Sign in to edit tickets from this page.

← all tickets · home

Update Benac package-authoring requirements and glossary for local public-data portable packages

resolved dc3af413-dc52-4b70-afd0-527af9270195

created_at
2026-05-04
updated_at
2026-05-04
priority
P1
resolved_at
2026-05-04
resolution
accepted

Body

Ticket: Update Benac package-authoring requirements and glossary for local public-data portable packages

Type

Specification / requirements / terms update only.

Scope

Update the Benac System Requirements Specification source records and Terms and Definitions source records so independent implementations can interoperate on local public-data portable packages.

Do not change runtime behavior, CLI behavior, PWA behavior, package business logic, tests, package examples, Rust code, TypeScript code, WASM code, or generated build artifacts by hand.

The generated SyRS says to edit records/req.*/*.md and run npm run build:syrs . The generated glossary says to edit records/term.*/*.md and run npm run build:glossary . Follow that record-based workflow.


Non-goals

Do not implement package execution changes.

Do not implement generic request/config runtime behavior.

Do not implement package build commands.

Do not implement fixture execution.

Do not implement schema validation changes.

Do not implement WASM execution changes.

Do not implement package inspection UI/API changes.

Do not write a package authoring guide.

Do not add roadmap shorthand, maturity-level shorthand, numeric station tiers, or unexplained acronyms to requirements.


Required language rule

Use plain English in all new or amended requirements.

Remove numeric station-level shorthand from every requirement touched by this ticket.

Do not use C1, C3, C4, or equivalent station-level shorthand in any requirement statement, rationale, verification text, section heading, or new term definition.

Do not use ABI as the reader-facing term. Use:

WASM package-host calling convention

or:

WASM package-host interface

Use “Application Binary Interface” only if a developer-only note is absolutely necessary. Prefer not to use it at all.


1. Remove numeric station-level shorthand from existing requirements

Update the following existing requirement records.

1.1 Amend records/req.benac-pkg-006/benac-pkg-006.md

Requirement title

Keep:

BENAC-PKG-006 - Portable package profile

Replace statement with

Statement: Baseline portable packages shall provide declarative and/or WASM implementations that can run locally on supported browser and desktop Host Implementations without native binaries, subprocesses, containers, Kubernetes, raw sockets, unrestricted filesystem access, direct document-store access, same-origin package JavaScript, remote storage, remote compute, provider-specific services, or server-side execution.

Replace rationale with

Rationale: Portable packages must be usable across ordinary Benac hosts without relying on privileged platform features or external infrastructure.

Replace verification with

Verification: A portable conformance package imports, validates, receives local approval, runs fixtures, invokes successfully, validates output, and produces comparable invocation, evidence, and effect records on browser and desktop Host Implementations.


1.2 Amend records/req.benac-exec-001/benac-exec-001.md

Requirement title

Keep:

BENAC-EXEC-001 - Declarative execution baseline

Replace statement with

Statement: Benac shall support a baseline declarative package implementation type for local package execution. The declarative implementation type shall define exact supported operations, request binding, descriptor config binding, validation behavior, output mapping, evidence recording, effect recording, error behavior, unsupported-operation behavior, and conformance vectors.

Replace rationale with

Rationale: Independent implementations need the same behavior for declarative packages, not merely the same label.

Replace verification with

Verification: Declarative conformance packages for hello-world, calculator, todo reducer, notes reducer, and invalid-input behavior produce equivalent outputs, validation failures, evidence records, and effect records across conforming implementations.


1.3 Amend records/req.benac-exec-002/benac-exec-002.md

Requirement title

Keep:

BENAC-EXEC-002 - WASM execution baseline

Replace statement with

Statement: Benac shall support baseline local WASM package execution through a host-mediated package interface. The WASM execution baseline shall define the required WASM package-host calling convention, allowed imports, forbidden imports, required exports, memory behavior, input encoding, output encoding, error behavior, and conformance vectors.

Replace rationale with

Rationale: WASM portability requires a shared package-host calling convention, not just agreement that WASM exists.

Replace verification with

Verification: WASM conformance packages for hello-world, calculator, todo reducer, invalid output, forbidden import, and resource-limit behavior produce equivalent results and diagnostics across conforming implementations.


1.4 Amend records/req.benac-exec-005/benac-exec-005.md

Requirement title

Keep:

BENAC-EXEC-005 - Native/container execution optional

Replace statement with

Statement: Native binary, subprocess, container, Kubernetes-backed, GPU, device-specific, or other privileged execution may be supported by Host Implementations as explicitly declared optional behavior, but shall not be required for baseline portable package execution.

Replace rationale with

Rationale: Portable package behavior must not depend on privileged host features.

Replace verification with

Verification: Baseline portable conformance packages run successfully on Host Implementations that do not support native binaries, subprocesses, containers, Kubernetes, GPU, or device-specific execution.


1.5 Amend records/req.benac-int-005/benac-int-005.md

Requirement title

Keep:

BENAC-INT-005 - Same portable package behavior

Replace statement with

Statement: A portable package that passes baseline package conformance shall behave consistently across conforming Host Implementations except where a Host Implementation’s published Station Profile explicitly states a supported limit or unavailable optional feature, and the invocation record captures the resulting decision or failure.

Replace rationale with

Rationale: Package authors need packages to import, inspect, validate, test, approve, invoke, and audit the same way across implementations.

Replace verification with

Verification: The same portable package bundle produces equivalent package CIDs, validation results, implementation selection records, outputs, fixture results, diagnostics, and invocation, evidence, and effect trace shapes across conforming Host Implementations.


1.6 Amend records/req.benac-stor-021/benac-stor-021.md

Requirement title

Keep:

BENAC-STOR-021 - Storage interface

Replace statement with

Statement: Benac implementations that support remote storage shall provide interfaces for Storage Station offer import and inspection, Storage Station authentication, storage descriptor creation, storage lease creation, blob and chunk presence checking, retrieval, upload, pin, unpin, encrypted backup, location claim handling, storage receipt handling, authentication-context handling, and integrity failure reporting. Provider-specific storage APIs shall be package behavior or optional extension behavior, not Benac Core behavior.

Replace rationale with

Rationale: Remote storage support needs stable Benac semantics without putting provider-specific APIs in Benac Core.

Replace verification with

Verification: Storage interface conformance tests exercise offer import, authentication, lease creation, blob retrieval by CID, encrypted backup, receipts, and integrity-failure reporting.


1.7 Amend records/req.benac-comp-011/benac-comp-011.md

Requirement title

Keep:

BENAC-COMP-011 - Compute interface

Replace statement with

Statement: Benac implementations that support remote compute shall provide interfaces for Compute Station offer import and inspection, Compute Station authentication, compute descriptor creation, compute plan review, compute lease creation, data-staging coordination, remote invocation, remote evidence handling, replay protection, remote output validation, and plaintext disclosure recording. Provider-specific compute APIs shall be package behavior or optional extension behavior, not Benac Core behavior.

Replace rationale with

Rationale: Remote compute support needs stable Benac semantics without putting provider-specific compute protocols in Benac Core.

Replace verification with

Verification: Compute interface conformance tests exercise offer import, authentication, lease creation, data staging, remote invocation, evidence handling, replay rejection, output validation, and disclosure recording.


1.8 Amend records/req.benac-sys-004/benac-sys-004.md

Requirement title

Keep:

BENAC-SYS-004 - Station profile publication

Replace statement with

Statement: Each Benac Station shall publish a machine-readable Station Profile describing its Host Platform, Host Implementation, implementation artifact or version where available, supported Benac semantic interfaces, supported package manifest versions, supported schema rulesets, supported implementation kinds, supported declarative implementation rulesets, supported WASM package-host calling conventions, storage features, execution features, authentication features, cryptographic features, replication features, and conservative policy-relevant constraints. A Station Profile shall publish relevant package-authoring limits, including maximum package manifest size, schema size, fixture size, artifact size, request size, descriptor config size, output size, WASM memory, execution time or fuel policy, log size, evidence record size, and effect record size. A Station Profile shall not be treated as proof of current resource availability, proof of physical hardware properties, or authorization to use a capability.

Replace rationale with

Rationale: Agents, users, and package authors need a starting map for planning and compatibility checks, but actual use is governed by Local Policy, capability grants, leases, offers, probes, conformance traces, and failure records.

Replace verification with

Verification: Validate the Station Profile schema. Conformance tests inspect the profile for claimed semantic support, package-authoring limits, and supported package execution behavior, then verify behavior by executing profile-appropriate tests and checking invocation, evidence, effect, and failure records.


