Module load 

The fail-closed load gate — admit a .prx only after re-deriving its root and checking it against the trusted root.

This is the runtime’s verify-before-interpret kernel primitive. The runtime never trusts a self-asserted identity: it decodes the bytes, re-derives the archive’s Merkle root from the content it is about to admit, and accepts the archive only if that root equals the externally-trusted root (the pin a peer or the lock supplies). A tampered, stale, or mis-addressed archive is refused, not loaded.

The loaded Archive is the OPEN form — generators + relations + connections as data, the free-category presentation. Rebinding it into the closed-world compiled Category (via FreeExtension, driven by each connection’s action-on-generators) is the next layer.

Enums

LoadError

Why a .prx failed to load.

Functions

emit

Emit an Archive to its canonical .prx bytes (DAG-CBOR). The archive’s identity is its Archive::root, derived from the content — NOT these bytes — so the gate re-derives the root on load rather than hashing the wire.

load

Load a .prx archive from its canonical bytes, FAIL-CLOSED against trusted_root: decode, re-derive the Merkle root, and admit the archive only if it matches. The trusted root comes from OUTSIDE the bytes (a peer’s claim, a lock pin) — that is what makes the check meaningful.