feat(runtime): invoke installed Edict provider mutations#678
Conversation
|
Warning Review limit reached
Next review available in: 15 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: ⛔ Files ignored due to path filters (7)
📒 Files selected for processing (42)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c4023a975d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Summary
This PR carries the Echo/Edict provider path across four explicit runtime boundaries without collapsing their authority:
Echo now retains provider-native invocation evidence binding the package identity and exact package reference, semantic operation, Target IR identity, and scheduler rule. An outcome is reported as applied only when the exact installed provider rule appears in the scheduler receipt; the same-scope system acknowledgement cannot masquerade as provider execution.
Advances #583.
Related to #589.
This deliberately does not close either issue. The generic provider-native path is present, but the designated Jim operation, caller/session authentication, target authorization, codec-owned input validation, provider-native reads, and the broader authority/security ramp remain downstream.
Scope
Architectural walkthrough
Proposal admission
TrustedRuntimeHostaccepts an opaque provider proposal only when its complete registry, semantic/release identities, package occurrence, operations, codecs, Target IR, profiles, obstruction declarations, and footprint claims equal a host-ownedProviderContractAdmissionPolicyV1. This crossing does not hash package bytes, install anything, execute callbacks, or grant application authority.Exact occurrence corroboration
echo-wesley-genconsumes the digest-admitted package and Echo-admitted contract material, requires the exactecho.edict-provider@1coordinate and lowercasesha256:package-root agreement, and returns an opaque corroboration proof. This crossing proves occurrence agreement only; it does not infer registry semantics from bytes.Installation
A sealed proof-consuming adapter installs a corroborated package through the trusted runtime-owner port. Installation atomically occupies provider-package, package-root, operation, and scheduler-rule indexes, retains the exact occurrence and complete provider registry, and refuses legacy/provider or rule conflicts without partial mutation. It creates no Wesley/GraphQL surrogate metadata and invokes no callbacks.
Invocation and recovery
The installed-contract ingress path now carries
InstalledInvocationEvidence, with distinct legacy and provider variants. Provider mutation admission requires:Unknown operations, malformed or relabeled EINT, matcher refusal, missing exact rule execution, and unsupported provider inverse targets fail closed through typed errors or obstructions. Provider receipts do not fabricate a legacy contract coordinate.
WAL state-delta evidence remains explicitly tagged:
Fresh-host recovery independently reinstalls the same package as host configuration, recovers the exact prior outcome from the filesystem WAL, treats resubmission as a duplicate, schedules no extra work, and executes no callbacks.
Each crossing proves only its own proposition. Generated authority-facts material is not treated as Echo runtime authority.
RED / GREEN evidence
Focused RED witnesses were introduced before each boundary existed or before the reviewed soundness rule was enforced:
The corresponding GREEN commands include:
Validation
The exact committed tree passed:
The repository no longer exposes an
xtask verifysubcommand;xtask pr-preflight --fullis the current documented full branch gate. It passed all seven preflight checks. The final push hook also passed all 17 selected Rust slices.Dependency rationale
This PR adds no new external runtime dependency.
echo-wesley-gencontinues to use the already-pinned publishedwesley-core = 0.3.0-alpha.1contract and owns the proof-consuming adapter sowarp-coredoes not rediscover, regenerate, or reinterpret provider semantics. The trusted lower installation primitive intentionally does not reauthenticate package bytes; it accepts only the opaque proof from the corroboration crossing.Compatibility
This is an intentional pre-1.0 source evolution:
Option<InstalledInvocationEvidence>rather thanOption<ContractEvidenceIdentity>;InstalledInvocationEvidenceis non-exhaustive, so downstream direct matches require a wildcard arm;LegacyContract,.into(), orlegacy_contract();provider_v1();RuntimeErrorgainsInstalledContractIntentKindMismatchandUnsupportedInstalledProviderContractMutation;ContractInverseObstructiongainsProviderTargetUnsupported; andDocumentation impact
Updated:
warp-coreREADMEs;CHANGELOG.md.The docs explicitly distinguish proposal, admission, corroboration, installation, invocation, receipt, and WAL evidence, and state the remaining authentication, authorization, schema-validation, and bounded-read limitations.
Review
Two independent read-only reviews were completed. Review findings around exact rule selection, EINT kind enforcement, WAL structural validation, fresh-host recovery, public enum extensibility, and compatibility documentation were addressed with focused witnesses. The final seam review found no remaining blocking, high, or medium correctness/soundness issue.
Checklist