Sign in to edit tickets from this page.

← all tickets · home

Make Benac package ingestion, validation, inspection, approval, fixture execution, and invocation conform to the new local public-data portable package requirements

resolved 63e2efd5-bf7d-469e-93db-8e7ee1fb6389

created_at
2026-05-04
updated_at
2026-05-05
priority
P1
resolved_at
2026-05-05
resolution
accepted

Body

Ticket: Make Benac package ingestion, validation, inspection, approval, fixture execution, and invocation conform to the new local public-data portable package requirements

Type

Implementation ticket.

Scope

Update the codebase so Benac can ingest, validate, inspect, approve, test, and invoke packages that conform to the new package-authoring requirements.

This ticket is about package handling business logic only. Do not change the requirements, glossary, roadmap, or package authoring guide in this ticket.

The relevant new requirements require interface contract binding, a baseline package schema ruleset, expanded schema validation, schema reference resolution, generic invocation input envelopes, request/output snapshots, local public-data package approval, local package capability vocabulary, package validation/build reports, authoring operations, fixture schema/execution/results, WASM package-host calling convention, resource limits, implementation selection, package inspection data contracts, and conformance coverage . Package validation/build semantics are now explicit requirements . WASM execution now requires a versioned package-host calling convention and resource-limit enforcement . Diagnostics must use stable classification codes and preserve raw/origin evidence where practical and safe .


Non-goals

Do not implement encryption, key wrapping, private blob encryption, encrypted capsule export, remote storage, remote compute, Station-to-Station authentication, secret vaults, or external service authentication in this ticket.

Do not implement native execution, container execution, device APIs, same-origin package JavaScript, unrestricted filesystem access, or package network access.

Do not make packages trusted because they import successfully.

Do not make signed claims authority.

Do not silently fetch missing blobs.

Do not write or modify the package authoring guide.

Do not change the spec to make the current code easier to pass.


Audit note

I reviewed the uploaded repo ZIP statically. I attempted to run the workspace tests, but the container could not resolve external package indexes. RUSTUP_TOOLCHAIN=stable cargo test --workspace --locked failed while resolving index.crates.io, and npm test failed because yaml was unavailable after dependency installation could not complete. Treat the findings below as source-level implementation findings, not executed test results.


Current codebase status

The current implementation is still centered on the bundled hello-world package. It has strong foundations for CIDs, DRISL, local blob verification, package CIDs, implementation snapshot CIDs, simple request/output validation, local trust/capability gating, invocation/evidence/effect records, declarative execution, WASM execution, and capsule import.

It is not yet conformant with the new local public-data portable package requirements. The code still hardcodes hello-world request/config behavior, lacks the new manifest/interface model, lacks package validation/build reports, lacks a fixture runner, lacks the expanded schema ruleset, lacks request/output snapshots, lacks generic implementation selection, lacks stable diagnostic records, lacks resource-limit enforcement, and lacks the package inspection data contract.

The work below clears the package-handling path so packages produced according to the requirements can be imported, validated, inspected, approved, tested, and invoked consistently.


Primary code areas

Developers shall update at least these areas:

crates/benac-core/src/package.rs
crates/benac-core/src/descriptor.rs
crates/benac-core/src/invocation.rs
crates/benac-core/src/capability.rs
crates/benac-core/src/trust.rs
crates/benac-core/src/auth.rs
crates/benac-core/src/errors.rs
crates/benac-core/src/evidence.rs
crates/benac-core/src/effect.rs
crates/benac-core/src/capsule.rs
crates/benac-core/src/station_profile.rs
crates/benac-core/src/declarative.rs
crates/benac-browser/src/wasm_runner.rs
crates/benac-browser/src/browser_station.rs
apps/station-cli/src/cli.rs
apps/station-cli/src/commands.rs
apps/station-cli/src/persistence.rs
apps/pwa/src/station_runtime.rs
apps/pwa/src/ui/package_panel.rs
apps/pwa/src/ui/invocation_panel.rs
apps/pwa/src/ui/trust_panel.rs
crates/benac-fixtures/src/hello_world.rs
crates/benac-conformance/src/hello_world_suite.rs
crates/benac-conformance/src/replication_lite_suite.rs

Add new modules where needed rather than stuffing all behavior into existing files. Expected new core modules include:

crates/benac-core/src/schema.rs
crates/benac-core/src/diagnostic.rs
crates/benac-core/src/authoring.rs
crates/benac-core/src/fixture.rs
crates/benac-core/src/inspection.rs
crates/benac-core/src/resource_limits.rs

1. Replace hello-world-specific package behavior with a generic package model

Current problem

crates/benac-core/src/package.rs currently models packages with a narrow hello-world-era shape:

The new requirements make each package interface bind request/config/output schemas, allowed implementations, declared capabilities, resource requirements, and execution type before validation or execution .

Required changes

Implement a new package document model that supports the new manifest requirements.

Add or update core data structures:

PackageDocument
PackageMetadata
PackageInterface
SchemaRef
SchemaRulesetRef
PackageImplementationEntry
ImplementationSnapshot
PackageResourceRequirements
PackageCapabilityDeclaration
UnsupportedRequiredBehavior
PackageFixtureRef
DocumentationRef
PackageCompatibilityClaim

The package document shall include at least:

object_type
schema_version
manifest_version
metadata
schema_ruleset_identifiers
schemas
interfaces
implementations
artifact_references
declared_capabilities
forbidden_capabilities
resource_requirements
fixtures
documentation_references
storage_needs
compute_needs
unsupported_required_behavior_markers

Each PackageInterface shall include:

interface_identifier
request_schema_ref
descriptor_config_schema_ref, optional
output_schema_ref, optional
allowed_implementation_entries
declared_capabilities
resource_requirements
supported_execution_type

Each implementation entry shall include:

implementation_entry_identifier
implementation_kind
artifact_references
runtime_requirements
parameters
interface_identifiers_served
declared_capabilities
resource_requirements
schema_bindings
wasm_package_host_calling_convention_identifier, if WASM
declarative_ruleset_identifier, if declarative

Update ImplementationSnapshot so its DRISL-encoded identity includes:

package_cid
implementation_entry_identifier
implementation_kind
interface_identifiers_served
artifact_cids
runtime_requirements
role_fields
parameters
declared_capabilities
resource_requirements
request_schema_ref
descriptor_config_schema_ref, optional
output_schema_ref, optional
schema_ruleset_identifier
wasm_package_host_calling_convention_identifier, if WASM
declarative_ruleset_identifier, if declarative

Required behavior

The package validator shall reject:

Compatibility

Update the bundled hello-world package to the new manifest shape.

Legacy package support may be retained as an import migration path, but conformance tests for this ticket shall use the new package document model.


2. Implement the baseline package schema ruleset

Current problem

validate_json_schema_subset() in crates/benac-core/src/package.rs is too narrow. It primarily supports object schemas, required fields, additionalProperties, properties, and const. It does not meet the required baseline schema ruleset, which must support objects, arrays, strings, numbers, integers, booleans, nulls, nested schemas, arrays, enums, numeric bounds, string bounds, array bounds, and local/CID-bound references .

Required changes

Create crates/benac-core/src/schema.rs.

Move schema validation out of package.rs.

Define:

SchemaRulesetId
SchemaDocument
SchemaRef
SchemaRegistry
SchemaValidationReport
SchemaValidationError
SchemaValidationContext

Support at least these schema features:

type: object
type: array
type: string
type: number
type: integer
type: boolean
type: null
properties
required
additionalProperties
items
enum
const
nested schemas
minimum
maximum
minLength
maxLength
minItems
maxItems
local definitions/references
CID-bound schema references included in package bundle or capsule

Define explicit behavior for unsupported keywords:

Required validation contexts

Use the same schema engine for:

package manifest validation
request validation
descriptor config validation
output validation
fixture schema validation
package bundle manifest validation
validation report validation
build report validation
package inspection result validation

Acceptance tests

Add schema conformance fixtures for:

object required property
object additionalProperties false
array items
array minItems/maxItems
string minLength/maxLength
number minimum/maximum
integer vs number
boolean
null
enum
const
nested object
local $defs/$ref
CID-bound schema reference
unresolved schema reference
unsupported remote schema URL
unsupported keyword
unsupported schema ruleset
wrong type

3. Implement stable diagnostic records

Current problem

crates/benac-core/src/errors.rs currently exposes BenacError { code, message, object_ref, details }. Existing codes are mostly ad hoc strings such as benac.error.schema_validation_failed.

The new requirements require stable diagnostic structures with classification codes, severity, phase, origin, context references, origin-specific details, raw diagnostic evidence, and redaction/omission metadata .

Required changes

Create crates/benac-core/src/diagnostic.rs.

Define:

DiagnosticRecord
DiagnosticCode
DiagnosticSeverity
DiagnosticPhase
DiagnosticOrigin
DiagnosticContext
RawDiagnosticEvidenceRef
RawEvidenceDisposition

DiagnosticRecord shall include:

object_type
schema_version
stable diagnostic classification code
diagnostic registry/profile identifier
severity
phase or operation class
origin
package CID, optional
descriptor snapshot CID, optional
interface identifier, optional
implementation CID, optional
request snapshot CID, optional
output snapshot CID, optional
schema ruleset identifier, optional
WASM package-host calling convention identifier, optional
resource limit report reference, optional
origin-specific code/message/status/payload, optional
normalized details
raw diagnostic evidence inline or CID/encrypted reference where practical and safe
redaction/truncation/encryption/omission/unavailability metadata
created_at
station principal

Implement at least these diagnostic codes:

package.manifest.invalid
package.unknown_required_field
package.schema_ref.unresolved
schema.unsupported_ruleset
schema.unsupported_keyword
schema.validation_failed
artifact.missing
artifact.cid_mismatch
implementation.unsupported_kind
implementation.snapshot_mismatch
wasm.import_forbidden
wasm.export_missing
wasm.calling_convention_invalid
resource.limit_exceeded
fixture.invalid
fixture.output_mismatch
fixture.effect_mismatch
capability.undeclared
capability.denied
approval.local_public_data_incompatible
diagnostic.unclassified

Required behavior

Do not lose raw or origin-specific failure material when practical and safe.

A stable code shall not replace raw evidence.

Raw evidence shall not replace a stable code for recognized baseline failures.

Convert or wrap BenacError so all package import, validation, build, fixture, invocation, WASM, capability, and resource-limit failures can produce diagnostic records.

Acceptance tests

Add tests proving:


4. Implement package validation reports

Current problem

Package import currently validates enough to support hello-world, but it does not produce the required package validation report. CapsuleInspection is too small and mixes import inspection with trust status.

The new requirements require package validation semantics across authoring tools, Host APIs, CLIs, PWAs, and Agent APIs, including manifest schema conformance, schema ruleset conformance, schema reference resolution, interface declarations, descriptor config schema binding, request/output schema binding, implementation entries, implementation snapshot derivation, artifact references, artifact CID verification, capability declarations, local public-data compatibility, fixtures, docs, unknown required fields, and unsupported required behavior .

Required changes

Create PackageValidationReport in crates/benac-core/src/authoring.rs or inspection.rs.

Package validation shall report:

operation id
tool or Host Implementation identity, where available
package CID, where derivable
manifest validation status
schema validation status
schema ruleset status
schema reference resolution status
interface declaration status
descriptor config schema binding status
request schema binding status
output schema binding status
implementation entry status
implementation snapshot derivation status
artifact reference status
artifact CID verification status, where blobs are present
declared capability status
local public-data compatibility status
fixture schema status
documentation reference status
unknown required field status
unsupported required behavior status
warnings
diagnostic record references
raw diagnostic evidence references, where practical and safe
created_at
station profile reference

Required APIs

Expose validation in core as a pure operation:

validate_package_bundle(...)
validate_package_document(...)
validate_package_capsule(...)

Do not make validation grant trust.

Do not make validation require local approval.

Validation may succeed structurally while local approval remains absent.

Acceptance tests

Add valid and invalid package validation tests for:

hello-world package
calculator package
todo reducer package
notes/text transform package
unknown required manifest field
missing interface
duplicate interface
missing schema
unresolved schema ref
unsupported schema keyword
unsupported schema ruleset
missing implementation artifact
artifact CID mismatch
forbidden capability under local public-data compatibility
unsupported implementation kind
unsupported WASM package-host calling convention
invalid fixture

5. Implement package build reports and authoring build semantics

Current problem

There is no general package build operation. Package artifacts and CIDs are hand-assembled by fixtures. Authors need a build operation that produces the same artifact CIDs, implementation CIDs, package CID, bundle manifest, and build report from the same logical package inputs.

The requirements now explicitly define package build semantics and build reports .

Required changes

Implement a package build operation in core and CLI.

Add:

PackageBuildInput
PackageBuildReport
PackageBundleManifest
PackageBundle

Build shall:

read authoring workspace or structured build input
compute raw blob CIDs over exact artifact bytes
create artifact references
validate schema documents
resolve schema references
derive implementation snapshots
compute implementation CIDs
produce package document logical object
compute package CID over DRISL-encoded package document
include selected schemas/artifacts/fixtures/documentation references
produce package bundle manifest
emit package build report

Authoring-only metadata shall not enter the package document used to compute package CID unless explicitly declared package content.

