fix(lithoglyph): migrate Zig 0.15.2 API changes across core-zig and gql-dt/bridge

core-zig:
- build.zig: wire _crypto_tests (unused const) into test step; rename to crypto_tests
- src/crypto.zig: full 0.15.2 migration — fix 3-arg @memcpy → std.mem.writeInt,
  @ptrCast old syntax → typed *const [N]u8 params, [N]u8{val} → std.mem.zeroes,
  block.header.encrypted (non-existent field) → flags bitmask checks,
  @truncate(enum) → @intFromEnum, runtime-sized stack array → caller-owned out_buf,
  key_bytes.len on many-ptr → loop modulo AES256_KEY_SIZE constant
- src/blocks.zig: isEncrypted() — use flag bitmask instead of non-existent .encrypted field
- src/crypto_test.zig: [N]u8{0} (1 element) → std.mem.zeroes([N]u8)

gql-dt/bridge:
- lith_persist.zig: fix test assertions — lith_init returns i32 (not LithStatus),
  add missing dummy args to lith_is_init(0) and lith_save(0)

Test results: core-zig 33/33, ffi/zig 10/10, gql-dt/bridge 15/15.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: hyperpolymath

lithoglyph/core-zig/build.zig

@@ -56,7 +56,7 @@ pub fn build(b: *std.Build) void {
     });
 
     // Unit tests for crypto
-    const _crypto_tests = b.addTest(.{
+    const crypto_tests = b.addTest(.{
         .name = "crypto-tests",
         .root_module = b.createModule(.{
             .root_source_file = b.path("src/crypto_test.zig"),
@@ -66,8 +66,10 @@ pub fn build(b: *std.Build) void {
     });
 
     const run_blocks_tests = b.addRunArtifact(blocks_tests);
+    const run_crypto_tests = b.addRunArtifact(crypto_tests);
 
     const test_step = b.step("test", "Run unit tests");
     test_step.dependOn(&run_bridge_tests.step);
     test_step.dependOn(&run_blocks_tests.step);
+    test_step.dependOn(&run_crypto_tests.step);
 }

lithoglyph/core-zig/src/blocks.zig

@@ -247,7 +247,7 @@ pub const Block = struct {
 
     /// Check if block payload is encrypted
     pub fn isEncrypted(self: *const Block) bool {
-        return self.header.encrypted;
+        return (self.header.flags & 0x02) != 0; // bit 1 = encrypted in BlockFlags
     }
 
     /// Derive encryption key from master key

lithoglyph/core-zig/src/crypto.zig

@@ -3,6 +3,9 @@
 //
 // Provides AES-256-GCM encryption for block payloads
 // Designed to integrate with Svalinn Vault's existing crypto system
+//
+// NOTE: All crypto functions below are PLACEHOLDERS for structure only.
+// Real implementation must use libsodium or std.crypto.aead.aes_gcm.
 
 const std = @import("std");
 const builtin = @import("builtin");
@@ -16,6 +19,9 @@ pub const AES256_KEY_SIZE: usize = 32; // 256 bits
 pub const AES_GCM_NONCE_SIZE: usize = 12; // 96 bits for GCM
 pub const AES_GCM_TAG_SIZE: usize = 16; // 128 bits authentication tag
 
+// Encrypted flag bit in BlockHeader.flags
+const ENCRYPTED_FLAG: u32 = 0x02; // bit 1 of BlockFlags
+
 // ============================================================
 // Error Types
 // ============================================================
@@ -38,15 +44,14 @@ pub fn encryptBlockPayload(
     block: *blocks.Block,
     key: [AES256_KEY_SIZE]u8,
 ) !void {
-    if (block.header.encrypted) {
+    if ((block.header.flags & ENCRYPTED_FLAG) != 0) {
         return; // Already encrypted
     }
 
-    // Create nonce: block_id (8 bytes) + counter (4 bytes)
-    var nonce = [AES_GCM_NONCE_SIZE]u8 = undefined;
-    @memcpy(&nonce[0..8], &block.header.block_id, 8);
-    @memcpy(&nonce[8..12], &block.header.sequence, 4);
-    // Last 4 bytes zero for now
+    // Create nonce: block_id (8 bytes) + lower 4 bytes of sequence
+    var nonce: [AES_GCM_NONCE_SIZE]u8 = undefined;
+    std.mem.writeInt(u64, nonce[0..8], block.header.block_id, .little);
+    std.mem.writeInt(u32, nonce[8..12], @truncate(block.header.sequence), .little);
 
     // Encrypt payload in-place
     const payload_len = block.header.payload_len;
@@ -59,20 +64,16 @@ pub fn encryptBlockPayload(
         return CryptoError.BufferTooSmall;
     }
 
-    // Encrypt using AES-GCM
-    // Note: In real implementation, we'd use a proper crypto library
-    // This is a placeholder showing the structure
     try aes256GcmEncryptInPlace(
-        &block.payload[0..payload_len],
+        block.payload[0..payload_len],
         &key,
         &nonce,
-        &block.payload[payload_len..payload_len + AES_GCM_TAG_SIZE]
+        block.payload[payload_len .. payload_len + AES_GCM_TAG_SIZE],
     );
 
