Module diff 

Capability Change Diffs (CAP-DIFF) for Phase 4B.

This module provides:

• DiffOp - Individual diff operations (add/remove tags, models, tools, etc.)
• CapabilityDiff - Versioned diff message with operations
• DiffEngine - Generate and apply diffs between capability sets

Performance Targets

• Diff generation: < 1µs for typical changes
• Diff application: < 500ns
• Diff size (1 op): < 50 bytes
• Bandwidth savings: > 90% vs full CAP-ANN

Structs

CapabilityDiff

Capability diff message

DiffEngine

Engine for generating and applying capability diffs

Enums

DiffError

Error during diff application

DiffOp

Individual diff operation

DiffSizeError

Error returned by CapabilityDiff::try_to_bytes when the diff would exceed the wire-format caps the receiver enforces.

Constants

MAX_DIFF_BYTES

Maximum byte length for a wire-format CapabilityDiff. Chosen at 64 KiB — generous against real diffs (estimated_size() for a busy capability set with several model and tag changes is well under 4 KiB) while blocking a balloon-DoS vector where a peer ships a 100 MB JSON to make from_slice allocate that much heap.

MAX_DIFF_OPS

Maximum number of operations per CapabilityDiff. A real announcement-driven diff has O(changed-fields) ops (typically well under 50); 1024 is far past that and still bounds the cost of apply to a constant rather than O(peer-controlled). Chosen so a fully-packed op-flood payload (each op is the smallest JSON encoding, e.g. {"AddTag":"t0"}) stays well under MAX_DIFF_BYTES, keeping both caps coherent: byte cap guards heap during parsing, op cap guards CPU during apply.