2. Add a new requirements section

Add a new section near package/execution requirements.

New section heading

Local public-data portable package authoring

Section text

This section defines the minimum package behavior needed for interoperable package authoring. A package in this section runs locally, uses public request and descriptor configuration data, declares schemas, declares capabilities, uses content-addressed artifacts, and executes through declarative or WASM implementations. It does not require network access, remote storage, remote compute, secrets, decryption, signing authority, native execution, direct document-store access, unrestricted blob-store access, raw filesystem access, device access, same-origin package JavaScript, or provider-specific host behavior.

This section supports simple interoperable packages such as hello-world packages, calculators, todo reducers, notes reducers, text formatters, and other pure local transforms.


3. Package model requirement changes

3.1 Amend records/req.benac-pkg-002/benac-pkg-002.md

Requirement title

Keep:

BENAC-PKG-002 - Required package document

Replace statement with

Statement: A package shall include a package document declaring package metadata, schemas, schema ruleset identifiers, interfaces, interface contract bindings, implementations, implementation entry identifiers, implementation kinds, WASM package-host calling convention identifiers where applicable, artifact CIDs, requested capabilities, resource requirements, storage needs where relevant, compute needs where relevant, fixtures, and documentation references. The package CID shall be derived from the DRISL-encoded package document and shall not be a required field inside that document. A Couch/Pouch envelope, index record, import record, package bundle, capsule, or external provenance record may carry the package CID and related claim references.

Replace rationale with

Rationale: The kernel must inspect package behavior, interface contracts, schemas, implementations, artifacts, capabilities, and resource requirements before trust or execution.

Replace verification with

Verification: Manifest schema validation tests verify that required package document fields are present, that package CID derivation excludes external claim references, and that adding or removing external claims does not change the package CID.


3.2 Amend records/req.benac-pkg-003/benac-pkg-003.md

Requirement title

Keep:

BENAC-PKG-003 - Manifest schema

Replace statement with

Statement: Benac shall define a versioned manifest schema for baseline packages and reject unknown required manifest fields unless an explicitly supported optional behavior permits them. The baseline manifest schema shall include stable fields for manifest version, package metadata, interfaces, request schema references, descriptor config schema references, output schema references, schema ruleset identifiers, implementations, implementation entry identifiers, implementation kinds, WASM package-host calling convention identifiers where applicable, artifact references, declared capabilities, resource requirements, fixtures, documentation references, storage needs, compute needs, and unsupported required behavior markers.

Replace rationale with

Rationale: Independent implementations need compatible manifest interpretation and fail-closed handling for package behavior they do not understand.

Replace verification with

Verification: Unknown mandatory field fixtures fail validation. Valid package manifests for hello-world, calculator, todo reducer, notes reducer, declarative implementation, and WASM implementation packages validate consistently across conforming implementations.


3.3 Amend records/req.benac-pkg-005/benac-pkg-005.md

Requirement title

Keep:

BENAC-PKG-005 - Package interfaces

Replace statement with

Statement: Packages shall declare supported interfaces such as source, tool, transform, storage, compute, display, device, game, policy, or other supported interfaces. Each interface declaration shall identify the interface identifier, request schema reference, descriptor config schema reference where applicable, output schema reference where applicable, allowed implementation entries, declared capabilities, resource requirements, and supported execution type.

Replace rationale with

Rationale: Interfaces describe how a package may be invoked and which contract applies before validation, implementation selection, execution, or capability review.

Replace verification with

Verification: Interface declaration controls compatible invocation requests. A package with calculator and formatter interfaces validates and invokes each interface under the correct request, config, and output schemas.


3.4 Amend records/req.benac-pkg-007/benac-pkg-007.md

Requirement title

Keep:

BENAC-PKG-007 - Package fixtures

Replace statement with

Statement: Packages that claim local public-data portable package compatibility shall include fixtures or test vectors for manifest validation, request validation, descriptor config validation where applicable, output validation, implementation behavior, selected implementation identity, and declared evidence/effect behavior. Other packages should include fixtures appropriate to their declared behavior.

Replace rationale with

Rationale: Package authors and independent implementations need repeatable package tests before trust or broad use.

Replace verification with

Verification: Fixture execution produces local fixture result records or test result claims. A package claiming local public-data portable package compatibility without required fixtures fails package validation.


3.5 Amend records/req.benac-pkg-009/benac-pkg-009.md

Requirement title

Keep:

BENAC-PKG-009 - Implementation identity

Replace statement with

Statement: Each executable or declarative package implementation shall have a stable implementation CID for use in portable trust, invocation, audit, storage, and compute records. If the implementation is represented as a standalone structured object, its implementation CID shall be the DASL CID of its DRISL-encoded payload. If the implementation is embedded inside a package document, or if it is represented by an artifact blob plus schema-defined role, runtime, parameters, or compatibility metadata, Benac shall derive an implementation snapshot before invocation. That snapshot shall include package CID, implementation entry identifier, implementation kind, interface identifiers served, artifact CIDs, runtime requirements, schema-defined role fields, schema-defined parameters, WASM package-host calling convention identifier where applicable, declared capabilities, resource requirements, and request/config/output schema bindings relevant to invocation. The implementation CID shall be the DASL CID of the DRISL-encoded implementation snapshot. Artifact blob CIDs may be components of implementation identity, but shall not by themselves replace the implementation CID unless the implementation schema explicitly defines an artifact-only implementation snapshot rule.

Replace rationale with

Rationale: Invocation, trust, audit, and remote compute records refer to implementation identity. Independent implementations must agree on what implementation was selected and which exact implementation contract was trusted.

Replace verification with

Verification: Multi-implementation package fixtures produce deterministic implementation CIDs across Host Platforms. Embedded implementation entries, artifact-backed implementations, standalone implementation objects, declarative implementations, and WASM implementations resolve to stable implementation CIDs before invocation.


3.6 Add records/req.benac-pkg-010/benac-pkg-010.md

Requirement title

BENAC-PKG-010 - Interface contract binding

Statement

Statement: Each invokable package interface shall bind an interface identifier, request schema reference, descriptor config schema reference where applicable, output schema reference where applicable, allowed implementation entries, declared capabilities, resource requirements, and supported execution type. Invocation shall resolve the interface identifier before request validation, descriptor config validation, implementation selection, or package execution.

Rationale

Rationale: A package may expose multiple behaviors. The host must know which contract is being invoked before it validates input or chooses an implementation.

Verification

Verification: A package with calculator and formatter interfaces validates and invokes each interface under the correct schemas. A request valid for one interface but invalid for another fails under the wrong interface.

Status

draft


4. Descriptor and schema validation requirement changes

4.1 Amend records/req.benac-desc-002/benac-desc-002.md

Requirement title

Keep:

BENAC-DESC-002 - Descriptor config validation

Replace statement with

Statement: Descriptor configuration shall be validated against the package’s descriptor config schema before trust, invocation, storage use, compute use, or execution. Descriptor config validation shall use the declared package schema ruleset or another explicitly declared and supported schema ruleset. A Host Implementation shall not substitute implementation-specific schema behavior without recording the schema ruleset used and passing conformance vectors for that ruleset.

Replace rationale with

Rationale: Invalid configuration should fail loudly before effects occur, and independent implementations must validate descriptor configuration the same way.

Replace verification with

Verification: Invalid descriptor config is rejected. Descriptor config validation fixtures produce equivalent valid/invalid decisions and diagnostic codes across conforming implementations.


4.2 Add records/req.benac-schema-001/benac-schema-001.md

Requirement title

BENAC-SCHEMA-001 - Baseline package schema ruleset

Statement

Statement: Benac shall define a versioned baseline package schema ruleset for package manifests, request schemas, descriptor config schemas, output schemas, and fixture schemas. The ruleset shall identify the supported schema language, supported keywords, unsupported keywords, schema-reference behavior, validation result format, and diagnostic behavior. Host Implementations shall use this ruleset when validating local public-data portable packages.

Rationale

Rationale: Independent implementations need the same validation behavior for the same package.

Verification

Verification: Cross-implementation schema vectors produce equivalent valid/invalid decisions and diagnostic codes.

Status

draft


4.3 Add records/req.benac-schema-002/benac-schema-002.md

Requirement title

BENAC-SCHEMA-002 - Minimum JSON Schema vocabulary

Statement

Statement: The baseline package schema ruleset shall support at least JSON values of type object, array, string, number, integer, boolean, and null; object properties; required properties; additionalProperties; array items; enum; const; nested schemas; minimum and maximum for numbers; minLength and maxLength for strings; minItems and maxItems for arrays; and local schema definitions/references as defined by the ruleset. Unsupported validation keywords shall either be rejected as unsupported or treated as annotations only according to explicit ruleset behavior.