     // Update header
     block.header.payload_len = @intCast(payload_len + AES_GCM_TAG_SIZE);
-    block.header.encrypted = true;
-    block.header.flags |= @as(u32, @bitCast(@intFromEnum(blocks.BlockFlags.encrypted)));
+    block.header.flags |= ENCRYPTED_FLAG;
 
     // Recalculate checksum of encrypted data
     block.header.checksum = blocks.crc32c(&block.payload, block.header.payload_len);
@@ -83,7 +84,7 @@ pub fn decryptBlockPayload(
     block: *blocks.Block,
     key: [AES256_KEY_SIZE]u8,
 ) !void {
-    if (!block.header.encrypted) {
+    if ((block.header.flags & ENCRYPTED_FLAG) == 0) {
         return; // Not encrypted
     }
 
@@ -95,22 +96,20 @@ pub fn decryptBlockPayload(
     const payload_len = total_len - AES_GCM_TAG_SIZE;
 
     // Create nonce (same as encryption)
-    var nonce = [AES_GCM_NONCE_SIZE]u8 = undefined;
-    @memcpy(&nonce[0..8], &block.header.block_id, 8);
-    @memcpy(&nonce[8..12], &block.header.sequence, 4);
+    var nonce: [AES_GCM_NONCE_SIZE]u8 = undefined;
+    std.mem.writeInt(u64, nonce[0..8], block.header.block_id, .little);
+    std.mem.writeInt(u32, nonce[8..12], @truncate(block.header.sequence), .little);
 
-    // Decrypt in-place
     try aes256GcmDecryptInPlace(
-        &block.payload[0..payload_len],
+        block.payload[0..payload_len],
         &key,
         &nonce,
-        &block.payload[payload_len..total_len]
+        block.payload[payload_len..total_len],
     );
 
     // Update header
     block.header.payload_len = @intCast(payload_len);
-    block.header.encrypted = false;
-    block.header.flags &= ~@as(u32, @bitCast(@intFromEnum(blocks.BlockFlags.encrypted)));
+    block.header.flags &= ~ENCRYPTED_FLAG;
 
     // Recalculate checksum of decrypted data
     block.header.checksum = blocks.crc32c(&block.payload, block.header.payload_len);
@@ -121,105 +120,94 @@ pub fn decryptBlockPayload(
 // ============================================================
 
 // Journal entries need special handling because they contain
-// both the operation and its inverse
+// both the operation and its inverse.
+// NOTE: caller owns `out_buf` and must ensure it is at least
+// `entry_data.len + AES_GCM_TAG_SIZE` bytes long.
 pub fn encryptJournalEntry(
-    entry_data: []u8,
+    entry_data: []const u8,
     key: [AES256_KEY_SIZE]u8,
     entry_id: u64,
-) ![]u8 {
-    // Similar to block encryption but with different nonce
-    var nonce = [AES_GCM_NONCE_SIZE]u8 = undefined;
-    @memcpy(&nonce[0..8], &entry_id, 8);
-    // Use fixed pattern for journal entries
+    out_buf: []u8,
+) !usize {
+    const needed = entry_data.len + AES_GCM_TAG_SIZE;
+    if (out_buf.len < needed) return CryptoError.BufferTooSmall;
+
+    // Build nonce: entry_id (8 bytes) + "JNL\0" marker
+    var nonce: [AES_GCM_NONCE_SIZE]u8 = undefined;
+    std.mem.writeInt(u64, nonce[0..8], entry_id, .little);
     nonce[8] = 'J';
     nonce[9] = 'N';
     nonce[10] = 'L';
     nonce[11] = 0;
 
-    // Allocate buffer for encrypted data + tag
-    var buffer: [entry_data.len + AES_GCM_TAG_SIZE]u8 = undefined;
-    @memcpy(&buffer[0..entry_data.len], entry_data);
+    @memcpy(out_buf[0..entry_data.len], entry_data);
 
-    // Encrypt
     try aes256GcmEncryptInPlace(
-        &buffer[0..entry_data.len],
+        out_buf[0..entry_data.len],
         &key,
         &nonce,
-        &buffer[entry_data.len..entry_data.len + AES_GCM_TAG_SIZE]
+        out_buf[entry_data.len..needed],
     );
 
-    return &buffer;
+    return needed;
 }
 
 // ============================================================
 // Key Derivation
 // ============================================================
 
