mur-common 2.18.0

Shared types and traits for the MUR ecosystem
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282

//! Shared trust store at `~/.mur/trust/trust.yaml`.
//!
//! Spec §7.1: Hub and Commander share the same trust store.
//! File-locked writes; lock-free reads with retry.

pub mod legacy;
pub mod revocations;
pub mod rotation;

pub use revocations::{RevocationsList, RevokedEntry};

use crate::muragent::MuragentError;
use serde::{Deserialize, Serialize};
use std::path::PathBuf;

#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum TrustLevel {
    Known,
    Pending,
    Rejected,
    Superseded,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TrustEntry {
    pub public_key: String,
    pub display_name_seen: String,
    pub first_seen: String,
    pub last_seen: String,
    pub last_seen_surface: String,
    pub trust_level: TrustLevel,
    pub fingerprint: String,
    pub word_list: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub rotated_from: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub superseded_at: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub last_rotation_at: Option<String>,
}

#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct TrustStore {
    #[serde(default)]
    pub agents: Vec<TrustEntry>,
}

impl TrustStore {
    /// Load trust store from `~/.mur/trust/trust.yaml`.
    /// If the file doesn't exist, returns an empty store.
    /// Runs legacy migration if `~/.mur/trust.json` exists.
    pub fn load() -> Result<Self, MuragentError> {
        let path = trust_store_path();
        if let Some(parent) = path.parent() {
            std::fs::create_dir_all(parent).map_err(MuragentError::Io)?;
        }

        let legacy_path = mur_home().join("trust.json");
        if legacy_path.exists() && !path.exists() {
            legacy::migrate_legacy(&legacy_path, &path)?;
        }

        if !path.exists() {
            return Ok(Self::default());
        }

        let yaml = std::fs::read_to_string(&path).map_err(MuragentError::Io)?;
        serde_yaml_ng::from_str(&yaml)
            .map_err(|e| MuragentError::Other(format!("trust store parse: {e}")))
    }

    /// Atomically save the trust store.
    pub fn save(&self) -> Result<(), MuragentError> {
        let path = trust_store_path();
        if let Some(parent) = path.parent() {
            std::fs::create_dir_all(parent).map_err(MuragentError::Io)?;
        }
        let yaml = serde_yaml_ng::to_string(self)
            .map_err(|e| MuragentError::Other(format!("trust store serialize: {e}")))?;
        let tmp = path.with_extension("yaml.tmp");
        std::fs::write(&tmp, &yaml).map_err(MuragentError::Io)?;
        std::fs::rename(&tmp, &path).map_err(MuragentError::Io)?;
        Ok(())
    }

    /// Find an entry by public key (base64).
    pub fn find_by_pubkey(&self, pubkey_b64: &str) -> Option<&TrustEntry> {
        self.agents.iter().find(|e| e.public_key == pubkey_b64)
    }

    /// Find known entries by display name (for key-change detection).
    pub fn find_by_display_name(&self, name: &str) -> Vec<&TrustEntry> {
        self.agents
            .iter()
            .filter(|e| e.display_name_seen == name)
            .collect()
    }

    /// Insert or update an entry.
    pub fn upsert(&mut self, entry: TrustEntry) {
        if let Some(existing) = self
            .agents
            .iter_mut()
            .find(|e| e.public_key == entry.public_key)
        {
            *existing = entry;
        } else {
            self.agents.push(entry);
        }
    }

    /// Remove an entry by public key.
    pub fn remove(&mut self, pubkey_b64: &str) {
        self.agents.retain(|e| e.public_key != pubkey_b64);
    }
}

/// Derive a 4-word fingerprint from a public key, using SHA-256(pubkey).
///
/// Takes 52 bits of the hash and splits them into 4 × 13-bit indices into
/// a wordlist. The wordlist is sized to a power of two so all 13-bit values
/// are valid (no modulo bias). v1 uses a small placeholder list; the full
/// EFF long word list will be embedded via include_str! in a follow-up.
pub fn word_list_fingerprint(pubkey: &[u8; 32]) -> String {
    use sha2::Digest;
    let hash = sha2::Sha256::digest(pubkey);
    // Pack 7 hash bytes (56 bits) into the low end of a u64, then take the
    // top 52 bits (shift right 4).
    let raw: u64 = u64::from_be_bytes([
        0, hash[0], hash[1], hash[2], hash[3], hash[4], hash[5], hash[6],
    ]);
    let bits = raw >> 4; // 52 bits in low
    let w0 = ((bits >> 39) & 0x1FFF) as usize;
    let w1 = ((bits >> 26) & 0x1FFF) as usize;
    let w2 = ((bits >> 13) & 0x1FFF) as usize;
    let w3 = (bits & 0x1FFF) as usize;

    let list = PLACEHOLDER_WORD_LIST;
    format!(
        "{} {} {} {}",
        list[w0 % list.len()],
        list[w1 % list.len()],
        list[w2 % list.len()],
        list[w3 % list.len()],
    )
}

