arkhe_forge_platform/lib.rs

//! # ArkheForge Runtime — L2 Services / Platform (`arkhe-forge-platform`)
//!
//! L2 services surface — Manifest loader, L2 projection observer, Policy,
//! Rate limit, Audit receipt issuance, Cascade scheduler, Idempotency dedup,
//! GDPR erasure-cascade service, DR coordinator. Depends on L0
//! `arkhe-kernel` plus L1 `arkhe-forge-core` only — no upward edge
//! into shell crates (layer-independence directive).
//!
//! # Feature flags
//!
//! | Flag                       | Pulls in | Role |
//! | :------------------------- | :------- | :--- |
//! | *(none — default)*         | —        | Tier-0 dev: `MockKmsBackend` + in-memory crypto-erasure + `NoopHookHost` + `NoopObserverHost`. |
//! | `tier-1-kms`               | `argon2`, `chacha20poly1305` | Tier-1 KMS free-tier — `XChaCha20-Poly1305` AEAD. |
//! | `tier-2-multi-kms`         | `tier-1-kms` + `aes-gcm` + `aes-gcm-siv` | Tier-2 production AEAD surface (implies `tier-1-kms`). |
//! | `tier-2-aws-kms`           | `aws-sdk-kms`, `aws-config`, `tokio` | Orthogonal AWS KMS backend opt-in — `AwsKmsBackend` impl of [`hf2_kms::KmsBackend`]. |
//! | `tier-2-hook-host-v2`      | `wasmtime`, `wasmtime-wasi` | Hook host v2 wasmtime sandbox — chain-affecting compute path (E14.L2-Allow). |
//! | `tier-2-observer-host-v2`  | `wasmtime`, `wasmtime-wasi` | Observer host v2 wasmtime sandbox — chain-non-affecting side-effect path (E15). |
//!
//! The L0 kernel WAL chain signing inherits Hybrid Ed25519 + ML-DSA 65
//! transitively via `arkhe-kernel`. Forge L2 attestation surfaces emit
//! Ed25519.
//!
//! Cloud KMS backends are orthogonal to the AEAD tiering — a deployment can
//! run `tier-1-kms` AEAD with `tier-2-aws-kms` key storage, or any other
//! mix. GCP / Azure backends land as their own `tier-2-<vendor>-kms` flags
//! in future releases. The two wasmtime hosts (`tier-2-hook-host-v2` /
//! `tier-2-observer-host-v2`) are independent — a deployment may enable
//! just one, the other, or both; Cargo dedups the shared `wasmtime` dep.

// `unsafe_code` is `deny` (not `forbid`) because `process_protection` must call
// platform FFI (mlockall / prctl / setrlimit / ptrace / VirtualLock / ...) —
// every other module keeps the safe-only invariant through the crate-wide deny
// plus the `#[deny(unsafe_code)]` attribute inherited below. The per-target
// FFI files opt in with a scoped `#![allow(unsafe_code)]` and document each
// `unsafe` block with SAFETY notes.
#![deny(unsafe_code)]
#![warn(missing_docs)]

pub mod crypto;
pub mod crypto_erasure;
pub mod dedup;
pub mod dispatcher;
pub mod hf2_kms;
pub mod hook_host;
pub mod manifest;
pub mod observer_host;
pub mod process_protection;
pub mod projection;
pub mod verifier;
pub mod wal_export;

// Shared wasmtime-sandbox helpers — used by `hook_host/` and
// `observer_host/`. Compiled only when at least one wasmtime feature is
// enabled. `pub(crate)` visibility — sandbox-implementation detail.
#[cfg(any(feature = "tier-2-hook-host-v2", feature = "tier-2-observer-host-v2"))]
pub(crate) mod wasm_runtime_common;

/// ArkheForge Runtime Platform semver — matches the repo release.
pub const PLATFORM_SEMVER: (u16, u16, u16) = (0, 13, 0);
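The comment above `#![deny(unsafe_code)]` explains why the crate uses `deny` rather than `forbid`: `forbid` cannot be overridden, so a crate-wide `forbid` would leave no way for `process_protection` to reach the platform FFI at all, while `deny` lets that one module opt back in with a scoped `#![allow(unsafe_code)]` and keeps every sibling module safe-only. The following is an added, self-contained illustration of that lint-scoping pattern; it is not code from the ArkheForge project. The outer module `platform` stands in for the crate root, `process_protection` for the one FFI module, and the `getpid` declaration is an assumed stand-in for the `mlockall` / `prctl` / `setrlimit` calls the real module makes (it assumes a Unix libc is linked, which Rust's standard library already does):

```rust
// Added example (not part of arkhe-forge-platform): crate-wide
// `deny(unsafe_code)` with a single scoped `allow` for the FFI module.

/// Stand-in for the crate root. `deny` (not `forbid`) is what makes the
/// scoped `allow` in `process_protection` legal; with `forbid` the
/// compiler would reject that `allow` outright.
#[deny(unsafe_code)]
pub mod platform {
    /// Every sibling of `process_protection` inherits the deny: an
    /// `unsafe { ... }` block here would be a compile error, so the
    /// safe-only invariant is enforced by the compiler, not by review.
    pub mod dedup {
        /// Purely safe helper, present only to show the inherited lint level.
        pub fn is_duplicate(seen: &[u64], id: u64) -> bool {
            seen.contains(&id)
        }
    }

    /// The one module that must cross the FFI boundary.
    pub mod process_protection {
        // Scoped opt-in: overrides the outer `deny` for this module only.
        #![allow(unsafe_code)]

        // Assumed stand-in for the platform calls: `getpid` resolves from
        // the libc that std already links on Unix, so no extra crate is
        // needed. Declared `unsafe extern` (stable since Rust 1.82).
        unsafe extern "C" {
            fn getpid() -> i32;
        }

        /// Safe wrapper around the only `unsafe` block in the tree, with the
        /// SAFETY note the real crate requires for each such block.
        pub fn current_pid() -> i32 {
            // SAFETY: `getpid` takes no arguments, cannot fail, and only
            // reads process state; no pointers or buffers cross the boundary.
            unsafe { getpid() }
        }
    }
}

fn main() {
    println!("pid = {}", platform::process_protection::current_pid());
    println!("dup = {}", platform::dedup::is_duplicate(&[1, 2, 3], 2));
}
```

Moving the `#![allow(unsafe_code)]` out of `process_protection` and placing an `unsafe` block in `dedup` instead is the quickest way to see the mechanism work: the build fails with the `unsafe_code` lint, which is exactly the property the crate-wide `deny` is meant to guarantee for every module other than the FFI one.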