refactor(dig-browser): SoC re-arch — pure external-RPC consumer, drop cache UI, custom-node setting (#44)#2
Merged
Conversation
… cache UI, custom-node setting (ungoogled-software#44) Per the ungoogled-software#41 separation-of-concerns ruling (SYSTEM.md "Roles — serving vs consuming"), make DIG Browser a PURE RPC CONSUMER of an external dig-node. It keeps client-side verify+decrypt (the trustless tier that powers Shields) but owns no node functionality. Item 1 — remove the in-process node (consumer read path): - dig/node/dig_source_resolution.mjs: drop the `in-process` terminal; the §5.3 ladder now terminates at the public gateway rpc.dig.net. Tests updated (16/16). - windows-dig-browser-ux.patch: the loader (dig_url_loader_factory.cc) no longer calls the runtime node RPC (dig_rpc/CallDigRpc); its terminal is an off-machine POST to rpc.dig.net (PostToRemote + a gateway traffic annotation). - dig_native_runtime.{h,cc}: drop the dig_rpc/CallDigRpc FFI; the runtime DLL is loaded only for the in-browser WALLET (CallWalletRpc + StartNativeRuntime). NOTE: fully dropping the node from the runtime is a companion dig-node change (dig_runtime_start → wallet-only); until then rpc.dig.net is the guaranteed fallback and the dig-installer ships a standalone local dig-node (ungoogled-software#40). Item 2 — single-source read-crypto (PENDING, build-gated): the native net::dig C++ crypto stays for now; the SoC target is to route verify+decrypt through the shared digstore dig_client wasm. That needs a V8/wasm context + a Chromium build to wire and verify — designed + flagged in SPEC §10 and the loader header. Item 3 — remove chrome://settings/dig cache config + DigCacheHandler Mojo + the "My Node" cache card: - windows-dig-settings-section.patch rewritten: no Mojo/cache controls. - dig/node/dig_node.html: cache card + control.cache.* calls removed (+ regression test). - dig/node/dig_node_controller.mjs: cache.* dropped from CONTROL_METHODS (9 methods). Item 4 — custom-node setting: chrome://settings/dig now hosts a persisted custom node endpoint pref (dig.custom_node_url) bound via cr-input; the §5.3 override (custom endpoint wins entirely) is implemented in dig_source_resolution.mjs and mirrored in the C++ loader (NormalizeCustomEndpoint + read via UserPrefs). Docs: SPEC.md §10 transition status; README + USER_JOURNEY updated to the pure-consumer model; obsolete dig/plans/chrome-settings-dig-section.md removed. Build-gated: this is a Chromium fork; the native C++/patch changes cannot be compiled here. Do NOT merge until built + verified on C:\d (see the PR body).
… delete native C++ crypto (ungoogled-software#44) Per @MT-Dev's ruling on ungoogled-software#44: the native browser uses the digstore Rust read-crypto DIRECTLY via FFI — wasm is webpages-only. This supersedes the earlier "route through the shared dig_client wasm" plan. - dig_url_loader_factory.cc: FinishResolve() now calls the dig_runtime FFI dig::ReadVerifyDecrypt (verify Merkle inclusion against the chain-anchored root + AES-256-GCM-SIV decrypt, fail-closed) instead of net::dig::VerifyInclusion / DeriveContentKey / DecryptResource. The FFI distinguishes a proof failure from a decrypt failure, so Shields records the correct per-resource verdict. root_ is always a concrete chain-anchored root here, so the FFI's strict proof-root match is the trust gate (the former "latest" soft-trust path is correctly dropped). - dig_native_runtime.{h,cc}: bind dig_read_verify_decrypt + dig_bytes_free and expose dig::ReadVerifyDecrypt; start the runtime WALLET-ONLY via dig_runtime_start_wallet (dig-node ungoogled-software#47) so the browser runs no in-process node engine (no dig_rpc / P2P / cache). - net/url_request/dig_crypto.