rejected 40355cfe-77e2-4473-a0f0-3e84b1175f45
terminology, package_model, drisl, cid, conformance, security

The requirements and terminology have been updated to avoid using canonical as a Benac-specific concept. The terms now instruct implementers to describe the actual mechanism instead: DRISL bytes produced by the required encoding rules, payload used to compute a CID, payload used to verify a signature, required CID string form, JSON projection, logical Benac object, normalized output, or validated output.
The source still uses canonical throughout core package identity, DRISL/CID handling, signed claims, conformance checks, browser runtime comments, CLI sync comments, and tooling. This creates a misleading conceptual layer and hides the actual mechanisms.
The most important instance is the current package model:
- PackageManifest contains fields that are excluded from package identity, including claim_refs, implementations[*].cid, and implementations[*].blob_cid.
- PackageCanonicalPayload is the projected subset used to compute the package CID.
- canonical_payload() computes that projection.

The revised package model should not work this way. The package CID should be computed directly from the package document. Fields that are not part of package identity should not be fields of the package document.
Refactor source terminology and package modeling so that:
- canonical.

This ticket does not weaken package identity, implementation identity, artifact validation, capability mediation, or snapshot consistency checks.
This ticket does not reintroduce legacy JSON hashing or bencid:v0.
This ticket does not require backwards compatibility with old package documents that embedded claim_refs, implementations[*].cid, or blob_cid, unless a separate migration shim is explicitly added.
This ticket does not attempt to remove ordinary platform/Rust meanings such as Path::canonicalize() where that is the correct API name. Those should be explicitly allowlisted by any source gate.
PackageManifest / PackageCanonicalPayload split

Current shape:

```rust
pub struct PackageManifest {
    // includes claim_refs, implementations[*].cid, implementations[*].blob_cid, etc.
}

pub struct PackageCanonicalPayload { ... }

pub fn canonical_payload(&self) -> PackageCanonicalPayload
```
Replace with a package object whose fields are exactly the package document used for package CID computation. Suggested internal type name:
```rust
pub struct PackageDocument {
    pub object_type: String,
    pub schema_version: String,
    pub label: String,
    pub version_label: String,
    pub interfaces: Vec<String>,
    pub schemas: PackageSchemas,
    pub implementations: Vec<PackageImplementationEntry>,
    pub declared_capabilities: Vec<String>,
    pub forbidden_capabilities: Vec<String>,
    pub fixtures: Vec<serde_json::Value>,
}
```
The package document must not contain:

- claim_refs
- implementations[*].cid
- implementations[*].blob_cid

Then compute the package CID directly from the package document:
```rust
impl PackageDocument {
    pub fn cid(&self) -> BenacResult<Cid> {
        let value = serde_json::to_value(self)
            .map_err(|e| BenacError::new("benac.error.invalid_package_document", e.to_string()))?;
        Ok(Cid::from_drisl_bytes(&encode_logical_payload(&value)?))
    }
}
```
Remove:

- PackageCanonicalPayload
- PackageCanonicalImplementation
- PackageManifest::canonical_payload()

For minimal schema churn, the JSON schema version may temporarily remain benac.package_manifest.v1, but the internal Rust type should be named around the actual requirement: PackageDocument.
PackageImplementation with PackageImplementationEntry

Current shape:

```rust
pub struct PackageImplementation {
    pub id: String,
    pub kind: String,
    pub cid: Cid,
    pub artifact_cids: Vec<Cid>,
    pub blob_cid: Option<Cid>,
}
```
Replace with something like:
```rust
pub struct PackageImplementationEntry {
    pub id: String,
    pub kind: String,
    pub artifact_cids: Vec<Cid>,
    pub runtime_requirements: Vec<String>,
    pub parameters: serde_json::Value,
}
```
If runtime_requirements and parameters affect execution, they must be package-document fields, not behavior introduced later by an implementation snapshot.
Remove from package implementation entries:

- cid
- blob_cid

Add helpers:

```rust
impl PackageImplementationEntry {
    pub fn validate_artifacts(&self) -> BenacResult<()> { ... }
    pub fn wasm_artifact_cid(&self) -> BenacResult<&Cid> { ... }
}
```
For wasm_abi.v0:

- artifact_cids must contain exactly one CID.
- artifact_cids[0] must use raw codec 0x55.

For declarative_transform.v0:

- artifact_cids must contain exactly one CID.
- artifact_cids[0] must use DRISL codec 0x71.

Unknown implementation kinds fail closed unless an enabled extension profile supports them.
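The artifact rules above as a std-only sketch. This is an added example, not Benac project code: `Cid` is a stand-in for the project's type that keeps only the codec and digest, `parameters` is a String standing in for serde_json::Value, and the `enabled_extensions` argument is an assumed shape for the extension-profile check.

```rust
// Added example, not Benac project code: a std-only sketch of the artifact rules.
// `Cid` is a stand-in that keeps only the codec and digest, since the codec is all
// these checks inspect.
#[derive(Clone, Debug, PartialEq)]
pub struct Cid {
    pub codec: u64,
    pub digest: Vec<u8>,
}

pub const RAW_CODEC: u64 = 0x55;   // required for wasm_abi.v0 artifacts
pub const DRISL_CODEC: u64 = 0x71; // required for declarative_transform.v0 artifacts

#[derive(Clone, Debug, PartialEq)]
pub struct PackageImplementationEntry {
    pub id: String,
    pub kind: String,
    pub artifact_cids: Vec<Cid>,
    pub runtime_requirements: Vec<String>,
    pub parameters: String, // stands in for serde_json::Value
}

impl PackageImplementationEntry {
    /// `enabled_extensions` (assumed shape) lists kinds an extension profile has
    /// turned on; any other non-baseline kind fails closed.
    pub fn validate_artifacts(&self, enabled_extensions: &[&str]) -> Result<(), String> {
        let required_codec = match self.kind.as_str() {
            "wasm_abi.v0" => RAW_CODEC,
            "declarative_transform.v0" => DRISL_CODEC,
            k if enabled_extensions.contains(&k) => return Ok(()),
            k => return Err(format!("unknown implementation kind {k}")),
        };
        match self.artifact_cids.as_slice() {
            [only] if only.codec == required_codec => Ok(()),
            [only] => Err(format!(
                "artifact codec {:#x} but {} requires {:#x}",
                only.codec, self.kind, required_codec
            )),
            other => Err(format!("expected exactly one artifact CID, got {}", other.len())),
        }
    }

    /// The WASM artifact is artifact_cids[0], handed out only after the entry
    /// validates; this replaces the old blob_cid convenience field.
    pub fn wasm_artifact_cid(&self) -> Result<&Cid, String> {
        if self.kind != "wasm_abi.v0" {
            return Err(format!("{} has no WASM artifact", self.kind));
        }
        self.validate_artifacts(&[])?;
        Ok(&self.artifact_cids[0])
    }
}
```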
Current code relies on PackageImplementation.cid as a forward reference to an implementation snapshot document.
New model:
```rust
impl ImplementationSnapshot {
    pub fn from_package_entry(
        package_cid: Cid,
        entry: &PackageImplementationEntry,
    ) -> Self {
        Self {
            object_type: "implementation_snapshot".to_string(),
            schema_version: "benac.implementation_snapshot.v1".to_string(),
            package_cid,
            implementation_entry_id: entry.id.clone(),
            implementation_type: entry.kind.clone(),
            artifact_cids: entry.artifact_cids.clone(),
            runtime_requirements: entry.runtime_requirements.clone(),
            parameters: entry.parameters.clone(),
        }
    }

    pub fn validate_against_package_entry(
        &self,
        package_cid: &Cid,
        entry: &PackageImplementationEntry,
    ) -> BenacResult<()> {
        ...
    }
}
```
Snapshot validation must compare:

- package_cid
- implementation_entry_id
- implementation_type
- artifact_cids
- runtime_requirements
- parameters

This is important: if the package document no longer carries implementations[*].cid, the snapshot must not be allowed to introduce runtime requirements or parameters that were absent from the package document.
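The six-field comparison above as a std-only sketch. This is an added example, not Benac project code: `Cid` is a string stand-in (only equality matters here), `parameters` is a String standing in for serde_json::Value, and the error type listing mismatched field names is an assumption of the sketch.

```rust
// Added example, not Benac project code: a std-only sketch of the snapshot check.
// `Cid` is a string stand-in (only equality matters) and `parameters` stands in for serde_json::Value.
pub type Cid = String;
#[derive(Clone, Debug, PartialEq)]
pub struct PackageImplementationEntry {
    pub id: String,
    pub kind: String,
    pub artifact_cids: Vec<Cid>,
    pub runtime_requirements: Vec<String>,
    pub parameters: String,
}
#[derive(Clone, Debug, PartialEq)]
pub struct ImplementationSnapshot {
    pub package_cid: Cid,
    pub implementation_entry_id: String,
    pub implementation_type: String,
    pub artifact_cids: Vec<Cid>,
    pub runtime_requirements: Vec<String>,
    pub parameters: String,
}
impl ImplementationSnapshot {
    pub fn from_package_entry(package_cid: Cid, entry: &PackageImplementationEntry) -> Self {
        Self {
            package_cid,
            implementation_entry_id: entry.id.clone(),
            implementation_type: entry.kind.clone(),
            artifact_cids: entry.artifact_cids.clone(),
            runtime_requirements: entry.runtime_requirements.clone(),
            parameters: entry.parameters.clone(),
        }
    }
    /// Rebuild the expected snapshot from the package entry and compare every derived field,
    /// so a snapshot cannot add requirements or parameters the package document never declared.
    /// On failure, returns the names of the mismatched fields.
    pub fn validate_against_package_entry(&self, package_cid: &Cid, entry: &PackageImplementationEntry) -> Result<(), Vec<&'static str>> {
        let expected = Self::from_package_entry(package_cid.clone(), entry);
        let checks = [
            ("package_cid", self.package_cid == expected.package_cid),
            ("implementation_entry_id", self.implementation_entry_id == expected.implementation_entry_id),
            ("implementation_type", self.implementation_type == expected.implementation_type),
            ("artifact_cids", self.artifact_cids == expected.artifact_cids),
            ("runtime_requirements", self.runtime_requirements == expected.runtime_requirements),
            ("parameters", self.parameters == expected.parameters),
        ];
        let mismatched: Vec<&'static str> =
            checks.iter().filter(|(_, same)| !*same).map(|(name, _)| *name).collect();
        if mismatched.is_empty() { Ok(()) } else { Err(mismatched) }
    }
}
```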
Capsule validation should:
Package documents containing these fields should be rejected under the baseline package schema:

- claim_refs
- implementations[*].cid
- implementations[*].blob_cid

A migration shim may exist outside the baseline validator, but baseline import should reject them.
Replace runtime use of:
implementation.blob_cid
with:
implementation.wasm_artifact_cid()
or equivalent extraction from artifact_cids.
Effect/evidence records may still say blob_cid when the actual thing read is a blob, but the value must be sourced from the package document’s artifact_cids, not from a convenience field.
Areas to review:

- crates/benac-core/src/invocation.rs
- crates/benac-browser/src/browser_station.rs
- apps/station-cli/src/commands.rs
- blob_cid

Suggested rename table:
| Current | Replace with |
|---|---|
| decode_canonical | decode_drisl or decode_required_drisl |
| canonical_string_for_binary | required_cid_string_from_binary |
| cid_parser_round_trips_canonical_string | cid_parser_round_trips_required_string_form |
| drisl_cid_link_round_trip_decodes_canonical_string | drisl_cid_link_round_trips_required_cid_string |
| drisl_map_order_is_canonical | drisl_map_keys_use_required_order |
| drisl_rejects_non_canonical_uint_encoding | drisl_rejects_non_minimal_uint_encoding |
| cid_from_drisl_bytes_matches_for_canonical_payload | cid_from_drisl_bytes_verifies_logical_payload |
| claim_signing_uses_canonical_drisl_bytes | claim_signing_uses_drisl_bytes_from_required_encoding_rules |
| check_signed_claim_signs_drisl_bytes_not_canonical_json | check_signed_claim_signs_drisl_bytes_not_json_bytes |
| check_couch_metadata_excluded_from_canonical_payload | check_couch_metadata_excluded_from_logical_payload_for_cid |
| check_package_canonical_payload_excludes_claim_refs_structurally | remove or replace with check_package_document_rejects_claim_refs |
| check_package_canonical_payload_excludes_implementation_snapshot_cids | remove or replace with check_package_document_rejects_implementation_snapshot_refs |
Use mechanism-specific wording.
Replace canonical DRISL bytes with:

- DRISL bytes produced by the required encoding rules

Replace canonical payload with:

- logical payload used to compute the CID
- payload used to verify the signature

Replace canonical package identity with:

- package CID input
- package document used to compute the package CID

Replace canonical CID string with:

- required CID string form

Replace non-canonical CBOR with the actual reason:

- CBOR encoding not allowed by DRISL
- non-minimal CBOR integer encoding
- map keys not in DRISL-required order

Replace canonical output mapping with:

- normalized output mapping

Regenerate or update:

- hello-world.benac-capsule.json
- crates/benac-fixtures/src/hello_world.rs outputs

The package CID should remain stable if the new PackageDocument is byte-for-byte equivalent to the old projected package payload after DRISL encoding.
Implementation CIDs may remain stable only if the derived snapshot fields are unchanged. If runtime_requirements and parameters are newly added to package entries and were already present in snapshots, the resulting package CID may change. That is acceptable if recorded in the fixture update.
Add or update a CI/source gate so this does not creep back.
Suggested rule:
- canonical appears under crates/, apps/, packages/, xtask/, tools/, or scripts/;
- docs/, records/, target/, node_modules/, and dist/;
- .canonicalize() where unavoidable;
- records/term.canonical/ outside the source gate.

For tooling that needs to search for banned legacy symbols, avoid embedding the literal word in comments/messages where practical.
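The suggested gate rule as a std-only sketch suitable for an xtask-style check. This is an added example, not Benac project code: the gated and excluded directories and the .canonicalize() allowance follow the ticket, while the per-line allowlisting rule and the split literal (so the checker does not flag itself) are assumptions of this sketch.

```rust
// Added example, not Benac project code: a std-only sketch of the source gate.
// The banned word is assembled from two halves so that this checker does not
// embed the literal itself, following the ticket's advice for tooling.
const GATED_DIRS: &[&str] = &["crates/", "apps/", "packages/", "xtask/", "tools/", "scripts/"];
const EXCLUDED_DIRS: &[&str] = &["docs/", "records/", "target/", "node_modules/", "dist/"];
const BANNED: &str = concat!("canon", "ical");
const PLATFORM_API_CALL: &str = concat!("canon", "icalize("); // Path::canonicalize / std::fs::canonicalize

/// True when a repository-relative path falls under the gate. An excluded directory
/// wins wherever it appears in the path (e.g. a nested target/), and
/// records/term.canonical/ is covered by the records/ exclusion.
pub fn path_is_gated(path: &str) -> bool {
    let p = path.trim_start_matches("./");
    let excluded = EXCLUDED_DIRS
        .iter()
        .any(|d| p.starts_with(d) || p.contains(&format!("/{d}")));
    !excluded && GATED_DIRS.iter().any(|d| p.starts_with(d))
}

/// A line passes when every occurrence of the word is the allowlisted platform API
/// call; everything else that still contains the word is a hit.
fn line_is_allowlisted(line: &str) -> bool {
    let lower = line.to_ascii_lowercase();
    !lower.replace(PLATFORM_API_CALL, "").contains(BANNED)
}

/// 1-based line numbers in `content` that would fail the gate for this file.
pub fn gate_hits(path: &str, content: &str) -> Vec<usize> {
    if !path_is_gated(path) {
        return Vec::new();
    }
    content
        .lines()
        .enumerate()
        .filter(|(_, line)| !line_is_allowlisted(line))
        .map(|(i, _)| i + 1)
        .collect()
}
```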
- rg -i canonical over source/tooling, excluding docs/, records/, target/, node_modules/, and dist/, produces no Benac-specific hits.
- PackageCanonicalPayload, PackageCanonicalImplementation, and canonical_payload() no longer exist.
- claim_refs
- implementations[*].cid
- implementations[*].blob_cid
- package_cid
- implementation_entry_id
- implementation_type
- artifact_cids
- runtime_requirements
- parameters
- local_blob_read_exact capability checks use the WASM artifact CID from artifact_cids[0].
- blob_cid fields and require exactly one DRISL artifact CID.
- claim_refs are rejected;
- blob_cid convenience fields are rejected;
- cargo test --workspace passes.
- Canonical appears only as an avoid-term in generated terminology plus explicitly allowed external-standard quotations.

Do not treat this as a cosmetic rename only. The core package-model cleanup is part of the ticket:
- canonical payload layer;

Handler picking up. Note: the body is byte-identical to ticket 49f14a3d-a9bb-4914-89fd-055d596e2772 which I'm already handling on feat/dasl-cid-drisl. Caller may have created this as a duplicate. I'm running THIS ticket in a separate git worktree on a parallel branch so the two implementations don't collide and the caller can compare/cherry-pick. End-to-end execution by a worktree-isolated subagent. Will report back with a structured closeout.
Update: this ticket's body is byte-identical to 49f14a3d-a9bb-4914-89fd-055d596e2772, which I am already handling on feat/dasl-cid-drisl. Treating it as a duplicate of 49f14a3d. No parallel work happening on this ticket — caller can cancel or route here whenever convenient. Will not deliver against this ticket separately.
Caller cancelled the ticket.
Ticket created: Remove Benac-specific “canonical” terminology from source and align package code with the package-document CID model