The single shared, fail-closed bundle loader (load + WorkbookBundle +
BundleLoadError) — the ONLY parse+integrity-verify path for any
BundleSource (WBSV-08).
The single shared, fail-closed [load] bundle verifier (Phase 92, Plan 01 —
WBSV-08, threats T-92-01/02/04/22).
Every crate::bundle_source::BundleSource (local-dir or embedded) is parsed
and integrity-checked HERE and ONLY here, so no source impl can skip the gate
(the trait returns raw bytes only — threat T-92-03). [load]:
- enforces a FAIL-CLOSED membership allow-set — any unexpected/extra member is rejected with BundleLoadError::UnexpectedMember BEFORE parsing (frozen-bundle contract, threat T-92-22);
- recomputes the evidence-dir hash (path+length-prefixed, SORTED) via the runtime’s own shared crate::artifact_model::fold_evidence_hash;
- recomputes the per-artifact + combined BUNDLE.lock hashes via the runtime’s own crate::artifact_model::build_bundle_lock (it does NOT re-implement hashing), and fails closed on any mismatch (BundleLoadError::IntegrityMismatch, threat T-92-01);
- cross-checks the lock’s identity/provenance triple against independently-hash-covered members (BundleLoadError::StampMismatch, threat T-92-02);
- parses every member total + panic-free (BundleLoadError::Parse, threat T-92-04) and builds the per-cell DAG ONCE.
It returns a fully-verified WorkbookBundle.
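The gate order described above (exact membership first, digest comparison second, parsing only afterwards), as an added sketch that is not this crate's code. `ALLOWED`, `Reject`, `fold`, `verify` and `sample` are hypothetical names, FNV-1a is a non-cryptographic stand-in for the real digest so the block needs only `std`, and length-prefixing both path and body is an assumption about the framing.

```rust
use std::collections::BTreeMap;

// Hypothetical allow-set for this sketch (not the crate's ALLOWED_MEMBERS).
const ALLOWED: [&str; 2] = ["cells.json", "layout.json"];

#[derive(Debug, PartialEq)]
enum Reject { Unexpected(String), Missing(String), Integrity }

// FNV-1a 64-bit: NON-cryptographic stand-in for the real digest.
fn fnv1a(state: u64, data: &[u8]) -> u64 {
    data.iter().fold(state, |h, b| (h ^ *b as u64).wrapping_mul(0x0000_0100_0000_01b3))
}

// Fold in sorted path order (BTreeMap iterates sorted). Each path and body is
// length-prefixed so ("ab","c") and ("a","bc") feed different byte streams.
fn fold(members: &BTreeMap<String, Vec<u8>>) -> u64 {
    let mut h = 0xcbf2_9ce4_8422_2325u64;
    for (path, body) in members {
        for part in [path.as_bytes(), body.as_slice()] {
            h = fnv1a(h, &(part.len() as u64).to_le_bytes());
            h = fnv1a(h, part);
        }
    }
    h
}

// Membership is checked before any digest work; parsing would come only after Ok.
fn verify(members: &BTreeMap<String, Vec<u8>>, locked: u64) -> Result<(), Reject> {
    if let Some(extra) = members.keys().find(|k| !ALLOWED.contains(&k.as_str())) {
        return Err(Reject::Unexpected(extra.clone()));
    }
    if let Some(gone) = ALLOWED.iter().find(|m| !members.contains_key(**m)) {
        return Err(Reject::Missing(gone.to_string()));
    }
    if fold(members) != locked { return Err(Reject::Integrity); }
    Ok(())
}

// Constructed sample bundle (member bodies are placeholders).
fn sample() -> BTreeMap<String, Vec<u8>> {
    BTreeMap::from([
        ("cells.json".to_string(), b"{}".to_vec()),
        ("layout.json".to_string(), b"[]".to_vec()),
    ])
}

fn main() {
    let good = sample();
    println!("{:?}", verify(&good, fold(&good)));
}
```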
Structs§
- WorkbookBundle - The fully-parsed, integrity-verified bundle the served tools operate on.
Enums§
- BundleLoadError - Errors load surfaces — every one is fail-closed (the bundle is rejected, the server never boots on a tampered/malformed bundle).
Constants§
- ALLOWED_MEMBERS - The FROZEN member allow-set (threat T-92-22): the bundle MUST contain exactly these members — any member outside this set fails closed BEFORE parsing.
- EVIDENCE_FOLD_MEMBERS - The members folded into the evidence-dir hash — the evidence members PLUS cell_map.json + layout.json, matching the emitter’s fold (Pitfall 2: the generator and loader MUST fold the identical set). Declared in SORTED relative-path order (asserted by test) so the fold iterates it directly.
- MEMBER_CELL_MAP - The bundle member holding the I/O cell map.
- MEMBER_CHANGELOG - The bundle member holding the recorded version changelog.
- MEMBER_IR - The bundle member holding the executable IR (a HashMap<String, Cell>).
- MEMBER_LAYOUT - The bundle member holding the captured layout descriptor.
- MEMBER_LOCK - The bundle member holding the integrity lock.
- MEMBER_MANIFEST - The bundle member holding the logical manifest.
- MEMBER_PARSER_EQUIV - The bundle member holding the parser-equivalence evidence record.
Functions§
- load - Load + fail-closed integrity-verify a bundle from any BundleSource.