CLI requirements

Add commands equivalent to:

benac-station package validate <bundle-or-capsule> --json
benac-station package build <workspace-or-build-input> --out <capsule-or-bundle> --json
benac-station package fixtures run <bundle-or-capsule-or-package-cid> --json

Exact command spelling may vary, but the operations must be stable and machine-readable.

Acceptance tests

Build the same calculator package twice from the same inputs and prove:

same raw artifact CIDs
same schema CIDs
same implementation CIDs
same package CID
same bundle manifest
same validation result
same build report semantics

Build an authoring workspace with author-only metadata and prove the package CID does not change when author-only metadata changes.


6. Implement package bundle manifest support

Current problem

crates/benac-core/src/capsule.rs supports capsules with documents and blobs, but there is no package bundle manifest object tying together package document, schemas, artifacts, fixtures, reports, docs, and claims.

The glossary now defines Package Bundle as an importable/exportable collection containing a package manifest plus selected schemas, artifacts, fixtures, claims, documentation, and blobs .

Required changes

Add a first-class PackageBundleManifest.

It shall include:

object_type
schema_version
bundle_manifest_version
package CID
package document reference
schema references
artifact references
fixture references
fixture result references, optional
package validation report references, optional
package build report references, optional
package inspection result references, optional
claim references, optional
documentation references
blob references
integrity metadata
created_at
created_by, optional

Update capsule import/export so package bundles can be imported and inspected from capsules.

Update capsule validation to verify:

package document CID
schema CIDs
artifact CIDs when present
fixture CIDs
report CIDs
claim references without making claims authority
missing blobs
bundle manifest integrity

Acceptance tests

Add tests for:

valid package bundle capsule
metadata-only bundle with missing artifact
bundle with wrong artifact bytes
bundle with wrong schema CID
bundle with external claim that does not change package CID
bundle with validation report
bundle with build report
bundle with fixture result

7. Implement machine-readable package inspection results

Current problem

CapsuleInspection currently contains:

package_cid
claim_count
verified_claim_count
blob_count
trust_status

CLI and PWA inspection show only a small hello-world-oriented summary.

The new requirements require a package inspection data contract containing package CID, manifest version, labels, interfaces, schema refs, validation status, implementations, implementation CIDs, artifact refs, artifact availability, capabilities, compatibility status, storage/compute needs, fixtures, fixture result refs, claims, trust/capability refs, warnings, unsupported fields, missing blobs, resource requirements, and diagnostics .

Required changes

Create:

PackageInspectionResult
PackageInspectionWarning
PackageArtifactAvailability
PackageCompatibilityStatus

Inspection shall include:

package CID
manifest version
label/version label as non-authoritative metadata
interfaces
request/config/output schema references
schema validation status
schema ruleset status
implementations
implementation entry identifiers
implementation snapshot CIDs
implementation kinds
WASM package-host calling convention identifiers
declarative ruleset identifiers
artifact references
artifact availability
declared capabilities
local public-data compatibility status
storage needs
compute needs
fixtures
fixture result references
external claim references where available
trust decision references
capability grant references
warnings
unsupported fields
missing blobs
resource requirements
diagnostic records/codes
created_at
station profile reference

Required behavior

Importing a package shall produce a package inspection result before trust or approval.

Local public-data approval shall reference the inspection result or equivalent inspected fields.

A package with missing artifacts, unsupported WASM package-host calling convention, unsupported schema ruleset, forbidden capabilities, or failed required fixtures shall not receive local public-data approval.

CLI/PWA requirements

Update CLI inspect and PWA package panel to show the inspection result.

The CLI shall support a machine-readable JSON form.

The PWA may render a human summary, but the underlying data contract shall be the same.

Acceptance tests

Inspect the same package through:

core API
CLI JSON output
PWA/runtime API

The resulting inspection data shall be equivalent.


8. Implement generic local public-data package approval

Current problem

The current trust path is hello-world-specific:

The new requirements define generic local public-data package approval, not hello-world approval. The approval must bind package, implementation or selection policy, descriptor scope, interface, data classes, capability identifiers, issuer, auth context, expiry/revocation metadata, and evidence relied upon .

Required changes

Rename public API and data model concepts:

approve_no_risk_hello_world -> approve_local_public_data_package
local_no_risk -> local_public_data
hello_world trust scope -> local_public_data_package_scope

Keep compatibility wrappers only if needed, but do not use hello-world/no-risk names in new command names, UI labels, records, or authoring-facing APIs.

Add:

LocalPublicDataApproval
ApprovalRecordType
ApprovalEvidenceRef

Approval shall bind:

package CID
package inspection result ref or equivalent inspected fields
implementation CID or deterministic implementation-selection policy
descriptor snapshot CID, descriptor scope, or explicit no-descriptor marker
interface identifier
allowed data classes
allowed capability identifiers
issuer principal
authentication context
expiry
revocation metadata
fixture result references relied upon
warnings presented or made available
created_at
station profile reference

Required compatibility checks before approval

Reject local public-data approval when the package:

requires network access
requires remote storage
requires remote compute
requires secrets
requires decryption
requires signing authority
requires native execution
requires file access
requires device access
requires same-origin package JavaScript
requires direct document-store access
requires private blob access
has missing required artifacts
has unsupported schema rulesets
has unsupported implementation kinds
has unsupported WASM package-host calling conventions
has failed required fixtures
has unknown capabilities
has unsupported required behavior markers
exceeds host resource limits

Acceptance tests

Prove that these all use the same approval mechanism:

hello-world
calculator
todo reducer
notes/text transform

Prove rejection for packages requiring:

network
remote storage
remote compute
secrets
decryption
signing
native execution
file access
device access
same-origin package JavaScript
direct document-store access
private blob access
unknown capability

9. Implement local package capability vocabulary validation

Current problem

capability.rs hardcodes a small set of grants:

local_execution
local_blob_read_exact
evidence_emit
effect_emit

There is no package capability vocabulary registry, no local public-data compatibility validation, and no fail-closed handling for unknown capability identifiers at package validation time.

The new requirement defines stable local package capabilities and requires unknown/unsupported capabilities to fail closed .

Required changes

Define a capability vocabulary registry.

For local public-data portable packages, support at least:

local_package_execution
declared_package_artifact_read_by_exact_cid
validated_request_read
validated_descriptor_config_read
output_return
evidence_emit
effect_emit
fixture_execution
package_inspection

Also define known forbidden capability classes for this approval path:

network_fetch
remote_storage
remote_compute
secret_use
decryption
signing
native_execution
file_access
device_access
same_origin_package_javascript
direct_document_store_access
private_blob_access
data_egress
physical_world_effect

Required behavior

Package validation shall detect:

unknown declared capabilities
unsupported declared capabilities
capabilities incompatible with local public-data approval
implementation requesting undeclared capability
effect requesting missing/expired/revoked capability

All such failures shall produce stable diagnostic records.

