Skip to content

backlog: recut shadow assets around owner-managed readiness#142

Open
vanilla-wave wants to merge 5 commits into
mainfrom
honest-shadow-substitutions
Open

backlog: recut shadow assets around owner-managed readiness#142
vanilla-wave wants to merge 5 commits into
mainfrom
honest-shadow-substitutions

Conversation

@vanilla-wave

@vanilla-wave vanilla-wave commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Docs-only architectural recut of shadow-substitution delivery: ADR-0249,
ADR-0266, one ready epic, and seven implementation items.

Review changes applied

  • Split generic kernel capabilityPorts into its own ready item and ADR.
    npm-client/shadow-asset-store is blocked by it; kernel owns only validation,
    exact-once transfer, pre-entry publication, rollback, and child-end cleanup.
  • Named the cold-install trade-off. STD adds one serial post-tree fill for the
    13,918,738-byte esbuild member; this is extracted member size, not wire bytes.
    ADR-0201 bounds bytes/no-progress, not total seconds. The store item owns the
    real-Chromium STD row; Eddy may only add a matched row.
  • Reconciled the plan with current main: ADR-0258 provenance, ADR-0261's stamp
    authorities/root-bound claim, and ADR-0231's current esbuild URL bootstrap.
    The plan now specifies v4 lockfile identity, a post-tree partial outcome,
    trusted/snapshot asset hooks, and removal of RIFTY_ESBUILD_WASM_URL.
  • Replaced lossy workspace slugs with one injective storage key shared by guest
    and private roots; colliding legacy inputs cannot read, clear, or delete one
    another's data.
  • Removed the standalone HTML report from the PR. The contracts below and the
    backlog/ADR diff are the source of truth.

Outcome

Applied substitutions declare exact integrity-pinned runtime assets. One
workspace-owner ShadowAssetManager fetches, verifies, persists, receipts, and
serves them. npm install cannot report success until the exact applied set is
ready for its honest storage class; child Workers never own fetch state or read
private store paths.

This separates delivery from package-specific runtime adaptation. Moving
esbuild.wasm out of the app bundle does not claim generic Sass/SWC/sharp ABI or
lifecycle compatibility.

Dependency graph

  1. Ready: kernel/worker-capability-ports — opaque named MessagePort
    bootstrap, failure-atomic lifecycle (ADR-0266).
  2. Ready, blocked by 1: npm-client/shadow-asset-store — exact applied set,
    owner manager, private receipts, STD transport, v4 claim integration, cold
    benchmark, remove bundled wasm URL (ADR-0249).
  3. Ready, blocked by 2: npm-client/eddy-batch-asset-closure — one exact
    missing-set closure, learned-pin fast path, STD fallback, matched benchmark.
  4. Draft, blocked by 2: retire the dead ~20MB esbuild alias after real-Vite
    proof and honest lockfile provenance.
  5. Draft: choose and parity-prove the Sass runtime pattern.
  6. Draft: full-input-digest selective capsule CI after a named second
    derived-runtime capsule exists.
  7. Draft, blocked by 2: external declarative catalogs separated from trusted
    local runtime-adapter code; ADR required before ready.

Platform contracts

  • Kernel sees only opaque name→port transfer. Asset frames, deadlines,
    cancellation, progress, terminal errors, and owner peer cleanup stay in
    npm-client/Playground.
  • ShadowAssetManagerPort stays small: ensure, readVerified,
    inspectReceipt; UI administration has a separate inspect/clear port.
  • One pre-scope composition root closes over raw storage and exposes only the
    guest VFS plus a private-store capability at
    /.rifty-private/workspaces/<workspaceStorageKey>/shadow-assets/v1/. The
    exact same injective key scopes the guest root; raw FsSync never escapes to
    guests or ordinary OwnerVfsAuthority.
  • Publish is verified: temp → object acknowledgement → read-back hash →
    immutable receipt → acknowledged ready pointer last. No OPFS rename-atomicity
    assumption.
  • Storage is opfs-persisted, opfs-best-effort, or memory-session.
    persistedAfter is threaded from page boot; it is never inferred from OPFS.
  • Tree and asset phases are distinct. A typed post-tree asset failure preserves
    treeResult, lets the existing acquisition/stamp authorities promote the
    independently valid tree, then exits nonzero as “tree ready, asset failed”.
  • v4 adds lockfileSha256; fresh, trusted, and snapshot paths re-prove exact
    lockfile bytes and run the same planner/ensure before runtime.
  • ADR-0258 dependency provenance remains dependency-only. Actual asset
    STD/Eddy/cache provenance lives in receipt/error and never relabels lossy
    InstallResult.source.

User-visible behavior

  • Progress is cache-check → fetch → verify → persist → ready; exit 0 follows
    the readiness receipt, never a background start.
  • Terminal/status UI shows asset and phase, then the honest storage class.
    Best-effort/session warnings, structured failure fields, quota usage, and the
    acknowledged “Clear workspace asset cache” recovery stay visible.
  • Persistent OPFS supports reload-offline use after HTTP-cache eviction.
    Best-effort OPFS warns and claims reload only while origin storage remains;
    memory is session-only.
  • Clearing only the asset store rebuilds from a valid tarball cache offline.
    With both stores empty and network unavailable, failure is bounded by the
    configured retry/no-progress contract, named, and actionable.
  • A pin-only update reuses the unchanged tree but fetches/receipts the new exact
    bytes. No update, quota path, or project deletion silently garbage-collects
    workspace assets.

Cold benchmark contract

shadowAssetColdFillMs.standard uses one discarded server/proxy warm-up and five
fresh Chromium contexts. Every sample proves empty asset/tarball caches, STD
transport, one set digest/receipt, and one storage class. It measures aggregate
cache-check through acknowledged/flushed ready, excluding tree install and
Vite boot. The artifact records samples/median, phase-local protocol evidence,
memberBytes=13918738, decoded packument/tarball response-body bytes, client
cache coldness, discarded-run origin warming, registry, and HTTP mode. Missing,
mixed, partial, cache-hit, or fallback proof is unmeasured; no partial median.

Verification

  • pnpm docs:check
  • git diff --check
  • pnpm pr:check on the final committed SHA

Implementation PRs must provide Contract+RED, then Final+GREEN proof for the
ready item they implement, including each fault-matrix row and the real browser
acceptance path.

… batch closure, alias retirement, capsule selective CI)
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown

@vanilla-wave vanilla-wave changed the title backlog: honest-shadow-substitutions epic — npm-provenance shadow assets, eddy-optional, capsule CI backlog: recut shadow assets around owner-managed readiness Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant