Madhava/multiparty

.github/workflows/release.yml

@@ -511,6 +511,7 @@ jobs:
         run: |
           for root in \
             src-tauri/resources/syftbox \
+            src-tauri/resources/syqure \
             src-tauri/resources/bundled/uv \
             src-tauri/resources/bundled/java \
             src-tauri/resources/bundled/nextflow; do
@@ -526,12 +527,14 @@ jobs:
         run: |
           # Create placeholder directories and files for resources that tauri.conf.json expects
           mkdir -p src-tauri/resources/syftbox
+          mkdir -p src-tauri/resources/syqure
           mkdir -p src-tauri/resources/bundled/java
           mkdir -p src-tauri/resources/bundled/nextflow
           mkdir -p src-tauri/resources/bundled/uv
 
           # Create placeholder files
           touch src-tauri/resources/syftbox/syftbox
+          touch src-tauri/resources/syqure/syqure
           echo "Placeholder - bundled deps not included in arm64 build" > src-tauri/resources/bundled/README.txt
           touch src-tauri/resources/bundled/java/.placeholder
           touch src-tauri/resources/bundled/nextflow/.placeholder
@@ -599,6 +602,68 @@ jobs:
             Pop-Location
           }
 
+      - name: Build syqure and bundle codon libs
+        if: matrix.build_kind == 'tauri' && runner.os != 'Windows' && matrix.target != 'linux-arm64'
+        shell: bash
+        run: |
+          chmod +x syqure/syqure_bins.sh
+          ./syqure/syqure_bins.sh
+          mkdir -p src-tauri/resources/syqure
+          if [[ -f syqure/target/debug/syqure ]]; then
+            cp syqure/target/debug/syqure src-tauri/resources/syqure/syqure
+            chmod +x src-tauri/resources/syqure/syqure
+          else
+            echo "❌ syqure binary not found at syqure/target/debug/syqure" >&2
+            exit 1
+          fi
+          # Bundle codon/sequre libs alongside syqure so dyld/$ORIGIN finds them
+          if [[ -d syqure/target/dist/syqure/lib/codon ]]; then
+            echo "Copying codon/sequre libs to resources/syqure/lib/codon..."
+            rm -rf src-tauri/resources/syqure/lib/codon
+            mkdir -p src-tauri/resources/syqure/lib/codon
+            cp -RL syqure/target/dist/syqure/lib/codon/. src-tauri/resources/syqure/lib/codon/
+          fi
+          # Fix dylib paths on macOS: bundle transitive homebrew deps and rewrite absolute paths
+          if [[ "$(uname -s)" == "Darwin" ]]; then
+            CODON_LIB="src-tauri/resources/syqure/lib/codon"
+            # Bundle libzstd (transitive dep of libcodonrt/libcodonc)
+            ZSTD_LIB=""
+            if command -v brew >/dev/null 2>&1; then
+              ZSTD_PREFIX="$(brew --prefix zstd 2>/dev/null || true)"
+              if [[ -n "$ZSTD_PREFIX" && -f "$ZSTD_PREFIX/lib/libzstd.1.dylib" ]]; then
+                ZSTD_LIB="$ZSTD_PREFIX/lib/libzstd.1.dylib"
+              fi
+            fi
+            for candidate in /opt/homebrew/opt/zstd/lib/libzstd.1.dylib /usr/local/opt/zstd/lib/libzstd.1.dylib; do
+              if [[ -z "$ZSTD_LIB" && -f "$candidate" ]]; then
+                ZSTD_LIB="$candidate"
+              fi
+            done
+            if [[ -n "$ZSTD_LIB" ]]; then
+              echo "Bundling libzstd from $ZSTD_LIB"
+              cp -L "$ZSTD_LIB" "$CODON_LIB/libzstd.1.dylib"
+              chmod u+w "$CODON_LIB/libzstd.1.dylib"
+            else
+              echo "Warning: libzstd not found; codon dylibs may fail to load" >&2
+            fi
+            # Rewrite absolute homebrew paths to @loader_path in all dylibs
+            echo "Rewriting dylib paths to @loader_path..."
+            for dylib in "$CODON_LIB"/*.dylib; do
+              [[ -f "$dylib" ]] || continue
+              otool -L "$dylib" 2>/dev/null | awk '{print $1}' | { grep -E '/(opt|usr/local)/' || true; } | while read -r abs_path; do
+                lib_name="$(basename "$abs_path")"
+                echo "  $(basename "$dylib"): $abs_path -> @loader_path/$lib_name"
+                install_name_tool -change "$abs_path" "@loader_path/$lib_name" "$dylib"
+              done
+              current_id="$(otool -D "$dylib" 2>/dev/null | tail -1)"
+              if [[ "$current_id" == /opt/* || "$current_id" == /usr/local/opt/* ]]; then
+                lib_name="$(basename "$current_id")"
+                echo "  Fixing install name: $(basename "$dylib") -> @loader_path/$lib_name"
+                install_name_tool -id "@loader_path/$lib_name" "$dylib"
+              fi
+            done
+          fi
+
       - name: Verify syftbox binary architecture + smoke run
         if: matrix.build_kind == 'tauri' && runner.os != 'Windows'
         shell: bash
@@ -741,6 +806,21 @@ jobs:
             codesign --force --options runtime --timestamp --entitlements "$ENTITLEMENTS" --sign "$APPLE_SIGNING_IDENTITY" "$SYFTBOX_BIN"
           fi
 
+          # Sign syqure binary
+          SYQURE_BIN="src-tauri/resources/syqure/syqure"
+          if [[ -f "$SYQURE_BIN" ]]; then
+            echo "Signing syqure binary..."
+            codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$SYQURE_BIN"
+          fi
+
+          # Sign codon/sequre libs bundled with syqure
+          if [[ -d "src-tauri/resources/syqure/lib/codon" ]]; then
+            find src-tauri/resources/syqure/lib/codon -type f \( -name "*.dylib" -o -name "*.so" -o -perm +111 \) | while read -r bin; do
+              echo "Signing syqure codon lib: $bin"
+              codesign --force --options runtime --timestamp --sign "$APPLE_SIGNING_IDENTITY" "$bin" || true
+            done
+          fi
+
           # Sign all uv binaries
           if [[ -d "src-tauri/resources/bundled/uv" ]]; then
             find src-tauri/resources/bundled/uv -type f -perm +111 | while read -r bin; do
@@ -775,7 +855,8 @@ jobs:
 
           echo "Verifying bundled binaries (codesign only)..."
           # Per-file spctl is intentionally skipped; nested tools are validated by final app notarization.
-          for f in "$SYFTBOX_BIN" \
+          for f in "$SYFTBOX_BIN" "$SYQURE_BIN" \
+            $(find src-tauri/resources/syqure/lib/codon -type f \( -name "*.dylib" -o -name "*.so" -o -perm +111 \) 2>/dev/null) \
             $(find src-tauri/resources/bundled/uv -type f -perm +111 2>/dev/null) \
             $(find src-tauri/resources/bundled/nextflow -type f -perm +111 2>/dev/null) \
             $(find src-tauri/resources/bundled/java/macos-aarch64 -type f \( -perm +111 -o -name \"*.dylib\" \) 2>/dev/null); do

.github/workflows/test.yml

@@ -46,42 +46,29 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          # flows-pause-resume (linux only for next push)
-          - scenario: flows-pause-resume
+          # pipelines-multiparty-flow smoke test (linux)
+          - scenario: pipelines-multiparty-flow
             platform: linux-x86_64
             runner: namespace-profile-linux-medium
             client_mode: rust
             tauri_binary: src-tauri/target/release/bv-desktop
             run_prefix: "xvfb-run -a"
-          # flows-collab (linux + windows)
-          - scenario: flows-collab
+
+          # syqure-multiparty-flow secure-only smoke test (linux)
+          - scenario: syqure-multiparty-flow-secure-only
             platform: linux-x86_64
             runner: namespace-profile-linux-medium
             client_mode: rust
             tauri_binary: src-tauri/target/release/bv-desktop
             run_prefix: "xvfb-run -a"
-          - scenario: flows-collab
-            platform: windows-x86_64
-            runner: namespace-profile-windows-medium
-            client_mode: rust
-            tauri_binary: src-tauri/target/release/bv-desktop.exe
-          # jupyter-collab (linux + mac + windows)
-          - scenario: jupyter-collab
+
+          # syqure-multiparty-allele-freq (linux)
+          - scenario: syqure-multiparty-allele-freq
             platform: linux-x86_64
-            runner: namespace-profile-linux-medium
+            runner: namespace-profile-linux-large
             client_mode: rust
             tauri_binary: src-tauri/target/release/bv-desktop
             run_prefix: "xvfb-run -a"
-          - scenario: jupyter-collab
-            platform: macos-arm64
-            runner: namespace-profile-mac-medium
-            client_mode: rust
-            tauri_binary: src-tauri/target/release/bv-desktop
-          - scenario: jupyter-collab
-            platform: windows-x86_64
-            runner: namespace-profile-windows-medium
-            client_mode: rust
-            tauri_binary: src-tauri/target/release/bv-desktop.exe
 
     defaults:
       run:
@@ -129,6 +116,9 @@ jobs:
             workspace-deps-${{ runner.os }}-
 
       - name: Setup workspace
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BV_SKIP_SYQURE: ${{ contains(matrix.scenario, 'syqure') && '0' || '1' }}
         run: |
           chmod +x scripts/setup-workspace.sh
           ./scripts/setup-workspace.sh
@@ -228,6 +218,15 @@ jobs:
             build-essential \
             pkg-config
 
+      - name: Install syqure build dependencies (Linux)
+        if: runner.os == 'Linux' && contains(matrix.scenario, 'syqure')
+        run: |
+          UBUNTU_CODENAME=$(lsb_release -cs 2>/dev/null || echo "jammy")
+          wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | sudo tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc >/dev/null
+          echo "deb http://apt.llvm.org/${UBUNTU_CODENAME}/ llvm-toolchain-${UBUNTU_CODENAME}-17 main" | sudo tee /etc/apt/sources.list.d/llvm-17.list
+          sudo apt-get update
+          sudo apt-get install -y llvm-17-dev libgmp-dev zstd
+
       # NOTE: Docker setup for macOS removed since pipelines-collab tests are skipped on macOS
       # (GitHub macOS runners don't support nested virtualization needed for Docker)
       - name: Check Docker availability (macOS)
@@ -331,6 +330,29 @@ jobs:
         run: cargo build --release
         working-directory: src-tauri
 
+      - name: Build native syqure binary
+        if: contains(matrix.scenario, 'syqure')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd ${{ github.workspace }}/../syqure
+          # Override SSH submodule URLs to HTTPS (no SSH keys in CI)
+          git config --file .gitmodules submodule.codon.url https://github.com/madhavajay/codon.git
+          git config --file .gitmodules submodule.sequre.url https://github.com/madhavajay/sequre.git
+          git submodule sync
+          git submodule update --init --depth 1 codon sequre
+          # Build bundle and binary (matches syqure CI smoke test)
+          BUNDLE_ROOT="bin/linux-x86/codon"
+          BUNDLE_DIR="$(mktemp -d)"
+          BUNDLE_TAR="$BUNDLE_DIR/codon-linux-x86.tar.zst"
+          tar -C "$BUNDLE_ROOT" -ch . | zstd -19 -o "$BUNDLE_TAR"
+          export SYQURE_BUNDLE_FILE="$BUNDLE_TAR"
+          export SYQURE_BUNDLE_CACHE="$BUNDLE_DIR/cache"
+          export SYQURE_CPP_INCLUDE="$BUNDLE_ROOT/include"
+          export SYQURE_CPP_LIB_DIRS="$BUNDLE_ROOT/lib/codon"
+          export SYQURE_LLVM_INCLUDE="$(llvm-config-17 --includedir)"
+          cargo build -p syqure
+
       - name: Install maturin (uv)
         if: runner.os != 'Windows' && matrix.scenario == 'jupyter-collab'
         run: |
@@ -441,6 +463,48 @@ jobs:
             ./test-scenario.sh --jupyter-collab biovault-beaver/notebooks/02-advanced-features.json
           fi
 