Rationale

Rationale: Calculator, todo, notes, and simple transform packages need numbers, booleans, arrays, nested objects, enums, and strings. The hello-world subset is too small for interoperable package authoring.

Verification

Verification: Calculator schema, todo reducer schema, notes reducer schema, nested object schema, array schema, enum schema, and invalid-type fixtures validate consistently across implementations.

Status

draft


4.4 Add records/req.benac-schema-003/benac-schema-003.md

Requirement title

BENAC-SCHEMA-003 - Schema reference resolution

Statement

Statement: Package schema references shall resolve only to package-declared schemas, local definitions within a schema document, or CID-bound schema documents included in the package bundle or capsule unless an explicitly supported optional behavior permits another source. Schema reference resolution shall not silently fetch remote schemas. Unresolved, ambiguous, unsupported, or cyclic references where cycles are unsupported shall fail closed with diagnostic records.

Rationale

Rationale: Remote schema URLs must not become hidden dependencies or mutable authorities.

Verification

Verification: A package referencing a missing schema CID fails validation. A package referencing an HTTPS schema URL without approved retrieval behavior fails validation or treats the URL as non-authoritative metadata only.

Status

draft


5. Invocation requirement changes

5.1 Amend records/req.benac-inv-002/benac-inv-002.md

Requirement title

Keep:

BENAC-INV-002 - Invocation fields

Replace statement with

Statement: Invocation records shall include invocation id, Station principal, initiating actor principal where applicable, Station Profile, package CID, descriptor snapshot CID or explicit no-descriptor marker, interface identifier, selected implementation entry identifier, selected implementation CID, requested implementation identifier where applicable, skipped implementations with reasons, request snapshot CID or inline request snapshot, output snapshot CID or inline output snapshot where applicable, request schema reference, descriptor config schema reference where applicable, output schema reference where applicable, trust decision reference, capability grants, storage lease references, compute lease references, validation report reference where applicable, resource-limit decision where applicable, start and finish times, status, evidence references, effect references, validation status, and failure details.

Replace rationale with

Rationale: Cross-platform audit needs a common record shape that binds package, interface, request, descriptor config, implementation selection, validation, output, and policy decisions.

Replace verification with

Verification: Invocation schema conformance tests verify all required fields for successful execution, validation failure, capability denial, missing artifact, unsupported implementation, resource-limit failure, and requested implementation mismatch.


5.2 Amend records/req.benac-inv-003/benac-inv-003.md

Requirement title

Keep:

BENAC-INV-003 - Request validation

Replace statement with

Statement: Invocation requests shall be validated against the package’s request schema before execution. Request validation shall use the declared package schema ruleset or another explicitly declared and supported schema ruleset. The request body supplied through any CLI, PWA UI, Host API, Agent API, or fixture runner shall be the exact logical request body made visible to the package after validation.

Replace rationale with

Rationale: Packages should receive well-formed input, and the same invocation request must mean the same thing across host surfaces and implementations.

Replace verification with

Verification: Invalid request data is rejected before package execution. The same request supplied through CLI, PWA UI, Host API, Agent API, and fixture runner produces the same package-visible request object or the same validation failure.


5.3 Amend records/req.benac-inv-004/benac-inv-004.md

Requirement title

Keep:

BENAC-INV-004 - Output validation

Replace statement with

Statement: Package outputs shall be validated against the package’s output schema when an output schema is declared. Output validation shall use the declared package schema ruleset or another explicitly declared and supported schema ruleset. Invalid output shall be recorded as a validation failure and shall not masquerade as valid output.

Replace rationale with

Rationale: Downstream composition needs reliable contracts, and independent implementations must validate outputs the same way.

Replace verification with

Verification: Invalid output records validation failure. Output validation fixtures produce equivalent valid/invalid decisions and diagnostic codes across conforming implementations.


5.4 Add records/req.benac-inv-007/benac-inv-007.md

Requirement title

BENAC-INV-007 - Generic invocation input envelope

Statement

Statement: Benac shall define a versioned invocation input envelope for local package invocation. The envelope shall include package CID, descriptor snapshot CID or explicit no-descriptor marker, interface identifier, request schema reference, descriptor config schema reference where applicable, output schema reference where applicable, request body, descriptor config body where applicable, requested implementation entry identifier or implementation CID where applicable, execution type, data class, and initiating actor context where applicable. The request body and descriptor config body supplied through any CLI, PWA UI, Host API, Agent API, or fixture runner shall be the exact logical objects made visible to the package after validation.

Rationale

Rationale: Package invocation must not depend on hello-world defaults, UI-specific state, debug values, local convenience projections, or implementation-specific plumbing.

Verification

Verification: Invoke the same package through CLI, PWA UI, Host API, Agent API, and fixture runner with the same request/config. The package observes the same logical request/config and produces the same output or same validation failure.

Status

draft


5.5 Add records/req.benac-inv-008/benac-inv-008.md

Requirement title

BENAC-INV-008 - Request and output snapshots

Statement

Statement: Benac shall define request snapshot and output snapshot logical objects for invocations that content-address requests or outputs. A request snapshot shall bind object type, schema version, package CID, descriptor snapshot CID or explicit no-descriptor marker, interface identifier, request schema reference, descriptor config schema reference where applicable, request body, and descriptor config body where applicable. An output snapshot shall bind object type, schema version, package CID, implementation CID, interface identifier, output schema reference where applicable, output body, and validation status. Request and output snapshot CIDs shall be computed from DRISL-encoded snapshot objects.

Rationale

Rationale: The same JSON body can mean different things under different packages, descriptors, interfaces, or schemas. Request and output identity must include that context.

Verification

Verification: Identical request JSON under different package CIDs, descriptor snapshots, interface identifiers, or schema references produces different request snapshot CIDs. Mutating the body or context changes the snapshot CID.

Status

draft


6. Host interface and package-visible input changes

6.1 Amend records/req.benac-host-001/benac-host-001.md

Requirement title

Keep:

BENAC-HOST-001 - Host API baseline semantics

Replace statement with

Statement: Benac Host Implementations shall expose a stable Host API to Benac Core and package implementations. The exact transport may differ by implementation, but the semantics shall include storage, DASL CID creation/parsing/verification, DRISL encoding and decoding for Benac logical payloads, local user authentication, Station-to-Station authentication, agent session authentication, authentication-context reporting, signing support where authorized, signature verification, local and remote authentication support, encryption/decryption where authorized, key wrapping where authorized, schema validation, package import/export, package validation, package build where supported, fixture execution, package inspection, trust query, capability request, invocation lifecycle, evidence emission, effect emission, disclosure recording, secret and credential mediation, local blob access, remote storage access where supported, remote compute access where supported, clock, random bytes, Station Profile inspection, supported schema ruleset reporting, supported declarative implementation reporting, supported WASM package-host calling convention reporting, resource-limit reporting, and supported execution types.

Replace rationale with

Rationale: Benac Core, agents, and portable packages need stable host semantics even when the host transport differs by platform.

Replace verification with

Verification: Host API conformance tests exercise CID creation/parsing/verification, DRISL encoding and decoding, package import/export, package validation, fixture execution, package inspection, trust/capability queries, invocation lifecycle, evidence/effect emission, supported schema ruleset reporting, supported WASM package-host calling convention reporting, and supported execution-type reporting.


6.2 Amend records/req.benac-host-002/benac-host-002.md

Requirement title

Keep:

BENAC-HOST-002 - Package host interface mediation

Replace statement with

Statement: WASM and other executable packages shall interact with the host through mediated imports or equivalent mediated calls only. Required baseline package-host behavior shall include validated request retrieval, validated descriptor config retrieval, evidence emission, effect request, output return, log event, blob read for authorized exact blob CIDs, blob write through capability grant, HTTPS fetch through capability grant, secret or credential use through capability grant, authenticated external-service operation through capability grant, encryption/decryption requests through capability grant, storage operation requests through storage lease, compute operation requests through compute lease, clock where granted, random bytes where granted, authentication-context introspection where allowed, and capability introspection. For local public-data portable package invocation, package-visible request and descriptor config data shall come only from the validated invocation input envelope and validated descriptor snapshot. Packages shall not receive raw private keys, raw authentication credentials, unrestricted signing authority, unrestricted decryption authority, direct document-store access, host-local defaults, UI state, operational document metadata, debug fields, local indexes, sync state, local availability state, local verification state, or unvalidated convenience projections.

