feat(p3): static resource-lifetime validation for async streams (#142 iv, v0.21.0)

[avrabe]

Summary

Implements #142 (iv) — resource lifetime across async boundaries, the last open item in the static stream-validation checklist, and closes (ii) as not-applicable with rationale.

meld fuse now rejects a fusion where a component declares a stream<T> / future<T> whose element type is a resource handle:

• borrow<R> — definite violation. A borrow is valid only within its lending call, but a stream/future is read by the consumer after that call returns across the async boundary → use-after-scope.
• own<R> — flagged as the drop-while-referenced hazard P3 async — static stream validation at build time (#94 sub-B) #142 names: if the producer drops the handle while the consumer still holds it via the stream, the representation is freed under the consumer.

Surfaced as StreamValidationIssue::ResourceLifetime → Error::StreamValidation.

How detection works (and why it's grounded)

Resource handles don't appear literally in the stream descriptor — they hide behind a type reference, so a handle stream parses as stream<Type(N)> where component type index N resolves to a Defined(Own/Borrow). The check parses the Type(N) index out and reuses ParsedComponent::resolve_to_resource — the exact Type(idx) → Own/Borrow chase meld already applies to function params — rather than trusting the Debug text for the handle kind. The wasmparser ComponentValType::Type(N) Debug form is pinned by a regression test (wasmparser_type_debug_form_is_stable), so a wasmparser upgrade that changes it fails loudly instead of silently disabling the check.

Verification

• LS-R-14 (approved) — gated by ls_r_14_borrow_handle_in_stream_flagged, ls_r_14_own_handle_in_future_flagged_as_owned, and negative test ls_r_14_primitive_element_stream_not_flagged, plus the format pin. run_ls_verification.py: [ OK ] LS-R-14 (3 pass).
• Full suite green; clippy + fmt clean. resolve_to_resource made pub(crate).

(ii) bounded-channel capacity — not applicable

The Component-Model canonical ABI has no bounded-channel / capacity concept: stream.new (CanonicalEntry::StreamNew { ty }) takes no capacity argument and streams are unbounded by construction. There is nothing in the component binary to validate — "declare a capacity" presupposes an annotation mechanism the ABI does not provide. Documented in p3_stream.rs + LS-R-14. This closes the #142 (i)–(iv) checklist: i/iii shipped in v0.13.0/v0.15.0, iv here, ii N/A.

Limitation (acknowledged)

A handle nested inside a composite element (stream<list<own<R>>>) is not flagged — the same boundary as stream_elements_in_valtype.

p3_stream.rs / parser.rs / resolver.rs are Tier-5, so this PR gets the Mythos delta scan.

🤖 Generated with Claude Code

[github-actions]

Mythos delta-pass required

This PR modifies one or more Tier-5 source files (per
scripts/mythos/rank.md):

meld-core/src/p3_stream.rs
meld-core/src/parser.rs
meld-core/src/resolver.rs

Before merge, run the Mythos discover protocol on the
modified Tier-5 files:

1. Follow scripts/mythos/discover.md
   — one fresh agent session per touched Tier-5 file.
2. For each finding, the agent must produce both a Kani
   harness and a failing PoC test (per the protocol's
   "if you cannot produce both, do not report" rule).
3. Attach a comment on this PR with either the findings
   (formatted per discover.md's output schema) or
   NO FINDINGS.
4. Add the mythos-pass-done label to this PR.

Why this gate exists: LS-A-10
(CABI alignment padding in async-lift retptr writeback) was
found by the v0.8.0 pre-release Mythos pass — but it had
lived in the callback emitter since #128, across six
releases. A PR-time gate would have caught it at review
time instead of at the release boundary.

The gate check on this PR will pass once the label is
applied.

[github-actions]

LS-N verification gate

⚠️ 37/39 verified — 2 missing regression tests

	count
Passed (≥1 test, all green)	37
Failed (≥1 test failure)	0
Missing (no ls_*_NN_* test found)	2

_{Approved loss-scenarios.yaml entries are expected to have a
regression test named ls_<letter>_<num>_* (e.g. LS-A-11 →
ls_a_11_*). The gate runs each prefix via cargo test --lib --no-fail-fast and aggregates pass/fail/missing.}

Failed LS entries

(none)

Missing regression tests

• LS-R-13
• LS-M-6

_{Updated automatically by tools/post_verification_comment.py.
Source of truth: safety/stpa/loss-scenarios.yaml.}

[github-actions]

Mythos delta-pass (auto)

✅ NO FINDINGS across 3 Tier-5 file(s)

File	Verdict	Hypothesis
``	✅ NO FINDINGS	—
meld-core/src/parser.rs	✅ NO FINDINGS	—
``	✅ NO FINDINGS	—

_{Auto-run via anthropics/claude-code-action@v1
(SHA-pinned) on the touched Tier-5 files, using the
maintainer's Max-plan OAuth token. See
.github/workflows/mythos-auto.yml and
scripts/mythos/discover.md.}