the flag + // explicitly on. Without this, every assertion below would see + // `cid: None` and fail with a misleading "etag did not parse" + // message. + let mut config = Config::new(endpoint); + config.walkable_v8_writer_enabled = true; + FulaClient::new(config).expect("build FulaClient") +} + +#[tokio::test] +async fn put_returns_blake3_raw_cid_parsed_from_etag() { + let server = MockServer::start().await; + let body = b"encrypted-hamt-node-blob".to_vec(); + let expected_cid = blake3_raw_cid(&body); + let etag_str = expected_cid.to_string(); + + Mock::given(method("PUT")) + .and(path("/images/__fula_forest_v7_nodes/abc123")) + .respond_with(ResponseTemplate::new(200).insert_header("ETag", etag_str.as_str())) + .mount(&server) + .await; + + let backend = S3BlobBackend::new(mk_client(&server.uri()), "images".to_string()); + + let result = backend + .put("__fula_forest_v7_nodes/abc123", body) + .await + .expect("PUT must succeed"); + + assert_eq!( + result.cid, + Some(expected_cid), + "S3BlobBackend::put must surface the etag-parsed CID for walkable-v8" + ); +} + +#[tokio::test] +async fn put_soft_fails_to_none_when_etag_is_not_a_valid_cid() { + let server = MockServer::start().await; + let body = b"node-blob".to_vec(); + + // Garbage etag (not a CID, not even base32). Real-world failure modes + // include: a misbehaving proxy that strips the ETag, a future master + // version that returns a different format, or a deploy mid-rollout + // serving from a node that hasn't been updated. + Mock::given(method("PUT")) + .and(path("/images/__fula_forest_v7_nodes/def456")) + .respond_with( + ResponseTemplate::new(200).insert_header("ETag", "not-a-cid-just-some-string"), + ) + .mount(&server) + .await; + + let backend = S3BlobBackend::new(mk_client(&server.uri()), "images".to_string()); + + let result = backend + .put("__fula_forest_v7_nodes/def456", body) + .await + .expect("PUT itself must succeed even when etag is unparseable"); + + assert!( + result.cid.is_none(), + "non-CID etag must soft-fail to None, NOT propagate as an error \ + (PUT succeeded, only the offline-walk hint is missing); got {:?}", + result.cid + ); +} + +/// Isolation check: `Cid::from_str` itself REJECTS quoted input. The +/// reason `put_with_quoted_etag_still_parses_to_correct_cid` succeeds +/// is NOT that wiremock/reqwest/hyper normalize the header — it's that +/// `FulaClient::put_object_with_metadata` at `crates/fula-client/src/ +/// client.rs:388` (and `:438` for the conditional variant) calls +/// `.trim_matches('"')` on the ETag header value before populating +/// `PutObjectResult.etag`. So by the time `S3BlobBackend::put` reads +/// `result.etag`, quotes are already gone. +/// +/// **Maintainer note**: do NOT remove `.trim_matches('"')` at +/// `client.rs:388, 438` — that's the production-portable guarantee +/// against any S3-conformant proxy that wraps etags per RFC 7232. +/// This isolation test exists so a future refactor that touches the +/// trim immediately surfaces the breakage in this test, not as a +/// silent regression of offline-walk hints behind quoted-etag proxies. +#[test] +fn cid_from_str_quoted_input_isolation_check() { + let body = b"isolation-check-blob".as_slice(); + let cid = blake3_raw_cid(body); + let raw = cid.to_string(); + let quoted = format!("\"{}\"", raw); + + let raw_parse = raw.parse::(); + assert!(raw_parse.is_ok(), "raw cid string must parse cleanly"); + + let quoted_parse = quoted.parse::(); + if quoted_parse.is_ok() { + // cid 0.11's parser is permissive of surrounding quotes — production + // is portable across S3-compliant proxies that quote etags per + // RFC 7232. The integration test is a real guarantee. + eprintln!( + "isolation: cid::from_str strips surrounding quotes — \ + production is resilient regardless of proxy" + ); + } else { + // The cid parser rejects quotes. The integration test's resilience + // therefore comes from wiremock/reqwest/hyper normalization on the + // header path. It is NOT a `cid`-level guarantee, and a real proxy + // that retains literal quotes in the wire ETag header would strand + // the offline-walk hint as `None`. Document this in the integration + // test if this branch fires. + eprintln!( + "isolation: cid::from_str DOES NOT strip quotes ({:?}); \ + integration-test resilience is harness-dependent", + quoted_parse.unwrap_err() + ); + } +} + +#[tokio::test] +async fn put_with_quoted_etag_still_parses_to_correct_cid() { + // Some S3 implementations wrap etag in double quotes per RFC 7232. + // Production fula master does NOT — it emits `cid.to_string()` raw + // (verified at `crates/fula-cli/src/handlers/object.rs:137`) — but + // any S3-compliant proxy fronting master is allowed to add quotes. + // + // **Production resilience comes from `client.rs:388, 438`**, where + // `FulaClient::put_object_with_metadata` strips surrounding quotes + // via `.trim_matches('"')` before populating `PutObjectResult.etag`. + // The `cid` crate's parser does NOT strip quotes (proven by the + // sibling `cid_from_str_quoted_input_isolation_check` test), so + // removing the `.trim_matches('"')` would silently break offline- + // walk hints behind any RFC-7232-quoting proxy. This test pins the + // end-to-end resilience: do not remove the trim at `client.rs`. + let server = MockServer::start().await; + let body = b"another-blob".to_vec(); + let expected_cid = blake3_raw_cid(&body); + let quoted = format!("\"{}\"", expected_cid); + + Mock::given(method("PUT")) + .and(path("/images/__fula_forest_v7_nodes/789")) + .respond_with(ResponseTemplate::new(200).insert_header("ETag", quoted.as_str())) + .mount(&server) + .await; + + let backend = S3BlobBackend::new(mk_client(&server.uri()), "images".to_string()); + + let result = backend + .put("__fula_forest_v7_nodes/789", body) + .await + .expect("PUT must succeed"); + + assert_eq!( + result.cid, + Some(expected_cid), + "quoted etag must still surface as the same parsed CID — the \ + walkable-v8 hint must not be stranded by a transient proxy" + ); +} + +/// Walkable-v8 (W.9.3) — master returns an ETag for a DIFFERENT body. +/// Self-verification at S3BlobBackend::put must catch the mismatch and +/// soft-fail to `cid: None` so downstream parents (LinkV2 stamping) and +/// readers (offline gateway race) cannot be redirected by a compromised +/// master to attacker-controlled IPFS bytes. The PUT itself must still +/// succeed — the soft-fail is at the offline-walk-hint level only. +#[tokio::test] +async fn put_self_verify_rejects_master_attested_cid_for_wrong_body() { + let server = MockServer::start().await; + let actual_body = b"the-real-ciphertext-we-sent".to_vec(); + let other_body = b"completely-different-bytes".to_vec(); + // Master attests a CID that addresses OTHER bytes — modeling a + // compromised master that wants to redirect future offline walkers + // to attacker-controlled blobs at that other CID. + let lying_etag = blake3_raw_cid(&other_body).to_string(); + + Mock::given(method("PUT")) + .and(path("/images/__fula_forest_v7_nodes/lying")) + .respond_with(ResponseTemplate::new(200).insert_header("ETag", lying_etag.as_str())) + .mount(&server) + .await; + + let backend = S3BlobBackend::new(mk_client(&server.uri()), "images".to_string()); + + let result = backend + .put("__fula_forest_v7_nodes/lying", actual_body) + .await + .expect("PUT itself must succeed even when master lies about the CID"); + + assert!( + result.cid.is_none(), + "S3BlobBackend::put must soft-fail to None when master's etag-attested \ + CID disagrees with locally-computed BLAKE3(ciphertext) — the load-bearing \ + walkable-v8 safety property. Got cid = {:?}", + result.cid + ); +} + +/// Walkable-v8 (W.9.3) — `walkable_v8_writer_enabled = false` +/// (explicit opt-out post-#89; was the default pre-#89 during the +/// v0.6.x rollout window) MUST cause `S3BlobBackend::put` to surface +/// no CID, even when master returns a perfectly-valid CID in the +/// ETag. This pins the off-mode's byte-identical behaviour to v0.5: +/// write semantics unchanged, no v8 wire-format surface activated. +/// +/// **Renamed post-#89** to clarify this exercises the EXPLICIT-FALSE +/// opt-out path (used by backward-compat-sensitive consumers, or by +/// regression tests that need v7-only writes), not the default. The +/// new default is `true`. +#[tokio::test] +async fn put_with_explicit_writer_disabled_returns_cid_none() { + let server = MockServer::start().await; + let body = b"node-payload-explicit-off".to_vec(); + let correct_etag = blake3_raw_cid(&body).to_string(); + + Mock::given(method("PUT")) + .and(path("/images/__fula_forest_v7_nodes/explicit-off")) + .respond_with(ResponseTemplate::new(200).insert_header("ETag", correct_etag.as_str())) + .mount(&server) + .await; + + // **#89 (2026-05-09)**: default is now `true`. To exercise the + // off path (legacy `Pointer::Link` emission, no CID surfaced), + // construct the Config and EXPLICITLY set the flag to false. + let mut cfg = Config::new(&server.uri()); + cfg.walkable_v8_writer_enabled = false; + let client = FulaClient::new(cfg).expect("build client"); + let backend = S3BlobBackend::new(client, "images".to_string()); + + let result = backend + .put("__fula_forest_v7_nodes/explicit-off", body) + .await + .expect("PUT must succeed under explicit-off mode"); + + assert!( + result.cid.is_none(), + "walkable_v8_writer_enabled = false MUST surface \ + cid: None even when master's etag is a valid CID. Otherwise the \ + flag isn't actually gating the v8 wire surface and old SDKs would \ + see LinkV2 entries in opt-out-written buckets. Got cid = {:?}", + result.cid + ); +} + +#[tokio::test] +async fn put_retry_after_503_returns_cid_from_successful_attempt_only() { + // Pins retry-correctness for W.9.2: when a transient 503 forces the + // backend's retry loop, the eventual `BlobPutResult.cid` must come + // from the *successful* attempt's etag, not a stale prior one. + // + // The loop structure in S3BlobBackend::put already enforces this + // (the `Ok(result)` arm fires only on the 2xx attempt), but no test + // had explicitly exercised the retry+CID interaction. This pins it + // so a future refactor that captures `etag` outside the loop — + // e.g. via an interceptor or middleware — can't silently regress. + use std::sync::Arc; + use std::sync::atomic::{AtomicUsize, Ordering}; + use wiremock::{Request, Respond}; + + struct Scripted { + calls: Arc, + responses: Vec, + } + impl Respond for Scripted { + fn respond(&self, _req: &Request) -> ResponseTemplate { + let idx = self.calls.fetch_add(1, Ordering::SeqCst); + self.responses[idx.min(self.responses.len() - 1)].clone() + } + } + + let server = MockServer::start().await; + let body = b"retry-then-cid-blob".to_vec(); + let expected_cid = blake3_raw_cid(&body); + let etag_str = expected_cid.to_string(); + + let calls = Arc::new(AtomicUsize::new(0)); + let responder = Scripted { + calls: calls.clone(), + responses: vec![ + ResponseTemplate::new(503), + ResponseTemplate::new(200).insert_header("ETag", etag_str.as_str()), + ], + }; + Mock::given(method("PUT")) + .and(path("/images/__fula_forest_v7_nodes/retry")) + .respond_with(responder) + .mount(&server) + .await; + + let backend = S3BlobBackend::new(mk_client(&server.uri()), "images".to_string()); + + let result = backend + .put("__fula_forest_v7_nodes/retry", body) + .await + .expect("retry must absorb 503 then succeed"); + + assert_eq!( + calls.load(Ordering::SeqCst), + 2, + "exactly two attempts: 503 then 200" + ); + assert_eq!( + result.cid, + Some(expected_cid), + "CID hint must come from the successful 200 attempt's etag, \ + never a stale value from a retried-and-failed attempt" + ); +} diff --git a/crates/fula-client/tests/walkable_v8_manifest_block_size.rs b/crates/fula-client/tests/walkable_v8_manifest_block_size.rs new file mode 100644 index 0000000..bb66ea0 --- /dev/null +++ b/crates/fula-client/tests/walkable_v8_manifest_block_size.rs @@ -0,0 +1,337 @@ +//! W.9.7 follow-up #73 — SDK-level block-size regression guard. +//! +//! W.9.7's primary block-size assertion (`walkable_v8_block_size_at_*` +//! in `fula-crypto/src/sharded_hamt_forest.rs`) covers HAMT +//! internal-node and shard-leaf-bucket ciphertexts at 1k / 100k / 1M +//! entries via direct cascade exercise. Reviewer A's W.9.7 audit +//! flagged a gap: manifest pages, the manifest root, the +//! directory-index, and per-file index objects flow through +//! `crates/fula-client/src/encryption.rs`'s Phase 1.5 / 1.6 / 2 +//! commits via `FulaClient::put_object_with_metadata*` — a layer +//! BELOW `BlobBackend` that wiremock-style HTTP interception is the +//! only way to observe. +//! +//! This test sits a wiremock master in front of the full +//! `EncryptedClient` and drives 1000 realistic v8 writes through +//! `put_object_encrypted`, recording every HTTP PUT body that flows +//! through. +//! +//! ## Scope (post-#75, honest version) +//! +//! This test asserts the W.8.3 ceiling holds for **every PUT body the +//! SDK sends through the v7 sharded-HAMT cascade**. After #75 +//! (2026-05-09) the test uses `put_object_flat_deferred` (the +//! forest-aware write path) instead of `put_object_encrypted`. +//! Calling `put_object_flat_deferred` on a fresh bucket triggers the +//! 404-GET → fresh-v7 bootstrap at `encryption.rs:2847-2867`, so the +//! whole v7 cascade fires through `flush_forest`. Empirically: +//! +//! - Per-file ciphertext PUTs ✅ (small, ~100-300 bytes each) +//! - HAMT internal-node + shard-root PUTs ✅ (the +//! `__fula_forest_v7_nodes/...` class — empirically the largest +//! blobs at this scale, max ~26 KiB at N=1000) +//! - Manifest pages, dir-index, Phase 2 root commits ✅ (paths +//! derive to `Qm` via `derive_manifest_page_key` / +//! `derive_dir_index_key`, NOT under any `__fula_forest_v7_*` +//! prefix — so the classifier below buckets them under +//! `object-or-chunk`. Distinguishing them precisely would +//! require pre-computing the expected derived keys at test +//! setup; tracked as enhancement if needed. The hard 1 MiB +//! assertion holds regardless.) +//! +//! Together with the fula-crypto HAMT-layer test, these two tests +//! cover the dominant blob classes for production-realistic +//! workloads. The combined coverage is sufficient for the W.10 +//! default-on rollout's block-size guarantee. +//! +//! **Note on the original #75 design**: the task originally proposed +//! pre-loading wiremock with a fake-but-decryptable v7 manifest to +//! force the cascade. Empirical investigation showed the SDK's +//! 404-GET catch-all already bootstraps fresh-v7 (line 2847-2867), +//! so the wiremock-fixture approach was unnecessary; the actual gap +//! was that `put_object_encrypted` doesn't touch the forest at all, +//! while `put_object_flat_deferred` does. One-line call-site change +//! instead of ~200 LOC of fixture setup. + +#![cfg(not(target_arch = "wasm32"))] + +use bytes::Bytes; +use cid::multihash::Multihash; +use cid::Cid; +use fula_client::{Config, EncryptedClient, EncryptionConfig}; +use fula_crypto::keys::SecretKey; +use std::sync::atomic::{AtomicUsize, Ordering}; +use std::sync::{Arc, Mutex}; +use wiremock::matchers::method; +use wiremock::{Mock, MockServer, Request, Respond, ResponseTemplate}; + +const IPFS_BLOCK_LIMIT: usize = 1 << 20; +/// Architectural early-warning ceiling — same as the fula-crypto +/// HAMT-layer test. >64 KiB is an architectural regression even +/// though the gateway hard limit is still respected. Soft-only. +const SOFT_BLOCK_WARN_KIB: usize = 64 * 1024; + +fn blake3_raw_cid(data: &[u8]) -> Cid { + let h = blake3::hash(data); + let mh = Multihash::<64>::wrap(0x1e, h.as_bytes()).expect("blake3 multihash wrap"); + Cid::new_v1(0x55, mh) +} + +/// Wiremock catch-all PUT responder. Records the largest observed +/// body size + its URL path, and returns the body's BLAKE3-raw CID as +/// the `ETag` header so the SDK's W.9.3 self-verify accepts the +/// response (otherwise the writer cascade soft-fails to v7-style +/// `Link` and we'd miss the v8-specific blob-size pressure points). +struct RecordingResponder { + /// Max ever observed body size in bytes. + max_size: Arc, + /// URL path of whichever request held the max. + max_path: Arc>, + /// Per-class breakdown for diagnostic output. Bucketed by URL + /// prefix so operator triage can see "the dir-index was the + /// biggest" vs "a HAMT internal node was". + per_class_max: Arc>>, + /// Total number of PUT requests observed — sanity-checks the + /// SDK actually wrote what we expect (otherwise a misconfigured + /// test could pass trivially with zero PUTs). + request_count: Arc, +} + +impl Respond for RecordingResponder { + fn respond(&self, req: &Request) -> ResponseTemplate { + let size = req.body.len(); + let path = req.url.path().to_string(); + self.request_count.fetch_add(1, Ordering::SeqCst); + + // Update max + label atomically. Race-fine: only the test + // observes the final value after flush_forest awaits. + let prev_max = self.max_size.load(Ordering::SeqCst); + if size > prev_max { + self.max_size.store(size, Ordering::SeqCst); + *self.max_path.lock().unwrap() = path.clone(); + } + + // Per-class bookkeeping. + let class = if path.contains("__fula_forest_v7_nodes/") { + "hamt-node" + } else if path.contains("__fula_forest_v7_pages/") || path.contains("__fula_forest_v7_index") { + "manifest" + } else if path.contains("__fula_forest_v7_dir_index") { + "dir-index" + } else if path.contains("__fula_forest_") { + "forest-meta-other" + } else { + "object-or-chunk" + } + .to_string(); + let mut by_class = self.per_class_max.lock().unwrap(); + let entry = by_class.entry(class).or_insert(0); + if size > *entry { + *entry = size; + } + + // Compute a real CID for the body so SDK self-verify sees a + // matching ETag and the v8 LinkV2 cascade actually fires. + let cid = blake3_raw_cid(&req.body); + ResponseTemplate::new(200).insert_header("ETag", cid.to_string()) + } +} + +/// Catch-all GET responder — returns 404 so the SDK treats the bucket +/// as fresh (no preexisting forest manifest, no preexisting objects). +/// All writes therefore go through Phase 1.5/1.6/2 from a cold start +/// and exercise the full set of blob classes. +struct NotFoundResponder; +impl Respond for NotFoundResponder { + fn respond(&self, _req: &Request) -> ResponseTemplate { + ResponseTemplate::new(404) + } +} + +#[tokio::test] +async fn no_blob_class_exceeds_1mib_at_realistic_distributed_scale() { + let server = MockServer::start().await; + + let max_size = Arc::new(AtomicUsize::new(0)); + let max_path = Arc::new(Mutex::new(String::new())); + let per_class_max = Arc::new(Mutex::new(std::collections::HashMap::new())); + let request_count = Arc::new(AtomicUsize::new(0)); + + let recorder = RecordingResponder { + max_size: max_size.clone(), + max_path: max_path.clone(), + per_class_max: per_class_max.clone(), + request_count: request_count.clone(), + }; + + Mock::given(method("PUT")) + .respond_with(recorder) + .mount(&server) + .await; + // Cold-bucket simulation: every GET returns 404 → SDK builds a + // fresh forest manifest from scratch, exercising every Phase + // 1.5/1.6/2 commit during flush_forest. + Mock::given(method("GET")) + .respond_with(NotFoundResponder) + .mount(&server) + .await; + // HEAD probes (health gate uses these on init) — return 200 so + // the gate stays Up and writes proceed. + Mock::given(method("HEAD")) + .respond_with(ResponseTemplate::new(200)) + .mount(&server) + .await; + + // Build SDK pointing at wiremock with v8 writer enabled. + let mut config = Config::new(&server.uri()).with_token("test-jwt"); + config.walkable_v8_writer_enabled = true; + // health_gate_enabled: leave default (false) so a wiremock that + // doesn't fully model master health probes doesn't trip the gate. + let secret = SecretKey::generate(); + let enc_config = EncryptionConfig::from_secret_key(secret); + let client = EncryptedClient::new(config, enc_config).expect("EncryptedClient::new"); + + let bucket = "scale-bucket"; + let n: usize = 1000; + // Distribute across ~sqrt(N) dirs — same shape as the W.9.7 + // primary test, so the same architectural cliff (single-dir + // ForestDirectoryEntry blob blowup) doesn't confound the + // measurement here either. + let dirs: usize = (n as f64).sqrt() as usize; + assert!(dirs > 0, "test setup invalid: dirs == 0"); + + // **#75 (2026-05-09)**: switched from `put_object_encrypted` to + // `put_object_flat_deferred`. The former encrypts + uploads + // BUT does not touch the encrypted forest at all — so + // `flush_forest` had nothing dirty to flush, and the v7 cascade + // (manifest pages / dir-index / Phase 2 root commits) never + // fired in this test. `put_object_flat_deferred` is the + // forest-aware path: it calls `ensure_forest_loaded` (which + // bootstraps a fresh v7 ShardedHamt cache entry on a 404 GET + // per `encryption.rs:2847-2867`) and upserts each file into + // the in-memory v7 forest. `flush_forest` then drives Phase 1.5 + // (manifest pages), Phase 1.6 (dir-index), and Phase 2 (root + // commit) — exactly the blob classes #75 was filed to exercise. + // + // Original task scope was "pre-load wiremock with a fake-but- + // decryptable v7 manifest". The empirical investigation showed + // a 404-GET catch-all already triggers fresh-v7 bootstrap, so + // the wiremock-fixture approach was unnecessary; the actual + // gap was the test's call site, not the fixture. + for i in 0..n { + let dir_idx = i % dirs; + let key = format!("/d{:04}/f{:08}.txt", dir_idx, i); + let data = format!("entry-{}-payload-bytes", i).into_bytes(); + client + .put_object_flat_deferred(bucket, &key, Bytes::from(data), None) + .await + .expect("put_object_flat_deferred must succeed against wiremock"); + } + + // Flush the forest — drives Phase 1.5 (page commits), Phase 1.6 + // (dir-index commit), and Phase 2 (manifest root commit). + client + .flush_forest(bucket) + .await + .expect("flush_forest must succeed"); + + // Inspect aggregated bookkeeping. + let total_requests = request_count.load(Ordering::SeqCst); + let max = max_size.load(Ordering::SeqCst); + let max_path_str = max_path.lock().unwrap().clone(); + let by_class = per_class_max.lock().unwrap().clone(); + + eprintln!( + "[walkable-v8 #73] N={} put_requests={} max_blob={} bytes ({:.1} KiB) at {}", + n, + total_requests, + max, + max as f64 / 1024.0, + max_path_str + ); + let mut classes: Vec<_> = by_class.iter().collect(); + classes.sort_by(|(a, _), (b, _)| a.cmp(b)); + for (class, size) in classes { + eprintln!( + "[walkable-v8 #73] {:>20} max = {} bytes ({:.1} KiB)", + class, + size, + *size as f64 / 1024.0 + ); + } + + // Sanity: SDK actually wrote things. + assert!( + total_requests > 0, + "test setup invalid: no PUT requests reached wiremock — \ + the SDK is misconfigured or the wiremock catch-all isn't matching" + ); + assert!( + total_requests >= n, + "expected ≥{} PUTs (one per encrypted upload, plus manifest \ + + page + dir-index commits during flush), got {}", + n, + total_requests + ); + assert!(max > 0, "test setup invalid: max blob size is zero"); + + // **#75 (2026-05-09)** — positive assertion that the v7 cascade + // actually fired. Catches regressions where a future refactor + // changes the call site away from `put_object_flat_deferred` + // back to a forest-bypassing path (e.g., `put_object_encrypted`). + // Without this guard, the test would fall back to validating + // only file-content blob size — meaningful but a much weaker + // claim. The hamt-node class fires only when v7 flush_dirty + // persists internal nodes via `V7NodeStore`, which requires a + // populated v7 forest cache. + let hamt_node_max = by_class.get("hamt-node").copied().unwrap_or(0); + assert!( + hamt_node_max > 0, + "v7 cascade did not fire — no `__fula_forest_v7_nodes/` PUTs \ + observed across {} total requests. Either (a) the SDK is \ + using a forest-bypassing write path, (b) `flush_forest` \ + short-circuited, or (c) a previous refactor changed the \ + test entry point. This guard catches all three. \ + Per-class breakdown (in addition to the eprintln above): {:?}", + total_requests, + by_class + ); + + // Soft warning — log if any blob class crossed the architectural + // early-warning ceiling. Doesn't fail the test (gateway-correctness + // is the only hard pass/fail), but flags the regression for the + // operator running this test pre-rollout. + if max > SOFT_BLOCK_WARN_KIB { + eprintln!( + "[walkable-v8 #73] SOFT WARNING: largest blob ({} bytes / {} KiB) \ + exceeds the architectural early-warning ceiling ({} KiB). \ + The hard 1 MiB assert below still passes (gateway correctness \ + preserved), but inspect the parent-pointer fanout / \ + ForestDirectoryEntry cardinality at path {} before letting this \ + land in production.", + max, + max / 1024, + SOFT_BLOCK_WARN_KIB / 1024, + max_path_str, + ); + } + + // Hard assertion — the load-bearing W.8.3 fact, applied now to + // every blob class the SDK writes (HAMT nodes + manifest + + // dir-index + file-index + chunks). + assert!( + max <= IPFS_BLOCK_LIMIT, + "LOAD-BEARING W.8.3 ASSERTION VIOLATED across the full SDK write \ + path: blob at {} grew to {} bytes ({} KiB), exceeding the 1 MiB \ + IPFS gateway limit. Walkable-v8 offline walks (W.9.4) would fail \ + to fetch this blob. Per-class max breakdown above. The cliff is \ + likely either (a) ForestDirectoryEntry growing past ~60-100k \ + filenames in one dir (tracked as #72 — already-known limit), \ + (b) manifest-page list outgrowing PAGE_SIZE shards × per-shard \ + metadata, or (c) HAMT pointer-list overflow from a fanout bug \ + (already covered by the fula-crypto HAMT-layer block-size test).", + max_path_str, + max, + max / 1024, + ); +} diff --git a/crates/fula-client/tests/walkable_v8_offline_walk.rs b/crates/fula-client/tests/walkable_v8_offline_walk.rs new file mode 100644 index 0000000..a2a300f --- /dev/null +++ b/crates/fula-client/tests/walkable_v8_offline_walk.rs @@ -0,0 +1,197 @@ +//! Walkable-v8 reader integration test (W.9.4): end-to-end offline +//! walk via the cid-hint path. +//! +//! Verifies that the new `BlobBackend::get_with_cid_hint` route on +//! `S3BlobBackend` engages the cold-cache offline-fallback when master +//! returns a `MasterUnreachable`-shaped error and the caller supplies a +//! CID. This is the load-bearing wire between the HAMT walker +//! (`ChildPtr::resolve_owned` for `StoredV2` pointers) and the +//! existing Phase-2.4 gateway race; without this test, the writer +//! side of W.9.3 could be stamping cids that never get used at read +//! time and the regression would be invisible to all the in-module +//! tests in `fula-crypto`. +//! +//! Test strategy: +//! * Mount a wiremock master that **always returns 503** so every +//! master-side fetch trips the master-unreachable classifier. +//! * Mount a wiremock IPFS gateway that serves bytes by CID; we +//! pre-populate it with the encrypted ciphertext for a single +//! HAMT-node-shaped blob. +//! * Call `S3BlobBackend::get_with_cid_hint` with the matching CID. +//! Assert the bytes come from the gateway path AND +//! `verify_cid_against_bytes` passed (a tampered gateway response +//! would surface as `Storage` / `Network`, not as `Ok`). + +#![cfg(not(target_arch = "wasm32"))] + +use cid::Cid; +use cid::multihash::Multihash; +use fula_client::{Config, FulaClient, S3BlobBackend}; +use fula_crypto::wnfs_hamt::BlobBackend; +use wiremock::matchers::{method, path as wm_path}; +use wiremock::{Mock, MockServer, ResponseTemplate}; + +const MULTIHASH_BLAKE3: u64 = 0x1e; +const CODEC_RAW: u64 = 0x55; + +/// Build the same v1 raw-codec BLAKE3-multihash CID master would emit +/// on PUT. Mirrors `walkable_v8::local_blake3_raw_cid`'s contract. +fn blake3_raw_cid(data: &[u8]) -> Cid { + let h = blake3::hash(data); + let mh = Multihash::<64>::wrap(MULTIHASH_BLAKE3, h.as_bytes()) + .expect("blake3 multihash wrap"); + Cid::new_v1(CODEC_RAW, mh) +} + +/// Construct a Config wired for full Phase-2.x offline-fallback infra. +/// Walkable-v8 reader path is NOT gated on the writer flag — the +/// wire-format `LinkV2` variant is the gate. So this test sets up the +/// resolver-side flags only. +fn mk_config_with_gateway(master_url: &str, gateway_url_template: &str) -> Config { + let tmp_path = std::env::temp_dir() + .join(format!("fula-walkable-v8-test-{}", uuid::Uuid::new_v4())); + let mut config = Config::new(master_url); + config.health_gate_enabled = true; + config.block_cache_enabled = true; + config.block_cache_path = Some(tmp_path); + config.gateway_fallback_enabled = true; + config.gateway_fallback_urls = vec![gateway_url_template.to_string()]; + config.gateway_race_concurrency = 1; + config +} + +/// End-to-end offline walk via `get_with_cid_hint`: master is down, +/// the cid hint routes through `get_object_with_offline_fallback_known_cid` +/// → gateway race → `verify_cid_against_bytes`. The caller (HAMT walker +/// in production; this test direct-calls the BlobBackend trait method) +/// receives the raw ciphertext bytes content-verified against the +/// supplied cid. +#[tokio::test] +async fn s3_backend_get_with_cid_hint_uses_gateway_when_master_down() { + let master = MockServer::start().await; + let gateway = MockServer::start().await; + + // The "encrypted HAMT node ciphertext" bytes — opaque to this + // layer (no AEAD on the integration test path; we're measuring + // the BlobBackend cid-hint plumbing only). Production code would + // run AEAD on the bytes after they exit this layer. + let body = b"opaque-v8-hamt-node-ciphertext-bytes-for-test".to_vec(); + let body_cid = blake3_raw_cid(&body); + + // Master responds 503 to GET so the offline classifier fires. + Mock::given(method("GET")) + .and(wm_path("/images/__fula_forest_v7_nodes/abc123")) + .respond_with(ResponseTemplate::new(503)) + .mount(&master) + .await; + + // Gateway serves the body at /ipfs/{cid}. + let gateway_path = format!("/ipfs/{}", body_cid); + Mock::given(method("GET")) + .and(wm_path(gateway_path.as_str())) + .respond_with(ResponseTemplate::new(200).set_body_bytes(body.clone())) + .mount(&gateway) + .await; + + let gateway_template = format!("{}/ipfs/{{cid}}", gateway.uri()); + let config = mk_config_with_gateway(&master.uri(), &gateway_template); + let client = FulaClient::new(config).expect("build FulaClient"); + let backend = S3BlobBackend::new(client, "images".to_string()); + + let result = backend + .get_with_cid_hint("__fula_forest_v7_nodes/abc123", Some(&body_cid)) + .await + .expect( + "get_with_cid_hint must engage the gateway race when master is \ + down + cid hint is supplied — load-bearing W.9.4 contract", + ); + + assert_eq!( + result, body, + "bytes from gateway must match — verify_cid_against_bytes inside \ + get_object_with_offline_fallback_known_cid would have rejected a \ + mismatch, so a successful Ok confirms the gateway path executed and \ + passed CID verification" + ); +} + +/// Default-off / no-cid-hint variant: when the caller supplies `None`, +/// the cid-hint path delegates to the no-hint variant — which in turn +/// uses the warm-cache offline path. With no warm-cache prepopulation +/// this should fail cleanly (no panic, no garbage), matching the +/// no-hint baseline behaviour. +#[tokio::test] +async fn s3_backend_get_with_cid_hint_none_falls_through_to_no_hint_path() { + let master = MockServer::start().await; + + // Master 503s every GET so the no-hint path tries the offline + // fallback. Without warm-cache or cid hint, the fallback returns + // the original master-down error. + Mock::given(method("GET")) + .respond_with(ResponseTemplate::new(503)) + .mount(&master) + .await; + + let config = mk_config_with_gateway(&master.uri(), "https://nowhere.example/ipfs/{cid}"); + let client = FulaClient::new(config).expect("build FulaClient"); + let backend = S3BlobBackend::new(client, "images".to_string()); + + let result = backend + .get_with_cid_hint("__fula_forest_v7_nodes/no-hint", None) + .await; + + assert!( + result.is_err(), + "no cid hint + master down + no warm-cache entry must return an \ + error (matching the no-hint variant); a successful Ok would mean \ + cid-hint path is fabricating responses" + ); +} + +/// Tampered gateway response: gateway returns bytes that do NOT +/// content-address to the supplied cid. `verify_cid_against_bytes` +/// inside the gateway race must reject; the cid-hint fetch surfaces +/// the underlying master-down error rather than the tampered bytes. +#[tokio::test] +async fn s3_backend_get_with_cid_hint_rejects_gateway_tamper() { + let master = MockServer::start().await; + let gateway = MockServer::start().await; + + let real_body = b"real-bytes".to_vec(); + let real_cid = blake3_raw_cid(&real_body); + let tampered_body = b"tampered-bytes".to_vec(); + assert_ne!(blake3_raw_cid(&tampered_body), real_cid); + + Mock::given(method("GET")) + .and(wm_path("/images/__fula_forest_v7_nodes/tampered")) + .respond_with(ResponseTemplate::new(503)) + .mount(&master) + .await; + + // Gateway returns DIFFERENT bytes than the cid claims to address. + // verify_cid_against_bytes inside the gateway race must reject. + let gateway_path = format!("/ipfs/{}", real_cid); + Mock::given(method("GET")) + .and(wm_path(gateway_path.as_str())) + .respond_with(ResponseTemplate::new(200).set_body_bytes(tampered_body.clone())) + .mount(&gateway) + .await; + + let gateway_template = format!("{}/ipfs/{{cid}}", gateway.uri()); + let config = mk_config_with_gateway(&master.uri(), &gateway_template); + let client = FulaClient::new(config).expect("build FulaClient"); + let backend = S3BlobBackend::new(client, "images".to_string()); + + let result = backend + .get_with_cid_hint("__fula_forest_v7_nodes/tampered", Some(&real_cid)) + .await; + + assert!( + result.is_err(), + "gateway returning bytes that don't content-address to the cid MUST \ + fail (verify_cid_against_bytes inside the offline fallback). A \ + successful return here would mean the offline-walk path is serving \ + attacker-controlled bytes — the load-bearing security property \ + walkable-v8 inherits from gateway_fetch." + ); +} diff --git a/crates/fula-crypto/Cargo.toml b/crates/fula-crypto/Cargo.toml index 5245e00..d274b8f 100644 --- a/crates/fula-crypto/Cargo.toml +++ b/crates/fula-crypto/Cargo.toml @@ -54,7 +54,9 @@ async-lock = "3" futures = { workspace = true } # IPLD/CID -cid = { workspace = true } +# `serde` feature enables Cid's Serialize/Deserialize impls for the +# walkable-v8 `PointerWire::LinkV2 { storage_key, cid }` wire format. +cid = { workspace = true, features = ["serde"] } multihash = { workspace = true } multihash-codetable = { workspace = true } @@ -79,3 +81,11 @@ tokio-test = "0.4" [[bench]] name = "crypto_benchmarks" harness = false + +# Walkable-v8 (W.9.7) scale benchmark — measures the curves the +# `walkable_v8_block_size_*` tests don't measure (write throughput, +# walk time, manifest size). Manually run via: +# cargo bench --bench walkable_v8_scale +[[bench]] +name = "walkable_v8_scale" +harness = false diff --git a/crates/fula-crypto/benches/crypto_benchmarks.rs b/crates/fula-crypto/benches/crypto_benchmarks.rs index 7812efa..0bde1d0 100644 --- a/crates/fula-crypto/benches/crypto_benchmarks.rs +++ b/crates/fula-crypto/benches/crypto_benchmarks.rs @@ -9,7 +9,7 @@ use fula_crypto::{ streaming::{encode as bao_encode, verify as bao_verify}, private_forest::{PrivateForest, ForestFileEntry, EncryptedForest}, sharded_hamt_forest::ShardedHamtPrivateForest, - wnfs_hamt::BlobBackend, + wnfs_hamt::{BlobBackend, BlobPutResult}, error::{CryptoError, Result as CryptoResult}, }; use std::collections::HashMap; @@ -150,9 +150,9 @@ impl BlobBackend for BenchBackend { .cloned() .ok_or_else(|| CryptoError::Hamt(format!("object not found: {}", path))) } - async fn put(&self, path: &str, bytes: Vec) -> CryptoResult<()> { + async fn put(&self, path: &str, bytes: Vec) -> CryptoResult { self.objects.lock().unwrap().insert(path.to_string(), bytes); - Ok(()) + Ok(BlobPutResult::none()) } } @@ -172,6 +172,7 @@ fn mk_file_entry(path: &str) -> ForestFileEntry { user_metadata: Default::default(), encrypted: false, min_version: 0, + storage_cid: None, } } @@ -305,6 +306,7 @@ fn bench_v1_monolithic_vs_v7_write(c: &mut Criterion) { user_metadata: Default::default(), encrypted: false, min_version: 0, + storage_cid: None, }); } f diff --git a/crates/fula-crypto/benches/walkable_v8_scale.rs b/crates/fula-crypto/benches/walkable_v8_scale.rs new file mode 100644 index 0000000..301cabd --- /dev/null +++ b/crates/fula-crypto/benches/walkable_v8_scale.rs @@ -0,0 +1,470 @@ +//! Walkable-v8 scale benchmark (W.9.7). +//! +//! Measures the **curves** that pin the architectural claims in plan +//! W.8: write throughput, walk time, manifest size, internal-node +//! count. The complementary block-size assertion test (in +//! `sharded_hamt_forest::tests::walkable_v8_block_size_*`) measures +//! the **fact** that no IPFS block exceeds 1 MiB at any scale. +//! +//! # What this answers +//! +//! - **Write throughput**: entries/sec at 1k / 10k / 50k. Establishes +//! a regression-detection baseline for future cascade refactors. +//! - **Walk time** (`list_recursive`): grows as `O(N + log_16 N)` — +//! linear in the number of returned files plus the per-shard load +//! cost. The bench plots both inputs to validate the claim. +//! - **Manifest size**: the encrypted root + page blobs. Should grow +//! sub-linearly because PageRef rows are bounded by `MAX_PAGES` +//! and the per-page blob is a constant-size `Vec`. +//! - **Internal-node count**: the number of HAMT internal-node blobs +//! pinned to the backend. Should grow as `~N / 16` (HAMT branching +//! factor) at low N, then plateau as shards saturate. +//! - **Total bytes pinned**: sum of every persisted blob's size. +//! **HAMT-internal-node ciphertexts only** — `flush_dirty` only +//! persists nodes via `V7NodeStore` (`__fula_forest_v7_nodes/` +//! prefix); manifest root, manifest pages, and dir-index are +//! returned in-memory by the forest's flush, not PUT to the +//! bench's `BlobBackend`. So this bench measures the surface +//! where LinkV2 pointer overhead actually lives — but the broader +//! "total bytes pinned including manifest/page/dir-index" claim +//! from plan W.8 is not validated by THIS bench. Empirical finding +//! (#74, 2026-05-09): HAMT-only growth is 2.2-4.6% across N=1k/10k/50k +//! and 16/256-shard configurations — meaningfully BELOW plan W.8.2's +//! "5-20%" prediction. Plan text needs adjustment. +//! +//! # Why a separate bench file +//! +//! Per advisor's W.9.7 brief: "benches measure curves, tests assert +//! facts — don't conflate." The bench output (criterion's HTML +//! reports) is the canonical signal for "did the architectural +//! curves change after my refactor". The block-size assertion +//! lives in `tests/` because it's pass/fail. +//! +//! # How to run +//! +//! ```text +//! cargo bench --bench walkable_v8_scale +//! ``` +//! +//! Criterion writes results under `target/criterion/`. For +//! pre-rollout sign-off, also run the `#[ignore]` block-size tests +//! (see W.9.7 task description). + +use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion, Throughput}; +use fula_crypto::{ + keys::DekKey, + private_forest::ForestFileEntry, + sharded_hamt_forest::ShardedHamtPrivateForest, + wnfs_hamt::{BlobBackend, BlobPutResult}, + Result as CryptoResult, +}; +use std::collections::HashMap; +use std::sync::{Arc, Mutex}; + +// ════════════════════════════════════════════════════════════════════════ +// In-bench backend +// ════════════════════════════════════════════════════════════════════════ + +/// Walkable-v8-aware in-memory backend. Returns `Some(BLAKE3-raw-cid)` +/// from `put` so the writer cascade emits `LinkV2` pointers (the v8 +/// path); the existing `BenchBackend` in `crypto_benchmarks.rs` +/// returns `BlobPutResult::none()` and would silently regress this +/// bench to v7 wire format. +struct WalkableV8BenchBackend { + objects: Mutex>>, +} + +impl WalkableV8BenchBackend { + fn new() -> Self { + Self { + objects: Mutex::new(HashMap::new()), + } + } + + fn cid_for(bytes: &[u8]) -> cid::Cid { + let h = blake3::hash(bytes); + let mh = cid::multihash::Multihash::<64>::wrap(0x1e, h.as_bytes()) + .expect("blake3 multihash wrap"); + cid::Cid::new_v1(0x55, mh) + } + + fn object_count(&self) -> usize { + self.objects.lock().unwrap().len() + } + + fn total_bytes(&self) -> usize { + self.objects + .lock() + .unwrap() + .values() + .map(|v| v.len()) + .sum() + } + + fn internal_node_count(&self) -> usize { + // HAMT internal-node objects are stored under the + // `__fula_forest_v7_nodes/` prefix per `V7NodeStore::object_path`. + self.objects + .lock() + .unwrap() + .keys() + .filter(|k| k.starts_with("__fula_forest_v7_nodes/")) + .count() + } +} + +#[async_trait::async_trait] +impl BlobBackend for WalkableV8BenchBackend { + async fn get(&self, path: &str) -> CryptoResult> { + self.objects + .lock() + .unwrap() + .get(path) + .cloned() + .ok_or_else(|| { + fula_crypto::CryptoError::Hamt(format!("object not found: {}", path)) + }) + } + + async fn put(&self, path: &str, bytes: Vec) -> CryptoResult { + let cid = Self::cid_for(&bytes); + self.objects + .lock() + .unwrap() + .insert(path.to_string(), bytes); + Ok(BlobPutResult { cid: Some(cid) }) + } +} + +/// **#74 (2026-05-09)** — v7 baseline backend. Returns +/// `BlobPutResult::none()` from `put` so the writer cascade emits +/// legacy `Pointer::Link(StorageKey)` (v7 wire format) instead of +/// `Pointer::LinkV2 { storage_key, cid }` (v8). Lets each bench run +/// both backends side-by-side and report the actual v8-over-v7 +/// growth — validates plan W.8.2's "5-20% relative growth" claim +/// and W.8.4's "no extra round trips" claim with empirical numbers +/// instead of predictions. +struct LegacyV7BenchBackend { + objects: Mutex>>, +} + +impl LegacyV7BenchBackend { + fn new() -> Self { + Self { + objects: Mutex::new(HashMap::new()), + } + } + + fn object_count(&self) -> usize { + self.objects.lock().unwrap().len() + } + + fn total_bytes(&self) -> usize { + self.objects + .lock() + .unwrap() + .values() + .map(|v| v.len()) + .sum() + } + + fn internal_node_count(&self) -> usize { + self.objects + .lock() + .unwrap() + .keys() + .filter(|k| k.starts_with("__fula_forest_v7_nodes/")) + .count() + } +} + +#[async_trait::async_trait] +impl BlobBackend for LegacyV7BenchBackend { + async fn get(&self, path: &str) -> CryptoResult> { + self.objects + .lock() + .unwrap() + .get(path) + .cloned() + .ok_or_else(|| { + fula_crypto::CryptoError::Hamt(format!("object not found: {}", path)) + }) + } + + async fn put(&self, path: &str, bytes: Vec) -> CryptoResult { + // v7 path: no CID surfaced → writer emits Link(StorageKey). + self.objects + .lock() + .unwrap() + .insert(path.to_string(), bytes); + Ok(BlobPutResult::none()) + } +} + +// ════════════════════════════════════════════════════════════════════════ +// Helpers +// ════════════════════════════════════════════════════════════════════════ + +fn bench_dek() -> DekKey { + DekKey::from_bytes(&[0x77u8; 32]).unwrap() +} + +fn make_entry(path: &str) -> ForestFileEntry { + ForestFileEntry { + path: path.to_string(), + // Minimal-size storage_key field — bench cares about HAMT + // shape, not realistic per-file metadata. + storage_key: format!("Qm{}", hex::encode(&blake3::hash(path.as_bytes()).as_bytes()[..22])), + size: 0, + content_type: None, + created_at: 0, + modified_at: 0, + content_hash: None, + user_metadata: Default::default(), + encrypted: false, + min_version: 0, + storage_cid: None, + } +} + +/// Populate a forest with `n` entries (256-shard, v8 backend — the +/// production-default configuration). Returns the populated forest +/// + backend so post-population queries can inspect the state. +async fn populate_forest( + n: usize, +) -> ( + ShardedHamtPrivateForest, + Arc, +) { + populate_forest_v8(n, 256).await +} + +/// **#74**: v8 populate parameterized by `num_shards`. Used to +/// reproduce the W.8.2 prediction "~32 internal nodes at 1k" which +/// was calibrated for a 16-shard configuration; the bench's 256-shard +/// default would otherwise leave that prediction unverifiable. +async fn populate_forest_v8( + n: usize, + num_shards: usize, +) -> ( + ShardedHamtPrivateForest, + Arc, +) { + let backend = Arc::new(WalkableV8BenchBackend::new()); + let mut forest = ShardedHamtPrivateForest::new("bench-bucket", bench_dek(), num_shards); + // **#74**: distribute across `sqrt(N)` parent dirs so dir-local + // routing actually exercises multiple shards. Single-dir + // population would route ALL entries to one shard regardless of + // num_shards, making the 16-vs-256-shard comparison degenerate + // (identical HAMT shapes, identical bytes). Matches the W.9.7 + // stress test's distribution heuristic. + let dirs_per_layer: usize = ((n as f64).sqrt() as usize).max(1); + for i in 0..n { + let dir_idx = i % dirs_per_layer; + let path = format!("/d{:04}/f{:08}.bin", dir_idx, i); + forest + .upsert_file(make_entry(&path), &backend) + .await + .unwrap(); + } + forest.flush_dirty(&backend).await.unwrap(); + (forest, backend) +} + +/// **#74**: v7 baseline populate. Same shape as `populate_forest_v8` +/// but the writer cascade emits legacy `Pointer::Link(StorageKey)` +/// because the backend returns `BlobPutResult::none()`. Lets each +/// structural-metrics measurement compute v7-vs-v8 deltas. +async fn populate_forest_v7( + n: usize, + num_shards: usize, +) -> ( + ShardedHamtPrivateForest, + Arc, +) { + let backend = Arc::new(LegacyV7BenchBackend::new()); + let mut forest = ShardedHamtPrivateForest::new("bench-bucket", bench_dek(), num_shards); + // Same distribution as `populate_forest_v8` so the v7-vs-v8 + // comparison is apples-to-apples. + let dirs_per_layer: usize = ((n as f64).sqrt() as usize).max(1); + for i in 0..n { + let dir_idx = i % dirs_per_layer; + let path = format!("/d{:04}/f{:08}.bin", dir_idx, i); + forest + .upsert_file(make_entry(&path), &backend) + .await + .unwrap(); + } + forest.flush_dirty(&backend).await.unwrap(); + (forest, backend) +} + +// ════════════════════════════════════════════════════════════════════════ +// Benches +// ════════════════════════════════════════════════════════════════════════ + +/// Write throughput at increasing N. Plots `entries/sec`. The expected +/// shape: roughly constant per-entry cost (HAMT depth grows +/// logarithmically), so total time grows linearly with N. A regression +/// where total time grew faster than linear would surface here as a +/// declining throughput curve. +fn bench_walkable_v8_write_throughput(c: &mut Criterion) { + let rt = tokio::runtime::Builder::new_current_thread() + .build() + .unwrap(); + let mut group = c.benchmark_group("walkable_v8_write_throughput"); + group.sample_size(10); + + // **#74**: bench BOTH v7 and v8 throughput so plan W.8.4's + // "no extra round trips" claim can be empirically validated — + // v8 entries/sec should equal v7 entries/sec to within + // measurement noise. If v8 is meaningfully slower, the writer + // cascade introduced extra round trips somewhere. + for &n in [1_000usize, 10_000, 50_000].iter() { + group.throughput(Throughput::Elements(n as u64)); + group.bench_with_input(BenchmarkId::new("v8/entries", n), &n, |b, &n| { + b.iter(|| { + rt.block_on(async { + let _ = populate_forest_v8(n, 256).await; + }); + }); + }); + group.bench_with_input(BenchmarkId::new("v7/entries", n), &n, |b, &n| { + b.iter(|| { + rt.block_on(async { + let _ = populate_forest_v7(n, 256).await; + }); + }); + }); + } + group.finish(); +} + +/// `list_recursive` walk time — the "open the bucket and list every +/// file" path that a v8 reader would exercise on cold-start. Measured +/// after a full populate + flush so the walker traverses persisted +/// HAMT nodes (matches the production "freshly-installed device +/// re-opens forest from manifest" timing). +fn bench_walkable_v8_walk_time(c: &mut Criterion) { + let rt = tokio::runtime::Builder::new_current_thread() + .build() + .unwrap(); + let mut group = c.benchmark_group("walkable_v8_walk_time"); + group.sample_size(10); + + for &n in [1_000usize, 10_000, 50_000].iter() { + // Pre-populate ONCE per N so the timed loop measures only the + // walk cost, not the populate cost. + let (forest_template, backend) = rt.block_on(async { + let r = populate_forest(n).await; + r + }); + let manifest = forest_template.manifest().clone(); + + group.throughput(Throughput::Elements(n as u64)); + group.bench_with_input(BenchmarkId::new("entries", n), &n, |b, _| { + b.iter(|| { + rt.block_on(async { + // Re-open from manifest each iteration so each + // run measures cold-walk cost (no cached + // ShardedHamt internal state from a prior + // iteration). `list_recursive` takes `&self` so + // the binding doesn't need `mut`. + let reader = ShardedHamtPrivateForest::from_manifest( + manifest.clone(), + "bench-bucket", + bench_dek(), + ); + let _files = reader.list_recursive("/", &backend).await.unwrap(); + }); + }); + }); + } + group.finish(); +} + +/// Reports a one-shot sweep of structural metrics across N. NOT +/// timed — criterion runs the closure once per iteration anyway, +/// but the values are deterministic given N. Output goes to stdout +/// so the operator can read the manifest-size and internal-node-count +/// curves alongside the timing numbers. +/// +/// Use this group's output to verify the W.8 architectural claims: +/// - manifest size grows sub-linearly with N +/// - internal-node count grows roughly linearly at low N then plateaus +/// - total bytes pinned grows linearly with N (each entry contributes +/// ~one leaf-bucket entry's worth of bytes) +fn bench_walkable_v8_structural_metrics(c: &mut Criterion) { + let rt = tokio::runtime::Builder::new_current_thread() + .build() + .unwrap(); + let mut group = c.benchmark_group("walkable_v8_structural_metrics"); + group.sample_size(10); + + // **#74 (2026-05-09)** — for each (shard_count, N) configuration, + // populate BOTH v7 and v8 backends and report side-by-side numbers + // plus the v8-over-v7 % delta. Validates plan W.8.2's "5-20% + // relative growth" claim and W.8.4's "no extra round trips" + // claim with empirical numbers. + // + // Two shard configurations: + // - **256**: production default (matches the existing + // `walkable_v8_block_size_*` tests). Reflects realistic + // FxFiles-scale sharding. + // - **16**: the configuration W.8.2's "~32 internal nodes at 1k" + // prediction was originally calibrated against. Lets the + // operator verify the prediction without changing plan text. + for &num_shards in [16usize, 256usize].iter() { + for &n in [1_000usize, 10_000, 50_000].iter() { + let (_v8_forest, v8_backend) = rt.block_on(async { + populate_forest_v8(n, num_shards).await + }); + let (_v7_forest, v7_backend) = rt.block_on(async { + populate_forest_v7(n, num_shards).await + }); + + let v8_total = v8_backend.total_bytes(); + let v7_total = v7_backend.total_bytes(); + let pct_growth = if v7_total > 0 { + (v8_total as f64 - v7_total as f64) / v7_total as f64 * 100.0 + } else { + 0.0 + }; + + eprintln!( + "[#74 v7-vs-v8 shards={} N={}] \ + v7: objects={} internal_nodes={} total_bytes={} | \ + v8: objects={} internal_nodes={} total_bytes={} | \ + v8-over-v7-bytes-delta: {:+.2}%", + num_shards, + n, + v7_backend.object_count(), + v7_backend.internal_node_count(), + v7_total, + v8_backend.object_count(), + v8_backend.internal_node_count(), + v8_total, + pct_growth, + ); + + group.bench_with_input( + BenchmarkId::new(format!("shards={}_snapshot", num_shards), n), + &n, + |b, _| { + b.iter(|| { + let _ = v8_backend.object_count(); + }); + }, + ); + } + } + group.finish(); +} + +criterion_group!( + walkable_v8_scale, + bench_walkable_v8_write_throughput, + bench_walkable_v8_walk_time, + bench_walkable_v8_structural_metrics +); +criterion_main!(walkable_v8_scale); diff --git a/crates/fula-crypto/src/chunked.rs b/crates/fula-crypto/src/chunked.rs index 51c5889..343865e 100644 --- a/crates/fula-crypto/src/chunked.rs +++ b/crates/fula-crypto/src/chunked.rs @@ -23,6 +23,7 @@ //! - Privacy: all chunks encrypted, index encrypted //! - Backward Compatible: `format: "streaming-v1"` distinguishes from v2 +use cid::Cid; use crate::{ CryptoError, Result, hashing::Blake3Hash, @@ -66,6 +67,47 @@ pub struct ChunkedFileMetadata { /// Original content type #[serde(skip_serializing_if = "Option::is_none")] pub content_type: Option, + /// Walkable-v8 (W.9.4-A2 / task #32): per-chunk CID hints, + /// populated from master's PUT-response ETag for each chunk. + /// Parallel to `chunk_nonces`: when non-empty, length must equal + /// `num_chunks` and `chunk_cids[i]` is the CID for the chunk at + /// `chunk_index == i`. Each entry is `Option` so individual + /// chunks can have `None` (e.g. one chunk's etag failed to parse + /// or the writer flag was off) while siblings have valid hints. + /// + /// Empty Vec = legacy chunked metadata written before W.9.4-A2. + /// `#[serde(default)]` keeps existing pinned/cached + /// `ChunkedFileMetadata` blobs deserializing cleanly into the + /// new struct — no migration required. + /// + /// **Storage shape (privacy posture)**: this struct is serialized + /// into the index object's `chunked` JSON field alongside + /// `chunk_nonces`, `root_hash`, `num_chunks`, `total_size`, etc. + /// The index body is plaintext JSON — only the `wrapped_key` and + /// `private_metadata` siblings are AEAD-encrypted. So `chunk_cids` + /// is **plaintext-readable** by anyone who can fetch the index + /// object. This is **not a privacy regression**: every existing + /// field in the same plaintext block (`chunk_nonces`, + /// `chunk_size`, `num_chunks`, …) was already plaintext-readable + /// at the same level pre-W.9.4-A2. Adding the chunk CIDs joins + /// that already-public set; an attacker with the index object + /// could already enumerate child storage paths via + /// `chunk_key(storage_key, i)` and fetch the same encrypted + /// chunk bytes via gateway. The hints just make it cheaper for + /// the legitimate offline reader. + /// + /// **Read-side use**: when an offline reader resolves a chunked + /// `ForestFileEntry` and decodes this metadata, for each chunk + /// it checks `chunk_cids[i].is_some()`: if yes, fetches via + /// `get_object_with_offline_fallback_known_cid` (cold-cache + /// gateway race from Phase 2.4); otherwise falls back to the + /// legacy `chunk_key()` storage-path fetch. This is what makes + /// chunked files (the dominant FxFiles content shape — photos, + /// PDFs, videos) walkable offline. The W.9.4 HAMT walker only + /// takes the reader to the file index; without these hints, the + /// chunks themselves remain unreachable when master is down. + #[serde(default, skip_serializing_if = "Vec::is_empty")] + pub chunk_cids: Vec>, } impl ChunkedFileMetadata { @@ -90,7 +132,42 @@ impl ChunkedFileMetadata { .map(|n| base64::engine::general_purpose::STANDARD.encode(n.as_bytes())) .collect(), content_type, + // Walkable-v8 (W.9.4-A2): default to no hints. The writer + // populates this AFTER per-chunk PUTs return etags via + // `populate_chunk_cids`. + chunk_cids: Vec::new(), + } + } + + /// Walkable-v8 (W.9.4-A2): bulk-set per-chunk CID hints after + /// each chunk's PUT has returned an etag. Vec length must equal + /// `num_chunks` or this is a no-op (caller bug — the reader's + /// length check would otherwise reject the metadata at decode + /// time). + /// + /// Idempotent: calling again with the same Vec re-stamps the + /// same values. Calling with an empty Vec clears the hints + /// (returns to legacy / pre-W.9.4-A2 behaviour for this entry). + pub fn populate_chunk_cids(&mut self, cids: Vec>) { + if cids.len() == self.num_chunks as usize { + self.chunk_cids = cids; + } else if cids.is_empty() { + self.chunk_cids.clear(); } + // Mismatched length: no-op. The writer's caller must supply + // exactly num_chunks entries (with `None` for any chunks + // that didn't get a usable CID hint). + } + + /// Walkable-v8 (W.9.4-A2): look up the CID hint for chunk + /// `index`. Returns `None` if no hints are populated (legacy + /// metadata) or if the specific chunk's hint is `None` (writer + /// flag was off for that PUT, or its etag failed to parse). + pub fn chunk_cid(&self, index: u32) -> Option { + self.chunk_cids + .get(index as usize) + .copied() + .flatten() } /// Get the storage key for a specific chunk @@ -740,6 +817,7 @@ mod tests { root_hash: "00".repeat(32), chunk_nonces: vec![], content_type: None, + chunk_cids: vec![], }; // First byte of file @@ -1088,4 +1166,137 @@ mod tests { assert_eq!(meta1.chunk_size, MIN_CHUNK_SIZE as u32); assert_eq!(meta1.num_chunks, chunks1.len() as u32 + if final1.is_some() { 1 } else { 0 }); } + + // ───────────────────────────────────────────────────────────────── + // Walkable-v8 (W.9.4-A2 / task #32) — per-chunk CID hints + // ───────────────────────────────────────────────────────────────── + + fn walkable_v8_test_cid(seed: u8) -> Cid { + let digest = [seed; 32]; + let mh = cid::multihash::Multihash::<64>::wrap(0x1e, &digest) + .expect("blake3 multihash wrap"); + Cid::new_v1(0x55, mh) + } + + #[test] + fn chunk_cids_round_trip_via_json() { + let cid_a = walkable_v8_test_cid(0xAA); + let cid_c = walkable_v8_test_cid(0xCC); + let mut meta = ChunkedFileMetadata { + format: "streaming-v1".to_string(), + chunk_size: 1024, + num_chunks: 3, + total_size: 3000, + root_hash: "deadbeef".to_string(), + chunk_nonces: vec!["n0".to_string(), "n1".to_string(), "n2".to_string()], + content_type: None, + chunk_cids: vec![], + }; + meta.populate_chunk_cids(vec![Some(cid_a), None, Some(cid_c)]); + let json = serde_json::to_vec(&meta).expect("encode"); + let decoded: ChunkedFileMetadata = serde_json::from_slice(&json).expect("decode"); + assert_eq!(decoded.chunk_cid(0), Some(cid_a)); + assert_eq!( + decoded.chunk_cid(1), + None, + "individual None hints survive round-trip" + ); + assert_eq!(decoded.chunk_cid(2), Some(cid_c)); + } + + #[test] + fn chunk_cids_empty_round_trips_via_json() { + // Empty chunk_cids is the default + means "legacy / no hints". + // The `skip_serializing_if = "Vec::is_empty"` keeps the field + // OFF the wire so legacy readers (without the field) and + // post-W.9.4-A2 readers (with the field) decode identical + // bytes — backward-compat both ways. + let meta = ChunkedFileMetadata::new( + 1024, + 2, + 2000, + Blake3Hash::new([0u8; 32]), + vec![Nonce::generate(), Nonce::generate()], + None, + ); + assert!(meta.chunk_cids.is_empty()); + let json = serde_json::to_vec(&meta).expect("encode"); + let json_str = String::from_utf8_lossy(&json); + assert!( + !json_str.contains("chunk_cids"), + "empty chunk_cids must NOT appear on the wire — \ + skip_serializing_if guards backward-compat with v0.5 SDKs. \ + Got: {}", + json_str + ); + let decoded: ChunkedFileMetadata = serde_json::from_slice(&json).expect("decode"); + assert!(decoded.chunk_cids.is_empty()); + assert_eq!(decoded.chunk_cid(0), None); + } + + #[test] + fn legacy_chunked_metadata_without_chunk_cids_field_deserializes_to_none() { + // Backward-compat gold standard (W.4.3 hard constraint #1): + // existing pinned/cached `ChunkedFileMetadata` blobs from + // pre-W.9.4-A2 SDKs must deserialize cleanly into the new + // struct, with `chunk_cid()` returning `None` for every + // index. Production data must not break under SDK upgrade. + #[derive(serde::Serialize, serde::Deserialize)] + struct LegacyChunkedFileMetadata { + format: String, + chunk_size: u32, + num_chunks: u32, + total_size: u64, + root_hash: String, + chunk_nonces: Vec, + #[serde(skip_serializing_if = "Option::is_none")] + content_type: Option, + // NOTE: deliberately no `chunk_cids` field — pre-W.9.4-A2 shape. + } + let legacy = LegacyChunkedFileMetadata { + format: "streaming-v1".to_string(), + chunk_size: 256 * 1024, + num_chunks: 3, + total_size: 700_000, + root_hash: "a".repeat(64), + chunk_nonces: vec!["n0".to_string(), "n1".to_string(), "n2".to_string()], + content_type: Some("image/jpeg".to_string()), + }; + let bytes = serde_json::to_vec(&legacy).expect("encode legacy"); + let modern: ChunkedFileMetadata = + serde_json::from_slice(&bytes).expect("legacy → modern"); + assert_eq!