Replace rationale with

Rationale: Package execution must be mediated by host policy and capability grants rather than ambient authority. A package can use any input it can observe, so package-visible input must be deliberately bounded.

Replace verification with

Verification: Package-host conformance tests prove authorized mediated calls succeed through scoped grants and forbidden direct access to keys, credentials, signing, decryption, document-store APIs, host metadata, UI state, debug fields, and unvalidated projections fails closed or omits the data.


6.3 Amend records/req.benac-host-003/benac-host-003.md

Requirement title

Keep:

BENAC-HOST-003 - Package-visible input boundary

Replace statement with

Statement: Executable package implementations shall receive only schema-defined invocation requests, descriptor/configuration data, package-declared inputs, and host-mediated capability responses that the Host Station explicitly supplies through the package host interface. For local public-data portable package invocation, the package-visible request and descriptor config shall be the validated logical objects from the invocation input envelope and descriptor snapshot. Packages shall not receive raw operational document envelopes, Couch/Pouch-managed metadata, host-local operational metadata, sync state, UI/cache/index state, local availability state, local verification state, debug fields, acceptance instrumentation fields, local defaults, or unvalidated convenience projections. If such data is exposed to a package, it shall be exposed only through a schema-defined logical object or a host-mediated API response whose use is authorized, recorded, and subject to capability policy.

Replace rationale with

Rationale: A package can use any input it can observe. Operational metadata must not become hidden package input unless deliberately exposed through schema and policy.

Replace verification with

Verification: Conformance packages attempt to read _id, _rev, local availability state, sync state, UI state, verification state, debug fields, local defaults, and convenience projection fields through the package host interface. The Host Station denies access or omits the fields. If the same value is placed in descriptor configuration or invocation request data, the relevant descriptor or invocation record changes and validation applies.


7. Trust and capability requirement changes

7.1 Amend records/req.benac-trust-003/benac-trust-003.md

Requirement title

Keep:

BENAC-TRUST-003 - Authenticated and attributed trust decisions

Replace statement with

Statement: Trust decisions shall record issuer principal, authenticated approval context where applicable, target object, package trust scope, implementation trust scope, descriptor trust scope, interface scope, allowed data classes, allowed capabilities, approval record type where applicable, constraints, expiry, revocation status, Host Station context, and evidence relied on.

Replace rationale with

Rationale: Trust decisions are local authority-bearing records and must be accountable, scoped, and distinguishable from broader approval.

Replace verification with

Verification: Approve a package under limited local public-data scope and inspect the trust decision record for issuer, authentication context, package CID, implementation CID or implementation-selection policy, descriptor scope, interface scope, allowed data classes, allowed capabilities, expiry, and evidence relied on.


7.2 Add records/req.benac-trust-006/benac-trust-006.md

Requirement title

BENAC-TRUST-006 - Local public-data package approval

Statement

Statement: Benac shall define a generic local public-data package approval record for packages that operate only on public invocation data and public descriptor configuration, execute locally through declarative or WASM implementations, and do not request network access, remote storage, remote compute, secrets, decryption, signing authority, native execution, file access, device access, same-origin package JavaScript, direct document-store access, or private blob access. The approval record shall bind package CID, implementation CID or deterministic implementation-selection policy, descriptor snapshot CID or descriptor scope, interface identifier, allowed data classes, allowed capability identifiers, issuer principal, authentication context where applicable, expiry or revocation metadata, and evidence relied upon. The record type and approval name shall not be specific to hello-world or any other individual package.

Rationale

Rationale: The first reusable approval path must work for calculators, todo reducers, notes reducers, and other simple packages. It should state what power is granted instead of relying on a package-specific name.

Verification

Verification: Hello-world, calculator, todo reducer, and notes reducer packages can all be approved under the same local public-data approval semantics. A package requesting network, remote storage, remote compute, secrets, decryption, signing, native execution, file access, device access, private data, or direct document-store access cannot receive this approval.

Status

draft


7.3 Add records/req.benac-cap-007/benac-cap-007.md

Requirement title

BENAC-CAP-007 - Local package capability vocabulary

Statement

Statement: Benac shall define stable capability identifiers for local public-data portable packages. The allowed capability vocabulary shall include local package execution, declared package artifact read by exact CID, validated request read, validated descriptor config read, output return, evidence emission, effect emission, fixture execution, and package inspection. Unknown capability identifiers, unsupported capability identifiers, or capabilities outside the local public-data package scope shall fail closed unless a separate explicit authorization record grants them.

Rationale

Rationale: Independent implementations cannot interoperate if one host treats local package execution or public-data approval differently from another.

Verification

Verification: Packages using known local package capability identifiers validate successfully. Packages using unknown capability identifiers fail closed. Packages declaring network, remote storage, remote compute, secret use, decryption, signing, native execution, file access, device access, or private data access are rejected by local public-data approval.

Status

draft


8. Authoring, build, and validation requirements

8.1 Add records/req.benac-author-001/benac-author-001.md

Requirement title

BENAC-AUTHOR-001 - Package validation semantics

Statement

Statement: Benac shall define package validation semantics for authoring tools, Host APIs, CLIs, PWAs, and Agent APIs. Package validation shall verify manifest schema conformance, package schema ruleset conformance, schema reference resolution, package interface declarations, descriptor config schema binding, request schema binding, output schema binding, implementation entries, implementation snapshot derivation, artifact references, artifact CID verification where blobs are present, declared capabilities, local public-data package compatibility where claimed, fixture schema conformance, documentation references, unknown required fields, and unsupported required behavior. Validation shall produce a stable machine-readable validation report.

Rationale

Rationale: Package authors, agents, and independent implementations need the same answer to “is this package structurally valid?”

Verification

Verification: The same valid and invalid package bundles produce equivalent validation pass/fail results and diagnostic codes across conforming implementations.

Status

draft


8.2 Add records/req.benac-author-002/benac-author-002.md

Requirement title

BENAC-AUTHOR-002 - Package build semantics

Statement

Statement: Benac shall define package build semantics that convert an authoring workspace into a portable package bundle or capsule. Build semantics shall compute raw blob CIDs over exact artifact bytes, produce artifact references, validate schema documents, derive implementation snapshots, compute implementation CIDs, produce the package manifest logical object, compute the package CID over the DRISL-encoded package document, include selected schemas, artifacts, fixtures, and documentation references, and emit a build report. Authoring-only metadata shall not be included in the package document used to compute the package CID unless explicitly declared as package content.

Rationale

Rationale: Independent build tools must produce the same package CID, artifact CIDs, and implementation CIDs from the same logical package.

Verification

Verification: Two independent build tools build the same authoring workspace and produce the same artifact CIDs, implementation CIDs, package CID, validation result, and bundle manifest.

Status

draft


8.3 Add records/req.benac-author-003/benac-author-003.md

Requirement title

BENAC-AUTHOR-003 - Package validation and build reports

Statement

Statement: Package validation and build operations shall produce stable machine-readable reports containing operation id, tool or Host Implementation identity where available, package CID where derivable, manifest validation status, schema validation status, artifact status, implementation status, fixture status, local public-data package compatibility status, warnings, errors, and diagnostic codes. Reports may be local records or signed claims. Unsigned local reports shall not become authority outside local policy.

Rationale

Rationale: Humans and agents need structured feedback. Build and validation reports are evidence, not automatic trust.

Verification

Verification: Invalid manifest, missing artifact, unsupported schema keyword, forbidden WASM import, missing WASM export, fixture mismatch, CID mismatch, and resource-limit failure all produce predictable diagnostic objects.

Status

draft


8.4 Add records/req.benac-author-004/benac-author-004.md

Requirement title

BENAC-AUTHOR-004 - Authoring operations exposed through tools and APIs

Statement

Statement: Benac shall expose package validation, package build, and package fixture execution as machine-readable authoring operations. Command-line Host Implementations shall expose these operations as stable commands or documented command equivalents. Browser and agent-facing Host Implementations shall expose equivalent operations through UI and/or machine-readable APIs. All surfaces shall use the same validation, build, fixture, diagnostic, and report semantics.

Rationale

Rationale: A package should not validate differently because it was tested in a CLI, browser UI, or agent workflow.

Verification

Verification: The same package bundle validates, builds, and runs fixtures through command-line tooling, browser/API tooling, and agent-facing APIs with equivalent results.

Status

draft


8.5 Amend records/req.benac-agt-003/benac-agt-003.md

Requirement title

Keep:

BENAC-AGT-003 - Agent package authoring

Replace statement with

Statement: Agents shall be able to author package manifests, schemas, declarative implementations, WASM artifacts, fixtures, descriptors, documentation references, package validation reports, package build reports, package bundles, fixture result records, and signed or unsigned claims through Benac-compatible import workflows.

