{"id":50673162,"url":"https://github.com/intendednull/myrhiza","last_synced_at":"2026-06-08T13:30:36.723Z","repository":{"id":357099669,"uuid":"1234511607","full_name":"intendednull/myrhiza","owner":"intendednull","description":"P2P app runtime: WCM-typed components, capability-secure host surface, event-log replay convergence.","archived":false,"fork":false,"pushed_at":"2026-06-03T10:50:19.000Z","size":4237,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-03T11:23:27.230Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/intendednull.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-10T09:27:33.000Z","updated_at":"2026-06-03T10:50:24.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/intendednull/myrhiza","commit_stats":null,"previous_names":["intendednull/myrhiza"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/intendednull/myrhiza","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intendednull%2Fmyrhiza","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intendednull%2Fmyrhiza/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intendednull%2Fmyrhiza/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intendednull%2Fmyrhiza/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/intendednull","download_url":"https://codeload.github.com/intendednull/myrhiza/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/intendednull%2Fmyrhiza/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34065347,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-08T02:00:07.615Z","response_time":111,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-08T13:30:35.991Z","updated_at":"2026-06-08T13:30:36.712Z","avatar_url":"https://github.com/intendednull.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Myrhiza\n\nA peer-to-peer application runtime. A small kernel hosts typed, capability-mediated,\ncontent-addressed apps built as bundles of WebAssembly components.\n\n**Status:** pre-runtime. The master design spec is `[draft]`; foundation crates\n(kernel, manifest, backend, network, types, test-utils) are in place and the\nplan B-1 event DAG + cross-peer convergence acceptance has just landed on `main`.\nNo runnable end-user binary yet.\n\n**License:** [AGPL-3.0-only](#license).\n\n---\n\n## What Myrhiza is\n\nThe kernel owns identity, peer protocol, the event/DAG primitives, the component\nloader, and the capability arbiter. Everything else — chat, wikis, kanban, polls,\nwhatever someone builds in two years — is an app. Apps cannot touch private keys,\nthe network, persistent storage, or other apps' state directly: every operation\nis mediated by a kernel-arbitrated capability.\n\nTwo load-bearing commitments shape the rest of the design:\n\n- **Peers are infrastructure.** Storage, replication, sync, replay buffering,\n  and snapshot custody are work performed by participants, not by deployed\n  services. As more peers join an app, its maintenance capacity grows. No\n  infrastructure deploy is required to scale.\n- **Capabilities are the only host surface.** WASM execution is non-negotiable\n  on every backend (native, browser, mobile). Compiling apps to native code for\n  performance is explicitly rejected — sandboxing is the point.\n\n### What Myrhiza is not\n\n- Not a chat client. Chat is one app among many.\n- Not a plugin framework for a host application. Apps are the product; the\n  kernel is the substrate.\n- Not a CRDT library. Apps may use CRDTs internally; the kernel stays generic.\n- Not a service to deploy. Peers are the runtime.\n\nThe novel combination is: WASM-Component-Model-typed components + capability-secure\nhost surface + no CRDT in kernel + author-bounded scale at v1 + event-log-replay\nconvergence with TUTTI-shaped drift detection. The individual pieces are borrowed\nfrom Holochain, Agoric/Endo, Spritely OCapN, Croquet, Pears, and the in-house\nancestor Willow. See [`docs/prior-art/`](docs/prior-art/) for the receipts.