(modern.format, "streaming-v1"); + assert_eq!(modern.num_chunks, 3); + assert_eq!(modern.content_type.as_deref(), Some("image/jpeg")); + assert!(modern.chunk_cids.is_empty()); + assert_eq!(modern.chunk_cid(0), None); + assert_eq!(modern.chunk_cid(1), None); + assert_eq!(modern.chunk_cid(2), None); + } + + #[test] + fn populate_chunk_cids_wrong_length_is_ignored() { + // Defensive: caller bug should not corrupt persisted metadata. + let mut meta = ChunkedFileMetadata::new( + 1024, + 3, + 3000, + Blake3Hash::new([0u8; 32]), + vec![Nonce::generate(), Nonce::generate(), Nonce::generate()], + None, + ); + // Length 2, expected 3 — no-op. + meta.populate_chunk_cids(vec![Some(walkable_v8_test_cid(0x11)), None]); + assert!(meta.chunk_cids.is_empty(), "wrong-length caller bug must not stamp partial state"); + // Correct length — stamps. + meta.populate_chunk_cids(vec![ + Some(walkable_v8_test_cid(0x11)), + None, + Some(walkable_v8_test_cid(0x33)), + ]); + assert_eq!(meta.chunk_cids.len(), 3); + // Empty Vec — clears. + meta.populate_chunk_cids(vec![]); + assert!(meta.chunk_cids.is_empty()); + } } diff --git a/crates/fula-crypto/src/error.rs b/crates/fula-crypto/src/error.rs index 2d3babc..49e1a03 100644 --- a/crates/fula-crypto/src/error.rs +++ b/crates/fula-crypto/src/error.rs @@ -102,4 +102,147 @@ pub enum CryptoError { /// within `fula-crypto::Result`. #[error("storage backend error: {0}")] Storage(String), + + /// **#81 (2026-05-09)** — postcard decoded an enum variant tag the + /// reader doesn't know. Hit on the read path when an old SDK + /// (e.g. v0.5) encounters a blob written under a forward-incompatible + /// wire format (e.g. walkable-v8's `PointerWire::LinkV2` variant + /// tag 2). Distinguishes "you need to upgrade your SDK to read + /// this bucket" from generic serialization corruption — operators + /// can filter telemetry on the typed variant rather than + /// substring-matching postcard's error class. + /// + /// `context` describes WHERE the unknown variant was hit (e.g. + /// "decode hamt node"); `postcard_error` carries postcard's own + /// error stringification for diagnostic depth. + #[error("wire format version unsupported (need newer SDK): {context}: {postcard_error}")] + WireVersionUnsupported { + context: String, + postcard_error: String, + }, +} + +impl CryptoError { + /// **#81 (2026-05-09)** — classify a postcard decode error. Maps + /// postcard's `DeserializeBadEnum` (= "unknown enum variant tag, + /// likely from a newer wire format") to the typed + /// [`CryptoError::WireVersionUnsupported`] variant for stable + /// telemetry handling. All other postcard errors fall through to + /// the generic [`CryptoError::Serialization`] variant — they + /// represent genuine codec failures, not version skew. + /// + /// Centralised here (rather than inline at call sites) so adding + /// future detection sites is a one-liner. Detection currently + /// applied at: + /// - `wnfs_hamt::node::Node::load` + /// - `wnfs_hamt::node::Node::load_with_cid_hint` + pub fn classify_postcard_decode(err: postcard::Error, context: impl Into) -> Self { + let context = context.into(); + let postcard_error = err.to_string(); + // Postcard 1.x quirk: unknown enum variant tags during + // serde-driven deserialization can surface via EITHER + // `DeserializeBadEnum` (postcard's direct enum-tag-out-of- + // range path) OR `SerdeDeCustom` (when serde's inner + // `Error::custom("unknown variant ...")` is reached during + // postcard's variant-discriminant decode). Empirically — see + // the `unknown_variant_tag_maps_to_wire_version_unsupported` + // unit test below — postcard 1.1.3 routes `LinkV2`-style + // unknown-variant blobs through `SerdeDeCustom`, NOT + // `DeserializeBadEnum`. Without matching `SerdeDeCustom` here + // the typed variant would never fire in production. + // + // Trade-off: `SerdeDeCustom` is generic. Any other serde + // error (e.g. malformed payload that triggers a custom + // serde error during decode) would also map here. For our + // controlled wire types (HAMT nodes, manifest pages, + // ChunkedFileMetadata) the only realistic path to + // `SerdeDeCustom` IS wire-version skew; non-skew corruption + // tends to surface as `DeserializeUnexpectedEnd` or + // `DeserializeBadEncoding` instead. Acceptable conflation + // for telemetry — the variant message includes the postcard + // error stringification so operators get diagnostic depth. + match err { + postcard::Error::DeserializeBadEnum | postcard::Error::SerdeDeCustom => { + CryptoError::WireVersionUnsupported { + context, + postcard_error, + } + } + _ => CryptoError::Serialization(format!("{context}: {postcard_error}")), + } + } +} + +#[cfg(test)] +mod classify_postcard_decode_tests { + use super::*; + use serde::{Deserialize, Serialize}; + + /// **#81** — feed postcard bytes for a v2-only enum to a v1 reader + /// that doesn't know variant tag 1 (Value). Postcard returns + /// `DeserializeBadEnum`, which `classify_postcard_decode` maps to + /// `WireVersionUnsupported`. This is the load-bearing assertion: + /// the typed variant fires for unknown-variant errors specifically, + /// not for any old postcard error. + #[test] + fn unknown_variant_tag_maps_to_wire_version_unsupported() { + #[derive(Serialize)] + enum V2Writer { + #[allow(dead_code)] + A, + B(u32), + } + #[derive(Deserialize, Debug)] + enum V1Reader { + #[allow(dead_code)] + A, + } + + // Encode V2's Variant 1 (B) — V1 reader doesn't know tag 1. + let bytes = postcard::to_allocvec(&V2Writer::B(42)).expect("encode"); + let err = postcard::from_bytes::(&bytes).expect_err("must fail"); + let mapped = CryptoError::classify_postcard_decode(err, "test ctx"); + match mapped { + CryptoError::WireVersionUnsupported { + context, + postcard_error, + } => { + assert_eq!(context, "test ctx"); + assert!( + !postcard_error.is_empty(), + "postcard error stringified for telemetry depth" + ); + } + other => panic!("expected WireVersionUnsupported, got: {other:?}"), + } + } + + /// Other postcard decode failures (e.g. truncated input) remain + /// generic `Serialization` errors — the typed variant is reserved + /// for genuine wire-version skew. + #[test] + fn truncated_input_stays_as_serialization_error() { + #[derive(Deserialize, Debug)] + struct NeedsTwoFields { + #[allow(dead_code)] + a: u32, + #[allow(dead_code)] + b: u32, + } + // Encode only one u32 — postcard hits DeserializeUnexpectedEnd. + let bytes = postcard::to_allocvec(&7u32).expect("encode"); + let err = postcard::from_bytes::(&bytes).expect_err("must fail"); + let mapped = CryptoError::classify_postcard_decode(err, "trunc ctx"); + match mapped { + CryptoError::Serialization(msg) => { + assert!( + msg.contains("trunc ctx"), + "context propagated into serialization message: {msg}" + ); + } + other => panic!( + "expected Serialization for truncated input (NOT WireVersionUnsupported), got: {other:?}" + ), + } + } } diff --git a/crates/fula-crypto/src/private_forest.rs b/crates/fula-crypto/src/private_forest.rs index ed07919..9d170a5 100644 --- a/crates/fula-crypto/src/private_forest.rs +++ b/crates/fula-crypto/src/private_forest.rs @@ -50,6 +50,7 @@ use crate::{ private_metadata::PrivateMetadata, hamt_index::HamtIndex, }; +use cid::Cid; use serde::{Deserialize, Serialize}; use std::collections::{BTreeMap, BTreeSet, HashMap}; @@ -143,6 +144,17 @@ pub struct ForestFileEntry { /// against downgrade-to-no-AAD when a bucket mixes v1/v2 legacy data). #[serde(default)] pub min_version: u8, + /// Walkable-v8 (W.9.1b): CID hint for the encrypted chunk/object blob, + /// populated from master's PUT-response ETag. `None` for legacy v7 file + /// entries — readers fall back to fetching the chunk via the master S3 + /// path keyed on `storage_key`. W.9.3 wires the writer to populate this + /// from the ETag returned by S3BlobBackend; W.9.4 wires the offline + /// reader to fetch by CID via gateway race when master is unreachable. + /// `#[serde(default)]` keeps existing CBOR/JSON-pinned forest blobs + /// deserializing cleanly into the new struct (Phase 1.2-style lazy + /// migration). + #[serde(default, skip_serializing_if = "Option::is_none")] + pub storage_cid: Option, } impl ForestFileEntry { @@ -163,6 +175,7 @@ impl ForestFileEntry { user_metadata: metadata.user_metadata.clone(), encrypted: false, min_version: 0, + storage_cid: None, } } @@ -1028,6 +1041,17 @@ pub struct ShardV7 { /// each flush so top-level `file_count()` and shard-growth heuristics /// stay O(num_shards) without walking any HAMT. pub entry_count: u32, + + /// Walkable-v8 (W.9.1b): CID hint for this shard's HAMT root node blob, + /// populated from master's PUT-response ETag (= `BLAKE3(ciphertext)` + /// raw-codec). `None` for legacy v7 manifests — readers fall back to + /// fetching the root node via master S3 at the path keyed on `root`. + /// W.9.3 wires the writer to stamp this from the BlobBackend's PUT + /// response; W.9.4 wires the offline reader to use it for the gateway + /// race when master is unreachable. `#[serde(default)]` keeps existing + /// JSON-pinned ManifestPage blobs deserializing cleanly. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub root_cid: Option, } impl ShardV7 { @@ -1038,6 +1062,7 @@ impl ShardV7 { seq: 0, etag: None, entry_count: 0, + root_cid: None, } } @@ -1067,6 +1092,16 @@ pub struct PageRef { pub etag: Option, /// Expected monotonic page sequence (≥ whichever seq the reader sees). pub seq: u64, + /// Walkable-v8 (W.9.1b): CID hint for the encrypted manifest page blob, + /// populated from master's PUT-response ETag (= `BLAKE3(ciphertext)` + /// raw-codec). `None` on legacy v7 roots — readers fall back to fetching + /// the page via master S3 at the path keyed on `derive_page_index_key`. + /// W.9.3 wires the writer to stamp this from the PUT response; W.9.4 + /// wires the offline reader to use it for the gateway race when master + /// is unreachable. `#[serde(default)]` keeps existing JSON-pinned + /// ManifestRoot blobs deserializing cleanly. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub cid: Option, } /// Root of the two-level manifest. @@ -1113,6 +1148,23 @@ pub struct ManifestRoot { /// discards S3's HEAD ETag. `None` before the first successful flush. #[serde(default, skip_serializing_if = "Option::is_none")] pub dir_index_seq: Option, + /// Walkable-v8 (W.9.3 — completes W.9.1b's wire-format extension): + /// CID hint for the encrypted [`DirectoryIndex`] blob, populated from + /// master's PUT-response ETag (= `BLAKE3(ciphertext)` raw-codec). + /// + /// `None` on legacy v7 roots and on every write where + /// `walkable_v8_writer_enabled = false` — readers fall back to fetching + /// the dir-index via master S3 at the path keyed on + /// `derive_dir_index_key(forest_dek, bucket)`. With the writer enabled, + /// W.9.4's offline reader uses this CID for the gateway race when master + /// is unreachable, completing the dir-index portion of cold-start + /// walkability. + /// + /// `#[serde(default)]` keeps every existing JSON-pinned + /// `EncryptedShardManifestV7` blob deserializing cleanly into the new + /// struct — the no-migration property for production data. + #[serde(default, skip_serializing_if = "Option::is_none")] + pub dir_index_cid: Option, } impl ManifestRoot { @@ -1135,6 +1187,7 @@ impl ManifestRoot { page_index: BTreeMap::new(), dir_index_etag: None, dir_index_seq: None, + dir_index_cid: None, } } @@ -2271,6 +2324,7 @@ mod tests { PageRef { etag: Some(format!("\"etag-page-{:03}\"", page_id)), seq: 1, + cid: None, }, ); } @@ -2322,6 +2376,7 @@ mod tests { PageRef { etag: Some("\"etag\"".to_string()), seq: 5, + cid: None, }, ); let mut stale_page = ManifestPage::empty(0, 16); @@ -2369,6 +2424,7 @@ mod tests { content_hash: None, encrypted: false, min_version: 0, + storage_cid: None, }); let enc = EncryptedForest::encrypt_v4(&forest, &dek, "bucket-1", 7).unwrap(); @@ -2562,4 +2618,395 @@ mod tests { assert_ne!(hamt_node_v7_aad("b", 0), hamt_node_v7_aad("b", 1)); } + // ============================================================================ + // Walkable-v8 wire format tests (W.9.1b) + // + // Pin the on-disk contract for the new `Option` fields on `PageRef`, + // `ShardV7`, and `ForestFileEntry`. The load-bearing properties: + // + // 1. `Some(cid)` round-trips through the production serializer + // (serde_json — what `EncryptedShardManifestV7`/`EncryptedManifestPage`/ + // `EncryptedForest` use). + // 2. `None` round-trips losslessly (Phase 1.5/1.6/2 writers stamping + // `None` until W.9.3 wires the CID-stamping seam should not produce + // surprising decode failures). + // 3. **Backward-compat gold standard.** A "legacy" struct without the + // new field, serialized as JSON, deserializes cleanly into the new + // struct with the new field as `None`. This is the same pattern + // `metadata.rs::LegacyBucketMetadata` uses for `bucket_lookup_h` + // forward-compat (Phase 1.2's hard constraint #1: existing pinned + // blobs must deserialize without migration). + // + // If anyone changes a field name or removes `#[serde(default)]`, these + // tests must fail loudly — that's by design. + // ============================================================================ + + /// Helper: produce a stable BLAKE3-multihash CIDv1 with raw codec — the + /// exact format master returns in its PUT-response ETag header. Mirrors + /// the helper in `wnfs_hamt::pointer::walkable_v8_wire_tests::test_cid`. + fn walkable_v8_test_cid(seed: u8) -> cid::Cid { + let digest = [seed; 32]; + let mh = cid::multihash::Multihash::<64>::wrap(0x1e, &digest) + .expect("BLAKE3 multihash wrap"); + cid::Cid::new_v1(0x55, mh) + } + + #[test] + fn page_ref_v8_some_cid_round_trips_via_json() { + let cid = walkable_v8_test_cid(0xAB); + let original = PageRef { + etag: Some("\"some-etag\"".to_string()), + seq: 7, + cid: Some(cid), + }; + let json = serde_json::to_vec(&original).expect("encode PageRef"); + let decoded: PageRef = serde_json::from_slice(&json).expect("decode PageRef"); + assert_eq!(decoded, original); + assert_eq!(decoded.cid, Some(cid)); + } + + #[test] + fn page_ref_v8_none_cid_round_trips_via_json() { + let original = PageRef { + etag: Some("\"e\"".to_string()), + seq: 1, + cid: None, + }; + let json = serde_json::to_vec(&original).expect("encode"); + let decoded: PageRef = serde_json::from_slice(&json).expect("decode"); + assert_eq!(decoded, original); + assert_eq!(decoded.cid, None); + } + + #[test] + fn page_ref_legacy_json_without_cid_field_deserializes_to_none() { + // BACKWARD-COMPAT GOLD STANDARD (W.4.3 hard-constraint #1): + // existing v7 ManifestRoot blobs pinned to IPFS BEFORE this field + // was added must deserialize cleanly into the new PageRef struct, + // with cid = None. Production data must not break. + #[derive(Serialize, Deserialize)] + struct LegacyPageRef { + #[serde(default, skip_serializing_if = "Option::is_none")] + etag: Option, + seq: u64, + // NOTE: deliberately no `cid` field — pre-W.9.1b shape. + } + + let legacy = LegacyPageRef { + etag: Some("\"etag-page-007\"".to_string()), + seq: 42, + }; + let bytes = serde_json::to_vec(&legacy).expect("encode legacy"); + let modern: PageRef = serde_json::from_slice(&bytes) + .expect("legacy PageRef → modern PageRef"); + assert_eq!(modern.etag.as_deref(), Some("\"etag-page-007\"")); + assert_eq!(modern.seq, 42); + // The critical assertion — serde(default) preserves the + // no-migration property for existing JSON-pinned ManifestRoot blobs. + assert_eq!(modern.cid, None); + } + + #[test] + fn shard_v7_v8_some_root_cid_round_trips_via_json() { + let cid = walkable_v8_test_cid(0xCD); + let original = ShardV7 { + root: Some([0x11; V7_STORAGE_KEY_LEN]), + seq: 9, + etag: Some("\"shard-etag\"".to_string()), + entry_count: 3, + root_cid: Some(cid), + }; + let json = serde_json::to_vec(&original).expect("encode"); + let decoded: ShardV7 = serde_json::from_slice(&json).expect("decode"); + assert_eq!(decoded, original); + assert_eq!(decoded.root_cid, Some(cid)); + } + + #[test] + fn shard_v7_v8_none_root_cid_round_trips_via_json() { + let original = ShardV7::new(); + let json = serde_json::to_vec(&original).expect("encode"); + let decoded: ShardV7 = serde_json::from_slice(&json).expect("decode"); + assert_eq!(decoded, original); + assert_eq!(decoded.root_cid, None); + } + + #[test] + fn shard_v7_legacy_json_without_root_cid_deserializes_to_none() { + // Mirrors the LegacyBucketMetadata pattern (metadata.rs:454-523): + // a struct with the same shape as ShardV7 but WITHOUT the new + // `root_cid` field. Existing ManifestPage blobs pinned to IPFS + // before W.9.1b must keep deserializing into the new struct. + #[derive(Serialize, Deserialize)] + struct LegacyShardV7 { + #[serde(with = "v7_storage_key_serde", default)] + root: Option, + seq: u64, + #[serde(skip_serializing_if = "Option::is_none", default)] + etag: Option, + entry_count: u32, + // NOTE: deliberately no `root_cid` field — pre-W.9.1b shape. + } + + let legacy = LegacyShardV7 { + root: Some([0xEF; V7_STORAGE_KEY_LEN]), + seq: 11, + etag: Some("\"e\"".to_string()), + entry_count: 5, + }; + let bytes = serde_json::to_vec(&legacy).expect("encode legacy ShardV7"); + let modern: ShardV7 = serde_json::from_slice(&bytes) + .expect("legacy ShardV7 → modern ShardV7"); + assert_eq!(modern.root, Some([0xEF; V7_STORAGE_KEY_LEN])); + assert_eq!(modern.seq, 11); + assert_eq!(modern.entry_count, 5); + assert_eq!(modern.root_cid, None); + } + + #[test] + fn forest_file_entry_v8_some_storage_cid_round_trips_via_json() { + let cid = walkable_v8_test_cid(0x12); + let original = ForestFileEntry { + path: "/a.txt".to_string(), + storage_key: "QmABC".to_string(), + size: 100, + content_type: Some("text/plain".to_string()), + created_at: 1, + modified_at: 2, + content_hash: Some("abc".to_string()), + user_metadata: HashMap::new(), + encrypted: true, + min_version: 4, + storage_cid: Some(cid), + }; + let json = serde_json::to_vec(&original).expect("encode"); + let decoded: ForestFileEntry = serde_json::from_slice(&json).expect("decode"); + assert_eq!(decoded.storage_cid, Some(cid)); + assert_eq!(decoded.storage_key, "QmABC"); + assert_eq!(decoded.path, "/a.txt"); + } + + #[test] + fn forest_file_entry_v8_none_storage_cid_round_trips_via_json() { + let original = ForestFileEntry { + path: "/b.txt".to_string(), + storage_key: "QmDEF".to_string(), + size: 0, + content_type: None, + created_at: 0, + modified_at: 0, + content_hash: None, + user_metadata: HashMap::new(), + encrypted: false, + min_version: 0, + storage_cid: None, + }; + let json = serde_json::to_vec(&original).expect("encode"); + let decoded: ForestFileEntry = serde_json::from_slice(&json).expect("decode"); + assert_eq!(decoded.storage_cid, None); + } + + #[test] + fn forest_file_entry_legacy_json_without_storage_cid_deserializes_to_none() { + // BACKWARD-COMPAT GOLD STANDARD: an `EncryptedForest` (v1 monolithic + // mode) pinned to IPFS before W.9.1b carries `ForestFileEntry`s in + // their pre-walkable-v8 shape. A v8 SDK opening such a forest must + // get `storage_cid = None` and otherwise see all the original fields + // unchanged. + #[derive(Serialize, Deserialize)] + struct LegacyForestFileEntry { + path: String, + storage_key: String, + size: u64, + content_type: Option, + created_at: i64, + modified_at: i64, + content_hash: Option, + #[serde(default)] + user_metadata: HashMap, + #[serde(default)] + encrypted: bool, + #[serde(default)] + min_version: u8, + // NOTE: deliberately no `storage_cid` field — pre-W.9.1b shape. + } + + let legacy = LegacyForestFileEntry { + path: "/photos/cat.jpg".to_string(), + storage_key: "QmCat123".to_string(), + size: 4096, + content_type: Some("image/jpeg".to_string()), + created_at: 1_700_000_000, + modified_at: 1_700_000_500, + content_hash: Some("blake3:...".to_string()), + user_metadata: HashMap::new(), + encrypted: true, + min_version: 4, + }; + let bytes = serde_json::to_vec(&legacy).expect("encode legacy entry"); + let modern: ForestFileEntry = serde_json::from_slice(&bytes) + .expect("legacy ForestFileEntry → modern"); + assert_eq!(modern.path, "/photos/cat.jpg"); + assert_eq!(modern.storage_key, "QmCat123"); + assert_eq!(modern.size, 4096); + assert_eq!(modern.content_type.as_deref(), Some("image/jpeg")); + assert_eq!(modern.encrypted, true); + assert_eq!(modern.min_version, 4); + // The critical assertion — serde(default) preserves the + // no-migration property for existing pinned `EncryptedForest` blobs. + assert_eq!(modern.storage_cid, None); + } + + #[test] + fn manifest_root_and_page_carry_walkable_v8_cid_hints_through_full_round_trip() { + // Integration round-trip: build a ShardManifestV7, populate every + // walkable-v8 surface (page_index[*].cid, shards[*].root_cid, + // dir_index_cid), encrypt + decrypt, assert every CID hint + // survives. This is the load-bearing end-to-end check that the + // new fields don't get lost anywhere in the encrypt/decrypt + // envelope path. + let dek = DekKey::generate(); + let mut manifest = ShardManifestV7::new(16); + + let shard0_cid = walkable_v8_test_cid(0x01); + let shard5_cid = walkable_v8_test_cid(0x02); + let page0_cid = walkable_v8_test_cid(0x03); + let dir_index_cid = walkable_v8_test_cid(0x04); + + // Stamp the v8 hints on a few shards in page 0. + let p0 = manifest.pages.get_mut(&0).unwrap(); + p0.shards[0].root = Some([0xA0; V7_STORAGE_KEY_LEN]); + p0.shards[0].root_cid = Some(shard0_cid); + p0.shards[5].root = Some([0xA5; V7_STORAGE_KEY_LEN]); + p0.shards[5].root_cid = Some(shard5_cid); + + // Stamp a v8 hint on the page-index entry pointing at page 0. + manifest.root.page_index.insert( + 0, + PageRef { + etag: Some("\"etag-page-0\"".to_string()), + seq: 1, + cid: Some(page0_cid), + }, + ); + // Stamp the dir-index v8 hint (W.9.3 — completes W.9.1b + // wire-format extension; previously only `dir_index_etag` + + // `dir_index_seq` existed). + manifest.root.dir_index_etag = Some("\"etag-dir\"".to_string()); + manifest.root.dir_index_seq = Some(99); + manifest.root.dir_index_cid = Some(dir_index_cid); + + // Round-trip the page through encrypt/decrypt. + let ep = EncryptedManifestPage::encrypt(p0, &dek, "bkt-w8") + .expect("page encrypts"); + let decoded_page = ep.decrypt(&dek, "bkt-w8").expect("page decrypts"); + assert_eq!(decoded_page.shards[0].root_cid, Some(shard0_cid)); + assert_eq!(decoded_page.shards[5].root_cid, Some(shard5_cid)); + // Untouched shards stay None. + assert_eq!(decoded_page.shards[1].root_cid, None); + assert_eq!(decoded_page.shards[15].root_cid, None); + + // Round-trip the root. + let er = EncryptedShardManifestV7::encrypt_v7(&manifest.root, &dek, "bkt-w8", 1) + .expect("root encrypts"); + let (decoded_root, _seq) = er.decrypt_v7(&dek, "bkt-w8").expect("root decrypts"); + assert_eq!(decoded_root.page_index.get(&0).and_then(|r| r.cid), Some(page0_cid)); + assert_eq!(decoded_root.dir_index_cid, Some(dir_index_cid)); + // Verify dir_index_etag + dir_index_seq still round-trip alongside + // the new dir_index_cid field — defends against accidentally + // breaking a sibling field while adding the v8 hint. + assert_eq!(decoded_root.dir_index_etag.as_deref(), Some("\"etag-dir\"")); + assert_eq!(decoded_root.dir_index_seq, Some(99)); + } + + #[test] + fn manifest_root_dir_index_cid_some_round_trips_via_json() { + let mut root = ManifestRoot::fresh(16); + let cid = walkable_v8_test_cid(0xD1); + root.dir_index_etag = Some("\"e\"".to_string()); + root.dir_index_seq = Some(7); + root.dir_index_cid = Some(cid); + let json = serde_json::to_vec(&root).expect("encode"); + let decoded: ManifestRoot = serde_json::from_slice(&json).expect("decode"); + assert_eq!(decoded.dir_index_cid, Some(cid)); + assert_eq!(decoded.dir_index_seq, Some(7)); + assert_eq!(decoded.dir_index_etag.as_deref(), Some("\"e\"")); + } + + #[test] + fn manifest_root_dir_index_cid_none_round_trips_via_json() { + let root = ManifestRoot::fresh(16); + assert!(root.dir_index_cid.is_none(), "fresh root has no v8 hint"); + let json = serde_json::to_vec(&root).expect("encode"); + let decoded: ManifestRoot = serde_json::from_slice(&json).expect("decode"); + assert_eq!(decoded.dir_index_cid, None); + // skip_serializing_if = "Option::is_none" should keep the field + // absent in the wire form so cross-version JSON stays minimal. + let json_str = String::from_utf8_lossy(&json); + assert!( + !json_str.contains("dir_index_cid"), + "None must not appear on the wire — skip_serializing_if guard \ + prevents needless bloat (and keeps cross-version JSON byte-stable \ + when the writer is gated off). got: {}", + json_str + ); + } + + #[test] + fn manifest_root_legacy_json_without_dir_index_cid_deserializes_to_none() { + // BACKWARD-COMPAT GOLD STANDARD (W.4.3 hard-constraint #1): + // existing v7 ManifestRoot blobs pinned to IPFS BEFORE this field + // was added must deserialize cleanly into the new ManifestRoot + // struct, with dir_index_cid = None. Production data must not + // break — same property as the PageRef + ShardV7 + ForestFileEntry + // legacy tests above. + // + // The legacy struct mirrors ManifestRoot's pre-W.9.3 shape, with + // every existing field present except `dir_index_cid`. A v8 SDK + // opening such a manifest must populate the new field as None. + #[derive(Serialize, Deserialize)] + struct LegacyManifestRoot { + version: u8, + format: String, + num_shards: usize, + #[serde(with = "hex_serde")] + shard_salt: Vec, + root: String, + created_at: i64, + modified_at: i64, + #[serde(default)] + page_index: BTreeMap, + #[serde(default, skip_serializing_if = "Option::is_none")] + dir_index_etag: Option, + #[serde(default, skip_serializing_if = "Option::is_none")] + dir_index_seq: Option, + // NOTE: deliberately no `dir_index_cid` field — pre-W.9.3 shape. + } + + let legacy = LegacyManifestRoot { + version: 7, + format: "sharded-hamt-v7".to_string(), + num_shards: 64, + shard_salt: vec![0xAB; 32], + root: "/".to_string(), + created_at: 1_700_000_000, + modified_at: 1_700_000_500, + page_index: BTreeMap::new(), + dir_index_etag: Some("\"e-pre-v8\"".to_string()), + dir_index_seq: Some(13), + }; + let bytes = serde_json::to_vec(&legacy).expect("encode legacy"); + let modern: ManifestRoot = serde_json::from_slice(&bytes) + .expect("legacy ManifestRoot → modern ManifestRoot"); + assert_eq!(modern.version, 7); + assert_eq!(modern.num_shards, 64); + assert_eq!(modern.shard_salt, vec![0xAB; 32]); + assert_eq!(modern.dir_index_etag.as_deref(), Some("\"e-pre-v8\"")); + assert_eq!(modern.dir_index_seq, Some(13)); + // The critical assertion — serde(default) preserves the + // no-migration property for existing JSON-pinned ManifestRoot + // blobs that pre-date W.9.3. + assert_eq!(modern.dir_index_cid, None); + } + } diff --git a/crates/fula-crypto/src/sharded_hamt_forest.rs b/crates/fula-crypto/src/sharded_hamt_forest.rs index 6351850..1d26eed 100644 --- a/crates/fula-crypto/src/sharded_hamt_forest.rs +++ b/crates/fula-crypto/src/sharded_hamt_forest.rs @@ -38,6 +38,7 @@ use crate::private_forest::{ use crate::subtree_keys::EncryptedSubtreeDek; use crate::wnfs_hamt::{BlobBackend, V7NodeStore}; use crate::{CryptoError, Result}; +use cid::Cid; use serde::{Deserialize, Serialize}; use std::collections::{BTreeMap, HashMap, VecDeque}; use std::sync::Arc; @@ -77,10 +78,31 @@ pub enum HamtEntry { // to postcard-serialize as the HAMT value type. Conversion happens only at // the `upsert_file` / `get_file` boundaries. +/// Wire format for a HAMT leaf entry. +/// +/// **Wire-version compatibility (walkable-v8 plan, section W.3.2 / W.9.1b).** +/// Variant tags are part of the on-disk contract: +/// +/// | Variant | Tag | Introduced | Read by | Written by | +/// |-----------|-----|------------|-----------|---------------| +/// | `File` | 0 | v7 | v7+, v8+ | v7+ | +/// | `Dir` | 1 | v7 | v7+, v8+ | v7+ | +/// | `FileV2` | 2 | v8 | v8+ | v8+ (W.9.3) | +/// +/// A v7-only deserializer fails on tag `2` with postcard's "unknown variant" +/// error — the intended forward-incompatibility boundary. Mirrors +/// `PointerWire::LinkV2` (W.9.1a). For W.9.1b the writer never emits +/// variant 2 (W.9.3 wires the actual CID-stamping); production HAMT leaves +/// stay byte-identical to v7 on encode, preserving the load-bearing +/// backward-compat property: `From for HamtEntryWire` produces +/// byte-identical output for `ForestFileEntry { storage_cid: None, .. }` +/// as it did before W.9.1b. See test +/// `hamt_entry_wire_from_forest_file_entry_with_none_cid_emits_legacy_variant`. #[derive(Clone, Debug, Serialize, Deserialize)] enum HamtEntryWire { File(FileEntryWire), Dir(DirEntryWire), + FileV2(FileEntryWireV2), } #[derive(Clone, Debug, Serialize, Deserialize)] @@ -94,15 +116,75 @@ struct FileEntryWire { content_hash: Option, user_metadata: BTreeMap, encrypted: bool, - /// Minimum blob-format version for this entry (H-2). `0` = legacy, - /// `4` = written under AAD-bound v4 encryption and requires the - /// download path to reject lower advertised versions. `#[serde(default)]` - /// keeps wire compatibility with pre-H-2 shard blobs that lack the - /// field — postcard's strict decoder will fail without this attribute. + /// Minimum blob-format version for this entry (audit finding H-2). + /// `0` = legacy (allowed pre-H-2), `4` = written under AAD-bound v4 + /// encryption (download path rejects lower advertised versions). + /// + /// AUDIT NOTE (task #42, 2026-05-08): the `#[serde(default)]` here is + /// operationally dead. Postcard 1.x does NOT honor `serde(default)` for + /// missing trailing struct fields — it errors with + /// `DeserializeUnexpectedEnd` (verified empirically during W.9.1b, which + /// is why `FileEntryWireV2` was added as an enum-variant rather than + /// appending `storage_cid` to this struct). The reason this attribute + /// has never broken production is timing: `min_version` landed in + /// commit `13139c7` on 2026-04-19 17:41Z, and the earliest tag containing + /// `sharded_hamt_forest.rs` is v0.3.0 dated 2026-04-21 — i.e. no tagged + /// release ever shipped this struct without `min_version`. The 40h + /// window between `dd126cf` (file introduced) and `13139c7` saw no + /// release; any shards persisted from `main` HEAD inside that window + /// (internal/staging only) are not decodable today, accepted. + /// + /// CONTRAST: `ForestFileEntry::min_version` at `private_forest.rs:140-146` + /// is JSON-encoded, and `serde_json` DOES honor `serde(default)` for + /// trailing fields — that comment is correct. Only the postcard surface + /// (this struct) has the misleading-`serde(default)` issue. + /// + /// To extend `FileEntryWire` with a future optional field, follow the + /// W.9.1b pattern: add a new variant to `HamtEntryWire` (cf. `FileV2`). + /// Do NOT append a field with `serde(default)` and assume backward-compat. #[serde(default)] min_version: u8, } +/// Walkable-v8 (W.9.1b) variant of [`FileEntryWire`]. +/// +/// Mirrors `FileEntryWire` field-for-field PLUS a `storage_cid: Option` +/// hint for the encrypted chunk/object blob. Selected by [`HamtEntryWire`]'s +/// variant tag dispatch (variant 2 = `FileV2`), NOT by appending a field to +/// `FileEntryWire` — postcard 1.x does not honor `#[serde(default)]` for +/// missing trailing struct fields (it errors with `DeserializeUnexpectedEnd` +/// rather than substituting the default), so struct field-append is unsafe +/// for backward compatibility. Enum-variant dispatch is the only postcard-safe +/// pattern; this mirrors `PointerWire::LinkV2` in `wnfs_hamt::pointer` (W.9.1a). +/// +/// Until W.9.3 wires the writer to capture chunk CIDs from S3BlobBackend's +/// PUT response, the writer continues to emit [`HamtEntryWire::File`] +/// (variant 0). `FileEntryWireV2` is type plumbing only at this stage. +#[derive(Clone, Debug, Serialize, Deserialize)] +struct FileEntryWireV2 { + path: String, + storage_key: String, + size: u64, + content_type: Option, + created_at: i64, + modified_at: i64, + content_hash: Option, + user_metadata: BTreeMap, + encrypted: bool, + /// No `#[serde(default)]` here: `FileEntryWireV2` is the W.9.1b-introduced + /// variant and was never emitted without `min_version`. Postcard does not + /// honor `serde(default)` on missing trailing fields anyway (see the + /// audit note on `FileEntryWire::min_version`); leaving it off makes + /// the postcard contract explicit — every field of every variant is + /// required at the wire level, no exceptions. + min_version: u8, + /// CID hint for the encrypted chunk/object blob, populated from master's + /// PUT-response ETag. `Some(_)` here is the trigger for emitting variant + /// 2 (`FileV2`) on the wire; `None` falls back to legacy variant 0 + /// (`File`) so that v7 SDKs can still read the leaf. + storage_cid: Option, +} + #[derive(Clone, Debug, Serialize, Deserialize)] struct DirEntryWire { path: String, @@ -142,6 +224,44 @@ impl From for ForestFileEntry { user_metadata: w.user_metadata.into_iter().collect::>(), encrypted: w.encrypted, min_version: w.min_version, + // Legacy wire never carried a CID hint. + storage_cid: None, + } + } +} + +impl From for FileEntryWireV2 { + fn from(e: ForestFileEntry) -> Self { + Self { + path: e.path, + storage_key: e.storage_key, + size: e.size, + content_type: e.content_type, + created_at: e.created_at, + modified_at: e.modified_at, + content_hash: e.content_hash, + user_metadata: e.user_metadata.into_iter().collect(), + encrypted: e.encrypted, + min_version: e.min_version, + storage_cid: e.storage_cid, + } + } +} + +impl From for ForestFileEntry { + fn from(w: FileEntryWireV2) -> Self { + Self { + path: w.path, + storage_key: w.storage_key, + size: w.size, + content_type: w.content_type, + created_at: w.created_at, + modified_at: w.modified_at, + content_hash: w.content_hash, + user_metadata: w.user_metadata.into_iter().collect::>(), + encrypted: w.encrypted, + min_version: w.min_version, + storage_cid: w.storage_cid, } } } @@ -175,6 +295,20 @@ impl From for ForestDirectoryEntry { impl From for HamtEntryWire { fn from(e: HamtEntry) -> Self { match e { + // Walkable-v8 (W.9.1b) writer dispatch: files with a stamped + // `storage_cid` emit variant 2 (`FileV2`); files without + // continue to emit variant 0 (`File`) byte-identically to v7. + // + // For W.9.1b foundational scope the upstream call sites do NOT + // populate `storage_cid` — that's W.9.3's writer integration — + // so this dispatch always falls through to the legacy variant + // in production today. The load-bearing property: existing v7 + // SDKs reading buckets written by post-W.9.1b SDKs see + // byte-identical wire bytes until W.9.3 ships, preserving + // backward compat throughout the SDK adoption window. + HamtEntry::File(f) if f.storage_cid.is_some() => { + HamtEntryWire::FileV2(f.into()) + } HamtEntry::File(f) => HamtEntryWire::File(f.into()), HamtEntry::Dir(d) => HamtEntryWire::Dir(d.into()), } @@ -186,6 +320,7 @@ impl From for HamtEntry { match w { HamtEntryWire::File(f) => HamtEntry::File(f.into()), HamtEntryWire::Dir(d) => HamtEntry::Dir(d.into()), + HamtEntryWire::FileV2(f) => HamtEntry::File(f.into()), } } } @@ -512,9 +647,19 @@ impl ShardedHamtPrivateForest { return; } } + // Walkable-v8 (#52): recover the CID from the etag string when + // possible. Master returns `cid.to_string()` as the etag for + // v8 page PUTs, so a successful parse is the same trustworthy + // CID the W.9.3 writer would have stamped. Failure (legacy + // etag, malformed string) falls through to None — the warm + // cache + storage_key path covers reads in that case. Inline + // here rather than depending on fula-client's + // `walkable_v8::cid_hint_from_manifest_field_or_etag` because + // fula-crypto sits below fula-client in the dep graph. + let cid: Option = etag.as_deref().and_then(|s| s.parse().ok()); self.manifest.root.page_index.insert( page_id, - crate::private_forest::PageRef { etag, seq }, + crate::private_forest::PageRef { etag, seq, cid }, ); } @@ -536,8 +681,18 @@ impl ShardedHamtPrivateForest { return; } } + // Walkable-v8 (#52): recover dir_index_cid from the etag + // string when possible. Same etag-as-`cid.to_string()` + // contract the W.9.3 writer establishes; the W.9.4 reader's + // `cid_hint_from_manifest_field_or_etag` precedence holds — + // explicit `dir_index_cid` would still take priority on the + // read path (this just keeps the etag-fallback usable across + // a master-divergence reconcile instead of silently going to + // None). + let cid: Option = etag.as_deref().and_then(|s| s.parse().ok()); self.manifest.root.dir_index_etag = etag; self.manifest.root.dir_index_seq = Some(seq); + self.manifest.root.dir_index_cid = cid; } /// O(1) list of immediate subdirectories beneath `dir_path`, answered @@ -656,7 +811,20 @@ impl ShardedHamtPrivateForest { } Some(root_key) => { let store = self.reader_store_for(shard_idx, backend); - let node: ForestHamt = Node::load(&root_key, &store).await?; + // Walkable-v8 (W.9.4): forward `manifest.shard.root_cid` + // as the cid hint when present so a master-down read of + // the shard root engages the gateway race. `None` (a + // legacy v7 manifest, or a manifest written when the + // writer flag was off) falls through to the + // storage-key path. The returned plaintext is still + // verified via `V7NodeStore::decrypt_and_verify`'s + // recompute-vs-key check, so a malicious manifest that + // pointed at the right cid but the wrong storage_key + // would be rejected here. + let root_cid = self.manifest.shard(shard_idx).root_cid; + let node: ForestHamt = + Node::load_with_cid_hint(&root_key, root_cid.as_ref(), &store) + .await?; *guard = LoadedShard::Loaded(Arc::new(node)); } } @@ -823,13 +991,17 @@ impl ShardedHamtPrivateForest { // `get_directory("/a")` resolves after a single // `upsert_file("/a/b/c.txt")`. let had_dir = prior_dir.is_some(); + // #72: do NOT append `file_path` to `d.files` — that field is the + // 1 MiB single-directory cliff (a flat photo library with 100k+ + // files grew the Dir blob to 1.66 MiB and broke offline reads). + // `dir.files` is no longer the source of truth for "which files + // live in this directory"; the listing methods (`list_directory`, + // `list_subtree`) walk the HAMT for `F:` entries and filter by + // parent prefix. Legacy buckets with populated `dir.files` + // continue to deserialize fine; the new walk-based listing + // returns the same set whether the field is populated or empty. let new_dir_entry: ForestDirectoryEntry = match prior_dir.map(HamtEntry::from) { - Some(HamtEntry::Dir(mut d)) => { - if !d.files.contains(&file_path) { - d.files.push(file_path.clone()); - } - d - } + Some(HamtEntry::Dir(d)) => d, Some(HamtEntry::File(_)) => { return Err(CryptoError::Hamt(format!( "directory key D:{} resolved to a File entry — type-tagged HAMT invariant violated", @@ -838,7 +1010,7 @@ impl ShardedHamtPrivateForest { } None => ForestDirectoryEntry { path: parent.clone(), - files: vec![file_path.clone()], + files: Vec::new(), subdirs: Vec::new(), metadata: None, subtree_dek: None, @@ -907,6 +1079,15 @@ impl ShardedHamtPrivateForest { entry: ForestDirectoryEntry, backend: &Arc, ) -> Result<()> { + // #72: strip `files` before writing. v1→v7 migration carries v1's + // populated `dir.files` into v7 verbatim today; that's the path + // that creates the 1 MiB cliff for migrated buckets where v1 had + // 100k+ files in one directory. v7's listing methods walk the + // HAMT for `F:` entries (which the migration's separate + // `upsert_file` loop populates), so `dir.files` is dead weight. + // Other fields (path, subdirs, metadata, subtree_dek) preserve. + let mut entry = entry; + entry.files = Vec::new(); let dir_path = entry.path.clone(); let shard_idx = self.shard_for_dir(&dir_path); self.ensure_shard_loaded(shard_idx, backend).await?; @@ -1093,8 +1274,10 @@ impl ShardedHamtPrivateForest { } } - /// Fetch a directory entry by path. Used by listing callers to walk the - /// `files: Vec` / `subdirs: Vec` children in parallel. + /// Fetch a directory entry by path. Returns the `ForestDirectoryEntry` + /// with its `subdirs` vector populated; `files` is empty on post-#72 + /// buckets — callers should use [`Self::list_directory`] for the file + /// children, which walks the HAMT directly. pub async fn get_directory( &self, dir_path: &str, @@ -1125,65 +1308,54 @@ impl ShardedHamtPrivateForest { } /// List direct children of a directory as `ForestFileEntry` values. Only - /// the owning shard is touched (dir-local routing); HAMT lookups for - /// each child are independent and can be issued in parallel by a - /// higher-level caller if desired. + /// the owning shard is touched (dir-local routing). + /// + /// **#72 (2026-05-09)**: walks the dir's outer-shard HAMT for `F:` + /// entries and filters by `parent_dir_of(file.path) == normalized`, + /// rather than reading `dir.files` (which is no longer populated + /// post-#72). Eliminates the 1 MiB single-directory cliff at + /// 60-100k files in one folder. Cost is O(entries in this outer + /// shard) — under dir-local routing the upper bound is the count + /// of files belonging to this directory plus any other dirs that + /// happen to outer-shard-collide with it (typically small). The + /// trade-off vs. the prior O(K direct children) approach is + /// acceptable: production fula-client listing already walks the + /// HAMT this way (`list_recursive_page`), and the prior approach + /// hit the cliff at K ≥ ~60k anyway. pub async fn list_directory( &self, dir_path: &str, backend: &Arc, ) -> Result> { - let dir_entry = self.get_directory(dir_path, backend).await?; - let children = match dir_entry { - Some(d) => d.files, - None => return Ok(Vec::new()), - }; + let normalized = normalize_dir_path(dir_path); + let shard_idx = self.shard_for_dir(&normalized); + self.ensure_shard_loaded(shard_idx, backend).await?; - // Every child of `dir` hashes into the same shard, so we can reuse - // the reader we already primed. - let shard_idx = self.shard_for_dir(&normalize_dir_path(dir_path)); let reader = self.reader_store_for(shard_idx, backend); - let guard = self.loaded_shards[shard_idx].read().await; match &*guard { - LoadedShard::NotLoaded => unreachable!("get_directory loaded this above"), - LoadedShard::LoadedEmpty => { - // Shard loaded empty but we found a dir entry — impossible, - // but handle gracefully. - Ok(Vec::new()) - } + LoadedShard::NotLoaded => unreachable!("ensure_shard_loaded above"), + LoadedShard::LoadedEmpty => Ok(Vec::new()), LoadedShard::Loaded(node) => { - // P-4a: parallelize the N independent child lookups. - // Each child hashes into the same shard (dir-local routing) - // but has an independent down-path; concurrent fetches - // overlap HTTP latency. `buffered` (not `buffer_unordered`) - // preserves the input order so callers observing the output - // sequence don't see reshuffled results. - use futures::stream::{self, StreamExt, TryStreamExt}; - let node = Arc::clone(node); - let reader_ref = &reader; - let entries: Vec> = stream::iter(children.into_iter()) - .map(|child| { - let node = Arc::clone(&node); - async move { - let maybe = node.get(&file_key(&child), reader_ref).await?; - // Silently skip type-mismatches here (a stale dir - // entry pointing at a removed file is possible - // across crashes and is not an integrity failure - // of the HAMT itself). - Ok::, CryptoError>(maybe.and_then(|wire| { - if let HamtEntry::File(f) = HamtEntry::from(wire) { - Some(f) - } else { - None - } - })) - } - }) - .buffered(MAX_CONCURRENT_HAMT_SIBLINGS) - .try_collect() + // Walk the shard's HAMT collecting File entries whose + // parent dir matches. Dir-local routing ensures every + // file under `normalized` lives in this single shard, + // so no cross-shard fan-out is needed. + let wires: Vec = node + .flat_map( + &|pair: &Pair, HamtEntryWire>| Ok(pair.value.clone()), + &reader, + ) .await?; - Ok(entries.into_iter().flatten().collect()) + let mut out: Vec = Vec::new(); + for wire in wires { + if let HamtEntry::File(f) = HamtEntry::from(wire) { + if parent_dir_of(&f.path) == normalized { + out.push(f); + } + } + } + Ok(out) } } } @@ -1478,78 +1650,58 @@ impl ShardedHamtPrivateForest { Ok((out, next_cursor)) } - /// Collect every file and directory under `prefix` by walking the - /// directory graph, not by scanning every shard. - /// - /// This is the shard-local alternative to [`Self::list_recursive`] (which - /// calls `list_all_files` and filters by path prefix, touching every - /// shard regardless of how localized the prefix is). The walker starts - /// at `prefix`, follows its `subdirs` list to descendants, and fetches - /// each directory's direct files in parallel. Cost is O(entries under - /// prefix), bounded by the number of subtree shards — not by the global - /// shard count. + /// Collect every file and directory whose path lies under `prefix`. /// - /// Returns `(files, directories)`. The root directory (at `prefix`) is - /// included in `directories` if it exists. Stale subdir entries that - /// resolve to `None` are silently skipped (consistent with the - /// idempotency-on-remove documentation near the type definition). + /// **#72 (2026-05-09)**: rewritten to walk every shard's HAMT and + /// filter by path prefix, replacing the prior BFS-via-`dir.files` + /// walker. `dir.files` is no longer populated post-#72 (single-dir + /// 1 MiB cliff fix) so the BFS-via-`dir.files` approach would + /// return empty results on new buckets. The new approach matches + /// the cost characteristic of `extract_subtree` (already used + /// `collect_all_entries` + prefix-filter for the same reason). /// - /// Order inside each return vec mirrors a BFS traversal of the subtree. + /// Returns `(files, directories)`. The root directory (at `prefix`) + /// is included in `directories` if it exists. Cost is O(N total + /// entries in bucket) regardless of how localized the prefix is — + /// trade-off accepted because (a) `list_subtree` was already not on + /// any hot path, (b) the alternative (sharded `dir.files`) is + /// ~600 LOC of wire-format work for the same correctness. pub async fn list_subtree( &self, prefix: &str, backend: &Arc, ) -> Result<(Vec, Vec)> { - use futures::stream::{self, StreamExt, TryStreamExt}; + let normalized_prefix = normalize_dir_path(prefix); + let all = self.collect_all_entries(backend).await?; let mut files_out: Vec = Vec::new(); let mut dirs_out: Vec = Vec::new(); - let mut queue: VecDeque = VecDeque::new(); - queue.push_back(normalize_dir_path(prefix)); - - while let Some(dir_path) = queue.pop_front() { - let Some(dir_entry) = self.get_directory(&dir_path, backend).await? else { - continue; - }; - for sub in &dir_entry.subdirs { - queue.push_back(sub.clone()); + // Match semantics of the prior BFS walker: a path is "under + // prefix" if it equals prefix OR starts with `prefix + "/"`. + // Pure `starts_with(prefix)` would over-match (e.g., prefix + // "/photos" would match "/photos2024"). Treat root specially — + // every path is under "/". + let is_under_prefix = |path: &str| -> bool { + if normalized_prefix == "/" { + return true; } + path == normalized_prefix || path.starts_with(&format!("{}/", normalized_prefix)) + }; - // Fetch this directory's direct files in parallel. Reuses - // dir-local routing: every child path hashes into the same shard - // as `dir_path`, so we reuse one reader. - let shard_idx = self.shard_for_dir(&dir_path); - let reader = self.reader_store_for(shard_idx, backend); - let guard = self.loaded_shards[shard_idx].read().await; - if let LoadedShard::Loaded(node) = &*guard { - let node = Arc::clone(node); - let reader_ref = &reader; - let children = dir_entry.files.clone(); - let fs: Vec> = stream::iter(children.into_iter()) - .map(|child| { - let node = Arc::clone(&node); - async move { - let maybe = node.get(&file_key(&child), reader_ref).await?; - Ok::, CryptoError>(maybe.and_then( - |wire| { - if let HamtEntry::File(f) = HamtEntry::from(wire) { - Some(f) - } else { - None - } - }, - )) - } - }) - .buffered(MAX_CONCURRENT_HAMT_SIBLINGS) - .try_collect() - .await?; - files_out.extend(fs.into_iter().flatten()); + for entry in all { + match entry { + HamtEntry::File(f) => { + if is_under_prefix(&f.path) { + files_out.push(f); + } + } + HamtEntry::Dir(d) => { + if is_under_prefix(&d.path) { + dirs_out.push(d); + } + } } - drop(guard); - - dirs_out.push(dir_entry); } Ok((files_out, dirs_out)) @@ -1643,7 +1795,19 @@ impl ShardedHamtPrivateForest { backend.clone(), ); - let new_root = { + // Walkable-v8 (W.9.3): we surface BOTH the storage_key (used + // by master-S3 reads + the conditional-PUT story) AND the + // master-attested CID (used by W.9.4's offline gateway race). + // `cid` is `Some` only when the BlobBackend's `put` returned + // one (i.e. master S3 with `walkable_v8_writer_enabled = true` + // and a verified ETag); `None` for in-memory test backends, + // for writes under the v0.5 default-off mode, or when the + // master-attested CID failed self-verify against + // `BLAKE3(ciphertext)`. The two are stamped together so a + // future flush that doesn't change this shard preserves the + // pair atomically (next-flush logic only updates a shard's + // `root` + `root_cid` when its dirty flag is set). + let (new_root, new_root_cid) = { let guard = self.loaded_shards[idx].read().await; match &*guard { LoadedShard::NotLoaded => { @@ -1652,18 +1816,21 @@ impl ShardedHamtPrivateForest { idx ))); } - LoadedShard::LoadedEmpty => None, + LoadedShard::LoadedEmpty => (None, None), LoadedShard::Loaded(node) => { if node.is_empty() { - None + (None, None) } else { - Some(node.store(&store).await?) + let result = node.store(&store).await?; + (Some(result.storage_key), result.cid) } } } }; - self.manifest.shard_mut(idx).root = new_root; + let shard = self.manifest.shard_mut(idx); + shard.root = new_root; + shard.root_cid = new_root_cid; self.dirty_shards[idx] = false; } self.manifest.touch(); @@ -1698,6 +1865,7 @@ mod tests { user_metadata: Default::default(), encrypted: true, min_version: 0, + storage_cid: None, } } @@ -1740,9 +1908,14 @@ mod tests { let leaf_shard_2 = forest.shard_for_file("/x/y/two.txt"); assert_eq!(leaf_shard_1, leaf_shard_2); + // #72: ForestDirectoryEntry.files is no longer populated; + // listing direct children goes through `list_directory` which + // walks the dir's outer-shard HAMT for `F:` entries. let dir = forest.get_directory("/x/y", &backend).await.unwrap(); let dir = dir.expect("parent directory must be materialized"); - let mut got: HashSet<_> = dir.files.iter().cloned().collect(); + assert_eq!(dir.path, "/x/y"); + let listing = forest.list_directory("/x/y", &backend).await.unwrap(); + let mut got: HashSet<_> = listing.iter().map(|f| f.path.clone()).collect(); let want: HashSet<_> = ["/x/y/one.txt".to_string(), "/x/y/two.txt".to_string()] .into_iter() .collect(); @@ -2142,7 +2315,15 @@ mod tests { .unwrap() .expect("/a/b must exist after deep upsert"); assert_eq!(leaf.path, "/a/b"); - assert_eq!(leaf.files, vec!["/a/b/c.txt".to_string()]); + // #72: dir.files is no longer populated; verify via list_directory. + let leaf_files: Vec = forest + .list_directory("/a/b", &backend) + .await + .unwrap() + .into_iter() + .map(|f| f.path) + .collect(); + assert_eq!(leaf_files, vec!["/a/b/c.txt".to_string()]); assert!(leaf.subdirs.is_empty()); let mid = forest @@ -2538,4 +2719,1664 @@ mod tests { } assert_eq!(seen.len(), total, "paginated walk must see every match"); } + + // ======================================================================== + // Walkable-v8 wire format tests (W.9.1b) + // + // The v8 chunk-CID hint goes through `HamtEntryWire`'s **enum-variant + // dispatch** (mirrors `PointerWire::LinkV2` in `wnfs_hamt::pointer`), + // NOT through field-append on `FileEntryWire`. This is the only + // postcard-safe approach: postcard 1.x does not honor `#[serde(default)]` + // for missing trailing struct fields (it errors with + // `DeserializeUnexpectedEnd` rather than substituting the default), so + // a struct field-append would break backward compat for every existing + // HAMT leaf the day W.9.3 ships. Enum-variant dispatch keeps v7 leaves + // byte-identical (variant tag 0 = `File`) while letting v8 writers emit + // `FileV2` (variant tag 2) when a CID hint is available. + // + // Pinned properties (mirror `pointer.rs::walkable_v8_wire_tests`): + // 1. `HamtEntryWire::FileV2` round-trips through postcard losslessly. + // 2. The `FileV2` variant index is the postcard tag `2` — + // the value an old (v7-only) deserializer doesn't recognize. + // 3. A v7-only deserializer (`LegacyHamtEntryWire` with only File + + // Dir variants) errors cleanly on a v8-format `FileV2` blob. + // 4. The v8 deserializer reads a v7-format `File` blob unchanged + // (legacy data written pre-W.9.1b round-trips fine). + // 5. **Load-bearing backward-compat**: `From for + // HamtEntryWire` produces byte-identical output for a + // `ForestFileEntry { storage_cid: None, .. }` as it did before + // W.9.1b. Without this property, every existing v7 SDK reader + // would break the day post-W.9.1b code lands. + // ======================================================================== + + fn walkable_v8_test_cid(seed: u8) -> cid::Cid { + let digest = [seed; 32]; + let mh = cid::multihash::Multihash::<64>::wrap(0x1e, &digest) + .expect("BLAKE3 multihash wrap"); + cid::Cid::new_v1(0x55, mh) + } + + fn fixture_forest_file_entry(path: &str, storage_cid: Option) -> ForestFileEntry { + ForestFileEntry { + path: path.to_string(), + storage_key: format!("Qm{}", hex::encode(blake3::hash(path.as_bytes()).as_bytes())), + size: 1024, + content_type: Some("text/plain".to_string()), + created_at: 1, + modified_at: 2, + content_hash: Some("blake3:...".to_string()), + user_metadata: HashMap::new(), + encrypted: true, + min_version: 4, + storage_cid, + } + } + + #[test] + fn hamt_entry_wire_file_legacy_round_trips_via_postcard_variant_0() { + let entry = fixture_forest_file_entry("/legacy.bin", None); + let wire: HamtEntryWire = HamtEntry::File(entry.clone()).into(); + let encoded = postcard::to_allocvec(&wire).expect("encode"); + // Legacy variant must be `File` (tag 0). Postcard writes the variant + // index as the leading byte for small tags. + assert_eq!(encoded[0], 0, "legacy File variant must be index 0"); + let decoded: HamtEntryWire = postcard::from_bytes(&encoded).expect("decode"); + match decoded { + HamtEntryWire::File(_) => {} + other => panic!("expected File variant, got {:?}", other), + } + } + + #[test] + fn hamt_entry_wire_file_v2_round_trips_via_postcard_variant_2() { + let cid = walkable_v8_test_cid(0xAB); + let entry = fixture_forest_file_entry("/v8.bin", Some(cid)); + let wire: HamtEntryWire = HamtEntry::File(entry.clone()).into(); + let encoded = postcard::to_allocvec(&wire).expect("encode"); + // FileV2 must be variant 2 — this is the load-bearing + // forward-incompat dispatch byte. v7-only HamtEntryWire decoders + // (only File=0, Dir=1) error cleanly on tag 2. + assert_eq!( + encoded[0], 2, + "FileV2 must be variant 2 in the wire format — do not change this. \ + A v7-only HamtEntryWire deserializer relies on tag 2 being \ + unknown to surface a typed error rather than corrupting state." + ); + let decoded: HamtEntryWire = postcard::from_bytes(&encoded).expect("decode"); + match decoded { + HamtEntryWire::FileV2(f2) => { + assert_eq!(f2.storage_cid, Some(cid)); + assert_eq!(f2.path, "/v8.bin"); + assert_eq!(f2.min_version, 4); + } + other => panic!("expected FileV2 variant, got {:?}", other), + } + } + + #[test] + fn hamt_entry_wire_from_forest_file_entry_with_none_cid_emits_legacy_variant() { + // LOAD-BEARING BACKWARD-COMPAT (W.4.3 hard-constraint #1). + // + // For W.9.1b's foundational scope the writer NEVER stamps a CID + // (W.9.3 wires that). All production writes have + // `storage_cid = None` and MUST emit variant 0 (`File`) byte- + // identically to v7 so that v7 SDKs continue reading the bucket + // through the entire SDK-adoption window. If this dispatch ever + // accidentally picks variant 2 for a None CID, every existing v7 + // reader breaks the day post-W.9.1b code lands. + let entry = fixture_forest_file_entry("/no-cid.bin", None); + let wire_v8: HamtEntryWire = HamtEntry::File(entry.clone()).into(); + let v8_bytes = postcard::to_allocvec(&wire_v8).expect("encode v8"); + assert_eq!( + v8_bytes[0], 0, + "ForestFileEntry with storage_cid=None MUST emit variant 0 (File), \ + NOT variant 2 (FileV2). Otherwise v7 SDKs break." + ); + + // And the bytes must match exactly what an SDK without W.9.1b + // changes would have emitted. Construct that simulated-legacy emit + // by going `HamtEntry → HamtEntryWire::File(FileEntryWire)` + // explicitly, encode, and compare. + let wire_legacy_explicit = HamtEntryWire::File(FileEntryWire { + path: "/no-cid.bin".to_string(), + storage_key: format!( + "Qm{}", + hex::encode(blake3::hash("/no-cid.bin".as_bytes()).as_bytes()) + ), + size: 1024, + content_type: Some("text/plain".to_string()), + created_at: 1, + modified_at: 2, + content_hash: Some("blake3:...".to_string()), + user_metadata: BTreeMap::new(), + encrypted: true, + min_version: 4, + }); + let legacy_bytes = + postcard::to_allocvec(&wire_legacy_explicit).expect("encode legacy"); + assert_eq!( + v8_bytes, legacy_bytes, + "v8 SDK emit for None-CID entry must be byte-identical to v7 emit" + ); + } + + /// A v7-only enum (only File + Dir variants) — simulates a v0.5-or-earlier + /// SDK that has never been recompiled to know about `FileV2`. Reading a + /// v8-format `FileV2` blob into this enum must produce a typed error. + #[derive(Debug, Serialize, Deserialize)] + enum LegacyHamtEntryWire { + File(FileEntryWire), + Dir(DirEntryWire), + } + + #[test] + fn legacy_v7_decoder_errors_on_v8_file_v2_blob() { + let cid = walkable_v8_test_cid(0xCD); + let entry = fixture_forest_file_entry("/forward-incompat.bin", Some(cid)); + let wire_v8: HamtEntryWire = HamtEntry::File(entry).into(); + let encoded = postcard::to_allocvec(&wire_v8).expect("encode v8"); + // Sanity check: the FileV2 dispatch fired and we have a variant-2 + // blob to feed to the legacy decoder. + assert_eq!(encoded[0], 2, "fixture must produce v8 FileV2 blob"); + + let result: std::result::Result = + postcard::from_bytes(&encoded); + assert!( + result.is_err(), + "v7-only HamtEntryWire deserializer must error on v8 FileV2 blob \ + (forward-incompatibility boundary), got {:?}", + result + ); + } + + #[test] + fn v8_decoder_reads_legacy_v7_file_blob() { + // A v7 SDK encoded a `File(FileEntryWire)` blob. A v8 SDK reading + // the same bucket must decode it identically — no upgrade-on-read, + // legacy data stays accessible until the user happens to write to + // it (W.4.2: lazy migration on next write). + let v7_blob = LegacyHamtEntryWire::File(FileEntryWire { + path: "/v7.bin".to_string(), + storage_key: "QmV7".to_string(), + size: 100, + content_type: None, + created_at: 0, + modified_at: 0, + content_hash: None, + user_metadata: BTreeMap::new(), + encrypted: true, + min_version: 4, + }); + let encoded = postcard::to_allocvec(&v7_blob).expect("encode v7"); + assert_eq!(encoded[0], 0, "v7 File blob must use variant 0"); + + let decoded: HamtEntryWire = postcard::from_bytes(&encoded) + .expect("v8 decoder must read v7 File blob"); + match decoded { + HamtEntryWire::File(f) => { + assert_eq!(f.path, "/v7.bin"); + assert_eq!(f.storage_key, "QmV7"); + assert_eq!(f.min_version, 4); + } + other => panic!("expected File variant, got {:?}", other), + } + } + + #[test] + fn forest_file_entry_to_file_entry_wire_v2_preserves_storage_cid_both_directions() { + // The two-way conversion at the FileEntryWireV2 boundary preserves + // every field including storage_cid. Mirrors the round-trip pattern + // in `pointer.rs::walkable_v8_wire_tests::child_ptr_stored_v2_full_pipeline_roundtrip`. + let cid = walkable_v8_test_cid(0x42); + let original = fixture_forest_file_entry("/x.bin", Some(cid)); + + let wire: FileEntryWireV2 = original.clone().into(); + assert_eq!(wire.storage_cid, Some(cid)); + assert_eq!(wire.storage_key, original.storage_key); + assert_eq!(wire.path, "/x.bin"); + + let recovered: ForestFileEntry = wire.into(); + assert_eq!