New crate. Per-session file proxy that gates filesystem access to an
explicit allowlist of paths passed at startup.
Usage: weft-file-portal <socket_path> [--allow <path>]...
Listens on a Unix domain socket. Each connection receives newline-
delimited JSON requests and returns newline-delimited JSON responses.
File content is base64-encoded. Operations: read, write, list.
Empty allowlist rejects all requests; paths checked with starts_with.
7 unit tests covering access control, read/write roundtrip, and list.
New crate: weft-mount-helper. A privileged helper binary that sets up
dm-verity devices and mounts EROFS images for app isolation.
Commands:
mount <img> <hash_dev> <root_hash> <mountpoint>
- opens a named dm-verity device via veritysetup open
- mounts the resulting /dev/mapper/<name> as EROFS read-only
- cleans up the dm device if mount fails
umount <mountpoint>
- unmounts the mountpoint
- closes the dm-verity device via veritysetup close
Device naming: derives a stable name from the mountpoint path, limited
to 31 chars (DM limit), always prefixed weft-. Root check reads
/proc/self/status euid rather than using unsafe libc calls.
Tests: device_name_sanitizes_path, device_name_truncates_long_paths.
Two new tests cover appd_socket_path():
- appd_socket_path_uses_override_env: WEFT_APPD_SOCKET takes precedence
- appd_socket_path_errors_without_xdg_and_no_override: returns error when
both WEFT_APPD_SOCKET and XDG_RUNTIME_DIR are unset
wsl-test.sh: add --test-threads=1 for weft-appd to prevent WEFT_RUNTIME_BIN
races between the supervisor integration tests.
Two new tests mirror the weft-runtime package_store_roots tests:
- list_installed_roots_uses_weft_app_store_when_set
- list_installed_roots_includes_system_path
wsl-test.sh: add --test-threads=1 for weft-pack to prevent
WEFT_APP_STORE env var races between install, uninstall, and the
new list_roots tests.
main.rs: add dispatch_query_installed_returns_installed_apps to verify
the QueryInstalledApps arm returns Response::InstalledApps.
wsl-test.sh: run weft-runtime tests with --test-threads=1 to prevent
the WEFT_APP_STORE env var race between package_store_roots_includes_
system_path and package_store_roots_uses_weft_app_store_when_set.
New crate: weft-pack — command-line tool for validating WEFT application
package directories against the app-package-format spec.
src/main.rs:
- check <dir>: loads wapp.toml, validates app ID format, verifies
package.name is non-empty and <=64 chars, confirms runtime.module and
ui.entry files exist. Prints 'OK' on success or the list of errors.
- info <dir>: prints all manifest fields to stdout.
- load_manifest(): reads and parses wapp.toml with toml crate.
- is_valid_app_id(): enforces reverse-domain convention (>=3 components,
each starting with a lowercase letter, digits allowed, no hyphens or
uppercase).
Tests (5):
- app_id_valid: accepts well-formed reverse-domain IDs.
- app_id_invalid: rejects two-component, uppercase, hyphen, empty IDs.
- check_package_missing_manifest: error when wapp.toml is absent.
- check_package_valid: full happy-path with real temp files.
- check_package_invalid_app_id: error on a hyphenated app ID.
New deps: toml 0.8, serde 1 (derive).
Added weft-pack to workspace Cargo.toml; wsl-test.sh extended.
New crate: weft-runtime — the child process spawned by weft-appd to
execute WEFT application packages.
src/main.rs:
- Parses CLI arguments: <app_id> <session_id> (as per the supervisor
contract in runtime.rs).
- resolve_package(): searches user store
(~/.local/share/weft/apps/<app_id>) then system store
(/usr/share/weft/apps/<app_id>) for a wapp.toml manifest. Overridden
by WEFT_APP_STORE env var.
- Verifies app.wasm exists in the resolved package directory.
- Stubs Wasmtime execution with a TODO comment; prints 'READY' to
stdout and exits cleanly so weft-appd's supervisor can complete the
session lifecycle during development and integration testing.
Tests (2):
- package_store_roots_includes_system_path: system store path present.
- package_store_roots_uses_weft_app_store_when_set: WEFT_APP_STORE
override replaces default search list.
Also:
- Added weft-runtime to workspace Cargo.toml members.
- wsl-test.sh: added cargo test -p weft-runtime.
ipc.rs tests (4 tests):
- request_msgpack_roundtrip: LaunchApp serializes and deserializes with
correct field values.
- response_msgpack_roundtrip: LaunchAck round-trips through MessagePack.
- frame_write_read_roundtrip: write_frame encodes a 4-byte LE length
header + body; read_frame decodes the framed request correctly.
- read_frame_eof_returns_none: empty stream returns None without error.
main.rs tests (5 tests):
- registry_launch_increments_id: each launch returns a strictly
increasing session ID.
- registry_terminate_known_session: terminate returns true and state
transitions to NotFound.
- registry_terminate_unknown_returns_false: terminate on missing ID
returns false.
- registry_running_ids_reflects_live_sessions: running_ids returns all
active sessions; terminated sessions are removed.
- registry_state_not_found_for_unknown: querying an unknown session ID
returns AppStateKind::NotFound.
Also extends scripts/wsl-test.sh to run weft-appd tests alongside
weft-compositor tests.
Stale identifier rejection (state.rs):
- WeftShellWindowData gains a closed: AtomicBool field (default false).
- Dispatch<ZweftShellWindowV1, WeftShellWindowData>::request() checks the
closed flag before processing any request; posts a DefunctWindow error
(code 0) if the window has been closed, satisfying the error enum
defined in the protocol XML.
Unit tests (protocols/mod.rs, 5 tests):
- window_data_stores_fields: verifies app_id, title, role, and initial
closed state are stored correctly.
- closed_flag_transition: verifies AtomicBool store/load round-trip.
- manager_interface_name_and_version: confirms generated interface name
zweft_shell_manager_v1 and version 1.
- window_interface_name_and_version: confirms generated interface name
zweft_shell_window_v1 and version 1.
- defunct_window_error_code: confirms Error::DefunctWindow == 0 as
declared in the protocol XML.
Also adds scripts/wsl-test.sh for running cargo test with the
libdisplay-info shim in place.
Includes winit Wayland input audit for servo-shell integration planning.
New files:
- crates/weft-servo-shell/: new workspace member
- Cargo.toml: anyhow + tracing deps; no servo dep yet (requires git
dependency on github.com/servo/servo with multi-minute build; deferred
until embedder contract is confirmed)
- src/main.rs: reads WAYLAND_DISPLAY and WEFT_SYSTEM_UI_HTML, locates
system-ui.html from packaged path, calls embed_servo() stub that
returns a descriptive error explaining the integration work remaining
- infra/shell/system-ui.html: system UI document per blueprint Section 5
DOM structure (weft-desktop, weft-wallpaper, weft-taskbar, weft-launcher,
weft-notification-center, weft-window); includes clock and launcher toggle
- infra/systemd/servo-shell.service: Requires+After weft-compositor.service,
Type=simple, Restart=on-failure
- docs/architecture/winit-wayland-audit.md: audit of winit 0.30.x Wayland
backend against WEFT input requirements; identifies keyboard shortcut
inhibit gap, touch gesture gap, IME incomplete (zwp_text_input_v3),
frame pacing absent (wp_presentation_time), DMA-BUF unverified;
none block initial integration; all tracked as pre-GA work items
Modified:
- Cargo.toml: add weft-servo-shell to workspace members
- scripts/wsl-check.sh: switch to --workspace for all three gates
Fixes found by running cargo check + clippy -D warnings + fmt --check
on openSUSE Tumbleweed WSL2 (Rust 1.93.0).
input.rs:
- Add GestureBeginEvent (fingers()), GestureEndEvent (cancelled()),
TouchEvent (slot()) supertrait imports
- Add explicit ::<B> turbofish to all handle_* dispatch calls Rust
cannot reverse-infer B from an associated type bound
- Remove now-redundant specific gesture/touch event trait imports
state.rs:
- Add reposition_request to XdgShellHandler (E0046)
- Wrap protocol-level LayerSurface in desktop::LayerSurface::new for
map_layer (E0308)
- Wrap std::env::set_var in unsafe block (E0133, stabilised unsafe in 1.80)
- Add #[allow(dead_code)] on WeftCompositorState protocol state fields
are held for delegate dispatch, not yet consumed
- Remove spurious mut on display binding
drm.rs:
- Revert initialize_output arg to &output (&Output: Into<OutputModeSource>)
- Specify element type via ::<_, WaylandSurfaceRenderElement<_>> turbofish
on initialize_output (E0277/E0308)
- Handle Result from scan_connectors, collect via IntoIterator (E0308)
- Wrap set_var in unsafe block; remove spurious mut on display
- Collapse nested if/if-let blocks per clippy::collapsible_if
- Remove useless .into() on render_node (clippy::useless_conversion)
drm_device.rs:
- Add #[allow(dead_code)] on WeftOutputSurface (device_id, global used
in hotplug handling)
scripts/wsl-check.sh (new):
- WSL2 helper: injects libdisplay-info 0.2.9 shim .pc to satisfy the
< 0.3.0 constraint while openSUSE ships 0.3.0; runs check/clippy/fmt