Replace rationale with

Rationale: Agents will expand the package ecosystem, but agent-authored package artifacts must remain inspectable, attributable, testable, and subject to local trust.

Replace verification with

Verification: Agent-authored hello-world, calculator, and todo reducer package bundles import as untrusted, validate structurally, and expose validation/build reports and fixture results where present.


8.6 Amend records/req.benac-agt-010/benac-agt-010.md

Requirement title

Keep:

BENAC-AGT-010 - Machine-readable errors

Replace statement with

Statement: Agent-facing APIs shall return structured errors for validation failures, package authoring failures, package build failures, fixture failures, trust denials, capability denials, missing blobs, artifact CID mismatches, schema failures, WASM package-host calling convention failures, resource-limit failures, encryption failures, storage failures, compute failures, and conformance failures. Structured errors shall use the stable error format and diagnostic-code registry defined by Benac.

Replace rationale with

Rationale: Agents need to recover from problems without guessing.

Replace verification with

Verification: Invalid package import, missing artifact, unsupported schema keyword, fixture mismatch, forbidden WASM import, missing WASM export, resource-limit failure, and capability denial return structured diagnostic objects.


8.7 Amend records/req.benac-int-003/benac-int-003.md

Requirement title

Keep:

BENAC-INT-003 - Stable error format

Replace statement with

Statement: Benac shall define stable machine-readable error structures and diagnostic codes for validation, package authoring, package build, fixture execution, trust, capability, cryptographic, missing blob, artifact CID mismatch, schema validation, WASM package-host calling convention, resource limit, storage, compute, encryption, decryption, and invocation failures.

Replace rationale with

Rationale: Agents, humans, package tools, and conformance tests need consistent failure semantics.

Replace verification with

Verification: Error fixtures validate expected code, object references, reason, affected package/descriptor/interface/implementation references where applicable, and stable diagnostic structure.

Add required diagnostic codes

Add at least these diagnostic codes to the requirement text or to a referenced diagnostic-code table:

Diagnostic codeMeaning
package.manifest.invalidPackage manifest does not satisfy the manifest schema.
package.unknown_required_fieldManifest contains a required field the implementation does not support.
package.schema_ref.unresolvedA schema reference cannot be resolved.
schema.unsupported_rulesetA schema uses an unsupported schema ruleset.
schema.unsupported_keywordA schema uses an unsupported keyword.
schema.validation_failedRequest, config, output, manifest, or fixture validation failed.
artifact.missingA required artifact blob is not locally available.
artifact.cid_mismatchArtifact bytes do not match the declared CID.
implementation.unsupported_kindImplementation type is not supported.
implementation.snapshot_mismatchDerived implementation snapshot does not match the expected identity.
wasm.import_forbiddenWASM module imports a forbidden function or namespace.
wasm.export_missingWASM module lacks required exports.
wasm.calling_convention_invalidWASM module does not satisfy the required package-host calling convention.
resource.limit_exceededPackage, request, output, memory, time, log, evidence, effect, or artifact limit exceeded.
fixture.invalidFixture does not satisfy the fixture schema.
fixture.output_mismatchFixture output differs from expected output.
fixture.effect_mismatchFixture evidence/effects differ from expected behavior.
capability.undeclaredImplementation requested an undeclared capability.
capability.deniedRequested capability was denied by policy.
approval.local_public_data_incompatiblePackage cannot be approved under local public-data package rules.

9. Fixture runner requirements

9.1 Add records/req.benac-test-001/benac-test-001.md

Requirement title

BENAC-TEST-001 - Fixture schema

Statement

Statement: Benac shall define a versioned fixture schema. A fixture shall identify package-under-test reference, descriptor config or descriptor snapshot reference where applicable, interface identifier, request body or request reference, expected validation result, expected selected implementation or allowed implementation set, expected output body or output reference where deterministic, expected evidence/effect classes, expected denied effects where applicable, expected diagnostic codes where failure is intended, fixture data class, and fixture purpose.

Rationale

Rationale: Fixtures need to test validation, implementation selection, package behavior, capability denials, trace shape, and expected failures.

Verification

Verification: Fixture schema validation accepts valid hello-world, calculator, todo reducer, and notes reducer fixtures. It rejects missing request data, unresolved schema references, unsupported fixture behavior, ambiguous expected output, and malformed expected diagnostics.

Status

draft


9.2 Add records/req.benac-test-002/benac-test-002.md

Requirement title

BENAC-TEST-002 - Fixture execution semantics

Statement

Statement: Benac shall define fixture execution semantics for local test mode. Fixture execution shall use the same request validation, descriptor config validation, implementation selection, package-visible input boundary, output validation, evidence recording, effect recording, capability mediation, failure behavior, and diagnostic behavior as ordinary invocation. Fixture execution shall not use real network access, remote storage, remote compute, secrets, decryption, signing, native execution, file access, device access, or physical-world capabilities unless the fixture explicitly declares a mock or playback behavior supported by the Host Implementation.

Rationale

Rationale: Package tests are useful only if they exercise the same kernel behavior as real invocation while avoiding unintended external effects.

Verification

Verification: A fixture that attempts unauthorized network access records a denied effect and fails or passes according to the fixture’s expected denied-effect behavior.

Status

draft


9.3 Add records/req.benac-test-003/benac-test-003.md

Requirement title

BENAC-TEST-003 - Fixture result records

Statement

Statement: Fixture execution shall produce a fixture result record or test result claim containing fixture identifier, package CID, descriptor snapshot CID where applicable, implementation CID, request snapshot CID, output snapshot CID where applicable, validation results, evidence/effect references, pass/fail status, diagnostics, Station Profile reference, execution type, and timestamps.

Rationale

Rationale: Fixture results become evidence for local approval, package review, agents, and conformance testing.

Verification

Verification: Running the same fixture across conforming implementations produces comparable fixture result records and equivalent pass/fail status.

Status

draft


10. WASM package-host calling convention and resource limit requirements

10.1 Add records/req.benac-wasm-001/benac-wasm-001.md

Requirement title

BENAC-WASM-001 - Baseline local WASM package-host calling convention

Statement

Statement: Benac shall define a versioned baseline local WASM package-host calling convention for portable package implementations. The calling convention shall define required module format, allowed imports, forbidden imports, required exports, memory requirements, input encoding, output encoding, error return behavior, UTF-8 handling, JSON handling, allocation/free conventions, implementation snapshot fields, and conformance vectors. A WASM implementation shall receive package-visible input only through the calling-convention-defined invocation path and shall return output only through the calling-convention-defined output mechanism.

Rationale

Rationale: “Runs WASM” is not enough. Package authors need one WASM package-host calling convention that works across browser and desktop hosts.

Verification

Verification: A WASM calculator package compiled against the calling convention runs on conforming Host Implementations and produces the same validated output and trace shape.

Status

draft


10.2 Add records/req.benac-wasm-002/benac-wasm-002.md

Requirement title

BENAC-WASM-002 - Local pure-transform WASM restrictions

Statement

Statement: The baseline local WASM package-host calling convention shall forbid ambient imports and direct access to network, DOM, document store, blob store except approved exact artifact reads, local storage, raw secrets, private keys, signing authority, decryption authority, filesystem, devices, native calls, timers except approved host-mediated clock behavior, and random bytes except approved host-mediated randomness. Any import not allowed by the calling convention shall fail validation before execution.

Rationale

Rationale: Local public-data portable packages should be safe to inspect and test without invisible host power.

Verification

Verification: WASM modules with forbidden imports are rejected before execution and produce stable diagnostics.

Status

draft


10.3 Add records/req.benac-wasm-003/benac-wasm-003.md

Requirement title

BENAC-WASM-003 - WASM package template

Statement

Statement: Benac shall publish a non-authoritative reference WASM package template for the baseline local WASM package-host calling convention. The template shall demonstrate request/config decoding, output encoding, error output, memory allocation, memory release, fixture creation, and manifest wiring. Use of the reference template shall not be required for conformance; conformance shall be determined by calling-convention behavior and test vectors.

Rationale

Rationale: Package developers need a working template without making a specific SDK the standard.

Verification

Verification: A package built from the template passes the baseline local WASM package-host calling convention conformance vectors. A package not built from the template also passes if it satisfies the calling convention.