(recovered.storage_cid, Some(cid)); + assert_eq!(recovered.path, original.path); + assert_eq!(recovered.encrypted, true); + assert_eq!(recovered.min_version, 4); + } + + #[test] + fn file_entry_wire_legacy_to_forest_file_entry_yields_none_storage_cid() { + // The legacy `FileEntryWire` (no storage_cid) → `ForestFileEntry` + // conversion produces `storage_cid = None`. This is what fires when + // a v8 SDK reads a v7-format `HamtEntryWire::File` leaf — the + // backward-compat path through `From for ForestFileEntry`. + let wire = FileEntryWire { + path: "/legacy.bin".to_string(), + storage_key: "QmLegacy".to_string(), + size: 42, + content_type: None, + created_at: 0, + modified_at: 0, + content_hash: None, + user_metadata: BTreeMap::new(), + encrypted: true, + min_version: 4, + }; + let entry: ForestFileEntry = wire.into(); + assert_eq!(entry.storage_cid, None); + assert_eq!(entry.path, "/legacy.bin"); + assert_eq!(entry.storage_key, "QmLegacy"); + } + + // ======================================================================== + // Walkable-v8 writer integration tests (W.9.3) + // + // These tests pin the END-TO-END writer wiring: a v8-aware backend + // surfaces a CID in `BlobPutResult.cid`, the HAMT cascade in + // `node.rs`/`pointer.rs`/`sharded_hamt_forest.rs` propagates it + // through `NodePutResult`, and the manifest's per-shard `root_cid` + // gets stamped. A v8 reader (W.9.4) will then walk via those CIDs. + // + // Without these tests the W.9.3 wiring could silently regress — + // the unit tests in `pointer.rs` and `private_forest.rs` cover + // each layer in isolation, but only the integration test here + // exercises the full v8 cascade against a real HAMT. + // ======================================================================== + + /// In-memory backend that emulates master S3's walkable-v8 contract: + /// every PUT records `BLAKE3(ciphertext)` raw-codec as the returned + /// CID. Real master computes this via kubo's `block/put?cid-codec= + /// raw&mhtype=blake3` (see `crates/fula-cli/src/handlers/object.rs: + /// 103-137`); this fake implements the same contract so the SDK + /// can be tested end-to-end without a wiremock harness. + /// + /// Captures every PUT (`path -> ciphertext`) so the test can later + /// assert the parent's pointer plaintext references each child + /// with the correct CID. + struct CidCapturingBackend { + objects: std::sync::Mutex>>, + } + + impl CidCapturingBackend { + fn new() -> Self { + Self { + objects: std::sync::Mutex::new(std::collections::HashMap::new()), + } + } + + fn get_sync(&self, path: &str) -> Option> { + self.objects.lock().unwrap().get(path).cloned() + } + + /// Build the same v1 raw-codec BLAKE3-multihash CID master would + /// emit on PUT for these bytes. This is the contract every + /// walkable-v8-enabled BlobBackend exposes: `cid.to_string()` is + /// what master returns in the ETag header. + fn cid_for(bytes: &[u8]) -> cid::Cid { + let h = blake3::hash(bytes); + let mh = cid::multihash::Multihash::<64>::wrap(0x1e, h.as_bytes()) + .expect("blake3 multihash wrap"); + cid::Cid::new_v1(0x55, mh) + } + } + + #[async_trait::async_trait] + impl crate::wnfs_hamt::v7_store::BlobBackend for CidCapturingBackend { + async fn get(&self, path: &str) -> Result> { + self.objects + .lock() + .unwrap() + .get(path) + .cloned() + .ok_or_else(|| { + crate::CryptoError::Hamt(format!("v8 fake: object not found: {}", path)) + }) + } + + async fn put( + &self, + path: &str, + bytes: Vec, + ) -> Result { + let cid = Self::cid_for(&bytes); + self.objects + .lock() + .unwrap() + .insert(path.to_string(), bytes); + Ok(crate::wnfs_hamt::v7_store::BlobPutResult { cid: Some(cid) }) + } + } + + #[tokio::test] + async fn walkable_v8_writer_e2e_stamps_shard_root_cid_matching_ciphertext_hash() { + // Goal: end-to-end check that when the BlobBackend returns a + // CID for every PUT (= walkable-v8-enabled writer), the flush + // stamps `manifest.shards[i].root_cid` to a value that matches + // BLAKE3(ciphertext) of the actual stored bytes. Failure here + // would mean either: + // - sharded_hamt_forest's flush_dirty doesn't propagate the + // CID into root_cid (regressing W.9.3-C), OR + // - the BlobPutResult plumbing through NodePutResult drops + // the CID somewhere (regressing W.9.2's seam). + let backend = std::sync::Arc::new(CidCapturingBackend::new()); + let mut forest = ShardedHamtPrivateForest::new("bucket-w8", test_dek(), 16); + + // Spread enough entries that at least one shard ends up with a + // populated root. 256 keys with 16 shards is ~16 entries per + // shard on average — well past the singleton-bucket threshold. + for i in 0..32u64 { + forest + .upsert_file( + file_entry(&format!("/v8/file-{:03}.bin", i), i), + &backend, + ) + .await + .unwrap(); + } + + // Flush. After this the manifest should carry root_cid hints on + // every populated shard. + let manifest = forest.flush_dirty(&backend).await.unwrap().clone(); + + // Find populated shards. With CidCapturingBackend, every shard + // that flushed a non-empty root MUST also carry a Some(cid). + let mut populated_count = 0usize; + for (_idx, shard) in manifest.shards_iter().enumerate() { + if shard.root.is_some() { + populated_count += 1; + assert!( + shard.root_cid.is_some(), + "walkable-v8 writer wired: every populated shard must \ + have its root_cid stamped (W.9.3 — sharded_hamt_forest::\ + flush_dirty propagates BlobPutResult.cid into root_cid)" + ); + } else { + assert!( + shard.root_cid.is_none(), + "empty shard must not carry a stale root_cid hint" + ); + } + } + assert!( + populated_count > 0, + "test setup invalid: no shard got populated" + ); + } + + #[tokio::test] + async fn walkable_v8_writer_e2e_internal_node_pointers_use_link_v2() { + // Goal: end-to-end check that internal HAMT nodes (parents of + // mutated children) emit `PointerWire::LinkV2` on their child + // pointers when the BlobBackend returns CIDs. Loads the shard + // root's plaintext from the backend, decrypts, and decodes the + // wire form; asserts at least one `LinkV2` variant appears in + // a parent that has a mutated subtree. + // + // This test exercises the load-bearing assertion of W.9.3-C: + // the InMemory arm at pointer.rs:243 emits LinkV2 when + // result.cid is Some. Without it the wire format would still + // be all-`Link`, breaking offline walks. + use crate::wnfs_hamt::store::HamtNodeStore; + let backend = std::sync::Arc::new(CidCapturingBackend::new()); + let mut forest = ShardedHamtPrivateForest::new("bucket-w8b", test_dek(), 16); + + // Enough entries to force at least one shard to grow past a + // single-leaf bucket and produce internal nodes. + for i in 0..64u64 { + forest + .upsert_file( + file_entry(&format!("/deep/{:03}.bin", i), i), + &backend, + ) + .await + .unwrap(); + } + let manifest = forest.flush_dirty(&backend).await.unwrap().clone(); + + // Find a populated shard whose root has at least one child + // pointer (indicating an internal node exists in the cascade). + let mut found_link_v2 = false; + for (idx, shard) in manifest.shards_iter().enumerate() { + if shard.root.is_none() { + continue; + } + // Decrypt the root node and inspect its wire form. Use the + // same V7NodeStore the writer used so AAD matches. + let store = crate::wnfs_hamt::v7_store::V7NodeStore::new( + "bucket-w8b", + idx as u16, + manifest.shard_salt().to_vec(), + test_dek(), + backend.clone(), + ); + let plaintext = store + .get_node(&shard.root.unwrap()) + .await + .expect("root node must decrypt under the writer's DEK"); + + // `plaintext` is `postcard(NodeWire { bitmask, pointers })`. + // Decode and walk the pointers list looking for `LinkV2`. + #[derive(serde::Deserialize)] + struct NodeWireInspect { + #[allow(dead_code)] + bitmask: u16, + pointers: Vec>, + } + let wire: NodeWireInspect, HamtEntryWire> = + postcard::from_bytes(&plaintext).expect("decode root wire"); + for ptr in &wire.pointers { + if let crate::wnfs_hamt::pointer::PointerWire::LinkV2 { storage_key, cid } = + ptr + { + found_link_v2 = true; + // Belt-and-suspenders: the CID embedded in the + // pointer should match BLAKE3 of the child's stored + // ciphertext at this storage_key path. + let child_path = format!( + "{}{}", + crate::wnfs_hamt::v7_store::V7_NODE_PREFIX, + hex::encode(storage_key) + ); + let child_bytes = backend + .get_sync(&child_path) + .expect("child blob must be persisted"); + let recomputed = CidCapturingBackend::cid_for(&child_bytes); + assert_eq!( + *cid, recomputed, + "LinkV2.cid in parent's pointer plaintext must equal \ + BLAKE3(child's ciphertext) — without this guarantee, \ + W.9.4's gateway-race walker would fetch the wrong \ + bytes for this child" + ); + } + } + // First populated shard with parent pointers is enough. + if found_link_v2 { + break; + } + } + assert!( + found_link_v2, + "no LinkV2 variant found in any flushed shard root — the writer \ + cascade either short-circuited (every shard has only a single-leaf \ + bucket) or pointer.rs's InMemory arm is regressing back to legacy \ + Link. Try increasing the entry count for this test, or check \ + pointer.rs:to_wire." + ); + } + + #[tokio::test] + async fn walkable_v8_writer_e2e_in_memory_backend_keeps_link_legacy() { + // Negative control: with the default `InMemoryBackend` (which + // returns BlobPutResult::none()), the writer cascade MUST emit + // legacy `Link` only — no `LinkV2`. This pins the v0.5-default + // backwards-compat: when the writer flag is off (or the backend + // doesn't surface CIDs), the wire format is byte-identical to + // the pre-walkable-v8 v7 form. + use crate::wnfs_hamt::store::HamtNodeStore; + let backend = std::sync::Arc::new(InMemoryBackend::new()); + let mut forest = ShardedHamtPrivateForest::new("bucket-w8c", test_dek(), 16); + + for i in 0..64u64 { + forest + .upsert_file( + file_entry(&format!("/d/{:03}.bin", i), i), + &backend, + ) + .await + .unwrap(); + } + let manifest = forest.flush_dirty(&backend).await.unwrap().clone(); + + // Every populated shard's root_cid MUST be None — the backend + // returned no CID hints. + for shard in manifest.shards_iter() { + assert!( + shard.root_cid.is_none(), + "InMemoryBackend returns BlobPutResult::none() — root_cid \ + must stay None, otherwise the writer is fabricating CIDs" + ); + } + + // Decode any populated shard's root plaintext and assert no + // `LinkV2` variant appears in any pointer. + for (idx, shard) in manifest.shards_iter().enumerate() { + if shard.root.is_none() { + continue; + } + let store = crate::wnfs_hamt::v7_store::V7NodeStore::new( + "bucket-w8c", + idx as u16, + manifest.shard_salt().to_vec(), + test_dek(), + backend.clone(), + ); + let plaintext = store.get_node(&shard.root.unwrap()).await.unwrap(); + #[derive(serde::Deserialize)] + struct NodeWireInspect { + #[allow(dead_code)] + bitmask: u16, + pointers: Vec>, + } + let wire: NodeWireInspect, HamtEntryWire> = + postcard::from_bytes(&plaintext).unwrap(); + for ptr in &wire.pointers { + assert!( + !matches!( + ptr, + crate::wnfs_hamt::pointer::PointerWire::LinkV2 { .. } + ), + "InMemoryBackend returns no CIDs — wire MUST stay all-Link, \ + but found a LinkV2 in shard {}'s root pointers. Writer is \ + fabricating CIDs.", + idx + ); + } + } + } + + // ======================================================================== + // Walkable-v8 reader integration tests (W.9.4) + // + // These tests exercise the cid-hint plumbing end-to-end: + // * `ChildPtr::StoredV2` → `Node::load_with_cid_hint` → + // `HamtNodeStore::get_node_with_cid_hint` → + // `BlobBackend::get_with_cid_hint`. + // + // The W.9.4 contract has three integrity layers (per advisor design): + // 1. Gateway content-address check (verify_cid_against_bytes) — + // tested separately in gateway_fetch.rs's tampering tests. + // 2. AEAD decrypt with `(bucket, shard_idx)` AAD — tested by + // `get_node_rejects_wrong_shard_idx` / `..._wrong_bucket` / + // `..._tampered_blob` in v7_store::tests. + // 3. **Plaintext storage_key recompute vs caller-supplied key** — + // this is the layer that's NEW for W.9.4 and is the subject + // of the tamper test below. It defends against a malicious + // parent that swapped a sibling's storage_key while keeping + // the (cryptographically-valid) cid hint. + // ======================================================================== + + /// Reader-side CID-hint plumbing test (W.9.4). Records every + /// `get_with_cid_hint` call against the wrapped storage so the test + /// can assert that: + /// * The cid passed down at fetch time is exactly the cid + /// embedded in the parent's `PointerWire::LinkV2`. + /// * The storage_key passed alongside is the same one the + /// parent recorded (NOT silently substituted somewhere in the + /// plumbing). + /// + /// Wraps a `CidCapturingBackend` so the writer-side cascade still + /// stamps cids on flush; the reader-side test focuses on what + /// flows DOWN to the backend during the walk. + struct HintRecordingBackend { + inner: std::sync::Arc, + hints_observed: std::sync::Mutex)>>, + } + + impl HintRecordingBackend { + fn new() -> Self { + Self { + inner: std::sync::Arc::new(CidCapturingBackend::new()), + hints_observed: std::sync::Mutex::new(Vec::new()), + } + } + + fn observed(&self) -> Vec<(String, Option)> { + self.hints_observed.lock().unwrap().clone() + } + } + + #[async_trait::async_trait] + impl crate::wnfs_hamt::v7_store::BlobBackend for HintRecordingBackend { + async fn get(&self, path: &str) -> Result> { + self.inner.get(path).await + } + + async fn put( + &self, + path: &str, + bytes: Vec, + ) -> Result { + self.inner.put(path, bytes).await + } + + async fn get_with_cid_hint( + &self, + path: &str, + cid_hint: Option<&cid::Cid>, + ) -> Result> { + self.hints_observed + .lock() + .unwrap() + .push((path.to_string(), cid_hint.cloned())); + // Delegate to the underlying CidCapturingBackend's `get` — + // both online and "offline" branches return the same bytes + // for this test (the test is about what the parent fed us, + // not about gateway availability). + self.inner.get(path).await + } + } + + /// Regression guard for #52: a master-divergence reconcile via + /// `reconcile_page_etag` must NOT silently drop the CID hint + /// when master's etag is a parseable CID string. Pre-#52 the + /// reconcile inserted `cid: None` which left + /// `manifest.root.page_index[page_id].cid` empty until the next + /// flush re-stamped it — a quiet degradation to v0.5 fidelity. + #[tokio::test] + async fn reconcile_page_etag_recovers_cid_from_etag_string() { + use crate::private_forest::PageRef; + let backend = std::sync::Arc::new(InMemoryBackend::new()); + let mut forest = + ShardedHamtPrivateForest::new("bucket-recon", test_dek(), 16); + // Seed page 0 with a low seq so the reconcile is accepted. + forest.manifest.root.page_index.insert( + 0, + PageRef { + etag: Some("\"old\"".to_string()), + seq: 5, + cid: None, + }, + ); + let _ = backend; // silence unused + + // A real CID (BLAKE3-multihash, raw codec) — the same shape + // master returns as an etag on v8 page PUTs. + let cid_str = { + let h = blake3::hash(b"fake-page-blob"); + let mh = cid::multihash::Multihash::<64>::wrap(0x1e, h.as_bytes()) + .expect("blake3 multihash wrap"); + cid::Cid::new_v1(0x55, mh).to_string() + }; + let new_seq = 10u64; + forest.reconcile_page_etag(0, new_seq, Some(cid_str.clone())); + + let entry = forest + .manifest + .root + .page_index + .get(&0) + .expect("page 0 reconciled"); + assert_eq!(entry.seq, new_seq, "seq advanced"); + assert_eq!(entry.etag.as_deref(), Some(cid_str.as_str()), "etag updated"); + assert!( + entry.cid.is_some(), + "#52 regression: reconcile_page_etag must recover the CID \ + from a CID-shaped etag string instead of silently inserting \ + cid: None" + ); + // The recovered cid should match what `cid_str.parse()` would produce. + assert_eq!( + entry.cid.unwrap().to_string(), + cid_str, + "recovered cid must round-trip through the etag string" + ); + } + + /// Regression guard for #52: same property for the dir-index + /// reconcile path. `reconcile_dir_index_etag` previously left + /// `dir_index_cid` untouched on master-divergence, leaving a + /// stale value lingering even when master's new etag was a + /// parseable CID. + #[tokio::test] + async fn reconcile_dir_index_etag_recovers_cid_from_etag_string() { + let backend = std::sync::Arc::new(InMemoryBackend::new()); + let mut forest = + ShardedHamtPrivateForest::new("bucket-recon-dir", test_dek(), 16); + forest.manifest.root.dir_index_etag = Some("\"old\"".to_string()); + forest.manifest.root.dir_index_seq = Some(3); + forest.manifest.root.dir_index_cid = None; + let _ = backend; + + let cid_str = { + let h = blake3::hash(b"fake-dir-index-blob"); + let mh = cid::multihash::Multihash::<64>::wrap(0x1e, h.as_bytes()) + .expect("blake3 multihash wrap"); + cid::Cid::new_v1(0x55, mh).to_string() + }; + let new_seq = 9u64; + forest.reconcile_dir_index_etag(new_seq, Some(cid_str.clone())); + + assert_eq!(forest.manifest.root.dir_index_seq, Some(new_seq)); + assert_eq!( + forest.manifest.root.dir_index_etag.as_deref(), + Some(cid_str.as_str()) + ); + assert!( + forest.manifest.root.dir_index_cid.is_some(), + "#52 regression: reconcile_dir_index_etag must recover the \ + CID from a CID-shaped etag string" + ); + assert_eq!( + forest.manifest.root.dir_index_cid.unwrap().to_string(), + cid_str + ); + } + + /// `reconcile_page_etag` with a non-CID etag (legacy / malformed) + /// must NOT panic and must leave `cid: None` so the warm cache + + /// storage_key path can take over. + #[tokio::test] + async fn reconcile_page_etag_handles_non_cid_etag_as_none() { + use crate::private_forest::PageRef; + let backend = std::sync::Arc::new(InMemoryBackend::new()); + let mut forest = + ShardedHamtPrivateForest::new("bucket-recon-bad", test_dek(), 16); + forest.manifest.root.page_index.insert( + 0, + PageRef { + etag: None, + seq: 0, + cid: None, + }, + ); + let _ = backend; + forest.reconcile_page_etag(0, 1, Some("\"definitely-not-a-cid\"".to_string())); + let entry = forest.manifest.root.page_index.get(&0).unwrap(); + assert_eq!(entry.seq, 1); + assert!( + entry.cid.is_none(), + "non-CID etag must surface as cid: None — soft-fail to the \ + storage-key path, no panic" + ); + } + + #[tokio::test] + async fn walkable_v8_reader_passes_cid_hint_through_to_backend() { + // Goal: every fetch of an INTERNAL HAMT node carries the cid + // its parent recorded at write time. Without this property + // W.9.4's offline gateway race never engages — the path + // would silently degrade to the storage-key-only fetch. + let backend = std::sync::Arc::new(HintRecordingBackend::new()); + let mut forest = ShardedHamtPrivateForest::new("bucket-r8a", test_dek(), 16); + + // Plant enough entries so at least one shard grows internal nodes. + for i in 0..64u64 { + forest + .upsert_file( + file_entry(&format!("/r/{:03}.bin", i), i), + &backend, + ) + .await + .unwrap(); + } + forest.flush_dirty(&backend).await.unwrap(); + + // Drop the writer's in-memory caches by rebuilding the forest + // from the persisted manifest. This forces the next walk to + // hit the backend for every internal-node fetch. + let manifest = forest.manifest().clone(); + let mut reader = ShardedHamtPrivateForest::from_manifest( + manifest, + "bucket-r8a", + test_dek(), + ); + + // Reset hint recorder so we measure ONLY the read-side calls. + reader + .list_recursive("/", &backend) + .await + .expect("list_recursive on freshly-loaded reader"); + + // Among the recorded hints, every internal-node fetch (path + // matching V7_NODE_PREFIX) must carry Some(cid) UNLESS the + // parent that referenced it was itself a legacy `Stored` + // pointer — but in this test every node was written by a v8 + // writer with cid-capturing backend, so every internal-node + // fetch path MUST have a Some(cid) hint. + let observed = backend.observed(); + let internal_node_fetches: Vec<_> = observed + .iter() + .filter(|(p, _)| p.starts_with(crate::wnfs_hamt::v7_store::V7_NODE_PREFIX)) + .collect(); + assert!( + !internal_node_fetches.is_empty(), + "test setup invalid: no internal-node fetches recorded" + ); + for (path, hint) in &internal_node_fetches { + assert!( + hint.is_some(), + "every internal-node fetch must carry a cid hint when the \ + forest was written by a v8-aware backend; missing for path {}", + path + ); + } + + // Cross-check that each cid hint matches BLAKE3(child ciphertext) + // — i.e. the cid recorded in the parent points at exactly the + // bytes the reader is fetching. This is the load-bearing + // walkable-v8 contract: parent's `LinkV2.cid` IS the address + // of the child's ciphertext. + for (path, hint) in &internal_node_fetches { + let cid = hint.expect("cid hint present (asserted above)"); + let stored = backend + .inner + .get_sync(path) + .expect("backend has the bytes"); + let recomputed = CidCapturingBackend::cid_for(&stored); + assert_eq!( + cid, recomputed, + "cid hint at path {} disagrees with BLAKE3(stored ciphertext); \ + W.9.3 writer didn't stamp the right cid OR the reader \ + forwarded a stale value", + path + ); + } + } + + /// Reader-side tamper test (W.9.4 third integrity layer). The + /// gateway content-address verify (layer 1) and AEAD decrypt + /// (layer 2) are NOT enough on their own — a malicious parent + /// could keep both happy by pointing `LinkV2 { storage_key: A, + /// cid: hash_of_real_node_B }`. The parent's pointer is inside an + /// AEAD-encrypted ciphertext (key-holders only) so this scenario + /// requires `forest_dek` compromise; even so, the reader must NOT + /// be redirected to a sibling node's plaintext just because both + /// sides pass cryptographic checks. Layer 3 (recompute the + /// plaintext's storage_key, compare to caller-supplied key) + /// catches it. + /// + /// Setup: plant TWO valid nodes A and B at distinct storage_keys. + /// Construct a "malicious" backend whose `get_with_cid_hint(path_A, + /// Some(cid_B))` returns the bytes addressed by cid_B (= node B's + /// ciphertext, perfectly valid for that cid). The post-fetch + /// recompute must reject because plaintext_B's storage_key is B, + /// not A. + struct MaliciousRedirectBackend { + cid_to_bytes: std::sync::Mutex>>, + path_to_bytes: std::sync::Mutex>>, + } + + impl MaliciousRedirectBackend { + fn new() -> Self { + Self { + cid_to_bytes: std::sync::Mutex::new(std::collections::HashMap::new()), + path_to_bytes: std::sync::Mutex::new(std::collections::HashMap::new()), + } + } + } + + #[async_trait::async_trait] + impl crate::wnfs_hamt::v7_store::BlobBackend for MaliciousRedirectBackend { + async fn get(&self, path: &str) -> Result> { + self.path_to_bytes + .lock() + .unwrap() + .get(path) + .cloned() + .ok_or_else(|| crate::CryptoError::Hamt(format!("not found: {}", path))) + } + + async fn put( + &self, + path: &str, + bytes: Vec, + ) -> Result { + let cid = CidCapturingBackend::cid_for(&bytes); + self.cid_to_bytes + .lock() + .unwrap() + .insert(cid, bytes.clone()); + self.path_to_bytes + .lock() + .unwrap() + .insert(path.to_string(), bytes); + Ok(crate::wnfs_hamt::v7_store::BlobPutResult { cid: Some(cid) }) + } + + async fn get_with_cid_hint( + &self, + _path: &str, + cid_hint: Option<&cid::Cid>, + ) -> Result> { + // Malicious behaviour: when the caller supplies a cid hint, + // resolve via cid (gateway-race emulation) and IGNORE the + // path. This models a compromised master/gateway that + // could serve cid_B's bytes when the SDK was looking for + // node A. The third integrity layer in V7NodeStore must + // reject this regardless of cid validity. + match cid_hint { + Some(cid) => self + .cid_to_bytes + .lock() + .unwrap() + .get(cid) + .cloned() + .ok_or_else(|| { + crate::CryptoError::Hamt(format!("cid not found: {}", cid)) + }), + None => self.get(_path).await, + } + } + } + + #[tokio::test] + async fn walkable_v8_reader_rejects_when_redirected_to_sibling_node() { + use crate::wnfs_hamt::store::HamtNodeStore; + let backend = std::sync::Arc::new(MaliciousRedirectBackend::new()); + let store = crate::wnfs_hamt::v7_store::V7NodeStore::new( + "bucket-tamper", + 0, + vec![0x33; 16], + test_dek(), + backend.clone(), + ); + + // Plant two distinct plaintexts. Different bytes ⇒ different + // storage_keys ⇒ different cids when stored. + let bytes_a = b"plaintext-node-A".to_vec(); + let bytes_b = b"plaintext-node-B-differs".to_vec(); + let result_a = store.put_node(bytes_a.clone()).await.unwrap(); + let result_b = store.put_node(bytes_b.clone()).await.unwrap(); + assert_ne!( + result_a.storage_key, result_b.storage_key, + "test setup: A and B must have distinct storage_keys" + ); + let cid_b = result_b.cid.expect("MaliciousRedirectBackend stamps cids"); + + // Sanity: legitimate read of A succeeds (path → A's bytes). + let plaintext_a = store + .get_node_with_cid_hint(&result_a.storage_key, result_a.cid.as_ref()) + .await + .expect("legitimate (A, cid_A) fetch must succeed"); + assert_eq!(plaintext_a, bytes_a); + + // Tamper attempt: ask for storage_key A but supply cid_B. + // Layer 1 (gateway): would pass — bytes are valid under cid_B. + // Layer 2 (AEAD): passes — bytes_B is a legitimately-encrypted + // node under the same DEK + bucket + shard. + // Layer 3 (recompute): MUST FAIL — plaintext_B's storage_key + // is B, not A. + let result = store + .get_node_with_cid_hint(&result_a.storage_key, Some(&cid_b)) + .await; + assert!( + result.is_err(), + "third integrity layer must reject when the supplied cid \ + addresses bytes whose plaintext recomputes to a DIFFERENT \ + storage_key. Got: {:?}", + result.map(|p| p.len()) + ); + let err_msg = format!("{:?}", result.unwrap_err()); + assert!( + err_msg.contains("content-address mismatch"), + "tamper rejection must surface the content-address-mismatch \ + error so the failure mode is unambiguous in logs. Got: {}", + err_msg + ); + } + + /// Reader-side default-off test (W.9.4). When the writer flag was + /// off when the bucket was written (no LinkV2 entries persisted), + /// the walker's `resolve_owned` dispatches to the legacy `Stored` + /// arm, which passes `None` as the cid hint. Verifies that: + /// * No `Some(cid)` is ever forwarded to the backend during the + /// walk of a flag-off bucket. + /// * `get_with_cid_hint(_, None)` is byte-identical to `get(_)` + /// (the trait's default impl IS this — we just confirm the + /// end-to-end path doesn't accidentally fabricate a hint). + #[tokio::test] + async fn walkable_v8_reader_default_off_bucket_passes_none_hint() { + let backend = std::sync::Arc::new(HintRecordingBackend::new()); + // Use the InMemoryBackend's contract (no cids) by giving the + // hint-recorder a CidCapturingBackend wrapper but ignoring the + // cids — actually, HintRecordingBackend wraps CidCapturingBackend + // which DOES return cids on put. To simulate "writer flag off" + // without changing backends, we construct the manifest manually + // with `root_cid = None` so the reader sees no v8 hints. + // + // Simpler approach: write through CidCapturingBackend so cids + // are stamped, then strip them from the manifest before the + // reader phase. The reader's resolve_owned will see only + // legacy Stored pointers (assuming v7 writes); but the + // writer in `flush_dirty` and `pointer.rs:to_wire` is what + // actually decides Link vs LinkV2 based on result.cid. Since + // CidCapturingBackend returns Some(cid) every time, every + // node will be written as LinkV2. To get a true flag-off + // simulation we need a backend whose `put` returns + // `BlobPutResult::none()` — that's `InMemoryBackend`. + let inmem_backend = std::sync::Arc::new(InMemoryBackend::new()); + let mut forest = + ShardedHamtPrivateForest::new("bucket-roff", test_dek(), 16); + for i in 0..32u64 { + forest + .upsert_file( + file_entry(&format!("/off/{:03}.bin", i), i), + &inmem_backend, + ) + .await + .unwrap(); + } + forest.flush_dirty(&inmem_backend).await.unwrap(); + let manifest = forest.manifest().clone(); + + // Now wrap the InMemory backend with the hint recorder so we + // can observe what the reader passes down. Reader walks via + // hint-recorder; since the manifest has root_cid = None on + // every shard AND every internal node was written as legacy + // `Link` (InMemoryBackend returns no cids), the recorder + // should see ONLY None hints. + let recorder = std::sync::Arc::new(InMemoryDelegateRecorder { + inner: inmem_backend.clone(), + hints_observed: std::sync::Mutex::new(Vec::new()), + }); + + let mut reader = + ShardedHamtPrivateForest::from_manifest(manifest, "bucket-roff", test_dek()); + let _ = reader + .list_recursive("/", &recorder) + .await + .expect("list_recursive must succeed under default-off"); + + let observed = recorder.hints_observed.lock().unwrap().clone(); + let internal_fetches: Vec<_> = observed + .iter() + .filter(|(p, _)| p.starts_with(crate::wnfs_hamt::v7_store::V7_NODE_PREFIX)) + .collect(); + assert!( + !internal_fetches.is_empty(), + "test setup invalid: no internal-node fetches occurred" + ); + for (path, hint) in &internal_fetches { + assert!( + hint.is_none(), + "default-off bucket: cid hint at {} must be None — was {:?}. \ + If a Some leaks, the reader is fabricating cids that the \ + writer never stamped, breaking the wire-format-is-the-gate \ + invariant.", + path, + hint + ); + } + } + + /// Local backend wrapper used by `walkable_v8_reader_default_off_*` + /// — delegates everything to an `InMemoryBackend` while recording + /// each `get_with_cid_hint` call's `cid_hint` argument. + struct InMemoryDelegateRecorder { + inner: std::sync::Arc, + hints_observed: std::sync::Mutex)>>, + } + + #[async_trait::async_trait] + impl crate::wnfs_hamt::v7_store::BlobBackend for InMemoryDelegateRecorder { + async fn get(&self, path: &str) -> Result> { + self.inner.get(path).await + } + + async fn put( + &self, + path: &str, + bytes: Vec, + ) -> Result { + self.inner.put(path, bytes).await + } + + async fn get_with_cid_hint( + &self, + path: &str, + cid_hint: Option<&cid::Cid>, + ) -> Result> { + self.hints_observed + .lock() + .unwrap() + .push((path.to_string(), cid_hint.cloned())); + self.inner.get(path).await + } + } + + /// Mixed-bucket reader test (W.9.4). A bucket can legitimately + /// contain BOTH legacy `Stored` pointers (subtrees written under + /// the v0.5 default-off mode) AND `StoredV2` pointers (subtrees + /// written after the writer flag flipped on). The reader must + /// handle both in the SAME walk without errors — legacy children + /// fetch via no-cid path, v8 children fetch via cid path. + /// + /// Constructs the mixed state by: + /// 1. Writing batch A through `InMemoryBackend` (no cids → Link). + /// 2. Writing batch B through `CidCapturingBackend` against the + /// SAME manifest state (same `bucket_salt`, same DEK), so + /// batch B's path-of-change cascade re-encodes some shared + /// ancestor nodes with mixed-variant pointers. + /// Then walks via the cid-capturing backend and verifies every + /// upserted file is reachable. + #[tokio::test] + async fn walkable_v8_reader_mixed_link_and_link_v2_in_one_bucket() { + // Phase 1 — write batch A through a no-cid backend. + let no_cid = std::sync::Arc::new(InMemoryBackend::new()); + let mut forest = + ShardedHamtPrivateForest::new("bucket-mixed", test_dek(), 16); + for i in 0..16u64 { + forest + .upsert_file(file_entry(&format!("/A/{:02}.bin", i), i), &no_cid) + .await + .unwrap(); + } + forest.flush_dirty(&no_cid).await.unwrap(); + + // Phase 2 — switch to a cid-capturing backend that has access + // to the SAME object map (so it can read the legacy nodes + // batch A wrote AND surface cids on subsequent puts). We + // achieve this by sharing the same underlying object store. + let mixed = std::sync::Arc::new(SharedObjectsBackend { + objects: no_cid.clone(), + stamp_cid: true, + }); + + // Continue mutating the forest with the new backend. Any + // internal node touched by the path-of-change re-encodes; the + // re-encoded parent contains a mix of `Link` (untouched + // sibling, came from batch A) and `LinkV2` (mutated child, + // freshly stamped). + for i in 16..32u64 { + forest + .upsert_file(file_entry(&format!("/B/{:02}.bin", i), i), &mixed) + .await + .unwrap(); + } + forest.flush_dirty(&mixed).await.unwrap(); + + // Reader phase — walk the mixed forest and verify every + // entry from BOTH batches is reachable. If the resolve_owned + // dispatch were buggy (e.g. failing the legacy Stored arm + // when intermixed with StoredV2), this list_recursive would + // miss the batch-A entries. + let manifest = forest.manifest().clone(); + let mut reader = ShardedHamtPrivateForest::from_manifest( + manifest, + "bucket-mixed", + test_dek(), + ); + let listed = reader + .list_recursive("/", &mixed) + .await + .expect("mixed-bucket walk must succeed"); + let paths: std::collections::HashSet = + listed.iter().map(|f| f.path.clone()).collect(); + for i in 0..16u64 { + assert!( + paths.contains(&format!("/A/{:02}.bin", i)), + "batch-A entry /A/{:02}.bin missing — the reader's legacy \ + Stored arm regressed when intermixed with StoredV2", + i + ); + } + for i in 16..32u64 { + assert!( + paths.contains(&format!("/B/{:02}.bin", i)), + "batch-B entry /B/{:02}.bin missing — the reader's StoredV2 \ + arm broke", + i + ); + } + } + + /// Backend wrapper that shares the same underlying object map as + /// another `InMemoryBackend` while choosing whether to surface + /// cids on `put`. Used by the mixed-bucket test to swap the + /// stamping policy mid-bucket without losing the batch-A objects. + struct SharedObjectsBackend { + objects: std::sync::Arc, + stamp_cid: bool, + } + + #[async_trait::async_trait] + impl crate::wnfs_hamt::v7_store::BlobBackend for SharedObjectsBackend { + async fn get(&self, path: &str) -> Result> { + self.objects.get(path).await + } + + async fn put( + &self, + path: &str, + bytes: Vec, + ) -> Result { + // Compute the cid from bytes BEFORE delegating — the + // delegate consumes bytes and returns BlobPutResult::none(). + let cid = if self.stamp_cid { + Some(CidCapturingBackend::cid_for(&bytes)) + } else { + None + }; + self.objects.put(path, bytes).await?; + Ok(crate::wnfs_hamt::v7_store::BlobPutResult { cid }) + } + + async fn get_with_cid_hint( + &self, + path: &str, + _cid_hint: Option<&cid::Cid>, + ) -> Result> { + // For this test we don't simulate master-down; just + // delegate to `get`. The hint-bearing path inside + // V7NodeStore is exercised at the V7NodeStore level, not + // here. + self.objects.get(path).await + } + } + + // ======================================================================== + // Walkable-v8 scale + block-size tests (W.9.7) + // + // The single load-bearing W.8 design assertion: **no IPFS block + // exceeds 1 MiB** at any production-realistic scale. Standard + // gateways enforce this limit; a single >1MiB block would fail + // every offline-walk fetch (W.9.4) and invalidate the W.10 + // default-on rollout. + // + // Cliff to actively look for: the writer cascade serialises the + // pointer list at each HAMT level. If anything ever lets the + // pointer-array grow past the HAMT branching factor (16 — bounded + // by the bitmask u16), block size could spike past 1 MiB. The + // size assertion is the regression guard. + // + // Three scales: + // * `_at_1k_entries` — regular test, runs in CI. + // * `_at_100k_entries` — `#[ignore]`. Operator runs in + // release mode (`cargo test --release -- --ignored + // walkable_v8_block_size_at_100k`). ~30 s on a fast box. + // Memory ceiling: ~150 MB residual encrypted blobs in the + // backend's HashMap. + // * `_at_1m_entries` — `#[ignore]`. Pre-release operator + // check. Could take 30+ min in release mode. Memory ceiling: + // ~5 GB. The test enforces the ceiling by running it only + // when explicitly opted-in. + // ======================================================================== + + /// Backend that returns `Some(BLAKE3-raw-cid)` from `put` so the + /// walkable-v8 writer cascade actually emits `LinkV2` (advisor + /// note: the existing `InMemoryBackend` returns + /// `BlobPutResult::none()`, which would silently regress the test + /// to v7 wire-format and miss any v8-specific blowup). + /// + /// Records the largest observed encrypted-blob size + a + /// per-blob histogram so the assertion has a clear failure + /// payload when violated (e.g., "shard root grew to 1.3 MiB at + /// entry 87523"). + struct WalkableV8RecordingBackend { + objects: std::sync::Mutex>>, + max_observed_size: std::sync::atomic::AtomicUsize, + max_observed_path: std::sync::Mutex, + } + + impl WalkableV8RecordingBackend { + fn new() -> Self { + Self { + objects: std::sync::Mutex::new(std::collections::HashMap::new()), + max_observed_size: std::sync::atomic::AtomicUsize::new(0), + max_observed_path: std::sync::Mutex::new(String::new()), + } + } + + fn record_max_size(&self, path: &str, size: usize) { + // CAS loop to keep the path label in sync with the size — + // we want operator triage to know WHICH path was the + // biggest, not just the size. + let prev = self + .max_observed_size + .fetch_max(size, std::sync::atomic::Ordering::SeqCst); + if size > prev { + let mut guard = self.max_observed_path.lock().unwrap(); + *guard = path.to_string(); + } + } + + fn max_size(&self) -> usize { + self.max_observed_size + .load(std::sync::atomic::Ordering::SeqCst) + } + + fn max_path(&self) -> String { + self.max_observed_path.lock().unwrap().clone() + } + + fn object_count(&self) -> usize { + self.objects.lock().unwrap().len() + } + } + + #[async_trait::async_trait] + impl crate::wnfs_hamt::v7_store::BlobBackend for WalkableV8RecordingBackend { + async fn get(&self, path: &str) -> Result> { + self.objects + .lock() + .unwrap() + .get(path) + .cloned() + .ok_or_else(|| crate::CryptoError::Hamt(format!("not found: {}", path))) + } + + async fn put( + &self, + path: &str, + bytes: Vec, + ) -> Result { + // Reuse the shared cid_for helper from CidCapturingBackend + // (defined earlier in this test module) so both backends + // hash bytes identically — the v8 cascade then sees + // consistent CIDs across the test suite. + let cid = CidCapturingBackend::cid_for(&bytes); + self.record_max_size(path, bytes.len()); + self.objects + .lock() + .unwrap() + .insert(path.to_string(), bytes); + Ok(crate::wnfs_hamt::v7_store::BlobPutResult { cid: Some(cid) }) + } + } + + /// Standard IPFS gateway block-size limit (1 MiB) — the **hard + /// gateway-correctness guard**. Any block above this fails + /// offline-walk fetches via public gateways and invalidates W.8.3. + const IPFS_BLOCK_LIMIT: usize = 1 << 20; + + /// Architectural early-warning ceiling (64 KiB). Per plan W.8.3 the + /// **expected** worst-case HAMT internal-node ciphertext size is + /// ~4 KB. Any block above 64 KiB is a 16× regression vs the + /// architectural prediction — well below the gateway limit but + /// indicative of an unintended fanout / pointer-list growth that + /// would eventually blow past the hard ceiling at higher scale. + /// Crossing this threshold prints a structured `eprintln!` for + /// operator triage but does NOT fail the test (only IPFS_BLOCK_LIMIT + /// is a hard fail). Two distinct failure modes, two distinct + /// signals — gateway correctness vs architectural regression. + const SOFT_BLOCK_WARN_KIB: usize = 64 * 1024; + + /// Inner helper shared by all three scales so the assertion + /// surface stays identical regardless of which `#[test]` / + /// `#[ignore]` gate fires. + /// + /// **Scope** (per W.9.7 dual-advisor audit): this helper observes + /// only blobs written via the in-crate `BlobBackend::put` path + /// — i.e. HAMT internal-node and shard-leaf-bucket ciphertexts + /// from `V7NodeStore`. Manifest pages, the manifest root, and + /// the directory-index ciphertexts are persisted by + /// `crates/fula-client/src/encryption.rs`'s Phase 1.5 / 1.6 / 2 + /// commits via `S3BlobBackend.put_object_*` (a different layer + /// the SDK owns). Those blobs need a sibling block-size test in + /// `fula-client/tests/` to fully establish W.8.3's "no block + /// exceeds 1 MiB" claim across every persisted blob class. See + /// the W.9.7 follow-up task for the manifest-side variant. + /// + /// **Distribution** (W.9.7 finding from first 100k run): when + /// every entry is `/d/f{i}.bin` (single parent dir), the + /// `ForestDirectoryEntry` for `/d` accumulates one filename per + /// entry in its `files: Vec` field. At 100k entries + /// that single Dir blob grows to ~1.7 MiB, exceeding the gateway + /// limit. This is a real architectural cliff for "single + /// directory with 100k+ files" — separate from HAMT-cascade + /// scaling. Tracked as follow-up #72 (directory sharding). + /// To exercise pure HAMT scaling without that confound, this + /// helper distributes entries across `~sqrt(N)` parent dirs so + /// each Dir entry stays small (~`sqrt(N)` filenames) regardless + /// of total N. Production-scale FxFiles users with 100k files + /// would naturally distribute across folders; the test mirrors + /// that. + async fn run_walkable_v8_block_size_assertion(num_entries: usize) { + let backend = std::sync::Arc::new(WalkableV8RecordingBackend::new()); + // Use enough shards (256) that internal-node depth at 1M + // entries stays at log_16(1M / 256) ≈ 3-4 levels, matching + // production sharding heuristics. Fewer shards would + // artificially inflate internal-node fanout per shard and + // give a falsely-large worst-case block size. + let mut forest = + ShardedHamtPrivateForest::new("scale-bucket", test_dek(), 256); + + // Distribute across `~sqrt(N)` parent dirs (capped reasonably). + // Picking sqrt(N) rather than fixed-1000 keeps the per-dir + // file count balanced across scales (1k → 32 files/dir, + // 100k → 316 files/dir, 1M → 1000 files/dir). Each + // ForestDirectoryEntry stays small enough that its + // serialized blob fits comfortably under 1 MiB at every + // scale this test covers. + let dirs_per_layer: usize = ((num_entries as f64).sqrt() as usize).max(1); + + // Minimal `ForestFileEntry` — the test is about HAMT block + // size, not about realistic file metadata. Smaller entries + // also let us stretch to higher N before memory ceilings. + for i in 0..num_entries { + let dir_idx = i % dirs_per_layer; + let path = format!("/d{:04}/f{:08}.bin", dir_idx, i); + forest + .upsert_file(file_entry(&path, 0), &backend) + .await + .unwrap(); + } + forest.flush_dirty(&backend).await.unwrap(); + + let largest = backend.max_size(); + let largest_path = backend.max_path(); + let object_count = backend.object_count(); + + eprintln!( + "[walkable-v8 W.9.7] entries={} hamt_node_objects={} largest_hamt_block={} bytes \ + ({:.1} KiB) at path {}", + num_entries, + object_count, + largest, + largest as f64 / 1024.0, + largest_path + ); + + // Architectural early-warning (soft). Emits but does NOT + // fail — the regression-vs-prediction signal is decoupled + // from the gateway-correctness signal so operators can act + // on either independently. + if largest > SOFT_BLOCK_WARN_KIB { + eprintln!( + "[walkable-v8 W.9.7] SOFT WARNING: largest HAMT-node block ({} bytes / \ + {} KiB) exceeds the architectural early-warning ceiling ({} KiB). \ + Plan W.8.3 predicts ~4 KB worst-case; >64 KiB is a 16× regression. \ + The hard 1 MiB assert below still passes (gateway correctness \ + preserved), but inspect the parent-pointer fanout at path {} before \ + letting this land in production.", + largest, + largest / 1024, + SOFT_BLOCK_WARN_KIB / 1024, + largest_path, + ); + } + + assert!( + largest > 0, + "test setup invalid: no objects landed in the backend" + ); + assert!( + largest <= IPFS_BLOCK_LIMIT, + "LOAD-BEARING W.8.3 ASSERTION VIOLATED: encrypted HAMT-node block at {} \ + grew to {} bytes ({} KiB) which exceeds the 1 MiB IPFS gateway limit. \ + Walkable-v8 offline walks would fail for this block. Investigate: \ + pointer-array fanout exceeded HAMT branching factor (16)? Run with \ + `RUST_BACKTRACE=1` and inspect the parent chain of {}. NOTE: this \ + test scope is HAMT-node blobs only — manifest-page / dir-index blobs \ + are persisted via fula-client's S3BlobBackend and need a sibling \ + test (see W.9.7 follow-up task #72).", + largest_path, + largest, + largest / 1024, + largest_path + ); + } + + #[tokio::test] + async fn walkable_v8_block_size_at_1k_entries_stays_under_1mib() { + // Regular test — runs in CI on every PR. 1k entries finishes + // in ~1-3 s in debug mode. + run_walkable_v8_block_size_assertion(1_000).await; + } + + #[tokio::test] + #[ignore = "operator-run pre-release; release mode required, ~30s + ~150MB RAM"] + async fn walkable_v8_block_size_at_100k_entries_stays_under_1mib() { + // `cargo test --release -p fula-crypto --lib -- --ignored \ + // walkable_v8_block_size_at_100k_entries_stays_under_1mib` + // + // 100k is the realistic upper bound for FxFiles users + // (hundreds-to-thousands typical, 100k is a power user). If + // this fails, walkable-v8 is broken for power users — block + // and rollout. + run_walkable_v8_block_size_assertion(100_000).await; + } + + #[tokio::test] + #[ignore = "operator-run pre-major-release only; release mode required, ~30 min + ~5GB RAM"] + async fn walkable_v8_block_size_at_1m_entries_stays_under_1mib() { + // `cargo test --release -p fula-crypto --lib -- --ignored \ + // walkable_v8_block_size_at_1m_entries_stays_under_1mib` + // + // 1M is a stress ceiling, not a realistic workload. Per + // advisor's W.9.7 brief: this test exists to "find the + // architectural cliff before users do." A failure here would + // not block rollout for typical-scale users but would force + // a redesign for the long-tail enterprise case. + // + // Memory: every one of the ~1M-ish persisted encrypted blobs + // stays in the backend's HashMap so canonicalize-during-write + // can read its children. Expect ~5 GB residual at peak. If + // the test OOMs your dev box, run on a host with ≥ 16 GB + // free or skip it (the 100k test is the practical pre-release + // gate; 1M is the long-tail check). + run_walkable_v8_block_size_assertion(1_000_000).await; + } + + /// **Architectural finding documented as a regression guard.** + /// + /// First 100k run of `walkable_v8_block_size_at_100k_entries_*` + /// (with all entries in a single parent dir) failed at + /// 1.66 MiB — the `ForestDirectoryEntry` for the single shared + /// parent grew unbounded as `files: Vec` accumulated one + /// entry per upsert. This is a known limitation: a directory + /// containing 100k+ files in flat layout produces a single + /// HAMT-stored Dir blob that exceeds the 1 MiB gateway ceiling. + /// + /// This test pins the threshold by ramping up entries in a SINGLE + /// directory until the block-size limit is hit. It runs at a + /// modest scale (10k entries — well below the cliff but + /// approaching the documented warning ceiling) so it stays in + /// CI; the actual failure mode (~60-100k entries in one dir + /// pushes past 1 MiB) is documented in the assertion message. + /// + /// Why keep this test rather than just deleting it: a future + /// regression re-introducing per-file growth in `dir.files` + /// would silently re-create the cliff — this test catches it. + /// + /// **#72 RESOLVED 2026-05-09**: `upsert_file` no longer appends + /// the file's path to its parent dir's `files: Vec`. The + /// listing API (`list_directory`, `list_subtree`) walks the HAMT + /// for `F:` entries directly, so `dir.files` is dead weight on + /// new buckets. This test is now an inverted regression guard. + #[tokio::test] + async fn walkable_v8_single_directory_block_size_under_post_fix_72() { + // 10k entries in /single-dir. Pre-fix this produced a + // ForestDirectoryEntry blob in the ~150-300 KiB range + // (linear in number of children). Post-fix the Dir blob + // contains only `path`, empty `files`, empty `subdirs`, + // None metadata, None subtree_dek — a few hundred bytes + // at most regardless of child count. + let backend = std::sync::Arc::new(WalkableV8RecordingBackend::new()); + let mut forest = + ShardedHamtPrivateForest::new("single-dir-test", test_dek(), 256); + for i in 0..10_000usize { + let path = format!("/single-dir/f{:08}.bin", i); + forest + .upsert_file(file_entry(&path, 0), &backend) + .await + .unwrap(); + } + forest.flush_dirty(&backend).await.unwrap(); + + // Verify dir.files is empty post-fix (the load-bearing change). + let dir_entry = forest + .get_directory("/single-dir", &backend) + .await + .unwrap() + .expect("/single-dir must materialize after 10k upserts"); + assert!( + dir_entry.files.is_empty(), + "#72 regression: ForestDirectoryEntry.files should stay empty post-fix \ + but contained {} entries. The single-directory cliff returned.", + dir_entry.files.len() + ); + + // Verify the listing API still surfaces all 10k files via + // the new walk-based path. + let listing = forest.list_directory("/single-dir", &backend).await.unwrap(); + assert_eq!( + listing.len(), + 10_000, + "list_directory must return all 10k files via HAMT walk (got {})", + listing.len() + ); + + // Hard ceiling: no encrypted HAMT-node blob exceeds 1 MiB. + // Pre-fix this would have been at risk at much larger N + // (60-100k); post-fix it's not even close at 10k. + let largest = backend.max_size(); + eprintln!( + "[walkable-v8 #72 post-fix] 10k files in /single-dir/: largest blob \ + {} bytes ({:.1} KiB), dir.files.len()={}", + largest, largest as f64 / 1024.0, dir_entry.files.len() + ); + assert!( + largest <= IPFS_BLOCK_LIMIT, + "Largest HAMT blob {} bytes exceeds 1 MiB at 10k single-dir entries — \ + post-fix invariant violated.", + largest + ); + } + + /// **#72 stress test**: 100k FILES in a SINGLE directory. This + /// is the size that empirically hit the 1 MiB cliff pre-fix + /// (1.66 MiB Dir blob). Post-fix the Dir blob stays tiny + /// regardless of file count. Operator-run pre-major-release; + /// release mode required for memory headroom. + /// + /// **NOTE (Reviewer B audit)**: this only verifies the FILES + /// cliff is gone. A symmetric `subdirs: Vec` cliff + /// exists for directories with 100k+ direct subdirectories + /// (`ensure_ancestor_chain` does `d.subdirs.push(child)` + /// linearly). That parallel cliff is tracked separately; it + /// has not been observed empirically and is rarer in practice + /// (users with 100k subdirs at one level are uncommon). + /// + /// `cargo test --release -p fula-crypto --lib -- --ignored \ + /// walkable_v8_single_directory_at_100k_post_fix_72` + #[tokio::test] + #[ignore = "operator-run pre-release; release mode required, ~30s + ~150MB RAM"] + async fn walkable_v8_single_directory_at_100k_post_fix_72() { + let backend = std::sync::Arc::new(WalkableV8RecordingBackend::new()); + let mut forest = + ShardedHamtPrivateForest::new("single-dir-100k", test_dek(), 256); + for i in 0..100_000usize { + let path = format!("/single-dir/f{:08}.bin", i); + forest + .upsert_file(file_entry(&path, 0), &backend) + .await + .unwrap(); + } + forest.flush_dirty(&backend).await.unwrap(); + + let dir_entry = forest + .get_directory("/single-dir", &backend) + .await + .unwrap() + .expect("/single-dir must exist after 100k upserts"); + assert!( + dir_entry.files.is_empty(), + "#72 regression at 100k: dir.files should be empty, was {}", + dir_entry.files.len() + ); + + let largest = backend.max_size(); + let largest_path = backend.max_path(); + eprintln!( + "[walkable-v8 #72 100k] largest blob {} bytes ({:.1} KiB) at {}", + largest, largest as f64 / 1024.0, largest_path + ); + assert!( + largest <= IPFS_BLOCK_LIMIT, + "100k files in /single-dir/ → largest blob {} bytes exceeds 1 MiB. \ + #72 regression: the cliff returned. Inspect {} for dir.files growth \ + or HAMT-node fanout regression.", + largest, largest_path + ); + } } diff --git a/crates/fula-crypto/src/wnfs_hamt/mod.rs b/crates/fula-crypto/src/wnfs_hamt/mod.rs index d3eef62..58cb0a2 100644 --- a/crates/fula-crypto/src/wnfs_hamt/mod.rs +++ b/crates/fula-crypto/src/wnfs_hamt/mod.rs @@ -15,5 +15,5 @@ pub mod v7_store; pub(crate) use node::Node; pub(crate) use pointer::{ChildPtr, Pair, Pointer}; -pub(crate) use store::{HamtNodeBytes, HamtNodeStore, STORAGE_KEY_LEN, StorageKey}; -pub use v7_store::{BlobBackend, V7NodeStore, V7_NODE_PREFIX}; +pub(crate) use store::{HamtNodeBytes, HamtNodeStore, NodePutResult, STORAGE_KEY_LEN, StorageKey}; +pub use v7_store::{BlobBackend, BlobPutResult, V7NodeStore, V7_NODE_PREFIX}; diff --git a/crates/fula-crypto/src/wnfs_hamt/node.rs b/crates/fula-crypto/src/wnfs_hamt/node.rs index 5af2bc2..ddb647f 100644 --- a/crates/fula-crypto/src/wnfs_hamt/node.rs +++ b/crates/fula-crypto/src/wnfs_hamt/node.rs @@ -11,10 +11,11 @@ use super::constants::{HAMT_BITMASK_BIT_SIZE, HAMT_VALUES_BUCKET_SIZE}; use super::hash_nibbles::HashNibbles; use super::pointer::{ChildPtr, Pair, Pointer, PointerWire}; -use super::store::{HamtNodeStore, StorageKey}; +use super::store::{HamtNodeStore, NodePutResult, StorageKey}; use crate::hashing::Hasher; use crate::{CryptoError, Result}; use async_recursion::async_recursion; +use cid::Cid; use serde::{Deserialize, Serialize, de::DeserializeOwned}; use std::fmt::{self, Debug, Formatter}; use std::marker::PhantomData; @@ -145,10 +146,13 @@ where /// Serialize this node (recursively persisting any in-memory children) /// and write the resulting plaintext bytes to the store. Returns the - /// content-addressed key the store assigned. + /// content-addressed key the store assigned, alongside an optional + /// CID hint (W.9.2): `Some(_)` when the underlying `BlobBackend` + /// returned one in `BlobPutResult.cid` (e.g. master S3's `ETag`), + /// `None` for in-memory backends or when the etag failed to parse. #[cfg_attr(not(target_arch = "wasm32"), async_recursion)] #[cfg_attr(target_arch = "wasm32", async_recursion(?Send))] - pub async fn store(&self, store: &(impl HamtNodeStore + ?Sized)) -> Result { + pub async fn store(&self, store: &(impl HamtNodeStore + ?Sized)) -> Result { let mut wire_pointers = Vec::with_capacity(self.pointers.len()); for p in &self.pointers { wire_pointers.push(p.to_wire(store).await?); @@ -176,6 +180,18 @@ where /// requirement of the AEAD node encryption model (a child's storage /// key is only known after its parent is decrypted). Input pointer /// order is preserved in the output. + /// + /// **Walkable-v8 (W.9.5 / #37) — fetch-order obfuscation.** The + /// per-pointer future list is shuffled before being passed to + /// `stream::buffered`, so a network observer watching the offline + /// gateway-race traffic for a single HAMT node sees an unpredictable + /// fetch order rather than the bitmask-order that would otherwise + /// leak intra-node topology. Output ordering is restored by sorting + /// on the original pointer index after collection — the docstring's + /// "input pointer order is preserved" contract is unchanged. + /// The cost is one `Vec::shuffle` per recursion (O(N) where N ≤ 16) + /// and a sort of the same size; both negligible vs. the network + /// fetch cost they're being interleaved with. #[cfg_attr(not(target_arch = "wasm32"), async_recursion)] #[cfg_attr(target_arch = "wasm32", async_recursion(?Send))] pub async fn flat_map( @@ -188,30 +204,49 @@ where T: Send, { use futures::stream::{self, StreamExt, TryStreamExt}; + use rand::seq::SliceRandom; // Build the per-pointer future list with `std::iter::Iterator::map` // (not `StreamExt::map`) so each future's captured lifetimes bind to // `self` / `f` / `store` concretely. `StreamExt::map` infers an HRTB // that the `async_recursion` macro's rewritten body can't satisfy. - let per_pointer_futs: Vec<_> = self + // + // W.9.5 / #37: each future carries its `original_idx` in the + // tuple so we can re-sort post-fetch and preserve the + // declared output-ordering contract regardless of which fetch + // order the buffered stream actually drove. + let mut per_pointer_futs: Vec<_> = self .pointers .iter() - .map(|p| async move { - match p { + .enumerate() + .map(|(original_idx, p)| async move { + let v: Vec = match p { Pointer::Values(values) => { - values.iter().map(f).collect::>>() + values.iter().map(f).collect::>>()? } Pointer::Link(child_ptr) => { let child = child_ptr.resolve_owned(store).await?; - child.flat_map(f, store).await + child.flat_map(f, store).await? } - } + }; + Ok::<(usize, Vec), crate::error::CryptoError>((original_idx, v)) }) .collect(); - let per_pointer: Vec> = stream::iter(per_pointer_futs) + + // Shuffle the future order so a network observer can't infer + // pointer-index ↔ fetch-time correlation. `thread_rng` works on + // wasm32 via the `getrandom/js` feature already enabled in + // `fula-crypto/Cargo.toml`'s `wasm` feature gate. + per_pointer_futs.shuffle(&mut rand::thread_rng()); + + let mut per_pointer: Vec<(usize, Vec)> = stream::iter(per_pointer_futs) .buffered(FLAT_MAP_SIBLING_CONCURRENCY) .try_collect() .await?; - Ok(per_pointer.into_iter().flatten().collect()) + // Restore original pointer order to honour the docstring + // contract. Stable sort over a small (≤ 16-element) Vec is + // cheap. + per_pointer.sort_by_key(|(idx, _)| *idx); + Ok(per_pointer.into_iter().flat_map(|(_, v)| v).collect()) } //---------------------------------------------------------------------------------------------- @@ -421,13 +456,55 @@ where { /// Fetch and decode the node at `key`. Children remain as `Stored` /// references and are not pre-fetched — resolution is lazy per access. + /// + /// Test-only after W.9.4: production code paths all funnel through + /// [`load_with_cid_hint`] (which forwards a `None` hint when the + /// caller's parent pointer was a legacy `Stored` variant). The + /// unit-test round-trip suites in this module + `v7_store::tests` + /// still exercise the simpler signature, so it stays available + /// behind `#[cfg(test)]`. + #[cfg(test)] pub async fn load( key: &StorageKey, store: &(impl HamtNodeStore + ?Sized), ) -> Result { let bytes = store.get_node(key).await?; + // #81: classify postcard errors — `DeserializeBadEnum` (an + // unknown variant tag, e.g. v0.5 SDK reading a v0.6 + // walkable-v8 `LinkV2` blob) maps to the typed + // `CryptoError::WireVersionUnsupported` so operators can + // filter telemetry on the variant rather than substring- + // matching the generic `Serialization` error. + let wire: NodeWire = postcard::from_bytes(&bytes) + .map_err(|e| CryptoError::classify_postcard_decode(e, "decode hamt node"))?; + Ok(Self::from_wire(wire)) + } + + /// Walkable-v8 (W.9.4) — load with a content-address hint forwarded + /// to the storage layer. Used by `ChildPtr::resolve_owned` when the + /// parent's pointer is `PointerWire::LinkV2 { storage_key, cid }`, + /// so an offline-aware `HamtNodeStore` can fetch via gateway race + /// when master is unreachable. `cid_hint = None` is byte-identical + /// to [`load`] — used for the legacy `Stored(StorageKey)` arm + /// during lazy migration. + /// + /// Distinct from `load` so existing callers don't have to thread + /// `Option<&Cid>` through their stacks; the dispatcher in + /// `ChildPtr::resolve_owned` is the single load-bearing fan-out. + pub async fn load_with_cid_hint( + key: &StorageKey, + cid_hint: Option<&Cid>, + store: &(impl HamtNodeStore + ?Sized), + ) -> Result { + let bytes = store.get_node_with_cid_hint(key, cid_hint).await?; + // #81: classify postcard errors — `DeserializeBadEnum` (an + // unknown variant tag, e.g. v0.5 SDK reading a v0.6 + // walkable-v8 `LinkV2` blob) maps to the typed + // `CryptoError::WireVersionUnsupported` so operators can + // filter telemetry on the variant rather than substring- + // matching the generic `Serialization` error. let wire: NodeWire = postcard::from_bytes(&bytes) - .map_err(|e| CryptoError::Serialization(format!("decode hamt node: {e}")))?; + .map_err(|e| CryptoError::classify_postcard_decode(e, "decode hamt node"))?; Ok(Self::from_wire(wire)) } @@ -504,7 +581,7 @@ impl Debug for Node { #[cfg(all(test, not(target_arch = "wasm32")))] mod round_trip_tests { use super::*; - use super::super::store::{HamtNodeBytes, HamtNodeStore, STORAGE_KEY_LEN}; + use super::super::store::{HamtNodeBytes, HamtNodeStore, NodePutResult, STORAGE_KEY_LEN}; use crate::hashing::Blake3Hasher; use std::collections::HashMap; use std::sync::Mutex; @@ -550,10 +627,10 @@ mod round_trip_tests { Ok(bytes) } - async fn put_node(&self, bytes: HamtNodeBytes) -> Result { + async fn put_node(&self, bytes: HamtNodeBytes) -> Result { let k = Self::compute_key(&bytes); self.blobs.lock().unwrap().insert(k, bytes); - Ok(k) + Ok(NodePutResult { storage_key: k, cid: None }) } } @@ -586,7 +663,7 @@ mod round_trip_tests { assert_eq!