Skip to content

refactor(dig-browser): SoC re-arch — pure external-RPC consumer, drop cache UI, custom-node setting (#44)#2

Merged
MichaelTaylor3d merged 2 commits into
masterfrom
soc/dig-browser-rearch-44
Jul 5, 2026
Merged

refactor(dig-browser): SoC re-arch — pure external-RPC consumer, drop cache UI, custom-node setting (#44)#2
MichaelTaylor3d merged 2 commits into
masterfrom
soc/dig-browser-rearch-44

Conversation

@MichaelTaylor3d

Copy link
Copy Markdown

Separation-of-concerns re-arch — DIG Browser → pure external-RPC consumer (super ungoogled-software#44)

Implements the four code items of super-repo issue DIG-Network/dig_ecosystem#44, per the ungoogled-software#41 SoC ruling recorded by @MT-Dev. Normative target = SPEC.md (merged in PR #1) + SYSTEM.md "Roles — serving vs consuming": the browser is a pure RPC consumer — it keeps client-side verify+decrypt (the trustless tier that powers Shields) but owns NO node functionality.

DO NOT MERGE until built + verified on C:\d. This is an ungoogled-Chromium fork; the native C++/patch changes cannot be compiled or run here, and the tag-driven release build is currently broken (16-stage timeout, ungoogled-software#26). The JS policy layer (the single source of truth) is fully tested; the native patches mirror it and are build-gated. Verification steps are at the bottom.

Per-item status

# Item Status
1 Remove the in-process node -> external RPC (§5.3 ladder) DONE (consumer read path) · full node removal needs a companion dig-node change + build verify
2 Single-source read-crypto -> shared dig_client wasm PENDING (build-gated) — designed + flagged, not implemented (needs a V8/wasm context + a build)
3 Remove chrome://settings/dig cache config + DigCacheHandler Mojo + "My Node" cache card DONE
4 Add a user-facing custom-node setting DONE

The single source of truth is the dig/ JS policy (tested); the C++ mirrors it

Per SPEC.md §9 ("ladder parity"), dig/node/dig_source_resolution.mjs is authoritative and the native dig_url_loader_factory.cc mirrors it. All 11 dig/**/*.test.mjs suites pass (node <suite>), including the rewritten resolution suite (16/16) and a new regression test that the My Node cache card is gone.

Item 1 — remove the in-process node (consumer read path)

  • dig/node/dig_source_resolution.mjs: dropped the in-process terminal; the §5.3 ladder now terminates at the public gateway rpc.dig.net. Added RPC_DIG_NET, SOURCE_PUBLIC_GATEWAY, SOURCE_CUSTOM; removed SOURCE_IN_PROCESS.
  • windows-dig-browser-ux.patch -> dig_url_loader_factory.cc: the loader no longer calls the runtime node RPC (dig_rpc/CallDigRpc). New terminal = an off-machine POST to rpc.dig.net (PostToRemote + kDigGatewayTrafficAnnotation). CallNode now: custom override (exclusive) -> local dig.local/localhost:8080 (probe) -> rpc.dig.net.
  • dig_native_runtime.{h,cc}: dropped the dig_rpc/CallDigRpc FFI; the DLL is loaded only for the in-browser wallet (CallWalletRpc + StartNativeRuntime). chrome_browser_main.cc comment updated (wallet host only).

Genuine cross-repo gap (flagged, not silently dropped): the wallet (SPEC §6) still needs dig_runtime.dll, and today dig_runtime_start() also starts the node. Fully removing the node process requires a companion dig-node change so dig_runtime_start() starts only the wallet (drop dig_rpc/P2P/cache). That is out of scope for this dig-browser-only PR. Until it lands, the browser no longer consumes the in-process node for content (content is external, terminal rpc.dig.net), and the dig-installer ships a standalone local dig-node (ungoogled-software#40). Recommend a follow-up dig-node issue for the wallet-only runtime split.

Item 2 — single-source read-crypto (PENDING, build-gated)

The native net::dig::* C++ crypto (net/url_request/dig_crypto.*, dig_urn.*, from windows-add-dig-protocol.patch) is a third copy of the read-crypto and is still the loader's verify+decrypt. The SoC target (SPEC §5) is to route verify+decrypt through the shared digstore dig_client wasm (the byte-identical artifact the extension/hub/SDK use). This is not implemented because it genuinely can't be done blind:

  • The dig_client wasm runs in a JS/V8 context; the loader is browser-process C++ with no V8. Single-sourcing means moving verify+decrypt into a JS/wasm execution context (the model the extension already uses) — a substantial re-architecture that requires a Chromium build to wire and verify, plus a design decision on where the wasm runs (recommended options below).
  • I did not rip out the native crypto, because doing so without the wasm wired would leave a browser that cannot verify content (broken) — violating "don't ship a browser that can't verify."