Acceptance tests

Add tests for:

valid local package capability set
unknown capability identifier
implementation requests undeclared capability
package declares forbidden capability under local public-data compatibility
revoked capability grant
expired capability grant
effect-time mismatch

10. Implement generic invocation input envelopes

Current problem

BrowserStationRuntime::invocation_input() currently constructs a fixed request:

{"message": "hello"}

CLI invoke --request parses JSON but does not actually pass it into the runtime path. Descriptor config is always {}. PWA run buttons do not accept generic request/config. The invocation path has no interface identifier, no descriptor config body, no requested implementation id/CID, no execution type, and no data class.

The new requirements require a versioned invocation input envelope. The glossary defines invocation input envelope as the object supplying package CID, descriptor snapshot/no-descriptor marker, interface identifier, schema references, request body, descriptor config body, requested implementation, execution type, data class, and actor context .

Required changes

Add:

InvocationInputEnvelope
InvocationInputEnvelopeRef
NoDescriptorMarker
ExecutionType
DataClass

The envelope shall include:

object_type
schema_version
package_cid
descriptor_snapshot_cid or explicit no-descriptor marker
interface_identifier
request_schema_ref
descriptor_config_schema_ref, optional
output_schema_ref, optional
request_body
descriptor_config_body, optional
requested_implementation_entry_identifier, optional
requested_implementation_cid, optional
execution_type
data_class
initiating_actor_context, optional
station_profile_ref
created_at

Required behavior

All package invocation surfaces shall use this envelope:

core API
BrowserStationRuntime
PWA runtime
CLI
fixture runner
agent-facing API, where present

The package-visible request and config shall be exactly the validated logical request/config from the envelope and descriptor snapshot.

No package shall receive:

host-local defaults
UI state
debug fields
sync state
availability state
verification state
Couch/Pouch metadata
unvalidated convenience projections

Acceptance tests

Prove request/config parity across:

core direct invocation
CLI invocation
PWA/runtime invocation
fixture runner

Use the same package, same interface, same request, same config, and verify the package observes the same logical objects.

Prove that CLI --request and --config are not ignored.

Prove that the old hardcoded hello-world request is gone from generic invocation paths.


11. Implement request snapshots and output snapshots

Current problem

Invocation code currently computes request CIDs and output CIDs over raw JSON values. That does not bind the package, descriptor, interface, schema, config, implementation, or validation status.

The new terms define Request CID as the CID of a DRISL-encoded request snapshot binding request data to package CID, descriptor snapshot, interface identifier, and schema references; Output CID similarly binds output to package CID, implementation CID, interface identifier, output schema reference, and validation status .

Required changes

Add:

RequestSnapshot
OutputSnapshot

RequestSnapshot shall include:

object_type
schema_version
package_cid
descriptor_snapshot_cid or explicit no-descriptor marker
interface_identifier
request_schema_ref
descriptor_config_schema_ref, optional
request_body
descriptor_config_body, optional

OutputSnapshot shall include:

object_type
schema_version
package_cid
implementation_cid
interface_identifier
output_schema_ref, optional
output_body
validation_status

Compute CIDs over DRISL-encoded snapshots.

Update invocation records to reference request/output snapshots rather than raw request/output CIDs.

Acceptance tests

Prove:

same request JSON + different package CID => different request snapshot CID
same request JSON + different interface => different request snapshot CID
same request JSON + different descriptor config => different request snapshot CID
same output JSON + different implementation CID => different output snapshot CID
same output JSON + invalid validation status => different output snapshot CID

12. Update invocation records to match the new field requirements

Current problem

InvocationRecord lacks required fields from the new requirements:

Required changes

Update InvocationRecord to include:

invocation_id
station_principal
initiating_actor_principal, optional
station_profile
package_cid
descriptor_snapshot_cid or explicit no-descriptor marker
interface_identifier
selected_implementation_entry_identifier
selected_implementation_cid
requested_implementation_identifier, optional
skipped_implementations_with_reasons
request_snapshot_cid or inline request snapshot
output_snapshot_cid or inline output snapshot, optional
request_schema_ref
descriptor_config_schema_ref, optional
output_schema_ref, optional
trust_decision_ref
capability_grant_refs
storage_lease_refs
compute_lease_refs
validation_report_ref, optional
resource_limit_report_ref, optional
start_time
finish_time
status
evidence_refs
effect_refs
validation_status
diagnostic_record_refs
raw_diagnostic_evidence_refs
failure_details

Replace skipped_implementations: Vec<String> with structured records:

SkippedImplementation {
    implementation_entry_identifier,
    implementation_cid,
    reason_code,
    diagnostic_ref,
}

Acceptance tests

Validate invocation record shape for:

successful declarative invocation
successful WASM invocation
request validation failure
descriptor config validation failure
output validation failure
missing artifact
unsupported implementation
requested implementation mismatch
resource limit exceeded
capability denied
local public-data approval missing

13. Implement deterministic implementation selection

Current problem

Implementation selection currently chooses the first implementation matching a kind. CLI and PWA expose separate “run declarative” / “run WASM” buttons, not a generic implementation selection mechanism. Requested implementation id/CID is not supported.

The requirements now say invocation may request an implementation entry identifier or implementation CID, otherwise the Host Implementation shall apply deterministic selection based on package declaration, artifact availability, platform compatibility, trust, capability grants, resource limits, and local policy. Selected and skipped implementations with reasons must be recorded .

Required changes

Create an implementation selection module:

ImplementationSelector
ImplementationSelectionRequest
ImplementationSelectionResult
SkippedImplementationReason

Selection inputs:

package document
interface identifier
requested implementation entry id, optional
requested implementation CID, optional
artifact availability
host supported implementation kinds
host supported WASM package-host calling conventions
host supported declarative rulesets
trust decisions
capability grants
resource limits
local policy

Selection output:

selected implementation entry id
selected implementation CID
selected implementation snapshot
skipped implementations with stable reason codes
diagnostic refs
fallback policy used, if any

Required behavior

If a requested implementation is supplied:

If no requested implementation is supplied:

Do not silently fall back.

Acceptance tests

Add a multi-implementation package with:

one valid declarative implementation
one valid WASM implementation
one missing-artifact implementation
one unsupported-kind implementation
one resource-exceeding implementation

Test selection with:

no requested implementation
requested declarative id
requested WASM id
requested missing-artifact id
requested unsupported id
requested implementation CID
fallback disabled
fallback explicitly enabled

14. Implement descriptor config handling

Current problem

Descriptors currently contain only package_cid, config, timestamps, and station principal. Runtime creates descriptors with {} config. Descriptor config validation uses the narrow schema subset.