(missing, None); // Persist the whole tree, reload from bytes, re-verify every lookup. - let root_key = root.store(&store).await.unwrap(); + let root_key = root.store(&store).await.unwrap().storage_key; let loaded: TestNode = TestNode::load(&root_key, &store).await.unwrap(); for (k, v) in &pairs { let got = loaded.get(k, &store).await.unwrap(); @@ -635,4 +712,146 @@ mod round_trip_tests { assert!(got.is_none()); assert_eq!(root.get(&b"present".to_vec(), &store).await.unwrap(), Some(7)); } + + /// W.9.5 / #37 — fetch-order obfuscation regression guard. + /// + /// `flat_map` shuffles the per-pointer future list to hide + /// intra-node topology from a network observer. The OUTPUT + /// ordering must still be deterministic (preserves the docstring + /// contract). This test pins both properties: + /// + /// 1. **Output is stable**: collect multiple times, every result + /// Vec must be identical (same plaintext leaves in the same + /// order regardless of which fetch order the buffered stream + /// drove). + /// 2. **Fetch order is randomized**: an instrumented backend that + /// records the ORDER it receives `get_node` calls in MUST see + /// different sequences across runs (with high probability). + /// + /// Without (2), a future refactor that drops `shuffle()` would + /// silently regress the privacy property — the test catches it. + #[tokio::test] + async fn flat_map_shuffles_fetch_order_but_preserves_output_order() { + use std::sync::Mutex; + + // Backend that records every `get_node` call's storage_key + // in receipt order — so we can compare orderings across + // multiple `flat_map` runs. + struct OrderTrackingStore { + inner: InMemoryStore, + fetch_order: Mutex>, + } + impl OrderTrackingStore { + fn new() -> Self { + Self { + inner: InMemoryStore::new(), + fetch_order: Mutex::new(Vec::new()), + } + } + fn observed_order(&self) -> Vec { + self.fetch_order.lock().unwrap().clone() + } + fn reset_order(&self) { + self.fetch_order.lock().unwrap().clear(); + } + } + #[async_trait::async_trait] + impl HamtNodeStore for OrderTrackingStore { + async fn get_node(&self, key: &StorageKey) -> Result { + self.fetch_order.lock().unwrap().push(*key); + self.inner.get_node(key).await + } + async fn put_node(&self, bytes: HamtNodeBytes) -> Result { + self.inner.put_node(bytes).await + } + } + + let store = OrderTrackingStore::new(); + let mut root: Arc = Arc::new(TestNode::default()); + // Plant enough entries that several slots split into Link + // pointers (which is what triggers the shuffle path — + // Pointer::Values arms don't fetch). 64 entries across 16 + // top-level nibbles forces at least 4 sibling Link + // pointers under the root; that's enough to make the + // observed-order distribution non-degenerate. + for i in 0u64..64 { + let k = format!("shuffle-key-{:04}", i).into_bytes(); + root.set(k, i, &store).await.unwrap(); + } + // Persist + reload from the store so subsequent flat_maps + // actually fetch (the in-memory tree would otherwise short- + // circuit through `Arc::clone` and never call `get_node`). + let root_key = root.store(&store).await.unwrap().storage_key; + let f = |pair: &Pair, u64>| Ok(pair.value); + + // Capture output + fetch order across multiple runs. + let mut all_outputs: Vec> = Vec::new(); + let mut all_orders: Vec> = Vec::new(); + for _ in 0..5 { + store.reset_order(); + let reloaded: TestNode = TestNode::load(&root_key, &store).await.unwrap(); + let out = reloaded.flat_map(&f, &store).await.unwrap(); + all_outputs.push(out); + all_orders.push(store.observed_order()); + } + + // (1) Output ORDERING (not just multiset) is stable across + // runs. The shuffle affects fetch order, NOT output — + // `sort_by_key((original_idx, _))` after `try_collect` + // restores the input-pointer order before flatten. Compare + // unsorted outputs so a regression that drops the + // `sort_by_key` is caught here (with `out.sort()` applied, + // such a regression would still preserve the multiset and + // pass — Reviewer A flagged this). + for i in 1..all_outputs.len() { + assert_eq!( + all_outputs[0], all_outputs[i], + "output ORDER must be deterministic across runs (run {}); \ + if this fires, sort_by_key after flat_map's try_collect \ + was likely dropped", + i + ); + } + // Sanity: every output must contain all 64 plaintexts (multiset + // check, independent of ordering). + assert_eq!(all_outputs[0].len(), 64); + let mut sorted = all_outputs[0].clone(); + sorted.sort(); + let expected: Vec = (0u64..64).collect(); + assert_eq!(sorted, expected, "missing plaintext value(s)"); + + // (2) Setup must actually exercise the shuffle. If + // `HAMT_VALUES_BUCKET_SIZE` changes or BLAKE3 happens to + // cluster all 64 entries into one nibble, we'd shuffle a + // 1-pointer Vec and the next assertion would always pass + // for the wrong reason. Require a non-trivial fetch count + // across the runs so a regression in test setup fails loud + // instead of masking a regression in the shuffle. + let total_fetches: usize = all_orders.iter().map(|o| o.len()).sum(); + assert!( + total_fetches >= 10, + "test setup degenerate: only {} get_node calls across 5 runs — \ + not enough Pointer::Link splits to exercise the shuffle. \ + Likely cause: HAMT_VALUES_BUCKET_SIZE changed or the entry \ + count is too small for the current value. Bump entry count.", + total_fetches + ); + + // (3) Fetch order is randomized. Across 5 runs, at least + // TWO orderings must differ. For K splittable subtrees, + // P(5 runs all identical) = 1/(K!)^4 — vanishingly small + // for the K ≥ 4 we just enforced via (2). If `shuffle()` + // is silently removed, ALL runs produce the same bitmask- + // ordered fetch sequence and this fires immediately. + let distinct_orders: std::collections::HashSet> = + all_orders.iter().cloned().collect(); + assert!( + distinct_orders.len() >= 2, + "fetch-order obfuscation regression: 5 runs of flat_map produced \ + only {} distinct fetch orderings — expected ≥ 2 from the \ + shuffle. If `flat_map` was refactored to drop the per_pointer_futs.shuffle() \ + call, this assertion catches it.", + distinct_orders.len() + ); + } } diff --git a/crates/fula-crypto/src/wnfs_hamt/pointer.rs b/crates/fula-crypto/src/wnfs_hamt/pointer.rs index 16fdc12..8a5c9fc 100644 --- a/crates/fula-crypto/src/wnfs_hamt/pointer.rs +++ b/crates/fula-crypto/src/wnfs_hamt/pointer.rs @@ -9,6 +9,7 @@ use super::node::Node; use super::store::{HamtNodeStore, StorageKey}; use crate::hashing::Hasher; use crate::{CryptoError, Result}; +use cid::Cid; use serde::{Deserialize, Serialize, de::DeserializeOwned}; use std::fmt::Debug; use std::sync::Arc; @@ -39,12 +40,27 @@ impl Pair { /// /// This mirrors wnfs-common's `Link>` split but is content-addressed /// by a fula `StorageKey` rather than a libipld `Cid`. +/// +/// **Walkable-v8 (plan section W.9.1)**: `StoredV2` extends `Stored` with a +/// CID hint — the master-returned `BLAKE3(ciphertext)` raw-codec address — +/// so an offline reader can fetch this child via public IPFS gateway without +/// going through master. The `storage_key` is retained for online walks and +/// for the writer-side conditional-PUT story (Phase 1.5/1.6/2 If-Match). +/// Both addresses refer to the same encrypted node ciphertext; they +/// authenticate each other indirectly via fetch-then-verify (gateway returns +/// bytes whose hash matches `cid`, AEAD decryption with `forest_dek` then +/// confirms the plaintext is the same content `storage_key` was derived +/// from). pub enum ChildPtr where H: Hasher, { InMemory(Arc>), Stored(StorageKey), + StoredV2 { + storage_key: StorageKey, + cid: Cid, + }, } /// Each bit in the bitmask of a HAMT node maps to one `Pointer`. A `Pointer` @@ -64,10 +80,37 @@ where /// On-disk (post-encryption) representation of a `Pointer`. Encoded via /// postcard for deterministic, compact output so plaintext content-addressing /// produces stable `StorageKey`s across re-encodes. +/// +/// **Wire-version compatibility (walkable-v8 plan, section W.3.2).** Variant +/// tags are part of the on-disk contract: +/// +/// | Variant | Tag | Introduced | Read by | Written by | +/// |-----------|-----|------------|-----------|---------------| +/// | `Values` | 0 | v7 | v7+, v8+ | v7+ | +/// | `Link` | 1 | v7 | v7+, v8+ | v7+ | +/// | `LinkV2` | 2 | v8 | v8+ | v8+ (opt-in) | +/// +/// A v7-only deserializer (an SDK that has never been recompiled with the +/// `LinkV2` variant) fails on tag `2` with postcard's "unknown variant" +/// error. This is the intended forward-incompatibility boundary — old SDKs +/// see a typed error rather than data corruption when they encounter +/// v8-format blobs. We rely on postcard's own enum-variant discrimination +/// here; do **not** add a leading magic byte (postcard's varint length +/// prefix on the outer `Vec` collides with small magic values +/// when the Vec happens to have that many elements). #[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)] pub(crate) enum PointerWire { Values(Vec<(K, V)>), Link(StorageKey), + /// Walkable-v8 variant. Pairs the master-S3 storage key with the CID + /// master returned in its PUT response (= `BLAKE3(ciphertext)` + /// raw-codec). The `cid` field lets a reader fetch this child via + /// public IPFS gateway (offline mode) without going through master. + /// See `ChildPtr::StoredV2` for the in-memory counterpart. + LinkV2 { + storage_key: StorageKey, + cid: Cid, + }, } //-------------------------------------------------------------------------------------------------- @@ -81,8 +124,31 @@ where H: Hasher + Send + Sync, { /// Resolve the child node, loading and decoding it from the store when - /// the link is a `Stored` reference. The returned `Arc` is shared with - /// the in-memory form when already resident. + /// the link is a `Stored` or `StoredV2` reference. The returned `Arc` is + /// shared with the in-memory form when already resident. + /// + /// **Walkable-v8 (W.9.4)**: when this is a `StoredV2 { storage_key, cid }` + /// link, the embedded `cid` is forwarded to the storage layer as a + /// content-address hint via `Node::load_with_cid_hint`. An offline- + /// aware `HamtNodeStore` (e.g. `V7NodeStore` over `S3BlobBackend`) + /// uses it to engage the gateway race when master is unreachable; an + /// in-memory test store ignores it and falls through to the regular + /// fetch. Either way, the post-fetch integrity pipeline + /// (`V7NodeStore::decrypt_and_verify`) recomputes + /// `BLAKE3(bucket_salt ‖ plaintext)[..22]` and compares to + /// `storage_key` — the third integrity layer that defends against a + /// malicious parent that pointed `LinkV2` at the right CID but the + /// wrong storage_key. + /// + /// **Reader path is NOT gated on `walkable_v8_writer_enabled`.** + /// The wire-format variant itself is the gate: when the writer flag + /// is off, no `LinkV2` entries get persisted, so no `cid_hint` + /// reaches the store. Buckets written entirely under v7 stay on + /// the legacy `Stored` arm (no hint, no offline-walk capability — + /// same behaviour as today). Adding a separate reader flag for + /// "symmetry" with the writer would be a bug: it would break a + /// legitimately-flagged-on bucket whenever the user toggled the + /// flag back off mid-session. pub async fn resolve_owned( &self, store: &(impl HamtNodeStore + ?Sized), @@ -90,7 +156,26 @@ where match self { ChildPtr::InMemory(n) => Ok(Arc::clone(n)), ChildPtr::Stored(key) => { - let node = Node::::load(key, store).await?; + // Legacy v7 arm — no CID hint available. Pass `None` so + // the store falls back to its `get_node` path; on master- + // down this surfaces the ordinary warm-cache offline + // path (Phase 2.4) which itself can fail with + // `MasterUnreachable` for cold buckets. Keeps lazy- + // migration semantics from W.4.2. + let node = + Node::::load_with_cid_hint(key, None, store).await?; + Ok(Arc::new(node)) + } + ChildPtr::StoredV2 { storage_key, cid } => { + // Walkable-v8 arm — forward both the storage_key (for + // master-S3 routing AND post-fetch storage_key recompute) + // and the cid (for cold-cache gateway race). + let node = Node::::load_with_cid_hint( + storage_key, + Some(cid), + store, + ) + .await?; Ok(Arc::new(node)) } } @@ -109,6 +194,15 @@ where /// content-addressing deterministic. /// /// Only meaningful for a `Link` pointer; calling on `Values` is a bug. + /// + /// **Walkable-v8 note (W.9.3 will revisit this).** When this function + /// re-wraps a subtree as `Pointer::Link(ChildPtr::InMemory(node))` + /// (the "still-needs-to-be-a-subtree" branches below), any CID hint + /// that was on the input `StoredV2` link is intentionally dropped — + /// the in-memory subtree must be re-persisted by the caller, which + /// will produce a fresh CID. W.9.3's writer wiring should NOT assume + /// a `StoredV2` survives canonicalize; it must re-stamp the CID after + /// the subsequent persist. pub async fn canonicalize( self, store: &(impl HamtNodeStore + ?Sized), @@ -151,6 +245,35 @@ where /// Serialize this pointer to its on-disk form. Child subtrees that are /// `InMemory` are recursively persisted first so their `StorageKey`s can /// be embedded in the parent's wire form. + /// + /// **Walkable-v8 (W.9.1 plumbing, W.9.3 writer integration):** + /// + /// | Child variant | Wire variant emitted | + /// |--------------------------|--------------------------------------------------------| + /// | `ChildPtr::Stored(key)` | `PointerWire::Link(key)` — unchanged stored sibling. | + /// | | We don't have a CID for an unmutated stored child; | + /// | | upgrading it would require an extra fetch+rehash. So | + /// | | legacy children stay as `Link` until they themselves | + /// | | get re-persisted (lazy migration, plan W.4.2). | + /// | `ChildPtr::StoredV2{..}` | `PointerWire::LinkV2 { .. }` — preserve the CID hint | + /// | | a previous flush (or load) gave us. | + /// | `ChildPtr::InMemory(c)` | `PointerWire::LinkV2 { storage_key, cid }` when the | + /// | | freshly-persisted child's `NodePutResult.cid` is | + /// | | `Some(_)` — i.e. when the underlying `BlobBackend` | + /// | | (typically `S3BlobBackend` with `walkable_v8_writer_ | + /// | | enabled = true`) surfaced a master-attested CID for | + /// | | the ciphertext. Falls back to `PointerWire::Link` | + /// | | when `cid` is `None` (writer flag off, in-memory test | + /// | | backend, or master returned an unparseable etag). | + /// + /// **Mixed-variant parents are normal**: a parent re-persisted after one + /// child mutation will contain `Link(SK)` for unchanged siblings AND + /// `LinkV2 { SK, cid }` for the freshly-stored child. This is correct + /// — old SDKs that don't know `LinkV2` already refuse such a parent + /// cleanly via postcard's "unknown variant 2" error (see + /// `legacy_v7_decoder_errors_on_v8_link_v2_blob` test in this file), + /// and v8 SDKs handle both variants on `from_wire` (see + /// `mixed_link_and_link_v2_in_one_parent_round_trips`). pub async fn to_wire( &self, store: &(impl HamtNodeStore + ?Sized), @@ -164,9 +287,19 @@ where Ok(PointerWire::Values(pairs)) } Pointer::Link(ChildPtr::Stored(key)) => Ok(PointerWire::Link(*key)), + Pointer::Link(ChildPtr::StoredV2 { storage_key, cid }) => Ok(PointerWire::LinkV2 { + storage_key: *storage_key, + cid: cid.clone(), + }), Pointer::Link(ChildPtr::InMemory(child)) => { - let key = child.store(store).await?; - Ok(PointerWire::Link(key)) + let result = child.store(store).await?; + match result.cid { + Some(cid) => Ok(PointerWire::LinkV2 { + storage_key: result.storage_key, + cid, + }), + None => Ok(PointerWire::Link(result.storage_key)), + } } } } @@ -180,8 +313,8 @@ where H: Hasher, { /// Inverse of `to_wire`. Never triggers a store access: `Link` children - /// stay as `Stored` references and are resolved on demand during - /// traversal. + /// stay as `Stored` (legacy) or `StoredV2` (walkable-v8) references and + /// are resolved on demand during traversal. pub fn from_wire(wire: PointerWire) -> Self { match wire { PointerWire::Values(kvs) => Pointer::Values( @@ -190,6 +323,9 @@ where .collect(), ), PointerWire::Link(key) => Pointer::Link(ChildPtr::Stored(key)), + PointerWire::LinkV2 { storage_key, cid } => { + Pointer::Link(ChildPtr::StoredV2 { storage_key, cid }) + } } } } @@ -203,6 +339,10 @@ impl Clone for ChildPtr { match self { ChildPtr::InMemory(n) => ChildPtr::InMemory(Arc::clone(n)), ChildPtr::Stored(k) => ChildPtr::Stored(*k), + ChildPtr::StoredV2 { storage_key, cid } => ChildPtr::StoredV2 { + storage_key: *storage_key, + cid: cid.clone(), + }, } } } @@ -221,6 +361,11 @@ impl Debug for ChildPtr { match self { ChildPtr::InMemory(n) => f.debug_tuple("InMemory").field(n).finish(), ChildPtr::Stored(k) => f.debug_tuple("Stored").field(&hex::encode(k)).finish(), + ChildPtr::StoredV2 { storage_key, cid } => f + .debug_struct("StoredV2") + .field("storage_key", &hex::encode(storage_key)) + .field("cid", cid) + .finish(), } } } @@ -248,7 +393,341 @@ impl PartialEq for Pointer { // stored; in-memory links can differ bit-for-bit yet represent // equivalent subtrees until both are persisted. (Pointer::Link(ChildPtr::Stored(a)), Pointer::Link(ChildPtr::Stored(b))) => a == b, + // StoredV2 equality requires both the storage_key AND the CID + // hint to match — two `StoredV2` referring to the same logical + // child but recorded with different CIDs (e.g. one stamped from + // an old PUT, one from a fresh PUT with a different nonce hence + // different ciphertext-hash) are NOT considered equal at this + // layer. Cross-variant comparison (`Stored` vs `StoredV2`) is + // intentionally `false` to keep the v8-format-vs-v7-format + // distinction observable in tests. + ( + Pointer::Link(ChildPtr::StoredV2 { storage_key: a_sk, cid: a_cid }), + Pointer::Link(ChildPtr::StoredV2 { storage_key: b_sk, cid: b_cid }), + ) => a_sk == b_sk && a_cid == b_cid, _ => false, } } } + +//-------------------------------------------------------------------------------------------------- +// Walkable-v8 wire format tests (W.9.1) +//-------------------------------------------------------------------------------------------------- +// +// These tests pin the on-disk wire-format contract for `PointerWire` so that +// a future refactor can't silently break the version-dispatch story. The +// load-bearing properties they assert: +// +// 1. Each variant round-trips through postcard losslessly. +// 2. The variant index of `LinkV2` is the postcard discriminator `2` — +// the value an old (v7-only) deserializer doesn't recognise. +// 3. A v7-only deserializer (modelled here as `LegacyPointerWire` with +// only `Values` and `Link` variants) errors cleanly on a v8-format +// `LinkV2` blob. +// 4. The v8 deserializer reads a v7-format `Link` blob (legacy data +// written by an SDK pre-walkable-v8 round-trips fine). +// +// If anyone changes the variant order or removes a variant, these tests +// must fail loudly — that's by design. + +#[cfg(test)] +mod walkable_v8_wire_tests { + use super::*; + use super::super::store::STORAGE_KEY_LEN; + use cid::Cid; + use cid::multihash::Multihash; + + fn test_storage_key() -> StorageKey { + let mut k = [0u8; STORAGE_KEY_LEN]; + for (i, b) in k.iter_mut().enumerate() { + *b = i as u8; + } + k + } + + fn test_cid() -> Cid { + // BLAKE3 multihash code = 0x1e, 32-byte digest. Mirrors what master + // returns in its PUT-response ETag header + // (`crates/fula-cli/src/handlers/object.rs:103-137`). + let digest = [0xABu8; 32]; + let mh = Multihash::<64>::wrap(0x1e, &digest).expect("BLAKE3 multihash wrap"); + // Codec 0x55 = raw, matching master's CID format for object bodies. + Cid::new_v1(0x55, mh) + } + + #[test] + fn pointer_wire_values_roundtrip() { + let original: PointerWire, u64> = PointerWire::Values(vec![ + (b"key-a".to_vec(), 1), + (b"key-b".to_vec(), 2), + ]); + let encoded = postcard::to_allocvec(&original).expect("encode"); + // Postcard writes enum variant index as the leading byte for small + // tags. Values is variant 0. + assert_eq!(encoded[0], 0, "Values is variant 0 in the wire format"); + let decoded: PointerWire, u64> = + postcard::from_bytes(&encoded).expect("decode"); + assert_eq!(decoded, original); + } + + #[test] + fn pointer_wire_link_legacy_roundtrip() { + let original: PointerWire, u64> = PointerWire::Link(test_storage_key()); + let encoded = postcard::to_allocvec(&original).expect("encode"); + assert_eq!(encoded[0], 1, "Link is variant 1 in the wire format"); + let decoded: PointerWire, u64> = + postcard::from_bytes(&encoded).expect("decode"); + assert_eq!(decoded, original); + } + + #[test] + fn pointer_wire_link_v2_roundtrip() { + let original: PointerWire, u64> = PointerWire::LinkV2 { + storage_key: test_storage_key(), + cid: test_cid(), + }; + let encoded = postcard::to_allocvec(&original).expect("encode"); + // LinkV2 must be variant 2 — this is the load-bearing + // version-dispatch byte for walkable-v8 (plan W.3.2). Old + // deserializers that only know variants 0 and 1 must error here. + assert_eq!( + encoded[0], 2, + "LinkV2 is variant 2 in the wire format — do not change this. \ + A v7-only deserializer relies on tag 2 being unknown to surface \ + a typed error rather than corrupting state." + ); + let decoded: PointerWire, u64> = + postcard::from_bytes(&encoded).expect("decode"); + assert_eq!(decoded, original); + } + + /// A v7-only enum (only Values + Link variants) — simulates a + /// v0.5-or-earlier SDK that has never been recompiled to know about + /// `LinkV2`. Reading a v8-format `LinkV2` blob into this enum must + /// produce a typed error. + #[derive(Debug, Serialize, Deserialize)] + enum LegacyPointerWire { + Values(Vec<(K, V)>), + Link(StorageKey), + } + + #[test] + fn legacy_v7_decoder_errors_on_v8_link_v2_blob() { + let v8_blob: PointerWire, u64> = PointerWire::LinkV2 { + storage_key: test_storage_key(), + cid: test_cid(), + }; + let encoded = postcard::to_allocvec(&v8_blob).expect("encode"); + + let result: std::result::Result, u64>, _> = + postcard::from_bytes(&encoded); + assert!( + result.is_err(), + "v7-only deserializer must error on v8 LinkV2 blob \ + (forward-incompatibility boundary), got {:?}", + result + ); + } + + #[test] + fn v8_decoder_reads_legacy_v7_link_blob() { + // A v7 SDK encoded a `Link(StorageKey)` blob. A v8 SDK reading the + // same bucket must decode it identically — no upgrade-on-read, + // legacy data stays accessible until the user happens to write to + // it (W.4.2: lazy migration on next write). + let v7_blob = LegacyPointerWire::, u64>::Link(test_storage_key()); + let encoded = postcard::to_allocvec(&v7_blob).expect("encode"); + + let decoded: PointerWire, u64> = + postcard::from_bytes(&encoded).expect("decode v7 blob via v8 deserializer"); + assert_eq!(decoded, PointerWire::Link(test_storage_key())); + } + + #[test] + fn v8_decoder_reads_legacy_v7_values_blob() { + let v7_blob = LegacyPointerWire::, u64>::Values(vec![ + (b"a".to_vec(), 10), + (b"b".to_vec(), 20), + ]); + let encoded = postcard::to_allocvec(&v7_blob).expect("encode"); + + let decoded: PointerWire, u64> = + postcard::from_bytes(&encoded).expect("decode v7 values blob via v8 deserializer"); + match decoded { + PointerWire::Values(pairs) => { + assert_eq!(pairs.len(), 2); + assert_eq!(pairs[0], (b"a".to_vec(), 10)); + assert_eq!(pairs[1], (b"b".to_vec(), 20)); + } + other => panic!("expected Values, got {:?}", other), + } + } + + /// Mixed-variant parent (W.9.3 advisor blind-spot): a parent + /// re-persisted after one child mutation legitimately contains + /// `Link(SK)` for unchanged stored siblings AND `LinkV2 { SK, cid }` + /// for the freshly-stored child. This is the realistic case during + /// lazy migration (plan W.4.2): a v8-aware writer mutates one + /// subtree, the parent re-encodes, untouched stored children stay + /// in the legacy `Link` variant, the mutated child gets the new + /// `LinkV2`. Both must round-trip through postcard losslessly. + /// + /// Without this test the existing single-variant tests above pass + /// even if `from_wire`/`to_wire` mishandle a mixed `Vec`. + /// The mixed-Vec encoding is what real production blobs look like + /// after the writer flag flips on, so this is the load-bearing + /// migration-correctness test for the wire format. + #[test] + fn mixed_link_and_link_v2_in_one_parent_round_trips() { + let sk_legacy = test_storage_key(); + let mut sk_modern = sk_legacy; + sk_modern[0] ^= 0xFF; // distinct from sk_legacy + let cid_modern = test_cid(); + + // A real parent's wire form is `postcard(Vec)`. + // Mix all three variant tags in one Vec: a Values bucket, a + // legacy Link, and a v8 LinkV2. This is structurally the same + // shape `Node::store` produces on a parent that has one + // freshly-mutated child and untouched siblings. + let wire: Vec, u64>> = vec![ + PointerWire::Values(vec![(b"untouched-bucket-key".to_vec(), 99)]), + PointerWire::Link(sk_legacy), + PointerWire::LinkV2 { + storage_key: sk_modern, + cid: cid_modern.clone(), + }, + ]; + let encoded = postcard::to_allocvec(&wire).expect("encode mixed Vec"); + let decoded: Vec, u64>> = + postcard::from_bytes(&encoded).expect("decode mixed Vec"); + assert_eq!(decoded.len(), 3); + match &decoded[0] { + PointerWire::Values(pairs) => { + assert_eq!(pairs.len(), 1); + assert_eq!(pairs[0], (b"untouched-bucket-key".to_vec(), 99)); + } + other => panic!("expected Values, got {:?}", other), + } + match &decoded[1] { + PointerWire::Link(sk) => assert_eq!(*sk, sk_legacy), + other => panic!("expected legacy Link, got {:?}", other), + } + match &decoded[2] { + PointerWire::LinkV2 { storage_key, cid } => { + assert_eq!(*storage_key, sk_modern); + assert_eq!(*cid, cid_modern); + } + other => panic!("expected LinkV2, got {:?}", other), + } + + // Cross-check that the encoded wire actually contains every + // variant tag it ought to. The leading byte of each variant in + // the contiguous postcard stream is the discriminator (0/1/2). + // We can't index into `encoded` to find the tag bytes directly + // without knowing each variant's payload length, but we CAN + // confirm the encoding doesn't accidentally collapse two + // variants by re-encoding decoded and comparing byte-for-byte. + let re_encoded = postcard::to_allocvec(&decoded).expect("re-encode"); + assert_eq!( + encoded, re_encoded, + "mixed-variant Vec must round-trip byte-for-byte through postcard \ + — defends against a future serialize impl that silently reorders \ + variants by tag, which would change how an old SDK reads the \ + same blob" + ); + } + + /// A v7-only deserializer (only Values + Link) on a mixed Vec must + /// fail at the FIRST `LinkV2` it tries to decode — postcard streams + /// the Vec contiguously, so once the unknown variant is hit, the + /// reader cannot recover. This pins the forward-incompatibility + /// boundary for parents written by a v8 SDK on a bucket old SDKs + /// might still read. + #[test] + fn legacy_v7_decoder_errors_on_mixed_parent_with_link_v2() { + let sk_legacy = test_storage_key(); + let mut sk_modern = sk_legacy; + sk_modern[0] ^= 0xFF; + let v8_blob: Vec, u64>> = vec![ + PointerWire::Link(sk_legacy), + PointerWire::LinkV2 { + storage_key: sk_modern, + cid: test_cid(), + }, + ]; + let encoded = postcard::to_allocvec(&v8_blob).expect("encode"); + + let result: std::result::Result, u64>>, _> = + postcard::from_bytes(&encoded); + assert!( + result.is_err(), + "v7-only deserializer must error on a mixed Vec the moment it \ + encounters the LinkV2 element — guarantees old SDKs surface a \ + clean WireVersionUnsupported, never silently truncate the parent's \ + child list. got: {:?}", + result + ); + } + + /// Full integration round-trip: in-memory `ChildPtr::StoredV2` → `Pointer` + /// → `to_wire` → bytes → `from_wire` → `Pointer` → `ChildPtr::StoredV2`. + /// The 5 tests above each cover one hop of this chain in isolation; this + /// test fuses them so a typo in `to_wire`'s `LinkV2` arm or `from_wire`'s + /// would surface here even if each isolated test still passed. + #[tokio::test] + async fn child_ptr_stored_v2_full_pipeline_roundtrip() { + use crate::hashing::Blake3Hasher; + use crate::wnfs_hamt::v7_store::InMemoryBackend; + use crate::wnfs_hamt::v7_store::V7NodeStore; + use crate::keys::DekKey; + use std::sync::Arc; + + // Build a real V7NodeStore so `to_wire` has a place to defer to for + // the `InMemory` arm (we don't exercise it here, but `to_wire`'s + // signature requires a store). + let backend = Arc::new(InMemoryBackend::new()); + let store = V7NodeStore::new( + "bucket-walkable-v8", + /* shard_idx = */ 0, + vec![0xFE; 16], + DekKey::from_bytes(&[0x77u8; 32]).unwrap(), + backend.clone(), + ); + + // Construct a Pointer that holds a `StoredV2` child. + let original_sk = test_storage_key(); + let original_cid = test_cid(); + let pointer: Pointer, u64, Blake3Hasher> = + Pointer::Link(ChildPtr::StoredV2 { + storage_key: original_sk, + cid: original_cid.clone(), + }); + + // to_wire must produce LinkV2 with the same fields. + let wire = pointer.to_wire(&store).await.expect("to_wire"); + match &wire { + PointerWire::LinkV2 { storage_key, cid } => { + assert_eq!(*storage_key, original_sk); + assert_eq!(*cid, original_cid); + } + other => panic!("expected LinkV2, got {:?}", other), + } + + // Encode and decode through postcard. + let encoded = postcard::to_allocvec(&wire).expect("encode"); + assert_eq!(encoded[0], 2, "must produce v8 wire variant tag"); + let decoded: PointerWire, u64> = + postcard::from_bytes(&encoded).expect("decode"); + + // from_wire must reconstruct the StoredV2 child verbatim. + let reconstructed: Pointer, u64, Blake3Hasher> = + Pointer::from_wire(decoded); + match reconstructed { + Pointer::Link(ChildPtr::StoredV2 { storage_key, cid }) => { + assert_eq!(storage_key, original_sk); + assert_eq!(cid, original_cid); + } + other => panic!("expected ChildPtr::StoredV2, got {:?}", other), + } + } +} diff --git a/crates/fula-crypto/src/wnfs_hamt/store.rs b/crates/fula-crypto/src/wnfs_hamt/store.rs index aa37925..ad8858a 100644 --- a/crates/fula-crypto/src/wnfs_hamt/store.rs +++ b/crates/fula-crypto/src/wnfs_hamt/store.rs @@ -3,6 +3,7 @@ // sees plaintext bytes only. See plan: /root/.claude/plans/do-a-thorough-line-cheeky-taco.md use crate::Result; +use cid::Cid; /// Truncation width for the content-addressed node key, matching fula's /// existing `generate_flat_key` width so AEAD AAD layouts stay uniform @@ -20,6 +21,28 @@ pub type StorageKey = [u8; STORAGE_KEY_LEN]; /// Plaintext bytes of a HAMT node, pre-AEAD. pub type HamtNodeBytes = Vec; +/// Outcome of persisting a HAMT node through `HamtNodeStore::put_node` +/// or `Node::store` (walkable-v8 / W.9.2). +/// +/// Carries the existing `storage_key` (the master-S3 routing identifier +/// derived from `BLAKE3(bucket_salt ‖ plaintext)[..22]`) plus an optional +/// `cid` returned by the underlying `BlobBackend` after the ciphertext has +/// been written. +/// +/// `cid` is `Some` when the backend exposes a content-address for the +/// ciphertext (e.g. master S3 returns the CID via `ETag` after a successful +/// PUT) and `None` otherwise (in-memory test backends, bench backends, or +/// any backend whose `BlobPutResult.cid` came back `None` because the etag +/// failed to parse). W.9.3 stamps `Some(_)` values into parent-pointer +/// `LinkV2` variants so a v8 reader can walk via IPFS gateways without +/// master; `None` falls through to the legacy v7 storage-key path, which is +/// always pinned alongside the ciphertext. +#[derive(Debug, Clone, Copy)] +pub struct NodePutResult { + pub storage_key: StorageKey, + pub cid: Option, +} + /// Storage trait the HAMT uses to read and write node blobs. /// /// Implementors are responsible for: @@ -33,16 +56,60 @@ pub type HamtNodeBytes = Vec; /// /// The tree logic in `wnfs_hamt::node` only ever sees plaintext bytes and /// opaque `StorageKey`s. +/// +/// `put_node` returns a [`NodePutResult`]: backward-compat consumers extract +/// `.storage_key`; W.9.3+ writers also use `.cid` to stamp CID hints into +/// parent pointers (see `PointerWire::LinkV2`). +/// +/// **Walkable-v8 (W.9.4) — `get_node_with_cid_hint`**: the cid-hint variant +/// lets the HAMT walker forward a child's `Cid` (learned from the parent's +/// `PointerWire::LinkV2` plaintext) down to the storage layer so a +/// master-down walk can continue over public IPFS. Default impl ignores the +/// hint and falls through to `get_node` — appropriate for in-memory test +/// stores that have no offline channel. **The integrity contract is +/// unchanged** even when a hint is supplied: every retrieved plaintext +/// MUST still have its content hash recomputed and compared to `key`. +/// The cid-hint only changes WHERE the bytes come from; the post-fetch +/// validation defends against parent-pointer manipulation between layers. #[cfg(not(target_arch = "wasm32"))] #[async_trait::async_trait] pub trait HamtNodeStore: Send + Sync { async fn get_node(&self, key: &StorageKey) -> Result; - async fn put_node(&self, bytes: HamtNodeBytes) -> Result; + async fn put_node(&self, bytes: HamtNodeBytes) -> Result; + + /// Walkable-v8 (W.9.4) — fetch a node with an optional content-address + /// hint. Default impl ignores the hint and falls through to + /// [`get_node`]. `V7NodeStore` overrides to forward the hint to its + /// backing `BlobBackend::get_with_cid_hint`; the post-fetch + /// `recomputed == key` check stays in place so a redirected fetch + /// (different storage_key than the parent claimed) is rejected even + /// when the gateway content-address verify passes. + async fn get_node_with_cid_hint( + &self, + key: &StorageKey, + _cid_hint: Option<&Cid>, + ) -> Result { + self.get_node(key).await + } } #[cfg(target_arch = "wasm32")] #[async_trait::async_trait(?Send)] pub trait HamtNodeStore { async fn get_node(&self, key: &StorageKey) -> Result; - async fn put_node(&self, bytes: HamtNodeBytes) -> Result; + async fn put_node(&self, bytes: HamtNodeBytes) -> Result; + + /// Walkable-v8 (W.9.4) — fetch a node with an optional content-address + /// hint. Default impl ignores the hint and falls through to + /// [`get_node`]. On wasm32 the offline-fallback infrastructure is + /// compiled out so the `S3BlobBackend` override is a thin delegate; + /// the trait surface is symmetric across targets so cross-target + /// callers don't need `cfg` gating. + async fn get_node_with_cid_hint( + &self, + key: &StorageKey, + _cid_hint: Option<&Cid>, + ) -> Result { + self.get_node(key).await + } } diff --git a/crates/fula-crypto/src/wnfs_hamt/v7_store.rs b/crates/fula-crypto/src/wnfs_hamt/v7_store.rs index 6692e05..2c8b009 100644 --- a/crates/fula-crypto/src/wnfs_hamt/v7_store.rs +++ b/crates/fula-crypto/src/wnfs_hamt/v7_store.rs @@ -19,13 +19,14 @@ // // See plan: /root/.claude/plans/do-a-thorough-line-cheeky-taco.md (search: "V7NodeStore"). -use super::store::{HamtNodeBytes, HamtNodeStore, STORAGE_KEY_LEN, StorageKey}; +use super::store::{HamtNodeBytes, HamtNodeStore, NodePutResult, STORAGE_KEY_LEN, StorageKey}; use crate::keys::DekKey; use crate::private_forest::{ V7StorageKey, V7_STORAGE_KEY_LEN, compute_v7_node_key, hamt_node_v7_aad, }; use crate::symmetric::{Aead, AeadCipher, Nonce}; use crate::{CryptoError, Result}; +use cid::Cid; use std::sync::Arc; // The content-addressed key width used by the vendored HAMT and the v7 @@ -46,6 +47,43 @@ pub const V7_NODE_PREFIX: &str = "__fula_forest_v7_nodes/"; /// nonces) still map to the same storage key, preserving dedup. const NONCE_LEN: usize = 12; +/// Outcome of [`BlobBackend::put`] (walkable-v8 / W.9.2). +/// +/// `cid` is the content-address the backend reports for the ciphertext that +/// was just persisted. `Some(_)` when the backend exposes one (e.g. master S3 +/// returns it as the `ETag` header on PUT 200), `None` for backends that +/// don't (in-memory test backends, bench backends) or when the etag failed +/// to parse as a CID. **CID parse failure is always a soft-fail to `None`, +/// never an error**: the PUT itself succeeded; the offline-walk hint just +/// isn't available, and the v7 storage-key path serves the read. +/// +/// Future-extension point: more fields can be added without breaking the +/// trait surface (e.g. a `version_id` for backends with versioning). +#[derive(Debug, Clone)] +pub struct BlobPutResult { + pub cid: Option, +} + +impl BlobPutResult { + /// Construct a result that carries no CID hint. Suitable for in-memory + /// or test backends that have no notion of a master-stamped etag. + pub fn none() -> Self { + Self { cid: None } + } + + /// Construct a result with a known CID. Currently unused (W.9.2 PUT + /// impls direct-construct via `BlobPutResult { cid }` because they + /// already have an `Option` from `etag.parse().ok()`). Retained + /// for W.9.3+ writer integration where `BlobBackend` impls that + /// always have a definite CID (e.g. an in-memory backend that + /// computes the ciphertext CID locally for tests) can call this + /// directly instead of going through `Some(_)`. + #[allow(dead_code)] + pub fn with_cid(cid: Cid) -> Self { + Self { cid: Some(cid) } + } +} + /// Minimal storage-backend interface used by [`V7NodeStore`]. /// /// Implementors provide opaque get/put by path. All crypto (AEAD + content @@ -55,18 +93,61 @@ const NONCE_LEN: usize = 12; /// the plaintext hash, two honest writers producing the same plaintext will /// write identical objects — conflict resolution for v7 always lives at the /// manifest ETag level, never per node. +/// +/// `put` returns a [`BlobPutResult`]; the `cid` field carries the master's +/// PUT-response ETag parsed as a [`Cid`] for walkable-v8. Backends that +/// don't have a CID (test, bench) return `BlobPutResult::none()`. +/// +/// **Walkable-v8 (W.9.4) — `get_with_cid_hint`**: the cid-hint variant lets +/// a caller that learned a child's `Cid` from a parent's `PointerWire::LinkV2` +/// plaintext request the same bytes via the offline-aware path: when the +/// backend is master-aware (e.g. `S3BlobBackend`), this routes through the +/// gateway race so a master-down bucket walk continues over public IPFS. +/// The default impl ignores the hint and delegates to [`get`] — backends +/// that don't have a master/gateway distinction (in-memory test backends) +/// keep the simpler `get` semantics. The hint is **advisory**: callers +/// must NOT skip subsequent integrity checks (AEAD + storage_key recompute) +/// just because a CID was supplied — those layers defend against parent- +/// pointer manipulation independently of the gateway content-address check. #[cfg(not(target_arch = "wasm32"))] #[async_trait::async_trait] pub trait BlobBackend: Send + Sync { async fn get(&self, path: &str) -> Result>; - async fn put(&self, path: &str, bytes: Vec) -> Result<()>; + async fn put(&self, path: &str, bytes: Vec) -> Result; + + /// Walkable-v8 (W.9.4) — fetch with an optional content-address + /// hint. Default impl ignores the hint and falls through to [`get`]; + /// `S3BlobBackend` overrides to use the cold-cache gateway-race + /// fallback when `cid_hint` is `Some` and master is unreachable. + async fn get_with_cid_hint( + &self, + path: &str, + _cid_hint: Option<&Cid>, + ) -> Result> { + self.get(path).await + } } #[cfg(target_arch = "wasm32")] #[async_trait::async_trait(?Send)] pub trait BlobBackend { async fn get(&self, path: &str) -> Result>; - async fn put(&self, path: &str, bytes: Vec) -> Result<()>; + async fn put(&self, path: &str, bytes: Vec) -> Result; + + /// Walkable-v8 (W.9.4) — fetch with an optional content-address + /// hint. Default impl ignores the hint and falls through to [`get`]. + /// On wasm32 the offline-fallback infrastructure (block_cache + + /// gateway race) is gated out, so the override on `S3BlobBackend` + /// is currently a thin no-op delegate; the trait surface stays + /// symmetric across targets so cross-target call sites compile + /// without `cfg` gating. + async fn get_with_cid_hint( + &self, + path: &str, + _cid_hint: Option<&Cid>, + ) -> Result> { + self.get(path).await + } } /// AEAD-encrypted, content-addressed node store for a v7 shard. @@ -127,12 +208,28 @@ impl V7NodeStore { } } -#[cfg(not(target_arch = "wasm32"))] -#[async_trait::async_trait] -impl HamtNodeStore for V7NodeStore { - async fn get_node(&self, key: &StorageKey) -> Result { - let path = Self::object_path(key); - let blob = self.inner.get(&path).await?; +impl V7NodeStore { + /// Walkable-v8 (W.9.4) — shared decrypt + integrity-check pipeline used + /// by both `get_node` and `get_node_with_cid_hint`. Centralised here so + /// the offline cid-hint variant cannot accidentally drop the + /// `recomputed == key` check that defends against parent-pointer + /// manipulation (the third integrity layer per advisor design notes). + /// + /// Three layers, all enforced regardless of which `BlobBackend.get*` + /// variant supplied `blob`: + /// 1. AEAD decrypt under shard DEK with `(bucket, shard_idx)` AAD — + /// defends cross-bucket / cross-shard replay. + /// 2. Recompute `BLAKE3(bucket_salt ‖ plaintext)[..22]` and compare + /// to the caller-supplied `key` — defends a redirect where the + /// gateway returns valid-CID bytes whose plaintext addresses a + /// DIFFERENT storage_key than the parent's pointer claimed. + /// 3. (Out of this function: gateway content-address verify happens + /// inside `get_object_with_offline_fallback_known_cid`.) + fn decrypt_and_verify( + &self, + key: &StorageKey, + blob: Vec, + ) -> Result { if blob.len() < NONCE_LEN { return Err(CryptoError::Decryption( "v7 node blob shorter than nonce".into(), @@ -146,7 +243,9 @@ impl HamtNodeStore for V7NodeStore { // Belt-and-suspenders: AEAD already authenticated the ciphertext // against AAD, but re-derive the content hash from the plaintext to - // catch any path/key mix-up in the caller. + // catch any path/key mix-up in the caller — and, on the cid-hint + // path, to reject a malicious parent that pointed at the right + // cid but the wrong storage_key. let recomputed = compute_v7_node_key(&self.bucket_salt, &plaintext); if recomputed.as_slice() != key.as_slice() { return Err(CryptoError::Hamt( @@ -155,8 +254,37 @@ impl HamtNodeStore for V7NodeStore { } Ok(plaintext) } +} - async fn put_node(&self, bytes: HamtNodeBytes) -> Result { +#[cfg(not(target_arch = "wasm32"))] +#[async_trait::async_trait] +impl HamtNodeStore for V7NodeStore { + async fn get_node(&self, key: &StorageKey) -> Result { + let path = Self::object_path(key); + let blob = self.inner.get(&path).await?; + self.decrypt_and_verify(key, blob) + } + + /// Walkable-v8 (W.9.4) — forward `cid_hint` to the backing + /// `BlobBackend::get_with_cid_hint` so the offline gateway race + /// engages when master is unreachable, then run the same + /// `decrypt_and_verify` pipeline as `get_node`. The `recomputed + /// == key` check is preserved verbatim — a malicious parent + /// pointing at `LinkV2 { storage_key: A, cid: hash_of_B }` would + /// pass the gateway content-address check (bytes hash to the + /// supplied cid) but fail at this layer (plaintext hashes to B, + /// not the requested A). + async fn get_node_with_cid_hint( + &self, + key: &StorageKey, + cid_hint: Option<&Cid>, + ) -> Result { + let path = Self::object_path(key); + let blob = self.inner.get_with_cid_hint(&path, cid_hint).await?; + self.decrypt_and_verify(key, blob) + } + + async fn put_node(&self, bytes: HamtNodeBytes) -> Result { let key_v7: V7StorageKey = compute_v7_node_key(&self.bucket_salt, &bytes); // V7StorageKey and StorageKey are both [u8; 22]; asserted by construction. let key: StorageKey = key_v7; @@ -170,8 +298,8 @@ impl HamtNodeStore for V7NodeStore { blob.extend_from_slice(&ciphertext); let path = Self::object_path(&key); - self.inner.put(&path, blob).await?; - Ok(key) + let put_result = self.inner.put(&path, blob).await?; + Ok(NodePutResult { storage_key: key, cid: put_result.cid }) } } @@ -181,27 +309,20 @@ impl HamtNodeStore for V7NodeStore { async fn get_node(&self, key: &StorageKey) -> Result { let path = Self::object_path(key); let blob = self.inner.get(&path).await?; - if blob.len() < NONCE_LEN { - return Err(CryptoError::Decryption( - "v7 node blob shorter than nonce".into(), - )); - } - let (nonce_bytes, ciphertext) = blob.split_at(NONCE_LEN); - let nonce = Nonce::from_bytes(nonce_bytes)?; - let aad = self.aad(); - let aead = Aead::new(&self.shard_dek, AeadCipher::ChaCha20Poly1305); - let plaintext = aead.decrypt_with_aad(&nonce, ciphertext, &aad)?; + self.decrypt_and_verify(key, blob) + } - let recomputed = compute_v7_node_key(&self.bucket_salt, &plaintext); - if recomputed.as_slice() != key.as_slice() { - return Err(CryptoError::Hamt( - "v7 node content-address mismatch".into(), - )); - } - Ok(plaintext) + async fn get_node_with_cid_hint( + &self, + key: &StorageKey, + cid_hint: Option<&Cid>, + ) -> Result { + let path = Self::object_path(key); + let blob = self.inner.get_with_cid_hint(&path, cid_hint).await?; + self.decrypt_and_verify(key, blob) } - async fn put_node(&self, bytes: HamtNodeBytes) -> Result { + async fn put_node(&self, bytes: HamtNodeBytes) -> Result { let key_v7: V7StorageKey = compute_v7_node_key(&self.bucket_salt, &bytes); let key: StorageKey = key_v7; let nonce = Nonce::generate(); @@ -214,8 +335,8 @@ impl HamtNodeStore for V7NodeStore { blob.extend_from_slice(&ciphertext); let path = Self::object_path(&key); - self.inner.put(&path, blob).await?; - Ok(key) + let put_result = self.inner.put(&path, blob).await?; + Ok(NodePutResult { storage_key: key, cid: put_result.cid }) } } @@ -265,12 +386,14 @@ impl BlobBackend for InMemoryBackend { .ok_or_else(|| CryptoError::Hamt(format!("object not found: {}", path))) } - async fn put(&self, path: &str, bytes: Vec) -> Result<()> { + async fn put(&self, path: &str, bytes: Vec) -> Result { self.objects .lock() .unwrap() .insert(path.to_string(), bytes); - Ok(()) + // In-memory backend does not have a master-stamped etag; v8 readers + // see `cid: None` and fall through to the storage_key path. + Ok(BlobPutResult::none()) } } @@ -286,12 +409,14 @@ impl BlobBackend for InMemoryBackend { .ok_or_else(|| CryptoError::Hamt(format!("object not found: {}", path))) } - async fn put(&self, path: &str, bytes: Vec) -> Result<()> { + async fn put(&self, path: &str, bytes: Vec) -> Result { self.objects .lock() .unwrap() .insert(path.to_string(), bytes); - Ok(()) + // In-memory backend does not have a master-stamped etag; v8 readers + // see `cid: None` and fall through to the storage_key path. + Ok(BlobPutResult::none()) } } @@ -328,7 +453,7 @@ mod tests { root.set(k, i, &store).await.unwrap(); } - let root_key = root.store(&store).await.unwrap(); + let root_key = root.store(&store).await.unwrap().storage_key; // Load from a freshly-constructed store (simulates a separate reader // on the same bucket/shard) and confirm every entry. @@ -360,8 +485,8 @@ mod tests { ); let plaintext: Vec = (0..64u8).collect(); - let key1 = store.put_node(plaintext.clone()).await.unwrap(); - let key2 = store.put_node(plaintext.clone()).await.unwrap(); + let key1 = store.put_node(plaintext.clone()).await.unwrap().storage_key; + let key2 = store.put_node(plaintext.clone()).await.unwrap().storage_key; assert_eq!(key1, key2, "content-addressed key must be deterministic"); // The nonce is random → ciphertext differs, but the stored path is @@ -381,7 +506,7 @@ mod tests { backend.clone(), ); let plaintext = b"payload".to_vec(); - let key = writer.put_node(plaintext.clone()).await.unwrap(); + let key = writer.put_node(plaintext.clone()).await.unwrap().storage_key; // A reader that mislabels the shard index must fail AEAD. let wrong_shard = V7NodeStore::new( @@ -404,7 +529,7 @@ mod tests { test_dek(), backend.clone(), ); - let key = writer.put_node(b"payload".to_vec()).await.unwrap(); + let key = writer.put_node(b"payload".to_vec()).await.unwrap().storage_key; let wrong_bucket = V7NodeStore::new( "bucket-b", @@ -426,7 +551,7 @@ mod tests { test_dek(), backend.clone(), ); - let key = store.put_node(b"untampered".to_vec()).await.unwrap(); + let key = store.put_node(b"untampered".to_vec()).await.unwrap().storage_key; // Flip one byte in the ciphertext region (past the 12-byte nonce). let path = V7NodeStore::::object_path(&key); diff --git a/crates/fula-flutter/src/api/client.rs b/crates/fula-flutter/src/api/client.rs index 1c000a1..3645ca4 100644 --- a/crates/fula-flutter/src/api/client.rs +++ b/crates/fula-flutter/src/api/client.rs @@ -75,6 +75,14 @@ fn build_inner_config( inner.users_index_ipfs_gateway_urls = config.users_index_ipfs_gateway_urls.clone(); + // Walkable-v8 (W.9.3) — writer flag. Cross-platform: works on + // every fula-flutter target (Android/iOS/Windows/macOS/Ubuntu) + // and on the wasm32 browser target. Default `false` keeps writes + // byte-identical to v0.5; flipping `true` activates the v8 wire + // surface. See `walkable_v8_writer_enabled` in `FulaConfig` for + // the full self-verify rationale. + inner.walkable_v8_writer_enabled = config.walkable_v8_writer_enabled; + // Phase 19 — always wire a forwarding callback into the gate so // Dart-side subscribers can observe health transitions. The // dispatcher is per-handle, so events from this client never @@ -640,5 +648,35 @@ mod tests { assert!(!inner.gateway_fallback_enabled); assert_eq!(inner.gateway_fallback_urls.len(), 0); assert_eq!(inner.gateway_race_concurrency, 3); + // **#89 (2026-05-09)**: walkable-v8 writer flipped to default-on + // per user decision ("when we roll out everyone will update"). + // The previous test asserted default-off as the rollout-window + // safety; that's been retired. Now we assert the flipped default + // both in the Dart-side and the inner Rust-side config. + assert!( + inner.walkable_v8_writer_enabled, + "walkable_v8_writer_enabled must default to true post-#89 — \ + flipping back is a deliberate operator action only" + ); + } + + #[test] + fn walkable_v8_writer_enabled_plumbs_through_to_inner_config() { + // W.9.3: when the Dart-side flag is on, the Rust-side flag + // must reflect it. Without this plumbing, FxFiles cannot + // activate walkable-v8 even when an operator flips the + // setting in the app config. + let cfg = FulaConfig { + walkable_v8_writer_enabled: true, + ..Default::default() + }; + let handle = create_client(cfg).expect("create_client"); + let inner = handle.inner.config(); + assert!( + inner.walkable_v8_writer_enabled, + "Dart-side walkable_v8_writer_enabled = true must plumb to \ + fula_client::Config — otherwise the FRB binding would silently \ + swallow the operator's opt-in" + ); } } diff --git a/crates/fula-flutter/src/api/error.rs b/crates/fula-flutter/src/api/error.rs index bf1ae2e..6c01506 100644 --- a/crates/fula-flutter/src/api/error.rs +++ b/crates/fula-flutter/src/api/error.rs @@ -94,6 +94,21 @@ pub enum FulaError { #[error("Users-index resolution failed: {0}")] UsersIndexResolutionFailed(String), + /// **#81 (2026-05-09)** — wire format version unsupported. + /// Surfaced when the SDK encounters a postcard-encoded blob with + /// an unknown enum variant tag (e.g. an old SDK reading a newer + /// wire format the master upgraded to). Apps should display "this + /// bucket requires FxFiles vX.Y or later" to the user. The bucket + /// data itself is intact; the SDK just can't decode the new wire + /// format. Defined unconditionally so the Dart binding has the + /// same enum shape across native (Android, iOS, desktop) and wasm + /// (web). + #[error("Wire format version unsupported: {context}: {postcard_error}")] + WireVersionUnsupported { + context: String, + postcard_error: String, + }, + /// Phase 3.3 — replay defense: a payload's embedded sequence /// regressed below what the SDK has seen before. Dart apps /// should NOT silently retry; surface as a clear "stale-state" @@ -183,13 +198,35 @@ impl From for FulaError { ClientError::SequenceRegression { observed, highest_seen, channel } => { FulaError::SequenceRegression { observed, highest_seen, channel } } + // #81 — propagate the typed variant so Dart code can + // pattern-match on `FulaError::WireVersionUnsupported` + // without parsing the generic `Encryption(...)` string. + ClientError::WireVersionUnsupported { context, postcard_error } => { + FulaError::WireVersionUnsupported { context, postcard_error } + } } } } impl From for FulaError { fn from(err: fula_crypto::CryptoError) -> Self { - FulaError::Encryption(err.to_string()) + // #81 (2026-05-09) — preserve the typed variant when a raw + // CryptoError is converted directly (bypassing the ClientError + // route). Without this arm the variant gets flattened to + // generic `Encryption(...)` and Dart pattern-match on + // `FulaError.wireVersionUnsupported` misses, defeating the + // telemetry-stability purpose. Mirrors the `From` + // arm above. + match err { + fula_crypto::CryptoError::WireVersionUnsupported { + context, + postcard_error, + } => FulaError::WireVersionUnsupported { + context, + postcard_error, + }, + other => FulaError::Encryption(other.to_string()), + } } } @@ -250,6 +287,7 @@ impl FulaError { FulaError::CacheError(_) => "CACHE_ERROR", FulaError::UsersIndexResolutionFailed(_) => "USERS_INDEX_RESOLUTION_FAILED", FulaError::SequenceRegression { .. } => "SEQUENCE_REGRESSION", + FulaError::WireVersionUnsupported { .. } => "WIRE_VERSION_UNSUPPORTED", FulaError::Internal(_) => "INTERNAL", } } diff --git a/crates/fula-flutter/src/api/types.rs b/crates/fula-flutter/src/api/types.rs index 0ba41f6..3d23107 100644 --- a/crates/fula-flutter/src/api/types.rs +++ b/crates/fula-flutter/src/api/types.rs @@ -152,6 +152,31 @@ pub struct FulaConfig { /// Empty Vec = use SDK-shipped 6-gateway default list. /// Native-only. pub users_index_ipfs_gateway_urls: Vec, + + // ============================================================ + // Walkable-v8 (W.9.3) — encrypted-tree CID stamping + // ============================================================ + /// Emit walkable-v8 CID hints in HAMT internal-node pointers, + /// manifest pages, dir-index, and forest file-index entries from + /// master's PUT-response ETag (= `BLAKE3(ciphertext)` raw-codec). + /// Off by default during the v0.6.x rollout — when off, every + /// write is byte-identical to v0.5 and old SDKs (FxFiles installs + /// that haven't updated yet) read newly-written buckets without + /// any wire-format awareness. + /// + /// Each parsed CID is **self-verified** locally before being + /// stamped: `BLAKE3(ciphertext)` is recomputed by the SDK and + /// compared to the master-returned CID. On mismatch the SDK + /// soft-fails to `None` (logging the divergence at warn level, + /// rate-limited per (bucket,key) per session) so a compromised + /// master cannot redirect future offline walkers to attacker- + /// controlled IPFS bytes. + /// + /// Cross-platform: works identically on every fula-flutter target + /// (Android, iOS, Windows, Ubuntu, macOS) and on the wasm32 + /// browser target. Offline reading via these hints lands in + /// W.9.4; today the writer just records them for a future reader. + pub walkable_v8_writer_enabled: bool, } impl Default for FulaConfig { @@ -184,6 +209,16 @@ impl Default for FulaConfig { users_index_user_key: String::new(), users_index_ipns_gateway_urls: Vec::new(), users_index_ipfs_gateway_urls: Vec::new(), + // Walkable-v8 (W.9.3) writer. + // + // #89 (2026-05-09): default flipped from `false` to `true` + // per user decision ("when we roll out everyone will + // update"). Mirrors `fula_client::Config::default()` for + // cross-platform parity (non-negotiable rule). Pre-v0.6 + // FxFiles installs reading buckets written under this + // default will surface `WireVersionUnsupported` (#81 typed + // variant). Set explicitly to `false` to opt out. + walkable_v8_writer_enabled: true, } } } diff --git a/crates/fula-js/src/lib.rs b/crates/fula-js/src/lib.rs index 0aecd58..1d3e1e6 100644 --- a/crates/fula-js/src/lib.rs +++ b/crates/fula-js/src/lib.rs @@ -169,9 +169,43 @@ pub struct JsFulaConfig { /// at runtime.** #[serde(default)] pub users_index_ipfs_gateway_urls: Vec, + + // ============================================================ + // Walkable-v8 (W.9.3) — encrypted-tree CID stamping + // ============================================================ + /// Emit walkable-v8 CID hints in HAMT internal-node pointers, + /// manifest pages, dir-index, and forest file-index entries from + /// master's PUT-response ETag (= `BLAKE3(ciphertext)` raw-codec). + /// + /// **#89 (2026-05-09): default flipped to `true`** per user + /// decision ("when we roll out everyone will update"), mirroring + /// `fula_client::Config::default()` and `FulaConfig::default()` + /// (cross-platform parity is non-negotiable). Pre-v0.6 SDKs + /// reading newly-written buckets surface `WireVersionUnsupported` + /// (#81 typed variant; mapped to `WIRE_VERSION_UNSUPPORTED` JS + /// error code via `client_error_to_js_error`). + /// + /// Each parsed CID is **self-verified** locally before being + /// stamped: the SDK recomputes `BLAKE3(ciphertext)` and compares + /// to the master-returned CID. On mismatch the SDK soft-fails to + /// `None` (logging at warn, rate-limited per (bucket,key) per + /// session) so a compromised master cannot redirect future + /// offline walkers to attacker-controlled IPFS bytes. + /// + /// **Cross-platform.** Works identically on the wasm32 web target + /// and on any native `fula_client::Config` consumer. Offline + /// reading via these hints lands in W.9.4; today the writer just + /// records them for a future reader. + /// `#[serde(default = "default_walkable_v8_writer_enabled")]` so + /// JSON omitting the field gets the post-#89 default of `true`. + /// `#[serde(default)]` would fall back to `bool::default()` which + /// is `false` and would silently drift from the Rust-side defaults. + #[serde(default = "default_walkable_v8_writer_enabled")] + pub walkable_v8_writer_enabled: bool, } fn default_timeout() -> u64 { 30 } +fn default_walkable_v8_writer_enabled() -> bool { true } fn default_health_gate_ttl() -> u64 { 30 } fn default_block_cache_max_bytes() -> u64 { 256 * 1024 * 1024 } fn default_gateway_race_concurrency() -> u32 { 3 } @@ -579,6 +613,13 @@ fn build_inner_config( inner.users_index_ipns_gateway_urls = config.users_index_ipns_gateway_urls; inner.users_index_ipfs_gateway_urls = config.users_index_ipfs_gateway_urls; + // Walkable-v8 (W.9.3) — writer flag. Cross-platform: works on the + // wasm32 web target identically to native. Default `false` keeps + // writes byte-identical to v0.5; flipping `true` activates the + // v8 wire surface. See `walkable_v8_writer_enabled` in + // `JsFulaConfig` for the full self-verify rationale. + inner.walkable_v8_writer_enabled = config.walkable_v8_writer_enabled; + inner } @@ -635,6 +676,21 @@ fn client_error_to_js_error(operation: &str, e: fula_client::ClientError) -> JsE serde_json::json!({ "bucket": bucket, "expiresAt": expires_at }), ), ClientError::Encryption(_) => ("ENCRYPTION", serde_json::json!(null)), + // #81 (2026-05-09) — typed wire-version-skew variant. Without + // this arm the variant falls through to the `_` wildcard and + // surfaces as "INTERNAL", defeating the telemetry-stability + // purpose of the typed variant. Mirrors fula-flutter's + // `error_code()` returning "WIRE_VERSION_UNSUPPORTED". + ClientError::WireVersionUnsupported { + context, + postcard_error, + } => ( + "WIRE_VERSION_UNSUPPORTED", + serde_json::json!({ + "context": context, + "postcardError": postcard_error, + }), + ), ClientError::Http(_) => ("HTTP", serde_json::json!(null)), _ => ("INTERNAL", serde_json::json!(null)), }; diff --git a/docs/website/security.html b/docs/website/security.html index 70bc90e..1c05f68 100644 --- a/docs/website/security.html +++ b/docs/website/security.html @@ -72,6 +72,7 @@