/// Short fingerprint: first 8 hex chars of SHA-256(pubkey).
pub fn short_fingerprint(pubkey: &[u8; 32]) -> String {
    use sha2::Digest;
    let hash = sha2::Sha256::digest(pubkey);
    let hex = format!("{:x}", hash);
    hex[..8].to_string()
}

fn trust_store_path() -> PathBuf {
    mur_home().join("trust").join("trust.yaml")
}

/// Resolve `~/.mur` (or `$MUR_HOME` if set). Shared root for the trust store,
/// agent home dirs, and other on-disk state used by every surface.
pub fn mur_home() -> PathBuf {
    if let Some(p) = std::env::var_os("MUR_HOME") {
        return PathBuf::from(p);
    }
    dirs::home_dir().expect("home dir").join(".mur")
}

/// Placeholder wordlist for v1 fingerprints. The full 7776-word EFF long
/// wordlist will be embedded at build time in a follow-up change; until
/// then, fingerprints are derived from this short list (modulo).
const PLACEHOLDER_WORD_LIST: &[&str] = &[
    "abacus",
    "abdomen",
    "able",
    "abrupt",
    "absent",
    "absorb",
    "accept",
    "access",
    "accord",
    "acid",
    "acorn",
    "acquit",
    "acre",
    "active",
    "actor",
    "adapt",
    "adjust",
    "admire",
    "admit",
    "adopt",
    "adult",
    "advance",
    "advice",
    "affair",
    "afford",
    "afraid",
    "agency",
    "agenda",
    "agent",
    "agile",
    "alarm",
    "albatross",
];

#[cfg(test)]
pub(crate) mod test_env_lock {
    use std::sync::Mutex;
    /// Tests in this crate that set MUR_HOME must lock this mutex first —
    /// the env var is process-global and parallel tests trampling it
    /// produce spurious failures.
    pub(crate) static MUR_HOME_LOCK: Mutex<()> = Mutex::new(());
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn word_list_is_deterministic() {
        let pk = [0x42u8; 32];
        let a = word_list_fingerprint(&pk);
        let b = word_list_fingerprint(&pk);
        assert_eq!(a, b);
    }

    #[test]
    fn word_list_has_four_words() {
        let pk = [0x42u8; 32];
        let fp = word_list_fingerprint(&pk);
        assert_eq!(fp.split_whitespace().count(), 4);
    }

    #[test]
    fn short_fingerprint_is_8_chars() {
        let pk = [0x42u8; 32];
        let fp = short_fingerprint(&pk);
        assert_eq!(fp.len(), 8);
        assert!(fp.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn trust_store_roundtrip() {
        let _guard = test_env_lock::MUR_HOME_LOCK.lock().unwrap();
        let tmp = tempfile::TempDir::new().unwrap();
        let prev_home = std::env::var_os("MUR_HOME");
        unsafe { std::env::set_var("MUR_HOME", tmp.path()) };

        let mut store = TrustStore::default();
        store.upsert(TrustEntry {
            public_key: "aaa".into(),
            display_name_seen: "Coach".into(),
            first_seen: "2026-05-20T00:00:00Z".into(),
            last_seen: "2026-05-20T00:00:00Z".into(),
            last_seen_surface: "hub".into(),
            trust_level: TrustLevel::Pending,
            fingerprint: "1234abcd".into(),
            word_list: "a b c d".into(),
            rotated_from: None,
            superseded_at: None,
            last_rotation_at: None,
        });
        store.save().unwrap();

        let loaded = TrustStore::load().unwrap();
        assert_eq!(loaded.agents.len(), 1);
        assert_eq!(
            loaded.find_by_pubkey("aaa").unwrap().display_name_seen,
            "Coach"
        );

        unsafe {
            if let Some(p) = prev_home {
                std::env::set_var("MUR_HOME", p);
            } else {
                std::env::remove_var("MUR_HOME");
            }
        }
    }
}