Skip to content

feat: add opaque application asset handles#62

Merged
flyingrobots merged 9 commits into
mainfrom
feat/opaque-asset-handles
Jul 13, 2026
Merged

feat: add opaque application asset handles#62
flyingrobots merged 9 commits into
mainfrom
feat/opaque-asset-handles

Conversation

@flyingrobots

Copy link
Copy Markdown
Member

Linked Issue

Design / Proof

  • Design doc: docs/design/0047-application-storage-cache-boundary/application-storage-cache-boundary.md
  • Implementation witness: docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md
  • Real-Git proof: test/integration/application-storage.test.js

What Changed

  • Add canonical immutable AssetHandle, StagedAsset, and generation-scoped RetentionWitness values.
  • Add cas.assets.put/adopt/open, cas.retention.retain, and allowlisted compare-and-swap cas.publications.commit.
  • Preserve ordered application commit parents while retaining single-parent port compatibility.
  • Validate complete handle graphs, parent commit kinds, ref namespaces, expected heads, SHA-1/SHA-256 OID widths, and structured failure evidence.
  • Document the high-level lifecycle while preserving existing low-level, RootSet, and vault APIs.

Self-Review / Code Lawyer

  • Graft reports an additive minor-version export change with no removed exports or breaking signatures.
  • Corrected tree peeling as insufficient parent-type proof; publication now validates parents as commits.
  • Corrected SHA-1-only create-ref null OIDs for SHA-256 repositories.
  • Corrected overlapping allowlist provenance and dual ref-write/read failure normalization.
  • Corrected staged evidence from an overclaim about grace-only protection to not-established under deduplication.

Validation

pnpm lint
pnpm test
pnpm test:integration:node
docker compose run --build --rm test-bun bunx vitest run test/integration/application-storage.test.js --no-file-parallelism
docker compose run --build --rm test-deno deno run -A npm:vitest run test/integration/application-storage.test.js --no-file-parallelism
  • Unit: 198 files, 1,720 passed, 2 skipped.
  • Full Node integration: 7 files, 161 passed.
  • New application-storage integration: 3/3 passed on Node, Bun, and Deno.

Release Impact

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: ee8733c2-a6ad-4dfe-88d0-6beb5a2514bd

📥 Commits

Reviewing files that changed from the base of the PR and between 18cd397 and 49ff073.

📒 Files selected for processing (1)
  • docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (1)
docs/design/**

📄 CodeRabbit inference engine (AGENTS.md)

Use docs/design/ directory for durable design contracts and proof plans

Files:

  • docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md
🔇 Additional comments (2)
docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md (2)

1-4: LGTM!

Also applies to: 12-172


7-10: 📐 Maintainability & Code Quality

Keep the correction-commit list and citations in sync.

The header’s “Review correction commits” list and the body citations should reference the same set of hashes; otherwise the witness trail is incomplete and harder to trust. If fd7e6e5d1b540ad879730adf526d187441155e59 is the intended correction for the StagedAsset.js citations, add it to the header; if not, replace the stale citation with the intended commit.


📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Added application storage with streaming asset ingestion (put/open), adoption from existing tree data, retention, and allowlisted publication commits.
    • Introduced portable, canonical opaque asset handles plus structured retention/publication witness output, with support for both SHA-1 and SHA-256 identifiers.
  • Documentation
    • Updated README, API docs, guides, changelog, and design notes to cover the full application storage lifecycle and new options (application ref allowlist and injectable clock).
  • Bug Fixes / Compatibility
    • Improved create-only ref updates by deriving the Git null-OID width from the repository.
  • Tests
    • Added integration and unit tests for asset retention/publication behavior and portable handle transfer.

Walkthrough

Adds opaque asset handles, streaming asset ingestion, generation-scoped retention witnesses, allowlisted compare-and-swap publications, multi-parent Git commits, SHA-256-compatible ref updates, public declarations, documentation, and tests.

Changes

Application storage

Layer / File(s) Summary
Contracts and immutable evidence
src/domain/value-objects/*, src/domain/errors/Codes.js, src/domain/helpers/*, index.d.ts, index.js, docs/API.md, test/unit/...
Defines canonical handles, staged assets, retention witnesses, capability types, errors, timestamps, and public APIs.
Streaming asset ingestion
src/domain/services/AssetService.js, index.js, test/unit/domain/services/AssetService.test.js
Stages, adopts, validates, and streams asset graphs through the facade.
Retention witness creation
src/domain/services/RetentionService.js, test/unit/domain/services/RetentionService.test.js
Installs retained handles into root-set generations and returns immutable evidence.
Application publication and Git updates
src/domain/services/PublicationService.js, src/infrastructure/adapters/GitRefAdapter.js, src/ports/GitRefPort.js, test/helpers/*, test/unit/domain/services/PublicationService.test.js, test/integration/*
Validates publication inputs, preserves ordered parents, performs expected-head updates, and reports conflicts and failures.
Documentation and implementation evidence
README.md, GUIDE.md, BEARING.md, CHANGELOG.md, docs/design/...
Documents lifecycle behavior, portability constraints, API contracts, implementation evidence, and validation results.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Application
  participant ContentAddressableStore
  participant AssetService
  participant RetentionService
  participant PublicationService
  Application->>ContentAddressableStore: assets.put(source, metadata)
  ContentAddressableStore->>AssetService: put(options)
  AssetService-->>Application: StagedAsset with AssetHandle
  Application->>ContentAddressableStore: retention.retain(handle, root)
  ContentAddressableStore->>RetentionService: retain(options)
  RetentionService-->>Application: RetentionWitness
  Application->>ContentAddressableStore: publications.commit(root, commit, ref)
  ContentAddressableStore->>PublicationService: commit(options)
  PublicationService-->>Application: publication result with RetentionWitness
Loading

Possibly related PRs

Poem

A rabbit hops through handles bright,
Streams a payload into night.
Roots hold fast through generations,
Git refs guard their expectations.
“Hop hooray for storage!” sings me.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 5.88% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately reflects the main change: introducing opaque application asset handles.
Description check ✅ Passed The description covers the required sections and includes linked issues, design/proof, validation, and release impact.
Linked Issues check ✅ Passed The changes implement the #54 scope: opaque handles, streaming put/open, retention, publication, and JS/TS surface updates.
Out of Scope Changes check ✅ Passed No clear out-of-scope changes are evident; the docs, tests, and code additions all support the stated issue scope.

Comment @coderabbitai help to get the list of available commands.

@flyingrobots

Copy link
Copy Markdown
Member Author

Self-Review and Code Lawyer Verdict

Verdict: ready for external review. No unresolved findings.

Reviewed the complete main...HEAD range for API compatibility, Git reachability, compare-and-swap behavior, portability, runtime neutrality, and documentation truth. Graft classifies the public change as additive/minor and reports no removed exports or breaking signatures.

Corrections made before submission:

  1. Parent validation now proves a commit rather than relying on ^{tree}, which also accepts tree objects. [cite: src/domain/services/PublicationService.js#80-99@a9e47ef]
  2. Create-only ref updates derive null-OID width from the repository hash format. [cite: src/infrastructure/adapters/GitRefAdapter.js#106-121@a9e47ef]
  3. Overlapping publication prefixes record the most specific authorized namespace. [cite: src/domain/services/PublicationService.js#188-211@a9e47ef]
  4. Dual ref-update/head-observation failures preserve both causes as structured evidence. [cite: src/domain/services/PublicationService.js#101-134@a9e47ef]
  5. Staged results say protection was not-established; they do not infer global orphanhood under deduplication. [cite: src/domain/value-objects/StagedAsset.js#29-39@fd7e6e5]

The real-Git fixture proves prune candidacy, RootSet anchoring and replacement, exact witness edges, ordered publication, stale-head conflict behavior, mirror portability, and missing-graph failure. [cite: test/integration/application-storage.test.js#102-199@a9e47ef]

Residual constraints are explicit in the committed witness: manifest metadata remains materialized by the existing model, explicit whole encryption retains its bounded compatibility buffer, witnesses are generation-scoped, and bundle/page handle publication belongs to #51.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/domain/services/AssetService.js`:
- Around line 103-111: Update `#assertChunkGraph` to validate all unique
chunk.blob values concurrently instead of awaiting `#assertObjectType` inside the
loop. Continue deduplicating blobs with the existing seen Set, collect one
validation promise per unique blob, and await their completion before returning.

In `@src/domain/services/PublicationService.js`:
- Around line 147-212: Update `#authorizeRef` and `#normalizePrefixes` to reject
Git-managed namespaces, including refs/heads/, refs/tags/, refs/notes/, and
refs/remotes/, in addition to refs/cas/. Ensure both configured prefixes and
candidate refs are blocked consistently while preserving allowlisting for valid
application-owned namespaces.

In `@src/domain/value-objects/RetentionWitness.js`:
- Around line 94-107: Extract the duplicated canonical UTC timestamp validation
from RetentionWitness.#assertTimestamp and StagedAsset into a shared
assertCanonicalTimestamp validator. Update both value objects to call the helper
while preserving each class’s existing invalid-error factory, message, and
observedAt payload; remove the duplicated private validation methods.

In `@test/unit/domain/services/RetentionService.test.js`:
- Around line 54-132: Add a negative-path test in the RetentionService tests
that calls retain() with a root.ref outside the refs/cas/rootsets/* namespace,
and assert it rejects before any root-set ref is mutated. Use the existing
makeServices setup and verify the relevant root-set state remains unchanged
after rejection, covering the `#assertRoot` validation path.

In `@test/unit/domain/value-objects/ApplicationStorageResults.test.js`:
- Around line 12-43: Add a separate “StagedAsset validation” test block covering
the constructor’s slug, filename, size, and observedAt validation branches with
invalid overrides, and assert each construction throws an error whose code is
HANDLE_INVALID. Reuse the existing valid fixture values and parameterize the
cases to keep the tests concise.
- Around line 88-107: Refactor the invalid-evidence test setup around the `root`
and `options` objects so `override.root` cannot overwrite the fully constructed
`root`; preserve other override fields while removing the confusing
`options.root = root` double-write. Keep each test’s intended root overrides and
invalid evidence cases unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8ddb3f62-013e-4538-89ab-ce7f3e3f4a46

📥 Commits

Reviewing files that changed from the base of the PR and between ee1be5d and 73c61d7.

📒 Files selected for processing (28)
  • BEARING.md
  • CHANGELOG.md
  • GUIDE.md
  • README.md
  • docs/API.md
  • docs/design/0047-application-storage-cache-boundary/application-storage-cache-boundary.md
  • docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md
  • index.d.ts
  • index.js
  • src/domain/errors/Codes.js
  • src/domain/services/AssetService.js
  • src/domain/services/PublicationService.js
  • src/domain/services/RetentionService.js
  • src/domain/value-objects/AssetHandle.js
  • src/domain/value-objects/RetentionWitness.js
  • src/domain/value-objects/StagedAsset.js
  • src/infrastructure/adapters/GitRefAdapter.js
  • src/ports/GitRefPort.js
  • test/helpers/MemoryRefAdapter.js
  • test/integration/application-storage.test.js
  • test/unit/domain/services/AssetService.test.js
  • test/unit/domain/services/PublicationService.test.js
  • test/unit/domain/services/RetentionService.test.js
  • test/unit/domain/value-objects/ApplicationStorageResults.test.js
  • test/unit/domain/value-objects/AssetHandle.test.js
  • test/unit/facade/ContentAddressableStore.application-storage.test.js
  • test/unit/infrastructure/adapters/GitRefAdapter.test.js
  • test/unit/types/declaration-accuracy.test.js
📜 Review details
⏰ Context from checks skipped due to timeout. (3)
  • GitHub Check: test-docker (node)
  • GitHub Check: test-docker (bun)
  • GitHub Check: test-docker (deno)
🧰 Additional context used
📓 Path-based instructions (5)
BEARING.md