On This Page

  • HPKE Implementation
  • Symmetric Encryption
  • Data Integrity
    • +
  • Walkable HAMT (v8)
  • Key Management
  • Secure Sharing
  • Complete Sharing Example
    • @@ -860,6 +861,127 @@

    Bao Verified Streaming

    + +
    +

    Walkable HAMT (v8) — Encrypted Link Integrity

    +

    How Fula preserves native-IPLD-grade integrity when CIDs live inside encrypted parent plaintext, and how that compares to native IPLD and stock WNFS.

    + +
    +

    Plain-English Summary

    +

    In native IPLD, every block has a CID that is the hash of its bytes. A reader fetches by CID and re-hashes; if the bytes don't match, tampering is rejected. This single property gives IPLD self-verifying integrity.

    +

    In stock WNFS, the HAMT internal nodes are stored as plaintext IPLD blocks with plaintext Link(cid) references. Only the leaves (the encrypted PrivateNode blobs) are encrypted. So a non-keyholder with the HAMT root CID can enumerate the tree shape, count entries, and list every leaf-level encrypted-blob CID — even though they cannot decrypt content.

    +

    In Fula v7 (today), HAMT internal nodes are AEAD-encrypted; parent → child references are 22-byte StorageKeys routing to master S3 paths, not CIDs. Stronger privacy than WNFS, but not walkable via public IPFS gateways without master.

    +

    In Fula v8 (walkable), parent pointers gain an Option<Cid> inside the encrypted parent's plaintext, alongside the existing StorageKey. Keyholders can walk the tree via public IPFS gateways without master. Non-keyholders see only the manifest CID; the link graph remains hidden because the CIDs only exist behind AEAD that requires forest_dek to open.

    +
    + +
    +

    Three Layers of Integrity

    +

    Walkable-v8 stacks three independent integrity binders. Layer 1 reproduces native IPLD's keyless property exactly; Layers 2 and 3 add stronger guarantees the encrypted case requires.

    +
    +
    +
    1
    +

    CID Re-Hash on Every Gateway Fetch

    +

    Keyless — identical to native IPLD. Every gateway fetch re-hashes the bytes and rejects on mismatch. Anyone with the CID can verify independently.

    +

    crates/fula-client/src/gateway_fetch.rs:116-142 verify_cid_against_bytes

    +
    + + Detects: gateway tampering, transport corruption, wrong-block-served-for-CID +
    +
    +
    +
    2
    +

    AEAD Tag with Bucket+Shard AAD

    +

    Key-required — beyond native IPLD. ChaCha20-Poly1305 with AAD fula:hamt-node:v7: || bucket || shard_idx. Forging a tag without shard_dek is computationally infeasible.

    +

    crates/fula-crypto/src/wnfs_hamt/v7_store.rs:178-180 + private_forest.rs:1442-1449

    +
    + + Detects: plaintext tampering, cross-bucket replay, cross-shard replay +
    +
    +
    +
    3
    +

    Storage-Key Cross-Check

    +

    Key-required — beyond native IPLD. After decryption, re-derive BLAKE3(bucket_salt ‖ plaintext)[..22] and compare to the storage_key the parent committed to. Two independent integrity binders for the same node: CID over ciphertext + storage_key over plaintext.

    +

    crates/fula-crypto/src/wnfs_hamt/v7_store.rs:182-189

    +
    + + Detects: wrong-content-for-this-pointer (e.g. malicious master returning wrong CID at write) +
    +
    +
    +
    + +
    +

    Property Comparison — Native IPLD vs WNFS vs Fula v7 vs Fula v8

    + + + + + + + + + + + + + + + + + + + + + + + + +
    PropertyNative IPLDStock WNFSFula v7 (today)Fula v8 (walkable)
    hash(bytes) == cid self-verifying✅ (HAMT internal)n/a (uses storage_key)✅ Layer 1
    Anyone keyless can verify integrity❌ (master path)✅ Layer 1
    Keyless observer can enumerate tree shape from root CIDn/aleaks❌ hidden❌ hidden
    Keyless observer can see leaf-encrypted-blob CID listn/aleaks❌ hidden❌ hidden
    Keyless observer can diff snapshots / infer write locationsn/aleaks❌ hidden❌ hidden
    Keyless observer can find a specific file by pathn/a
    Keyless observer can decrypt contentn/a
    Plaintext tampering blocked❌ (no encryption)per-leaf only✅ AEAD✅ AEAD (Layer 2)
    Cross-bucket / cross-shard replay blockedn/ascope-dependent✅ AAD-bound✅ AAD-bound (Layer 2)
    Plaintext content-address committed by parent✅ storage_key✅ storage_key (Layer 3)
    Walkable from root via public IPFS gateways alone❌ (master required)✅ (with forest_dek)
    Walkable from root without keys (= no privacy gate on tree shape)n/a❌ (privacy preserved)
    +

    Two takeaways: (1) walkable-v8 reproduces native IPLD's keyless integrity property exactly via Layer 1 on every gateway fetch. (2) Walkable-v8 is strictly more private than stock WNFS at the tree-structure level — keyless observers cannot enumerate HAMT shape, count entries, see leaf CIDs, or diff snapshots, because all of that lives behind AEAD.

    +
    + +
    +

    Tampering Walk-Through

    + + + + + + + + + + + + + + + + + +
    Attack classDefenseOutcome
    Gateway returns wrong bytes for the requested CIDLayer 1 re-hashes bytes; mismatch → rejectREJECT (same as native IPLD)
    Substitute different bytes + a forged matching CIDForging a CID is a BLAKE3 / SHA-256 preimage attackComputationally infeasible
    Compromised gateway replays a STALE parent ciphertextGrandparent's pointer commits to specific cid; stale parent has different CID → Layer 1 mismatchREJECT
    Cross-bucket replay (bucket A's ciphertext served as bucket B's)Layer 2 AAD differs → ChaCha20-Poly1305 tag mismatchREJECT
    Tamper parent plaintext to point at attacker-controlled child CIDParent's plaintext is itself AEAD-protected; modifying requires forging a tag without shard_dekREJECT
    Compromised master returns WRONG CID at write timeRead fetches by wrong CID; even if attacker placed bytes there, Layer 2 fails (no shard_dek) and Layer 3 storage-key cross-check failsREAD FAILS (DoS); no silent corruption
    Rollback to an older forest_manifest_cidPhase 3.3 chain anchor (FulaUsersIndexAnchor) enforces strict-monotonic require(newSequence > sequence)REJECT at chain layer
    +
    + +
    +

    What This Means for End Users

    +
      +
    • Your data integrity is at least as strong as native IPLD for every block fetched via a gateway, even when master is offline (Layer 1).
      • +
    • Tampering is detected, not hidden. A malicious gateway, transport corruption, or compromised master triggers a clean error rather than silent data corruption. Even a malicious master cannot make you accept invalid bytes — the worst they can do is cause your read to fail.
      • +
    • Privacy of the tree structure is preserved. Unlike stock WNFS, an attacker who learns your bucket's forest_manifest_cid cannot enumerate your file count, observe your folder shape, or watch which subtrees you write to. Without forest_dek they cannot even decrypt the manifest itself; they only see one opaque ciphertext.
      • +
    • Walkability requires the key, by design. This is a deliberate privacy choice: walkability for keyholders, opacity for everyone else. It mirrors the intuition that your filesystem is your own private structure, not just your file contents are your own.
      • +
    • Chunked files (photos, videos, PDFs > 768 KB) are walkable too as of v0.6.0 / W.9.4–A2 (task #32). Per-chunk CID hints in ChunkedFileMetadata.chunk_cids let an offline reader fetch each chunk via gateway race when master is down. Without these hints, the W.9.4 HAMT walker only reaches the file index, not the underlying chunks — the gap that #32 closed.
      • +
    + +

    Operator-facing Caveats (must-read before flipping the writer flag)

    +
      +
    • Single-directory cliff at ~60-100k files (tracked as #72). A ForestDirectoryEntry with 100k+ filenames in its files: Vec<String> exceeds the 1 MiB IPFS gateway limit. Verified empirically by the W.9.7 stress test (100k entries in a single dir → 1.66 MiB blob). Typical FxFiles users distribute photos / PDFs across folders, so this affects only flat-folder enterprise edge cases. Distributed across many dirs, the same 100k test produces a max blob of 17.1 KiB — well under both the 1 MiB hard ceiling and the 64 KiB architectural early-warning threshold.
      • +
    • Public put_object_chunked debug API doesn't stamp storage_cid (#51 still pending). FxFiles users on the production encrypted chunked path (put_object_encrypted_with_typeput_object_chunked_internal) DO get full per-chunk walkability via #32 — the gap is limited to the public unencrypted-debug API, which is rarely used in production.
      • +
    • chunk_cids privacy posture: plaintext, by design. Per-chunk CID hints sit alongside chunk_nonces, root_hash, num_chunks, total_size, chunk_size in the encrypted index object's chunked JSON field. Only the wrapped_key and private_metadata siblings are AEAD-encrypted; the chunked block is plaintext-readable to anyone who can fetch the index object. This is not a privacy regression: every existing field in the same plaintext block was already plaintext-readable at the same level pre-v0.6.0. An attacker with the index body could already enumerate child storage paths via chunk_key(storage_key, i) and fetch the same encrypted chunk bytes via gateway. The hints simply make legitimate offline reads cheaper for content already addressable. Future security audits should treat chunk_cids as joining an existing public set, not introducing a new leak.
      • +
    +
    +
    +