Required changes

Update DescriptorSnapshot to include:

object_type
schema_version
package_cid
descriptor_config_body
descriptor_config_schema_ref
schema_ruleset_identifier
interface_scope, optional
created_at
created_by_station_principal
validation_status
diagnostic_record_refs

Support explicit no-descriptor marker for packages/interfaces that require no descriptor config.

Validate descriptor config using the new schema ruleset.

Bind descriptor config to request snapshots.

Acceptance tests

Add tests for:

interface requiring no descriptor config
interface requiring descriptor config
valid descriptor config
invalid descriptor config
same request with different descriptor config produces different request snapshot CID
descriptor config supplied through CLI/PWA/core/fixture parity

15. Implement resource limits and resource limit reports

Current problem

There are no central resource-limit semantics. WASM execution does not enforce artifact size, request/config/output size, memory, time/fuel, logs, evidence size, or effect size. Declarative execution likewise lacks central limits.

The requirements now require resource-limit semantics and Station Profile publication of limits .

Required changes

Create crates/benac-core/src/resource_limits.rs.

Define:

ResourceLimits
ResourceLimitReport
ResourceLimitDecision
ResourceLimitKind

Support at least:

package manifest size
schema size
fixture size
artifact size
request size
descriptor config size
output size
WASM memory pages or bytes
execution time or fuel
log size
evidence record size
effect record size

Station Profile shall publish supported limits.

Package may declare resource requirements.

Invocation shall fail closed when declared or actual requirements exceed supported or granted limits.

Acceptance tests

Add tests for:

oversized manifest
oversized schema
oversized fixture
oversized artifact
oversized request
oversized config
oversized output
WASM excessive memory
WASM timeout/fuel exhaustion
excessive logs
excessive evidence
excessive effects
declared requirement above host limit

Each failure shall produce:

resource.limit_exceeded diagnostic
resource limit report
invocation or validation record

16. Implement WASM package-host calling convention validation

Current problem

crates/benac-browser/src/wasm_runner.rs still uses benac.wasm_abi.v0.hw1. It checks imports and verifies exports mostly at execution time. It does not publish or validate a new package-host calling convention id, does not enforce resource limits, and does not use stable diagnostics.

The new requirements require a versioned baseline local WASM package-host calling convention, required module format, allowed/forbidden imports, required exports, memory behavior, input/output encoding, error behavior, allocation/free conventions, implementation snapshot fields, and conformance vectors .

Required changes

Rename and define a public supported calling convention identifier, for example:

benac.wasm.package_host.v1

Use the exact value chosen by the spec records or conformance suite. Do not keep hw1 in public package-facing identifiers.

Validation shall check before approval/invocation:

artifact CID matches exact bytes
artifact size within limit
module parses
imports are allowed
forbidden imports rejected
required exports exist
required memory export exists
alloc export exists
dealloc export exists
benac_invoke export exists
calling convention id supported
declared memory requirements within host limits

Execution shall enforce:

max input bytes
max config bytes
max output bytes
max memory pages/bytes
execution fuel or timeout
no ambient imports
stable error behavior

Set fuel/time/memory limits before instantiation and before any module start behavior can consume unbounded resources.

Required diagnostics

Map failures to:

artifact.cid_mismatch
artifact.missing
wasm.import_forbidden
wasm.export_missing
wasm.calling_convention_invalid
resource.limit_exceeded
diagnostic.unclassified

Acceptance tests

Add WASM conformance packages for:

valid calculator
valid todo reducer
forbidden import
missing memory export
missing alloc export
missing dealloc export
missing benac_invoke export
wrong calling convention id
oversized artifact
oversized output
memory limit exceeded
fuel/time exceeded
invalid UTF-8 output
invalid JSON output
output schema validation failure

17. Implement declarative implementation ruleset validation

Current problem

declarative.rs supports a small transform shape but does not expose a versioned declarative ruleset, schema ruleset interaction, descriptor config binding, resource limits, diagnostics, or conformance vectors.

Required changes

Define a declarative implementation ruleset identifier, for example:

benac.declarative_transform.v1

The declarative ruleset shall define:

supported operations
request binding
descriptor config binding
output mapping
unsupported operation behavior
evidence behavior
effect behavior
error behavior
resource-limit behavior
diagnostic behavior

Package validation shall reject unsupported declarative rulesets and unsupported declarative operations.

Invocation shall use the same generic envelope, request validation, descriptor config validation, implementation selection, output validation, evidence/effect recording, diagnostics, and resource limits as WASM.

Acceptance tests

Add declarative packages for:

hello-world
calculator
todo reducer
notes/text transform
invalid request
invalid config
unsupported operation
oversized output
output schema failure

18. Implement fixture schema, fixture runner, and fixture result records

Current problem

Fixtures are untyped values in package manifests, and crates/benac-fixtures/src/hello_world.rs only models a minimal hello-world fixture with request and expected output. There is no generic fixture runner.

The new requirements define fixture schema, fixture execution semantics, and fixture result records. Fixture execution must use the same validation, implementation selection, input boundary, output validation, evidence/effect recording, capability mediation, failure behavior, and diagnostics as ordinary invocation .

Required changes

Create crates/benac-core/src/fixture.rs.

Define:

Fixture
FixtureExpectedResult
FixtureExpectedImplementation
FixtureExpectedOutput
FixtureExpectedEvidenceEffect
FixtureExpectedDiagnostic
FixtureResult
FixtureRunner

A fixture shall include:

fixture identifier
package-under-test reference
descriptor config or descriptor snapshot ref, optional
interface identifier
request body or request ref
expected validation result
expected selected implementation or allowed implementation set
expected output body or output ref, where deterministic
expected evidence/effect classes
expected denied effects, where applicable
expected diagnostic classification codes, where failure is intended
expected diagnostic evidence behavior
fixture data class
fixture purpose

Fixture execution shall:

use the same invocation input envelope as ordinary invocation
use the same request validation
use the same descriptor config validation
use the same implementation selection
use the same package-visible input boundary
use the same output validation
use the same evidence/effect recording
use the same capability mediation
use the same diagnostic behavior
not perform real network/storage/compute/secrets/decryption/signing/native/file/device/physical-world effects unless fixture declares supported mock/playback behavior

Fixture result shall include:

fixture identifier
package CID
descriptor snapshot CID, optional
implementation CID
request snapshot CID
output snapshot CID, optional
validation results
evidence/effect refs
pass/fail status
diagnostic refs
Station Profile ref
execution type
timestamps

Required commands and UI/API

Expose fixture execution in:

core API
CLI
PWA/runtime API
agent-facing API, where present

Acceptance tests

Add fixtures and runner tests for:

hello-world
calculator
todo reducer
notes/text transform
invalid request expected failure
invalid config expected failure
output mismatch
effect mismatch
forbidden network attempt expected denied effect
missing artifact
unsupported schema keyword
resource-limit failure

19. Update CLI package commands

Current problem

apps/station-cli is still hello-world-centered:

Required changes

Update CLI commands.

