//! Self-correcting, on-chain-derived ownership HINT, OPFS-only.
//!
//! `.lh_owner` is NOT authority — the on-chain registry is. This file is
//! purely a first-paint flash-avoider: it stores the on-chain owner
//! ADDRESS this device last *proved* it controls (written only after a
//! `verify::VerifyResult::VerifiedOwner`). On the next load the presence
//! of the hint lets `paint_tenant` paint the studio immediately instead
//! of flashing the public face — but every load still re-verifies against
//! the chain, and the hint is deleted ([`forget`]) the moment the chain
//! disagrees. So the hint can never lie for more than the initial frame.
//!
//! It is per-origin (lives in the subdomain's OPFS sandbox). A different
//! device starts with no hint and earns one by proving ownership.
const OWNER_FILE: &str = ".lh_owner";
/// Read the on-chain owner address this device last proved it controls,
/// if any. Returns `None` when the hint is absent/empty.
pub async
/// Record `owner_address` as the proven on-chain owner of this origin.
/// Called only after a `VerifiedOwner` result (or a successful first
/// claim) so the next load paints the studio without a public-face flash.
/// Idempotent — overwrites any prior hint.
pub async
/// Delete the ownership hint. Called when the chain disagrees with the
/// optimistic studio paint (ownership lost / transferred) so the next
/// load starts from the public face — and via "release" / debug flows.
pub async
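
// Added example, not part of this module: the hint lifecycle described in the
// module docs, modelled with a HashMap standing in for the per-origin OPFS
// sandbox. `Face`, `Verify`, `HintStore` and `load` are hypothetical names,
// and the origin and addresses are constructed sample values.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Face { Public, Studio }

/// Constructed stand-in for the result of the on-chain ownership check.
pub enum Verify { VerifiedOwner(String), NotOwner }

/// In-memory stand-in for OPFS: origin -> contents of `.lh_owner`.
#[derive(Default)]
pub struct HintStore(HashMap<String, String>);

impl HintStore {
    /// An absent or empty hint both read as `None`.
    pub fn read(&self, origin: &str) -> Option<&str> {
        self.0.get(origin).map(String::as_str).filter(|s| !s.is_empty())
    }
    pub fn remember(&mut self, origin: &str, owner: &str) {
        self.0.insert(origin.to_owned(), owner.to_owned());
    }
    pub fn forget(&mut self, origin: &str) {
        self.0.remove(origin);
    }
}

/// One page load. Returns (first-paint face, settled face).
/// The hint only chooses the first frame; the settled face, and anything
/// gated on ownership, depends on `chain` alone.
pub fn load(store: &mut HintStore, origin: &str, chain: Verify) -> (Face, Face) {
    let first = if store.read(origin).is_some() { Face::Studio } else { Face::Public };
    let settled = match chain {
        // Proven owner: (re)write the hint for the next load.
        Verify::VerifiedOwner(addr) => {
            store.remember(origin, &addr);
            Face::Studio
        }
        // Chain disagrees: drop the hint so it cannot outlive this load.
        Verify::NotOwner => {
            store.forget(origin);
            Face::Public
        }
    };
    (first, settled)
}

fn main() {
    let mut store = HintStore::default();
    store.remember("studio.example", "0xstale"); // stale or tampered hint
    let (first, settled) = load(&mut store, "studio.example", Verify::NotOwner);
    println!("first paint: {:?}, settled: {:?}", first, settled);
}
```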