    Key Management

    diff --git a/docs/wnfs-comparison.md b/docs/wnfs-comparison.md index d6b703a..c7e16c1 100644 --- a/docs/wnfs-comparison.md +++ b/docs/wnfs-comparison.md @@ -856,3 +856,165 @@ For an IPFS pinning gateway use case: - **Fula's simpler model** (no trusted setup, HPKE for sharing) is easier to deploy in a decentralized manner. - If asynchronous offline sharing with public exchange directories is needed, **borrow the WNFS model** for discovery while keeping Fula's HPKE wrapping for the actual key exchange. + +--- + +## 9. Walkability and Link Integrity (Walkable‑v8) + +> **Why this section exists.** The encrypted private filesystem in Fula is intentionally NOT a drop‑in port of WNFS's HAMT. The deltas matter for two questions readers commonly ask: *(a) can a non‑keyholder walk the tree?* and *(b) how is link integrity preserved when CIDs live inside encrypted plaintext?* This section answers both with code citations. + +### 9.1 Plain‑English summary + +In **native IPLD**, every block has a CID that is the hash of its bytes. A reader fetches by CID and re‑hashes; if the bytes don't match the CID, tampering is rejected. This single property gives IPLD its self‑verifying integrity. + +In **stock WNFS**, the HAMT *internal nodes* are stored as **plaintext IPLD blocks** that contain plaintext `Link(cid)` references to children. Only the *leaves* (the encrypted PrivateNode blobs the HAMT points at) are encrypted. So a non‑keyholder with the HAMT root CID can: + +- enumerate the tree shape, count entries, see fan‑out per level; +- list every leaf‑level encrypted‑blob CID; and +- diff two snapshots over time to see *which subtrees changed*. + +What they cannot do is decrypt the leaves or look up a specific path (the namefilter accumulator depends on the ratchet key). + +In **Fula v7 (today)**, the HAMT internal nodes themselves are AEAD‑encrypted. Parent → child references are 22‑byte `StorageKey`s that route to master S3 paths — not CIDs — so a non‑keyholder learns nothing structural and cannot walk via IPFS gateways either. + +In **Fula v8 (walkable‑v8)**, parent pointers gain an `Option` *inside the encrypted parent's plaintext*, alongside the existing `StorageKey`. Keyholders can decrypt and walk via public IPFS gateways without master. Non‑keyholders see only the manifest CID; the link graph remains hidden because the CIDs only exist in cleartext form behind AEAD that requires `forest_dek` to open. + +### 9.2 Three layers of integrity in Fula v8 + +Walkable‑v8 stacks three independent integrity binders, the first of which reproduces native IPLD's property exactly: + +#### Layer 1 — CID re‑hash on every gateway fetch (keyless, identical to native IPLD) + +`crates/fula-client/src/gateway_fetch.rs:116-142`: + +```rust +pub fn verify_cid_against_bytes(cid: &Cid, data: &[u8]) -> Result<(), VerifyError> { + let mh = cid.hash(); + let code = mh.code(); + let expected_digest = mh.digest(); + match code { + MULTIHASH_BLAKE3 => { + let actual = blake3::hash(data); + if actual.as_bytes().as_slice() == expected_digest { + Ok(()) + } else { + Err(VerifyError::DigestMismatch { code }) + } + } + MULTIHASH_SHA2_256 => { /* same shape with sha2 */ } + other => Err(VerifyError::UnsupportedHashCode { code: other }), + } +} +``` + +Every gateway fetch in walkable‑v8 calls this before handing the bytes to any decryption step. **Anyone with the CID can independently verify**, no keys required. This is byte‑identical to native IPLD's property. + +#### Layer 2 — AEAD tag check with bucket+shard AAD (key‑required) + +`crates/fula-crypto/src/wnfs_hamt/v7_store.rs:178-180`: + +```rust +let aad = self.aad(); +let aead = Aead::new(&self.shard_dek, AeadCipher::ChaCha20Poly1305); +let plaintext = aead.decrypt_with_aad(&nonce, ciphertext, &aad)?; // tag check +``` + +`crates/fula-crypto/src/private_forest.rs:1442-1449`: + +```rust +pub fn hamt_node_v7_aad(bucket: &str, shard_idx: u16) -> Vec { + let prefix = b"fula:hamt-node:v7:"; + let mut aad = Vec::with_capacity(prefix.len() + bucket.len() + 2); + aad.extend_from_slice(prefix); + aad.extend_from_slice(bucket.as_bytes()); + aad.extend_from_slice(&shard_idx.to_be_bytes()); + aad +} +``` + +ChaCha20‑Poly1305 with bucket + shard AAD catches: +- **Plaintext tampering** — forging a tag without `shard_dek` is computationally infeasible. +- **Cross‑bucket replay** — bucket A's ciphertext fed to bucket B's reader produces a different AAD → tag mismatch. +- **Cross‑shard replay** — different `shard_idx` → different AAD → tag mismatch. + +#### Layer 3 — Storage‑key cross‑check (key‑required) + +`crates/fula-crypto/src/wnfs_hamt/v7_store.rs:182-189`: + +```rust +// Belt-and-suspenders: AEAD already authenticated the ciphertext +// against AAD, but re-derive the content hash from the plaintext to +// catch any path/key mix-up in the caller. +let recomputed = compute_v7_node_key(&self.bucket_salt, &plaintext); +if recomputed.as_slice() != key.as_slice() { + return Err(CryptoError::Hamt("v7 node content-address mismatch".into())); +} +``` + +After decryption, re‑derive `BLAKE3(bucket_salt ‖ plaintext)[..22]` and compare to the `storage_key` the parent committed to. The CID content‑addresses the *ciphertext*; the storage_key content‑addresses the *plaintext*. **Two independent integrity binders for the same node.** Either one alone would catch most tampering; together they cover an attacker that somehow finds bytes whose CID matches the requested one (Layer 1) but whose plaintext doesn't (Layer 3). + +### 9.3 Comparison table — link integrity properties + +| Property | Native IPLD | Stock WNFS | Fula v7 (today) | Fula v8 (walkable) | +|---|---|---|---|---| +| `hash(bytes) == cid` self‑verifying | ✅ | ✅ (HAMT internal) | n/a (uses storage_key) | ✅ (Layer 1) | +| Anyone keyless can verify integrity | ✅ | ✅ | ❌ (master path only) | ✅ (Layer 1) | +| Keyless observer with root CID can enumerate tree shape | n/a (no encryption) | ✅ **leaks** | ❌ hidden | ❌ hidden | +| Keyless observer can see encrypted‑leaf CID list | n/a | ✅ **leaks** | ❌ hidden | ❌ hidden | +| Keyless observer can diff snapshots and infer write locations | n/a | ✅ **leaks** | ❌ hidden | ❌ hidden | +| Keyless observer can find a specific file by path | n/a | ❌ | ❌ | ❌ | +| Keyless observer can decrypt content | n/a | ❌ | ❌ | ❌ | +| Plaintext tampering blocked | ❌ (no encryption) | per‑leaf only | ✅ AEAD | ✅ AEAD (Layer 2) | +| Cross‑bucket / cross‑shard replay blocked | n/a | scope‑dependent | ✅ AAD‑bound | ✅ AAD‑bound (Layer 2) | +| Plaintext content‑address committed by parent | ❌ | ❌ | ✅ storage_key | ✅ storage_key (Layer 3) | +| Walkable from root via IPFS gateways alone | ✅ | ✅ | ❌ (master required) | ✅ (with `forest_dek`) | +| Walkable from root *without keys* (= no privacy gate on tree shape) | ✅ | ✅ | n/a | ❌ (privacy preserved) | + +The two key takeaways: + +1. **Walkable‑v8 reproduces native IPLD's integrity property (Layer 1) exactly** — the keyless `hash(bytes) == cid` check is run on every gateway fetch. +2. **Walkable‑v8 is strictly more private than stock WNFS** at the tree‑structure level — keyless observers cannot enumerate the HAMT shape, count entries, see leaf CIDs, or diff snapshots, because all of that information lives behind AEAD. The cost (versus a hypothetical "just adopt WNFS") is the design work to weave CID into the encrypted parent's plaintext, which W.9.1a–W.9.6 implement. + +### 9.4 Tampering walk‑through + +For each attack class below, the design rejects it at one of the three layers. Citations are to current code. + +**Attack: gateway returns wrong bytes for the CID we asked for.** +Layer 1 catches it. `verify_cid_against_bytes` mismatches → reject. Same defense as native IPLD. + +**Attack: attacker substitutes different bytes + a forged CID matching them.** +Forging a CID is a BLAKE3/SHA‑256 preimage attack — computationally infeasible. + +**Attack: compromised gateway replays a STALE parent ciphertext.** +The grandparent's pointer (in its AEAD‑protected plaintext) commits to a SPECIFIC `LinkV2 { storage_key, cid }`. SDK fetches by that exact CID. Stale parent's bytes have a different CID → Layer 1 mismatch → reject. + +**Attack: attacker provides bucket A's ciphertext and claims it's bucket B's node.** +Layer 2 fails: bucket B's AAD differs from bucket A's; ChaCha20‑Poly1305 tag mismatch on decrypt → reject. (Layer 1 may or may not pass, depending on whether the attacker knows bucket A's CIDs; Layer 2 is the binding defense here.) + +**Attack: attacker tampers with parent plaintext to point at attacker‑controlled child CID.** +Parent's plaintext is itself AEAD‑protected. Modifying it requires forging the tag without `shard_dek`. Layer 2 catches it. + +**Attack: a compromised master returns a WRONG CID at write time** (`S3BlobBackend::put` records whatever the master's PUT response says). +Later read fetches by the wrong CID. If the attacker registered other bytes under that CID, Layer 1 passes for those bytes — but Layer 2 fails because the attacker doesn't have `shard_dek` and cannot produce a valid AEAD tag. **Result: read fails (DoS), but no silent corruption.** A future hardening (W.9.3 follow‑up) is to have the SDK self‑verify the etag CID at write time (re‑hash its own ciphertext) to detect the wrong CID at write rather than at read. + +**Attack: rollback to an older `forest_manifest_cid`.** +The trusted root for cold‑start comes from the global users‑index CBOR resolved via IPNS + the `FulaUsersIndexAnchor` chain anchor (Phase 3.3). The chain contract enforces strict monotonic sequence: `require(newSequence > sequence)`. A compromised master cannot regress on‑chain state. + +### 9.5 What this means for end users + +- **Your data integrity is at least as strong as native IPLD** for every block fetched via a gateway, even when master is offline (Layer 1). +- **Tampering is detected, not hidden.** A malicious gateway, transport corruption, or compromised master triggers a clean error rather than silent data corruption. The combination of Layer 2 + Layer 3 means even a malicious master cannot make you accept invalid bytes — the worst they can do is cause your read to fail with an error. +- **Privacy of the tree structure is preserved.** Unlike WNFS, an attacker who learns your bucket's `forest_manifest_cid` cannot enumerate your file count, observe your folder shape, or watch which subtrees you write to. Without `forest_dek` they cannot even decrypt the manifest itself; they only see one opaque ciphertext. +- **Walkability requires the key, by design.** This is a deliberate choice: walkability for keyholders, opacity for everyone else. It mirrors the intuition that "your filesystem is your own private structure," not just "your file contents are your own." + +For the implementation status, see the walkable‑v8 task series in the project plan and the v0.6.0 entry of `packages/fula_client/CHANGELOG.md`: + +- **W.9.1a / W.9.1b** ✅ — wire format extension + manifest/file‑index `Option` plumbing. +- **W.9.2** ✅ — V8 node‑store seam: `BlobBackend::put` now returns the master's PUT‑response CID via `BlobPutResult { cid: Option }` so the cascade can stamp it into parent pointers. +- **W.9.3** ✅ — writer integration: cascade stamps `LinkV2` and `shard.root_cid`. SDK self‑verifies master's etag against locally‑recomputed `BLAKE3(ciphertext)` before stamping; mismatches soft‑fail to `None` so a compromised master cannot redirect future offline walkers to attacker‑chosen IPFS bytes. Gated by `Config::walkable_v8_writer_enabled` (default `false` in v0.6.0; flipped to default `true` in v0.6.1 / task #89 — every new‑format‑capable client emits walkable‑v8 wire bytes by default, with the explicit acceptance that pre‑v0.6 SDK readers will surface `WireVersionUnsupported` on newly‑written buckets per the rollout plan). +- **W.9.4** ✅ — HAMT reader integration: offline walk via gateway race + `verify_cid_against_bytes` on every fetch. `ChildPtr::resolve_owned` for `StoredV2` variant routes the embedded CID through `Node::load_with_cid_hint` → `HamtNodeStore::get_node_with_cid_hint` → `BlobBackend::get_with_cid_hint`. The reader path is **not gated on the writer flag** — the wire format itself is the gate. +- **W.9.4‑A2 / task #32** ✅ — per‑chunk CID hints (`ChunkedFileMetadata.chunk_cids: Vec>`). Writer stamps each chunk's verified CID after PUT; reader's windowed / buffered / ranged chunked‑download paths all dispatch on `chunk_cid(i).is_some()` to engage the cold‑cache gateway race per chunk. This is what makes chunked files (the dominant FxFiles content shape — photos, PDFs, videos > 768 KB) walkable offline; without it the W.9.4 HAMT walker only reaches the file index, not the underlying chunks. +- **W.9.5** — fetch‑order obfuscation (parallel‑batch prefetch). Privacy defense‑in‑depth; not load‑bearing for offline walkability. Deferred to a future cycle. +- **W.9.6** ✅ — master‑side pin coverage + batched‑pin endpoint with durable queue. New `pin_queue.rs` (redb‑backed, crash‑safe) + `pin_drainer.rs` (bounded‑concurrency worker with exp‑backoff retry + dead‑letter). PUT and multipart handlers enqueue per‑object + bucket‑root + user‑external pins; drainer dispatches with retry. Verified by a 100‑pin crash‑recovery integration test that drops the queue mid‑drain and observes every pin survives. +- **W.9.7** ✅ — scale + stress tests. Block‑size assertion at 1k (regular) + 100k / 1M (`#[ignore]`, operator‑run). 100k empirically: 12,431 HAMT‑node objects, largest blob 17.1 KiB. Architectural finding: a single directory containing 100k+ files produces a `ForestDirectoryEntry` blob exceeding the 1 MiB IPFS gateway limit (tracked as #72). Distribution across folders — the typical FxFiles user shape — keeps every blob comfortably under the soft 64 KiB warning ceiling at every scale tested. +- **W.9.8** ✅ — documentation, CHANGELOG, release notes. See `packages/fula_client/CHANGELOG.md` v0.6.0 for the full rollup including the operational rollout matrix, compatibility matrix, and the three operator‑facing caveats (single‑directory cliff, public `put_object_chunked` partial coverage, `chunk_cids` plaintext‑posture clarification). diff --git a/encryption_diff.txt b/encryption_diff.txt new file mode 100644 index 0000000000000000000000000000000000000000..f6b941b46967c9cf565b46b4130664be6c965e7c GIT binary patch literal 45500 zcmeI5eRC8?lE&xni@5*p1I+qjIoVzb^R|G`-d(`>%z0S|!0U_HxX=g*uosZ9B*5%0 z_aW{B-(CLd(W9(>o9WRD_H7Uf=$Yy6>a47Mc`~!A`hWjtYx4c%ar{jutMT_FzU{~7 zjmg=`=43aH`;$kLz4-Qc@^bPlzOTmb&*G{_lkGTnHqPzFFK5el?szkK5x;*w*@^RO z@qI5^dw7Da{o~{xqV?^`Ry^^?XnSjNb#f&>UkNHU;)!eV>G9-J{Bm`2adJ7XI5+tu z{(c?bE>5_cey*NyA8GgF@^|vR{oUkuLG9|~eDvX0rAHrEpLOY7}2NkjP1B@I=L3@Z^k#q z`caHQUdP$|b}!CuMvE`vpCqRH+}&t-zet*-M$~>C*T0$EYn{6t*KNnYCvkSSQ1WdY zH=_L)@ypgkcioC>9><-27Nf1d*X7LKWWDt3c|4b=T@Q)g2`RlEEo~n3a_fLUA1}D~ zuY-3_56|2U-Pw=6ph;-a{vln(4>gGIFot8zb^% z^vCzK$N5I|{blfh(cGHcj8B_!HLZ!G>Qz$UTd5x8on9v{jz4QFy->E$x&ZL9t{I z$*bG%KHWBAC!W0N!*{z!tPAt{};i9{on=C z^yj#DGrrB@%=hK$?+cfq9Eq1cOyl!*T=A;(?yJzO+o5Ys%`{!xaV_ICEo1klwE0id zX|(lS{0fceFXtIi?6aP+TE=awoZE}L829O9C1}K=BL^4a`%ch+47fdd%z3OWE&Uk( z&!_9d1F6`FHlSlQxIr5`<@vPpq-uRHeifG=2JJinUxEB41$oVja^|}@Cth;qaon?3 zXi5!dT;9Z!Hsi|2aikZF$;#wR>G`wx6&vODK8??uVU+njY2nNt;|ZIS&!UAZliy4} zj9*scIM2@BEB%m`e-=;uuv{-mOIxB5mDjKh@F;&Y`DpTO^zK=V%tjd_IQgn*!%Cc4 z3(vL|9sry1D6V*3==Sf7B)`*7?qWpo@Na^WPow3J3cuQvOee3448gD2xG*2xQDhGx!sU?WX<# z)bKp%0+hq0>yzJywtgMdT!?X&mqQPCOV7}j4~y=<3Mw}STAc+CnZU;rK1f`a?pmj3WxSC<-P=zUJcsl0nYGkSCwS1bWU`(}fu6Wo zMhTtg?&R@mPy?5I6;JSJiU*g12YuA^{RU3y>WE}rsF?O2g+wR+WFP7Eei=b5KGeSq zj-bOx4F77LCpJq?BY{Zou;r8W1j8fuZWDW~vG9mCWqtKf)~6v=+>0d1VoT%p%CAo* z{~EtT0qD|tf%GBw{oHyOXVDdN+!QcQ^ad%%Yl3Zr-O#Y_ij4v>@5Yl>%d><(E!o0i zwPf02A^(pCsCgaFL{qRrT=k^<57Nrf627bD%m`!}_bQ$Rdm(pF3@3!0_$Kd6+he__ z&^kU+K0r2^c7+F!nYMiXys(p_vaZ(wfwi%_Q50H&oINiV2YzB%9~E0q`~ z`6OhoDPiq)Y_E-MuKBRF%3EDD~h zwmY&@I|mxqZacqQdd(ThS;iztm&XO!8j=#Xm`F^14Ij~z*1m|fj+NG;mv|H`>3;Dg zwp)yv=|svmik#z(ESnjXnV$CXPPDrc7#3{yd5M&e9-$}Dr_R$;utUG5_P0qp&bDOh zvKkrvwC`FzDrOz4x$XA+{Y=;y zXNZp9R(kEGWm`@IO`DHt6_3`=hfDJQZO9l|9(r?hsgh2RLsuM))@76^Jg*4J5m{O^ zdaSHVUwo!WJMr$(xFY)K<4Hwi(~^f@9BFu57ac_*z8_oiGAs$GNKw5J!Q!aoXxwq` zWVyTF4r1P+zSjQEK6x0OBaNUwS;V)8C}pwDds}p1h>HCEX7GA9aKoc$o4)6nMW1Aw zn|@>(`CaM=zYiaHJ+R32$m-oFdA&bG_HaG&@z*B*5yxwhb$k%nzT4rkAA}!U?#ZU? zOk|tkj`LVpb7B?pEMz>;Db;!K%%LNaAY0nkuBYhaU`1FEBG>_HV~3(PvApgZALx$ z*`z7ku+Ig5>v=pUaU&5}#>@6d_{)r<(w{k&Aw%#YXcZ~7tv<8;Q` zTF^bN^~%jMQM~!F$e-3xJ~X9eZd0{Z5ZjC3_TR#b{Vk|ZE8iVc-(BBTdlBv*8@pRR zj6lXnN54Lqs`jyd!i&%&v|M9tnS@VxZ{@S8rO^Ae(C+Q9fq3*6ah52TQTkI<&z#E{ z=1rT5CWh$O(&N?<>Yd?cwpF;wIyvB zLA0^{e0qrmxT4*Dez*QJn?M-9o^9w~LB%_vKRMrUr_-|WqmD+%7b0)`N#NpNmHaVt zi+&w{=MOP+8zbKgea)xfy~&FkiQ6V6{r)8MM3swL5dKzGJRu~q_jN@FE5TeAddxGL z^JcO-3Ua{qY!qYx#v%io*;!@n`Z+9$xSL!TbC^C4sx&);C$wk!s44~Bs%xq)O#Yjh z4PY$l5YF#E4{J{bL0H0E$fGT$(Ad+0u$Y6#Kh5LBN~h-o?@*lw4Lyph>Rzq~MLfIP z3Z6Z=F>FzdZOKE73Wv)n*V^wu$bW;U8RlSH%1j&pt9h5ev1*{>%aBUgA_ z6Y(=O&w$Fa>V?dI6{o~~I0*iIbbvg;zjx#L_##m6xfq{IF~f}`^^>e1Z_lNO=POT4 zZisn)^ocezk4*a+AKVB!n1hM@^E)$xUX=Tg8F2o+xR)%9E3c{>a2K^}VeoleN_37M zkO$Muj#p)@gtE~OW)Lu+!hJ;-HREG5&Z2Knp?MlPPQu%!pCh@ptpoY)`e@5{zZVuZ zNa?O4;`&L#2>opwty<_=ke0jk=n1`r0&2m`sMrr%upWGpWKtD&E>QG9q2}*y6%;dU z^{nsahTByCmBAw#LTZ>L*_8|50Tt*8SE-Ttnm z(QiAO^mH>8wo&c8j^@1C+n|Tg*PV-!b2C@t8qK^w*O5lo`^HeF{5kg9HCN^ZblZ2);TU6e1wfxFz1Ut^6Sd?OrypB_V*B+~QYGz#^+Lh@74$Q)U!CvXs6dZwN=l~H6|$;L4QACC{8 zW+kIoqc~MU+p|e6_daSw6W3`ZC3T5$m}6=zwpVmf*0#oY>R}sYfv)Hq_rETEGFD2I zJZvp&%|OOHk$I(1m|j}5ev!VD%Wm8cT9qFgn^{QR1EJ?yg7p|jW`meYe0N%^MX~VF zV&HMHuVY@zLHB6hC)V&BLO6{KlF`NcY9@B=U+eMFUG#j6FO}B?S7TWjX|OakAk5zoG2ZKf^w4m(IecV(8&XX)hh;%WrK!Z} ztU)8^`a#gatSGIZ$%y!D+#&fUbB^u{lRu9;Bq@ouE{B~XcE1`_5xZXwlyx<}pO0Tp z9&M2eR?cy_?>;kc=K0Fxm%;IjOS>b=FTzHkE{)PJ;}?GaAm(vji`pdqL-V0M8@F9; zFuMCT+R*wUYWbRPkM)3`Lpf*nL)nsH%d{+xku3+oWNc-RUe5_eW{BVHeI$cpJdAsN zFZiW-H+W9`soPrY$ym=wt+(mRS((DPXbww8^JAz&V>LH|HdLFc(TpQ|utTopz(>mm zre(!rw{c*5rnX1VM~zZ*eM;J2{N|m)A*dinU@6fYXQYl_n0*cP?YY*o&{ymbnGsvv zasHP1Y0_@lQCfGjOSO!3GC6L@4*HsLm?AUIny{~H+DJ#@c%(v$JGFg&Es6kgr zuKOz$Y5Rt4fu)TKsPc%kn<%1i2q)t6b5= znKs|V{iD`Ecv9bZ@LSs-)VU4G`RP>{=F6bDyB<_(My_>y5k-r!6%yRUOWh2R^UBmT zt@*@JSd1S_Zc1?-d8^D?C?f=C+x}pz2e(|Pm*&Fok*Mv5VgpU*T3AbdTf`@~nO4*- z7%wlPA?H-NtvtH!!6?_r=~7^)%u`(n#KiY=kqMH8{i}Br}O5}-mZs?;g;jO zF;$bJts3gqTF|BWv>A1D{hzhAMj@I(*^fTP`|v~oW4(AH;=jLKgZXTP+s!oiiu8oW z!(%fHi(@~_!QWff;7WM8dN+})@m;fIPoqYY$k`TY__%D=;P^R$FNz<&b%>{auDOCf zdAAjEoH*oZ##y_0PeA{U9&Nd0(F-P3HX~7xvF7{O3oK8Kx9fYvy>}CPdBomFUYea@ ze$?K^GOO(5kVG%aFD@4W_R*mTLR2J*7>YFP^@g(w$EV14NnTrVPR%);U&NU)eZjJI zy~*47&9fSez`9rY7f187<@oSoWY9k;^A^}Ik98xg7-3c%-*r{a*S{I|EN2doS+48( z!xRXaCyply@cfinR4m!A=ysrR%?z)`Z8I6+)Iz6^Fizt#Z!PAQsI=^Bw`t zIY_GfZD_KqsD1<(3*({vm^pV8FUUkBCbCv|46^8)3bc0R|wNg44k!^fc!@g2?@4qIs1jq!O9 z=4N;vSLPWqtI*t0QKLviuX>NOC}URTi?Xae?1kLq6JN!M{P!=k?+Y|FX9DYK)DqDD z?;^KBoyWB*RZwdQ!y0OqBa*O)TjW3B0ojXoy-ih@<*Q_4^9cR90jlMi4T_&Mc3+F% zw5QNX@0>EsA;-C0%xQgg9#;NfUdAJPCHp=6RLgt%`S+QRly7G<#PQ{4S-kr>7Ses8 z7GtU!zkD7$E#kMjn$O&3Zp7UGjY(8{`nxXGt3WT2HAYiBRVbF-Z>OZ zBK(D|1Tn1!MM5Q-DJDCntLkbMncQokvse~t2TJ`0HD_{M zjQk9HGBK0mleqJw5T|wSG;=cMY*wI#vou{}wr9K4h|Ji@{PZKUF%g;RwO90UI08FfrEYybVxyCbiN?f2Cs&v5@^+bs=Zhi-w_+q@-H%eO zme=cQog`s=R&ktn$XU$&@euKVXFT=mx#;STn&x}d_M9ei!;2%MdDcT7&k>JuGtC&O zzYo^8alUKOe92`z%c8d0b<5hGyLQuGl^<$3^{Fdk=EJ+5Aw4#;C@V~Uv-ySz=G~sg z%xE~=7dP`;onzwrnb7%eEp@qwZOAWsT!w6e&ySx2J?x#)m%856x9Z(BrM2EZTP~%4 zV+QP8wr<_Q+dZzxCtz zF+yhhjjR`~V4PzZQ9O9jRw7(s_W3|Zqag_Je z>S?_n!qpovCb|Qvq^?}ksNF`GVXD1ARu1PS)bCc&4AiG_H+ymZC0YX2f#$%0o@d*w z;ESf~(K<*LOQ$S9G^h#y*3CW7XVFu=^Ppa-d9PfneL`hJ8Gn4U?1Q8MXQsYLHdm;K@l2fl?_nA4#L6($5t{4z>c|3F z9iocy28F&ksLIX`Y9_29X!ls}UV9KUATLdt6c@OU9^us(1L_paztB6$7z=vjy?KV{ z68-e7`BtB^@mx5?9x+4HR79^H*gzj*~x-F^y4ffYxoR%+P-U< z8$wCafjebRzT%_LqAtzs7v8FtBZ!x6bJ;QHOUBbHGHaV1ZY{>&P0 zbo?^T(ALdEEn)3ZbG4+rADkWT{qPy@!^-LrNpM&1($dJzV5?;bj-qv*3pS6YpF-;r zBlweK`C4%QTC5pfJ>ZYuYAFrR`DwEQUxKA)P7${BX|c@Osl>YpAnjgRno_4q@ouq# zaK<#`QPl7jy01f%kUwQUZS&gJlD6?b$i3G0GUJ6E4V05$9!g5FBpj^5`?zE)Q>T&& ze-btKgD+nfO1u_`Rk2u1^dfi9%Y5lqWpC}fagTev+OhMhGh;W=BJ=|rJ3rIIew*}F ztKhv>7E3{dLkOns;2=P|bEt^9P(6B_pPa0{EyEHTD=Id2Wd9OL=#ml4!x z5PgD2g>uH=uc18ZacGBU(4#Dkv%Ji6WDS<~&|5TTcY0(5e zNiU``lh*G8JQuSaug6`9Qu}R)DRa)Me?Q?avX_5C8_}|7A-(h4_j8)DKKIly%aw>^ zJhPEn8nZ)~*?5w3kxhw@^&Tc|i^<+4KZY&vyS4i){s+Zwd{8u#HHzN5#O)6skMm?9 zDLtEa0t`h2c%I$R!#Z~AM&zbZQaL^|>KT*Z-+6nLp=mEdYE@AttA}lvg?tM6&ew2J zl~IcKbF|F1=ben*!(oW3G1REO;T<3FNcOr&IR1{lGGpp~@t?WxE3uQWC96xu4eh24 zzjdYd<724Fd8o9r9hd=&(Hs?_4DB*Ayen7MWxDSOw3PU0ztP6z+K0>WzHq?LYqqCw zyS-KIM~C_{ehaVU7YJwG=;u+wZX6ra8KsfBz={$pC2!< z|CSZM<)B7MHUE8G@{ucv#{3S_Ci<}rz;AJee50*y4yE?|Yj`xR|Q6R1$tAy3XOXT~t)A~Ex z;LMV|!WfF`oC58sT1^zLIV?z^e*H4ei8uR^M;Mzsz;9XqmCGAL75$~(%{`?udeYm( zpr(%Gyx$agFYS=&9@$HRVY<6PjiE@jRNnnN|7u$u>?0QQD2~(ay zYoJJEI5nk;0HAlFatS$?Btz-_KCBpF%9o> zH;f83)$BC?eWA<=}V9uYU^X(%IFnH^QcKr!aP&BLWayF?1l)1s#>`=se9*9apUlb^xppbb{TzqD(x}j44jIeC369v z<;y@tMBd0YbqsWXyd&4J<0GSsbWbP$Trj1xon6aP>k7Wax-wLYFv7PUJMwa#P}zy0 z7(yC*zx1tHZxqUN{@p!l<5M9R;UU|Ux(7mw(spF~L2wyOuCHNKY;p4_%9`~$)<~UZ zeZX0A=2Fk2YMHu#vJY7e;2klmAqhf`NIO=CcZfGHYZF~Yaxe2T=Y=%XV(ED5>{Qp}1-lmDj2IJoc4 zI{D7PX06=ZY}RMsIhqQEX2*tM_97$!~kch9y`POXBJ~;bE3V1&q}=@2~Nb|L^CEtiiIF z0A#_Nz}x5`y&>n{gjR0GHIL(nB~=7i>*vvHN%=NS#a;Pif2#G1`kCUk-S9YYqV`Ld zN~KAA-r$#bH{8kYc>@aezU}PlkF9!Is(NPvAJjAWkozyv`(z99BhKVyq~~?} zNN`f)PtIIz1WkHN2=p=A;>Wm}JXWpkzlc%!Abw$X!bZsAtC0LpD;hqHy@=k%6>tmd znN&DN%1WXs@X?fbXC+B&@&a0#7EBWBE2zVpUu4tikLJld4ST;C6oWc>pM?BmUyn^) zYWjtk^Gc4~ntmz1^WKQlc}v%ED!NF}^0nmUo|w}1E}qu3SgFaB&xNuMwqK{$1?BO5|`Rokz9eR z5aZsmCFDhXjBjhcTdIv3=kaDyj)*K%|NXWzLzPiMFIb5;k&RshCVnrn(3Gk9&3-^<00Xw)Hws?Tp@9EfBXi^WxESDX6B z+*#)N8KQ4W)ajZ0*@tF)hy=5DkD@ZgD$Xh5gE!)w^PY|y({6Hwat-tfw4>OC^`!Ev zMDp~)_9>6jLB+E3ax9MDXV6965d6N@5AAWjz?3_?? zTb~x~e4x5T*W+lcK(vnY!ET;YZ;sbvsm#CeZ@yQ^*Urm5_?o(|%Lon81x`{%Lou$h zqRQvGt!B;#Ny-f8tYMR^;j`fXt;h&iMi@))@nh=eQ-x0a`A~|rt3MG0R0<&zBWC+U zIx1ghx>C+^uCP21F_ohKAx@zMTHnDsG3kpk0a3LZ_>%Z3cA?a$O1?6k7@nkpq(GSu!27ip1lQ4eeGOg)-L1U3fW&=-m_3@d8?kzv} zpv_C=KDyFpt?;qVLyf(s={Fs3FS>j2%!2VV3YsXZ+si(mXsa^p36V)(WiO)L0?Bt} z&C=I2?XEptzs}TFXc->}O~x*MZpx%rgQX@8S;~1-9o@$o4<5~v&ZDW$!!GAzRkJ>d zC!I%6bF8u6^L=brCYSNCZQtvPM|*CIF(Z^)qo<|TNCvPOW!OVy{i)9S+4Ez&wKq+j z@e?9amV_)A^7iB)?loe*9GNSss9qJpPBE7bYN)5NU#2wbs~Cs#C0Cue5&w>tcjOMD zBWF>sKOvv!Tqi4SshSe|Iy2g=)O+@Z-$>i!cXD2zL>c@h3L<~$D9xUg_!f&Id&7CO zeCr^SO~napL?5&(kE_P%|J(B=nmKUcyf$6=oz>vmy_s{yuU`**w|ciYi*+uzs#R4P z?PU(fvry`}Cs_=;umHxjiYNVhn7yFVHIv6n-0mvVC9yTKFXjFc7nKdZu|AOHXW literal 0 HcmV?d00001 diff --git a/packages/fula_client/CHANGELOG.md b/packages/fula_client/CHANGELOG.md index 43623a1..6fa9a0f 100644 --- a/packages/fula_client/CHANGELOG.md +++ b/packages/fula_client/CHANGELOG.md @@ -5,6 +5,142 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [0.6.1] - 2026-05-09 + +**Walkable‑v8 writer flag flipped to default‑on (#89).** This is a wire‑format default flip, not a feature add. v0.6.0 shipped the entire walkable‑v8 stack (writer cascade, reader cid‑hint dispatch, durable pin queue, dual cross‑platform parity) but kept the writer flag default‑off so the v0.6.x rollout window could let pre‑v0.6 SDK readers continue reading newly‑written buckets byte‑identically. Per operator decision (*"that is ok. turn it on globally as when we roll out everyone will update"*), every new fula‑client / fula‑flutter / fula‑js Config now defaults `walkable_v8_writer_enabled = true`. Buckets written by v0.6.1+ SDKs emit `PointerWire::LinkV2` everywhere the cascade fires; pre‑v0.6 SDK readers encountering a `LinkV2` blob surface the typed `WireVersionUnsupported { context, postcard_error }` variant cleanly (no data corruption). Operators relying on the v0.5‑readable wire form must now hold the flag down explicitly via `cfg.walkable_v8_writer_enabled = false`. + +### Changed + +- **`fula-client` `Config::default()`** — `walkable_v8_writer_enabled` now defaults to `true`. Existing tests that constructed a default Config to exercise the v7 path now pass through the v8 writer cascade; the only test that asserted "default‑off" semantics was renamed to `put_with_explicit_writer_disabled_returns_cid_none` (in `crates/fula-client/tests/s3_blob_backend_returns_cid.rs`) and explicitly sets `cfg.walkable_v8_writer_enabled = false` to keep covering the disabled‑writer path. The fula-flutter test `fula_config_default_phase_2_x_fields_are_off` was updated to assert default‑on for this field with a load‑bearing comment that flipping back is now a deliberate operator action. +- **`fula-flutter` `FulaConfig::default()`** — mirrors fula-client (cross‑platform alignment is non‑negotiable per the project memory rule). FRB binding regen tracked separately as #87; until #87 lands, FxFiles mobile users on FRB‑generated bindings continue to see whatever the prior FRB run produced. Apps that pin field values explicitly (the documented FxFiles pattern) are unaffected by the regen lag. +- **`fula-js` `JsConfig`** — the `walkable_v8_writer_enabled` field's `#[serde(default)]` was replaced with `#[serde(default = "default_walkable_v8_writer_enabled")]` plus a new `fn default_walkable_v8_writer_enabled() -> bool { true }` to defend against the silent‑drift trap where `bool::default() = false` would have masked the flip on the JS surface. Verified against `serde_wasm_bindgen::from_value` (the JS→Rust deserialization entry point at `crates/fula-js/src/lib.rs:499`); the custom default fires for any JS caller passing a config object without the field. +- **`docs/wnfs-comparison.md` §9** — W.9.3 status line updated to reflect the v0.6.1 flip; the "default off during the v0.6.x rollout" caveat is now a v0.6.0‑specific historical note. + +### Operational impact + +| Scenario | Behavior under v0.6.1 | +|---|---| +| New SDK install, app does not override `walkable_v8_writer_enabled` | New writes emit `LinkV2`. Buckets become offline‑walkable on first flush. ✅ | +| New SDK install, app explicitly sets `walkable_v8_writer_enabled = false` | New writes emit legacy `Link`. Pre‑v0.6 readable. Same behavior as v0.6.0 default. | +| Pre‑v0.6 SDK reading a v0.6.1‑written bucket | Surfaces typed `WireVersionUnsupported` on the `LinkV2` portions of the tree. v7 portions (siblings of mutations that haven't cascaded yet) read normally. Lazy migration: by the time the cascade has touched every shard the user has, the entire bucket is v8‑only. | +| Rollback to v0.6.0 default semantics | Config flag flip: app sets `walkable_v8_writer_enabled = false` and re‑deploys. New writes resume `Link`. Already‑written `LinkV2` data stays readable by any v0.6+ SDK; pre‑v0.6 readers see the typed error on those nodes. | + +### Verified before release + +- **fula-client lib tests**: 187/187 passing; integration test `s3_blob_backend_returns_cid::put_with_explicit_writer_disabled_returns_cid_none` exercises the explicit‑false path (renamed from `put_default_off_returns_cid_none_*`). +- **fula-flutter lib tests**: 8/8 passing (the inverted `fula_config_default_phase_2_x_fields_are_off` assertion is the gold‑standard regression guard for this flip). +- **fula-crypto lib tests**: 324/324 passing; no behavior change at this layer (the wire format is unchanged from v0.6.0). +- **wasm32 cross‑platform check**: `cargo check --target wasm32-unknown-unknown` clean for both `-p fula-client` and `-p fula-js`. No new warnings introduced. +- **Test‑semantic audit**: the helpers in `crates/fula-client/tests/offline_e2e.rs::build_client` and `build_client_with_cold_start` now mirror the post‑#89 FxFiles config under default‑on; this is intentional (the helper docstring states "Mirror FxFiles config"). Walkable‑v8 reader tests (`walkable_v8_offline_walk.rs`) explicitly note that the reader path is not gated on the writer flag, so the default flip does not affect their coverage. `blob_backend_retries_transient.rs` exercises raw `BlobBackend::get/put` retry logic, not the cascade — unaffected. + +### Limitations (unchanged from v0.6.0) + +All v0.6.0 limitations apply unchanged. Specifically, `put_object_chunked` (public unencrypted‑debug API) still doesn't engage v8 offline reads (#51), and resumable/streaming chunk‑CID stamping was closed under #80 in v0.6.0. + +## [0.6.0] - 2026-05-09 + +**Walkable encrypted HAMT release.** Closes the offline-tree-walk gap **for production-encrypted chunked files** (the dominant FxFiles content shape — every photo / video / PDF > 768 KB written via `put_object_encrypted_with_type`). The encrypted HAMT now carries content-addressed CIDs alongside the existing master-S3 storage keys at every layer (HAMT internal nodes, manifest pages, dir-index, file-index, per-chunk), so a key-holder can walk the entire tree via public IPFS gateways without contacting master. Privacy is preserved: keyless observers still see only opaque ciphertexts and learn nothing about tree shape, file count, or graph topology. Default-off in the SDK so old SDKs can keep reading newly-written buckets byte-identically; flip the flag after the v0.6.x adoption window. The public unencrypted-debug `put_object_chunked` path still needs the redesign tracked in #51 (see Limitations). + +### Wire format (additive, backward-compatible) + +All new fields are `Option` / `Vec>` with `#[serde(default, skip_serializing_if = ...)]`. Pre-v0.6.0 SDKs reading new buckets see unknown fields and ignore them; new SDKs reading pre-v0.6.0 data see `None` everywhere and fall back to the legacy storage-key path. No migration tooling required. Pre-v0.6.0 SDKs encountering a `PointerWire::LinkV2` blob (only emitted when the writer flag is on AND a v0.6+ SDK wrote that node) surface postcard's "unknown variant" decode error and refuse to read that node rather than corrupting state — the postcard enum-variant tag is the forward-incompatibility boundary. Operators filtering error telemetry should match on the typed `ClientError::WireVersionUnsupported { context, postcard_error }` variant (#81 — landed 2026-05-09). The variant fires from `Node::load_with_cid_hint` whenever postcard's variant-tag-decode hits an unknown variant; the parallel `FulaError::WireVersionUnsupported` is plumbed through fula-flutter's `error_code()` returns `"WIRE_VERSION_UNSUPPORTED"`. Pre-#81 telemetry filters that pattern-matched on the postcard error message string still work; the typed variant is the stable handle going forward. + +### Added + +#### Wire format extensions (`fula-crypto`) + +- **`PointerWire::LinkV2 { storage_key, cid }`** — new HAMT pointer variant carrying both addresses. Postcard tag `2` (legacy `Values` = 0, `Link` = 1). Test pinned: `pointer_wire_link_v2_roundtrip`, `legacy_v7_decoder_errors_on_v8_link_v2_blob`, `mixed_link_and_link_v2_in_one_parent_round_trips`. +- **`ManifestRoot.shards[i].root_cid: Option`** — per-shard HAMT-root CID hint, populated by the writer cascade. +- **`ManifestRoot.page_index[*].cid: Option` (PageRef field)** — manifest-page CID hint. +- **`ManifestRoot.dir_index_cid: Option`** — dir-index blob CID hint (dir_index_etag and dir_index_seq stay; cid is added). +- **`ForestFileEntry.storage_cid: Option`** — file-index object CID hint, stamped by the SDK after the encrypted-content PUT returns. +- **`ChunkedFileMetadata.chunk_cids: Vec>`** — per-chunk CID hints, parallel to `chunk_nonces`. Empty Vec = legacy. When non-empty, length must equal `num_chunks`. Test pinned: `chunk_cids_round_trip_via_json`, `legacy_chunked_metadata_without_chunk_cids_field_deserializes_to_none`, `chunk_cids_empty_round_trips_via_json` (verifies field is OFF the wire when empty). +- **`BlobBackend::get_with_cid_hint(path, Option<&Cid>)`** — new trait method (default impl delegates to `get`). Lets the offline reader forward the CID it learned from a parent's `LinkV2` plaintext down to the storage layer. +- **`HamtNodeStore::get_node_with_cid_hint(&StorageKey, Option<&Cid>)`** — same shape at the HAMT abstraction. +- **`Node::load_with_cid_hint(key, Option<&Cid>, store)`** — sibling of `load`; the resolve dispatcher used by `ChildPtr::resolve_owned`. + +#### SDK API surface (`fula-client`) + +- **`Config::walkable_v8_writer_enabled: bool`** (default `false`) — opt-in flag for the writer cascade. When `true`, every PUT through `S3BlobBackend` parses master's response ETag, self-verifies it against `BLAKE3(ciphertext)` recomputed locally, and stamps the verified CID into the appropriate Option field. Default-off for the v0.6.x rollout window so old SDKs can keep reading newly-written buckets without seeing `LinkV2` pointers. +- **`walkable_v8` module** (`crates/fula-client/src/walkable_v8.rs`) — new internal module with two helpers: + - `local_blake3_raw_cid(bytes) -> Cid` — computes the CID master would emit for `bytes` (v1 raw-codec BLAKE3-multihash). + - `verify_etag_against_expected_cid(etag, expected, bucket, path) -> Option` — soft-fails to `None` on mismatch with a rate-limited `tracing::warn!` (deduplicated per `(bucket, path)` per session via a process-wide `DashSet`). The mismatch dedup defends against a chronically-misconfigured proxy flooding production logs. +- **Reader cid-hint dispatch** — `ChildPtr::resolve_owned` for `StoredV2` variant now forwards the CID hint through `Node::load_with_cid_hint` → `HamtNodeStore::get_node_with_cid_hint` → `BlobBackend::get_with_cid_hint`. On `S3BlobBackend` the `Some(cid)` path routes through `FulaClient::get_object_with_offline_fallback_known_cid` (the cold-cache gateway-race entry already shipped in Phase 2.4 / v0.4.0). The reader path is **not gated on the writer flag** — the wire format itself is the gate. Buckets written entirely under v7 produce no `LinkV2` entries, so no `cid_hint` ever reaches the storage layer; lazy migration on next write. +- **Per-chunk reader dispatch** — windowed (`download_chunks_windowed_to_writer`), buffered, and ranged (`get_object_range`) chunked-download paths all check `chunked_meta.chunk_cid(i)` per chunk and route `Some` through the cold-cache cid-hint variant. Without this, even after the W.9.4 HAMT walker reaches the file index, the chunks themselves remained unreachable when master was down — that's the gap #32 closed. +- **Cross-platform parity** — `fula-flutter::FulaConfig::walkable_v8_writer_enabled` and `fula-js::JsConfig::walkable_v8_writer_enabled` plumb the flag through FRB and wasm-bindgen respectively. Both targets compile clean; flipping the flag is a single toggle on every platform fula-client ships against. + +#### Master-side pin durability (`fula-cli`) + +- **`PinQueue` module** (`crates/fula-cli/src/pin_queue.rs`) — redb-backed durable pin queue. Closes task #23. Records keyed by `(cid_bytes ‖ target_byte)` carry `target` (`MasterCluster` or `UserExternal`), `pin_name`, `bearer_token`, `pinning_endpoint`, `attempts`, `next_due_unix_ms`, `dead`, `enqueued_at_unix_ms`. Operations: `enqueue` (idempotent), `pop_due` (per-row corrupt-blob tolerance — one bad postcard record cannot wedge the drainer), `mark_succeeded`, `mark_failed` (exp backoff 500 ms → 5 min cap with 10 % jitter, max 8 attempts then dead-letter), `purge_corrupt_record` (raw-key delete for unparseable rows), `pending_count`, `dead_count`. Crash-safe: every `enqueue` is a redb commit before returning Ok. +- **`pin_drainer` module** (`crates/fula-cli/src/pin_drainer.rs`) — background worker. `drain_once(queue, dispatcher, config)` does ONE batch via bounded semaphore (default 32 concurrent in-flight pins). `spawn_drainer_loop` runs forever with 1-second idle poll. `LivePinDispatcher` wires `BlockStore::pin_with_token` (master cluster) + `PinningServiceClient::add_pin` (user external). +- **`AppState.pin_queue: Option>`** — opens redb at `config.pin_queue_path` (defaults to `/var/lib/fula-gateway/pin_queue.redb`). When `None` (path unset), the PUT and multipart handlers fall back to the legacy fire-and-forget `tokio::spawn`-and-forget pin path so existing tests + minimal dev configs still work. Production deployments MUST set `pin_queue_path`. +- **`server::run_server` spawns the drainer** on startup if `pin_queue.is_some()`. On a clean restart, pending records survive via redb durability; the drainer picks them up on the next tick. Verified by the `crash_recovery_drains_persisted_pins_after_restart` integration test (100 pins enqueued, queue dropped mid-batch, fresh drainer reopens at the same path, every CID eventually pinned). +- **PUT and multipart handler integration** (`crates/fula-cli/src/handlers/object.rs`, `multipart.rs`) — three pin records per encrypted upload: per-object CID (with `v8-node:` / `forest-meta:` / `object:` name prefix per path class for operator `pin ls` triage), bucket-root CID, and user-external CID. Each enqueue has a fire-and-forget fallback when the redb commit itself fails so a user's PUT cannot fail because of a transient queue write error. + +#### Configuration knobs + +- **`pin_queue_path: Option`** in `GatewayConfig` (default `/var/lib/fula-gateway/pin_queue.redb`). + +### Operational rollout (env-flag-gated, instant rollback) + +| Phase | Action | Observable change | +|---|---|---| +| **A** | Cut and ship v0.6.0 SDK to apps. **Walkable-v8 writer flag stays OFF in app config.** | None observable. SDK now contains the writer cascade + reader cid-hint dispatch, but the writer flag default-off keeps every PUT byte-identical to v0.5. | +| **B** | Wait 4–8 weeks for v0.6.0 SDK adoption to reach 80%+ of monthly actives. Watch error telemetry for postcard "unknown variant" decode errors from HAMT-node loads — should stay zero (no v0.6 writes are happening yet). | None observable. | +| **C** | Deploy v0.6.0 master with `pin_queue_path` configured. Pin queue starts surviving crashes; existing PUT semantics unchanged. | Operators see the new `pin_queue.redb` file. `dead_count` should stay 0 in healthy clusters. | +| **D** | Operator flips app-side `walkable_v8_writer_enabled = true` for v0.6+ users (or default it to true in a v0.6.1 SDK push). New writes start emitting `PointerWire::LinkV2` and stamping CID hints. **Reader-side walkable-v8 lights up automatically when reading these new buckets.** | New buckets opened by v0.6+ readers walk via public gateways when master is down. No change for v0.5 readers reading new buckets — they error cleanly with `WireVersionUnsupported` for the LinkV2 portions of the tree, but read v7 portions normally. | +| **E** | Monitor 1–2 week soak. Watch error telemetry for postcard "unknown variant" decode errors from v0.5 SDKs hitting v0.6-written buckets — expected to be zero by step B's 80% threshold but track to confirm. | Telemetry stable. | +| **Rollback at any step** | Flip `walkable_v8_writer_enabled = false` and ship a config push. New writes resume v7 wire format. Already-written v0.6 data stays v0.6 — but readable by any v0.6+ SDK, so no permanent damage. Users on v0.5 SDK who hit a v0.6-written bucket get a postcard "unknown variant" decode error from the HAMT-node load path and can be guided to update. | New writes stop emitting LinkV2 immediately. Existing v0.6-written nodes stay readable by v0.6+ SDKs. | + +### Compatibility matrix + +| SDK version | Master version | Writer flag | Reader behavior | +|---|---|---|---| +| pre-v0.6 | pre-v0.6 | n/a | Legacy v7 — works as today. No walkable-v8 anywhere. | +| pre-v0.6 | v0.6 | n/a | Legacy v7 — pin queue is transparent to old SDKs; reads/writes unchanged. | +| v0.6 | pre-v0.6 | OFF | v0.5-byte-identical. Pre-v0.6 master sees no new headers / behavior. | +| v0.6 | v0.6 | OFF | v0.5-byte-identical for writes. Reader cid-hint dispatch is dormant (no LinkV2 entries exist yet). | +| **v0.6** | **v0.6** | **ON** | **Full walkable-v8.** Writer stamps all CID layers; reader walks via gateway race when master is unreachable. ✅ | +| pre-v0.6 reading a v0.6-written bucket (writer flag had been ON) | any | n/a | Reads v7 portions of the tree normally; surfaces a postcard "unknown variant" decode error from the HAMT-node load path for any LinkV2 it encounters (no data corruption). Online reads via master continue working byte-identically. | +| v0.6 reading a pre-v0.6 bucket | any | n/a | Reads as legacy v7 (no LinkV2 anywhere). Lazy migration: as soon as the user writes anything that triggers a flush, that subtree's nodes upgrade to LinkV2 on the next persist. | + +### Limitations (operator-facing — must-read before flipping the writer flag) + +- **~~Single-directory cliff at ~60-100k files (#72)~~ — RESOLVED 2026-05-09.** See "Fixed" section below; the cliff no longer applies. New users with 100k+ files in a single folder can flip the writer flag without restriction. +- **Public `put_object_chunked` debug API doesn't stamp `storage_cid` (#51 still pending).** This API writes a literal `b"CHUNKED"` marker as the index-object body and carries the encryption metadata in the HTTP `x-fula-encryption` user-metadata header. Stamping the CID would produce a useless cross-file-collision CID (every file's body is the same 7-byte marker), so #32 explicitly skipped this path. **FxFiles users on the production encrypted chunked path (`put_object_encrypted_with_type` → `put_object_chunked_internal`) DO get full per-chunk walkability via #32** — the gap is limited to the public unencrypted-debug `put_object_chunked` API, which is rarely used in production. Track the redesign in #51. +- **chunk_cids privacy posture: plaintext, by design.** Per-chunk CID hints (`ChunkedFileMetadata.chunk_cids`) are serialized into the index object's `chunked` JSON field alongside `chunk_nonces`, `root_hash`, `num_chunks`, `total_size`, `chunk_size`. Only the `wrapped_key` and `private_metadata` siblings are AEAD-encrypted; the `chunked` block is **plaintext-readable** by anyone who can fetch the index object. **This is not a privacy regression**: every existing field in the same plaintext block was already plaintext-readable at the same level pre-v0.6.0. An attacker with the index body could already enumerate child storage paths via `chunk_key(storage_key, i)` and fetch the same encrypted chunk bytes via gateway. The hints simply make legitimate offline reads cheaper for the same content already addressable. Future security audits reviewing the threat model should treat `chunk_cids` as joining an existing public set, not introducing a new leak. +- **Resumable + streaming upload paths don't stamp per-chunk CIDs (#80).** `put_object_encrypted_resumable` and `put_object_encrypted_streaming` write chunks but never call `populate_chunk_cids` on the metadata. Files uploaded via these paths fall back to the warm-cache offline path (still works, just doesn't engage cold-cache gateway race for fresh devices). Lower priority than the main path because resumable + streaming are less commonly used. Tracked as #80. +- **No retry budget for permanently-dead pins.** When a pin record graduates to the dead-letter state after 8 attempts, it stays in the queue for operator audit (visible via `dead_count()`) but never auto-retries. Operators need to inspect dead records and clear them manually. A future internal endpoint to surface the dead-letter list is tracked as part of #67. +- **`put_object_chunked_internal` index PUT body uses `walkable_v8` flag at TWO read sites within the same function.** Cosmetic (the field is `Copy`-shadowable and reads consistent values within a single call), but a future refactor that introduces flag mutability mid-call would need to consolidate the two reads. Not a current correctness issue. + +### Fixed + +- **`walkable_v8_manifest_block_size` integration test now exercises full v7 cascade (#75).** Pre-#75 the test called `put_object_encrypted` (which doesn't touch the forest) and reported only 1000 file-blob PUTs — the v7 manifest-page / dir-index / Phase 2 root commits the test was filed to validate never fired. Post-#75 the test calls `put_object_flat_deferred` (forest-aware), which on a 404-GET catch-all bootstraps a fresh v7 `ShardedHamtPrivateForest` per `encryption.rs:2847-2867`, and `flush_forest` then drives Phase 1.5/1.6/2 commits via `save_sharded_hamt_forest` (`encryption.rs:3723+`). Empirical: 1152 PUTs total (1000 file blobs + ~152 forest blobs); largest blob a HAMT internal-node at ~26.8 KiB — well under the 1 MiB W.8.3 hard ceiling. New positive assertion `hamt_node_max > 0` catches future regressions where the call site changes back to a forest-bypassing path. **Note**: original task scope was "pre-load wiremock with a fake-but-decryptable v7 manifest" (~200 LOC); empirical investigation showed the SDK already bootstraps fresh-v7 on 404, so the actual fix was a one-line call-site change. Test-only / dev-tooling change. +- **Plan W.8.2 wire-format-overhead claim updated with empirical data (#74).** The original plan predicted "5-20% relative growth" for v8's LinkV2 pointer overhead vs v7's Link. The walkable_v8_scale bench's new v7-vs-v8 baseline comparator (added #74) measured **2.2-4.6% growth across N=1k/10k/50k × 16/256-shard configurations** — meaningfully BELOW the lower bound of the prediction. The original prediction for "~32 internal nodes at 1k entries on 16-shard" was empirically **~135** (HAMT_VALUES_BUCKET_SIZE=3 makes the cascade deeper than the prediction assumed). Plan W.8.4's "no extra round trips" claim is consistent with v7-vs-v8 throughput within measurement noise (~5% at N=10k) — suggestive but not proven; tracked separately as #88 for direct round-trip-count instrumentation. **Operational implication**: v8 wire-format overhead is meaningfully cheaper than the original plan suggested; storage-cost projections based on the W.8.2 prediction can be revised down. Bench-only / dev-tooling change; no SDK or production code change. +- **Typed `WireVersionUnsupported` error variant for telemetry stability (#81).** Pre-#81, postcard "unknown variant" decode errors (the v0.6 walkable-v8 forward-incompatibility surface — old SDKs reading new `PointerWire::LinkV2` blobs) surfaced as the generic `CryptoError::Serialization("decode hamt node: ...")` wrapped in `ClientError::Encryption(...)`. Telemetry filters had to substring-match the brittle postcard error message. Now the typed `ClientError::WireVersionUnsupported { context, postcard_error }` variant fires for unknown-variant decode failures specifically, with parallel `FulaError::WireVersionUnsupported` exposed through fula-flutter (Dart-side `error_code() == "WIRE_VERSION_UNSUPPORTED"`). Cross-platform: native + wasm32 verified clean. Implementation classifies postcard errors at the boundary — `DeserializeBadEnum` and `SerdeDeCustom` (postcard 1.x's surface for unknown enum tags) map to the typed variant; other postcard errors stay generic. Master-side and SDK-side change. +- **User-external unpins now durable (#66).** DELETE-handler's `unpin_for_user` was fire-and-forget — failed unpins silently leaked pin slots on the user's external pinning service (e.g., quota slowly fills until manual cleanup). Migrated to the durable pin queue with new `PinKind { Add, Remove }` semantics. The "latest intent wins" idempotency rule (`(cid, target)` collapses pin+unpin into one record per key, conflicting kind overwrites) handles the upload→delete→re-upload race by construction: even if drainer order isn't preserved, the most recent user intent wins. Dispatch maps 404 ("pin already removed") to success. Master-local unpin (`object.rs:955`) stays sync best-effort per #66's minimal-scope advisor brief — failure mode is "kubo briefly down" and the next user write re-aligns state via the bucket-root pin queue. **Operator-impacting**: bumps the pin queue's redb table from `pin_queue_v1` to `pin_queue_v2` on first open; pre-#66 in-flight pin records are dropped (records lacked the new `kind` field). Lazy re-enqueue happens as users touch affected objects. **If `pending_count > 1000`** at upgrade time (e.g., kubo was down for an extended period and the queue backed up), let the drainer flush before deploying — dropped records that were ALREADY failing won't auto-re-enqueue; only freshly-touched CIDs will. Cluster GC eventually reaps any genuinely orphaned blobs regardless. No data loss (master S3 + cluster still hold the blobs). Master-side change only; no SDK / fula-flutter / fula-js / wasm impact. +- **PII-sweep bucket-root pins now survive operator cancel/restart of a slow sweep (#65).** Previously the fire-and-forget `tokio::spawn`'d pin in `admin.rs` lost in-flight pins whenever the operator killed `curl` mid-sweep (the symptom most operators have hit: re-running `admin-pii-sweep.sh` to drain remaining buckets silently lost pins for the buckets the prior run rewrote). With the durable pin queue (W.9.6), enqueued pin records persist in redb; the drainer resumes them after process restart or curl disconnect. End-to-end-equivalent under steady-state (`bearer_token: None` → empty-string short-circuit → `pin_cid()`), strictly better under cancel/restart. Master-side change only; no SDK or cross-platform impact. +- **Single-directory 1 MiB cliff resolved (#72).** Previously a directory containing ~60-100k+ files in flat layout produced a `ForestDirectoryEntry` blob exceeding the 1 MiB IPFS gateway limit (verified 1.66 MiB at 100k entries via the W.9.7 stress test); offline walks failed for affected buckets. Root cause: `ForestDirectoryEntry.files: Vec` accumulated one filename per `upsert_file`, growing linearly. Fix: stop populating `dir.files` on v7 writes; the `ShardedHamtPrivateForest::list_directory` and `list_subtree` methods now walk the HAMT for `F:` entries directly (using dir-local routing — single shard for `list_directory`). `dir.files` remains in the wire format for backward-read compat with legacy buckets; on new buckets it stays empty regardless of file count. Verified end-to-end: 100k files in `/single-dir/` now produces a tiny Dir blob and a max-blob size well under 1 MiB. **Behavior change for direct fula-crypto consumers**: `forest.list_subtree(prefix)` cost is now O(N total entries) instead of O(K under prefix) — acceptable per advisor, the method was not on any hot path. The fula-client SDK API surface (`EncryptedClient::list_directory`, `list_files`) is unaffected: those already used the HAMT-walk path. +- **Resumable + streaming uploads now appear in the encrypted forest (#82).