📄 CodeRabbit inference engine (AGENTS.md)

Use BEARING.md to document current execution gravity and active tensions

Files:

  • BEARING.md
CHANGELOG.md

📄 CodeRabbit inference engine (AGENTS.md)

Use CHANGELOG.md to record the historical truth of merged behavior

Files:

  • CHANGELOG.md
README.md

📄 CodeRabbit inference engine (AGENTS.md)

Use README.md as the public front door, core value prop, and quick start documentation

Files:

  • README.md
docs/design/**

📄 CodeRabbit inference engine (AGENTS.md)

Use docs/design/ directory for durable design contracts and proof plans

Files:

  • docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md
  • docs/design/0047-application-storage-cache-boundary/application-storage-cache-boundary.md
GUIDE.md

📄 CodeRabbit inference engine (AGENTS.md)

Use GUIDE.md for orientation and productive-fast path documentation

Files:

  • GUIDE.md
🧠 Learnings (2)
📚 Learning: 2026-02-28T19:21:13.982Z
Learnt from: flyingrobots
Repo: git-stunts/git-cas PR: 15
File: test/unit/domain/services/CasService.envelope.test.js:326-330
Timestamp: 2026-02-28T19:21:13.982Z
Learning: In fuzz tests for cryptographic operations, use a seeded PRNG (e.g., xorshift32) for control-flow variables such as plaintext size selection and recipient index selection to ensure reproducibility. Continue to use randomBytes() for cryptographic keys and nonces to preserve realistic randomness and avoid security anti-patterns. This guideline applies to test files that perform fuzz testing of crypto logic; implement a consistent seed setup (e.g., fixed seed in test initialization) and document the rationale to enable deterministic replays across runs.

Applied to files:

  • test/unit/domain/value-objects/AssetHandle.test.js
  • test/unit/types/declaration-accuracy.test.js
  • test/unit/facade/ContentAddressableStore.application-storage.test.js
  • test/unit/domain/services/AssetService.test.js
  • test/unit/infrastructure/adapters/GitRefAdapter.test.js
  • test/unit/domain/value-objects/ApplicationStorageResults.test.js
  • test/unit/domain/services/RetentionService.test.js
  • test/integration/application-storage.test.js
  • test/unit/domain/services/PublicationService.test.js
📚 Learning: 2026-03-30T19:53:48.000Z
Learnt from: flyingrobots
Repo: git-stunts/git-cas PR: 29
File: docs/design/TR-010-planning-index-consistency-review.md:121-131
Timestamp: 2026-03-30T19:53:48.000Z
Learning: In this repo, CHANGELOG.md entries should be user-facing and descriptive (bullet points) rather than cycle-ID headings (e.g., use a phrase like “Planning-index consistency review” instead of a “TR-010 — …” heading). When searching the changelog, don’t rely on grepping for cycle IDs (e.g., “TR-010”) because it may cause false negatives; search for the descriptive keywords/phrases from the bullet entries instead.

Applied to files:

  • CHANGELOG.md
🪛 ast-grep (0.44.1)
test/helpers/MemoryRefAdapter.js

[warning] 5-5: Avoid SHA1 security protocol
Context: createHash('sha1')
Note: [CWE-327] Use of a Broken or Risky Cryptographic Algorithm (SHA-1).

(avoid-crypto-sha1)


[warning] 5-5: Do not use weak hash functions (MD5/SHA1)
Context: createHash('sha1')
Note: [CWE-328] Use of Weak Hash.

