Skip to content

build(deps): bump freenet-stdlib 0.3.5 → 0.6.0 with V9/C4 migration entries#8

Merged
sanity merged 2 commits intomainfrom
stdlib-0.6
Apr 15, 2026
Merged

build(deps): bump freenet-stdlib 0.3.5 → 0.6.0 with V9/C4 migration entries#8
sanity merged 2 commits intomainfrom
stdlib-0.6

Conversation

@sanity
Copy link
Copy Markdown
Contributor

@sanity sanity commented Apr 15, 2026
edited
Loading

Problem

Delta pins `freenet-stdlib = "0.3.5"` and is three minor versions behind. freenet-core 0.2.45 is already deployed (stdlib 0.6.0) and both river and ghostkeys have moved to 0.6.0. Delta is the last consumer still on the old stdlib.

Approach

Mechanical stdlib bump with one wildcard-arm fix plus matching V9/C4 migration entries.

Source fix (1 site)

`delegates/site-delegate/src/lib.rs` — the `match origin` block handled only `Some(WebApp)` and `None`. Added an explicit `Some(MessageOrigin::Delegate(caller))` arm that rejects inter-delegate calls (site-delegate is driven exclusively by the Delta web app) plus a trailing wildcard for future `MessageOrigin` variants. All other match sites in `common/`, `contracts/`, and `ui/` already had `_ => {}` wildcards.

Migration

Both entries recorded before any WASM-altering edits via `./scripts/add-migration.sh V9` and `./scripts/add-contract-migration.sh C4`. Skeptical reviewer verified by BLAKE3-hashing the parent-commit WASMs — all hashes are provably correct.

```toml

legacy_delegates.toml V9

delegate_key = "c1fbb764babe708f558636427e1d019554dda9ee9d7f0050c7cdc7b3a1915945"
code_hash = "b7179907eb526754148c60fe9281070c4d8e629a824281455511881b3ee4c807"

legacy_contracts.toml C4

code_hash = "6837a66d8ba5481a6256300368d25caa2250b3a586db372a938e65c2f06b6346"
```

Rebuilt WASMs

File code_hash
`ui/public/contracts/site_delegate.wasm` `4d576358…`
`ui/public/contracts/site_contract.wasm` `8e36f95d…`

Testing

  • `cargo check -p site-delegate -p site-contract -p delta-core` — clean
  • `cargo check -p delta-ui --target wasm32-unknown-unknown` — clean
  • `cargo test -p delta-core` — 19 tests pass
  • `cargo test -p site-delegate` — 5 tests pass (4 existing + 1 new regression for `MessageOrigin::Delegate` rejection — addresses code-first + testing reviewer feedback; this is delta's first Rust test exercising `SiteDelegate::process`)
  • `./scripts/sync-wasm.sh` — delegate + contract rebuild clean
  • `./scripts/check-migration.sh` — "Safe to publish"

Reviewer findings and how they're addressed

Addressed in this PR

  • Missing test for MessageOrigin::Delegate rejection (code-first + testing) — added `rejects_inter_delegate_origin` test (commit `4f5e09c`).

Flagged but not blockers (monitor post-publish)

  • V1-V3 delegate runtime-compat risk (big-picture): V1-V3 were compiled against stdlib 0.3.x, which predates `#[non_exhaustive]` on `MessageOrigin`. Under freenet-core 0.2.45's 0.6.0 runtime, if the host ever dispatches a `MessageOrigin::Delegate(..)` into legacy delegate WASM during a migration probe, the V1-V3 match is not exhaustive for the new discriminant. Same class as river's V4-V6 removal. Mitigation: `ui/` migration code only probes with `WebApp`-origin reads, so V1-V3 should not see the new variant in practice. Watch nova logs post-publish for `de/serialization error.*Invalid size` specifically keyed to V1/V2/V3 delegate hashes.

Flagged and investigated but out-of-scope

  • Pre-C1 contract orphan window (skeptical, medium): commit `ccb0b9f` (2026-03-28, "feat: publish Delta to Freenet gateway") shipped contract WASM hash `d2034ea8d646885e2fd9ff04c9cb5506686cbeeb06a67ecc8a6eeca643991794`, but `legacy_contracts.toml` starts at C1 = `1188d108...` from commit `2e664c3` (the next day). Investigated: commit `2e664c3` changed the parameters format to the current "10-char site prefix" at the same time as the WASM change. Since contract keys are `BLAKE3(BLAKE3(wasm) || params)`, adding a C0 entry with `d2034ea8...` would NOT help because the probe would compute the key using the current parameters format, producing a key that never existed on the network. A proper pre-C1 migration would need parameter-format evolution support in the UI's multi-hop probe logic, which is a separate workstream. The window was pre-alpha (24h), likely has no real users, and is stranded behind a parameters-format change rather than a WASM-only change.

  • Delta has no Rust tests exercising `SiteDelegate::process` prior to this PR (testing): pre-existing gap; this PR adds the first one. Broader "add migration runtime-compat harness" is a separate workstream.

  • Playwright smoke test (testing + big-picture): delta's Playwright setup runs on technic via SSH per AGENTS.md. Not run for this PR. The only UI-code change is in the delegate (no UI component changes), so the Playwright-visible surface is unchanged. Will run manually post-publish before marking the delta rollout complete.

