Module observer_host

Observer host — capability-bounded WASM sandbox for L2 projection observers (E15 — Observer Capability Confinement).

§Spec anchor

  • E15 Observer Capability Confinement — Runtime axiom:
    • E15.a observer panic is contained at the sandbox boundary; the host catches the trap and emits an ObserverQuarantine event. No native unwind reaches the L0 chain (L0 A22 strengthening).
    • E15.b observer side-effects route exclusively through host-declared capability tokens; direct syscalls and wasi-{fs, sockets, clocks, random} are rejected at module-load.
  • Observer path — L2 projection observers operate post-commit on already-chained data; they cannot mutate chain state.

§Chain-non-affecting invariant (cryptographer-anchored firm contract)

Observer execution is chain-non-affecting by construction. Four clauses establish the invariant; together they ensure observer panic / capability-deny / module compromise cannot affect L0 chain integrity:

  1. No chain-mutation host-fn: every binding under arkhe:observer/* is a side-effect to a non-chain destination (PG projection, metric sink, KMS rotation receipt). No binding calls Op::EmitEvent, Op::SpawnEntity, or any chain-head-write primitive.
  2. Effect signature is chain-orthogonal: every host-side [capability_linker::ObserverCapability] impl carries its effect to a layer outside the chain (projection / metric / vault). Enforced by the trait signature shape — the impl receives no chain reference.
  3. Quarantine emission is host-supervised: when an observer wasm traps, the host generates the ObserverQuarantine event. The observer triggers the emission via its trap, but does not generate it — the cryptographic chain anchor is host-owned.
  4. Panic isolation preserves chain progression: the wasmtime trap is caught at the host’s invoke boundary; chain progression continues independently. The chain hash of the next tick is unaffected by observer existence or panic-state.
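The four clauses above, modelled as an added Rust sketch that is not this crate's code: the type names mirror the documented surface but their shapes are assumed, `catch_unwind` stands in for the wasmtime trap boundary, the projection write is a hypothetical no-op sink, and the chain is reduced to a tick counter the observer never receives a handle to.

```rust
use std::collections::HashSet;
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Capability tokens an observer may request (assumed shape, mirrors the page).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
#[non_exhaustive]
pub enum ObserverCapToken { PgWrite }

#[derive(Debug, PartialEq, Eq)]
pub enum ObserverTrapClass { Panic, CapabilityDenied }

#[derive(Debug, PartialEq, Eq)]
pub enum ObserverError { Quarantine(ObserverTrapClass) }

/// Host-owned context: the observer sees only its capability set, never the chain.
pub struct ObserverContext { caps: HashSet<ObserverCapToken> }

impl ObserverContext {
    /// E15.b: the only route to a side-effect is a host-declared token; the
    /// projection write itself is a hypothetical sink and is elided here.
    pub fn pg_write(&self, _row: &str) -> Result<(), ObserverError> {
        if self.caps.contains(&ObserverCapToken::PgWrite) {
            Ok(())
        } else {
            Err(ObserverError::Quarantine(ObserverTrapClass::CapabilityDenied))
        }
    }
}

/// Stand-in for L0 chain state: a tick head the observer has no handle to.
pub struct Chain { pub head: u64 }

/// Invoke boundary (E15.a): a panicking observer is caught here and reported as
/// a host-generated quarantine outcome; the chain advances regardless (clause 4).
pub fn invoke(chain: &mut Chain, caps: HashSet<ObserverCapToken>, event: &str,
              observer: impl Fn(&ObserverContext, &str) -> Result<(), ObserverError>)
    -> Result<(), ObserverError> {
    let ctx = ObserverContext { caps };
    let outcome = catch_unwind(AssertUnwindSafe(|| observer(&ctx, event)))
        .unwrap_or(Err(ObserverError::Quarantine(ObserverTrapClass::Panic)));
    chain.head += 1; // progression is independent of the observer's outcome
    outcome
}

fn main() {
    let mut chain = Chain { head: 0 };
    let r = invoke(&mut chain, HashSet::new(), "tick", |_, _| panic!("observer bug"));
    println!("quarantined: {:?}, chain head now {}", r, chain.head);
}
```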

§L0↔Runtime boundary surface

observer_host/ is a Runtime-layer concept. It uses no L0 source — the L0 KernelObserver trait is referenced only as a conceptual anchor (observer_host exposes the same KernelEvent observation pattern but inside a capability-bounded WASM sandbox).

§Surface

  • ObserverHost trait + NoopObserverHost (default when sandbox-backed observer is not feature-gated).
  • ObserverContext / ObserverError / ObserverTrapClass.
  • ObserverCapToken enum (#[non_exhaustive]) — currently a single variant PgWrite; additional capabilities can be added without breaking external matchers.
  • WasmtimeObserverHost (feature tier-2-observer-host-v2) — wasmtime preview-2 sandbox with fuel-metered execution + capability-bounded arkhe:observer/* host-fn dispatch.

Structs§

NoopObserverHost
Pass-through host — returns Ok(()) without invoking any observer logic. Default when sandbox-backed observer is not feature-gated.
ObserverContext
Observer execution context — opaque to observers themselves; managed by the host. Carries only the capability set; observers are read-only sinks and do not mutate the submission pipeline (cf. hook host’s ExtraBytesBuilder thread).

Enums§

ObserverCapToken
Capability tokens an enabled observer may request from the host.
ObserverError
Observer execution outcome.
ObserverTrapClass
Trap classification for ObserverQuarantine — surfaced into the chain-anchored receipt so replay + audit can distinguish each sandbox-boundary failure mode.

Traits§

ObserverHost
Capability-bounded observer host — runs a registered observer module against a KernelEvent stream with side-effects gated by the configured capability set.