(insecure-hash)

test/integration/application-storage.test.js

[warning] 8-8: Importing child_process exposes a command-execution surface; ensure any command/argument built from input is validated, and prefer execFile/spawn with an argument array over exec.
Context: import { spawnSync } from 'node:child_process';
Note: [CWE-78] Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

(detect-child-process)

🔇 Additional comments (36)
src/domain/services/RetentionService.js (2)

1-36: LGTM!

Also applies to: 64-86, 102-119


37-62: 🗄️ Data Integrity & Integration

Remove this comment. root.ref is rejected by RootSetRef in RootSet/RootSetPersistence before any write occurs, and policy is validated by RootSetMetadataCodec.normalizeEntries() before rootSet.put().

			> Likely an incorrect or invalid review comment.
test/unit/domain/services/RetentionService.test.js (1)

1-53: LGTM!

Also applies to: 133-133

test/integration/application-storage.test.js (1)

1-201: LGTM!

CHANGELOG.md (2)

18-22: LGTM!

Also applies to: 28-38


23-27: 🗄️ Data Integrity & Integration

No change needed The publication result includes a witness field created from RetentionWitness, so this changelog entry matches the current behavior.

GUIDE.md (2)

45-122: LGTM!

Also applies to: 129-166


123-128: 🎯 Functional Correctness

AssetHandle.parse() is valid here AssetHandle.from() delegates string inputs to AssetHandle.parse(), so this example matches the implementation.

			> Likely an incorrect or invalid review comment.
README.md (1)

26-28: LGTM!

Also applies to: 63-82, 94-94, 113-115

docs/design/0047-application-storage-cache-boundary/application-storage-cache-boundary.md (1)

181-181: LGTM!

Also applies to: 797-799

docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md (1)

1-136: LGTM!

src/domain/services/PublicationService.js (2)

1-297: LGTM!


80-99: 🎯 Functional Correctness

Parent validation is already enforced. git rev-list --parents -n 1 <oid> can return an empty string for tree/blob OIDs, but GitRefAdapter.resolveParents() throws when no commit OID is parsed, so #normalizeParents() does not accept non-commit parents.

			> Likely an incorrect or invalid review comment.
src/infrastructure/adapters/GitRefAdapter.js (2)

91-104: LGTM! The multi-parent -p construction and hash-width-agnostic zero-OID sentinel are both correct and match the accompanying tests.

Also applies to: 114-122


14-15: 📐 Maintainability & Code Quality

No external GIT_NULL_OID consumers GIT_NULL_OID no longer appears anywhere in the repo, and updateRef() still preserves expectedOldOid: null by translating it to the zero OID inline.

			> Likely an incorrect or invalid review comment.
src/ports/GitRefPort.js (1)

34-45: LGTM!

test/helpers/MemoryRefAdapter.js (1)

5-15: LGTM! Multi-parent OID hashing and storage correctly mirror the real adapter's ordered-parent support. The SHA-1 static-analysis warning is a false positive here — this is a test-only in-memory OID generator, not a security-sensitive hash.

Also applies to: 53-61

test/unit/domain/services/PublicationService.test.js (1)

1-172: LGTM! Thorough coverage of witness shape, namespace specificity, ordered parents, and CAS/validation failure modes; assertions correctly match the PublicationService implementation.

test/unit/infrastructure/adapters/GitRefAdapter.test.js (1)

95-107: LGTM!

BEARING.md (1)

65-69: LGTM! Accurately reflects the shipped application-storage capabilities and fits the file's existing "Current State" documentation pattern. Based on coding guidelines, BEARING.md: "Use BEARING.md to document current execution gravity and active tensions."

Source: Coding guidelines

src/domain/errors/Codes.js (2)

33-40: LGTM!


10-14: 🎯 Functional Correctness

No action: these handle error codes are already consumed downstream AssetService.js and PublicationService.js reference HANDLE_TARGET_TYPE_MISMATCH, and AssetService.js also uses HANDLE_CODEC_MISMATCH and HANDLE_TARGET_MISSING.

			> Likely an incorrect or invalid review comment.
src/domain/value-objects/AssetHandle.js (2)

1-27: LGTM!

Also applies to: 58-163


29-47: 🎯 Functional Correctness

Drop this concern: Oid.from only accepts 40- or 64-character hex strings, so hashAlgorithm cannot be misclassified from a valid OID length.

			> Likely an incorrect or invalid review comment.
src/domain/value-objects/RetentionWitness.js (1)

1-93: LGTM!

Also applies to: 109-112

test/unit/domain/value-objects/AssetHandle.test.js (1)

1-55: LGTM!

test/unit/facade/ContentAddressableStore.application-storage.test.js (1)

1-36: LGTM!

test/unit/types/declaration-accuracy.test.js (1)

76-90: 🎯 Functional Correctness

No change needed. The asserted class declarations, readonly capability properties, and optional array fields are all present in index.d.ts.

src/domain/value-objects/StagedAsset.js (1)

1-74: LGTM!

index.d.ts (2)

44-152: LGTM!

Also applies to: 360-381, 407-407, 642-716


267-276: 🗄️ Data Integrity & Integration

No issue here. GitRefAdapter.createCommit() prefers parentOids and falls back to parentOid, so the overload is unambiguous.

docs/API.md (1)

18-26: LGTM!

Also applies to: 79-80, 911-1116, 2546-2564

index.js (1)

13-15: LGTM!

Also applies to: 77-79, 111-151, 153-168, 170-182, 238-258, 279-302

src/domain/services/AssetService.js (2)

1-52: LGTM!

Also applies to: 63-102, 113-143, 163-202


144-161: 🎯 Functional Correctness

No issue here ErrorCodes.GIT_OBJECT_NOT_FOUND is defined in src/domain/errors/Codes.js, so this comparison does not collapse to undefined.

			> Likely an incorrect or invalid review comment.
test/unit/domain/services/AssetService.test.js (1)

1-129: LGTM!

Comment thread src/domain/services/AssetService.js
Comment thread src/domain/services/PublicationService.js
Comment thread src/domain/value-objects/RetentionWitness.js Outdated
Comment thread test/unit/domain/services/RetentionService.test.js
Comment thread test/unit/domain/value-objects/ApplicationStorageResults.test.js
Comment thread test/unit/domain/value-objects/ApplicationStorageResults.test.js

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md`:
- Line 7: Replace the abbreviated Git object ID 3d6eaa4 in the witness artifact
and its cited revisions with the full repository object ID, preserving the
existing revision references and durable evidence structure.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b0168905-5940-4a54-b73a-8061f9592b06

📥 Commits

Reviewing files that changed from the base of the PR and between 73c61d7 and 3892ee2.

📒 Files selected for processing (13)
  • CHANGELOG.md
  • docs/API.md
  • docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md
  • src/domain/helpers/isCanonicalUtcTimestamp.js
  • src/domain/services/AssetService.js
  • src/domain/services/PublicationService.js
  • src/domain/services/RetentionService.js
  • src/domain/value-objects/RetentionWitness.js
  • src/domain/value-objects/StagedAsset.js
  • test/unit/domain/services/AssetService.test.js
  • test/unit/domain/services/PublicationService.test.js
  • test/unit/domain/services/RetentionService.test.js
  • test/unit/domain/value-objects/ApplicationStorageResults.test.js
📜 Review details
⏰ Context from checks skipped due to timeout. (2)
  • GitHub Check: test-docker (bun)
  • GitHub Check: test-docker (node)
🧰 Additional context used
📓 Path-based instructions (2)
CHANGELOG.md

📄 CodeRabbit inference engine (AGENTS.md)

Use CHANGELOG.md to record the historical truth of merged behavior

Files:

  • CHANGELOG.md
docs/design/**

📄 CodeRabbit inference engine (AGENTS.md)

