dsfb-densor-runtime 0.1.0

A thin, deterministic execution-substrate skeleton for DSFB densor pipelines: load manifest -> validate authority hashes -> execute stages -> seal evidence -> emit receipts. Carries no domain or cross-domain claims.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245

//! `dsfb-densor-runtime` — a thin, deterministic execution-substrate skeleton for DSFB densor pipelines.
//!
//! Its only job is to standardise how DSFB evidence objects ("densors") are **loaded, validated against frozen
//! authority hashes, executed stage by stage, sealed, and reported** — so future DSFB work shares one disciplined
//! spine instead of re-implementing it. The flow is exactly:
//!
//! ```text
//! load manifest  ->  validate authority hashes  ->  execute stages  ->  seal evidence  ->  emit receipt
//! ```
//!
//! **Discipline (the substrate is deliberately small and strict):**
//! - no network, no hidden downloads, no filesystem side effects in the core;
//! - no probabilistic runtime behaviour — every output is a pure function of the inputs;
//! - no authority mutation during execution (authorities are a frozen allow-list);
//! - **no claim without an authority hash** — a stage that declares no authority is refused.
//!
//! **Non-claim.** This crate is a *mechanism*, not an authority. It carries **no chemical-engineering content and
//! makes no cross-domain claims** — the meaning of any pipeline lives entirely in the authorities a run cites and
//! in the domain crate that defines the stages (e.g. `dsfb-chemical-engineering-edge`). The runtime only attests
//! *which stages ran over which densors against which frozen authorities, sealing to which digest*.
//!
//! See [`runtime::Runtime`] for the spine, [`receipt::RuntimeReceiptV1`] for the sealed output, and the worked
//! `tests` below for a complete two-stage example (with determinism + tamper + authority-gate coverage).

#![forbid(unsafe_code)]

pub mod authority;
pub mod densor;
pub mod errors;
pub mod index;
pub mod manifest;
pub mod receipt;
pub mod runtime;
pub mod seal;
pub mod stage;

pub use authority::AuthorityHash;
pub use densor::{Densor, DensorKind};
pub use errors::{DensorError, RuntimeError};
pub use index::RuntimeIndex;
pub use manifest::{DensorEntry, DensorManifest};
pub use receipt::RuntimeReceiptV1;
pub use runtime::Runtime;
pub use stage::{RuntimeStage, StageReceipt};

#[cfg(test)]
mod tests {
    use super::*;
    use crate::seal::{sha256, CanonicalHasher};

    // ── A worked two-stage example pipeline over a residual-like Vec<i64> ──────────────────────────────
    // Stage A scales the input by a fixed factor (a "scale policy"); Stage B counts entries beyond a band
    // (an "envelope"). Both are pure + deterministic, each bound to one frozen authority. This is illustrative
    // only — it carries no chemical meaning; it exercises the substrate's load/validate/execute/seal/emit spine.

    fn scale_authority() -> AuthorityHash {
        AuthorityHash::new("scale_policy_v1", sha256(b"scale=1000000"))
    }
    fn envelope_authority() -> AuthorityHash {
        AuthorityHash::new("envelope_v1", sha256(b"abs_band=3"))
    }

    fn hash_i64s(label: &str, xs: &[i64]) -> [u8; 32] {
        let mut h = CanonicalHasher::new();
        h.field("schema", label.as_bytes());
        for x in xs {
            h.u64("x", *x as u64);
        }
        h.finalize()
    }

    struct ScaleStage {
        factor: i64,
        authorities: Vec<AuthorityHash>,
    }
    impl RuntimeStage<Vec<i64>, Vec<i64>> for ScaleStage {
        fn stage_id(&self) -> &str {
            "scale"
        }
        fn authority_hashes(&self) -> &[AuthorityHash] {
            &self.authorities
        }
        fn execute(&self, input: Vec<i64>) -> Result<StageReceipt<Vec<i64>>, RuntimeError> {
            let input_hash = hash_i64s("scale.in", &input);
            let output: Vec<i64> = input
                .iter()
                .map(|x| x.saturating_mul(self.factor))
                .collect();
            let output_hash = hash_i64s("scale.out", &output);
            Ok(StageReceipt {
                stage_id: self.stage_id().to_string(),
                input_hash,
                output_hash,
                authority_hashes: self.authorities.clone(),
                output,
            })
        }
    }

    struct CountBeyondStage {
        band: i64,
        authorities: Vec<AuthorityHash>,
    }
    impl RuntimeStage<Vec<i64>, usize> for CountBeyondStage {
        fn stage_id(&self) -> &str {
            "count_beyond"
        }
        fn authority_hashes(&self) -> &[AuthorityHash] {
            &self.authorities
        }
        fn execute(&self, input: Vec<i64>) -> Result<StageReceipt<usize>, RuntimeError> {
            let input_hash = hash_i64s("count.in", &input);
            let output = input
                .iter()
                .filter(|x| x.unsigned_abs() as i64 > self.band)
                .count();
            let mut h = CanonicalHasher::new();
            h.u64("count", output as u64);
            Ok(StageReceipt {
                stage_id: self.stage_id().to_string(),
                input_hash,
                output_hash: h.finalize(),
                authority_hashes: self.authorities.clone(),
                output,
            })
        }
    }

    fn manifest() -> DensorManifest {
        DensorManifest {
            pipeline_id: "example_residual_pipeline".into(),
            densors: vec![DensorEntry {
                id: "residual_vec".into(),
                kind: DensorKind::Residual,
                evidence_hash: sha256(b"residual_vec"),
            }],
            authorities: vec![scale_authority(), envelope_authority()],
        }
    }

    fn run_example() -> RuntimeReceiptV1 {
        let m = manifest();
        let mut rt = Runtime::start(&m).unwrap();
        let scaled = rt
            .run_stage(
                &ScaleStage {
                    factor: 2,
                    authorities: vec![scale_authority()],
                },
                vec![1, -5, 2],
            )
            .unwrap();
        let _count = rt
            .run_stage(
                &CountBeyondStage {
                    band: 3,
                    authorities: vec![envelope_authority()],
                },
                scaled,
            )
            .unwrap();
        rt.seal()
    }

    #[test]
    fn pipeline_runs_seals_and_is_deterministic() {
        let a = run_example();
        let b = run_example();
        assert_eq!(
            a.receipt_hash, b.receipt_hash,
            "the sealed run receipt must be deterministic"
        );
        assert_eq!(a.receipt_hash.len(), 64);
        assert_eq!(a.stages.len(), 2);
        assert!(
            a.verify(&manifest()),
            "the receipt must self-verify against its manifest"
        );
    }

    #[test]
    fn tampering_a_stage_breaks_the_seal() {
        let mut r = run_example();
        // Forge a different output hash on the first stage → the seal must no longer verify.
        r.stages[0].output_hash = sha256(b"forged");
        assert!(
            !r.verify(&manifest()),
            "a tampered stage summary must fail verification"
        );
    }

    #[test]
    fn stage_without_authority_is_refused() {
        // No claim without an authority anchor: a stage declaring no authorities is rejected by the gate.
        let m = manifest();
        let mut rt = Runtime::start(&m).unwrap();
        let err = rt
            .run_stage(
                &ScaleStage {
                    factor: 2,
                    authorities: vec![],
                },
                vec![1, 2],
            )
            .unwrap_err();
        assert!(matches!(err, RuntimeError::MissingAuthority { .. }));
    }

    #[test]
    fn stage_citing_an_unpinned_authority_is_refused() {
        // A stage may only cite authorities the manifest froze; an unknown authority is rejected.
        let m = manifest();
        let mut rt = Runtime::start(&m).unwrap();
        let rogue = AuthorityHash::new("rogue_v1", sha256(b"not-in-manifest"));
        let err = rt
            .run_stage(
                &ScaleStage {
                    factor: 2,
                    authorities: vec![rogue],
                },
                vec![1, 2],
            )
            .unwrap_err();
        assert!(matches!(err, RuntimeError::AuthorityMismatch { .. }));
    }

    #[test]
    fn empty_pipeline_id_manifest_is_invalid() {
        let mut m = manifest();
        m.pipeline_id = "  ".into();
        assert!(matches!(
            Runtime::start(&m),
            Err(RuntimeError::ManifestInvalid(_))
        ));
    }

    #[test]
    fn runtime_index_summarises_the_run() {
        let r = run_example();
        let idx = RuntimeIndex::of(&r);
        assert_eq!(idx.stage_ids, vec!["scale", "count_beyond"]);
        assert_eq!(idx.authorities, vec!["envelope_v1", "scale_policy_v1"]); // sorted, de-duped
        assert!(idx.summary_line().contains("example_residual_pipeline"));
    }
}