
docs(proposals/0001): Criterion 2 appendix — wire↔Idris2-spec mapping #110

Merged
hyperpolymath merged 1 commit into main from criterion-2-wire-spec-review on May 30, 2026

Conversation

@hyperpolymath
Owner

Summary

Closes proposal 0001 §"Acceptance criteria" Criterion 2 — the last write-up gate before [review] → [accepted]. Adds a 247-line "Appendix A — Wire-vs-Idris2-spec mapping" to docs/proposals/0001-multi-producer-carrier-section.adoc.

Appendix structure

| Section | Coverage |
|---|---|
| A.1 | typedwasm.regions wire fields ↔ Region.idr + Pointer.idr — per-field table (version, region_count, name, field_count, field_name, kind, wasm_ty, target_region, nullability, cardinality, region_byte_size) |
| A.2 | typedwasm.capabilities wire fields ↔ ResourceCapabilities.idr — capability table + per-function required list; documents that strict-increasing required[] encodes DistinctCaps + ContainedIn + canonical-order at once |
| A.3 | What is NOT carried on the wire (deliberate): ContainedIn proof witnesses (verifier reconstructs), CallCompatible (L15-C deferred to #96), LayoutValid (verifier recomputes), SchemaEq (single-module v1), RegionDisjoint (runtime concern), ExclusiveWitness (in ownership section) |
| A.4 | Soundness shape — single NOTE listing per-emission proof obligations PR #107 (codec) + PR #109 (verifier) already enforce |

Criterion 2 line in §"Acceptance criteria" updated to "(Satisfied — see Appendix A below.)".

Why a write-up not a property test

Criterion 2's text reads "every wire field maps cleanly to a spec witness" — a write-up satisfies it (and is what a reviewer reads). A future task (filed in the appendix's closing paragraph, not blocking [accepted]) is to encode the same mapping as Idris2 property tests in src/abi/ (WireSchemaEquiv.idr showing encode/decode round-trips preserve the spec witnesses).

Acceptance-roadmap state after this PR

| | 0001 (regions+capabilities) | 0002 (access-sites) |
|---|---|---|
| Codec | #107 | #107 |
| Verifier | #109 | #109 |
| Spec doc | #108 | #108 |
| Wire-vs-spec review | this PR | n/a |
| Cross-repo issues | ✅ affinescript#444 + ephapax#221 | ✅ affinescript#462 / ephapax pending |
| Open Qs | ⚠️ #94, #95, #96 still open | n/a |

After this lands, proposal 0001's only remaining gate is the open questions converging (WBool wire-width pin, region-imports proposal placeholder, capability-grants v1.4.x). The acceptance criteria themselves are all green.

Test plan

  • Local proof-doc render check: appendix renders with cleanly-formatted cols=2,3,2 + cols=2,3 tables.
  • Cross-reference links resolve (Region.idr:253, Region.idr:127, Pointer.idr:74, ResourceCapabilities.idr:67/104/218/241/248/312, etc.).
  • No code changes — no Cargo build required.
  • Reviewer cross-check: confirm A.3 is exhaustive (no missed spec-side relation that v1 silently drops).

Related

🤖 Generated with Claude Code

Adds "Appendix A — Wire-vs-Idris2-spec mapping (Criterion 2)" with three
sub-sections:

  A.1  typedwasm.regions ↔ Region.idr + Pointer.idr — per-field table
       mapping every wire field (version, region_count, name,
       field_count, field_name, kind, wasm_ty, target_region,
       nullability, cardinality, region_byte_size) to the
       corresponding Idris2 type or extractor.

  A.2  typedwasm.capabilities ↔ ResourceCapabilities.idr — per-field
       table covering the capability table and per-function required
       list. Documents that the strict-increasing required[]
       invariant is the operational counterpart to three spec facts
       at once: DistinctCaps (line 104), ContainedIn (L15-B line
       312), and canonical-order producer obligation.

  A.3  What is NOT carried on the wire (deliberate). Tabulates the
       spec constructs the v1 carriers do NOT encode and why:
       ContainedIn proof witnesses (verifier reconstructs),
       CallCompatible (L15-C deferred to #96), LayoutValid (verifier
       recomputes), SchemaEq (single-module v1), RegionDisjoint
       (runtime concern), ExclusiveWitness (lives in ownership
       section).

  A.4  Soundness shape — a single NOTE block listing the
       per-emission proof obligations the verifier (PR #109) and
       codec (PR #107) already enforce.

Criterion 2 line in §"Acceptance criteria" annotated "(Satisfied — see
Appendix A below.)" to close the gate explicitly.

Refs #106 (acceptance roadmap), #34 (proposal 0001 umbrella), PR #107
(codec), PR #109 (verifier).

Closes proposal 0001 §"Acceptance criteria" Criterion 2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 30, 2026 14:04
@github-actions

🔍 Hypatia Security Scan

Findings: 96 issues detected

| Severity | Count |
|---|---|
| 🔴 Critical | 8 |
| 🟠 High | 19 |
| 🟡 Medium | 69 |

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in boj-build.yml",
    "type": "unknown",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in c5-regenerate.yml",
    "type": "unknown",
    "file": "c5-regenerate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "unknown",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "unknown",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit c76eef9 into main May 30, 2026
31 checks passed
@hyperpolymath hyperpolymath deleted the criterion-2-wire-spec-review branch May 30, 2026 14:07
hyperpolymath added a commit that referenced this pull request May 30, 2026
## Summary

Closes [#94](#94) —
the only remaining open question on proposal 0001 before `[review] →
[accepted]` flip.

**Decision: WBool is 4 bytes on the wire** (i32.store/load; 0 = false,
nonzero = true). The narrower 1-byte encoding is reserved for a future
`WBoolPacked` variant in v2.

## Two changes

| File | Change |
|---|---|
| `docs/proposals/0001-multi-producer-carrier-section.adoc` | New `§"WBool wire width — pinned at 4 bytes"` subsection (~36 LOC) inside `§"Wire format — typedwasm.regions"`. Documents rationale, reserves `WBoolPacked` v2, references the rejected lenient alternative. |
| `src/abi/TypedWasm/ABI/Region.idr` | `sizeOf WBool = 4` (was `1`) with inline comment pointing at the proposal text and producer-side evidence files. |

## Why 4-byte, not 1-byte, not mixed-width

1. **Producer reality**: both shipping producers already emit 4-byte
`i32.store` for boolean fields (AffineScript
`lib/codegen.ml:180-190+:373`; Ephapax
`src/ephapax-wasm/src/lib.rs:2937-2944`). Pinning at 4 = zero codegen
changes.
2. **Spec self-consistency**: `Region.idr` was the outlier at 1 byte;
this PR brings spec into alignment with producer reality. `alignOf =
sizeOf` (Region.idr:113) carries through to field-alignment math. No
proofs or tests hardcode `WBool=1` — verified by grep.
3. **Verifier simplicity**: single canonical width means no new
`MixedWidthBoolean` error variant; `region_byte_size` cross-check is
deterministic per schema.
4. **Future flexibility**: a 1-byte `WBoolPacked` (or named-equivalent)
remains the v2 escape hatch as a new `WasmType` constructor, NOT a width
flag on the existing `WBool` codepoint. Additive, not breaking.

## Rejected: lenient mixed-width

The `§A` sketch in #94's recommendation (allow either width per field,
validate consistency) is rejected because:

- `region_byte_size` becomes producer-choice-dependent — same schema →
different `schemaSize` values
- Forces a new `MixedWidthBoolean` verifier error variant for marginal
flexibility
- Complicates cross-module schema agreement: a 1-byte WBool field in one
module is structurally incompatible with a 4-byte WBool field of the
same name in another module

## Risk assessment

- Idris2 `sizeOf` change cascades to `schemaSize` / `computeOffsets` /
`alignOf` — none of these is hardcoded against `WBool=1` in any test or
proof. `MultiModule.idr`'s `Example` schema uses WBool but only via
`SchemaEq`/`SchemaSub` structural relations.
- `TypedAccess.idr:51` (`HostType WBool = Bool`) is host-side type
mapping; unaffected by wire width.
- `crates/typed-wasm-verify` `region_byte_size` validation is currently
`MAY cross-check` (not enforced) — when implemented later, the canonical
4-byte rule makes the check deterministic.

## Acceptance update for #94

- [x] Proposal 0001 amended with explicit `WBool` wire width.
- [n/a] No `MixedWidthBoolean` error variant (strict resolution chosen).
- [x] Forward-pointer to `WBoolPacked` future-extension added.

## What this means for 0001 [review] → [accepted]

This was the last load-bearing open question on proposal 0001. After
merge:

| Acceptance gate | State |
|---|---|
| Criterion 1 (producer signoff) | ✅ |
| Criterion 2 (wire↔spec mapping) | ✅ Appendix A (PR #110) |
| Criterion 3 (draft codec) | ✅ PR #107 |
| Criterion 4 (draft spec doc) | ✅ PR #108 |
| Criterion 5 (cross-repo issues filed) | ✅ affinescript#444 + ephapax#221 |
| OQ #94 (WBool width) | ✅ **this PR** |
| OQ #95 (region-imports) | ✅ proposal 0003 [draft] (PR #112) |
| OQ #96 (capability-grants) | ✅ proposal 0004 [draft] (PR #111) |

Proposal 0001 is **fully ready for `[accepted]`** after this lands —
owner decision is the only remaining step.

## Test plan

- [x] `git grep` confirms no hardcoded `WBool=1` size assertions in
proofs or tests.
- [x] `sizeOf WBool` only used via
`computeOffsets`/`alignOf`/`fieldSize` (derived, not hardcoded).
- [ ] Idris2 build passes (CI will verify).
- [ ] Cargo build + test passes (no Rust code changes — should be a
no-op).

## Related

- #94 (this PR closes it)
- #106 (acceptance roadmap tracker)
- #34 (proposal 0001 umbrella)
- ephapax#165 §2-Q1 / affinescript#402 §3-Q1 — paired producer reviews
- PR #76 (proposal 0001 original landing)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
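The layout math the commit message describes (sizeOf WBool = 4, alignOf = sizeOf, schemaSize derived from computeOffsets) and the region_byte_size cross-check it mentions, as an added Rust example that is not the typed-wasm project's Idris2 or Rust code. WI32/WI64, round_up, verify_region_byte_size and decode_wbool are names assumed here; the 0 = false / nonzero = true rule follows the commit's i32.load convention.

```rust
// Added example, not typed-wasm's code: models sizeOf WBool = 4 with
// alignOf = sizeOf and the optional region_byte_size cross-check.
// WI32/WI64, round_up, verify_region_byte_size and decode_wbool are assumed names.
use std::convert::TryInto;

#[derive(Clone, Copy)]
enum WasmType {
    WI32,
    WI64,
    WBool, // pinned at 4 bytes on the wire (i32.store / i32.load)
}

/// sizeOf: wire width per field type. WBool is 4, not the former 1.
fn size_of(t: WasmType) -> u32 {
    match t {
        WasmType::WI32 | WasmType::WBool => 4,
        WasmType::WI64 => 8,
    }
}

/// alignOf = sizeOf (as in Region.idr), so the pin also moves field alignment.
fn align_of(t: WasmType) -> u32 {
    size_of(t)
}

fn round_up(n: u32, align: u32) -> u32 {
    (n + align - 1) / align * align
}

/// computeOffsets: naturally aligned, in declaration order.
fn compute_offsets(fields: &[WasmType]) -> Vec<u32> {
    let mut next = 0u32;
    fields.iter().map(|&t| {
        let here = round_up(next, align_of(t));
        next = here + size_of(t);
        here
    }).collect()
}

/// schemaSize: end of the last field, padded to the widest alignment.
fn schema_size(fields: &[WasmType]) -> u32 {
    let end = compute_offsets(fields).last().zip(fields.last())
        .map_or(0, |(&o, &t)| o + size_of(t));
    round_up(end, fields.iter().map(|&t| align_of(t)).max().unwrap_or(1))
}

/// The verifier's MAY cross-check: a declared region_byte_size must equal the
/// spec-derived size, which one canonical WBool width makes deterministic.
fn verify_region_byte_size(fields: &[WasmType], declared: u32) -> Result<(), String> {
    let expected = schema_size(fields);
    if declared == expected { return Ok(()); }
    Err(format!("region_byte_size {} != spec-derived {}", declared, expected))
}

/// WBool read: 4 little-endian bytes as i32; 0 = false, nonzero = true.
fn decode_wbool(region: &[u8], offset: usize) -> Option<bool> {
    let bytes: [u8; 4] = region.get(offset..offset.checked_add(4)?)?.try_into().ok()?;
    Some(i32::from_le_bytes(bytes) != 0)
}
```

With the old `WBool = 1` the schema `[WI32, WBool, WBool, WI32]` laid out as 0/4/5/8 (12 bytes); under the pin it is 0/4/8/12 (16 bytes), so a producer still emitting the narrow width would fail the cross-check.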
hyperpolymath added a commit that referenced this pull request May 30, 2026
…loses #97) (#114)

## Summary

Closes [#97](#97) —
addresses both halves of the paired-review meander finding.

## (A) Producer-readiness checklist — Appendix B in proposal 0001 (~120
LOC)

Tabulates each carrier section's IR prerequisites, current producer-side
status, and roadmap-issue identifier in each producer's tracker where
the gap is named:

| Carrier | IR prerequisites | Status |
|---------|-----------------|--------|
| `typedwasm.ownership` | per-fn ownership-kind tracking | **SHIPPING** |
| `typedwasm.regions` | region decls + field offsets + stable indices | **NOT YET EMITTABLE** (AS Roadmap C1 deferred; Ephapax dead code) |
| `typedwasm.capabilities` | per-fn cap decl + module budget + effect IR | **NOT YET EMITTABLE** (AS Roadmap C2 not started; Ephapax Perform/Handle stubbed) |
| `typedwasm.region-imports` (0003) | + cross-module region tracking + wasm-module-name resolution | **NOT YET EMITTABLE** |
| `typedwasm.access-sites` (0002) | + per-instr tracking + post-rewrite hook | **NOT YET EMITTABLE** (depends on regions) |
| `typedwasm.capability-grants` (0004) | + per-callsite grant tracking | **NOT YET EMITTABLE** (depends on capabilities) |

NOTE block surfaces the all-or-nothing implication: **do not emit a
section you cannot populate.**

Proposal 0002 gains a §"Producer-readiness (cross-reference)" subsection
(~28 LOC) pointing to 0001's Appendix B plus three access-sites-specific
items: per-instruction tracking, post-rewrite hook discipline,
region-index stability across sections.

## (B) Canonical emit ordering — extends 0001 §"Producer obligations"

New 5th item specifying the recommended emit order matching the runtime
dependency graph:

```
1. typedwasm.ownership
2. typedwasm.regions
3. typedwasm.region-imports        (proposal 0003)
4. typedwasm.capabilities
5. typedwasm.access-sites          (proposal 0002)
6. typedwasm.capability-grants     (proposal 0004)
```

**Consumers MUST NOT depend on this order** — the verifier reads
sections by custom-section name, so any order is parseable. The
canonical order exists for cross-producer module comparability
(byte-equal carrier sequences for two producers of the same logical
module — useful for `cmp` / `diff` / content-addressing).

## Acceptance update for #97

- [x] Proposal 0001 gains §"Producer-readiness checklist" appendix
listing the IR prerequisites for each section.
- [x] Proposal 0002 gains a one-line cross-reference (expanded to a full
subsection with access-sites-specific items) to 0001's checklist.
- [x] Proposal 0001 §"Producer obligations" specifies the canonical emit
order with a "consumer MAY accept any order" note.
- [ ] When AffineScript / Ephapax start their respective Roadmap
C1/C2/C3 implementations, those issues cross-reference this checklist.
*(Producer-side action, not a typed-wasm gate.)*

## What this closes

Together with #94, #95, #96 (resolved in PRs #110/#111/#112/#113), this
completes all the documentation-side gates around proposals 0001 and
0002. Both proposals are now fully ready for `[review] → [accepted]`
owner decision.

## Test plan

- [x] AsciiDoc renders cleanly (cols-tables, lower-alpha sub-list,
code-block fences).
- [x] Cross-reference link to Appendix B from proposal 0002 uses
AsciiDoc anchor format.
- [x] No code changes — no Cargo/Idris2 build required.

## Related

- #97 (this PR closes it)
- #34 (proposal 0001 umbrella)
- #106 (acceptance roadmap tracker)
- ephapax#165 §3+§6 / affinescript#402 §4+§7 — paired reviews surfacing
the gap
- affinescript#462 (access-sites codegen issue — referenced from
Appendix B)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
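The name-based section lookup and canonical emit order described in the commit message above, as an added Rust example that is not the typed-wasm verifier's code: it reads wasm custom sections by name whatever order a producer emitted them, and separately checks the canonical rank order as a producer-side comparability aid. The custom-section byte layout (id 0, ULEB128 lengths) is the standard wasm binary format; the helper names (custom_section, custom_sections, find_section, is_canonical_order) are assumed.

```rust
// Added example, not the typed-wasm verifier's code; helper names are assumed.
const CANONICAL_ORDER: [&str; 6] = [
    "typedwasm.ownership", "typedwasm.regions", "typedwasm.region-imports",
    "typedwasm.capabilities", "typedwasm.access-sites", "typedwasm.capability-grants",
];

fn uleb_encode(mut v: u32, out: &mut Vec<u8>) {
    while v >= 0x80 { out.push((v as u8 & 0x7f) | 0x80); v >>= 7; }
    out.push(v as u8);
}

fn uleb_decode(buf: &[u8], pos: &mut usize) -> Option<u32> {
    let (mut result, mut shift) = (0u32, 0u32);
    loop {
        let b = *buf.get(*pos)?; *pos += 1;
        result |= u32::from(b & 0x7f) << shift;
        if b & 0x80 == 0 { return Some(result); }
        shift += 7; if shift > 28 { return None; } // over-long encoding: reject
    }
}

/// Custom section = id 0, ULEB128 size, name (ULEB128 len + bytes), payload.
fn custom_section(name: &str, payload: &[u8]) -> Vec<u8> {
    let mut body = Vec::new();
    uleb_encode(name.len() as u32, &mut body);
    body.extend_from_slice(name.as_bytes()); body.extend_from_slice(payload);
    let mut out = vec![0u8];
    uleb_encode(body.len() as u32, &mut out);
    out.extend_from_slice(&body);
    out
}

/// All custom sections as (name, payload) in file order; other sections skipped.
fn custom_sections(module: &[u8]) -> Option<Vec<(String, Vec<u8>)>> {
    if module.len() < 8 || !module.starts_with(b"\0asm") { return None; }
    let (mut pos, mut found) = (8usize, Vec::new());
    while pos < module.len() {
        let id = module[pos]; pos += 1;
        let size = uleb_decode(module, &mut pos)? as usize;
        let end = pos.checked_add(size).filter(|&e| e <= module.len())?;
        if id == 0 {
            let mut p = pos;
            let nlen = uleb_decode(module, &mut p)? as usize;
            let name_end = p.checked_add(nlen).filter(|&e| e <= end)?;
            let name = std::str::from_utf8(&module[p..name_end]).ok()?;
            found.push((name.to_string(), module[name_end..end].to_vec()));
        }
        pos = end;
    }
    Some(found)
}

/// Consumers resolve a carrier by name, so any emit order is parseable.
fn find_section<'a>(secs: &'a [(String, Vec<u8>)], name: &str) -> Option<&'a [u8]> {
    secs.iter().find(|(n, _)| n == name).map(|(_, p)| p.as_slice())
}

/// Producer-side comparability check: typedwasm.* sections in canonical order.
fn is_canonical_order(secs: &[(String, Vec<u8>)]) -> bool {
    let ranks: Vec<usize> = secs.iter()
        .filter_map(|(n, _)| CANONICAL_ORDER.iter().position(|c| *c == n.as_str())).collect();
    ranks.windows(2).all(|w| w[0] < w[1])
}
```

A module that lists capabilities before regions still resolves by name, but fails `is_canonical_order`; a truncated section length is rejected rather than read past the buffer.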
hyperpolymath added a commit that referenced this pull request May 30, 2026
…115)

## Summary

Owner-decision close of the proposal-acceptance arc. Both proposals
satisfied every acceptance gate this session ([see #106 wrap-up
comment](#106 (comment)));
this PR applies the status flip.

## Status changes

- `docs/proposals/0001-multi-producer-carrier-section.adoc` — `review →
accepted`
- `docs/proposals/0002-access-site-carrier.adoc` — `review → accepted`
- `docs/proposals/README.adoc` — "Current proposals" table updated; NOTE
block clarifies files remain in `docs/proposals/` (ADR promotion is a
separate file-restructure follow-up).

## LEVEL-STATUS.md updates

| Level | Before | After |
|-------|--------|-------|
| L2 (region binding) | proposal-stage | **YES** (carrier-backed) — `verify_access_sites_from_module` (PR #109); gated `unstable-l2` |
| L3–L6 (type-compat, null, bounds, result-type) | proposal-stage | **YES** (carrier-backed, schema half) — regions codec PR #107; per-access enforcement gated on producer codegen |
| L15-A/B (capabilities) | proposal-stage | **YES** (carrier-backed) — `verify_capabilities_from_module` (PR #109); gated `unstable-l15` |
| L13 cross-module (positive form) | — | proposal-stage — proposal 0003 `[draft]` (new row) |

"Open gating items" section rewritten to remove obsolete pre-acceptance
gates (all shipped via #107/#109) and enumerate the remaining
producer-side prerequisites + [draft] proposal 0003/0004 work.

## What this DOES NOT change

- **File locations**: proposals stay in `docs/proposals/`. ADR promotion
to `docs/decisions/` (with renumbering — existing ADR 0001 is
"adopt-rsr-standard", so proposals 0001/0002 would become ADRs
0002/0003) is a deliberate separate PR to keep the status flip cleanly
auditable.
- **Code**: no source or test changes. Verifier passes already shipped
in #107/#109 behind `unstable-l2` / `unstable-l15` feature flags.
- **Producer-side codegen**: still pending per Appendix B prerequisites
in proposal 0001.

## Test plan

- [x] Status field flipped on both proposals.
- [x] README table reflects new statuses with date.
- [x] LEVEL-STATUS L2/L3-L6/L15 rows show carrier-backed YES.
- [x] Open gating items rewritten (4 items: producer codegen, L13
cross-module, L15-C, ADR promotion).
- [ ] CI passes (doc-only changes; no Cargo/Idris2 build risk).

## Related

- #34 (proposal 0001 umbrella)
- #78 (proposal 0002 RFC)
- #106 (acceptance roadmap tracker — full wrap-up comment)
- This session's 5-PR sprint that satisfied every gate: #107 (codec),
#108 (spec doc), #109 (verifier), #110 (Criterion 2 appendix), #111
(proposal 0004 draft for #96), #112 (proposal 0003 draft for #95), #113
(WBool pin for #94), #114 (producer-readiness for #97).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
hyperpolymath added a commit that referenced this pull request May 30, 2026
…ss stale references (#117)

## Summary

Companion to #115 (acceptance flip) and #116 (ADR promotion). Sweeps the
remaining files that still carried `[draft]` / `[review]` proposal status
or referenced now-closed cross-repo gating issues.

## Files changed

| File | What changed |
|---|---|
| `README.adoc` | Proposal status flipped to `[accepted]` + ADR links; added 0003/0004 to forward-looking section; rewrote the verifier-pass status sentence (was "gated on proposal 0002's acceptance"; now reflects PR #109 having shipped). |
| `CHANGELOG.md` | New Unreleased section "Multi-producer carrier ABI: proposals 0001 + 0002 accepted, promoted to ADRs (2026-05-30)" covering PRs #110-#116 + the seven closed issues + producer-side gates that remain. |
| `crates/typed-wasm-verify/Cargo.toml` | Feature-flag comments updated to reflect post-acceptance state. `unstable-l2` / `unstable-l15` feature gates retained while Phase 3 stabilisation is open. |
| `docs/PRODUCTION-PATH.adoc` | Proposals 0001/0002 flipped to `[accepted]` with PR pointers; added 0003/0004 to active-design-work list. |
| `spec/type-safety-levels-for-wasm.adoc` | Wire-section status column updated for `typedwasm.regions` / `typedwasm.capabilities` / `typedwasm.access-sites`; tail references enumerate all four proposals with current status. |
| `.machine_readable/6a2/STATE.a2ml` | Capabilities-by-level entries flipped 30→100; rewrote critical-next-actions; rewrote `[carrier-abi]` section with accepted-date / acceptance-pr / adr-pr for both proposals + added `[draft]` entries for 0003/0004. |

## What was deliberately left alone

`spec/{ARG,CRG,FRG,TRG}-PROFILE.adoc` — these are point-in-time audit
snapshots, not config. They mention the proposals as the live RFC
corpus, but rewriting audit history adds more noise than signal.

## Test plan

- [ ] CI green (docs + config only; no source changes)
- [ ] Cross-links resolve in rendered AsciiDoc

🤖 Generated with [Claude Code](https://claude.com/claude-code)