+      - name: Run pipelines multiparty flow scenario
+        if: matrix.scenario == 'pipelines-multiparty-flow'
+        env:
+          SKIP_PLAYWRIGHT_INSTALL: "1"
+          AUTO_REBUILD_TAURI: "0"
+        run: |
+          if [ -n "${{ matrix.run_prefix }}" ]; then
+            ${{ matrix.run_prefix }} ./test-scenario.sh --pipelines-multiparty-flow
+          else
+            ./test-scenario.sh --pipelines-multiparty-flow
+          fi
+
+      - name: Run syqure multiparty flow secure-only scenario
+        if: matrix.scenario == 'syqure-multiparty-flow-secure-only'
+        env:
+          SKIP_PLAYWRIGHT_INSTALL: "1"
+          AUTO_REBUILD_TAURI: "0"
+          BV_SKIP_SYQURE: "0"
+          SYQURE_SCENARIO_TIMEOUT: "20m"
+        run: |
+          # Hard cap runtime so a stuck syqure flow cannot burn CI minutes indefinitely.
+          if [ -n "${{ matrix.run_prefix }}" ]; then
+            timeout --preserve-status "$SYQURE_SCENARIO_TIMEOUT" ${{ matrix.run_prefix }} ./test-scenario.sh --syqure-multiparty-flow --syqure-secure-only
+          else
+            timeout --preserve-status "$SYQURE_SCENARIO_TIMEOUT" ./test-scenario.sh --syqure-multiparty-flow --syqure-secure-only
+          fi
+
+      - name: Run syqure multiparty allele-freq scenario
+        if: matrix.scenario == 'syqure-multiparty-allele-freq'
+        env:
+          SKIP_PLAYWRIGHT_INSTALL: "1"
+          AUTO_REBUILD_TAURI: "0"
+          BV_SKIP_SYQURE: "0"
+          SYQURE_SCENARIO_TIMEOUT: "20m"
+        run: |
+          # Hard cap runtime so a stuck syqure flow cannot burn CI minutes indefinitely.
+          if [ -n "${{ matrix.run_prefix }}" ]; then
+            timeout --preserve-status "$SYQURE_SCENARIO_TIMEOUT" ${{ matrix.run_prefix }} ./test-scenario.sh --syqure-multiparty-allele-freq
+          else
+            timeout --preserve-status "$SYQURE_SCENARIO_TIMEOUT" ./test-scenario.sh --syqure-multiparty-allele-freq
+          fi
+
       - name: Upload test artifacts on failure
         if: failure()
         uses: actions/upload-artifact@v4
@@ -452,6 +516,7 @@ jobs:
             artifacts/
 
   profiles-e2e:
+    if: false
     name: profiles-e2e (linux-x86_64)
     runs-on: namespace-profile-linux-medium
     env:
@@ -619,6 +684,7 @@ jobs:
             artifacts/
 
   profiles-e2e-macos:
+    if: false
     name: profiles-e2e (macos-arm64)
     runs-on: namespace-profile-mac-medium
     env:
@@ -763,6 +829,7 @@ jobs:
             artifacts/
 
   profiles-e2e-windows:
+    if: false
     name: profiles-e2e (windows-x86_64)
     runs-on: namespace-profile-windows-medium
     defaults:

.gitignore

@@ -16,6 +16,9 @@ dist-ssr
 target/
 src-tauri/resources/syftbox/syftbox
 src-tauri/resources/syftbox/syftbox.exe
+src-tauri/resources/syqure/syqure
+src-tauri/resources/syqure/syqure.exe
+src-tauri/resources/syqure/lib/
 src-tauri/resources/bundled/
 
 # Editor directories and files

biovault-app-dev.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+set -euo pipefail
+
+# Thin wrapper around biovault-app.sh that uses the local debug binary.
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+DEBUG_BIN="${APP_BIN:-$SCRIPT_DIR/src-tauri/target/debug/bv-desktop}"
+FORCE_REBUILD="${BIOVAULT_DEV_REBUILD:-0}"
+
+ARGS=()
+for arg in "$@"; do
+  case "$arg" in
+    --rebuild)
+      FORCE_REBUILD=1
+      ;;
+    *)
+      ARGS+=("$arg")
+      ;;
+  esac
+done
+
+if [[ "$FORCE_REBUILD" == "1" || ! -x "$DEBUG_BIN" ]]; then
+  if [[ "$FORCE_REBUILD" == "1" ]]; then
+    echo "Forcing debug rebuild (cargo build)..."
+  else
+    echo "Debug binary not found at $DEBUG_BIN"
+    echo "Building debug binary (cargo build)..."
+  fi
+  (cd "$SCRIPT_DIR/src-tauri" && cargo build)
+fi
+
+if [[ ! -x "$DEBUG_BIN" ]]; then
+  echo "Debug binary not found at $DEBUG_BIN"
+  echo "Debug binary still missing at $DEBUG_BIN"
+  exit 1
+fi
+
+APP_BIN="$DEBUG_BIN" exec "$SCRIPT_DIR/biovault-app.sh" "${ARGS[@]}"