{h,cc}: DELETE the third read-crypto copy (VerifyInclusion / DecryptChunk / DecryptResource / DeriveContentKey). net::dig keeps ONLY URN addressing (CanonicalRootlessUrn / RetrievalKeyHex) the loader needs to build fetch requests — not a trust duplication. - SPEC.md §1/§5/§9/§10: the browser uses the digstore Rust read-crypto directly via FFI; wasm is the webpage binding only. BUILD-GATED: dig-browser is a grandfathered Chromium fork that cannot be built here (§3.6a). The patch hunks are hand-regenerated (new-file line-counts reconciled); the C:\d build must apply them, link dig_runtime.dll's new exports (dig_runtime_start_wallet / dig_read_verify_decrypt / dig_bytes_free), and verify end-to-end. All 182 dig/**/*.test.mjs JS-policy suites pass. Depends on dig-node PR ungoogled-software#4 (dig_runtime_start_wallet + dig_read_verify_decrypt). Refs ungoogled-software#44, ungoogled-software#47.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Separation-of-concerns re-arch — DIG Browser → pure external-RPC consumer (super ungoogled-software#44)
Implements the four code items of super-repo issue DIG-Network/dig_ecosystem#44, per the ungoogled-software#41 SoC ruling recorded by @MT-Dev. Normative target =
SPEC.md(merged in PR #1) + SYSTEM.md "Roles — serving vs consuming": the browser is a pure RPC consumer — it keeps client-side verify+decrypt (the trustless tier that powers Shields) but owns NO node functionality.Per-item status
dig_clientwasmchrome://settings/digcache config +DigCacheHandlerMojo + "My Node" cache cardThe single source of truth is the
dig/JS policy (tested); the C++ mirrors itPer
SPEC.md§9 ("ladder parity"),dig/node/dig_source_resolution.mjsis authoritative and the nativedig_url_loader_factory.ccmirrors it. All 11dig/**/*.test.mjssuites pass (node <suite>), including the rewritten resolution suite (16/16) and a new regression test that the My Node cache card is gone.Item 1 — remove the in-process node (consumer read path)
dig/node/dig_source_resolution.mjs: dropped thein-processterminal; the §5.3 ladder now terminates at the public gatewayrpc.dig.net. AddedRPC_DIG_NET,SOURCE_PUBLIC_GATEWAY,SOURCE_CUSTOM; removedSOURCE_IN_PROCESS.windows-dig-browser-ux.patch->dig_url_loader_factory.cc: the loader no longer calls the runtime node RPC (dig_rpc/CallDigRpc). New terminal = an off-machine POST torpc.dig.net(PostToRemote+kDigGatewayTrafficAnnotation).CallNodenow: custom override (exclusive) -> localdig.local/localhost:8080(probe) ->rpc.dig.net.dig_native_runtime.{h,cc}: dropped thedig_rpc/CallDigRpcFFI; the DLL is loaded only for the in-browser wallet (CallWalletRpc+StartNativeRuntime).chrome_browser_main.cccomment updated (wallet host only).Genuine cross-repo gap (flagged, not silently dropped): the wallet (
SPEC§6) still needsdig_runtime.dll, and todaydig_runtime_start()also starts the node. Fully removing the node process requires a companiondig-nodechange sodig_runtime_start()starts only the wallet (dropdig_rpc/P2P/cache). That is out of scope for this dig-browser-only PR. Until it lands, the browser no longer consumes the in-process node for content (content is external, terminalrpc.dig.net), and the dig-installer ships a standalone local dig-node (ungoogled-software#40). Recommend a follow-up dig-node issue for the wallet-only runtime split.Item 2 — single-source read-crypto (PENDING, build-gated)
The native
net::dig::*C++ crypto (net/url_request/dig_crypto.*,dig_urn.*, fromwindows-add-dig-protocol.patch) is a third copy of the read-crypto and is still the loader's verify+decrypt. The SoC target (SPEC§5) is to route verify+decrypt through the shareddigstoredig_clientwasm (the byte-identical artifact the extension/hub/SDK use). This is not implemented because it genuinely can't be done blind:dig_clientwasm runs in a JS/V8 context; the loader is browser-process C++ with no V8. Single-sourcing means moving verify+decrypt into a JS/wasm execution context (the model the extension already uses) — a substantial re-architecture that requires a Chromium build to wire and verify, plus a design decision on where the wasm runs (recommended options below).Recommended design for @MT-Dev (build required): mirror the extension's proven pipeline — a bundled JS module that imports the shared
