feat(dig-runtime): wallet-only start + native read-crypto FFI#4
Merged
MichaelTaylor3d merged 1 commit intoJul 5, 2026
Merged
Conversation
Add two additive C-ABI surfaces to the dig-runtime cdylib so the DIG Browser can drop its in-process node (super #44) and verify+decrypt .dig content by calling the digstore Rust read-crypto DIRECTLY, not through wasm (wasm is webpages-only — @MT-Dev ruling on #44). - dig_runtime_start_wallet(): wallet-only start — brings up the wallet host + tokio runtime with NO node engine (no P2P / cache / dig_rpc dispatch). The existing full dig_runtime_start() is unchanged; the first dig_runtime_start* call fixes the mode (OnceLock). In wallet-only mode dig_rpc returns a well-formed JSON-RPC "node engine not available" error rather than spinning up a node. (super #47) - dig_read_verify_decrypt() / dig_bytes_free(): the digstore-core .dig verify+decrypt exported as C-ABI — the SAME Rust the webpage dig-client-wasm wraps (ONE impl, two bindings: native FFI for the browser, wasm for webpages). Verifies the served ciphertext's Merkle inclusion against the chain-anchored root, then AES-256-GCM-SIV decrypts, fail-closed (DIG_READ_* status codes). Needs no runtime and no node engine — pure crypto over bytes fetched from an external node. digstore-core is pinned to the same rev dig-node-core/dig-wallet use so cargo unifies to one crypto impl. SPEC.md §15/§15.1 + the conformance index updated. Version 0.1.0 -> 0.2.0 (additive; minor).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TLDR
Adds two additive C-ABI surfaces to the
dig-runtimecdylib so the DIG Browser can (a) start the runtime wallet-only — no in-process node engine — and (b) verify+decrypt.digcontent by calling the digstore Rust read-crypto DIRECTLY via FFI, NOT wasm (wasm is webpages-only — @MT-Dev's ruling on super #44). Implements super-repo #47 and the Rust side of #44 item 2. All existing exports unchanged.What changed (
crates/dig-runtime/src/lib.rs)dig_runtime_start_wallet()— wallet-only start (#47). Brings up the wallet host + tokio runtime with NO node engine (no P2P / cache /dig_rpcdispatch). The existing fulldig_runtime_start()is unchanged; the FIRSTdig_runtime_start*call fixes the mode (OnceLock). In wallet-only modedig_rpcreturns a well-formed JSON-RPC error (code -32000, "node engine not available: dig-runtime started wallet-only") rather than spinning up a node.dig_read_verify_decrypt()/dig_bytes_free()— native read-crypto FFI (#44 item 2). Exports thedigstore-core.digverify+decrypt as C-ABI — the SAME Rust the webpagedig-client-wasmwraps (ONE impl, two bindings). Verifies the served ciphertext's Merkle inclusion against the chain-anchored root, THEN AES-256-GCM-SIV decrypts, fail-closed (DIG_READ_OK/BAD_INPUT/VERIFY_FAILED/DECRYPT_FAILED/INTERNAL). Needs no runtime and no node engine — pure crypto over bytes the caller already fetched from an external node (§5.3). Byte-parity with the wasm'sdecryptResource(samecanonical_resource_urn+derive_decryption_key+ inclusion-proof core).digstore-coreis pinned to the same rev (bcb84a6…)dig-node-core/dig-walletuse, so cargo unifies to one crypto impl.FFI contract (for the dig-browser C++ loader)
Tests (TDD) — 14 pass
build_runtime(false)constructs no node engine (tokio still live);build_runtime(true)does;dig_rpcwith no engine returns a JSON-RPC error, never a panic.index.html; private-salt round-trip (+ wrong salt ⇒DECRYPT_FAILED); multi-chunk; tampered ciphertext ⇒VERIFY_FAILED; decoy/wrong-root ⇒VERIFY_FAILED; bad hex ⇒BAD_INPUT; null out-params ⇒BAD_INPUT.dig_rpc,dig_wallet_rpcenvelope, null-pointer safety) unchanged.Verification (this session)
cargo test -p dig-runtime→ 14 passed, 0 failed.cargo clippy -p dig-runtime --all-targets -- -D warnings→ clean (fixed acast_slice_from_raw_partslint indig_bytes_free).cargo fmt --all -- --check→ clean.Blast radius
dig-runtimeis a leaf cdylib — nothing in the workspace depends on it (it is the browser's DLL). All changes are additive: new exports + an internalwith_nodesplit of the runtime constructor; existingdig_rpc/dig_wallet_rpc/dig_freesemantics preserved. Consumer is the dig-browser C++ loader (super #44 Part B), migrated separately.Docs
SPEC.md§15 reworked (two start modes + the three FFI surfaces), new §15.1 (read-crypto FFI: signatures, inputs, status codes, buffer ownership), §1.3 corrected (browser starts wallet-only), conformance-index row 15 updated.Version
dig-runtime0.1.0 → 0.2.0 (minor — additivefeat, no breaking change to existing exports).Refs super-repo #44, #47.