hephaestus/Cargo.toml

[workspace]
resolver = "2"
members = ["crates/heph-core", "crates/hephd", "crates/heph"]

[workspace.package]
edition = "2021"
version = "0.0.0"
license = "LicenseRef-Proprietary"
publish = false
authors = ["Erich Blume <blume.erich@gmail.com>"]
rust-version = "1.85"

[workspace.dependencies]
rusqlite = { version = "0.32", features = ["bundled"] }
ulid = "1"
thiserror = "2"
anyhow = "1"
pulldown-cmark = { version = "0.13", default-features = false }
rrule = "0.13"
yrs = "0.26"
chrono = { version = "0.4", default-features = false, features = ["clock"] }
serde = { version = "1", features = ["derive"] }
serde_json = "1"
tokio = { version = "1", features = [
  "rt-multi-thread",
  "net",
  "io-util",
  "macros",
  "sync",
  "time",
] }
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter"] }
clap = { version = "4", features = ["derive"] }
fs4 = "0.12"
axum = "0.8"
jsonwebtoken = { version = "10", features = ["rust_crypto"] }
keyring = { version = "3", features = [
  "apple-native",
  "sync-secret-service",
  "crypto-rust",
  "vendored",
] }
ureq = { version = "3", features = ["json"] }
reqwest = { version = "0.13", default-features = false, features = [
  "json",
  "query",
] }

[profile.release]
lto = "thin"
Scaffold cargo workspace + heph-core foundation Kick off Phase 1 (v1 prototype) per tech-spec §11.1. Sets up the Cargo workspace and the first TDD slice of heph-core: - Migration runner + §4.5 SQLite schema (nodes, tasks, links, aliases, users, oplog, sync_state, conflicts), versioned via PRAGMA user_version. - Clock-injected `Clock` trait (no ambient wall-clock reads; §2). - `Store` trait + `LocalStore` SQLite backend with node create/get, bootstrapping the single local user (oidc_sub NULL, §13). - Node model (kinds: doc/task/project/tag/journal). Repo housekeeping: fill AGENTS.md Project Structure (last template TODO), ignore /target, add self-bootstrapping .forgejo/scripts/build that runs cargo fmt/clippy/test in CI (§9), changelog fragment. Tests green: 4 unit tests (migration version, local-user idempotency, create/get round-trip, missing-node None). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-31 18:52:15 -07:00			`[workspace]`
			`resolver = "2"`
heph CLI + export Slice 7 (tech-spec §1, §5, §9). - Export (heph-core): render each non-tombstoned node to `<kind>/<id>.md` with YAML frontmatter (id, kind, title, timestamps, task scalars, aliases, outgoing links) + body. One-way snapshot; `Store::export` writes the tree; tombstones excluded. Added `export` RPC method and Error::Io. - `heph` CLI (clap): thin client of hephd over the socket — `next` (concise ranked rows), `task`, `doc`, `get`, `export`. Never touches SQLite directly. Tests: 3 export render unit + 2 export round-trip integration + 3 CLI process tests driving the real `heph` binary against a real daemon (task→next, empty-store message, export writes files). 70 tests green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-31 20:33:59 -07:00			`members = ["crates/heph-core", "crates/hephd", "crates/heph"]`
Scaffold cargo workspace + heph-core foundation Kick off Phase 1 (v1 prototype) per tech-spec §11.1. Sets up the Cargo workspace and the first TDD slice of heph-core: - Migration runner + §4.5 SQLite schema (nodes, tasks, links, aliases, users, oplog, sync_state, conflicts), versioned via PRAGMA user_version. - Clock-injected `Clock` trait (no ambient wall-clock reads; §2). - `Store` trait + `LocalStore` SQLite backend with node create/get, bootstrapping the single local user (oidc_sub NULL, §13). - Node model (kinds: doc/task/project/tag/journal). Repo housekeeping: fill AGENTS.md Project Structure (last template TODO), ignore /target, add self-bootstrapping .forgejo/scripts/build that runs cargo fmt/clippy/test in CI (§9), changelog fragment. Tests green: 4 unit tests (migration version, local-user idempotency, create/get round-trip, missing-node None). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-31 18:52:15 -07:00
			`[workspace.package]`
			`edition = "2021"`
			`version = "0.0.0"`
			`license = "LicenseRef-Proprietary"`
			`publish = false`
			`authors = ["Erich Blume <blume.erich@gmail.com>"]`
			`rust-version = "1.85"`

			`[workspace.dependencies]`
			`rusqlite = { version = "0.32", features = ["bundled"] }`
			`ulid = "1"`
			`thiserror = "2"`
			`anyhow = "1"`
heph-core: markdown extraction (wiki-links + checkboxes) Slice 2 (tech-spec §5). Pure, deterministic derivation from a body: - `[[wiki-links]]` → wiki-link targets, in first-seen order, deduped, honoring `[[target\|display]]`. Scans the raw body (CommonMark mangles `[[ ]]` brackets in inline parsing) and excludes matches inside code, whose byte ranges come from pulldown-cmark's offset iterator. - GFM `- [ ]` / `- [x]` task items → the local context-item index (Fork A): label keeps raw markdown (for promotion) + checked state. - Code blocks are correctly skipped for both. 10 extraction unit tests incl. idempotency; 14 total green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-31 18:56:59 -07:00			`pulldown-cmark = { version = "0.13", default-features = false }`
heph-core: recurrence (roll-forward in place) + per-task logs Slice 5 (tech-spec §4.4). Completing a recurring task rolls it forward in place instead of marking it done — the Todoist-corner-avoiding model. Pure recurrence module: - next_occurrence(rrule, anchor, after): lazy RRULE expansion (rrule + chrono/UTC) returning the next instance strictly after `after`, skipping missed occurrences; None when a finite series is exhausted. - reset_checkboxes(body): the fresh-checklist transform — unchecks every `- [x]`, idempotent, preserves indentation/bullet/line-endings. Storage roll-forward (one transaction, on set_state(done) of a recurring task): reset the canonical context doc's checklist, append the completed occurrence to the task's log, advance do_date to the next instance after now (skipping misses); finite series finally goes done. `skip` advances the same way without logging. Non-recurring done is unchanged. Per-task append-only log (`log-of` doc): log_append / log_tail — the resumption breadcrumb + recurring-completion narrative ([[design]] §6.4). Tests: 7 recurrence unit + 2 proptests (no checked marker survives reset; reset idempotent for any body) + 6 end-to-end incl. five-occurrence no-carry-forward and missed-collapse-to-one. 53 tests green. This completes the heph-core library layer. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-31 19:14:22 -07:00			`rrule = "0.13"`
heph-core: body text-CRDT via yrs (sync 8d) Replace last-writer-wins for node bodies with the yrs text CRDT, so concurrent edits to different regions of a body merge instead of one clobbering the other (tech-spec §5, §12). - New crate::crdt module wraps yrs: a device authors under a stable client_id derived from its sync origin; a whole-buffer write is diffed (common prefix/suffix, char-boundary safe) into the doc and the yrs delta is captured; merge is commutative/idempotent. - nodes::create/update/journal maintain the body_crdt BLOB and put the yrs delta in the node.create/node.set op payload (body_crdt field). Recurrence's local checklist reset goes through the same path to keep body and body_crdt consistent (still records no op, as before). - apply::node_upsert merges the body delta through the CRDT regardless of HLC order and drops body-conflict recording; titles + task scalars stay LWW with the conflict queue. - convergence test now asserts disjoint concurrent body edits both survive and enqueue no conflict. 97 tests green; clippy -D warnings + fmt + prek clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-01 09:06:17 -07:00			`yrs = "0.26"`
heph-core: recurrence (roll-forward in place) + per-task logs Slice 5 (tech-spec §4.4). Completing a recurring task rolls it forward in place instead of marking it done — the Todoist-corner-avoiding model. Pure recurrence module: - next_occurrence(rrule, anchor, after): lazy RRULE expansion (rrule + chrono/UTC) returning the next instance strictly after `after`, skipping missed occurrences; None when a finite series is exhausted. - reset_checkboxes(body): the fresh-checklist transform — unchecks every `- [x]`, idempotent, preserves indentation/bullet/line-endings. Storage roll-forward (one transaction, on set_state(done) of a recurring task): reset the canonical context doc's checklist, append the completed occurrence to the task's log, advance do_date to the next instance after now (skipping misses); finite series finally goes done. `skip` advances the same way without logging. Non-recurring done is unchanged. Per-task append-only log (`log-of` doc): log_append / log_tail — the resumption breadcrumb + recurring-completion narrative ([[design]] §6.4). Tests: 7 recurrence unit + 2 proptests (no checked marker survives reset; reset idempotent for any body) + 6 end-to-end incl. five-occurrence no-carry-forward and missed-collapse-to-one. 53 tests green. This completes the heph-core library layer. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-31 19:14:22 -07:00			`chrono = { version = "0.4", default-features = false, features = ["clock"] }`
hephd local mode: file lock + JSON-RPC over unix socket Slice 6 (tech-spec §3, §6, §10). First async component — the per-device daemon in local mode. - `LockGuard`: exclusive advisory flock on a sidecar `<db>.lock`; a second acquire fails and releases on drop (the §3.1 lock handoff). - JSON-RPC (line-delimited): `rpc::dispatch` maps node/task/next/links/log methods onto the heph-core Store; `Daemon::serve` accepts unix-socket connections and runs dispatch on tokio's blocking pool behind an Arc<Mutex<LocalStore>> (DB never touches an async worker). - Synchronous `Client` for surfaces/CLI; `hephd` binary (clap) opens the store under lock and serves the default socket. - heph-core model/ranking types are now serde-(de)serializable; added node.tombstone + Store::tombstone_node. Tests: 2 lock unit tests + 5 real-socket e2e (round-trip with clock injection, next, error paths, recurring roll-forward over RPC, 8-client concurrency). 60 tests green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-31 20:28:15 -07:00			`serde = { version = "1", features = ["derive"] }`
			`serde_json = "1"`
			`tokio = { version = "1", features = [`
			`"rt-multi-thread",`
			`"net",`
			`"io-util",`
			`"macros",`
			`"sync",`
			`"time",`
			`] }`
			`tracing = "0.1"`
			`tracing-subscriber = { version = "0.3", features = ["env-filter"] }`
			`clap = { version = "4", features = ["derive"] }`
			`fs4 = "0.12"`
hephd: network sync over HTTP — hub + spoke (sync 9a) Wire the existing merge engine over the network so the everyday config (local + hub_url) syncs through a hub. Transport ratified = axum HTTP/JSON (tech-spec §6.1, §12). - heph-core: SyncCursors model + Store::sync_state/record_sync over the sync_state table (per-peer push/pull HLC cursors). Incremental, so each exchange transfers only the tail. - hephd::sync: the hub router (POST /sync/push, GET /sync/pull?after=<hlc>) served from the shared LocalStore, and sync_once — a spoke's pull-then- merge, then push-tail exchange, advancing the cursors. Idempotent: a re-pushed op the hub already has is a no-op. - Daemon carries optional hub config; sync.now/sync.status handled at the daemon (they need the hub transport the store can't reach). conflicts. list/resolve now reachable over the unix socket too. - main: --mode local\|server, --hub-url, --http-addr. server mode binds the hub HTTP endpoint on the same store; a local+hub_url spoke background- syncs on a 30s interval. - tests/sync_http.rs: two spokes converge through a real-HTTP hub on an ephemeral port — node propagation and a divergent-scalar conflict. Unauthenticated/single-owner for now; OIDC + per-user scoping is slice 10, client mode + RemoteStore is 9b. 100 tests green; clippy -D warnings + fmt + prek clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-01 15:14:20 -07:00			`axum = "0.8"`
hephd: OIDC hub authentication — verification side (auth 10a) Authenticate op exchange at the network boundary (tech-spec §13). The hub now requires a valid OIDC bearer token on /sync/* and /rpc; local mode is unchanged (no auth). - heph-core: Store::authorize_owner_sub — single-tenant gate that claims the owner's oidc_sub on first sight, then authorizes only that sub (403 for any other identity). LocalStore impl over users.oidc_sub; RemoteStore stub. - hephd auth module: TokenVerifier trait (mockable seam) + OidcVerifier (jsonwebtoken, rust_crypto). Strict validation: RS256 pinned, exact iss + aud, exp/nbf, required sub; JWKS discovered + cached, refetched on unknown kid (rotation). Claims/AuthError. - Hub router takes Option<verifier>; an axum middleware on every route extracts the Bearer token, verifies it off the async worker, and runs the owner gate — 401 missing/invalid, 403 wrong identity, 503 IdP-unreachable. Open (no auth) when unconfigured, for local dev. - main: --oidc-issuer/--oidc-audience enable the hub verifier (server mode). - Security tests, all offline: stub-verifier middleware (missing/bad/valid + owner gate) and an adversarial battery driving OidcVerifier against an in-process mock IdP — rejects expired, wrong iss/aud, unknown kid, tampered signature, alg confusion (HS256/none), and missing sub. The RSA key + JWKS are generated at runtime (rsa/rand/base64 dev-deps) so no key is committed. - tech-spec: add an end-of-v1 dependency-refresh pass to the roadmap. 108 tests green; clippy -D warnings + fmt + prek clean. Next: client-side device-code login + keyring (10b). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-01 15:58:20 -07:00			`jsonwebtoken = { version = "10", features = ["rust_crypto"] }`
hephd: OIDC client auth — device-code flow + token attach (auth 10b) Close the auth loop: clients obtain a bearer token and present it to the hub (tech-spec §13). - oauth module: DeviceFlow (RFC 8628 — discover, start, poll handling authorization_pending/slow_down, refresh) + StoredToken + TokenStore (OS keyring via `keyring`, in-memory for tests) + current_bearer (loads and refreshes-on-expiry). - heph auth login/logout: runs the device flow, prints the verification URL + user code, caches the token in the keyring. - sync_once gains a bearer arg; the daemon (Daemon::spawn_sync_loop + sync.now) obtains it via current_bearer; RemoteStore attaches it to /rpc. --oidc-issuer/--oidc-client-id configure the spoke/client. - Fix a latent panic: reqwest::blocking spins its own runtime and panics inside the daemon's spawn_blocking pool. All blocking auth/proxy HTTP (OidcVerifier JWKS, DeviceFlow, RemoteStore) now uses runtime-free `ureq`; async reqwest remains only for sync_once. (Caught by the new e2e test.) - Tests (offline): device flow + refresh + token store vs a mock OAuth server; a full spoke->authenticated-hub loop (valid token accepted, missing token rejected) signed by a runtime-generated RSA key. 112 tests green; clippy -D warnings + fmt + prek clean. Slice 10 (auth) complete; next is heph.nvim. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-01 16:27:36 -07:00			`keyring = { version = "3", features = [`
			`"apple-native",`
			`"sync-secret-service",`
			`"crypto-rust",`
			`"vendored",`
			`] }`
			`ureq = { version = "3", features = ["json"] }`
hephd: network sync over HTTP — hub + spoke (sync 9a) Wire the existing merge engine over the network so the everyday config (local + hub_url) syncs through a hub. Transport ratified = axum HTTP/JSON (tech-spec §6.1, §12). - heph-core: SyncCursors model + Store::sync_state/record_sync over the sync_state table (per-peer push/pull HLC cursors). Incremental, so each exchange transfers only the tail. - hephd::sync: the hub router (POST /sync/push, GET /sync/pull?after=<hlc>) served from the shared LocalStore, and sync_once — a spoke's pull-then- merge, then push-tail exchange, advancing the cursors. Idempotent: a re-pushed op the hub already has is a no-op. - Daemon carries optional hub config; sync.now/sync.status handled at the daemon (they need the hub transport the store can't reach). conflicts. list/resolve now reachable over the unix socket too. - main: --mode local\|server, --hub-url, --http-addr. server mode binds the hub HTTP endpoint on the same store; a local+hub_url spoke background- syncs on a 30s interval. - tests/sync_http.rs: two spokes converge through a real-HTTP hub on an ephemeral port — node propagation and a divergent-scalar conflict. Unauthenticated/single-owner for now; OIDC + per-user scoping is slice 10, client mode + RemoteStore is 9b. 100 tests green; clippy -D warnings + fmt + prek clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-06-01 15:14:20 -07:00			`reqwest = { version = "0.13", default-features = false, features = [`
			`"json",`
			`"query",`
			`] }`
Scaffold cargo workspace + heph-core foundation Kick off Phase 1 (v1 prototype) per tech-spec §11.1. Sets up the Cargo workspace and the first TDD slice of heph-core: - Migration runner + §4.5 SQLite schema (nodes, tasks, links, aliases, users, oplog, sync_state, conflicts), versioned via PRAGMA user_version. - Clock-injected `Clock` trait (no ambient wall-clock reads; §2). - `Store` trait + `LocalStore` SQLite backend with node create/get, bootstrapping the single local user (oidc_sub NULL, §13). - Node model (kinds: doc/task/project/tag/journal). Repo housekeeping: fill AGENTS.md Project Structure (last template TODO), ignore /target, add self-bootstrapping .forgejo/scripts/build that runs cargo fmt/clippy/test in CI (§9), changelog fragment. Tests green: 4 unit tests (migration version, local-user idempotency, create/get round-trip, missing-node None). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> 2026-05-31 18:52:15 -07:00
			`[profile.release]`
			`lto = "thin"`