\n\n---\n\n## Architecture at a glance\n\n### Three tiers\n\n```\n   ┌──────────────────────────────────────────────────────────┐\n   │                       KERNEL                             │\n   │  Identity. Peer protocol. Event/DAG primitives.          │\n   │  Component loader. Capability arbiter. Crypto            │\n   │  primitives. Narrow native imports.                      │\n   └──────────────────────────────────────────────────────────┘\n                              ▲\n                              │ host imports (WIT-typed)\n                              │\n   ┌──────────────────────────────────────────────────────────┐\n   │              MODULES  (myrhiza-* WASM components)        │\n   │  Cross-cutting concerns reusable across apps:            │\n   │  participation, permission, crypto (MLS, channel-key),   │\n   │  state helpers (snapshot-cache, CRDT adapters),          │\n   │  identity, UI primitives.                                │\n   └──────────────────────────────────────────────────────────┘\n                              ▲\n                              │ component imports / wac composition\n                              │\n   ┌──────────────────────────────────────────────────────────┐\n   │                         APPS                             │\n   │  counter, poll, chat, kanban, wiki, etc.                 │\n   │  Compose modules + add app-specific state-apply,         │\n   │  state-propose, interaction, and behavior components.    │\n   └──────────────────────────────────────────────────────────┘\n```\n\nKernel is privileged; modules and apps are sandboxed. Modules and apps are\nmechanically the same shape (WASM components with manifest + signature) — the\ndistinction is intent. Identity custody, capability arbitration, deterministic\nreplay, and network plumbing have to live in the kernel because they need\nprivileged native resources; everything else stays out.\n\n### Four component profiles\n\nComponents declare a runtime profile. Profiles differ in determinism rules and\npermitted host imports.\n\n| Profile | Purpose | Determinism | Where it runs |\n|---|---|---|---|\n| `state-apply` | Materialize event into state; authority verdict | **Strict** — pure function of `(prior state, event)` plus the deterministic helper set | Every peer materializing the topic |\n| `state-propose` | Build a candidate event from intent | Loose — kernel re-checks via `state-apply` in dry-run | The peer originating the event |\n| `interaction` | UI / user-facing surface | Non-deterministic OK; per-peer | Any peer with a UI host |\n| `behavior` | Bots, bridges, automations | Non-deterministic OK; per-`(peer, instance)` identity | Designated peer(s) |\n\nPre-check and apply are mechanically the same WASM function, called by the\nkernel in dry-run vs. real-apply mode. Cross-peer convergence is proved by\nconstruction: two peers that run the same `state-apply` against the same event\nlog get the same state hash. Floats are banned at v1; fuel is instruction-count\nbased; clocks, randomness, network, filesystem, and threads are denied to\n`state-apply`.\n\nFull host-import-by-profile matrix lives in\n[`docs/specs/2026-05-09-myrhiza-master-design/architecture.md`](docs/specs/2026-05-09-myrhiza-master-design/architecture.md) §3.5.\n\n---\n\n## Repository layout\n\n```\nmyrhiza/\n├── Cargo.toml                  workspace root (resolver = \"2\", edition 2024)\n├── Justfile                    fmt / lint / test / fixtures / spec-coverage / ci\n├── rust-toolchain.toml         pinned to 1.95.0\n├── crates/\n│   ├── types/                  shared core types\n│   ├── manifest/               manifest schema, canonical encoding, Ed25519 verify\n│   ├── backend/                backend trait abstraction (Wasmtime + jco satisfy)\n│   ├── wasmtime-backend/       Wasmtime impl: capability-gated linker, fuel, float-ban\n│   ├── kernel/                 install flow + state-apply ABI + state-digest\n│   ├── network/                Network trait + in-process MemNetwork double\n│   └── test-utils/             dev-only fixtures and doubles\n├── wit/myrhiza-kernel/         WIT contracts (frozen + name-resolved)\n├── tests/\n│   ├── fixtures/               wasm component fixtures (built via wasm-tools)\n│   ├── snapshots/              golden artifacts\n│   └── spec-coverage.md        spec-heading ↔ test mapping (CI-validated)\n├── docs/                       specs, plans, reports, prior-art (see docs/README.md)\n└── scripts/                    CI helpers\n```\n\nThe workspace deliberately keeps each crate small and single-purpose. New crates\nland when their first non-trivial code does, not before.