Status

draft


10.4 Add records/req.benac-wasm-004/benac-wasm-004.md

Requirement title

BENAC-WASM-004 - Resource limits and enforcement

Statement

Statement: Benac shall define resource-limit semantics for local declarative and WASM package execution. Limits shall include at least package manifest size, schema size, fixture size, artifact size, request size, descriptor config size, output size, WASM memory pages or bytes, execution time or fuel, log size, evidence record size, and effect record size. Each Host Implementation shall publish supported limits in its Station Profile. A package may declare resource requirements. Invocation shall fail closed when declared or actual requirements exceed supported or granted limits.

Rationale

Rationale: Arbitrary WASM and declarative packages need clear bounds before authors begin experimenting.

Verification

Verification: Resource-limit fixtures covering oversized request, oversized output, oversized artifact, excessive memory, timeout/fuel exhaustion, excessive logs, and excessive evidence records fail with stable diagnostic codes and invocation records.

Status

draft


10.5 Amend records/req.benac-exec-007/benac-exec-007.md

Requirement title

Keep:

BENAC-EXEC-007 - Host-mediated package APIs

Replace statement with

Statement: Executable packages shall interact with host resources only through defined host imports or equivalent mediated calls, including blob access, HTTPS fetch, storage use, compute use, secret use, encryption/decryption, evidence emission, effect request, clock, random bytes, and output return. WASM implementations shall use the supported WASM package-host calling convention declared by the package and Host Implementation.

Replace rationale with

Rationale: The host must remain the enforcement and evidence chokepoint.

Replace verification with

Verification: WASM package-host calling convention conformance tests verify allowed imports, denied imports, input encoding, output encoding, memory behavior, and error behavior.


10.6 Add records/req.benac-exec-008/benac-exec-008.md

Requirement title

BENAC-EXEC-008 - Implementation selection input

Statement

Statement: Invocation may request a specific implementation entry identifier or implementation CID. If no implementation is requested, the Host Implementation shall apply a deterministic implementation-selection policy based on package declaration, artifact availability, platform compatibility, trust, capability grants, resource limits, and local policy. The selected implementation and all skipped implementations with reasons shall be recorded. The Host Implementation shall not silently fall back to another implementation unless policy permits fallback and the invocation trace records it.

Rationale

Rationale: Arbitrary packages may ship multiple implementations. Selection must be interoperable and auditable.

Verification

Verification: A package with declarative and WASM implementations records deterministic selection. A requested unsupported implementation fails or falls back only under explicit recorded policy.

Status

draft


11. Package inspection requirements

11.1 Amend records/req.benac-ux-001/benac-ux-001.md

Requirement title

Keep:

BENAC-UX-001 - Package inspection

Replace statement with

Statement: Benac shall allow users and agents to inspect package manifests, manifest versions, package labels and version labels as non-authoritative metadata, schemas, schema rulesets, interfaces, request/config/output schema references, implementations, implementation snapshot CIDs, implementation kinds, WASM package-host calling convention identifiers where applicable, artifact CIDs, artifact availability, declared capabilities, resource requirements, fixtures, claims, storage needs, compute needs, warnings, unsupported fields, missing blobs, and diagnostic codes before trust.

Replace rationale with

Rationale: Trust requires visibility into package identity, implementation identity, schema contracts, artifacts, capabilities, resource requirements, and unsupported behavior.

Replace verification with

Verification: Inspection UI/API displays required package information before trust and before local public-data approval.


11.2 Amend records/req.benac-aud-001/benac-aud-001.md

Requirement title

Keep:

BENAC-AUD-001 - Inspectability

Replace statement with

Statement: Benac shall provide user- and agent-accessible inspection of package manifests, package inspection results, descriptors, claims, trust decisions, capability grants, invocations, evidence, effects, conflicts, encrypted envelopes, storage status, compute status, sync status, validation reports, build reports, fixture results, and diagnostic records.

Replace rationale with

Rationale: Benac is an accountable kernel.

Replace verification with

Verification: UI/API inspection tests verify that users and agents can inspect package information, package validation reports, fixture results, approval records, invocation traces, evidence, effects, and diagnostics.


11.3 Amend records/req.benac-agt-001/benac-agt-001.md

Requirement title

Keep:

BENAC-AGT-001 - Agent-facing API

Replace statement with

Statement: Benac shall expose a schema-driven local API that allows agents to inspect host capabilities, Station Profiles, principal identities, packages, package inspection results, package validation reports, package build reports, schemas, descriptors, claims, trust requests, capability requests, invocations, evidence, effects, storage offers, storage plans, compute offers, compute plans, blob availability, fixture definitions, fixture results, and diagnostic records.

Replace rationale with

Rationale: AI agents should be first-class Benac clients while remaining constrained by schema, trust, capability, and local policy.

Replace verification with

Verification: Agent API conformance tests query and validate structured responses for packages, inspection results, validation reports, fixture results, traces, diagnostics, and host capability metadata.


11.4 Add records/req.benac-ux-008/benac-ux-008.md

Requirement title

BENAC-UX-008 - Package inspection data contract

Statement

Statement: Benac shall define a machine-readable package inspection data contract. The inspection result shall include package CID, manifest version, package labels and version labels as non-authoritative metadata, package interfaces, request/config/output schema references, schema validation status, implementations, implementation snapshot CIDs, implementation kinds, WASM package-host calling convention identifiers where applicable, artifact references, artifact availability, declared capabilities, local public-data package compatibility status, storage needs, compute needs, fixtures, fixture result references, external claim references where available, trust decision references, capability grant references, warnings, unsupported fields, missing blobs, resource requirements, and diagnostic codes.

Rationale

Rationale: Human UI can vary, but agents and independent implementations need the same inspection semantics.

Verification

Verification: Inspecting the same package bundle across conforming implementations produces equivalent machine-readable inspection objects.

Status

draft


11.5 Add records/req.benac-ux-009/benac-ux-009.md

Requirement title

BENAC-UX-009 - Inspection before local public-data approval

Statement

Statement: A Host Implementation shall be able to produce a package inspection result before local trust or capability approval. Local public-data package approval records shall reference the inspected package CID, implementation CID or selection policy, descriptor scope, declared capabilities, fixture results where relied upon, and warnings presented or made available.

Rationale

Rationale: Approval should be based on inspectable package facts, not hidden implementation state.

Verification

Verification: Local public-data package approval references an inspection result or equivalent inspected fields. A package with missing artifacts, unsupported WASM package-host calling convention, unsupported schema ruleset, forbidden capabilities, or failed fixtures cannot receive local public-data approval.

Status

draft


12. Conformance requirement changes

12.1 Amend records/req.benac-int-004/benac-int-004.md

Requirement title

Keep:

BENAC-INT-004 - Conformance test suite

Replace statement with

Statement: Benac shall provide a conformance suite covering DASL CID parsing, generation, rejection, and verification; DRISL encoding and JSON projection; content identity; principal identity; signed claims; encrypted envelopes; Couch/Pouch document replication; blob storage; storage discovery; compute discovery; package manifest validation; package schema validation; package build reports; package validation reports; package inspection results; fixture schemas; fixture execution; declarative execution; WASM execution through the package-host calling convention; capability denial; trust grants; local public-data package approval; invocation ledgers; evidence/effects; resource-limit behavior; implementation selection; and portable package behavior.

Replace rationale with

Rationale: Multiple implementations need objective compatibility tests for package import, validation, inspection, approval, invocation, fixture execution, output validation, trace shape, and failure behavior.

Replace verification with

Verification: Teams run the suite and publish results, including DASL CID and DRISL encoding vectors. A Couch/Pouch fixture with identical logical payload and different _id, _rev, and local state shall produce the same DRISL bytes and same structured CID across implementations. Package conformance fixtures shall include hello-world, calculator, todo reducer, notes reducer or text transform, invalid schema package, missing artifact package, forbidden WASM import package, unsupported schema keyword package, fixture mismatch package, resource-limit package, generic request/config package, multi-implementation package, package inspection comparison, and local public-data approval package.


13. Agent API external interface changes

13.1 Amend records/req.benac-agt-011/benac-agt-011.md

Requirement title

Keep:

BENAC-AGT-011 - Agent API external interface

Replace statement with

Statement: Benac shall expose machine-readable APIs for authenticated or locally scoped agents to inspect allowed state, author draft packages, validate packages, build packages where supported, run fixtures, create trust requests, create capability requests, create storage plans, request storage leases, create compute plans, request compute leases, invoke authorized descriptors, inspect package inspection results, inspect validation reports, inspect build reports, inspect fixture results, inspect traces, inspect signed claims, inspect principal and authentication status, inspect blob availability, and export/import capsules. Agent operations shall be authenticated or session-attributed where required, audited, and attributable.

Replace rationale with

Rationale: Agents need structured interfaces while remaining accountable and unable to self-authorize authority.