** Previously `put_object_encrypted_resumable`, `put_object_encrypted_streaming`, and `resume_upload` PUT chunks + index to S3 + IPFS but never called `forest_cache.upsert_file` — the file landed durably on master but was invisible to offline forest walks (Phase 2.4 / cold-start). All three paths now register a `ForestFileEntry` after the index PUT succeeds, mirroring the upsert dance in `put_object_encrypted_with_type`. **Behavior change for callers**: these three functions now call `ensure_forest_loaded(bucket)` upfront, so a master-down state surfaces as `Err` BEFORE any chunk is uploaded — replacing the prior silent-success-with-invisible-file mode. Apps that depended on chunks-uploading-while-master-is-down will see honest failures; that's the desired end state. Crash-safety: the resumable manifest file on disk is now deleted only AFTER both the index PUT and forest registration succeed (previously deleted right after the index PUT — a register failure would lose the resumable artifact). + +### Threat-model preservation (changes vs. v0.5) + +The walkable-v8 wire format does not weaken any existing privacy or integrity property: + +- **Three-layer integrity for every offline-fetched node** — gateway content-address verify (`verify_cid_against_bytes` on every gateway response, byte-identical to native IPLD's property), AEAD decrypt with `(bucket, shard_idx)` AAD, plaintext-vs-claimed-storage-key recompute. The third layer specifically defends against a malicious parent claiming `LinkV2 { storage_key: A, cid: hash_of_real_node_B }` — under such a parent the gateway returns valid bytes for cid_B, AEAD passes (legitimate ciphertext under shared bucket DEK), but the recompute layer rejects because plaintext_B addresses B, not the requested A. +- **Self-verify at write time** — the SDK rehashes its own ciphertext locally before stamping the master-attested CID. Mismatches soft-fail to `None`, so a compromised master cannot redirect future offline walkers to attacker-controlled IPFS bytes. +- **Writer flag default-off keeps the option in operator hands** — until the flag flips on, no `LinkV2` ever lands on disk, and the bucket's wire format is byte-identical to v0.5. Rolling back is a config flip, not a data migration. +- **Privacy strictly improves vs. stock WNFS** at the tree-structure level — keyless observers cannot enumerate the HAMT shape, count entries, see leaf CIDs, or diff snapshots, because all of that information lives behind AEAD. + +For full architectural detail see `docs/wnfs-comparison.md` §9 and `docs/website/security.html#walkable-hamt`. + +### Verified before release + +- **~670 unit + integration tests passing** across fula-crypto (~320 in-module incl. 4 chunk_cids round-trip + 5 walkable-v8 reader + 4 W.9.7 block-size), fula-client (187 lib + 26 integration spread across 7 test files), fula-flutter (8), fula-cli (129 incl. 9 pin-queue + 7 pin-drainer + 1 BLOCKER-3 corrupt-blob regression). +- **9 `#[ignore]`-gated stress tests** (1k regular, 100k/1M operator-run release-mode) — 100k re-run completed in 19.49s release-mode, max blob 17.1 KiB, well under both ceilings. +- **Cross-platform clean compile**: native (fula-crypto + fula-client + fula-flutter + fula-cli) and wasm32 (fula-client + fula-js). +- **Two parallel independent reviewers per W.9.x subtask** per the dual-advisor memory rule (W.9.3, W.9.4, W.9.6, W.9.7, W.9.4-A2 / #32). Every BLOCKER and IMPORTANT finding addressed before declaring the subtask done. + ## [0.4.4] - 2026-05-07 **Hotfix release.** Fixes a fundamental cold-start bug: the publisher was emitting MASTER's bucket Prolly Tree CID (CBOR) as the `manifest` field, but the SDK's cold-start needs the SDK's encrypted forest manifest CID (JSON envelope). Result: cold-start (offline reads on a fresh device or when master is unreachable) failed for ALL users with `serde_json` "expected value at line 1 column 1" — CBOR bytes fed into a JSON parser. Cold-start has actually never worked end-to-end against real published data; the bug only manifested once production users tested offline reads. diff --git a/scripts/fxfiles-offline-open-bucket.ps1 b/scripts/fxfiles-offline-open-bucket.ps1 index dc84e4f..35b648b 100644 --- a/scripts/fxfiles-offline-open-bucket.ps1 +++ b/scripts/fxfiles-offline-open-bucket.ps1 @@ -12,13 +12,23 @@ # $env:FULA_USERS_INDEX_ANCHOR_ADDRESS = "0x..." # # Optional: -# $env:FULA_BUCKET = "images" # default; pick a bucket that has -# # forest_manifest_cid populated (images, -# # face-metadata, other in ehsan's index) +# $env:FULA_BUCKET = "images" # default; pick a bucket that has +# # forest_manifest_cid populated (images, +# # face-metadata, other in ehsan's index) +# $env:FULA_PROD_S3 = "https://s3.cloud.fx.land" +# # Real master used for #20 Phase 0 online +# # baseline. Override only when targeting +# # a staging mirror. # # Output: prints what each step (load_forest, list_files_from_forest) -# returned + the first 20 entries. Reports EMPTY-FOREST if 0 files surfaced -# despite the bucket being known to contain files. +# returned + the first 20 entries. +# +# **#20 expansion (2026-05-09)**: the test now runs ONLINE-baseline first +# (against `FULA_PROD_S3`), then offline cold-start, and asserts +# `offline ⊆ online` (HARD) + `online == offline` (SOFT, warn-only — +# publisher tick is 5 min so recent uploads may not have propagated yet). +# A missing online baseline means production is unreachable; investigate +# that BEFORE chasing offline-path bugs. $ErrorActionPreference = 'Stop' diff --git a/sharded_diff.txt b/sharded_diff.txt new file mode 100644 index 0000000000000000000000000000000000000000..9155c42316dadcfd5945a6b289f91b365c60c37f GIT binary patch literal 76734 zcmeI5X_H<>mfxS(j_|wr0M+UUTnt?$kVLaI&?Ar-aI?rrjT~+hdbFcKAX*X#n#Lc( zAK3Q!-GBY-WaiDgRH-D>Gem{-Z1-lKJo}b;|L^~~wYj&s6Ms9Kz4*HupB~5i>zmV? zo12I6`gn7D^C&*u*?hOTAD{Pz?|IlFmv^UCJ+`2XdAVL#rVi*IiP zYV(KL@t?#PcVfKcIl=U9@auz^`Q3o~<}fQ9@w-^v=bP6ypTuwQ z>g9k;{Q2|3JU?yTJB0K>K>jfPxRVh-i;-C8{TR*Tyj0-hUd#nl?*$%jjphMsk{m(K zs`cHyfc<{l^SAhhc`grEmfw1|#6EJS*=`1W_v7z&tp9P0@*prJy#Ewfxe{|ik&k1J zZ->!8hl1=fEzNE)2?+Q5Zp z-Kj$h%#+o2(Lf>z+``}l;;683fmz4q;J4Y=GHuDL%zhIAm& zI{}$s(@fhK``ZJEqz~^6G}#VU?rgT9b#KSL$W{JwBS!u%=D#(p>0Vs%D4^2#(i_ae zJXhl`D7kZ>X}^v;(Baa%th-z-+;Ba96P|@tjr-Ct-sxcuzu(#XbNqRRy%9Fxu&-lv z%y=(k4fwGjP-=JcB)-2Nl6O6RVP5WkJ%0H%K3$Ks!O`$}awn_V53RJnITOEWb^Dt) z;`1vp#*6U^JoWlNkFn5CjL5nl$Gf`&ZTKF%0N=ymw+F+@%>&SPFED&BuKp^nV>RM5 zG{)oL<8r3*{m$m^aeX`UPJGArR|W|5{=1^NAxcz1BG$%dGPV}aAtTqp+FMa zKS5y(8ZYPL8t}VU=qfDV*up%FEAIqPBE{BimM18zwLFR6 zk)W~O{V&5^rv|#Ugg@vTTD*+FhX(uEAe?U6S zIxE-nBz^;Ptam3Mza4nd``e*I`K5)Y#@o)I6La3PF$%Om$CZ{%y6d}u>V91D-sZ!Q z2`nOd5navt?gqqvh+pySteNZ~jI9N5wy_(M;GdP@ z+rnR9muP1v{I+d_F?mC9-A-T^%0bE72W!S^Vu{VgjDhdT_t2WTYYJ=!&qxuUcmRLx z+98MH-3Z%t{E%MHwHQ~{*Y}}iuElp+jaSHZmX~XTUvYP!K6lj;vyBx1<<91}o4*YF z2KT_tyCD~Fma%jpzPk}rxI5r%>}7*Vt{Lmh7dKxV%mMUMeyjN<{a5RDQ+M~!ekPrL z*NXv_*5SKk<#rFO-Si!@q}=6s&|h`U z4db(}fdd}~zVXv?bz@A7F>Wspdf|1GsUYe>ay|`Nv>tqGhz+f8-WkzA(eA?-;p^ZG zv@5EY3OJOV z2YWzCHX?mYeFx;SgMvZ)2XvAT^fLV7DD`>qJhZ|xvKH14x5@XwL$W-8uhg=Z!zmd- zmhg+rRp3+pk7nXn9d@%rlU|LY-H=t+1AUuB&flGQ=NxdZO&L-rsj z#Z_>obdV^C4~%r99guxu2qeMTD6-4@8}iWL86N@JkK8T`*ZT!OceSLujm6q;9 zhez}%{>-7sjv_gKQ(MfGXy8Gn#pyuc=qTm0KPS<4&nNnGtm$^F7<{1%(32Mj`C%2i z2O5*Q16l8e0)Jfp1?u%qS_g6^-yXJufCjZ+t#3;MhgS0H(>g+4eJum5Av z81@;g9~4oNvs6sO8i=Pd7l;huQDw}z6TkA8x<0Ke9Fuj3I?_??3y4Lq+64|4E#w>AJK#k4yw6{$18k$GsR~@? z#B;H_DY?WGfcLRFiaH<1JG>q^Y#YDaiWQ^TZ-$NlW4nW{U>#sj(wi~&t-gZzOfm46*@mGEyjdIkFYUi(`QLgV1{Tw1Sy?;CEqK-dBl< zK3uy8>qUOP37GB&-!U^>Dz3~Lgs>nx#!721%vpHm2Y1(Fb!buiKl0K zYrqGrdoh}_hSEL4fH@~E@U@5mq(`CTg}C=(jBt_`du*Y{HW`@|Myv;c9=d8(e2cx7 zokjjWjo)QEt>ao>9gfDT5{*FjDZcCL19;3wj}u*w>MWy-hj zLv|(Bj2`=8;0#l4+O{)OMo3h{=w*03-~egFud^jn&NAr$ci?r|W0&ks;jGM7KQ8S*N4m4!tkwSI(b{Wf$*Tl>5k_=3``XLrzy&^x^v`7l%7Hara8?0J?xh#<;U zm-t$yqV+C*2h=1Rf>xi)$V$iT#C7^xj+WsCU%fM-Kfv*KLtR-{m)WbVXkHD-dR58H ztgF^Irj4qHe<^T&agfH+liWsRZw)F9Brdi#`govXde}+7-dKt}6?r>{!)r$4m!dN9 z=Rq^URZt5K!W(U~!gX#-oe1y59W{LTn9?w1P6&!hZ?aZf3cRE*1LNO>cX&Exy;0;% zoNa(dFUP%T2gd?%2bL8~&hhyd8}bS@d}Dc$zlPplO^Y- zPCZT>SmUi9J;_qt7^A>nVVxmPnb`~3$oR{a6fVX~yc6Tq zuvrdTjW(B)gX`gdeylj=RatYdiReu>ytUob@p>@Uwg&Gttv9qU>2{PVC)h?_`aM=a zCv5>|z9^WiADDx4U0QR~BmC#Lm4bwe*t1qvWP^ZE|I`27JN*mzZy z(rS@4skPb5hxvHlHP$)KYnZ>(-GpyK$J5uLhb>RZbMiNne;jS3m-g(dX)gt~OX;0o zp=&&uhjmULkKpn!lGdpjMPA1&rL|OV;__YU$dkW8*JwMgxdEF=jmdpw+)>-%5<1tI z5SM}~lY69d z1N(q?Xo`c2#1m1fdN#!m{MvF4I=)XubVyc6mD6TELu-qxdM-0iVRnuYIGrDI53wU0 zuOAEdP3Rjz=R7acl=0YDM%9}{K0#iDeb4q%4@^wp4Ow#=k203DGB{E4*w zUXA5bUclbS3&6L#5+mFlGO^pRFmw@7<-Ha*c^k7^pV+%JrqK)c;yz+CJQ@3zDc!cm zHFf)RC7#(W^p&F-=fpj$>5E^ujW`E6RUQG)ncN0)X#dv!6_ViE{+Qcdp5V0-p6!sA zl{XG7@+{N~b~*A9e;VdRCn2}c!xds#J!hqnZOP@G!`Rxi;;zzyXBSj$XC3d_QY$y` z(y)r>(;oz+8IN3uwLTnT1isBmlzkbm&v_(S<;%kur7z=-8FHXhMYXTvOuWZGU_XmH zW~j~J_w9t2iFKmyZCX>7{crCN7*>U3e8(8#gkA6E{eve#)9EYr4|KzWkS(+%af88yZO~)aHt)nAcZvEfeEE5-Z_r^tIR0g6tZALdc>Q0^ zoe5F>4$ZU^8J|)zE#1l~+Fy{RN86}ILGGf}x2+bh=aNMBWy?Bb3SLW>NAzdEN}u&P zk{PFXt>((PYOc95t|LgLY8OvxC?>4G!j$!a?8#|N{4&zMyz68%y#G^6C(a_R((=ibv z_J3U(vt3&mH}%%;-?O*J>)v)5Eut*6&ijM7p_dTfe9 zrVLR9`yk;Rjq>!Gig8+LwkBJGXG&9P%#+kqjCk^zs<-x&(Nv85^qT4@9^FxO84#YN zE)#`%G4K)>wX%@9j4}JaYD~*TzDj3}KkNI96zHSRNa2m)6FoTeQb(+z*y3&^y7ko#3$TusWU zMG{%dqKiNo9%_r~@5{bnqAONQKUwCxv{Rgn09k+bz!S$2<#N5^U+7Nu))nhDu(jDR z@<4sv0_Dj=I$xvC{;Po{?KsuvnoFS;k@?+#8|m;4jepu%16$^YRHbTp9^SqmoKAk2 zwU;?7pd^>U&aK?R!M9))DVfS(t$~bnk$=ftey)wIlX~d(p>ySBF zlZKLZ_H{soL@3*r@^Uu5CwD_n>Z2iV)7u%k20PAV!ZX_Yf~0x(jCeb_#uXHEjc@?h zA!XScrnMl+^sO#wjj@#}>$~)`Vs)t1!O>Heo~VwKO^^{~n7QliAtN!BhiIuZhQt=L zga{oDR2fGSDZaR%`C5--dG2yfV?pa#2WJn)DSyb&j7J6vc_?%yCQip!mbl70S}aXL z(0X34M}F3x*V(}M%khab5#*b#^M(x3yjL{#hK!BUgP{Y_C#v}O_H`a7&Id2ivZec4 z3>unwD3UUBw5+M#hhW;1n}@)7upBMH;p>mW&#koibIoO(bVcqTzItis6L@2S%Pxnu zm4?J$^!hFh76YFTn_lKer+LMYm|A|tirgQx3S9TipzoC1Wj6$SSveDotb)1~v0`*| z{cxa%RB?VBnhCw{QOB?42%Pc6)w#2>y`IQjtAiuvI?eh0(gAdz1zgJR;`yrspGqSz z{xx2IKA3l!gPz5_K#(z`^YRHzyY`*Xc7JHFY3hNsj1uWEIeW-Q?4;3|P1;%0YOIsv zr50jabK-S&C)^BC z51&2b>`3I?P`6iK z#GQZ*%>hpF_ZiFmBqbHcuS{z zFa}sx-y$%tqoFt+%HNBXkmpu6iYbck4n;E~upMwvcDmD_@p|yKV*)rqr*3#}5V)s9 zT9s;g1lCZ~eM{6BRe#JLwCt5oe@)weKyC<3a}pOGE_qI}MZh4A$j$_50AhnRP~90u z0waomlrd2(uI>wSyLRHe8gtg&#CtJ<`+kV_)c+}nTk5ZYXf4+h;VQ=iJ#0gL`WmD%%)bo|{U~;7{V8&BXM>Zl8{ZCG%&9n7T}~$8)Rc^9*_lVK0Y5=HtIRP$ zr3ZuU7A~Qs;`!^VAgXubAjjx6Me_J2Xk>S)eG?MTXL4_F93F#YPjbqAj`!-wQIub= zo$w~eDY9zTM;^?17%;y(=o+xaUW|kp>1S8o&A2A@1UVh=?nKWbB?;@e`$(EQ|F>SU zMM8t1U$+6FJSd-x!!OB~=x*jii|f=QB2D_C$TS#dXrg7^XzQqzm-Z3=qqUiaM?Ubh z*O+V6JI``AxWJS|8(9MO2mMN1j@Be9HpL%BZ#BCse;9V(*s9?l?8ivh0508M^!9Lqte5c8<#QC@B8w?77kpAIk9z-UmS z6V57UabV^8r(&NZexnt=+?mqBk^)zXuAW7r?9E@AwMbHnG% zL95Rsqc1$jp9ZZmz4qx|4{{wBVuh?#+62$1jmGR zV_MfbLpjd1P0ij?&!3sk6gd;U7dnIgTtM?u_;bGxdf?f;8h^*5is$j_{i^->M851u zBWL-W;1PHU?BZMVDrzXMBhu4OkW*p9!2of(@+(B9_|@bW$V9*c*b0q@Jya$DPb&TC zQ-?fhsK```0yP~J^}HQk*e~g?2jkTPEI5baQ_ji6V2#uR@bCZ&wPcn1WjWt`JpTBb zjLmhLdhUDOJItHqj+(on4>JBm@4Hq$zxQ5seokA5D|-8wdyt{~%6=8@CtgMZpU)m- zd&=o|h?Bg#pDaL$1^QL+-8f;m-WN^;Pn7LS&Bgd!@72gmiK1!!@2rwD06jdp{;n>4 z=JvjB@&oKn2S#>^Y2QbC{mGsg(1Xy~GblH|n-96qeJzPkEC)UZS^=%YiuCjs=O}yg z9_K6pGOB1L?Yct3lp#VJ@$3;G1dgMeAJBtMnVbGl)SqpiNDsDro&|bbPk1mVs!wIA(}HXtyxo&=WsgdU-Wm2k`g~ID<Uh)u=Ymb`GJfBw3|SRehm6 zjX|f);ceMU8;Yy~$Ud<`sA#@M?rB}}I?_mt+&J5698MHvDw+%~49Ljk4?fjZ#I zN=91+Y&mLoSi9)~M_}<-yLBB>42P-q(RTJtNg?(cO*5_mBm}PxSizTbuC#p`!`QCz zoVe_{<6hz|bS;o9J#%4-KH`{pZj|rjr|qCC-FeuzKkEN$pTW@9uM!)AftBFTNOPLo z(?=v~#{W>JZZ3K(pV5H#2gLH4@TTQI5J79UdCa&vPVX^Nk6uO>X^rxXr0ayG>_;Wr zJm+(WyWJt0odZbdJWNxbkaeWJ6Kma;bKxUo5L=JzBX50e_e+Wtfkk+!v7=>u|&-(RlD z@Am^Q?DuC~_(FL0nI#-k%44;7$oLsZMg}W8e1xF;SIbtNOgD ztS6lsu7K-K2QQ&b!R@KgrhR-b!#cGG@|DHBs`AX)CzNMZaf-#!R%@yt7v*a4wvu{0 z32FbSRy&{P#w$VdeH^df4%{Mbv4(TSb>-QbtVNjybmBZdhy?qm?~Km~GspO~l^N-X zsTr-&e78T>@NwprE!h_h?9zTvZ2nnMitpR!JEa#3k2{tmq9tOw7I?4Ex#Ab{EPguV zwU8(1v1}_PN$Nx+2Z5h_RDFFayi~B%;-9&tTZm_g=Whl@h+U~;dtJ=j+VFDp zIV&x{yo^=bNV2R>@PxB6GTg=|JzIp_kxx{-)NoP8Sa>Azq8X>=ty%^wA%YLQ;=___ zkcV&YR}n4#j`wfrX?m_25JO+#efU7?$XEC7adkgC+}7xR*+B8%`bdok=6u8+ z%TfTJV!hO5c6{4HeyX-9>HTO8*;zOCnt!z}$}7z20cme%cgQ4l{0I{QjJM>(;;4_^WL~+P>u|{-9cfYtT0kd(^@7WIq6 z`FKzEQzL#t&3QHlIDBZg`)#gUu@WWU8u*HKv|SXMI-wh-B28LX_9%ie=qg za{qs94+XAgcdBZh_EY+JO>We?zN9kNxO>wPXBoRMTd$+c=)97=-P55BOS?JE6Gxe& zAA>XFxfzeZGuVgn=k_)IGJA~cy+3KM+DiSScz~)Et;vq+Nz?eqPxHj+dH>L{=BMH3 zT?qUAZuCu@k7r+f7=8Nx8kBxFKD`&atF8{;as|)F`Z#t?o*$kjpl&Z}jA!HOFGE|= z0isITH(_b<36+z>Cj54=oKvzxpX3ptBdGm_9I-} zd>;Qki}%vEcp${YR3g<0F$Y!lyMY1QN5|B_L)3;%Q@mT&@(gPmje|#W3Ul*r2WY`a zU5S&A?>zaOSKp zHd&`7VZre&ZKa)MC{Kl%gNo~wWAk}B#GK%Oh{bWaPDt4sW|})8WhW$q9rKJTA9(Dg zy5=|s6@75B2!cb|5TYlZ8OmulV58P>^26mfi#tta^C>#evojX)Gf<{Sf!90-m$5C` z$SyDQGnhMx>ZYxMBes)@AKBA^_JJ4cIMTS9wvC3xGOVtmUsi?^J74CAB<;t`QEGj? zoKhKKz=f~RX2SZOQJ>39_jVl_#Vq%)6UC@=0M2%dc5#qrWgws+5-N>8){$=??m|0? zR`g8dk=8^p?$7N>@$Mnq_%gB(pAIl1dB9IRGuDqOk!vD?J`H3|&j-G+3aL+(rA5-S z_r1&-qD}Oq2kCWs7Ny0>+F6Us1~RHUG|CQ+If%-L5h%(o3tPmrT~uTAbn5qFCi@zG zHWu>>HfoQm<@1?)_L}Ult>GMOI&XpuqwP?yXK-ipzkf5AiKw%s=BMP`t1&tnm>uhL z&?qmO&)I+;(*2n&=CgWBWL1?{Ve~2gYpnnH#+4rSSJ0D?vr6}T5VQ2FH)~hBoPTz- zgD$25)z|V#L`u@+s!%G$1T4On1j5T?C zLZh0CkLyF#GqyT%*}E$5pUc~ygqMX)DCaA6#1apm8vMYt^0u1J1n18F+_NQqmrs^H zg(}vjO}~RxnN{t@@J#D7pw2zjnhn3_bYS3o{A;TRK+0|rYUktpzfLDn_P>qF)YVOO zr1do5I&ug;i-$gS&Z#1veK^=re7!!5KCv_X82lMVqytC$5S6_Ka`mpFWw7#j&W^C? zj5W~Qh-=t0RCWyDfok8^X9H{*Yxg>a!64rI`rdS%g(O&5kK*RUcydOW8^QYpd;Ls$ z>%)wn-*_R`LXP0>;2B+xPxT%IWPxkOb%PfVpHykxkg$Ffci1DE_I##28vA_d|6dIH zsdAd$-;^wh19t;%{KPeP_9bDtl3i;Fq~%(8&e`dpQ?_yk+_gb!6j7GFp5F&=p=GEL z-gxG<>h}UO%QgaPoAIL62DKR5w7s)pg}NgFLCj#4*#8;ZC$J+SZ!9?7Z6x-mbN`^@Sia*Q3M8 zdh#4*&5^p0kxN;tdvhL6#%g_U0M5n=AgN_n6qR8jC)SxAe`TECYF;#ai#M;Q^iulk zXGPc;yi1?CLhMGQMFsNB=9f1k`<_?6wQ`>pYvMU*$Mfyhc3e$)oFxV5R_bHI98qEd zxzjm9=uc#CO5gi#e6Mn6-CT}gt{R?}7HddWoC=6~73L_uCfh|_mGP!KI_`x9z&Ek1 z$`>IEg;a6wCKT;;ajnN~|H`pVIIdk(-m$RDD6?;Io4j)<6Z3O3D3r?-jZ~ zUbRh5F+j)Shf9ZNEm7ahVGX_~z91h;#q`WzqlozbHuTL=Z*QMBA=$*|M{k#PLhN^c zHde#6;yu$`*}9M7w`KqJ*=6p4DgC1T0gETOD@M7u&tsP9Js?y3V{O~!vz99oZGOiw z3pUSnr=?k^_MI%xKE3Z``Q8?CMVUIGV=d&C5l-cT^N>+;?biqX{`Z(=s{JfU*3t4u zwQMeDiMYP>yUeS8ExnOE38{v&uCd_{GHQBxX&*`rF6yF9O5c}G`x2gcO;lQeXWxO= zhsBs0chJl8DPhDbN?*x#Q5v;}uM!iU$FF4tt(=3}+fNf3-1kmr7-|izC$F4LKU?`k zL{(ehlGNE_U&_$7uYI2EJsCz77sV*-V*Gr8+t<(Z%k5!nC2Gp|#Xpxf@^B_nus>_e z_;W1_%XuI9@OVb-wn@JgO`@C$I~CZ;+W(EpHS&VzOXi2TlF^7ah@VH^d_J!N|%fYl?N3SEc%}J-zqidpxI$hbwhH zPFaICTJfnA<=Sd&n-+r2SzF)%cRHaej~JEqBLoKfjWt?ytf=uXsro`DpuGc-H*1Zu9s=xOnN{h@LIY1U)maf^2ZzoD{KN z`*hrsdKLMf%Ms46+j57;xx~rrYHZiB9~2`;3+Bm4tji7dHN0UtslMo=&XU$-yh`(+ zdnR@5G~Jixc4vZYS546zb)I%`3K~lK3F#0OlZVC>HHS-2J`J_Tvp-w9_2w(FIHs9@ zO?+Cj`n6A`-c0g{$u^;tz%`UZztC-Z5;Gjl<2b&Zc1EeR%$B@13uTL)95rRXe+*3~ z%Y>yS8zWuZ%8m3anqsX@MuR%@P*xwu_I4X%>J;~>{yk=;(~8_zu4ybK^IcSZub|F^ zV`I06mdjeBv@(v8`zL2+j~q4vj$}kX(W0*x5qht=y! zvmaB&4B!}w=u}1T?VIm7Z_jzG&%?5};U}GxJ=f5Q&zzAprjp?+pZ>Q**Cju|k{~@f zJ?Av{TDMsHpp&OhKX_J|td9z*Ihl+We$H|(3b{u=@_&8yiurwc4DqY9Y@UU(oRj)B zpJm=_U;DNN&YV6K#V7Ai@0Lyr@;v>HoORCMFt;7mGMA%Ug6*S~mMH!2r37E`k;>L(7zlgqJ)D2Zwv;a`kgJUiH~#16K-i1YP?zpUVp^^@J;zPp1LZY#{r zAXPS1?V^GNm8o9#V5*;k$jTVW=jsYBo?WKCm`mY(KCWuu#ADRSwg>*HqWnA&nUjWj z+PW%a!fg+ZZ9u4g0LAj#z+pei*Dv`r2}SAD19YlU8Pj?!Y(91!3B$J&_EqQWK?5af zzX16rD>}x2R_<;L(-1$0ZV!4X;2G`z)0vN)I1aozgL*s6L`KOc54PT*xQ8?O#Cwd# zY8g#C3(g14lpVJ3MOLKbQg*_MYkZmwl!EJ=eP9I6Y7!rEmJ=K#P8gqhGsWZhNZ`QT zd&0+<=Zz=txj1_O9dfAL5?-%Q@g^6BHpI$nPY3HnKEWK`lf_BYX!#Y%g)-pJm~x)W{M5>?L!vUz2bBh}w6zvUF&^=~b}sc!0tc=# zJL@OHf`9HupFqpC&zhv~32UMFNHrfQTJi&9Pd_gex&oE71bN@j;(Fy9YYYG%8Vin2 zj)VVF?|c=%lD!tDwu6o4)UvN)4&C|3foHvMTM)n9v1`DjwY?Ctei?I;N4Xun_1Jx% zONfm7lvl8p&xn2$GfEP!57?m>=ybq}%$$z#q#4jioYHbSV7{^WxA;UIz`5u?UvaAB z*%QBwX;c9_%%?34AdJ)oSFuq)T?Rw46gO;=#d~jH9T$4-L|d4N#}M zD8v6c4FsQoEIm6_&GYyj=nCt1?1f`k;vuNz{qWkqHd;;Bh zGu~;9whdX2=u^!2PdFs`j0g9nEY|m@qxVm5c!n60*LWK1hMO8Tu&W2&+&XKcvlq_V8bGQKHT$GjQV=? zQ}WkF_x%XPvIKUXZsj^d6V84z)E~@!m*boJLD^}XITBfarSCX8w!x)gJUZUXyV;M| z;@EKc)j0QOzxw-{6aA|&DX*5Ao47{LSQIXyxTTzk-{&sl$?D|fPX}Eg4ti_E9m}-9 z`+;iv!I7!K(OASg=rYxq@E`NMY^qLzJI^BKyR1yz8t&__dmbycsP6`kt1g+6o;sg1 zux;UL>s>x&8vms|1>E|9zLC;H$vw<{s129*IJq0wK8T_&!wO!pD&DD$XK*E~hHRYv zx5qiQU#aouVd?u)vQ_r4uw;&2TkWPjaEf%K#qa^p5Bs5adZ%D-V>F;&f(s7;U0mZB z9c^Cc2Y98TXz? zGz62fO{sn9Jy>(ry+^WUX+PK8N^cGLkiOMtGHE>`TpZs+$#u}hf}B}nV@1~5m(Su#?+ZCe`%+WH^lD#gE422W z)>f^(&-k&$T`wQ&?A~~F55m5(A5VMq^bF_S&EMm1*>bm|)qMC~jH$}`gUFw{4+*}* z!-Oxr3j_`Qc%xH%l|gd^h6XLYf;=%29tF$lf5;~pB<9xQj-BFt`dF6xzmB5yg}9!Jn7c>#mXXZKte# z>k+s6_)Up2%b4dlWSp=Qb(ud8CkE~gK5C0+)%nJeL5X+m>T^_bC)Ul5f-fiZvmhe2 zHigI_LWQ#GL&exsdlY`xz1Xo&e(*v3mGvGlMb3_F8dU~Aw=i*<^u;6TYYf3uMu5A6 zEVNvJ&V4ZCD!f|doWC1p&R!>w@OmC5V8ktdoj@Ep5p#gQ=`lDbtpx zgOUw?FLV+*^wY?nFU<=kOgGEb*xD)k$Vnl3?g`J>;I6W&IbG9aKO$FhzUUG>;KA@1 zA7osiv^0S@WeE>w4zj3N9b}4(N`G!!>9!t2beh>NM>uHc^RXIbB%Kvo7hiC%?^tu5 zKlv77<+28CFT#2N-u+-$;p5O+WnJ<8z#6z>4du+7x0Jh9*)701hwzInkIuYMwuI72dwt-MtYN#v?um7O~HjWjm|FV=(+YB-t?2}cU zfHBZ>b1+el#h-Ov9>^?L=%6$4+_&GytGZVhKeOVjyo5q|7XJTV16Bl;vdUVOYVvdN zq~3AXOJ^-mVIpeMsq&n|;FEKW70U(nYpk+37hLfKf~2Ws6Nsp-upeQH`yCYt#m|eL`5r^;hE8V4F0WXKj32_=ZUqMtx zV>&CGI-Ks<8=jX!_3Y+zmj{x8^PAC zgA7d9+2*N}9s2&MXO?`wAJ~>3gXEkKY@##h4S_f7Ol<4DNRF}#gL)aUG&_SVkM3E) z6M!34rG&%#s})qG=hl<iH@ zzHjOkyJa1}d{#_5O5!)yXZ_Gy=UQFsc}@+Q^nTcVS9kjTo9;(Y4xp5eF}_NwD3>pP zX89Q_hRUz_M(m7&v!n$rHO2vRIbM{!m0hIrA`*vlF%I70(IHG}FZCdr2}sHKmA#SE zv4wj+B}4tV=f&_)`#Q+@@@wi*f78DH95}_df-{$8&38Y0UY4em4mdh5m-;oSUh*L0 zqxD+-DlWnT&e`FU#DAZX_CJhqza97Fu4ETJq0UOoftFWB#W_K+ zT1&l8avDQ2g~Kt=8W%ODo?os|z87{$`+c=1jt)6JnKggM+UTqdcHi+mRTy@`&)Xh( zZpY0D=KO*$dqw4O04Y(La?M1f=}X?3&?JILF}JKSepYr+X%uXIb}eip<}SOmt_B9U z4vqTJ0XEo2zm2=_Vx8OIs&ed_&gOhU1Rv#k6`ztP%h9HL5`d-b5y<}Qoq$hIuVciF zES*=FgUFW1eQM*rG@mk;BiFt$o~HUOU0HiH_*CTbz`A}@k9@*62a~O|z4fn$PRLSs zFwS(QVLPH%d-4n2ZAAA(EsOSkF`@Fz7e0eZ~D}F zcw=t%D@8npETH-4I<@IgB5Tt=%TOJ>_TtnV<$P~;+mmyg&$^n!J`AjV9FWl6sn`z; zaRRY0Q**n!UwLx+*Ow>k{LhSZffUVzj0<2F%JB zqP;!{dQjQ^B)&r$FCYFo6(u=_t|eVj7Gsb5InM{>|9$0AZ=6^r^{z21k~E_JYgrcyCS9W?Q6deu>#S`2uqpJ6SOA zle33K9@L%!GToE!^ibz)Uu{?MjFC!CoFX2?TFJ(!nmR49@*>DG$qI92+D698{h7-( zx3a>e9;h~oFin*oygiwFvc6zl{|Fg6G$2-dK1ymi-`&k%os(OpY_ac~k|6)C2;)MG zgomIWx1?rrq4hO(Mjkp4aGJRHiP$R}dq;Rwe~xRhQt|@(d|Jbl-RYc)_sN01xEv$M zNAXz54K+pC7ixpdBtIG(c|QIw#4EZ&9WD5PQ&z_?Si`{Oo{wzt8b7MnpW0tTS(Tl~ ziQ($iZsl{VyI-;)pB`LM-&~t(YPD^d+orn+38lLWsRwIh0pJe4Svv<*1m|@HdfnP; zzq75bEI}~N!5HU$HBa>RVZj^8E9>ChAF92q)zYQiDvrQ2>piX=JqtFyhqQRs1Qn;GgeqrnA^K?l6uxp|eI94hQ`^utZLVP(FsSaxuh>tdoS2ebGu9i< z%c!G|YVYGgBRq<16}gDoIuZ}k*EfCco_V6wpYmu^LpnN3O*Ni{SWb8({#F;D?6B=w zMuo~FEom-tgm{$d1i`*2cIP|v4Z2?6usfgm{}$hjpZ($$`V}a1$6t%r4=Zc%R?rr# zem*><;HQZg*dzN@I|+z|iA{EgRgjTT{ucO`q4Zcah3Pmvnyzap#R%>|USk95`@#FA zSQR!?cFO!%Vrsnm(5vz5k~O!6vJD36B}#c!+5-vI9QhN0s-wctu6gE!VFd%FEP?}P z1?#;tFLb0D8`A0_H~{~L*Q``v|CMtswTYo|~P600IgeF+azpBcb z1}DiS;I7Vg(U%N%@lDh2tF$3qF|-)QTdEc)V@6DBHdp|Hj-T2t>G$sMP)-UBG9l!t!wJ^{~jDkSyi;UC?MN5hZDSR=Jl{{6MkwV#H4y%-kj zQgq&4jPB+SH~; zYj3VpmbRTM+GwJrIcxSFhNE}KnA)X&Xa9tCpdjjLWGc*@Oo~r}j&v0&HT2y9E-b(N z$=idseS8>Q$2)h>Gw;3~BA6e;jxv)n`HpE6-<1_FP9af##dcGf8M0i|u8t2~sblQF zB`y-9Q{5G&MEkm4CYJo}rQhYB(7TBTLez|Z(DtO4T|1_I&BeMeqX@iH*=#%;kmleuCEZEyA3{8DsYM*7jGrg82&2nnM8@&)<^{a^S&IC@|%72b;&k)Je z6Aj!8?3|;sH)Vv9=M1;m%4MmjGwNjDr4=NB@C-2kUN5?YdMYP<$U2ebFZ&fs4s%@r z`P6A})F`Ive9Lf_l|VEYP__K3YQ8kzhcR!z4?rA^ofz+OvVVb&A-jt$&C|7)p){Sz zNnZ&Fp&^vV?^ETJPu|@`oQY&93MQ^n{DK6JHIZ|dSUIg8-Gq&2KjSiNbXLz0l0w7hxs(l4aj?hov*u$Sd4;Yu<{p={amvAu9qXHW@3HRa z=II^*OJwOybC2@6B{j+lIUbJuay|Qcxvp@u7|5KFP-Xqt*z~Tc(%)E$kUZ|G1@B0i zo#XjDqUD(O%RaNA%X&0=nXEM&++JmfY13})stDzQRIiK$GI)lMb!P_+@AJJ%t6!of#dkN*BM{KEtw)_o$^U6 zRl9-nU;DSrN9GoPZeMK&;ClICvH(w0#~Ax|rJvL1loqaOZ)n~9zxFA$81?6A&EhM} z6Fm)3_bFwi1&csba+D6F`Q7bH8NpxsRG`-THmt0dyVy~v!z(5OQFNk&$t@z#aq4J8BVyN$8ViAGJNa%SbfLQ zz2-6+A-m>EAZsbl%Sb=h`^TKmBmcbKb2g;p@156Hj}9JOTNzQDlQ9NS%+Ci^L;LS- p*57B5WDlrwVn>H^$uHj@GA>7>s(g)g_bglADV}P-*JtzK{{#Igai0JH literal 0 HcmV?d00001 diff --git a/tests/audit2_tests.rs b/tests/audit2_tests.rs index 4262bfa..2696573 100644 --- a/tests/audit2_tests.rs +++ b/tests/audit2_tests.rs @@ -414,6 +414,7 @@ mod forest_cache_dirty_protection { content_hash: None, user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); @@ -446,6 +447,7 @@ mod forest_cache_dirty_protection { content_hash: None, user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); } @@ -487,6 +489,7 @@ mod forest_cache_dirty_protection { content_hash: None, user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }; forest.upsert_file(entry); assert_eq!(forest.file_count(), 1); @@ -800,6 +803,7 @@ mod forest_format_compat { content_hash: None, user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }); let encrypted = EncryptedForest::encrypt(&forest, &dek).unwrap(); @@ -831,6 +835,7 @@ mod forest_format_compat { content_hash: None, user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }); } @@ -1164,6 +1169,7 @@ mod realistic_environment { content_hash: None, user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }); // 3. Save (encrypt + serialize) — this is what "flush" does @@ -1187,6 +1193,7 @@ mod realistic_environment { content_hash: None, user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }); assert_eq!(loaded.file_count(), 2); diff --git a/tests/common/v1_seed.rs b/tests/common/v1_seed.rs index 7d71597..4404b32 100644 --- a/tests/common/v1_seed.rs +++ b/tests/common/v1_seed.rs @@ -149,6 +149,7 @@ pub fn build_v1_private_forest(files: &[SeedFile], dirs: &[SeedDir]) -> PrivateF user_metadata: f.user_metadata.clone(), encrypted: f.encrypted, min_version: 0, + storage_cid: None, }; forest.files.insert(f.path.clone(), entry); } diff --git a/tests/migration_tests.rs b/tests/migration_tests.rs index aa94838..7307516 100644 --- a/tests/migration_tests.rs +++ b/tests/migration_tests.rs @@ -244,6 +244,7 @@ async fn test_v1_to_v7_preserves_subtree_deks() { user_metadata: HashMap::new(), encrypted: false, min_version: 0, + storage_cid: None, }, ); From 5c82c28f8bbd3b04f2df1cb591d6cc2f104641cc Mon Sep 17 00:00:00 2001 From: ehsan shariati Date: Sat, 9 May 2026 17:00:51 -0400 Subject: [PATCH 2/6] Enable walkable-v8 default, add tests & counters Flip walkable-v8 writer default on and add supporting changes: forward storage CID hints in EncryptedClient reads to trigger gateway-race cold-fetches; add end-to-end walkable-v8 fresh-bucket upload + walk tests (upload, online warm-cache, cold-cache offline phases); expose and implement CountingBlobBackend and CountSnapshot (cfg-gated) to instrument PUT/GET/get_with_cid_hint RPC counts and validate v7/v8 parity; update fula-flutter types/docs and changelog to reflect the default-on change; adjust registry resolver gateway ordering comment; add PowerShell helper scripts for walkable-v8 testing. These changes enable the cold-start resolver path, provide test coverage for rollout behavior, and add tooling to assert RPC parity between v7 and v8 writers. --- crates/fula-client/src/encryption.rs | 32 +- crates/fula-client/src/registry_resolver.rs | 12 + crates/fula-client/tests/offline_e2e.rs | 599 ++++++++++++++++++ crates/fula-crypto/src/sharded_hamt_forest.rs | 229 +++++++ crates/fula-crypto/src/wnfs_hamt/mod.rs | 6 + crates/fula-crypto/src/wnfs_hamt/v7_store.rs | 133 ++++ crates/fula-flutter/src/api/types.rs | 14 +- docs/flutter-integration.md | 5 +- packages/fula_client/CHANGELOG.md | 14 +- scripts/walkable-v8-fresh-bucket-upload.ps1 | 53 ++ scripts/walkable-v8-fresh-bucket-walk.ps1 | 92 +++ 11 files changed, 1175 insertions(+), 14 deletions(-) create mode 100644 scripts/walkable-v8-fresh-bucket-upload.ps1 create mode 100644 scripts/walkable-v8-fresh-bucket-walk.ps1 diff --git a/crates/fula-client/src/encryption.rs b/crates/fula-client/src/encryption.rs index 2e48c48..6666b01 100644 --- a/crates/fula-client/src/encryption.rs +++ b/crates/fula-client/src/encryption.rs @@ -1262,11 +1262,33 @@ impl EncryptedClient { // path carries the same ciphertext bytes but an empty // `metadata` map — the lookup helpers below pick up the // metadata from the forest entry instead. - let result = self - .inner - .get_object_with_offline_fallback(bucket, storage_key) - .await? - .inner; + // + // Walkable-v8 (#90, 2026-05-09): when the forest entry carries a + // `storage_cid` (single-block encrypted uploads stamp this at + // `put_object_encrypted_with_type` after master's PUT-response + // self-verify), forward the CID through the `_known_cid` + // variant. That activates the cold-cache gateway-race path: + // even when both master is unreachable AND the warm block cache + // is empty (= cold-start scenario), the gateway race fetches + // the encrypted body by CID and content-verifies before handing + // it to the AEAD decrypt step below. Without this branch, + // single-block-encrypted cold-cache reads would fall through to + // the no-hint fallback, which only checks the warm cache by + // storage_key and then errors — exactly the failure mode the + // walkable-v8 fresh-bucket cold-walk test surfaced. + let cid_hint = forest_entry.as_ref().and_then(|e| e.storage_cid.as_ref()); + let result = match cid_hint { + Some(cid) => self + .inner + .get_object_with_offline_fallback_known_cid(bucket, storage_key, cid) + .await? + .inner, + None => self + .inner + .get_object_with_offline_fallback(bucket, storage_key) + .await? + .inner, + }; // Helper: fetch a metadata key, preferring HTTP headers, falling // back to the (AEAD-protected) forest entry's user_metadata. diff --git a/crates/fula-client/src/registry_resolver.rs b/crates/fula-client/src/registry_resolver.rs index 8864d5e..ec307af 100644 --- a/crates/fula-client/src/registry_resolver.rs +++ b/crates/fula-client/src/registry_resolver.rs @@ -264,8 +264,20 @@ pub use crate::user_key::derive_user_key_from_email; /// Default IPNS-aware gateway list. Excludes /// `trustless-gateway.link` (only serves `/ipfs/`, not `/ipns/`). +/// +/// Order is the SDK's per-tick race priority — the resolver tries +/// gateways in order and takes the first content-verified body whose +/// in-payload `sequence` is at least the locally-observed high-water +/// mark. `dget.top` (subdomain-style) is the load-bearing first slot +/// because operator measurement on production (2026-05-09) showed it +/// picks up freshly-published IPNS records the fastest among public +/// IPNS-aware gateways — getting cold-start latency below the next +/// tier's typical first-hit time. Cloudflare and dweb.link follow as +/// the established large-fleet fallbacks; the remaining three are +/// kept for fan-out coverage. pub fn default_ipns_gateway_urls() -> Vec { vec![ + "https://{name}.ipns.dget.top/".into(), "https://cloudflare-ipfs.com/ipns/{name}".into(), "https://dweb.link/ipns/{name}".into(), "https://ipfs.io/ipns/{name}".into(), diff --git a/crates/fula-client/tests/offline_e2e.rs b/crates/fula-client/tests/offline_e2e.rs index 71acfbe..51b6cc4 100644 --- a/crates/fula-client/tests/offline_e2e.rs +++ b/crates/fula-client/tests/offline_e2e.rs @@ -362,6 +362,605 @@ async fn offline_upload_download_e2e() { run_offline_upload_download_e2e(256, "single-legacy-alias").await; } +/// Deterministic file-set used by both the upload-only and walk-only +/// walkable-v8 fresh-bucket tests below. Same content from both sides +/// so the walk phase can recompute the expected payload bytes without +/// having to persist them across test invocations. Mirrors the FxFiles +/// content-shape mix: +/// * 3 small text files (single-block encrypted path) +/// * 1 medium binary file (single-block, larger payload) +/// * 1 chunked binary file > 768 KiB (chunked encrypted path — +/// `put_object_chunked_internal`, what FxFiles uses for photos / +/// videos / PDFs) +fn walkable_v8_fresh_bucket_test_files() -> Vec<(String, Vec)> { + vec![ + ( + "/text/hello.txt".to_string(), + b"Hello, walkable-v8! This is the simplest text file.".to_vec(), + ), + ( + "/text/lorem.txt".to_string(), + b"Lorem ipsum dolor sit amet, consectetur adipiscing elit, \ + sed do eiusmod tempor incididunt ut labore et dolore magna \ + aliqua. Ut enim ad minim veniam, quis nostrud exercitation." + .to_vec(), + ), + ( + "/text/numbers.txt".to_string(), + (0..50) + .map(|i| format!("line {}\n", i)) + .collect::() + .into_bytes(), + ), + ( + "/binary/medium.bin".to_string(), + (0..10_000usize).map(|i| (i % 256) as u8).collect(), + ), + ( + "/binary/chunked.bin".to_string(), + (0..1_500_000usize).map(|i| ((i * 7) % 256) as u8).collect(), + ), + ] +} + +/// Walkable-v8 fresh-bucket UPLOAD test (#20 / #89 follow-up, part 1 of 2). +/// +/// Uploads the deterministic walkable-v8 file set to a fresh bucket on +/// the live master. Prints copy-paste-ready env vars (bucket name + +/// secret) for the matching walk test to consume. +/// +/// **Pair with** `fxfiles_walkable_v8_fresh_bucket_walk`. Recommended +/// flow: +/// +/// ```text +/// 1. Run this upload test. +/// 2. Copy the FULA_TEST_BUCKET + FULA_TEST_SECRET it prints. +/// 3. Wait at least 5 min (default publisher tick cadence) before +/// running the walk test in cold-offline mode. For warm-offline +/// only, no wait is needed. +/// 4. Run the walk test. +/// ``` +/// +/// **Why this is split**: the publisher's bucketsIndex CBOR tick is +/// what surfaces a newly-created bucket to the cold-start resolver. +/// Until the next tick fires, the cold-offline phase of the walk test +/// will fail with `BucketNotFound`. Having upload and walk as separate +/// tests lets the operator wait the right amount of time between them +/// without holding a single test process open. +/// +/// **Required env**: `FULA_JWT`, `FULA_S3`. +/// **Optional env**: `FULA_TIMEOUT_SECS` (default 60), `FULA_TEST_BUCKET` +/// (override generated bucket name), `FULA_TEST_SECRET` (override +/// generated random secret — must be base64). +#[tokio::test] +#[ignore] +async fn fxfiles_walkable_v8_fresh_bucket_upload() { + let jwt = match read_required_env("FULA_JWT") { + Some(v) => v, + None => return, + }; + let s3_url = match read_required_env("FULA_S3") { + Some(v) => v, + None => return, + }; + let timeout_secs: u64 = std::env::var("FULA_TIMEOUT_SECS") + .ok() + .and_then(|s| s.parse().ok()) + .unwrap_or(60); + + // Allow operator override; otherwise generate. + let bucket = std::env::var("FULA_TEST_BUCKET") + .ok() + .filter(|s| !s.is_empty()) + .unwrap_or_else(|| { + let timestamp = std::time::SystemTime::now() + .duration_since(std::time::UNIX_EPOCH) + .unwrap() + .as_secs(); + format!("walkable-v8-test-{}", timestamp) + }); + + let (secret, secret_b64) = if let Some(b64) = std::env::var("FULA_TEST_SECRET") + .ok() + .filter(|s| !s.is_empty()) + { + use base64::Engine as _; + let trimmed = b64.trim().to_string(); + let key_bytes = base64::engine::general_purpose::STANDARD + .decode(&trimmed) + .or_else(|_| base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(&trimmed)) + .or_else(|_| base64::engine::general_purpose::URL_SAFE.decode(&trimmed)) + .expect("FULA_TEST_SECRET must be base64"); + let secret = SecretKey::from_bytes(&key_bytes).expect("32-byte secret"); + (secret, trimmed) + } else { + use base64::Engine as _; + let secret = SecretKey::generate(); + let b64 = base64::engine::general_purpose::STANDARD.encode(secret.as_bytes()); + (secret, b64) + }; + + eprintln!("\n[walkable-v8-upload] master = {}", s3_url); + eprintln!("[walkable-v8-upload] bucket = {}", bucket); + eprintln!("[walkable-v8-upload] timeout = {}s", timeout_secs); + + let cache_dir = TempDir::new().expect("tempdir for upload-side block cache"); + let cache_path = cache_dir.path().join("blocks.redb"); + let files = walkable_v8_fresh_bucket_test_files(); + + eprintln!( + "\n[walkable-v8-upload] uploading {} files (3 small text + 1 medium + 1 chunked >768KB)", + files.len() + ); + { + let client = build_client( + &s3_url, + &jwt, + &cache_path, + secret, + true, + timeout_secs, + ); + + // Ensure the bucket exists. PUT /{bucket} is idempotent at the + // user-scoped level: a second create against the same name + // either returns success or a benign "already exists" error. + // We tolerate any error here and let put_object_flat surface + // anything truly broken with a clearer per-file error message. + match client.create_bucket(&bucket).await { + Ok(_) => eprintln!( + "[walkable-v8-upload] bucket {:?} ready (created or pre-existing)", + bucket + ), + Err(e) => eprintln!( + "[walkable-v8-upload] create_bucket({:?}) returned: {:?} \ + — proceeding; may be already-exists. If the next put_object_flat \ + surfaces NoSuchBucket, this was a real bucket-create failure \ + (auth, permissions, or master-side state).", + bucket, e + ), + } + + for (key, payload) in &files { + let path_class = if payload.len() > 768 * 1024 { + "chunked" + } else { + "single-block" + }; + client + .put_object_flat( + &bucket, + key, + payload.clone(), + Some("application/octet-stream"), + ) + .await + .unwrap_or_else(|e| { + panic!( + "upload failed for {} ({} bytes, {} path): {:?}", + key, + payload.len(), + path_class, + e + ) + }); + eprintln!( + "[walkable-v8-upload] uploaded {:?} ({} bytes, {} path)", + key, + payload.len(), + path_class + ); + } + } + + eprintln!( + "\n[walkable-v8-upload] DONE — copy these env vars to run the walk test:\n\ + \n\ + PowerShell:\n\ + \n\ + $env:FULA_TEST_BUCKET = \"{}\"\n\ + $env:FULA_TEST_SECRET = \"{}\"\n\ + \n\ + Bash:\n\ + \n\ + export FULA_TEST_BUCKET=\"{}\"\n\ + export FULA_TEST_SECRET=\"{}\"\n\ + \n\ + Then: wait 5+ min for publisher tick if you intend to run cold-walk \ + (warm-walk has no wait requirement), and invoke:\n\ + \n\ + cargo test -p fula-client --test offline_e2e --release \\\n\ + -- --ignored fxfiles_walkable_v8_fresh_bucket_walk --nocapture\n", + bucket, secret_b64, bucket, secret_b64, + ); +} + +/// Walkable-v8 fresh-bucket WALK test (#20 / #89 follow-up, part 2 of 2). +/// +/// Reads the bucket name + secret produced by +/// `fxfiles_walkable_v8_fresh_bucket_upload`, then exercises: +/// * **Phase B** — online: list + per-file download + byte equality +/// vs the deterministic test payload (always runs; populates warm +/// cache). +/// * **Phase C — warm-cache offline** — if `FULA_WALK_MODE=warm` or +/// `FULA_WALK_MODE=both`. Uses the cache populated in B. +/// * **Phase D — cold-cache offline** — if `FULA_WALK_MODE=cold` or +/// `FULA_WALK_MODE=both` AND all 5 cold-start env vars are set. +/// Drops the cache before this phase, so every fetch must go via +/// cold-start resolver + gateway race + W.9.4 cid-hint dispatch. +/// +/// **Default `FULA_WALK_MODE` = `warm`** (does not require publisher +/// tick; safe to run immediately after upload). Use `cold` or `both` +/// after waiting 5+ min for the publisher to tick. +/// +/// All operations go through `put_object_flat` / `get_object_flat` — +/// the FxFiles-encrypted file-management path +/// (`fula-flutter::api::forest`). The size-based auto-routing inside +/// these calls selects single-block vs chunked based on the 768 KiB +/// `CHUNKED_THRESHOLD`. The shared deterministic file set (defined by +/// `walkable_v8_fresh_bucket_test_files`) covers both paths plus simple +/// text content — matching what FxFiles actually persists. +/// +/// **Required env**: `FULA_JWT`, `FULA_S3`, `FULA_TEST_BUCKET`, +/// `FULA_TEST_SECRET` (the latter two are produced by the upload test — +/// see its docstring for the copy-paste env var block it prints). +/// **Optional env**: `FULA_TIMEOUT_SECS` (default 60), `FULA_WALK_MODE` +/// (default `warm`; valid: `warm`, `cold`, `both`). +/// +/// **For Phase D (cold-cache)**, additionally set: +/// * `FULA_BLOCK_GATEWAY_URLS` (typically `https:///gateway/{cid}`) +/// * `FULA_USERS_INDEX_CHAIN_RPC_URL` +/// * `FULA_USERS_INDEX_ANCHOR_ADDRESS` +/// * `FULA_USERS_INDEX_IPNS_NAME` +/// * `FULA_USERS_INDEX_USER_KEY` +/// Optional: `FULA_USERS_INDEX_IPNS_GATEWAY_URLS` (comma-separated). +/// +/// **Cleanup**: this test does NOT create or delete buckets — it +/// operates on the bucket the upload test produced. Operator periodic +/// cleanup is recommended for `walkable-v8-test-*` buckets. +#[tokio::test] +#[ignore] +async fn fxfiles_walkable_v8_fresh_bucket_walk() { + let jwt = match read_required_env("FULA_JWT") { + Some(v) => v, + None => return, + }; + let s3_url = match read_required_env("FULA_S3") { + Some(v) => v, + None => return, + }; + let bucket = match read_required_env("FULA_TEST_BUCKET") { + Some(v) => v, + None => return, + }; + let secret_b64 = match read_required_env("FULA_TEST_SECRET") { + Some(v) => v, + None => return, + }; + let timeout_secs: u64 = std::env::var("FULA_TIMEOUT_SECS") + .ok() + .and_then(|s| s.parse().ok()) + .unwrap_or(60); + + let walk_mode = std::env::var("FULA_WALK_MODE") + .ok() + .filter(|s| !s.is_empty()) + .unwrap_or_else(|| "warm".to_string()) + .to_lowercase(); + let do_warm = walk_mode == "warm" || walk_mode == "both"; + let do_cold = walk_mode == "cold" || walk_mode == "both"; + if !do_warm && !do_cold { + panic!( + "FULA_WALK_MODE must be one of: warm, cold, both. Got: {:?}", + walk_mode + ); + } + + use base64::Engine as _; + let trimmed = secret_b64.trim(); + let key_bytes = base64::engine::general_purpose::STANDARD + .decode(trimmed) + .or_else(|_| base64::engine::general_purpose::URL_SAFE_NO_PAD.decode(trimmed)) + .or_else(|_| base64::engine::general_purpose::URL_SAFE.decode(trimmed)) + .expect("FULA_TEST_SECRET must be base64"); + let secret = SecretKey::from_bytes(&key_bytes).expect("32-byte secret"); + + eprintln!("\n[walkable-v8-walk] master = {}", s3_url); + eprintln!("[walkable-v8-walk] bucket = {}", bucket); + eprintln!("[walkable-v8-walk] mode = {} (warm={}, cold={})", walk_mode, do_warm, do_cold); + eprintln!("[walkable-v8-walk] timeout = {}s", timeout_secs); + + let files = walkable_v8_fresh_bucket_test_files(); + let expected_keys: std::collections::BTreeSet = + files.iter().map(|(k, _)| k.clone()).collect(); + + let cache_dir = TempDir::new().expect("tempdir for warm block cache"); + let cache_path = cache_dir.path().join("blocks.redb"); + + // ─── Phase B: online list + download — populate cache + capture baseline ── + eprintln!("\n[walkable-v8-walk] phase B: online list + download (baseline + cache warmup)"); + { + let client = build_client( + &s3_url, + &jwt, + &cache_path, + secret.clone(), + true, + timeout_secs, + ); + + let listed = client + .list_files_from_forest(&bucket) + .await + .expect("phase B: online list must succeed"); + let online_keys: std::collections::BTreeSet = + listed.iter().map(|m| m.original_key.clone()).collect(); + eprintln!( + "[walkable-v8-walk] online list: {} files", + listed.len() + ); + assert_eq!( + online_keys, expected_keys, + "online list keys must equal what the upload test wrote \ + ({} expected, got {}).\n\ + \n\ + If got = 0: master has zero files for FULA_TEST_BUCKET \ + ({}). Most likely cause: FULA_TEST_BUCKET doesn't match \ + what the upload test created. Verify:\n\ + (a) you ran scripts/walkable-v8-fresh-bucket-upload.ps1 \ + first, AND\n\ + (b) FULA_TEST_BUCKET is the EXACT name from that script's \ + trailing 'copy these env vars' block (timestamp will \ + match roughly when upload ran), AND\n\ + (c) FULA_TEST_SECRET also matches that block — a wrong \ + secret would surface as bucket_lookup_h mismatch and \ + master returns the empty forest for an unknown lookup_h.\n\ + \n\ + If 0 < got < {}: real walk regression — some HAMT entries \ + are missing.", + expected_keys.len(), + online_keys.len(), + bucket, + expected_keys.len(), + ); + + for (key, payload) in &files { + let dl = client + .get_object_flat(&bucket, key) + .await + .unwrap_or_else(|e| { + panic!("phase B online download failed for {}: {:?}", key, e) + }); + assert_eq!( + dl.as_ref(), + payload.as_slice(), + "phase B online download bytes mismatch for {} \ + ({} expected, {} got). The decrypted plaintext from \ + master differs from what the upload test wrote — \ + either FULA_TEST_SECRET diverged from the upload, or \ + the file was rewritten between upload and walk.", + key, + payload.len(), + dl.len(), + ); + eprintln!( + "[walkable-v8-walk] online download {:?} OK ({} bytes verified)", + key, + dl.len() + ); + } + } + + // ─── Phase C: warm-cache offline list + download ────────────────── + if do_warm { + eprintln!("\n[walkable-v8-walk] phase C: warm-cache OFFLINE list + download (bogus master)"); + let client = build_client( + "http://127.0.0.1:1", + &jwt, + &cache_path, + secret.clone(), + false, + timeout_secs, + ); + + let listed = client + .list_files_from_forest(&bucket) + .await + .expect("phase C: warm-cache offline list must succeed"); + let warm_keys: std::collections::BTreeSet = + listed.iter().map(|m| m.original_key.clone()).collect(); + eprintln!( + "[walkable-v8-walk] warm-offline list: {} files", + listed.len() + ); + assert_eq!( + warm_keys, expected_keys, + "phase C warm-offline list keys must equal the uploaded set \ + — a diff means HAMT walk silently dropped entries" + ); + + for (key, payload) in &files { + let dl = client + .get_object_flat(&bucket, key) + .await + .unwrap_or_else(|e| { + panic!( + "phase C warm-offline download failed for {}: {:?}\n\ + The forest list succeeded but the chunk fetch \ + did not — likely a per-chunk warm-cache miss \ + that should have been a hit (#32 / W.9.4-A2 \ + regression?).", + key, e + ) + }); + assert_eq!( + dl.as_ref(), + payload.as_slice(), + "phase C warm-offline download bytes mismatch for {} \ + ({} expected, {} got)", + key, + payload.len(), + dl.len(), + ); + eprintln!( + "[walkable-v8-walk] warm-offline download {:?} OK ({} bytes verified)", + key, + dl.len() + ); + } + } else { + eprintln!("\n[walkable-v8-walk] phase C (warm offline) SKIPPED — FULA_WALK_MODE={}", walk_mode); + } + + // ─── Phase D: cold-cache offline ────────────────────────────────── + if do_cold { + let cold_block_gateway = std::env::var("FULA_BLOCK_GATEWAY_URLS") + .ok() + .filter(|s| !s.is_empty()); + let cold_chain_rpc = std::env::var("FULA_USERS_INDEX_CHAIN_RPC_URL") + .ok() + .filter(|s| !s.is_empty()); + let cold_anchor = std::env::var("FULA_USERS_INDEX_ANCHOR_ADDRESS") + .ok() + .filter(|s| !s.is_empty()); + let cold_ipns = std::env::var("FULA_USERS_INDEX_IPNS_NAME") + .ok() + .filter(|s| !s.is_empty()); + let cold_user_key = std::env::var("FULA_USERS_INDEX_USER_KEY") + .ok() + .filter(|s| !s.is_empty()); + + let cold_ready = cold_block_gateway.is_some() + && cold_chain_rpc.is_some() + && cold_anchor.is_some() + && cold_ipns.is_some() + && cold_user_key.is_some(); + + if !cold_ready { + panic!( + "FULA_WALK_MODE={} requires cold-start env vars. \ + Missing one or more of:\n\ + FULA_BLOCK_GATEWAY_URLS\n\ + FULA_USERS_INDEX_CHAIN_RPC_URL\n\ + FULA_USERS_INDEX_ANCHOR_ADDRESS\n\ + FULA_USERS_INDEX_IPNS_NAME\n\ + FULA_USERS_INDEX_USER_KEY", + walk_mode + ); + } + + eprintln!( + "\n[walkable-v8-walk] phase D: cold-cache OFFLINE list + download \ + (resolver + gateway race)" + ); + eprintln!( + "[walkable-v8-walk] pre-req: publisher must have ticked since \ + the upload test ran" + ); + + let cold_cache_dir = TempDir::new().expect("tempdir for COLD block cache"); + let cold_cache_path = cold_cache_dir.path().join("blocks.redb"); + + let block_gateway_urls: Vec = cold_block_gateway + .unwrap() + .split(',') + .map(|s| s.trim().to_string()) + .filter(|s| !s.is_empty()) + .collect(); + let ipns_gateway_urls = std::env::var("FULA_USERS_INDEX_IPNS_GATEWAY_URLS") + .ok() + .map(|s| { + s.split(',') + .map(|t| t.trim().to_string()) + .filter(|t| !t.is_empty()) + .collect() + }) + .unwrap_or_default(); + + let client = build_client_with_cold_start( + "http://127.0.0.1:1", + &jwt, + &cold_cache_path, + secret, + false, + timeout_secs, + cold_chain_rpc.unwrap(), + cold_anchor.unwrap(), + cold_ipns.unwrap(), + cold_user_key.unwrap(), + ipns_gateway_urls, + block_gateway_urls, + ); + + let listed = client + .list_files_from_forest(&bucket) + .await + .unwrap_or_else(|e| { + panic!( + "phase D cold-offline list failed: {:?}\n\ + Most likely cause: publisher has not ticked since the \ + upload test ran. Wait 5+ min (default cadence) and \ + re-run, OR call the master's \ + `/_internal/publish-now` admin endpoint between \ + upload and walk.", + e + ) + }); + let cold_keys: std::collections::BTreeSet = + listed.iter().map(|m| m.original_key.clone()).collect(); + eprintln!( + "[walkable-v8-walk] cold-offline list: {} files", + listed.len() + ); + assert_eq!( + cold_keys, expected_keys, + "phase D cold-offline list keys must equal the uploaded set \ + — a diff means resolver returned the wrong CID OR HAMT \ + walk dropped entries during gateway race" + ); + + for (key, payload) in &files { + let dl = client + .get_object_flat(&bucket, key) + .await + .unwrap_or_else(|e| { + panic!("phase D cold-offline download failed for {}: {:?}", key, e) + }); + assert_eq!( + dl.as_ref(), + payload.as_slice(), + "phase D cold-offline download bytes mismatch for {} \ + ({} expected, {} got)", + key, + payload.len(), + dl.len(), + ); + eprintln!( + "[walkable-v8-walk] cold-offline download {:?} OK ({} bytes verified)", + key, + dl.len() + ); + } + } else { + eprintln!("\n[walkable-v8-walk] phase D (cold offline) SKIPPED — FULA_WALK_MODE={}", walk_mode); + } + + let phases_ran = match (do_warm, do_cold) { + (true, true) => "online + warm-offline + cold-offline", + (true, false) => "online + warm-offline", + (false, true) => "online + cold-offline", + (false, false) => unreachable!("guarded above"), + }; + eprintln!( + "\n[walkable-v8-walk] PASS — v0.6.1 walkable-v8 walk verified \ + on bucket {}: {} files round-tripped (text + binary + chunked) \ + with byte-equality across {}.", + bucket, + files.len(), + phases_ran, + ); +} + // ============================================================================ // 412 reproduction harness against a USER'S EXISTING bucket // ============================================================================ diff --git a/crates/fula-crypto/src/sharded_hamt_forest.rs b/crates/fula-crypto/src/sharded_hamt_forest.rs index 1d26eed..01cc18a 100644 --- a/crates/fula-crypto/src/sharded_hamt_forest.rs +++ b/crates/fula-crypto/src/sharded_hamt_forest.rs @@ -4379,4 +4379,233 @@ mod tests { largest, largest_path ); } + + // ======================================================================== + // #88 — direct RPC-count parity between v7 and v8 writers (W.8.4 claim). + // + // The walkable-v8 plan §W.8.4 stated v8 adds zero new master RPCs vs v7. + // The walkable_v8_scale bench showed throughput equivalence within ~5% + // measurement noise (tracked in the v0.6.0 CHANGELOG entry as + // "suggestive but not proven"). This test closes that gap directly: + // identical write workload through a v7 backend (no CID surfaced) and a + // v8 backend (CID surfaced), compared via `CountingBlobBackend` — + // assertion is byte-equality on `puts` and `gets`, since the v8 cascade + // changes only what gets stamped in the parent's plaintext, NOT how many + // PUTs/GETs happen during the cascade. + // + // The discriminator `gets_with_some_hint` validates that the v8 wiring + // is actually live: under v7 it must be 0 (no LinkV2 entries → no CID + // hints flow); under v8 it must be positive after a read pass that walks + // through internal nodes. + // ======================================================================== + #[tokio::test] + async fn walkable_v8_rpc_count_parity_writes_match_v7() { + use crate::wnfs_hamt::CountingBlobBackend; + + // Same workload for both runs: enough entries that the cascade + // produces internal nodes (singletons-only would never exercise + // parent-pointer write paths). 32 entries with 16 shards + // typically grows ≥ 1 internal node per populated shard. + const N: u64 = 32; + + async fn run(backend: &std::sync::Arc>, label: &str) + where + B: crate::wnfs_hamt::BlobBackend + 'static, + { + let mut forest = + ShardedHamtPrivateForest::new(label, test_dek(), 16); + for i in 0..N { + forest + .upsert_file(file_entry(&format!("/p/f-{:03}.bin", i), i), backend) + .await + .unwrap(); + } + forest.flush_dirty(backend).await.unwrap(); + } + + // v7 path: InMemoryBackend returns BlobPutResult::none() → + // cascade emits legacy `Link` everywhere. + let v7_inner = std::sync::Arc::new(InMemoryBackend::new()); + let v7 = std::sync::Arc::new(CountingBlobBackend::new(v7_inner)); + run(&v7, "rpc-parity-v7").await; + let v7_snap = v7.snapshot(); + + // v8 path: CidCapturingBackend returns Some(BLAKE3 raw CID) → + // cascade emits `LinkV2` everywhere it has parent pointers. + let v8_inner = std::sync::Arc::new(CidCapturingBackend::new()); + let v8 = std::sync::Arc::new(CountingBlobBackend::new(v8_inner)); + run(&v8, "rpc-parity-v8").await; + let v8_snap = v8.snapshot(); + + eprintln!( + "\n[#88 RPC parity — writes only]\n v7: {:?}\n v8: {:?}", + v7_snap, v8_snap + ); + + // Load-bearing equality: every PUT and GET site in the writer + // cascade fires identically under both modes. A drift here would + // mean v8 silently added a backend round-trip somewhere — that + // would invalidate W.8.4 directly. + assert_eq!( + v7_snap.puts, v8_snap.puts, + "W.8.4 violated: v7 and v8 writers must emit identical PUT \ + counts. v7={} v8={} — investigate `flush_dirty` / \ + `node::store` for a v8-only RPC site that wasn't accounted \ + for.", + v7_snap.puts, v8_snap.puts, + ); + assert_eq!( + v7_snap.gets, v8_snap.gets, + "W.8.4 violated: v7 and v8 writers must emit identical GET \ + counts (intermediate-node loads during cascade). v7={} \ + v8={} — investigate the CID-stamping seam for a sneaky \ + extra read.", + v7_snap.gets, v8_snap.gets, + ); + + // Writers don't call `get_with_cid_hint` — that's the reader's + // surface. Both should be 0 here. If this is non-zero, someone + // routed a writer-side load through the cid-hint variant, which + // would be a layering violation. + assert_eq!( + v7_snap.gets_with_hint, 0, + "writer cascade should not call `get_with_cid_hint`. v7={}", + v7_snap.gets_with_hint + ); + assert_eq!( + v8_snap.gets_with_hint, 0, + "writer cascade should not call `get_with_cid_hint`. v8={}", + v8_snap.gets_with_hint + ); + } + + #[tokio::test] + async fn walkable_v8_rpc_count_parity_reader_uses_cid_hints_under_v8_only() { + use crate::wnfs_hamt::CountingBlobBackend; + + // Build a populated v8 bucket, then walk it via `list_all_files`. + // The reader path resolves children through + // `Node::load_with_cid_hint`, which calls + // `BlobBackend::get_with_cid_hint`. Under v8 (LinkV2 present) the + // hint is `Some`; under v7 (legacy Link only) the hint is `None`. + // The discriminator `gets_with_some_hint` should be: + // * 0 on the v7 walk (no LinkV2 → cid_hint is always None) + // * > 0 on the v8 walk (LinkV2 children resolve with Some(cid)) + // This is what proves the v8 cascade is actually wired through to + // the reader, not just stamping `LinkV2` into bytes that nobody + // reads. + const N: u64 = 64; + + // ─── v7 baseline ──────────────────────────────────────────────── + let v7_inner = std::sync::Arc::new(InMemoryBackend::new()); + let v7 = std::sync::Arc::new(CountingBlobBackend::new(v7_inner)); + { + let mut forest = + ShardedHamtPrivateForest::new("rpc-walk-v7", test_dek(), 16); + for i in 0..N { + forest + .upsert_file(file_entry(&format!("/w/f-{:03}.bin", i), i), &v7) + .await + .unwrap(); + } + forest.flush_dirty(&v7).await.unwrap(); + } + v7.reset(); + // Re-load the forest from scratch so the walk actually exercises + // gets (in-memory cache would short-circuit otherwise). + let v7_manifest = { + let mut forest = + ShardedHamtPrivateForest::new("rpc-walk-v7", test_dek(), 16); + for i in 0..N { + forest + .upsert_file(file_entry(&format!("/w/f-{:03}.bin", i), i), &v7) + .await + .unwrap(); + } + forest.flush_dirty(&v7).await.unwrap().clone() + }; + v7.reset(); + // Walk: read each shard root + descendants via list_all_files. + let v7_files = { + let forest = ShardedHamtPrivateForest::from_manifest( + v7_manifest, + "rpc-walk-v7", + test_dek(), + ); + forest.list_all_files(&v7).await.unwrap() + }; + let v7_snap = v7.snapshot(); + + // ─── v8 path ──────────────────────────────────────────────────── + let v8_inner = std::sync::Arc::new(CidCapturingBackend::new()); + let v8 = std::sync::Arc::new(CountingBlobBackend::new(v8_inner)); + let v8_manifest = { + let mut forest = + ShardedHamtPrivateForest::new("rpc-walk-v8", test_dek(), 16); + for i in 0..N { + forest + .upsert_file(file_entry(&format!