Swith to Rust core#70
Conversation
Bundle Size ReportChunks over 500 KB:
All files
Commit: 3af13bf |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
⚡ Performance Report
|
fca2d01 to
ede458e
Compare
Replace the Nova host-container, auth, and signing path with the worker-backed Rust core. Keep dotli responsible only for browser policy, persistence, UI, and physical chain transports.
Notification grants do not alter iframe Permissions Policy. Reloading disposed the in-flight Rust request before its response reached the product.
ff8115e to
95b810c
Compare
The pending-message flush drops send failures silently, matching the pre-port behavior. Surfacing them as JSON-RPC errors moves to a follow-up PR with test coverage.
|
Seems unable to connect? https://host-playground.dotli.dev/?chainBackend=smoldot-direct |
Nova exposes synthetic follow ids to legacy products, while the Rust core requires the subscription wire request id. Translate only at the legacy window boundary so existing product-sdk apps keep working without weakening core validation.
All OpenUrl requests are normalized and scheme-validated by the Rust core before they reach this browser callback, so duplicating that policy in TypeScript would create a second allowlist that can drift. Add the noopener window feature to every routing branch instead. This prevents an allowed destination from retaining window.opener access to the dotli host while preserving the existing dot-domain, localhost, and external URL routing behavior. Cover all three branches with a regression test that verifies each new tab is opened with noopener.
Changing a permission dispatched a synchronous permission-changed event whose listener started rendering the open popover, then the dropdown success path started a second render directly. Both asynchronous renders appended their rows after the same clear, doubling every entry. Remove only the redundant success-path render and keep the catch-path render for recovery. The permission event remains the single successful refresh trigger for both device and non-device permissions. Add a regression test that changes a dropdown and asserts the popover still contains exactly one row per permission.
The topbar login promise previously listened only for response frames. If the core provider closed during pairing, no response could arrive and the pending promise retained its message subscription indefinitely. Subscribe to provider close events and reject with the transport error. Centralize settlement and cleanup so message responses, malformed frames, send failures, and provider closure all unsubscribe both listeners exactly once. The cleanup also handles the provider contract where an already-closed provider invokes the close callback during subscription. Add a regression test that closes a pending provider and verifies rejection plus listener cleanup.
The confirmation adapter already rendered and resolved the newer review variants, but its suite exercised only legacy payload signing and omitted transaction creation and the dedicated preimage flow. Add product-account payload and transaction assertions so account formatting and transaction fields are locked down. Add both allow and cancel cases for preimage submission to verify that the dedicated modal maps user intent to the boolean host response. This intentionally changes tests only: the existing production behavior satisfies the review request once these untested branches are covered.
The legacy window transport accepted inbound frames based only on Window identity and sent outbound frames with a wildcard target. The iframe keeps its real origin because its sandbox includes allow-same-origin; credentialless mode does not make that origin opaque. Require the resolved product origin for inbound provider frames, use it as the outbound postMessage target, and enforce it on the initial modern-versus-legacy probe before replaying the first frame. This closes the wildcard path without changing the legacy Nova wire compatibility layer. Add coverage for the exact outbound target and for rejecting both wrong-origin and wrong-source inbound messages.
Preimage lookup trusted non-empty bytes returned by both the IPFS gateway and Bitswap and cached them under the requested key. A faulty or hostile backend could therefore poison the process-wide cache and serve mismatched bytes to later subscribers. Recompute the requested Blake2b-256 content hash with the existing content verification utility before either cache write. Verification failures follow the existing backend-error stream path and never populate the cache. Cover successful verified caching and corrupt responses from both backend modes. The corruption cases subscribe twice to prove that rejected bytes are fetched again rather than retained.
|
Tested everything manually on: https://host-playground.dotli.dev
Is this a product issue? May be requesting the product-account before checking if it is even connected? |
|
Let me know if some of those will be addressed in subsequent PR's instead of this one |
|
thanks for the report @leonardocustodio that should be fixed in this PR |
Port the dot.li web host to the shared TrUAPI Rust core
This supersedes #54 and keeps its Rust-runtime port while adding the Bulletin preimage path now owned by the core. dot.li moves off the
@novasamatech/host-apistack and onto the shared TrUAPI Rust core. Protocol logic previously maintained in TypeScript now lives once intruapi-server(Rust -> WASM); the web host becomes a byte transport plus typed platform callbacks.Architecture
A product iframe speaks TrUAPI over a
MessageChannel. The host forwards SCALE frames to a Web Worker runningtruapi-serverWASM without decoding the protocol. The core executes protocol logic and calls typedtruapi-platformcallbacks for browser capabilities.The same core is embedded by native hosts over UniFFI, keeping protocol behavior and wire formats aligned across platforms.
Changed surface
packages/auth, the old Nova container/statement-store adapters, allowance-signer bridge, wallet queue, and related@novasamatech/*dependencies.@parity/truapi-hostand@parity/truapi.Permission grants are core-owned state. The dot.li topbar admin screen projects them into browser-specific iframe permissions and reload behavior rather than maintaining a second protocol policy store.
Legacy product compatibility
Existing applications such as
host-playgroundstill use the Nova host wrapper. Nova exposes synthetic PAPI chain-head follow IDs such asfollow_0, while the Rust core intentionally requires the exact wire request ID from the follow subscription start frame. Passing the synthetic ID through makes otherwise valid legacy header, body, storage, call, unpin, continue, and stop-operation requests fail core validation.The legacy window bridge now tracks active follow wire IDs per genesis hash and rewrites only those follow-bound legacy frames. Modern
MessagePortproducts are unchanged, and strict subscription-ID validation remains in the shared Rust core. Keeping this compatibility at the deprecated boundary also avoids a new TrUAPI package release solely for a host-specific migration shim.Packages
This branch depends on the published
@parity/truapi@0.4.0and@parity/truapi-host@0.1.0.bun run link:truapiswaps them for symlinks to a sibling TrUAPI checkout (andunlink:truapirestores the published packages), so the parent truapi repo'smake e2e-dotliruns against this branch directly while a direct dotli checkout installs and tests the published packages.Scope
The primary PR contains only the Nova-stack removal, the typed Rust-runtime host architecture, the Bulletin preimage integration, and the permission-lifecycle behavior required to keep Rust callback requests alive. Everything else is consolidated in the stacked follow-up #77: preimage lookup retries, protocol-broker hardening, login-failure UX copy, permission-prompt rate limiting, allowance-key at-rest encryption, the per-frame wire debug tap, debug-panel fixes, resolver dependency hygiene, and chainSend flush error surfacing.
Deferred architecture work: SharedWorker topology, eliminating the per-CID
*.app.dot.lisandbox iframe, and moving content fetching into Rust behind thePreimageHostboundary.Left before merge
@parity/truapiand@parity/truapi-host, and depend on the published versions.Related
Verification
Primary branch:
bun install --frozen-lockfilebun run format:checkbunx --bun turbo run lint --forcebunx --bun turbo run typecheck --forcebunx --bun turbo run test --forcebunx --bun turbo run build:prod --forcebun auditCompatibility patch:
make testpasses.make e2e-dotliruns each completed 43 methods successfully, including everyChain/*legacy compatibility method. The sole failure in both runs wasPreimage/lookup_subscribe: the external signer-bot authority request timed out at its 45-second boundary. A subsequent authority request in each run succeeded, isolating the failure from the chain bridge patch.