Replace verification with

Verification: Agent API conformance tests validate authenticated attribution, audit records, denied unauthorized operations, package validation, package fixture execution, package inspection retrieval, diagnostic retrieval, and successful read/proposal operations within scope.


14. Import/export and package bundle requirement changes

14.1 Amend records/req.benac-io-001/benac-io-001.md

Requirement title

Keep:

BENAC-IO-001 - Local import

Replace statement with

Statement: Benac shall support importing packages, package bundles, package bundle manifests, schemas, descriptors, fixtures, fixture results, package validation reports, package build reports, blobs, claims, storage offers, compute offers, and capsules from local files or browser/host-supported file selection.

Replace rationale with

Rationale: Decentralized distribution and package authoring need offline import of packages, supporting artifacts, tests, reports, claims, and capsules.

Replace verification with

Verification: Package bundle imported from file on browser and desktop Host Platforms validates package document identity, artifact CIDs, schema references, fixture references, report references, and claim references.


14.2 Amend records/req.benac-io-003/benac-io-003.md

Requirement title

Keep:

BENAC-IO-003 - Export capsules

Replace statement with

Statement: Benac shall support export of portable capsules containing selected documents, blob manifests, selected blob contents, package manifests, package bundle manifests, schemas, descriptors, fixtures, fixture results, package validation reports, package build reports, claims, evidence, effects, storage metadata, compute metadata, and optional encrypted private material.

Replace rationale with

Rationale: Users need to move packages, tests, reports, traces, and blobs between hosts without a central registry.

Replace verification with

Verification: Capsule exported from one host imports into another and verifies CIDs, signatures, package bundle references, fixture references, validation report references, and build report references.


15. Minimum logical data object changes

15.1 Amend section 12 object table

Add these object types to the minimum logical data object table.

Object typePurpose
package_bundle_manifestDescribes an importable/exportable package bundle containing package document, schemas, artifacts, fixtures, claims, docs, reports, and integrity metadata.
package_validation_reportStructured result of package validation.
package_build_reportStructured result of package build, including derived CIDs and warnings.
fixtureStructured package test vector.
fixture_resultStructured result of fixture execution.
request_snapshotDomain-separated logical request wrapper used for request CIDs.
output_snapshotDomain-separated logical output wrapper used for output CIDs.
package_inspection_resultMachine-readable package inspection object.
local_public_data_approvalTrust/capability approval record for local packages using public data only.
diagnostic_recordStructured machine-readable diagnostic record for validation, build, fixture, invocation, capability, resource, and package-host failures.
schema_rulesetMachine-readable description or identifier for schema validation behavior supported by Benac.
wasm_package_host_calling_conventionMachine-readable description or identifier for how a WASM package exchanges input, output, memory, imports, exports, and errors with the Host Implementation.
resource_limit_reportRecord of resource limits applied, exceeded, or relied upon during validation, fixture execution, or invocation.

15.2 Add records/req.benac-data-002/benac-data-002.md

Requirement title

BENAC-DATA-002 - Package authoring logical objects

Statement

Statement: Benac shall define minimum logical schemas for package bundle manifests, package validation reports, package build reports, fixtures, fixture results, request snapshots, output snapshots, package inspection results, local public-data approval records, diagnostic records, schema ruleset identifiers, WASM package-host calling convention identifiers, and resource limit reports. These objects shall use CIDs where exact content identity is required, DRISL encoding where structured content identity is required, and stable diagnostic codes where validation or execution fails.

Rationale

Rationale: Package authoring, testing, inspection, approval, and diagnostics need portable records, not implementation-specific logs.

Verification

Verification: Conformance fixtures reject package authoring records that omit required CIDs, use bare digest strings where CIDs are required, omit required object type/version fields, use unsupported diagnostic structures, or fail to bind package/interface/implementation context where required.

Status

draft


16. Terms and definitions changes

Update term records under records/term.*/*.md. Rebuild the glossary afterward.

16.1 Delete or deprecate numeric station-level term records

Delete these active terms if the record system permits deletion:

If deletion is not supported, move them into an “avoid/deprecated” section and mark them as not to be used in active requirements, package specs, conformance text, or package authoring text.

Do not replace them with another numeric ladder.


16.2 Amend records/term.browser-pwa-host/browser-pwa-host.md

Replace definition with

A Host Implementation delivered as an HTTPS-served installable Progressive Web App and running inside a mobile or desktop browser.

Replace usage with

Use when describing the browser-hosted Benac implementation. Browser PWA Hosts are an important portability target because they run with ordinary browser capabilities.


16.3 Amend records/term.native-implementation/native-implementation.md

Replace definition with

A platform-specific implementation that may run as native code, a subprocess, container, or other host-native mechanism.

Replace usage with

Native implementations are optional privileged capabilities and require explicit Local Policy. They are not required for baseline portable packages.


16.4 Amend records/term.package/package.md

Replace definition with

A content-addressed reusable behavior unit containing a package document with schemas, schema ruleset identifiers, interfaces, interface contract bindings, implementations, artifact CIDs, declared capabilities, resource requirements, fixtures, and documentation references. Claim references are not part of the package document; they live in bundles, capsules, catalogs, provenance records, trust requests, and other operational or index records that point at the package by CID.


16.5 Amend records/term.package-manifest/package-manifest.md

Replace definition with

The structured package payload that declares package metadata, schemas, schema ruleset identifiers, interfaces, interface contract bindings, implementations, implementation entry identifiers, implementation kinds, artifact CIDs, requested capabilities, resource requirements, storage needs, compute needs, fixtures, and documentation references. Claim references are not part of the package manifest; they live in bundles, capsules, catalogs, provenance records, trust requests, and other operational or index records that point at the package by CID.


16.6 Amend records/term.package-interface/package-interface.md

Replace definition with

A declared surface through which a package can be used. A package interface identifies the request schema, descriptor config schema where applicable, output schema where applicable, allowed implementations, declared capabilities, resource requirements, and execution type for that surface.

Replace usage with

Interfaces describe intended use and validation contracts. Interfaces do not grant capability.


16.7 Amend records/term.request/request.md

Replace definition with

The input object supplied for a specific invocation of a package interface.

Replace usage with

Requests are validated against package-declared request schemas before package execution. The package-visible request is the validated logical request from the invocation input envelope.


16.8 Amend records/term.output/output.md

Replace definition with

The package result returned by a package invocation after package-specific interpretation and validation against the package output schema where one is declared.

Replace usage with

Output is not a substitute for raw evidence. Where output is content-addressed, its identity should include package, interface, implementation, and schema context through an output snapshot.


16.9 Amend records/term.request-cid/request-cid.md

Replace definition with

The CID of a DRISL-encoded request snapshot where the request is content-addressed. A request snapshot binds request data to package CID, descriptor snapshot, interface identifier, and schema references.

Replace usage with

Invocation records may carry request snapshot CIDs, inline request snapshots, or encrypted request references where permitted.


16.10 Amend records/term.output-cid/output-cid.md

Replace definition with

The CID of a DRISL-encoded output snapshot or raw output blob where the output is content-addressed. An output snapshot binds output data to package CID, implementation CID, interface identifier, output schema reference, and validation status.

Replace usage with

Invocation records may carry output snapshot CIDs, inline output snapshots, raw output blob references, or encrypted output references where permitted.


16.11 Amend records/term.implementation-snapshot/implementation-snapshot.md

Replace definition with

A structured object representing a selected implementation, including package CID, implementation entry identifier, implementation kind, interface identifiers served, artifact CIDs, runtime requirements, role fields, parameters, declared capabilities, resource requirements, schema bindings, and WASM package-host calling convention identifier where applicable. The implementation CID is computed from this object after DRISL encoding.


16.12 Amend records/term.implementation-selection/implementation-selection.md

Replace definition with

The process of choosing one package implementation from available implementations based on package declaration, requested implementation where applicable, platform compatibility, artifact availability, trust, capabilities, resource limits, and Local Policy.

Replace usage with

Skipped implementations and reasons should be recorded. No silent fallback.


16.13 Amend records/term.package-host-interface/package-host-interface.md

Replace definition with

The mediated interface through which WASM and other executable packages interact with host resources. Packages do not receive ambient access to the document store, blob store, secrets, keys, signing authority, decryption authority, network, storage, compute, device capabilities, host-local metadata, UI state, debug fields, or unvalidated local defaults.


16.14 Amend records/term.conformance-package/conformance-package.md

Replace definition with

A package designed to test Benac compatibility across implementations.

Replace usage with

Conformance packages should cover manifest validation, package inspection, fixture execution, generic request/config invocation, declarative execution, WASM execution, capability denial, evidence/effects, resource limits, implementation selection, encryption, storage, and compute behavior as applicable.


