Spike: rs-matter core as a WASM component (rules_wasm_component) #35
Merged
SWARCH-WOHL-008 spike. Proves the Matter protocol core can be a
WebAssembly component built on the real PulseEngine toolchain
(rules_wasm_component), with rs-matter supplied from the bazel crate
universe — not the self-contained-inlined-engine path the verified
monitors use.
Background
The earlier framing ("the Matter stack is host-side, unverifiable")
was too coarse. rs-matter core (TLV / exchange / secure channel /
PASE-CASE / RustCrypto / data model) is rustcrypto-only no_std-friendly
code; only the UDP/mDNS transport (the `os` feature → async-io →
polling/epoll) is host-bound. A cargo probe confirmed rs-matter
compiles to wasm32-wasip2 with `default-features = false,
features = ["rustcrypto"]`. This spike wires that into the Bazel
component toolchain.
What's in this commit
crates/wohl-matter-core/wit/matter-core.wit
Minimal WIT world (matter-port, is-commissioned). The real seam
(network / clock / random / persist imports + publish/commission
exports) is spike step 2, ideally spar-generated from AADL.
crates/wohl-matter-core/src/wasm_component.rs
Component glue reading rs_matter::MATTER_PORT so rs-matter is
genuinely linked into the component (not DCE'd). P3 async dual-cfg,
mirroring the monitor components.
BUILD.bazel
wit_library + rust_wasm_component_bindgen(name = "wohl-matter-core",
deps = ["@crates//:rs-matter"], wasi_version = "p3").
crates/wohl-leak/wasm/Cargo.toml + Cargo.lock
rs-matter (git rev 0030ba4a99, rustcrypto only) added to the bazel
crate-universe seed → makes @crates//:rs-matter available. Grows
the universe to 234 packages; NO monitor component deps on it, so
the verified monitors' compiled closure is unchanged.
MODULE.bazel.lock
Re-locked for the grown crate universe.
Verification status (honest)
- Bazel ANALYSIS accepts the target locally: "8 targets configured",
deps = ["@crates//:rs-matter"] resolves, no rule/attribute errors.
- Bazel rust toolchain is 1.95.0 (MODULE.bazel.lock) >= rs-matter's
1.87 MSRV — that gate is satisfied.
- The local bazel BUILD could not COMPLETE: this sandbox has no
network egress for the toolchain downloads bazel needs at analysis
time (wasi-sdk-32, nixpkgs for rules_rocq_rust) — both time out.
The build never reached compiling rs-matter; the failure is
environmental, not a defect.
- => This PR's CI bazel-build job (which has network egress) is the
actual completion of the build. If it goes green, the Matter core
is a buildable WASM component on the PulseEngine toolchain.
Not in this commit
- The real network/clock/random/persist WIT seam + wac_compose graph
+ proving a PASE handshake RUNS through the composed components.
That's spike step 2.
- No change to the host-side wohl-matter-bridge (rs-matter-backend);
the commissioning loop there is unaffected.
Verified line
No edits to any monitor's plain engine or wasm_component.rs, to
proofs/verus/, or to the Kani harnesses. The crate-universe seed
grew but the monitors' compiled dependency closure did not.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The matter-core spike grew the crate-universe seed (added rs-matter
to crates/wohl-leak/wasm/Cargo.toml + lock). CI's first run got past
toolchain provisioning and successfully generated the wohl-matter-core
WIT bindings, then failed at:
ERROR: no such target '@@rules_rust++crate+crates//:rs-matter':
target 'rs-matter' not declared
i.e. @crates was not regenerated to expose the new direct dep — the
standard "changed crate_universe deps without repinning" gotcha.
CARGO_BAZEL_REPIN=1 forces crate_universe to regenerate @crates from
the current lock+manifest (re-resolving over the network, which CI
has). This makes @crates//:rs-matter resolvable for
//:wohl-matter-core.
Scoped to the bazel-build step only.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…build

@crates//:rs-matter stays 'not declared' under CARGO_BAZEL_REPIN=1 while registry deps (wit-bindgen, bitflags) alias fine. rs-matter is the only git-sourced dep in the universe seed. Local bazel can't run (network egress for nix + wasi-sdk is blocked) and local @crates caches are from a foreign project, so CI is the only ground truth for git-dep aliasing.

This step forces @crates regeneration and prints (a) all root alias targets and (b) anything mentioning 'matter', so the next fix is data-driven rather than another blind repin round.

Spike SWARCH-WOHL-008.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Root cause (falsified my earlier git-dep theory). bzlmod merges every module's usage of the @rules_rust//crate_universe%crate extension. The local rules_wasm_component override registers its universe under the canonical name 'crates' (anyhow/clap/tokio/wit-bindgen-0.56). Wohl's use_repo(crate, "wohl_crates", "crates") imports that foreign repo into scope alongside wohl's own. So @crates//:rs-matter resolved to rules_wasm_component's universe, which has no rs-matter → 'target rs-matter not declared'.

CI run 26651242532 diagnostic confirmed: @crates exposes clap/reqwest/tokio/wit-bindgen-0.56 and never any 'matter' target.

Wohl's universe — seeded from //crates/wohl-leak/wasm:Cargo.{toml,lock}, 234 pkgs incl. rs-matter — is @wohl_crates. Point the bindgen dep there. The monitor components only appeared to work via @crates because both universes happen to carry wit-bindgen + bitflags.

Spike SWARCH-WOHL-008. Diagnostic step re-aimed at @wohl_crates to prove the premise this round; removed once green.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…green

Run 26651676994: @wohl_crates//:rs-matter resolved, rs-matter compiled into the WASM component (Compiling Rust cdylib wohl-matter-core_wasm_lib _release_host), all 14 CI jobs green. The diagnostic served its purpose (falsified the git-dep theory, located the bzlmod repo collision); the working build remains.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
avrabe added a commit that referenced this pull request May 30, 2026
Feature-loop steps 1-2 for the Matter verified-core split (next version).

Spike 2 proved the rs-matter protocol+crypto core compiles (PR #35) and runs (PR #36) as a wasm32-wasip2 component. The architectural consequence: the core lives inside the verified WASM boundary, with host-bound non-determinism pulled across an import seam.

Beyond the already-modeled network transport (message_in/message_out = NetworkReceive/NetworkSend), the spike revealed two newly-explicit host dependencies the core cannot self-supply in the sandbox:
- clock_in (MonotonicTime): rs-matter calls embassy-time Instant::now() pervasively, incl. inside PASE; Spike 2a sourced it from the wasi monotonic clock via a custom embassy-time driver.
- entropy_in (EntropyBytes): the CSPRNG.

Modeled both as in event data ports on MatterStackEventLoop + the MatterBridgeProcess boundary, with connections. spar analyze: 0 errors (17 pre-existing structural warnings, none from this change).

WIT regenerated via the canonical "spar codegen --format wit" path (per spar/generated/ README) — matter.wit gains on-clock_in / on-entropy_in. NOT hand-written (spar-generates-wit).

This walks back SWARCH-WOHL-006/007's "whole Matter stack is host-side": transport+clock+entropy are host-side, protocol+crypto are verifiable-in-component.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
avrabe added a commit that referenced this pull request May 30, 2026
Typed traceability for the Matter verified-core split.

SWARCH-WOHL-008 (sw-arch-component, proposed): refines SWARCH-WOHL-007, allocated-from SWREQ-MATTER-002. Records the revised split — protocol+crypto INSIDE the verified WASM boundary; transport/clock/entropy host-side across the spar-generated WIT seam (matter-world). Walks back the SWARCH-WOHL-006/007 "whole Matter stack is host-side" claim with the Spike 1 (compiles, CI-green) + Spike 2a (runs under wasmtime) evidence.

SWV-MATTER-002 (sw-verification, proposed): verifies SWREQ-MATTER-002. Honestly split into proven-today vs owed, per the SWV-MATTER-001 precedent (proposed until evidence is CI-wired):
C1 core compiles as WASM component — CI-GATED (PR #35)
C2 PASE runs in WASM — reproduced, not yet CI-gated (PR #36)
C3 handshake across wac_compose seam — owed
C4 composed graph builds + runs in CI — owed (promotes 008/002 to approved)
C5 witness MC/DC on seam glue — owed (008 reopens what SWV-MATTER-001 scoped out)

rivet validate: PASS. rivet check gaps-json: exit 0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Spike: rs-matter core as a WASM component (SWARCH-WOHL-008)
Status: GREEN — Spike 1 proven. All 14 CI jobs pass, including `bazel build //:all` (run 26651676994).
What this proves
The rs-matter protocol core (TLV, exchange, secure channel / PASE-CASE, RustCrypto, data model) builds into an actual WebAssembly component via `rules_wasm_component` (`rust_wasm_component_bindgen`, `wasi_version="p3"`) — not just `cargo build --target wasm32-wasip2`. The component reads a real rs-matter symbol so the dependency is genuinely linked, not dead-code-eliminated.
- `//:wohl-matter-core` — WIT world `wohl-matter-core` exporting a minimal `matter-core` interface (`matter-port`, `is-commissioned`).
- `@wohl_crates//:rs-matter` (rustcrypto only, no `os`/sockets/polling).
- `Compiling Rust cdylib wohl-matter-core_wasm_lib_release_host`, 1426 actions, 267s.
Root cause that blocked earlier rounds (falsified the first theory)
The failure `target 'rs-matter' not declared in @crates` was not crate_universe refusing to expose a git dep. It was a bzlmod repo-name collision: bzlmod merges every module's usage of the `@rules_rust//crate_universe%crate` extension. The local `rules_wasm_component` override registers its own universe under the canonical name `crates`, and wohl's `use_repo(crate, "wohl_crates", "crates")` pulls that foreign repo into scope. So `@crates//:rs-matter` resolved to rules_wasm_component's universe (which has no rs-matter). Fix: reference `@wohl_crates//:rs-matter`. A one-round CI diagnostic printed the actual alias set and located it.
Not yet proven (Spike 2)
compile ≠ run. The wasip2 async executor (wasi:io/poll, not epoll) and a functional PASE/CASE handshake through a `wac_compose`d graph (network/clock/random/persist WIT seam + host-import transport) are unverified. If a handshake runs, rewrite SWARCH-WOHL-006/007 to "transport host-side, protocol+crypto in a verified component."
🤖 Generated with Claude Code
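The repo-name collision described in the root cause above can be caught before a build by comparing the crate universes a module declares with the ones it imports; the following is an added example, not code from this PR or from rules_rust. The MODULE.bazel and BUILD fragments are constructed, and declaring the universe with `crate.from_cargo` is an assumption about wohl's setup.

```python
import re

# Constructed MODULE.bazel fragment reproducing the collision described above.
# Assumption: the module declares its universe with crate.from_cargo.
MODULE_BAZEL = '''
crate.from_cargo(
    name = "wohl_crates",
    cargo_lockfile = "//crates/wohl-leak/wasm:Cargo.lock",
    manifests = ["//crates/wohl-leak/wasm:Cargo.toml"],
)
use_repo(crate, "wohl_crates", "crates")
'''

# Constructed BUILD fragment using the dep label from the first commit.
BUILD_BAZEL = '''
rust_wasm_component_bindgen(
    name = "wohl-matter-core",
    deps = ["@crates//:rs-matter"],
    wasi_version = "p3",
)
'''

def declared_universes(module_text, proxy="crate"):
    """Repo names this module declares itself (explicitly named tags only)."""
    calls = re.findall(rf'\b{proxy}\.from_(?:cargo|specs)\((.*?)\)', module_text, re.S)
    names = (re.search(r'\bname\s*=\s*"([^"]+)"', c) for c in calls)
    return {m.group(1) for m in names if m}

def imported_repos(module_text, proxy="crate"):
    """Repo names brought into scope by use_repo(<proxy>, ...)."""
    repos = set()
    for args in re.findall(rf'\buse_repo\(\s*{proxy}\s*,(.*?)\)', module_text, re.S):
        repos.update(re.findall(r'"([^"]+)"', args))
    return repos

def foreign_repos(module_text):
    """Imported universes that some other module's extension usage generated."""
    return imported_repos(module_text) - declared_universes(module_text)

def misrouted_deps(build_text, module_text):
    """Dependency labels that resolve into a universe this module did not declare."""
    foreign = foreign_repos(module_text)
    labels = re.findall(r'"@([\w.\-]+)//:([^"]+)"', build_text)
    return [f"@{repo}//:{target}" for repo, target in labels if repo in foreign]

if __name__ == "__main__":
    for label in misrouted_deps(BUILD_BAZEL, MODULE_BAZEL):
        print("resolves into a foreign crate universe:", label)
```

Any label it reports is served by another module's lockfile rather than this module's own Cargo.lock, which is also why the monitors' wit-bindgen and bitflags deps only appeared to work via `@crates`.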