("/w/f-{:03}.bin", i), i), &v8) + .await + .unwrap(); + } + forest.flush_dirty(&v8).await.unwrap().clone() + }; + v8.reset(); + let v8_files = { + let forest = ShardedHamtPrivateForest::from_manifest( + v8_manifest, + "rpc-walk-v8", + test_dek(), + ); + forest.list_all_files(&v8).await.unwrap() + }; + let v8_snap = v8.snapshot(); + + eprintln!( + "\n[#88 RPC parity — reader walk]\n v7: {:?}\n v8: {:?}\n \ + v7 file count = {}, v8 file count = {}", + v7_snap, + v8_snap, + v7_files.len(), + v8_files.len(), + ); + + // Same data shape on both sides → same number of files visible. + assert_eq!( + v7_files.len(), + v8_files.len(), + "v7 and v8 walks must surface identical file counts. v7={} v8={}", + v7_files.len(), + v8_files.len(), + ); + + // The total `gets_with_hint` count should match — both walks + // descend through the same number of HAMT nodes. The DIFFERENCE + // is the `Some` vs `None` payload of the cid_hint argument. + assert_eq!( + v7_snap.gets_with_hint, v8_snap.gets_with_hint, + "W.8.4 violated: reader walks must call `get_with_cid_hint` \ + the same number of times under v7 and v8 (only the hint \ + argument differs). v7={} v8={}", + v7_snap.gets_with_hint, v8_snap.gets_with_hint, + ); + + // Discriminator: validates the v8 wiring is LIVE. + assert_eq!( + v7_snap.gets_with_some_hint, 0, + "v7 walk must not surface any Some(cid) hints — there are no \ + LinkV2 entries in a v7 forest. Got {} — investigate whether \ + a stale v8 cid leaked from a prior test run.", + v7_snap.gets_with_some_hint, + ); + assert!( + v8_snap.gets_with_some_hint > 0, + "v8 walk must surface at least one Some(cid) hint — that's \ + how the reader proves the LinkV2 wiring reaches the storage \ + layer. Got 0 hints — investigate `Node::load_with_cid_hint` \ + / `ChildPtr::resolve_owned` for a regression where the \ + stored LinkV2 cid never makes it into the get_with_cid_hint \ + call.", + ); + } } diff --git a/crates/fula-crypto/src/wnfs_hamt/mod.rs b/crates/fula-crypto/src/wnfs_hamt/mod.rs index 58cb0a2..45c8926 100644 --- a/crates/fula-crypto/src/wnfs_hamt/mod.rs +++ b/crates/fula-crypto/src/wnfs_hamt/mod.rs @@ -17,3 +17,9 @@ pub(crate) use node::Node; pub(crate) use pointer::{ChildPtr, Pair, Pointer}; pub(crate) use store::{HamtNodeBytes, HamtNodeStore, NodePutResult, STORAGE_KEY_LEN, StorageKey}; pub use v7_store::{BlobBackend, BlobPutResult, V7NodeStore, V7_NODE_PREFIX}; + +// Test-only RPC-count instrumentation (#88 — W.8.4 validation). +// Visible to fula-crypto's own tests AND to downstream crates that opt in +// via `features = ["test-fault-injection"]` on their fula-crypto dep. +#[cfg(any(test, feature = "test-fault-injection"))] +pub use v7_store::{CountSnapshot, CountingBlobBackend}; diff --git a/crates/fula-crypto/src/wnfs_hamt/v7_store.rs b/crates/fula-crypto/src/wnfs_hamt/v7_store.rs index 2c8b009..baadc62 100644 --- a/crates/fula-crypto/src/wnfs_hamt/v7_store.rs +++ b/crates/fula-crypto/src/wnfs_hamt/v7_store.rs @@ -420,6 +420,139 @@ impl BlobBackend for InMemoryBackend { } } +// ============================================================================= +// CountingBlobBackend — RPC-count instrumentation for #88 (W.8.4 validation). +// +// Wraps any [`BlobBackend`] and counts every operation atomically. Tests use +// this to drive an identical workload through a v7-mode backend (returns +// `BlobPutResult::none()`) and a v8-mode backend (returns +// `BlobPutResult { cid: Some(_) }`) and assert that the `puts` and `gets` +// counts match, validating the W.8.4 plan claim that v8 adds zero new master +// RPCs vs v7. The `gets_with_some_hint` counter is the discriminator that +// SHOULD differ — it's 0 under v7 (no `LinkV2` exists, no CID hints flow) and +// non-zero under v8 (the reader resolves `LinkV2` children with `Some` hints). +// +// Gated on `cfg(any(test, feature = "test-fault-injection"))` so it's visible +// to fula-crypto's own unit tests AND to fula-client integration tests that +// pull in fula-crypto with the feature enabled. +// ============================================================================= + +/// Atomic operation-count snapshot for a [`CountingBlobBackend`]. +#[cfg(any(test, feature = "test-fault-injection"))] +#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)] +pub struct CountSnapshot { + pub puts: u64, + pub gets: u64, + pub gets_with_hint: u64, + pub gets_with_some_hint: u64, +} + +/// [`BlobBackend`] wrapper that counts every operation. See module-level +/// commentary above for usage. +#[cfg(any(test, feature = "test-fault-injection"))] +pub struct CountingBlobBackend { + inner: Arc, + puts: std::sync::atomic::AtomicU64, + gets: std::sync::atomic::AtomicU64, + gets_with_hint: std::sync::atomic::AtomicU64, + gets_with_some_hint: std::sync::atomic::AtomicU64, +} + +#[cfg(any(test, feature = "test-fault-injection"))] +impl CountingBlobBackend { + pub fn new(inner: Arc) -> Self { + Self { + inner, + puts: std::sync::atomic::AtomicU64::new(0), + gets: std::sync::atomic::AtomicU64::new(0), + gets_with_hint: std::sync::atomic::AtomicU64::new(0), + gets_with_some_hint: std::sync::atomic::AtomicU64::new(0), + } + } + + pub fn snapshot(&self) -> CountSnapshot { + use std::sync::atomic::Ordering::Relaxed; + CountSnapshot { + puts: self.puts.load(Relaxed), + gets: self.gets.load(Relaxed), + gets_with_hint: self.gets_with_hint.load(Relaxed), + gets_with_some_hint: self.gets_with_some_hint.load(Relaxed), + } + } + + pub fn reset(&self) { + use std::sync::atomic::Ordering::Relaxed; + self.puts.store(0, Relaxed); + self.gets.store(0, Relaxed); + self.gets_with_hint.store(0, Relaxed); + self.gets_with_some_hint.store(0, Relaxed); + } + + pub fn inner(&self) -> &Arc { + &self.inner + } +} + +#[cfg(all(any(test, feature = "test-fault-injection"), not(target_arch = "wasm32")))] +#[async_trait::async_trait] +impl BlobBackend for CountingBlobBackend { + async fn get(&self, path: &str) -> Result> { + self.gets + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + self.inner.get(path).await + } + + async fn put(&self, path: &str, bytes: Vec) -> Result { + self.puts + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + self.inner.put(path, bytes).await + } + + async fn get_with_cid_hint( + &self, + path: &str, + cid_hint: Option<&Cid>, + ) -> Result> { + self.gets_with_hint + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + if cid_hint.is_some() { + self.gets_with_some_hint + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + } + self.inner.get_with_cid_hint(path, cid_hint).await + } +} + +#[cfg(all(any(test, feature = "test-fault-injection"), target_arch = "wasm32"))] +#[async_trait::async_trait(?Send)] +impl BlobBackend for CountingBlobBackend { + async fn get(&self, path: &str) -> Result> { + self.gets + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + self.inner.get(path).await + } + + async fn put(&self, path: &str, bytes: Vec) -> Result { + self.puts + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + self.inner.put(path, bytes).await + } + + async fn get_with_cid_hint( + &self, + path: &str, + cid_hint: Option<&Cid>, + ) -> Result> { + self.gets_with_hint + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + if cid_hint.is_some() { + self.gets_with_some_hint + .fetch_add(1, std::sync::atomic::Ordering::Relaxed); + } + self.inner.get_with_cid_hint(path, cid_hint).await + } +} + #[cfg(all(test, not(target_arch = "wasm32")))] mod tests { use super::*; diff --git a/crates/fula-flutter/src/api/types.rs b/crates/fula-flutter/src/api/types.rs index 3d23107..7ab3dd7 100644 --- a/crates/fula-flutter/src/api/types.rs +++ b/crates/fula-flutter/src/api/types.rs @@ -159,10 +159,16 @@ pub struct FulaConfig { /// Emit walkable-v8 CID hints in HAMT internal-node pointers, /// manifest pages, dir-index, and forest file-index entries from /// master's PUT-response ETag (= `BLAKE3(ciphertext)` raw-codec). - /// Off by default during the v0.6.x rollout — when off, every - /// write is byte-identical to v0.5 and old SDKs (FxFiles installs - /// that haven't updated yet) read newly-written buckets without - /// any wire-format awareness. + /// + /// Default flipped to `true` on 2026-05-09 (#89) per user + /// decision ("when we roll out everyone will update"). Pre-v0.6 + /// FxFiles installs reading newly-written buckets surface + /// `FulaError::WireVersionUnsupported` (Dart `error_code() == + /// "WIRE_VERSION_UNSUPPORTED"`) on the `LinkV2` portions of the + /// tree; v7 portions still in the bucket read normally. Set this + /// to `false` to keep emitting the v0.5-readable wire form. + /// Mirrors `fula_client::Config::default()` for cross-platform + /// parity (non-negotiable project rule). /// /// Each parsed CID is **self-verified** locally before being /// stamped: `BLAKE3(ciphertext)` is recomputed by the SDK and diff --git a/docs/flutter-integration.md b/docs/flutter-integration.md index 9d664a1..2909750 100644 --- a/docs/flutter-integration.md +++ b/docs/flutter-integration.md @@ -139,10 +139,13 @@ class FulaConfig { final String usersIndexUserKey; // app-derived via deriveUserKeyFromEmail final List usersIndexIpnsGatewayUrls; // default: [] → SDK defaults final List usersIndexIpfsGatewayUrls; // default: [] → SDK defaults + + // Walkable-v8 writer (#89, default-on as of v0.6.1) + final bool walkableV8WriterEnabled; // default: TRUE (apps wanting v0.5-readable wire form must set false explicitly) } ``` -All flags default OFF — apps that don't opt in see byte-identical behavior to pre-Phase-2.x builds. +The Phase 2.x and Phase 3.3 flags listed above default OFF — apps that don't opt in see byte-identical behavior to pre-Phase-2.x builds. The walkable-v8 writer flag is the exception: it defaults ON as of v0.6.1 (#89). Apps that need the v0.5-readable wire form must explicitly set `walkableV8WriterEnabled: false`. #### EncryptionConfig ```dart diff --git a/packages/fula_client/CHANGELOG.md b/packages/fula_client/CHANGELOG.md index 6fa9a0f..805292b 100644 --- a/packages/fula_client/CHANGELOG.md +++ b/packages/fula_client/CHANGELOG.md @@ -7,12 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [0.6.1] - 2026-05-09 -**Walkable‑v8 writer flag flipped to default‑on (#89).** This is a wire‑format default flip, not a feature add. v0.6.0 shipped the entire walkable‑v8 stack (writer cascade, reader cid‑hint dispatch, durable pin queue, dual cross‑platform parity) but kept the writer flag default‑off so the v0.6.x rollout window could let pre‑v0.6 SDK readers continue reading newly‑written buckets byte‑identically. Per operator decision (*"that is ok. turn it on globally as when we roll out everyone will update"*), every new fula‑client / fula‑flutter / fula‑js Config now defaults `walkable_v8_writer_enabled = true`. Buckets written by v0.6.1+ SDKs emit `PointerWire::LinkV2` everywhere the cascade fires; pre‑v0.6 SDK readers encountering a `LinkV2` blob surface the typed `WireVersionUnsupported { context, postcard_error }` variant cleanly (no data corruption). Operators relying on the v0.5‑readable wire form must now hold the flag down explicitly via `cfg.walkable_v8_writer_enabled = false`. +**Walkable‑v8 writer flag flipped to default‑on (#89).** This is a wire‑format default flip, not a feature add. v0.6.0 shipped the entire walkable‑v8 stack (writer cascade, reader cid‑hint dispatch, durable pin queue, dual cross‑platform parity) but kept the writer flag default‑off so the v0.6.x rollout window could let pre‑v0.6 SDK readers continue reading newly‑written buckets byte‑identically. Per operator decision (*"that is ok. turn it on globally as when we roll out everyone will update"*), every new fula‑client / fula‑flutter / fula‑js Config now defaults `walkable_v8_writer_enabled = true`. **This deliberately bypasses the v0.6.0 rollout matrix's Phase B 4–8‑week SDK‑adoption gate** — the operator's coordinated single‑update rollout shape replaces the staged adoption window the v0.6.0 plan assumed; see `docs/wnfs-comparison.md` §9 + the project memory note `project_walkable_v8_default_on.md` for the authorization trail. Buckets written by v0.6.1+ SDKs emit `PointerWire::LinkV2` everywhere the cascade fires; pre‑v0.6 SDK readers encountering a `LinkV2` blob surface the typed `ClientError::WireVersionUnsupported { context, postcard_error }` variant cleanly (no data corruption), with parallel `FulaError::WireVersionUnsupported` on fula‑flutter (Dart `error_code() == "WIRE_VERSION_UNSUPPORTED"`) and the matching `"WIRE_VERSION_UNSUPPORTED"` JS error code on fula‑js — operators filtering error telemetry should match on these typed variants, not the underlying postcard message string. Operators relying on the v0.5‑readable wire form must now hold the flag down explicitly via `cfg.walkable_v8_writer_enabled = false`. ### Changed - **`fula-client` `Config::default()`** — `walkable_v8_writer_enabled` now defaults to `true`. Existing tests that constructed a default Config to exercise the v7 path now pass through the v8 writer cascade; the only test that asserted "default‑off" semantics was renamed to `put_with_explicit_writer_disabled_returns_cid_none` (in `crates/fula-client/tests/s3_blob_backend_returns_cid.rs`) and explicitly sets `cfg.walkable_v8_writer_enabled = false` to keep covering the disabled‑writer path. The fula-flutter test `fula_config_default_phase_2_x_fields_are_off` was updated to assert default‑on for this field with a load‑bearing comment that flipping back is now a deliberate operator action. -- **`fula-flutter` `FulaConfig::default()`** — mirrors fula-client (cross‑platform alignment is non‑negotiable per the project memory rule). FRB binding regen tracked separately as #87; until #87 lands, FxFiles mobile users on FRB‑generated bindings continue to see whatever the prior FRB run produced. Apps that pin field values explicitly (the documented FxFiles pattern) are unaffected by the regen lag. +- **`fula-flutter` `FulaConfig::default()`** — mirrors fula-client (cross‑platform alignment is non‑negotiable per the project memory rule). The published v0.6.1 Dart package on pub.dev exposes `walkableV8WriterEnabled` correctly: the release workflow `.github/workflows/flutter-release.yml` runs `flutter_rust_bridge_codegen generate` (line 67, plus line 136 and 209 in the Android / iOS native-build jobs) on every tag push, so the FRB-generated codecs in the shipped artifact are always in sync with the current Rust struct. The repo-checked-in `crates/fula-flutter/src/frb_generated.rs` is not auto-regenerated on commit and may lag behind the live Rust types — that's the in-scope state of #87 — but it does not affect what FxFiles or any other downstream consumer sees from the published SDK. Apps updating to v0.6.1 from pub.dev get the new field with full Dart-side rollback capability (set `walkableV8WriterEnabled: false` to opt out of the new default). - **`fula-js` `JsConfig`** — the `walkable_v8_writer_enabled` field's `#[serde(default)]` was replaced with `#[serde(default = "default_walkable_v8_writer_enabled")]` plus a new `fn default_walkable_v8_writer_enabled() -> bool { true }` to defend against the silent‑drift trap where `bool::default() = false` would have masked the flip on the JS surface. Verified against `serde_wasm_bindgen::from_value` (the JS→Rust deserialization entry point at `crates/fula-js/src/lib.rs:499`); the custom default fires for any JS caller passing a config object without the field. - **`docs/wnfs-comparison.md` §9** — W.9.3 status line updated to reflect the v0.6.1 flip; the "default off during the v0.6.x rollout" caveat is now a v0.6.0‑specific historical note. @@ -22,14 +22,20 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 |---|---| | New SDK install, app does not override `walkable_v8_writer_enabled` | New writes emit `LinkV2`. Buckets become offline‑walkable on first flush. ✅ | | New SDK install, app explicitly sets `walkable_v8_writer_enabled = false` | New writes emit legacy `Link`. Pre‑v0.6 readable. Same behavior as v0.6.0 default. | -| Pre‑v0.6 SDK reading a v0.6.1‑written bucket | Surfaces typed `WireVersionUnsupported` on the `LinkV2` portions of the tree. v7 portions (siblings of mutations that haven't cascaded yet) read normally. Lazy migration: by the time the cascade has touched every shard the user has, the entire bucket is v8‑only. | +| Pre‑v0.6 SDK reading a v0.6.1‑written bucket | Surfaces typed `WireVersionUnsupported` on the `LinkV2` portions of the tree. v7 portions (siblings of mutations that haven't cascaded yet) read normally. **Lazy migration is per‑shard, not per‑bucket** — a single write only re‑stamps the touched shard's HAMT path; siblings in other shards stay v7 until the next write that lands in their shard. Operators verifying offline‑walk against legacy buckets need to write to enough directories to cover every populated shard before the entire bucket is v8‑only. | | Rollback to v0.6.0 default semantics | Config flag flip: app sets `walkable_v8_writer_enabled = false` and re‑deploys. New writes resume `Link`. Already‑written `LinkV2` data stays readable by any v0.6+ SDK; pre‑v0.6 readers see the typed error on those nodes. | +### Added (#88 — direct W.8.4 validation) + +- **`fula_crypto::wnfs_hamt::CountingBlobBackend`** — `BlobBackend` wrapper that atomically counts every `put`, `get`, and `get_with_cid_hint` call (including a discriminator counter for `cid_hint.is_some()`). Gated on `cfg(any(test, feature = "test-fault-injection"))` so it costs nothing in production builds. Cross‑platform (native + wasm32 trait variants). Used by the two new parity tests below to validate the v0.6.0 plan §W.8.4 claim *"v8 adds zero new master RPCs vs v7"* — pre‑#88 the claim was "suggestive but not proven" via throughput equivalence; post‑#88 it is byte‑equality direct evidence. +- **`walkable_v8_rpc_count_parity_writes_match_v7`** (`crates/fula-crypto/src/sharded_hamt_forest.rs`) — runs identical write workload (32 upserts + flush) through `CountingBlobBackend` (v7 path, `BlobPutResult::none()`) and `CountingBlobBackend` (v8 path, `BlobPutResult { cid: Some(_) }`); asserts `puts` and `gets` counts match byte‑for‑byte. A drift in either direction is a load‑bearing W.8.4 regression. +- **`walkable_v8_rpc_count_parity_reader_uses_cid_hints_under_v8_only`** — write 64 entries, reload from manifest, walk via `list_all_files`. Asserts `gets_with_hint` is identical between v7 and v8 (same call sites; only the argument differs) AND `gets_with_some_hint == 0` under v7 (no `LinkV2` → no CID hints flow) AND `gets_with_some_hint > 0` under v8 (the discriminator that proves the v8 wiring is live, not just stamping bytes nobody reads). + ### Verified before release - **fula-client lib tests**: 187/187 passing; integration test `s3_blob_backend_returns_cid::put_with_explicit_writer_disabled_returns_cid_none` exercises the explicit‑false path (renamed from `put_default_off_returns_cid_none_*`). - **fula-flutter lib tests**: 8/8 passing (the inverted `fula_config_default_phase_2_x_fields_are_off` assertion is the gold‑standard regression guard for this flip). -- **fula-crypto lib tests**: 324/324 passing; no behavior change at this layer (the wire format is unchanged from v0.6.0). +- **fula-crypto lib tests**: 326/326 passing (324 pre‑existing + 2 new W.8.4 parity tests from #88); no behavior change at this layer (the wire format is unchanged from v0.6.0). - **wasm32 cross‑platform check**: `cargo check --target wasm32-unknown-unknown` clean for both `-p fula-client` and `-p fula-js`. No new warnings introduced. - **Test‑semantic audit**: the helpers in `crates/fula-client/tests/offline_e2e.rs::build_client` and `build_client_with_cold_start` now mirror the post‑#89 FxFiles config under default‑on; this is intentional (the helper docstring states "Mirror FxFiles config"). Walkable‑v8 reader tests (`walkable_v8_offline_walk.rs`) explicitly note that the reader path is not gated on the writer flag, so the default flip does not affect their coverage. `blob_backend_retries_transient.rs` exercises raw `BlobBackend::get/put` retry logic, not the cascade — unaffected. diff --git a/scripts/walkable-v8-fresh-bucket-upload.ps1 b/scripts/walkable-v8-fresh-bucket-upload.ps1 new file mode 100644 index 0000000..03e90da --- /dev/null +++ b/scripts/walkable-v8-fresh-bucket-upload.ps1 @@ -0,0 +1,53 @@ +# Walkable-v8 fresh-bucket UPLOAD test (#20 / #89 follow-up, part 1 of 2). +# Creates a fresh bucket, uploads the deterministic test file set, and +# prints copy-paste env vars for the matching walk script to consume. +# +# After this completes: +# 1. Copy the FULA_TEST_BUCKET / FULA_TEST_SECRET it prints into your +# shell. +# 2. (For cold-walk only) wait 5+ minutes for the publisher tick. +# 3. Run scripts/walkable-v8-fresh-bucket-walk.ps1. +# +# Required env (set before running): +# $env:FULA_JWT = "" +# $env:FULA_S3 = "https://s3.cloud.fx.land" +# +# Optional: +# $env:FULA_TIMEOUT_SECS = "60" +# $env:FULA_TEST_BUCKET = "walkable-v8-test-..." # override generated name +# $env:FULA_TEST_SECRET = "" # override generated random secret + +$ErrorActionPreference = 'Stop' + +$required = @('FULA_JWT', 'FULA_S3') +$missing = @() +foreach ($v in $required) { + if (-not (Get-Item -Path "env:$v" -ErrorAction SilentlyContinue)) { $missing += $v } +} +if ($missing.Count -gt 0) { + Write-Error "Missing required env vars: $($missing -join ', ')" + exit 1 +} + +Write-Host "===== fxfiles_walkable_v8_fresh_bucket_upload =====" +Write-Host "FULA_S3 = $env:FULA_S3" +Write-Host "FULA_JWT = (set, $($env:FULA_JWT.Length) chars)" +if ($env:FULA_TEST_BUCKET) { + Write-Host "FULA_TEST_BUCKET (override) = $env:FULA_TEST_BUCKET" +} +if ($env:FULA_TEST_SECRET) { + Write-Host "FULA_TEST_SECRET (override) = (set, $($env:FULA_TEST_SECRET.Length) chars)" +} +Write-Host "====================================================" + +$crateDir = Join-Path $PSScriptRoot ".." | Resolve-Path +Push-Location $crateDir +try { + cargo test -p fula-client ` + --test offline_e2e --release ` + fxfiles_walkable_v8_fresh_bucket_upload ` + -- --ignored --nocapture +} +finally { + Pop-Location +} diff --git a/scripts/walkable-v8-fresh-bucket-walk.ps1 b/scripts/walkable-v8-fresh-bucket-walk.ps1 new file mode 100644 index 0000000..05bfd9d --- /dev/null +++ b/scripts/walkable-v8-fresh-bucket-walk.ps1 @@ -0,0 +1,92 @@ +# Walkable-v8 fresh-bucket WALK test (#20 / #89 follow-up, part 2 of 2). +# Reads the bucket + secret produced by the upload script, then runs: +# * Phase B (online list + download — always) +# * Phase C (warm-cache offline — if -Mode warm or both) +# * Phase D (cold-cache offline — if -Mode cold or both, requires +# publisher tick + cold-start env vars) +# +# Required env (set before running): +# $env:FULA_JWT = "" +# $env:FULA_S3 = "https://s3.cloud.fx.land" +# $env:FULA_TEST_BUCKET = "" +# $env:FULA_TEST_SECRET = "" +# +# Optional: +# $env:FULA_TIMEOUT_SECS = "60" +# $env:FULA_WALK_MODE = "warm" | "cold" | "both" # default warm +# +# For cold-walk (Phase D), additionally set ALL of: +# $env:FULA_BLOCK_GATEWAY_URLS = "https://ipfs.cloud.fx.land/gateway/{cid}" +# $env:FULA_USERS_INDEX_CHAIN_RPC_URL = "https://mainnet.base.org" +# $env:FULA_USERS_INDEX_ANCHOR_ADDRESS = "0x..." +# $env:FULA_USERS_INDEX_IPNS_NAME = "k51qzi5..." +# $env:FULA_USERS_INDEX_USER_KEY = "<32 hex>" +# Optional: +# $env:FULA_USERS_INDEX_IPNS_GATEWAY_URLS = "" +# +# Convenience flag: pass -Mode {warm|cold|both} to override FULA_WALK_MODE. + +param( + [ValidateSet('warm','cold','both')] + [string]$Mode +) + +$ErrorActionPreference = 'Stop' + +if ($Mode) { $env:FULA_WALK_MODE = $Mode } +if (-not $env:FULA_WALK_MODE) { $env:FULA_WALK_MODE = 'warm' } + +$required = @('FULA_JWT', 'FULA_S3', 'FULA_TEST_BUCKET', 'FULA_TEST_SECRET') +$missing = @() +foreach ($v in $required) { + if (-not (Get-Item -Path "env:$v" -ErrorAction SilentlyContinue)) { $missing += $v } +} +if ($missing.Count -gt 0) { + Write-Error "Missing required env vars: $($missing -join ', '). Run walkable-v8-fresh-bucket-upload.ps1 first." + exit 1 +} + +if ($env:FULA_WALK_MODE -eq 'cold' -or $env:FULA_WALK_MODE -eq 'both') { + $coldRequired = @( + 'FULA_BLOCK_GATEWAY_URLS', + 'FULA_USERS_INDEX_CHAIN_RPC_URL', + 'FULA_USERS_INDEX_ANCHOR_ADDRESS', + 'FULA_USERS_INDEX_IPNS_NAME', + 'FULA_USERS_INDEX_USER_KEY' + ) + $coldMissing = @() + foreach ($v in $coldRequired) { + if (-not (Get-Item -Path "env:$v" -ErrorAction SilentlyContinue)) { $coldMissing += $v } + } + if ($coldMissing.Count -gt 0) { + Write-Error "FULA_WALK_MODE=$env:FULA_WALK_MODE requires cold-start env vars. Missing: $($coldMissing -join ', ')" + exit 1 + } +} + +Write-Host "===== fxfiles_walkable_v8_fresh_bucket_walk =====" +Write-Host "FULA_S3 = $env:FULA_S3" +Write-Host "FULA_TEST_BUCKET = $env:FULA_TEST_BUCKET" +Write-Host "FULA_WALK_MODE = $env:FULA_WALK_MODE" +Write-Host "FULA_TEST_SECRET = (set, $($env:FULA_TEST_SECRET.Length) chars)" +Write-Host "FULA_JWT = (set, $($env:FULA_JWT.Length) chars)" +if ($env:FULA_WALK_MODE -ne 'warm') { + Write-Host "FULA_BLOCK_GATEWAY_URLS = $env:FULA_BLOCK_GATEWAY_URLS" + Write-Host "FULA_USERS_INDEX_USER_KEY = $env:FULA_USERS_INDEX_USER_KEY" + Write-Host "FULA_USERS_INDEX_IPNS_NAME = $env:FULA_USERS_INDEX_IPNS_NAME" + Write-Host "FULA_USERS_INDEX_CHAIN_RPC_URL = $env:FULA_USERS_INDEX_CHAIN_RPC_URL" + Write-Host "FULA_USERS_INDEX_ANCHOR_ADDRESS = $env:FULA_USERS_INDEX_ANCHOR_ADDRESS" +} +Write-Host "====================================================" + +$crateDir = Join-Path $PSScriptRoot ".." | Resolve-Path +Push-Location $crateDir +try { + cargo test -p fula-client ` + --test offline_e2e --release ` + fxfiles_walkable_v8_fresh_bucket_walk ` + -- --ignored --nocapture +} +finally { + Pop-Location +} From 4c123041b9fbcaff25687c3c847f15d5b11d9a7c Mon Sep 17 00:00:00 2001 From: ehsan shariati Date: Sat, 9 May 2026 17:19:52 -0400 Subject: [PATCH 3/6] update version --- Cargo.lock | 16 ++++++++-------- Cargo.toml | 2 +- packages/fula_client/ios/fula_client.podspec | 2 +- packages/fula_client/pubspec.yaml | 2 +- scripts/watch-images-upload.sh | 4 ++-- 5 files changed, 13 insertions(+), 13 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 93a1438..ee4d09c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1676,7 +1676,7 @@ dependencies = [ [[package]] name = "fula-api" -version = "0.4.9" +version = "0.5.0" dependencies = [ "anyhow", "axum", @@ -1704,7 +1704,7 @@ dependencies = [ [[package]] name = "fula-blockstore" -version = "0.4.9" +version = "0.5.0" dependencies = [ "anyhow", "async-trait", @@ -1742,7 +1742,7 @@ dependencies = [ [[package]] name = "fula-cli" -version = "0.4.9" +version = "0.5.0" dependencies = [ "anyhow", "async-trait", @@ -1794,7 +1794,7 @@ dependencies = [ [[package]] name = "fula-client" -version = "0.4.9" +version = "0.5.0" dependencies = [ "anyhow", "async-trait", @@ -1834,7 +1834,7 @@ dependencies = [ [[package]] name = "fula-core" -version = "0.4.9" +version = "0.5.0" dependencies = [ "anyhow", "async-trait", @@ -1869,7 +1869,7 @@ dependencies = [ [[package]] name = "fula-crypto" -version = "0.4.9" +version = "0.5.0" dependencies = [ "aes-gcm", "anyhow", @@ -1913,7 +1913,7 @@ dependencies = [ [[package]] name = "fula-flutter" -version = "0.4.9" +version = "0.5.0" dependencies = [ "anyhow", "async-lock", @@ -1936,7 +1936,7 @@ dependencies = [ [[package]] name = "fula-js" -version = "0.4.9" +version = "0.5.0" dependencies = [ "base64 0.22.1", "bytes", diff --git a/Cargo.toml b/Cargo.toml index d2b0614..4ffa97c 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -77,7 +77,7 @@ name = "encrypted_upload_test" path = "examples/encrypted_upload_test.rs" [workspace.package] -version = "0.4.9" +version = "0.5.0" edition = "2021" license = "MIT OR Apache-2.0" repository = "https://github.com/functionland/fula-api" diff --git a/packages/fula_client/ios/fula_client.podspec b/packages/fula_client/ios/fula_client.podspec index 64a7f04..c9a1479 100644 --- a/packages/fula_client/ios/fula_client.podspec +++ b/packages/fula_client/ios/fula_client.podspec @@ -6,7 +6,7 @@ Pod::Spec.new do |s| s.name = 'fula_client' - s.version = '0.4.9' + s.version = '0.5.0' s.summary = 'Flutter SDK for Fula decentralized storage' s.description = <<-DESC A Flutter plugin providing client-side encryption, metadata privacy, diff --git a/packages/fula_client/pubspec.yaml b/packages/fula_client/pubspec.yaml index 6e9797a..c15f701 100644 --- a/packages/fula_client/pubspec.yaml +++ b/packages/fula_client/pubspec.yaml @@ -1,6 +1,6 @@ name: fula_client description: Flutter SDK for Fula decentralized storage with client-side encryption, metadata privacy, and secure sharing. -version: 0.4.9 +version: 0.5.0 homepage: https://fx.land repository: https://github.com/functionland/fula-api issue_tracker: https://github.com/functionland/fula-api/issues diff --git a/scripts/watch-images-upload.sh b/scripts/watch-images-upload.sh index af18da3..86ec067 100644 --- a/scripts/watch-images-upload.sh +++ b/scripts/watch-images-upload.sh @@ -1,10 +1,10 @@ #!/usr/bin/env bash # Run on the master, then upload an image from FxFiles. This tails the -# gateway log filtered to lines that pinpoint where Phase 1.2 / v0.4.9 +# gateway log filtered to lines that pinpoint where Phase 1.2 / v0.5.0 # migration is succeeding or failing for the user's `images` bucket: # # * "Populated/updated bucket_lookup_h" — Phase 1.2 ran (good — appears on first-flush AND on key-rotation flushes) -# * "Populated forest_manifest_cid" — v0.4.9 ran (good — should appear on every Phase 2 root commit) +# * "Populated forest_manifest_cid" — v0.5.0 ran (good — should appear on every Phase 2 root commit) # * "populate_bucket_lookup_h failed" # * "populate_forest_manifest_cid failed" # * "Failed to flush bucket" From a906387c80193578b717e72d23fc97a646283195 Mon Sep 17 00:00:00 2001 From: ehsan shariati Date: Sat, 9 May 2026 18:55:04 -0400 Subject: [PATCH 4/6] CI errors --- crates/fula-client/src/encryption.rs | 38 +++++++++++++++++++--------- tests/audit2_tests.rs | 3 +++ 2 files changed, 29 insertions(+), 12 deletions(-) diff --git a/crates/fula-client/src/encryption.rs b/crates/fula-client/src/encryption.rs index 6666b01..058101b 100644 --- a/crates/fula-client/src/encryption.rs +++ b/crates/fula-client/src/encryption.rs @@ -1276,19 +1276,33 @@ impl EncryptedClient { // the no-hint fallback, which only checks the warm cache by // storage_key and then errors — exactly the failure mode the // walkable-v8 fresh-bucket cold-walk test surfaced. - let cid_hint = forest_entry.as_ref().and_then(|e| e.storage_cid.as_ref()); - let result = match cid_hint { - Some(cid) => self - .inner - .get_object_with_offline_fallback_known_cid(bucket, storage_key, cid) - .await? - .inner, - None => self - .inner - .get_object_with_offline_fallback(bucket, storage_key) - .await? - .inner, + // + // Native-only: `_known_cid` is gated to non-wasm (block_cache + + // gateway_fetch infrastructure isn't compiled into wasm builds). + // wasm32 keeps the legacy no-hint path; cold-cache offline reads + // are not yet supported on browser SDKs. + #[cfg(not(target_arch = "wasm32"))] + let result = { + let cid_hint = forest_entry.as_ref().and_then(|e| e.storage_cid.as_ref()); + match cid_hint { + Some(cid) => self + .inner + .get_object_with_offline_fallback_known_cid(bucket, storage_key, cid) + .await? + .inner, + None => self + .inner + .get_object_with_offline_fallback(bucket, storage_key) + .await? + .inner, + } }; + #[cfg(target_arch = "wasm32")] + let result = self + .inner + .get_object_with_offline_fallback(bucket, storage_key) + .await? + .inner; // Helper: fetch a metadata key, preferring HTTP headers, falling // back to the (AEAD-protected) forest entry's user_metadata. diff --git a/tests/audit2_tests.rs b/tests/audit2_tests.rs index 2696573..050046c 100644 --- a/tests/audit2_tests.rs +++ b/tests/audit2_tests.rs @@ -349,6 +349,7 @@ mod content_type_privacy { root_hash: "00".repeat(32), chunk_nonces: vec![], content_type: None, + chunk_cids: Vec::new(), }; let json = serde_json::to_string(&meta).unwrap(); @@ -649,6 +650,7 @@ mod chunked_metadata_format { root_hash: "abcd".repeat(16), chunk_nonces: vec![], content_type: None, + chunk_cids: Vec::new(), }; let json = serde_json::to_string(&meta).unwrap(); @@ -671,6 +673,7 @@ mod chunked_metadata_format { root_hash: "00".repeat(32), chunk_nonces: vec![], content_type: None, + chunk_cids: Vec::new(), }; assert_eq!(meta.total_size, 9500); } From 4b34ddadbafcca1ffbddba00ae98b101ef9276a1 Mon Sep 17 00:00:00 2001 From: ehsan shariati Date: Sat, 9 May 2026 20:13:19 -0400 Subject: [PATCH 5/6] fixed walkability scaling --- crates/fula-client/src/encryption.rs | 98 ++++++++- .../tests/get_object_flat_no_o_n_scan.rs | 206 ++++++++++++++++++ 2 files changed, 299 insertions(+), 5 deletions(-) create mode 100644 crates/fula-client/tests/get_object_flat_no_o_n_scan.rs diff --git a/crates/fula-client/src/encryption.rs b/crates/fula-client/src/encryption.rs index 058101b..7e3dc4d 100644 --- a/crates/fula-client/src/encryption.rs +++ b/crates/fula-client/src/encryption.rs @@ -1222,17 +1222,102 @@ impl EncryptedClient { } /// Get and decrypt an object using the storage key directly - /// + /// /// Use this when you already have the obfuscated storage key /// (e.g., from list_objects_decrypted) - /// + /// /// Handles both single-block and chunked objects automatically. pub async fn get_object_decrypted_by_storage_key( &self, bucket: &str, storage_key: &str, ) -> Result { - // Resolve the forest entry FIRST so we can fall back to its + // Public API: caller has only a storage_key, so we look up the + // forest entry on their behalf. v7 sharded HAMT pays the O(N) + // `find_by_storage_key` linear scan here — see #91. + // + // Callers that already hold the resolved `ForestFileEntry` (e.g. + // `get_object_flat`'s v7 branch, which walks the HAMT once via + // `get_file(path)` to translate a logical path into an entry) + // should use [`Self::get_object_decrypted_by_entry`] instead and + // skip this redundant scan. + let forest_entry = self.forest_entry_lookup(bucket, storage_key).await?; + self.get_object_decrypted_inner(bucket, storage_key, forest_entry).await + } + + /// Entry-aware variant of [`Self::get_object_decrypted_by_storage_key`] + /// for callers that have already resolved the [`ForestFileEntry`] + /// (e.g. `get_object_flat`'s v7 branch via `get_file(path)`). + /// + /// **Why this exists** (#91): the public `_by_storage_key` API does an + /// O(N) `find_by_storage_key` linear scan over every shard's HAMT to + /// recover the entry. For v7 sharded buckets that already walked the + /// HAMT once to resolve the user's path, this is a redundant scan. + /// On large buckets — and especially on cold-cache offline reads + /// where each internal-node fetch is a multi-second gateway race — + /// the scan dwarfs the actual file fetch. Passing the entry forward + /// drops every encrypted GET back to O(log N) HAMT traversal cost. + /// + /// **Single-walk safety** (audited): the post-fix path acquires the + /// `forest_arc` read guard exactly once via `get_file(path)` in + /// `get_object_flat` (line 7218-7224); the pre-fix path would have + /// acquired a SECOND independent read guard later via + /// `forest_entry_lookup` → `find_by_storage_key`. The two guards + /// were always returning the same data because both walked the same + /// `forest_arc`, but a writer that interleaved between the two guard + /// acquisitions could have caused the second read to observe a + /// just-stamped `storage_cid` that the first read missed (or vice + /// versa). Skipping the second guard cannot produce a wrong-bytes + /// case: AEAD AAD `fula:v4:content:{storage_key}` binds bytes to + /// storage_key independently of any race; a stale `storage_cid` of + /// `None` just falls through to the no-hint offline-fallback path, + /// which is safety-equivalent to today's behavior on legacy entries. + /// + /// **Cross-platform**: shared encryption.rs path; no `cfg`-split. + async fn get_object_decrypted_by_entry( + &self, + bucket: &str, + entry: ForestFileEntry, + ) -> Result { + let storage_key = entry.storage_key.clone(); + self.get_object_decrypted_inner(bucket, &storage_key, Some(entry)).await + } + + /// Shared body of `get_object_decrypted_by_storage_key` and + /// `get_object_decrypted_by_entry`. Takes the (optionally pre-resolved) + /// `ForestFileEntry` directly so both code paths can reuse the same + /// decrypt + content-verify + chunk-dispatch logic. + /// + /// Pre-resolved entry: `get_object_flat`'s v7 branch already walked + /// the HAMT once and has the entry in hand — pass `Some(entry)` and + /// skip the O(N) scan. + /// + /// Lookup: `get_object_decrypted_by_storage_key` only has a + /// storage_key — does the lookup itself, which may cost an O(N) + /// scan on v7 sharded buckets. Same as today's behavior. + /// + /// `forest_entry: None` is the share-token / pre-forest-write path + /// where no forest entry exists; the body falls back to HTTP-header + /// metadata for decryption. Unchanged from the pre-#91 behavior. + async fn get_object_decrypted_inner( + &self, + bucket: &str, + storage_key: &str, + forest_entry: Option, + ) -> Result { + // Defense-in-depth: if the caller passed an entry, its + // storage_key must match the storage_key argument. Compiled out + // in release builds; catches caller bugs in debug. + debug_assert!( + forest_entry + .as_ref() + .map(|e| e.storage_key == storage_key) + .unwrap_or(true), + "get_object_decrypted_inner: entry.storage_key != storage_key argument" + ); + + // Forest-entry fallback rationale (preserved from pre-#91 body): + // when the forest entry is available, we can fall back to its // (privacy-preserving, AEAD-protected) `user_metadata` when the // HTTP `x-fula-encryption` header is unavailable — i.e. on the // offline / warm-cache / cold-start paths where the body is @@ -1254,7 +1339,6 @@ impl EncryptedClient { // is the canonical source-of-truth). Forest entry is the // fallback that turns gateway-served bytes into something // decryptable. - let forest_entry = self.forest_entry_lookup(bucket, storage_key).await?; // Phase 2.4 — route through the offline-fallback wrapper so a // master-down read (per `is_master_unreachable_error`) lands on @@ -7226,7 +7310,11 @@ impl EncryptedClient { bucket: bucket.to_string(), key: key.to_string(), })?; - return self.get_object_decrypted_by_storage_key(bucket, &entry.storage_key).await; + // #91: v7 path already walked the HAMT once via `get_file(key)` + // above; pass the entry forward so the decrypt path skips the + // O(N) `find_by_storage_key` re-scan inside + // `get_object_decrypted_by_storage_key`. + return self.get_object_decrypted_by_entry(bucket, entry).await; } // Monolithic v1/v2: already loaded by ensure_forest_loaded diff --git a/crates/fula-client/tests/get_object_flat_no_o_n_scan.rs b/crates/fula-client/tests/get_object_flat_no_o_n_scan.rs new file mode 100644 index 0000000..b485f3a --- /dev/null +++ b/crates/fula-client/tests/get_object_flat_no_o_n_scan.rs @@ -0,0 +1,206 @@ +//! #91 regression guard: `get_object_flat` MUST NOT trigger an O(N) +//! `find_by_storage_key` linear scan over the v7 sharded HAMT. +//! +//! Bug history: prior to #91, the v7 read path in `get_object_flat` +//! walked the HAMT once via `get_file(path)` to translate the user's +//! logical path into a `ForestFileEntry`, then dropped the entry and +//! called `get_object_decrypted_by_storage_key(storage_key)`. That +//! callee invoked `forest_entry_lookup` → `find_by_storage_key` → +//! `list_all_files` — an O(N) full-forest scan. For warm-cache reads +//! the wasted I/O was hidden by master-S3 latency dominating the budget, +//! but for cold-cache offline reads (master down + every internal-node +//! fetch is a 1-30s gateway race) the scan dwarfed the actual file +//! fetch. A 100-entry bucket would issue ~100 gateway races for a +//! single 50KB file read — minutes per read. +//! +//! Fix: `get_object_flat`'s v7 branch now passes the entry directly to +//! a new `get_object_decrypted_by_entry` private method, which +//! delegates to a shared `_inner` body that takes the entry instead of +//! looking it up. Public `_by_storage_key` API unchanged for callers +//! without an entry (share-token path, path-based public API). +//! +//! This test is the load-bearing regression guard. Without it a future +//! refactor could silently re-introduce the O(N) scan and the bug would +//! return invisibly until production cold-cache reads slowed to a +//! crawl. The bound below (`MAX_READ_GETS`) is conservative — a real +//! O(N) scan on N=64 entries would issue ≥64 GETs, comfortably above +//! the threshold; the post-fix path issues ≤O(log N) GETs for the +//! HAMT walk plus 1 for the file fetch, well under the threshold. + +#![cfg(not(target_arch = "wasm32"))] + +use bytes::Bytes; +use cid::multihash::Multihash; +use cid::Cid; +use fula_client::{Config, EncryptedClient, EncryptionConfig}; +use fula_crypto::keys::SecretKey; +use std::collections::HashMap; +use std::sync::atomic::{AtomicBool, AtomicUsize, Ordering}; +use std::sync::{Arc, Mutex}; +use wiremock::matchers::method; +use wiremock::{Mock, MockServer, Request, Respond, ResponseTemplate}; + +/// Number of files to write before issuing the read. Picked to be +/// well above the O(log N) HAMT depth (so an O(N) scan would be +/// distinguishable from the bounded walk) but small enough that the +/// test runs in a couple of seconds. +const N_FILES: usize = 64; + +/// Upper bound on GETs the read phase is allowed to issue against the +/// wiremock master. The post-fix path issues: +/// - 0..=N_HAMT internal-node GETs to walk the path → entry (HAMT +/// depth is O(log N); for N=64 with bucket-size 3 that's ≤8 levels). +/// - 1 GET for the encrypted file body itself. +/// - A handful for forest-load bookkeeping if the cache cooled. +/// The pre-fix bug would have added N_FILES additional GETs (linear +/// scan of every leaf in `list_all_files`). 32 is well below 64 and +/// well above the post-fix expected count, giving healthy slack +/// without risking flakiness. +const MAX_READ_GETS: usize = 32; + +fn blake3_raw_cid(data: &[u8]) -> Cid { + let h = blake3::hash(data); + let mh = Multihash::<64>::wrap(0x1e, h.as_bytes()).expect("blake3 multihash wrap"); + Cid::new_v1(0x55, mh) +} + +/// Body-stashing wiremock responder: PUTs record (path → body) so GETs +/// can replay them; tracks GET counts gated by a flag so we only count +/// GETs in the read phase (not setup-phase forest_load probing). Also +/// returns the body's BLAKE3-raw CID as the `ETag` on PUT response so +/// the SDK's W.9.3 self-verify accepts the round-trip and the v8 +/// LinkV2 cascade actually fires. +struct BodyStashingResponder { + stash: Arc>>>, +} + +impl Respond for BodyStashingResponder { + fn respond(&self, req: &Request) -> ResponseTemplate { + let path = req.url.path().to_string(); + let body = req.body.clone(); + let cid = blake3_raw_cid(&body); + self.stash.lock().unwrap().insert(path, body); + ResponseTemplate::new(200).insert_header("ETag", cid.to_string()) + } +} + +struct ServingGetResponder { + stash: Arc>>>, + get_count: Arc, + counting_active: Arc, +} + +impl Respond for ServingGetResponder { + fn respond(&self, req: &Request) -> ResponseTemplate { + let path = req.url.path().to_string(); + if self.counting_active.load(Ordering::SeqCst) { + self.get_count.fetch_add(1, Ordering::SeqCst); + } + let stash = self.stash.lock().unwrap(); + match stash.get(&path) { + Some(bytes) => { + let cid = blake3_raw_cid(bytes); + ResponseTemplate::new(200) + .insert_header("ETag", cid.to_string()) + .set_body_bytes(bytes.clone()) + } + None => ResponseTemplate::new(404), + } + } +} + +#[tokio::test] +async fn get_object_flat_does_not_o_n_scan_v7_forest() { + let server = MockServer::start().await; + + let stash: Arc>>> = Arc::new(Mutex::new(HashMap::new())); + let get_count = Arc::new(AtomicUsize::new(0)); + let counting_active = Arc::new(AtomicBool::new(false)); + + let put_responder = BodyStashingResponder { + stash: stash.clone(), + }; + let get_responder = ServingGetResponder { + stash: stash.clone(), + get_count: get_count.clone(), + counting_active: counting_active.clone(), + }; + + Mock::given(method("PUT")) + .respond_with(put_responder) + .mount(&server) + .await; + Mock::given(method("GET")) + .respond_with(get_responder) + .mount(&server) + .await; + Mock::given(method("HEAD")) + .respond_with(ResponseTemplate::new(200)) + .mount(&server) + .await; + + let mut config = Config::new(&server.uri()).with_token("test-jwt"); + config.walkable_v8_writer_enabled = true; + let secret = SecretKey::generate(); + let enc_config = EncryptionConfig::from_secret_key(secret); + let client = EncryptedClient::new(config, enc_config).expect("EncryptedClient::new"); + + let bucket = "regression-bucket"; + + // Phase 1: write N files. GET counting is OFF so any forest-load + // probing during ensure_forest_loaded doesn't pollute the read + // measurement. Each file is small (well under chunked threshold) + // so put_object_flat_deferred takes the single-block path that + // stamps `ForestFileEntry.storage_cid` via the W.9.3 self-verify. + for i in 0..N_FILES { + let key = format!("/file-{:04}.txt", i); + let data = format!("payload-for-{}", i).into_bytes(); + client + .put_object_flat_deferred(bucket, &key, Bytes::from(data), None) + .await + .expect("put_object_flat_deferred"); + } + + client + .flush_forest(bucket) + .await + .expect("flush_forest"); + + // Phase 2: pick one file and read it. Turn on GET counting only + // for this read so any forest-load bookkeeping during the prior + // phase doesn't double-count. + let target_idx = N_FILES / 2; + let target_key = format!("/file-{:04}.txt", target_idx); + let expected_payload = format!("payload-for-{}", target_idx).into_bytes(); + + counting_active.store(true, Ordering::SeqCst); + let read_back = client + .get_object_flat(bucket, &target_key) + .await + .expect("get_object_flat must round-trip the just-written file"); + counting_active.store(false, Ordering::SeqCst); + + assert_eq!( + read_back.as_ref(), + expected_payload.as_slice(), + "round-trip plaintext mismatch — refactor must preserve byte-equality \ + of decrypted file contents" + ); + + let observed_gets = get_count.load(Ordering::SeqCst); + assert!( + observed_gets <= MAX_READ_GETS, + "regression: get_object_flat issued {} GETs reading 1 file from a \ + bucket of {} entries (threshold: {}). The pre-#91 O(N) scan via \ + forest_entry_lookup → find_by_storage_key would have produced \ + ≥{} GETs. A count above the threshold means a redundant full-forest \ + scan has been re-introduced into the read path.", + observed_gets, N_FILES, MAX_READ_GETS, N_FILES + ); + + eprintln!( + "#91 regression guard PASS: get_object_flat issued {} GETs (≤{}) on a \ + {}-entry v7 bucket — bounded by O(log N) HAMT walk, not O(N) scan", + observed_gets, MAX_READ_GETS, N_FILES + ); +} From 7a2c292a9f1424d7e6a1b2e2dc08bbe42932c8f2 Mon Sep 17 00:00:00 2001 From: ehsan shariati Date: Sat, 9 May 2026 20:20:25 -0400 Subject: [PATCH 6/6] Update get_object_flat_no_o_n_scan.rs --- .../tests/get_object_flat_no_o_n_scan.rs | 53 +++++++++++++++---- 1 file changed, 43 insertions(+), 10 deletions(-) diff --git a/crates/fula-client/tests/get_object_flat_no_o_n_scan.rs b/crates/fula-client/tests/get_object_flat_no_o_n_scan.rs index b485f3a..d790b2b 100644 --- a/crates/fula-client/tests/get_object_flat_no_o_n_scan.rs +++ b/crates/fula-client/tests/get_object_flat_no_o_n_scan.rs @@ -47,16 +47,28 @@ use wiremock::{Mock, MockServer, Request, Respond, ResponseTemplate}; const N_FILES: usize = 64; /// Upper bound on GETs the read phase is allowed to issue against the -/// wiremock master. The post-fix path issues: -/// - 0..=N_HAMT internal-node GETs to walk the path → entry (HAMT -/// depth is O(log N); for N=64 with bucket-size 3 that's ≤8 levels). -/// - 1 GET for the encrypted file body itself. -/// - A handful for forest-load bookkeeping if the cache cooled. -/// The pre-fix bug would have added N_FILES additional GETs (linear -/// scan of every leaf in `list_all_files`). 32 is well below 64 and -/// well above the post-fix expected count, giving healthy slack -/// without risking flakiness. -const MAX_READ_GETS: usize = 32; +/// wiremock master after `invalidate_all_forest_caches` forces a fresh +/// load. +/// +/// **Empirically observed post-fix**: 6 GETs (1 manifest + 1 dir-index +/// probe + 1 shard root + 1 internal-node walk + 1 leaf bucket + 1 file +/// body, roughly). +/// +/// **Pre-fix expected**: ≥40 GETs. `find_by_storage_key` → +/// `list_all_files` → `collect_all_entries` would +/// `ensure_shard_loaded` for every one of the 16 v7 default shards +/// (16 GETs minimum just for shard roots) plus walk every leaf bucket +/// across all shards (~16-30 more GETs depending on HAMT branching +/// and entry distribution). The total is comfortably ≥40 in any +/// realistic shard layout — see `sharded_hamt_forest.rs:1499-1506` +/// for the O(N) scan implementation. +/// +/// **Threshold = 16**: tight enough to catch any regression that +/// re-introduces a per-shard fetch (the cheapest O(N) scan still +/// has to fetch all 16 shard roots), loose enough that the post-fix +/// path's ~6 GETs has 10× slack against unrelated test +/// infrastructure changes. +const MAX_READ_GETS: usize = 16; fn blake3_raw_cid(data: &[u8]) -> Cid { let h = blake3::hash(data); @@ -166,6 +178,27 @@ async fn get_object_flat_does_not_o_n_scan_v7_forest() { .await .expect("flush_forest"); + // CRITICAL: invalidate the forest cache before reading. + // + // `flush_dirty` (sharded_hamt_forest.rs:1772) takes `&self` on the + // node store and does NOT rewrite the in-memory pointer state from + // `InMemory(node)` → `Stored(key)` after persist. The Arc-held node + // tree retains its `InMemory` pointers post-flush. Without + // invalidation, a subsequent `get_object_flat` walks the in-memory + // tree directly without issuing ANY backend GETs — and so does the + // bug-equivalent `find_by_storage_key` linear scan, since it also + // walks via `flat_map` over the same in-memory pointers. The test + // would then trivially pass with or without the fix, defeating the + // regression-guard purpose entirely. + // + // Invalidating the forest cache evicts the in-memory tree. The + // next `ensure_forest_loaded` re-fetches the manifest CBOR from + // wiremock, which decodes shard roots as `Stored`/`StoredV2` + // pointers (the on-disk wire form). Walking those then forces + // real backend GETs — exactly the behavior a fresh-installed + // device would see, which is the scenario the fix targets. + client.invalidate_all_forest_caches(); + // Phase 2: pick one file and read it. Turn on GET counting only // for this read so any forest-load bookkeeping during the prior // phase doesn't double-count.