Required operations:

benac-station package validate <bundle-or-capsule> --json
benac-station package build <workspace-or-build-input> --out <bundle-or-capsule> --json
benac-station package fixtures run <bundle-or-capsule-or-package-cid> --json
benac-station package inspect <package-cid-or-local-alias> --json
benac-station package approve-local-public-data \
  --package <cid-or-local-alias> \
  --interface <interface-id> \
  [--descriptor-config <json-or-@file>] \
  [--implementation <entry-id-or-cid>] \
  [--fixture-result <ref>] \
  --json

benac-station package invoke \
  --package <cid-or-local-alias> \
  --interface <interface-id> \
  --request <json-or-@file> \
  [--descriptor-config <json-or-@file>] \
  [--implementation <entry-id-or-cid>] \
  [--json]

Exact command spelling may differ, but semantics shall exist.

Required behavior

CLI shall:

resolve local aliases to exact package CIDs
record exact package CID, not label
accept arbitrary JSON request bodies
accept arbitrary JSON descriptor config bodies
validate request/config/output through schema ruleset
allow requested implementation id/CID
use generic implementation selection
return package validation reports
return package inspection results
return fixture results
return invocation records
return diagnostics

Remove the hardcoded package != "hello-world" rejection.

Remove the discarded --request behavior.

Acceptance tests

CLI tests shall cover:

validate calculator package
build calculator package
run calculator fixtures
inspect calculator package JSON
approve calculator local public-data
invoke calculator add request
invoke todo reducer request
invoke notes/text transform request
wrong interface request fails
requested missing implementation fails
unknown capability fails validation/approval

20. Update PWA runtime and UI for generic package handling

Current problem

The PWA runtime and UI are hello-world-specific:

Required changes

Update apps/pwa/src/station_runtime.rs and UI panels.

PWA shall support:

import arbitrary package bundle/capsule
validate package
inspect package using PackageInspectionResult
show missing blobs and unsupported behavior
show schema rulesets
show package interfaces
show request/config/output schema refs
show implementations and implementation CIDs
show artifact availability
show capabilities and local public-data compatibility
show resource requirements
run package fixtures
approve local public-data package execution
invoke selected interface with JSON request
provide descriptor config JSON where needed
select requested implementation or deterministic selection
show invocation record
show request/output snapshot CIDs
show diagnostics
show fixture results

UI requirements

Add or update panels:

Package panel: show full inspection result.
Invocation panel: interface selector, request editor, descriptor config editor, implementation selector, run button.
Trust panel: local public-data approval, not no-risk/hello-world.
Fixture panel: run fixtures and show fixture result records.
Diagnostics panel or trace detail: show stable diagnostic codes and raw/origin evidence disposition.

Acceptance tests

Browser/PWA-level tests or equivalent runtime tests shall prove:

arbitrary package import
package inspection result displayed
local public-data approval references inspection
request/config invocation parity with CLI/core
fixture execution
wrong request rejected before execution
unsupported package cannot be approved
missing artifact reported

21. Update Station Profile publication

Current problem

station_profile.rs still exposes browser_hw1() and ubuntu_cli_hw1() and lacks the new support/limit fields.

The new requirements require Station Profiles to publish supported manifest versions, schema rulesets, implementation kinds, declarative rulesets, WASM package-host calling conventions, resource limits, validation/build/fixture/inspection support, and package execution behavior.

Required changes

Update StationProfile to include:

supported_package_manifest_versions
supported_schema_rulesets
supported_implementation_kinds
supported_declarative_rulesets
supported_wasm_package_host_calling_conventions
max_package_manifest_size
max_schema_size
max_fixture_size
max_artifact_size
max_request_size
max_descriptor_config_size
max_output_size
max_wasm_memory
execution_timeout_or_fuel_policy
max_log_size
max_evidence_record_size
max_effect_record_size
package_validation_support
package_build_support
fixture_runner_support
package_inspection_api_support
local_public_data_approval_support
supported_diagnostic_registry_versions

Rename public constructors:

browser_hw1 -> browser_baseline
ubuntu_cli_hw1 -> ubuntu_cli_baseline

Remove hw1 from public Station Profile values used in new flows.

Acceptance tests

Station Profile tests shall verify:

browser profile publishes schema ruleset support
browser profile publishes WASM calling convention support
browser profile publishes package validation support
browser profile publishes fixture runner support
browser profile publishes package inspection support
CLI profile publishes package build support if implemented
resource limits appear and are enforced

22. Update persistence and hydration

Current problem

CLI persistence rehydrates old trust/capability/descriptor tuples. New records will include package inspection results, validation reports, fixture results, request/output snapshots, local public-data approvals, diagnostics, and resource limit reports.

Required changes

Update persistence schema and hydration for:

PackageInspectionResult
PackageValidationReport
PackageBuildReport
PackageBundleManifest
Fixture
FixtureResult
InvocationInputEnvelope
RequestSnapshot
OutputSnapshot
DiagnosticRecord
ResourceLimitReport
LocalPublicDataApproval
updated TrustDecision
updated CapabilityGrant
updated InvocationRecord
updated DescriptorSnapshot

Required behavior

Hydration shall:

keep replicated/imported authority inactive unless local policy accepts it
not activate local public-data approval from foreign imported records
preserve historical old hello-world records as historical traces where possible
not use old no-risk approval records for new package approval unless explicitly migrated

Acceptance tests

Add persistence tests:

create package inspection result, restart, inspect still available
create validation report, restart, report still available
run fixture, restart, fixture result still available
approve local public-data, restart, approval still active if locally issued and unexpired
import foreign approval, restart, approval remains inactive
invoke package, restart, invocation/request/output snapshots remain inspectable

23. Update package fixtures and conformance packages

Current problem

The fixture crate only supports hello-world. The conformance suite does not yet cover the new package-authoring requirements: calculator, todo reducer, notes/text transform, expanded schemas, generic request/config parity, package validation/build reports, fixture runner, package inspection contract, resource limits, and implementation selection.

The updated conformance requirement now explicitly lists these conformance package categories .

