void_core/pipeline/seal/

commit.rs

//! Commit logic for seal pipeline.


use crate::collab::manifest::{detect_repo_mode, load_manifest, RepoMode, SigningPubKey};
use crate::crypto::{
    decrypt, encrypt, AAD_COMMIT, AAD_MANIFEST, AAD_REPO_MANIFEST,
};
use crate::index::{read_index, IndexEntry};
use crate::metadata::Commit;

use crate::staged;
use crate::store::{ObjectStoreExt, StagedStore};
use crate::cid::ToVoidCid;
use crate::{cid, refs, Result, VoidContext, VoidError};
use ed25519_dalek::SigningKey;

use super::types::{CommitOptions, CommitResult, SealResult};
use super::workspace::{build_commit_stats, build_tree_manifest, seal_index, seal_workspace};

/// Load file entries from a commit via its TreeManifest (for comparing staged changes).
fn load_commit_entries(
    ctx: &VoidContext,
    commit_cid: &void_crypto::CommitCid,
) -> Result<Vec<IndexEntry>> {
    let store = ctx.open_store()?;
    let commit_cid = cid::from_bytes(commit_cid.as_bytes())?;
    let (commit, reader) = ctx.load_commit(&store, &commit_cid)?;

    let manifest = ctx.load_manifest(&store, &commit, &reader)?
        .ok_or_else(|| VoidError::IntegrityError {
            expected: "manifest_cid present on commit".into(),
            actual: "None".into(),
        })?;

    manifest.iter()
        .map(|me| {
            let me = me?;
            Ok(IndexEntry {
                path: me.path.clone(),
                content_hash: me.content_hash,
                mtime_secs: 0,
                mtime_nanos: 0,
                size: me.length,
                materialized: true,
            })
        })
        .collect()
}

/// Check if there are any staged changes by comparing index to HEAD.
/// Returns true if there are adds, modifications, or deletions staged.
fn has_staged_changes(index: &crate::index::WorkspaceIndex, head_entries: &[IndexEntry]) -> bool {
    // Different count means files were added or deleted
    if index.entries.len() != head_entries.len() {
        return true;
    }
    // Same count - check if any paths or content differ
    index
        .entries
        .iter()
        .zip(head_entries.iter())
        .any(|(a, b)| a.path != b.path || a.content_hash != b.content_hash)
}

/// Commits a workspace snapshot (seal + commit object + HEAD update)
pub fn commit_workspace(opts: CommitOptions) -> Result<CommitResult> {
    // In collaboration mode, enforce mandatory signing
    let mode = detect_repo_mode(opts.seal.ctx.paths.void_dir.as_std_path());
    if mode == RepoMode::Collaboration {
        // Require signing
        if opts.seal.ctx.crypto.signing_key.is_none() {
            return Err(VoidError::Unauthorized(
                "Commits must be signed in collaboration mode. Configure your identity with 'void identity init'.".into()
            ));
        }

        // Verify signer is a contributor
        let signing_key = opts.seal.ctx.crypto.signing_key.as_ref()
            .expect("signing_key presence checked by guard above");
        let signer = get_pubkey_from_signing_key(signing_key)?;

        // Load manifest and check if signer is a contributor
        if let Some(manifest) = load_manifest(opts.seal.ctx.paths.void_dir.as_std_path())? {
            if manifest.find_contributor(&signer).is_none() {
                return Err(VoidError::Unauthorized(
                    "Signer is not a contributor to this repository".into()
                ));
            }
        }
    }

    // Read index (the staging area)
    let index = match read_index(opts.seal.ctx.paths.workspace_dir.as_std_path(), opts.seal.ctx.crypto.vault.index_key()?) {
        Ok(idx) => Some(idx),
        Err(VoidError::NotFound(_)) => None,
        Err(err) => return Err(err),
    };

    // Load HEAD entries (empty vec if first commit or foreign parent)
    let head_entries = match &opts.parent_cid {
        Some(parent_cid) if !opts.foreign_parent => {
            load_commit_entries(&opts.seal.ctx, parent_cid)?
        }
        _ => Vec::new(),
    };

    // Check for staged changes: compare index to HEAD
    // Staged changes = (files in index but not HEAD) + (modified files) + (files in HEAD but not index)
    if let Some(ref idx) = index {
        if !has_staged_changes(idx, &head_entries) {
            return Err(VoidError::NothingToCommit(
                "no changes staged for commit (use 'void add' to stage files)".to_string(),
            ));
        }
    }
    // Note: if no index, we proceed to seal_workspace which collects all workspace files.
    // For first commits this allows committing without explicit staging.

    // Generate per-commit derived key for envelope encryption (via vault)
    let (content_key, key_nonce) = opts.seal.ctx.crypto.vault.derive_commit_key()?;

    // Set content_key for metadata encryption (shards always use root key
    // in workspace.rs because they are reused across commits).
    let mut seal_opts = opts.seal.clone();
    seal_opts.content_key = Some(content_key);

    // Extract parent's content_key for re-wrapping reused shard keys
    // (skip for foreign parents — their commit is encrypted with a different repo's key)
    if let Some(ref parent_cid) = opts.parent_cid {
        if !opts.foreign_parent {
            let parent_store = opts.seal.ctx.open_store()?;
            let parent_cid_obj = cid::from_bytes(parent_cid.as_bytes())?;
            let parent_encrypted: void_crypto::EncryptedCommit = parent_store.get_blob(&parent_cid_obj)?;
            let (_, parent_reader) = opts.seal.ctx.open_commit(&parent_encrypted)?;
            seal_opts.parent_content_key = Some(parent_reader.content_key().clone());
        }
    }

    // Now do the actual seal operation
    let t0 = std::time::Instant::now();
    let seal_result = match index {
        Some(idx) => seal_index(&seal_opts, &idx.entries)?,
        None => seal_workspace(seal_opts.clone())?,
    };
    let t_seal = t0.elapsed();

    // Check if we actually sealed any files (catches empty workspace case)
    if seal_result.stats.files_sealed == 0 && head_entries.is_empty() {
        return Err(VoidError::NothingToCommit(
            "nothing to commit: working tree is empty".to_string(),
        ));
    }

    // Data loss guard: block commits that delete a large percentage of files
    // This catches silent failures where files became unreadable and weren't staged
    let new_file_count = seal_result.stats.files_sealed;
    let parent_file_count = head_entries.len();
    const MIN_FILES_FOR_GUARD: usize = 10;
    const MAX_DELETION_RATIO: f64 = 0.7; // Block if current < 70% of parent (>30% loss)

    if parent_file_count >= MIN_FILES_FOR_GUARD && !opts.allow_data_loss {
        let ratio = new_file_count as f64 / parent_file_count as f64;
        if ratio < MAX_DELETION_RATIO {
            return Err(VoidError::DataLossGuard {
                parent_files: parent_file_count,
                new_files: new_file_count,
                deleted_pct: ((1.0 - ratio) * 100.0) as u8,
            });
        }
    }

    let SealResult {
        metadata_cid,
        shard_cids,
        stats,
        index_entries,
        ..
    } = seal_result.clone();

    let t_guard = t0.elapsed();

    // Create StagedStore for atomic publishing of manifest and commit
    let staged_store = StagedStore::new(opts.seal.ctx.paths.void_dir.as_std_path())?;

    // Build TreeManifest from per-file shard assignments computed during sealing
    let manifest = build_tree_manifest(&seal_result)?;
    let manifest_stats = build_commit_stats(&manifest);

    // Save stats for returning in CommitResult
    let result_total_files = manifest_stats.total_files;
    let result_total_bytes = manifest_stats.total_bytes;

    // Encrypt the pre-serialized manifest bytes
    let manifest_encrypted = encrypt(content_key.as_bytes(), manifest.as_bytes(), AAD_MANIFEST)?;

    // Stage the manifest - on error, discard all staged objects
    let manifest_void_cid = staged_store.stage_or_discard(&manifest_encrypted)?;
    let manifest_cid = void_crypto::ManifestCid::from_bytes(cid::to_bytes(&manifest_void_cid));

    let timestamp = std::time::SystemTime::now()
        .duration_since(std::time::UNIX_EPOCH)
        .unwrap_or_default()
        .as_millis() as u64;

    let mut commit = Commit::new(
        opts.parent_cid.clone(),
        metadata_cid.clone(),
        timestamp,
        opts.message,
    );

    // Set manifest_cid and stats
    commit.manifest_cid = Some(manifest_cid.clone());
    commit.stats = Some(manifest_stats);

    // Embed repo manifest if in collaboration mode
    if mode == RepoMode::Collaboration {
        if let Ok(Some(collab_manifest)) = load_manifest(opts.seal.ctx.paths.void_dir.as_std_path()) {
            let manifest_json = serde_json::to_vec(&collab_manifest)
                .map_err(|e| VoidError::Serialization(format!("repo manifest: {}", e)))?;
            let rm_encrypted = encrypt(content_key.as_bytes(), &manifest_json, AAD_REPO_MANIFEST)?;
            let rm_cid = staged_store.stage_or_discard(&rm_encrypted)?;
            commit.repo_manifest_cid = Some(void_crypto::RepoManifestCid::from_bytes(cid::to_bytes(&rm_cid)));
        }
    }

    // Sign commit if signing key is provided
    if let Some(ref signing_key) = opts.seal.ctx.crypto.signing_key {
        commit.sign(signing_key);
    }

    let commit_bytes = crate::support::cbor_to_vec(&commit)?;
    // Use envelope encryption for commit (wraps the derived key nonce via vault)
    let commit_encrypted =
        opts.seal.ctx.crypto.vault.seal_commit_with_nonce(&commit_bytes, &key_nonce)?;

    // Stage the commit for atomic publishing
    let commit_cid = staged_store.stage_blob_or_discard(&commit_encrypted)?;

    // Verify staged objects can be read back AND decrypted before publishing
    // This catches corruption or AAD mismatches early