dig_clientwasm and does fetch(ladder)+verify+decrypt, replacing the nativenet::digpath (either as a built-in component or a utility-process wasm runner). Client-side decrypt stays; only the duplicate C++ copy is retired. Flagged inline in the loader header comment andSPEC.md§10.Item 3 — remove the cache config (done)
windows-dig-settings-section.patchrewritten: theDigCacheHandlerMojo, the cache-cap slider/usage/Clear controls, and all their C++ wiring (mojom, handler,settings_ui, interface binders,ui/webui+chrome/browser/uiBUILD deps, settingsmojo_files) are gone. (Unrelated branding string edits it carried — search-no-results, alt-page-title, safety-check — are preserved.)dig/node/dig_node.html: the "Local cache" card +loadCache()+capApply/cacheClearhandlers +control.cache.*calls removed (regression test added).dig/node/dig_node_controller.mjs:cacheGet/cacheSetCap/cacheCleardropped fromCONTROL_METHODS(now 9 methods).The rest of "My Node" (status / hosted-stores / sync / upstream / publish) stays — the audit rated it the sanctioned browser-as-controller-of-an-external-node pattern; only the cache surface was ruled a leak.
Item 4 — custom-node setting (done)
chrome://settings/digis repurposed from the cache section into a "DIG Network" section whose sole control is a persisted custom node endpoint (cr-inputbound viaPrefsMixinto a plain pref — no Mojo).dig.custom_node_urlregistered inbrowser_ui_prefs.cc; read by the loader viauser_prefs::UserPrefs::Get(...)->NormalizeCustomEndpoint(...).dig_source_resolution.mjs(resolveSourcePlan->{kind:'override'}) and mirrored in the C++CallNode.Blast radius checked
Consumer read path (
chia:///dig://loader), the source-resolution ladder (JS + C++ mirror), the runtime FFI (dig_native_runtime— node FFI removed, wallet FFI kept), the settings section (fully rewritten), the My Node controller (cache surface removed), and prefs registration. The wallet path (dig_wallet_rpc*,dig://wallet,StartNativeRuntime) is deliberately untouched (SPEC §6). The native crypto core (net::dig) is deliberately untouched (item 2, build-gated). Docs (SPEC.md,README.md,USER_JOURNEY.md) updated for coherence; obsoletedig/plans/chrome-settings-dig-section.mdremoved.Patch hygiene
All
@@hunk line-counts were recomputed to match their bodies. The bundled applier is GNUpatch.exe(lenient), but regenerate the patches from the built tree on C:\d after applying (that is how thesewindows-*.patchfiles are produced), and confirm they still apply cleanly on the current Chromium base.Required C:\d build + verification (before merge)
build.py) on the 149 tree. Expect to fix/regenerate patch offsets against the current base.//chrome/browser/digbuilds with the new//components/prefs+//components/user_prefsdeps (needed byUserPrefs::Getindig_url_loader_factory.cc); adjust if the target graph needs it elsewhere.chrome://settings/dig-> confirm the "DIG Network" section shows the custom-node input (no cache slider/Clear); sethttps://.../a bare host/blank and confirm it persists todig.custom_node_urland normalizes.chia://page -> confirm it resolves viarpc.dig.net(external) and renders verified (Shields ledger populated). With a local dig-node, confirmdig.local/localhost:8080is preferred. With a custom endpoint set, confirm it is used exclusively.dig://walletremain from the runtime DLL).dig://node-> confirm no cache card and that status/stores/sync/upstream/publish still work against a local node.net::digcrypto remains.dig_runtime_start()-> wallet-only split so the runtime no longer starts a node at all.Closes item set #1/#3/ungoogled-software#4 of ungoogled-software#44 pending build-verify; item #2 + the dig-node runtime split remain (tracked on ungoogled-software#44).