16.15 Amend records/term.conformance-suite/conformance-suite.md

Replace definition with

The collection of tests used to verify Benac interoperability across Host Platforms and independent implementations. The baseline suite covers DASL CID parsing/generation/rejection/verification, DRISL encoding and JSON projection, content identity, principal identity, signed claims, encrypted envelopes, Couch/Pouch document replication, blob storage, storage discovery, compute discovery, package validation, package inspection, fixture execution, declarative execution, WASM execution through the package-host calling convention, capability denial, trust grants, local public-data package approval, invocation ledgers, evidence/effects, resource limits, implementation selection, and portable package behavior.


16.16 Add records/term.local-public-data-portable-package/local-public-data-portable-package.md

Term

Local public-data portable package

Definition

A package that runs locally, uses public invocation data and public descriptor configuration, declares schemas and capabilities, uses content-addressed artifacts, and executes through declarative or WASM implementations without requiring network access, remote storage, remote compute, secrets, decryption, signing authority, native execution, direct document-store access, unrestricted blob-store access, raw filesystem access, device access, same-origin package JavaScript, or provider-specific host behavior.

Usage

Use this term for simple interoperable packages such as hello-world packages, calculators, todo reducers, notes reducers, text formatters, and other pure local transforms.


16.17 Add records/term.invocation-input-envelope/invocation-input-envelope.md

Term

Invocation input envelope

Definition

A versioned logical object that supplies the package CID, descriptor snapshot CID or no-descriptor marker, interface identifier, schema references, request body, descriptor config body where applicable, requested implementation where applicable, execution type, data class, and initiating actor context for a package invocation.

Usage

The invocation input envelope is the source of package-visible request and descriptor config data after validation.


16.18 Add records/term.request-snapshot/request-snapshot.md

Term

Request snapshot

Definition

A content-addressed logical object that binds request data to package CID, descriptor snapshot CID or no-descriptor marker, interface identifier, request schema reference, descriptor config schema reference where applicable, request body, and descriptor config body where applicable.

Usage

Use request snapshots when invocation records need request CIDs that are not ambiguous across packages, interfaces, descriptors, or schemas.


16.19 Add records/term.output-snapshot/output-snapshot.md

Term

Output snapshot

Definition

A content-addressed logical object that binds package output to package CID, implementation CID, interface identifier, output schema reference where applicable, output body, and validation status.

Usage

Use output snapshots when invocation records need output CIDs that are not ambiguous across packages, interfaces, implementations, or schemas.


16.20 Add records/term.package-validation-report/package-validation-report.md

Term

Package validation report

Definition

A machine-readable report describing the result of package validation, including manifest validation, schema validation, artifact verification, implementation validation, fixture validation, compatibility checks, warnings, errors, and diagnostic codes.

Usage

Validation reports are evidence for authors, agents, reviewers, and Local Policy. Unsigned local reports are not authority outside local policy.


16.21 Add records/term.package-build-report/package-build-report.md

Term

Package build report

Definition

A machine-readable report describing the result of building a package bundle or capsule from an authoring workspace, including derived artifact CIDs, implementation CIDs, package CID, included schemas, included fixtures, warnings, errors, and diagnostic codes.

Usage

Build reports help independent tools prove they produced the same package identity from the same logical package inputs.


16.22 Add records/term.fixture/fixture.md

Term

Fixture

Definition

A structured package test vector that defines package-under-test reference, descriptor config or descriptor snapshot where applicable, interface identifier, request data, expected validation result, expected selected implementation or allowed implementation set, expected output where deterministic, expected evidence/effect behavior, expected denied effects where applicable, and expected diagnostics where failure is intended.

Usage

Fixtures test package behavior, validation, implementation selection, capability mediation, trace shape, and expected failures.


16.23 Add records/term.fixture-result/fixture-result.md

Term

Fixture result

Definition

A structured record describing the result of fixture execution, including fixture identifier, package CID, descriptor snapshot CID where applicable, implementation CID, request snapshot CID, output snapshot CID where applicable, validation results, evidence/effect references, pass/fail status, diagnostics, Station Profile reference, execution type, and timestamps.

Usage

Fixture results are evidence for local approval, package review, agents, and conformance testing.


16.24 Add records/term.package-inspection-result/package-inspection-result.md

Term

Package inspection result

Definition

A machine-readable object describing an inspected package, including package CID, manifest version, package metadata, interfaces, schema references, schema validation status, implementations, implementation CIDs, artifact references, artifact availability, declared capabilities, resource requirements, fixtures, claims, warnings, missing blobs, unsupported behavior, compatibility status, and diagnostic codes.

Usage

Inspection results support human review, agent review, local approval, and cross-implementation comparison.


16.25 Add records/term.local-public-data-approval/local-public-data-approval.md

Term

Local public-data approval

Definition

A local approval record allowing a package to run only with public request/config data and only with local declarative or WASM execution, under explicitly scoped package, implementation, descriptor, interface, data-class, and capability constraints.

Usage

Use this approval for simple local public-data packages. Do not use it for packages that require private data, secrets, network access, remote storage, remote compute, decryption, signing, native execution, file access, device access, or direct document-store access.


16.26 Add records/term.schema-ruleset/schema-ruleset.md

Term

Schema ruleset

Definition

A versioned set of schema validation rules defining the supported schema language, supported keywords, unsupported keywords, reference resolution behavior, validation result format, and diagnostic behavior.

Usage

Use schema ruleset instead of vague references to arbitrary schema behavior. Package manifests, request schemas, descriptor config schemas, output schemas, and fixture schemas should declare or inherit a supported schema ruleset.


16.27 Add records/term.wasm-package-host-calling-convention/wasm-package-host-calling-convention.md

Term

WASM package-host calling convention

Definition

The required low-level interface for a WASM package implementation, including required exports, allowed imports, forbidden imports, memory behavior, input encoding, output encoding, error behavior, allocation/free conventions, and resource-limit behavior.

Usage

Use this term when specifying how a WASM package exchanges data and host calls with a Benac Host Implementation. Do not require readers to know unexplained acronyms.


16.28 Add records/term.resource-limit-report/resource-limit-report.md

Term

Resource limit report

Definition

A structured record describing resource limits applied, exceeded, or relied upon during package validation, package build, fixture execution, or invocation.

Usage

Use resource limit reports to explain failures caused by package size, artifact size, request size, output size, WASM memory, execution time, fuel, logs, evidence records, or effect records.


16.29 Add records/term.diagnostic-record/diagnostic-record.md

Term

Diagnostic record

Definition

A structured machine-readable record describing a validation, build, fixture, invocation, capability, resource, schema, artifact, package-host, storage, compute, encryption, or policy problem using stable diagnostic codes and object references.

Usage

Diagnostic records allow tools, agents, users, and conformance tests to understand failures without parsing prose.


17. Generated document and search acceptance criteria

After editing source records:

  1. Run npm run build:syrs.
  2. Run npm run build:glossary.
  3. Verify the generated System Requirements Specification contains all added and amended requirements.
  4. Verify the generated Terms and Definitions contains all added and amended terms.
  5. Verify the generated System Requirements Specification does not contain numeric station-level shorthand.
  6. Verify no amended or added requirement uses ABI as reader-facing terminology.
  7. Verify no generated requirement refers to hello-world-specific approval names.
  8. Verify local public-data approval wording applies to hello-world, calculator, todo reducer, notes reducer, and similar simple packages.
  9. Verify generated requirement index includes all new requirement IDs.
  10. Verify generated glossary contains no active numeric station-level term definitions. If deprecated terms remain because deletion is not supported, verify they appear only as avoid/deprecated terms and are not referenced by requirements.
  11. Do not manually edit generated SyRS or generated glossary files except through the record build workflow.

Suggested checks:

npm run build:syrs
npm run build:glossary

grep -R -nE '\bC1\b|\bC3\b|\bC4\b' records/req.* docs || true
grep -R -nE '\bABI\b' records/req.* docs || true
grep -R -nE 'hello[_ -]?world.*approval|approval.*hello[_ -]?world' records/req.* docs || true

18. Final acceptance criteria

This ticket is complete when:

No business logic changes are part of this ticket.

Proposed resolution

Updated Benac package-authoring requirements and glossary source records for local public-data portable packages, committed, pushed, deployed, and verified from the browser-download artifact.

Implementation and deploy commits:

Verification completed:

Deploy and archive delivery:

History (18 events)

Sign in as a human to drive this ticket from the page, or use the MCP tools.

← all tickets · home