Recommended design for @MT-Dev (build required): mirror the extension's proven pipeline — a bundled JS module that imports the shared dig_client wasm and does fetch(ladder)+verify+decrypt, replacing the native net::dig path (either as a built-in component or a utility-process wasm runner). Client-side decrypt stays; only the duplicate C++ copy is retired. Flagged inline in the loader header comment and SPEC.md §10.

Item 3 — remove the cache config (done)

  • windows-dig-settings-section.patch rewritten: the DigCacheHandler Mojo, the cache-cap slider/usage/Clear controls, and all their C++ wiring (mojom, handler, settings_ui, interface binders, ui/webui + chrome/browser/ui BUILD deps, settings mojo_files) are gone. (Unrelated branding string edits it carried — search-no-results, alt-page-title, safety-check — are preserved.)
  • dig/node/dig_node.html: the "Local cache" card + loadCache() + capApply/cacheClear handlers + control.cache.* calls removed (regression test added).
  • dig/node/dig_node_controller.mjs: cacheGet/cacheSetCap/cacheClear dropped from CONTROL_METHODS (now 9 methods).

The rest of "My Node" (status / hosted-stores / sync / upstream / publish) stays — the audit rated it the sanctioned browser-as-controller-of-an-external-node pattern; only the cache surface was ruled a leak.

Item 4 — custom-node setting (done)

  • chrome://settings/dig is repurposed from the cache section into a "DIG Network" section whose sole control is a persisted custom node endpoint (cr-input bound via PrefsMixin to a plain pref — no Mojo).
  • New pref dig.custom_node_url registered in browser_ui_prefs.cc; read by the loader via user_prefs::UserPrefs::Get(...) -> NormalizeCustomEndpoint(...).
  • §5.3 precedence: when set, the custom endpoint overrides the ladder entirely (used exclusively, no silent fallback) — implemented + tested in dig_source_resolution.mjs (resolveSourcePlan -> {kind:'override'}) and mirrored in the C++ CallNode.

Blast radius checked

Consumer read path (chia:///dig:// loader), the source-resolution ladder (JS + C++ mirror), the runtime FFI (dig_native_runtime — node FFI removed, wallet FFI kept), the settings section (fully rewritten), the My Node controller (cache surface removed), and prefs registration. The wallet path (dig_wallet_rpc*, dig://wallet, StartNativeRuntime) is deliberately untouched (SPEC §6). The native crypto core (net::dig) is deliberately untouched (item 2, build-gated). Docs (SPEC.md, README.md, USER_JOURNEY.md) updated for coherence; obsolete dig/plans/chrome-settings-dig-section.md removed.

Patch hygiene

All @@ hunk line-counts were recomputed to match their bodies. The bundled applier is GNU patch.exe (lenient), but regenerate the patches from the built tree on C:\d after applying (that is how these windows-*.patch files are produced), and confirm they still apply cleanly on the current Chromium base.

Required C:\d build + verification (before merge)

  1. Apply + build the fork with these patches (build.py) on the 149 tree. Expect to fix/regenerate patch offsets against the current base.
  2. BUILD.gn deps: confirm //chrome/browser/dig builds with the new //components/prefs + //components/user_prefs deps (needed by UserPrefs::Get in dig_url_loader_factory.cc); adjust if the target graph needs it elsewhere.
  3. Settings section: open chrome://settings/dig -> confirm the "DIG Network" section shows the custom-node input (no cache slider/Clear); set https://.../a bare host/blank and confirm it persists to dig.custom_node_url and normalizes.
  4. Ladder / item 1: with no local node, load a chia:// page -> confirm it resolves via rpc.dig.net (external) and renders verified (Shields ledger populated). With a local dig-node, confirm dig.local/localhost:8080 is preferred. With a custom endpoint set, confirm it is used exclusively.
  5. No in-process node: confirm the browser no longer serves content from an embedded node (only the wallet host + dig://wallet remain from the runtime DLL).
  6. My Node: open dig://node -> confirm no cache card and that status/stores/sync/upstream/publish still work against a local node.
  7. Item 2 (separate, build-gated): decide + implement the wasm single-source (see design above); until then the native net::dig crypto remains.
  8. Companion dig-node change: file/land the dig_runtime_start() -> wallet-only split so the runtime no longer starts a node at all.

Closes item set #1/#3/ungoogled-software#4 of ungoogled-software#44 pending build-verify; item #2 + the dig-node runtime split remain (tracked on ungoogled-software#44).

… cache UI, custom-node setting (ungoogled-software#44)

Per the ungoogled-software#41 separation-of-concerns ruling (SYSTEM.md "Roles — serving vs
consuming"), make DIG Browser a PURE RPC CONSUMER of an external dig-node. It
keeps client-side verify+decrypt (the trustless tier that powers Shields) but
owns no node functionality.