\n\n---\n\n## Build and test\n\nRequires Rust 1.95 (pinned via `rust-toolchain.toml`) and, for the WASM fixtures,\nthe `wasm32-unknown-unknown` target plus [`wasm-tools`](https://github.com/bytecodealliance/wasm-tools).\n\n```bash\njust              # default = ci: fmt-check + lint + test + spec-coverage-check\njust fmt          # cargo fmt --all\njust lint         # cargo clippy --workspace --all-targets -- -D warnings\njust test         # cargo test --workspace --all-targets\njust check        # cargo check --workspace --all-targets\njust build-fixtures   # compile + wrap the 5 wasm component fixtures\njust spec-coverage    # regenerate tests/spec-coverage.md\n```\n\nRaw `cargo` equivalents work too; the `just` recipes just bake in the right flags.\nZero clippy warnings is enforced; `unsafe_code = \"forbid\"` workspace-wide;\n`panic` / `unwrap_used` / `expect_used` are `warn`-level on the state-apply\nruntime path with a documented opt-out for test crates.\n\nFixtures are built for `wasm32-unknown-unknown` (not `wasm32-wasip2`) so they\nimport only the kernel's deterministic helper set — the WASI shim would pull in\nimports the kernel does not provide.\n\n---\n\n## Documentation\n\n- **[CLAUDE.md](CLAUDE.md)** — development guide, conventions, profile rules,\n  prior-art protocol.\n- **[docs/README.md](docs/README.md)** — master catalog of specs, plans,\n  reports, prior-art, and reference indices, with status tags.\n- **[docs/specs/2026-05-09-myrhiza-master-design/](docs/specs/2026-05-09-myrhiza-master-design/)** — the runtime master spec.\n  Start with its `README.md` for the reading order. Child files cover\n  architecture, convergence, determinism, identity, capabilities, ABI,\n  crypto, distribution, networking, maintenance, UI, browser-native\n  dual-stack, MVP acceptance, migration, future direction, tradeoffs,\n  risks, implementation outline, and verification.\n- **[docs/prior-art/](docs/prior-art/)** — researched deep dives on Holochain,\n  Pears, Spritely/OCapN, Agoric/Endo, Willow, Iroh, WASM Component Model,\n  wasmCloud, Spin, Croquet, MLS, and the CRDT library landscape.\n\nWhen you touch a spec, plan, or any non-trivial change: read the master spec\nREADME first. The prior-art folders are launchpads for further research, not\nfinal answers.\n\n---\n\n## Design choices (the short version)\n\n- **Strict-purity state-apply.** Determinism is a load-bearing property. Any\n  non-determinism in `state-apply` is a correctness bug, not a quirk. Pre-check\n  is mechanically the same function.\n- **Capabilities are the only host surface.** Adding a host import is an ABI\n  change. The kernel's deterministic helper set is the minimal trusted ground.\n- **WASM Component Model + WIT.** Wasmtime LTS 36.0.9 on native; jco-shimmed\n  in the browser. Components compose via `wac`. WIT contracts are frozen and\n  CI-checked.\n- **Content-addressed bundles, Ed25519-signed manifests.** Bundle hash is\n  identity; the kernel binary is the trust root.\n- **Event-log replay convergence (not in-kernel CRDTs).** The kernel arbitrates\n  ordering and applies events through `state-apply`; merge semantics live in\n  app code. Apps may pull in CRDT modules as dependencies.\n- **iroh transport.** Dial-by-pubkey QUIC, content-addressed blob distribution,\n  NAT traversal via relays. (B-4 wiring is upcoming; current `network` crate is\n  the trait + in-process double.)\n- **Dual-stack v1: native + browser.** Both targets are first-class. Browser\n  uses jco transpile + submit-and-poll for async surfaces.