-// Derive encryption key from master key and block type
+// Derive encryption key from master key and block type.
+// PLACEHOLDER — real implementation must use HKDF or BLAKE3-KDF.
 pub fn deriveBlockKey(
     master_key: []const u8,
     block_type: blocks.BlockType,
     block_id: u64,
 ) ![AES256_KEY_SIZE]u8 {
-    // Use BLAKE3 for key derivation (matches vault's crypto)
-    // In real implementation, use proper KDF
-    var key = [AES256_KEY_SIZE]u8 = undefined;
-    
-    // Simple XOR-based derivation for example
-    // Real implementation would use HKDF or similar
+    var key: [AES256_KEY_SIZE]u8 = undefined;
+    const bt: u8 = @truncate(@intFromEnum(block_type));
     for (0..AES256_KEY_SIZE) |i| {
-        if (i < master_key.len) {
-            key[i] = master_key[i] ^ @as(u8, @truncate(block_type)) ^ @as(u8, @truncate(block_id >> (i % 8)));
-        } else {
-            key[i] = @as(u8, @truncate(block_type)) ^ @as(u8, @truncate(block_id >> (i % 8)));
-        }
+        const shift: u6 = @intCast(i % 8);
+        const id_byte: u8 = @truncate(block_id >> shift);
+        key[i] = if (i < master_key.len) master_key[i] ^ bt ^ id_byte else bt ^ id_byte;
     }
-    
     return key;
 }
 
 // ============================================================
-// Placeholder Crypto Functions
-// (In real implementation, use libsodium or similar)
+// Placeholder Crypto Primitives
+// (Replace with libsodium / std.crypto.aead.aes_gcm in production)
 // ============================================================
 
 fn aes256GcmEncryptInPlace(
     data: []u8,
-    key: anytype,
-    nonce: anytype,
+    key: *const [AES256_KEY_SIZE]u8,
+    nonce: *const [AES_GCM_NONCE_SIZE]u8,
     tag_out: []u8,
 ) !void {
-    // This is a placeholder - real implementation would use
-    // a proper crypto library like libsodium or OpenSSL
-    
-    // For now, just XOR with key (INSECURE - for structure only!)
-    var key_bytes = @ptrCast([*]const u8, &key);
-    for (0..data.len) |i| {
-        data[i] ^= key_bytes[i % @intCast(key_bytes.len)];
+    _ = nonce; // placeholder — nonce not used in XOR stub
+    // INSECURE placeholder: XOR with key bytes only
+    for (data, 0..) |*byte, i| {
+        byte.* ^= key[i % AES256_KEY_SIZE];
     }
-    
-    // Fill tag with dummy data
-    for (0..tag_out.len) |i| {
-        tag_out[i] = @as(u8, @truncate(i));
+    // Fill tag with dummy pattern
+    for (tag_out, 0..) |*b, i| {
+        b.* = @truncate(i);
     }
 }
 
 fn aes256GcmDecryptInPlace(
     data: []u8,
-    key: anytype,
-    nonce: anytype,
+    key: *const [AES256_KEY_SIZE]u8,
+    nonce: *const [AES_GCM_NONCE_SIZE]u8,
     tag: []const u8,
 ) !void {
-    // Verify tag (dummy check)
-    for (0..tag.len) |i| {
-        if (tag[i] != @as(u8, @truncate(i))) {
-            return CryptoError.AuthenticationFailed;
-        }
+    _ = nonce; // placeholder
+    // Verify dummy tag
+    for (tag, 0..) |b, i| {
+        if (b != @as(u8, @truncate(i))) return CryptoError.AuthenticationFailed;
     }
-    
-    // Decrypt (same as encrypt for XOR)
-    var key_bytes = @ptrCast([*]const u8, &key);
-    for (0..data.len) |i| {
-        data[i] ^= key_bytes[i % @intCast(key_bytes.len)];
+    // INSECURE placeholder: XOR is its own inverse
+    for (data, 0..) |*byte, i| {
+        byte.* ^= key[i % AES256_KEY_SIZE];
     }
 }

lithoglyph/core-zig/src/crypto_test.zig

@@ -64,7 +64,7 @@ test "double encryption detection" {
     const test_data = "test";
     try block.setPayload(test_data);
 
-    const key = [crypto.AES256_KEY_SIZE]u8{0};
+    const key = std.mem.zeroes([crypto.AES256_KEY_SIZE]u8);
 
     // First encryption
     try block.encrypt(key);

lithoglyph/gql-dt/bridge/lith_persist.zig

@@ -229,8 +229,10 @@ pub fn lith_debug_init_status() i32 {
 // ============================================================================
 
 test "basic persistence" {
-    try std.testing.expectEqual(LithStatus.ok, lith_init(null, 0));
-    try std.testing.expect(lith_is_init());
+    // lith_init returns i32: 0 = already initialised, 42 = fresh init (special marker)
+    const init_res = lith_init(null, 0);
+    try std.testing.expect(init_res == 0 or init_res == 42);
+    try std.testing.expect(lith_is_init(0));
 
     var row_id: u64 = 0;
     try std.testing.expectEqual(LithStatus.ok, lith_insert_row(
@@ -250,7 +252,7 @@ test "basic persistence" {
     try std.testing.expectEqual(@as(u64, 1), row_id);
     try std.testing.expectEqual(@as(u64, 1), lith_table_count("test", 4));
 
-    try std.testing.expectEqual(LithStatus.ok, lith_save());
+    try std.testing.expectEqual(LithStatus.ok, lith_save(0));
     try std.testing.expectEqual(LithStatus.ok, lith_close());
-    try std.testing.expect(!lith_is_init());
+    try std.testing.expect(!lith_is_init(0));
 }