Post-merge publish plan

  1. Merge this PR to main
  2. Pull main locally
  3. `cargo make publish-delta` — publishes delegate + contract WASMs to Freenet
  4. Smoke-test a delta site via the UI against nova
  5. Grep nova logs specifically for:
    • `de/serialization error.*Invalid size` (V4-V6 failure signature)
    • V1/V2/V3 delegate keys appearing in error context (stdlib 0.3.x runtime-compat risk)

Related

  • Closes the ecosystem-wide stdlib 0.6.0 rollout (river + ghostkeys already done)
  • Matches freenet-core 0.2.45 + freenet-stdlib 0.6.0 on nova

[AI-assisted - Claude]

sanity and others added 2 commits April 15, 2026 09:47
@sanity @claude
build(deps): bump freenet-stdlib 0.3.5 → 0.6.0 with V9/C4 migration e…
a1c2226 
…ntries

Catches delta up three minor versions of freenet-stdlib, matching what
freenet-core 0.2.45 and ghostkeys already run. Crosses:

- 0.4.0 seeding→hosting terminology rename (delta doesn't use SystemMetrics,
  no code sites touched).
- 0.5.0 `MessageOrigin::Delegate(DelegateKey)` variant for inter-delegate
  attestation; enum marked `#[non_exhaustive]`.
- 0.6.0 hardening: `#[non_exhaustive]` added to `InboundDelegateMsg`,
  `UpdateData`, `DelegateError`, `ContractError`, `APIVersion`.

## Source fixes (1 site)

`delegates/site-delegate/src/lib.rs` — the `match origin` block only
handled `Some(WebApp)` and `None`. Added an explicit
`Some(MessageOrigin::Delegate(caller))` arm that rejects inter-delegate
calls (site-delegate is driven exclusively by the Delta web app via
WebApp) plus a trailing wildcard for future MessageOrigin variants.
All other match sites in common/, contracts/, and ui/ already had
`_ => {}` wildcards so no further source edits were required.

## Migration (V9 delegate + C4 contract)

Both entries were recorded BEFORE any WASM-altering edits via
`./scripts/add-migration.sh` and `./scripts/add-contract-migration.sh`:

    [[entry]]
    version = "V9"
    description = "Before freenet-stdlib 0.6.0 bump (non_exhaustive hardening + MessageOrigin::Delegate)"
    delegate_key = "c1fbb764babe708f558636427e1d019554dda9ee9d7f0050c7cdc7b3a1915945"
    code_hash    = "b7179907eb526754148c60fe9281070c4d8e629a824281455511881b3ee4c807"

    [[entry]]
    version = "C4"
    description = "Before freenet-stdlib 0.6.0 bump"
    code_hash = "6837a66d8ba5481a6256300368d25caa2250b3a586db372a938e65c2f06b6346"

When users' Delta UIs refresh after this publishes, they will:
1. Probe legacy delegate keys via LEGACY_DELEGATES and migrate signing
   keys + known_sites from V9 to the new V10-era delegate.
2. Probe legacy contract hashes via legacy_contracts.toml (multi-hop
   fallback) and migrate each site's state from the C4-era contract key
   to the new post-bump contract key.

## Rebuilt WASMs

- `ui/public/contracts/site_delegate.wasm` (code_hash 4d576358…)
- `ui/public/contracts/site_contract.wasm` (code_hash 8e36f95d…)

Built via `./scripts/sync-wasm.sh`. `./scripts/check-migration.sh`
confirms both new hashes differ from what's recorded in the legacy
TOMLs and the predecessors are properly registered — "Safe to publish."

## Testing

- `cargo check -p site-delegate -p site-contract -p delta-core` — clean
- `cargo check -p delta-ui --target wasm32-unknown-unknown` — clean
- `cargo test -p delta-core` — 19 tests pass
- `./scripts/sync-wasm.sh` — delegate + contract rebuild clean
- `./scripts/check-migration.sh` — "Safe to publish" on both WASMs

Post-merge: `cargo make publish-delta` from main to deploy the new
delegate + contract WASMs to Freenet.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sanity @claude
test(site-delegate): regression for inter-delegate origin rejection
4f5e09c 
Addresses the code-first and testing reviewer feedback on PR #8.
Both flagged that the new `MessageOrigin::Delegate(caller)` rejection
arm had zero test coverage. Per .claude/rules/pr-quality.md every
behavioral change needs a regression test. This is also delta's
first Rust test exercising `SiteDelegate::process` — the site-delegate
crate previously had only `select_key_bytes` unit tests, none
covering the process() entry point.

The test synthesizes an `InboundDelegateMsg::ApplicationMessage`
carrying a minimal StoreKnownSites request, passes an origin of
`Some(MessageOrigin::Delegate(caller_key))`, and asserts that
SiteDelegate::process returns `DelegateError::Other` containing the
phrase "does not accept inter-delegate calls". This pins the
explicit rejection so a future refactor that reorders the
`match origin` arms cannot silently regress it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@sanity sanity merged commit 403a816 into main Apr 15, 2026
3 checks passed
@sanity sanity deleted the stdlib-0.6 branch April 15, 2026 16:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sanity