Required changes

Update crates/benac-fixtures to generate:

hello-world package, updated to new manifest
calculator package
todo reducer package
notes reducer or text transform package
invalid schema package
missing artifact package
forbidden WASM import package
unsupported schema keyword package
fixture mismatch package
resource-limit package
generic request/config package
multi-implementation package
package inspection comparison package
local public-data approval package
diagnostic raw-evidence packages

Each fixture package shall include:

package document
schemas
schema ruleset identifiers
interfaces
implementations
artifacts
fixtures
bundle manifest
expected validation reports where applicable
expected inspection result shape where applicable
expected diagnostics for negative fixtures

Acceptance tests

Conformance suite shall verify:

package CID stability
schema CID stability
implementation CID stability
artifact CID verification
package validation reports
package inspection results
fixture execution
request/config invocation parity
request/output snapshots
local public-data approval
implementation selection
resource limits
diagnostic records
no hidden hello-world defaults

24. Update import/export capsules

Current problem

Capsule import/export does not yet include the new package-authoring logical objects: package bundle manifests, validation reports, build reports, fixtures, fixture results, request snapshots, output snapshots, package inspection results, local public-data approvals, diagnostic records, schema ruleset identifiers, WASM package-host calling convention identifiers, and resource limit reports.

Required changes

Capsule import/export shall support these object types:

package_bundle_manifest
package_validation_report
package_build_report
fixture
fixture_result
request_snapshot
output_snapshot
package_inspection_result
local_public_data_approval
diagnostic_record
schema_ruleset
wasm_package_host_calling_convention
resource_limit_report

Required behavior

Capsule validation shall:

verify CIDs for structured objects
verify blob bytes when present
preserve missing blob reporting
preserve diagnostics
not activate imported local approvals automatically
not make package claims authority
not treat validation/build reports as authority outside local policy

Acceptance tests

Add capsule round-trip tests:

export package bundle with validation report
import package bundle with validation report
export fixture results
import fixture results
export invocation with request/output snapshots
import invocation with request/output snapshots
import capsule with foreign local_public_data_approval and keep inactive
tamper with validation report and detect CID mismatch

25. Remove old hello-world/no-risk/HW1 public behavior

Current problem

Several code paths still expose hello-world/no-risk/HW1 as public package semantics:

approve_no_risk_hello_world
local_no_risk
TrustScope::hello_world
CapabilityGrant::local_no_risk
benac.wasm_abi.v0.hw1
browser_hw1
ubuntu_cli_hw1
CLI “only hello-world supported”
PWA “Approve no-risk”

Required changes

Replace public-facing names and record values with generic names:

local_public_data
local_public_data_package
local_public_data_approval
baseline local WASM package-host calling convention
browser_baseline
ubuntu_cli_baseline

The hello-world package may remain a conformance package, but it shall no longer define the generic approval, invocation, package model, or WASM interface semantics.

Acceptance tests

Search the codebase for these strings:

approve_no_risk
local_no_risk
hello_world approval
HW1
hw1
only hello-world supported

Allowed remaining uses:

legacy migration tests
historical fixture names
hello-world conformance package name
comments explicitly marked legacy

No new package-handling behavior shall depend on them.

Just remove it, actually. We dont need that cruft. It served its purpose, and will stay in the git log and git history. We dont need or want backwards compatability. or to lug forward heratage code, or bloat our system with fallbacks and compatability modes and such nonsense.


26. Add agent/API-compatible surfaces where present

Current problem

The requirements call for machine-readable APIs for package inspection, validation reports, build reports, fixture results, traces, diagnostics, and host capability metadata. The current implementation is mostly CLI/PWA UI, not a clean API surface.

Required changes

Where a machine-readable runtime API already exists, expose:

validate_package
build_package, if supported
run_package_fixtures
inspect_package
approve_local_public_data_package
invoke_package
list_diagnostics
get_validation_report
get_build_report
get_fixture_result
get_invocation_trace
get_station_profile

Responses shall use the same underlying core data structures as CLI and PWA.

Acceptance tests

The same package shall produce equivalent results through:

core API
CLI JSON
PWA/runtime API
agent-facing API, if present

27. Implementation order

Developers shall implement in this order.

Phase 1 — Core data contracts

  1. Add diagnostic records.
  2. Add schema ruleset module.
  3. Update package document/interface/implementation model.
  4. Update implementation snapshot identity.
  5. Add resource limit model.
  6. Add package validation/build/inspection/fixture/result data structures.

Phase 2 — Package validation and inspection

  1. Implement package validation reports.
  2. Implement package inspection results.
  3. Implement package bundle manifests.
  4. Update capsule import/export.
  5. Update Station Profile support/limits.

Phase 3 — Generic invocation

  1. Add invocation input envelope.
  2. Add request/output snapshots.
  3. Update invocation record fields.
  4. Centralize invocation pipeline.
  5. Add deterministic implementation selection.
  6. Add descriptor config validation.
  7. Update local public-data approval.
  8. Update capability vocabulary validation.

Phase 4 — Execution engines

  1. Update declarative ruleset.
  2. Update WASM package-host calling convention.
  3. Add WASM validation at package validation/inspection time.
  4. Add resource-limit enforcement.
  5. Add stable diagnostics for execution failures.

Phase 5 — Tooling/UI/API

  1. Update CLI package commands.
  2. Update PWA package inspection and invocation UI.
  3. Add fixture runner surfaces.
  4. Add package build/validate surfaces.
  5. Update persistence/hydration.

Phase 6 — Fixtures and conformance

  1. Upgrade hello-world fixture.
  2. Add calculator package.
  3. Add todo reducer package.
  4. Add notes/text transform package.
  5. Add negative conformance packages.
  6. Add package inspection comparison.
  7. Add local public-data approval conformance.
  8. Add diagnostics conformance.
  9. Run full conformance suite.

28. Final acceptance criteria

This ticket is complete when all of the following are true.

Package model

Schema validation

Package validation/build

Inspection

Approval/capability

Invocation

WASM

Fixtures

CLI/PWA/API

Conformance

Build/test


Final developer instruction

Do not broaden the scope to cryptography, key wrapping, remote storage, remote compute, secret handling, or private data workflows. For this ticket, implement enough package ingestion and handling logic to make local public-data portable packages interoperable, inspectable, testable, approvable, invokable, and auditable under the new requirements.

Proposed resolution

Iter-7 — both remaining business-logic blockers landed

Caller iter-6 review limited the remaining scope to two business-logic blockers. Both are closed.

Branch state

4cc1535 feat(core+conformance): iter-7 blocker A — enforce remaining ResourceLimitKind variants + cover 14
e27cdbf refactor(station-cli): iter-7 blocker B - retire top-level approve and bind tests to generic path
82f1de3 docs(report): iter-6 closeout — refresh to current commit + 127 conformance + 540 workspace
a7ab7f2 fix(conformance+build): make wasm32 build green by gating CLI surface to native-only
a1aa6b2 docs(core+browser+pwa): iter-6 blocker 9 - strip ticket-archaeology prose

61 commits ahead of gitlab/main at push time. Deploy SHA 4cc1535, PWA bundle benac-pwa-2bbd0f4e87e53136.js, all 11 health probes 200, local↔public bundle hash match.