\n- **No worker class.** Maintenance is a deployment posture, not a runtime\n  profile. Peers self-select into hosting maintenance modules.\n- **AGPL-3.0-only.** Strong copyleft on the runtime.\n\nTradeoffs and runners-up that were rejected are documented inline in the spec\n— see `tradeoffs.md` for the matrix.\n\n---\n\n## Future direction\n\nMaster spec commits direction on these so v1 does not paint corners.\nImplementation lands in child specs when demand emerges; see\n[`docs/specs/2026-05-09-myrhiza-master-design/future.md`](docs/specs/2026-05-09-myrhiza-master-design/future.md)\nfor the full inventory.\n\n- **Scaling.** Event-log replay scales linearly. Likely v2+ evolution: DHT-shape\n  sharding layered on top; cooperative pinning, log-pruning, and derived-state\n  replication are preserved as alternative paths. Decision criteria: measure the\n  bottleneck before committing.\n- **Distributed maintenance.** Default-instantiation heuristics, capability\n  advertisement, fair-share scheduling between topics, bridges between\n  operator-deployed infrastructure and social-graph invitation discipline.\n- **Identity.** Multi-device device-add/revoke, recovery for a lost device,\n  cross-peer behavior continuity, and a quantum-safe signature migration.\n- **Crypto.** A `myrhiza-crypto-mls` module when the first MLS-needing app\n  arrives (Cremers ETK 2025: use Ed25519, never ECDSA). Channel-key, double-\n  ratchet, sealed-content modules to follow. Quantum-safe primitives.\n- **Capability model.** A high-value-op list for per-call gating, capability\n  vocabulary in the manifest schema, cross-app authority composition (out of\n  scope at v1).\n- **Distribution.** Bundle revocation, in-band catalog gossip for app/module\n  discovery, supply-chain hardening tooling.\n- **Networking.** Topic-ID rotation through dumb relays, an `HistorySyncComplete`\n  EOSE-style backfill signal, Negentropy-shape range reconciliation for very\n  large topics.\n- **Determinism.** Opt-in floats via `state-apply.allow-floats = true` in a\n  manifest, snapshot portability across component-version upgrades, additional\n  state-digest formats opt-in.\n- **Interaction.** Full `ui:*` WIT contract details, custom-pixel surface\n  escape hatch on non-web platforms. Hot-reload deferred to v2.\n- **Module ecosystem.** Versioning + semver discipline, bus-factor handling on\n  official `myrhiza-*` modules, audit / curation policy.\n\nThe MVP acceptance is two coexisting apps (counter + poll) on the same kernel,\nwith cross-peer convergence verified via `state-digest`, capability gating\nproven, and per-app namespacing intact. See\n[`docs/specs/2026-05-09-myrhiza-master-design/mvp.md`](docs/specs/2026-05-09-myrhiza-master-design/mvp.md)\n§15.1 for the full acceptance criteria.\n\n---\n\n## Contributing\n\nRead [CLAUDE.md](CLAUDE.md) first — it covers development principles\n(quality + longevity over speed, no hacky workarounds, root-cause every bug,\nverify-before-claiming-done), the spec/plan workflow under `docs/`, and the\nprior-art protocol.\n\nPR hygiene:\n\n- [Conventional Commits](https://www.conventionalcommits.org/) (`feat:`,\n  `fix:`, `docs:`, `refactor:`, `chore:`).\n- One concern per PR. If the description needs three sections, it is two PRs.\n- Never `--no-verify`. If a hook fails, fix the root cause.\n- Never force-push `main`.\n- `just ci` must be green before review.\n\nWhen a spec consults prior art, cite the folder and section\n(e.g. `prior-art/mls/lessons.md §3`), name the runner-up paradigm if a choice\nwas made, and flag remaining gaps.\n\n---\n\n## License\n\nLicensed under the [GNU Affero General Public License v3.0 only](https://www.gnu.org/licenses/agpl-3.0.html)\n(`AGPL-3.0-only`). See workspace `Cargo.toml` for the declaration.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintendednull%2Fmyrhiza","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fintendednull%2Fmyrhiza","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fintendednull%2Fmyrhiza/lists"}