Use docs/design/ directory for durable design contracts and proof plans

Files:

  • docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md
🧠 Learnings (2)
📚 Learning: 2026-02-28T19:21:13.982Z
Learnt from: flyingrobots
Repo: git-stunts/git-cas PR: 15
File: test/unit/domain/services/CasService.envelope.test.js:326-330
Timestamp: 2026-02-28T19:21:13.982Z
Learning: In fuzz tests for cryptographic operations, use a seeded PRNG (e.g., xorshift32) for control-flow variables such as plaintext size selection and recipient index selection to ensure reproducibility. Continue to use randomBytes() for cryptographic keys and nonces to preserve realistic randomness and avoid security anti-patterns. This guideline applies to test files that perform fuzz testing of crypto logic; implement a consistent seed setup (e.g., fixed seed in test initialization) and document the rationale to enable deterministic replays across runs.

Applied to files:

  • test/unit/domain/services/AssetService.test.js
  • test/unit/domain/services/RetentionService.test.js
  • test/unit/domain/value-objects/ApplicationStorageResults.test.js
  • test/unit/domain/services/PublicationService.test.js
📚 Learning: 2026-03-30T19:53:48.000Z
Learnt from: flyingrobots
Repo: git-stunts/git-cas PR: 29
File: docs/design/TR-010-planning-index-consistency-review.md:121-131
Timestamp: 2026-03-30T19:53:48.000Z
Learning: In this repo, CHANGELOG.md entries should be user-facing and descriptive (bullet points) rather than cycle-ID headings (e.g., use a phrase like “Planning-index consistency review” instead of a “TR-010 — …” heading). When searching the changelog, don’t rely on grepping for cycle IDs (e.g., “TR-010”) because it may cause false negatives; search for the descriptive keywords/phrases from the bullet entries instead.

Applied to files:

  • CHANGELOG.md
🪛 ast-grep (0.44.1)
test/unit/domain/services/AssetService.test.js

[warning] 110-110: Avoid using the initial state variable in setState
Context: setTimeout(resolve, 5)
Note: [CWE-710] Improper Adherence to Coding Standards. Security best practice.

(setstate-same-var)

🔇 Additional comments (13)
CHANGELOG.md (1)

18-38: LGTM!

docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md (1)

70-77: LGTM!

Also applies to: 119-145, 165-165

src/domain/helpers/isCanonicalUtcTimestamp.js (1)

1-11: LGTM!

src/domain/value-objects/StagedAsset.js (1)

3-3: LGTM!

Also applies to: 57-58

docs/API.md (1)

79-80: LGTM!

Also applies to: 1064-1080, 2549-2558

src/domain/services/AssetService.js (1)

103-121: LGTM!

test/unit/domain/services/AssetService.test.js (1)

1-1: LGTM!

Also applies to: 16-25, 93-123

src/domain/value-objects/RetentionWitness.js (1)

3-3: LGTM!

Also applies to: 95-103

test/unit/domain/value-objects/ApplicationStorageResults.test.js (1)

12-21: LGTM!

Also applies to: 49-58, 105-112, 121-121

src/domain/services/RetentionService.js (1)

4-4: LGTM!

Also applies to: 87-100

test/unit/domain/services/RetentionService.test.js (1)

1-1: LGTM!

Also applies to: 34-40, 93-109

src/domain/services/PublicationService.js (1)

11-22: LGTM!

Also applies to: 159-167, 200-223, 238-242

test/unit/domain/services/PublicationService.test.js (1)

10-22: LGTM!

Also applies to: 132-184

Comment thread docs/design/0047-application-storage-cache-boundary/witness/asset-handles.md Outdated
@flyingrobots flyingrobots merged commit 863c692 into main Jul 13, 2026
6 checks passed
@flyingrobots flyingrobots deleted the feat/opaque-asset-handles branch July 13, 2026 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add opaque asset handles and retention witnesses

1 participant