Item 1 — remove the in-process node (consumer read path):
- dig/node/dig_source_resolution.mjs: drop the `in-process` terminal; the §5.3
  ladder now terminates at the public gateway rpc.dig.net. Tests updated (16/16).
- windows-dig-browser-ux.patch: the loader (dig_url_loader_factory.cc) no longer
  calls the runtime node RPC (dig_rpc/CallDigRpc); its terminal is an off-machine
  POST to rpc.dig.net (PostToRemote + a gateway traffic annotation).
- dig_native_runtime.{h,cc}: drop the dig_rpc/CallDigRpc FFI; the runtime DLL is
  loaded only for the in-browser WALLET (CallWalletRpc + StartNativeRuntime).
  NOTE: fully dropping the node from the runtime is a companion dig-node change
  (dig_runtime_start → wallet-only); until then rpc.dig.net is the guaranteed
  fallback and the dig-installer ships a standalone local dig-node (ungoogled-software#40).

Item 2 — single-source read-crypto (PENDING, build-gated): the native net::dig
C++ crypto stays for now; the SoC target is to route verify+decrypt through the
shared digstore dig_client wasm. That needs a V8/wasm context + a Chromium build
to wire and verify — designed + flagged in SPEC §10 and the loader header.

Item 3 — remove chrome://settings/dig cache config + DigCacheHandler Mojo + the
"My Node" cache card:
- windows-dig-settings-section.patch rewritten: no Mojo/cache controls.
- dig/node/dig_node.html: cache card + control.cache.* calls removed (+ regression test).
- dig/node/dig_node_controller.mjs: cache.* dropped from CONTROL_METHODS (9 methods).

Item 4 — custom-node setting: chrome://settings/dig now hosts a persisted custom
node endpoint pref (dig.custom_node_url) bound via cr-input; the §5.3 override
(custom endpoint wins entirely) is implemented in dig_source_resolution.mjs and
mirrored in the C++ loader (NormalizeCustomEndpoint + read via UserPrefs).

Docs: SPEC.md §10 transition status; README + USER_JOURNEY updated to the
pure-consumer model; obsolete dig/plans/chrome-settings-dig-section.md removed.

Build-gated: this is a Chromium fork; the native C++/patch changes cannot be
compiled here. Do NOT merge until built + verified on C:\d (see the PR body).
… delete native C++ crypto (ungoogled-software#44)

Per @MT-Dev's ruling on ungoogled-software#44: the native browser uses the digstore Rust
read-crypto DIRECTLY via FFI — wasm is webpages-only. This supersedes the
earlier "route through the shared dig_client wasm" plan.

- dig_url_loader_factory.cc: FinishResolve() now calls the dig_runtime FFI
  dig::ReadVerifyDecrypt (verify Merkle inclusion against the chain-anchored
  root + AES-256-GCM-SIV decrypt, fail-closed) instead of
  net::dig::VerifyInclusion / DeriveContentKey / DecryptResource. The FFI
  distinguishes a proof failure from a decrypt failure, so Shields records the
  correct per-resource verdict. root_ is always a concrete chain-anchored root
  here, so the FFI's strict proof-root match is the trust gate (the former
  "latest" soft-trust path is correctly dropped).
- dig_native_runtime.{h,cc}: bind dig_read_verify_decrypt + dig_bytes_free and
  expose dig::ReadVerifyDecrypt; start the runtime WALLET-ONLY via
  dig_runtime_start_wallet (dig-node ungoogled-software#47) so the browser runs no in-process
  node engine (no dig_rpc / P2P / cache).
- net/url_request/dig_crypto.{h,cc}: DELETE the third read-crypto copy
  (VerifyInclusion / DecryptChunk / DecryptResource / DeriveContentKey). net::dig
  keeps ONLY URN addressing (CanonicalRootlessUrn / RetrievalKeyHex) the loader
  needs to build fetch requests — not a trust duplication.
- SPEC.md §1/§5/§9/§10: the browser uses the digstore Rust read-crypto directly
  via FFI; wasm is the webpage binding only.

BUILD-GATED: dig-browser is a grandfathered Chromium fork that cannot be built
here (§3.6a). The patch hunks are hand-regenerated (new-file line-counts
reconciled); the C:\d build must apply them, link dig_runtime.dll's new exports
(dig_runtime_start_wallet / dig_read_verify_decrypt / dig_bytes_free), and verify
end-to-end. All 182 dig/**/*.test.mjs JS-policy suites pass.

Depends on dig-node PR ungoogled-software#4 (dig_runtime_start_wallet + dig_read_verify_decrypt).
Refs ungoogled-software#44, ungoogled-software#47.
@MichaelTaylor3d MichaelTaylor3d merged commit b0f31cb into master Jul 5, 2026
5 checks passed
@MichaelTaylor3d MichaelTaylor3d deleted the soc/dig-browser-rearch-44 branch July 5, 2026 02:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant