Absgrafx/main (#724)

Author: nomadicrogue

proxy-router/internal/attestation/golden.go

@@ -217,7 +217,11 @@ func (g *GoldenSource) verifyAndExtract(ctx context.Context, version string) (*G
 		return nil, fmt.Errorf("failed to read referrer index manifest: %w", err)
 	}
 
-	trustedRoot, err := root.FetchTrustedRoot()
+	// Use a sandbox-safe TUF cache directory when the mobile embedder has
+	// configured one via [SetSigstoreCacheDir]; falls back to the library
+	// default ($HOME/.sigstore/root) on desktop/server builds. See
+	// sigstore_cache.go for why this override exists.
+	trustedRoot, err := root.FetchTrustedRootWithOptions(tufOptions())
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch Sigstore trusted root: %w", err)
 	}

proxy-router/internal/attestation/sigstore_cache.go

@@ -0,0 +1,55 @@
+package attestation
+
+import (
+	"path/filepath"
+	"sync"
+
+	"github.com/sigstore/sigstore-go/pkg/tuf"
+)
+
+// sigstoreCacheDir, when non-empty, overrides the default TUF cache location
+// (`$HOME/.sigstore/root`) used by [sigstore-go] when fetching the trusted
+// root. The default path blows up inside the iOS app sandbox — the home
+// directory returned by `os.UserHomeDir()` maps to
+// `/private/var/mobile/Containers/Data/Application/<UUID>/` which is
+// read-only at the top level; only `Documents/` and `Library/` are
+// writable. Mobile embedders call [SetSigstoreCacheDir] during SDK init to
+// point TUF at the app's writable data directory instead.
+var (
+	sigstoreCacheMu  sync.RWMutex
+	sigstoreCacheDir string
+)
+
+// SetSigstoreCacheDir configures a writable directory to be used as the
+// Sigstore TUF metadata cache. Pass an empty string to fall back to the
+// library default ($HOME/.sigstore/root), which is the right choice on
+// desktop and server builds.
+//
+// Safe to call from any goroutine; takes effect on the next trusted-root
+// fetch. The supplied path is joined with a `sigstore` subdirectory so
+// mobile apps can share a single data-dir across multiple Go caches
+// without them colliding.
+func SetSigstoreCacheDir(dir string) {
+	sigstoreCacheMu.Lock()
+	defer sigstoreCacheMu.Unlock()
+	if dir == "" {
+		sigstoreCacheDir = ""
+		return
+	}
+	sigstoreCacheDir = filepath.Join(dir, "sigstore")
+}
+
+// tufOptions returns a fresh [tuf.Options] with the sandbox-safe cache path
+// applied if one has been configured. Callers should treat the result as
+// ephemeral and not cache it between fetches — the underlying options hold
+// a mutable CachePath.
+func tufOptions() *tuf.Options {
+	opts := tuf.DefaultOptions()
+	sigstoreCacheMu.RLock()
+	dir := sigstoreCacheDir
+	sigstoreCacheMu.RUnlock()
+	if dir != "" {
+		opts = opts.WithCachePath(dir)
+	}
+	return opts
+}

proxy-router/internal/blockchainapi/compute_session_token_test.go

@@ -0,0 +1,92 @@
+package blockchainapi
+
+import (
+	"math/big"
+	"testing"
+
+	"github.com/MorpheusAIs/Morpheus-Lumerin-Node/proxy-router/internal/blockchainapi/structs"
+	"github.com/MorpheusAIs/Morpheus-Lumerin-Node/proxy-router/internal/lib"
+)
+
+func TestComputeSessionTokenAmount(t *testing.T) {
+	makeBid := func(pricePerSecond int64) *structs.Bid {
+		return &structs.Bid{
+			PricePerSecond: &lib.BigInt{Int: *big.NewInt(pricePerSecond)},
+		}
+	}
+
+	tests := []struct {
+		name          string
+		bid           *structs.Bid
+		duration      *big.Int
+		supply        *big.Int
+		budget        *big.Int
+		directPayment bool
+		want          *big.Int
+		wantErr       bool
+	}{
+		{
+			name:          "direct payment",
+			bid:           makeBid(100),
+			duration:      big.NewInt(3600),
+			supply:        big.NewInt(1_000_000),
+			budget:        big.NewInt(50_000),
+			directPayment: true,
+			want:          big.NewInt(360_000),
+		},
+		{
+			name:          "staked",
+			bid:           makeBid(100),
+			duration:      big.NewInt(3600),
+			supply:        big.NewInt(1_000_000),
+			budget:        big.NewInt(50_000),
+			directPayment: false,
+			want:          big.NewInt(7_200_000),
+		},
+		{
+			name:          "nil bid",
+			bid:           nil,
+			duration:      big.NewInt(3600),
+			supply:        big.NewInt(1_000_000),
+			budget:        big.NewInt(50_000),
+			directPayment: false,
+			wantErr:       true,
+		},
+		{
+			name:          "zero budget",
+			bid:           makeBid(100),
+			duration:      big.NewInt(3600),
+			supply:        big.NewInt(1_000_000),
+			budget:        big.NewInt(0),
+			directPayment: false,
+			wantErr:       true,
+		},
+		{
+			name:          "nil budget",
+			bid:           makeBid(100),
+			duration:      big.NewInt(3600),
+			supply:        big.NewInt(1_000_000),
+			budget:        nil,
+			directPayment: false,
+			wantErr:       true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := computeSessionTokenAmount(tt.bid, tt.duration, tt.supply, tt.budget, tt.directPayment)
+			if tt.wantErr {
+				if err == nil {
+					t.Fatalf("expected error, got result %s", got)
+				}
+				return
+			}
+			if err != nil {
+				t.Fatalf("unexpected error: %v", err)
+			}
+			if got.Cmp(tt.want) != 0 {
+				t.Errorf("got %s, want %s", got, tt.want)
+			}
+		})
+	}
+}