    // Verify manifest can be decrypted (uses derived content key)
    let manifest_void_cid = manifest_cid.to_void_cid()?;
    match staged_store.get(&manifest_void_cid) {
        Ok(encrypted) => {
            if let Err(e) = decrypt(content_key.as_bytes(), &encrypted, AAD_MANIFEST) {
                let _ = staged_store.discard_all();
                return Err(VoidError::Io(std::io::Error::new(
                    std::io::ErrorKind::Other,
                    format!("staged manifest verification failed: {}", e),
                )));
            }
        }
        Err(e) => {
            let _ = staged_store.discard_all();
            return Err(VoidError::Io(std::io::Error::new(
                std::io::ErrorKind::Other,
                format!("staged manifest read failed: {}", e),
            )));
        }
    }

    // Verify repo manifest can be decrypted (if present)
    if let Some(ref rm_cid_typed) = commit.repo_manifest_cid {
        let rm_cid = rm_cid_typed.to_void_cid()?;
        match staged_store.get(&rm_cid) {
            Ok(encrypted) => {
                if let Err(e) = decrypt(content_key.as_bytes(), &encrypted, AAD_REPO_MANIFEST) {
                    let _ = staged_store.discard_all();
                    return Err(VoidError::Io(std::io::Error::new(
                        std::io::ErrorKind::Other,
                        format!("staged repo manifest verification failed: {}", e),
                    )));
                }
            }
            Err(e) => {
                let _ = staged_store.discard_all();
                return Err(VoidError::Io(std::io::Error::new(
                    std::io::ErrorKind::Other,
                    format!("staged repo manifest read failed: {}", e),
                )));
            }
        }
    }

    // Verify commit can be decrypted (uses envelope format with root key)
    match staged_store.get(&commit_cid) {
        Ok(encrypted) => {
            if let Err(e) = opts.seal.ctx.decrypt(&encrypted, AAD_COMMIT) {
                let _ = staged_store.discard_all();
                return Err(VoidError::Io(std::io::Error::new(
                    std::io::ErrorKind::Other,
                    format!("staged commit verification failed: {}", e),
                )));
            }
        }
        Err(e) => {
            let _ = staged_store.discard_all();
            return Err(VoidError::Io(std::io::Error::new(
                std::io::ErrorKind::Other,
                format!("staged commit read failed: {}", e),
            )));
        }
    }

    let t_verify = t0.elapsed();

    // Publish all staged objects atomically
    if let Err(e) = staged_store.publish_all() {
        let _ = staged_store.discard_all();
        return Err(e);
    }

    let commit_cid_typed = void_crypto::CommitCid::from_bytes(cid::to_bytes(&commit_cid));

    let t_publish = t0.elapsed();

    crate::index::write_index(
        opts.seal.ctx.paths.workspace_dir.as_std_path(),
        opts.seal.ctx.crypto.vault.index_key()?,
        Some(commit_cid_typed.clone()),
        index_entries,
    )?;
    let t_index = t0.elapsed();

    // Clear all staged blobs — content is now sealed into shards in the object store.
    // Staged blobs are only needed between `void add` and `void commit`.
    let _ = staged::clear_all_staged(opts.seal.ctx.paths.workspace_dir.as_std_path());
    let t_prune = t0.elapsed();

    eprintln!("[commit timing] seal={:?} guard={:?} verify={:?} publish={:?} index={:?} prune={:?}",
        t_seal, t_guard - t_seal, t_verify - t_guard, t_publish - t_verify,
        t_index - t_publish, t_prune - t_index);

    match refs::read_head(&opts.seal.ctx.paths.workspace_dir)? {
        Some(refs::HeadRef::Symbolic(branch)) => {
            refs::write_branch(&opts.seal.ctx.paths.void_dir, &branch, &commit_cid_typed)?;
        }
        Some(refs::HeadRef::Detached(_)) => {
            refs::write_head(
                &opts.seal.ctx.paths.workspace_dir,
                &refs::HeadRef::Detached(commit_cid_typed.clone()),
            )?;
        }
        None => {
            let default_branch = "trunk".to_string();
            refs::write_head(&opts.seal.ctx.paths.workspace_dir, &refs::HeadRef::Symbolic(default_branch.clone()))?;
            refs::write_branch(&opts.seal.ctx.paths.void_dir, &default_branch, &commit_cid_typed)?;
        }
    }

    Ok(CommitResult {
        commit_cid: commit_cid_typed,
        metadata_cid,
        shard_cids,
        stats,
        manifest_cid: Some(manifest_cid),
        total_files: Some(result_total_files),
        total_bytes: Some(result_total_bytes),
        repo_manifest_cid: commit.repo_manifest_cid.clone(),
    })
}

// ============================================================================
// Collaboration Mode Helpers
// ============================================================================

/// Extract public key from an Ed25519 signing key.
fn get_pubkey_from_signing_key(signing_key: &SigningKey) -> Result<SigningPubKey> {
    Ok(SigningPubKey::from_bytes(signing_key.verifying_key().to_bytes()))
}