Blocker A — every required ResourceLimitKind enforced + conformance proof

All 12 limit kinds the requirements list now have kernel enforcement and a conformance check that drives the failure path. Per-kind matrix:

KindField on ResourceLimitsEnforce siteConformance check
PackageManifestSizemax_package_manifest_sizecrates/benac-core/src/invocation.rs step 3resource_limit_oversized_manifest_emits_resource_limit_exceeded
SchemaSizemax_schema_sizeinvocation.rs steps 4 / 5 / 11aresource_limit_oversized_request_schema_emits_*, *_descriptor_config_schema_emits_*
FixtureSizemax_fixture_sizeNEW crates/benac-core/src/fixture_runner.rs step 0NEW resource_limit_oversized_fixture_emits_resource_limit_exceeded
ArtifactSizemax_artifact_sizeinvocation.rs step 10aresource_limit_oversized_artifact_emits_*
RequestSizemax_request_sizeinvocation.rs step 4resource_limit_oversized_request_body_emits_*
DescriptorConfigSizemax_descriptor_config_sizeinvocation.rs step 5resource_limit_oversized_descriptor_config_body_emits_*
OutputSizemax_output_sizeinvocation.rs step 11bresource_limit_oversized_output_body_emits_*
WasmMemoryBytes / WasmMemoryPagesmax_wasm_memory_bytes / max_wasm_memory_pagesbenac_browser::wasm_runner + NEW kernel runner-error foldNEW resource_limit_wasm_memory_pages_exceeded_emits_resource_limit_exceeded
ExecutionFuelmax_execution_fuelwasm_runner + runner-error foldNEW resource_limit_wasm_execution_fuel_exceeded_emits_resource_limit_exceeded
ExecutionTimeMicrosmax_execution_time_microshost runner + same fold path as fuel/memoryimplicit via shared fold path; not a separate check
LogSizemax_log_sizeNEW invocation.rs success-path tail + finalize_failure_stateNEW resource_limit_oversized_log_emits_resource_limit_exceeded
EvidenceRecordSizemax_evidence_record_sizeNEW invocation.rs success-path filterNEW resource_limit_oversized_evidence_record_emits_resource_limit_exceeded
EffectRecordSizemax_effect_record_sizeNEW invocation.rs success-path filterNEW resource_limit_oversized_effect_record_emits_resource_limit_exceeded

Every gate emits resource.limit_exceeded with the matching ResourceLimitKind in the diagnostic stream and folds the breach into the invocation's ResourceLimitReport (overall_decision = Exceeded, at least one observation pinning the breached kind). Evidence/Effect/Log gates run on success-path too: oversized records are dropped from the audit stream and a diagnostic fires, but the invocation status is not flipped to denied (per the "fail closed for the offending record, not for the whole invocation" semantic).

Kernel runner-error fold: the new observation_from_runner_error helper in crates/benac-core/src/invocation.rs recognizes the wasm runner's BenacError(RESOURCE_LIMIT_EXCEEDED, details: { kind, observed, limit }) shape and folds it into the invocation's ResourceLimitReport so wasm-engine-detected limits surface the same way kernel-detected ones do. Conformance checks for the wasm gates use a synthetic runner closure that emits the same error shape (the conformance crate cannot link a real wasm engine).

Suite count went from 8 → 14 in crates/benac-conformance/src/resource_limit_suite.rs; full conformance suite went 127 → 133 / 133 / 0.

Blocker B — every hello-world-specific approval surface removed

Removed:

The only public CLI approval surface now is the generic:

benac-station --state <dir> package approve-local-public-data \
  --package <cid-or-alias> --interface <interface-id> \
  [--descriptor-config <json-or-@file>] \
  [--implementation <entry-id-or-cid>] \
  [--fixture-result <cid>] [--json]

benac-station --help no longer lists approve at the top level (only init, profile, import, inspect, traces, reset, sync, package, help).

New gate 7 in scripts/check-cid-grep-gates.sh

Bans the retired hello-world-bound approval identifiers from production source: approve_no_risk, local_no_risk, ApproveKind::HelloWorld, approve_hello_world, the standalone token hw1, and the diagnostic string "only hello-world supported". Allowlist scoped to crates/benac-fixtures/ and crates/benac-conformance/ because hello-world remains a legitimate test fixture under those crates. Gate currently passes:

$ bash scripts/check-cid-grep-gates.sh
OK: all CID grep gates pass
$ rg -n 'approve_no_risk|local_no_risk|approve_hello_world|TrustScope::hello_world|CapabilityGrant::local_no_risk|browser_hw1|ubuntu_cli_hw1|ApproveKind::HelloWorld' apps crates
exit=1   (no matches)
$ rg -nw 'hw1' apps crates
exit=1   (no matches)

Cross-package generic-API equivalence

The four positive checks in local_public_data_approval_suite now drive the explicit approve_local_public_data_package_with_params surface for every positive package (hello-world, calculator, todo_reducer, notes_transform), each binding to the package's first declared interface and pinning the just-collected fixture-result CIDs. Cross-package generic-API equivalence is now visible in source rather than hidden behind a no-arg convenience wrapper.

New CLI integration tests in apps/station-cli/tests/package_commands.rs:

Iter-7 final state

$ cargo fmt --all --check                                              clean
$ cargo clippy --workspace --all-targets -- -D warnings                clean
$ cargo check -p benac-pwa --target wasm32-unknown-unknown             clean
$ cargo test --workspace                                               543 passed (was 540)
$ cargo run -p benac-conformance --example print_suite | tail -1       checks=133 passed=133 failed=0 (was 127)
$ bash scripts/check-cid-grep-gates.sh                                 OK: all CID grep gates pass (gates 1-7)
$ bash scripts/check-no-canonical-in-source.sh                         OK: no banned terminology in source

Deploy

=== Deploy complete ===
Build sha:           4cc1535a39df9cc215893331e795479a46ff4cf1
PWA bundle:          benac-pwa-2bbd0f4e87e53136.js
Public PWA:          https://benac.benac.dev/

Out-of-scope items (per caller's iter-7 directive)

The caller said "Do not spend more time on closeout-report polish, ticket archaeology, docs cleanup, or evidence-packet formatting in this ticket." The closeout report at docs/reports/local-public-data-packages-closeout.md was last refreshed at iter-6 (82f1de3), so it cites SHA a7ab7f2, bundle benac-pwa-e0410586dee2f041.js, 540 workspace, 127 conformance — those numbers are now 4cc1535 / benac-pwa-2bbd0f4e87e53136.js / 543 / 133. Per the scope directive, the closeout was not refreshed in this iteration. The current numbers are recorded here in the ticket history.

Holding for caller acceptance, anticipating more blockers per the standing directive — not assuming closure.

History (33 events)

Sign in as a human to drive this ticket from the page, or use the MCP tools.

← all tickets · home