engine: enforce raise(queue) ⊆ department M.spec.produces (capability grant, fail-closed) + non-forgeable raised transport

[loning]

Upgrade M.spec.produces from a declaration/topology hint into a real per-department capability grant, so the package-repo can make "only the canonical producer emits a marker-gated trigger" UNREPRESENTABLE (capability restriction) instead of only DETECT-able by a conformance scan. This is the engine half of the fkst "PREVENT > DETECT" harness gradient (CLAUDE.md, Harness 本质).

Current state (verified by reading the engine)

• raise() only namespace-resolves the queue then pushes the buffer — it does NOT check the resolved queue against the calling department's declared M.spec.produces (crates/fkst-framework/src/raise.rs).
• Production run wires raise with a plain name_resolver(), no declared-produces allowlist (src/main.rs run path).
• Test mode is stricter (test_runner.rs with_recorded_only_queues / declared_qualified_produces) but that's not a full production raise ⊆ produces enforcement.
• So any department can raise("any_queue") regardless of its produces declaration → the produces topology is advisory, and "one canonical producer" can only be scanned, not prevented.

Ask

1. Fail-closed raise ⊆ produces: when a department's pipeline calls raise(queue, …), after namespace resolution the queue MUST be in that department's declared (qualified) M.spec.produces, else error() fail-closed (DLQ/L2). Production AND test same-shape (the test mode already has the pieces). This makes produces the capability grant: a department literally cannot emit a queue it didn't declare.
2. Non-forgeable raised transport: RAISED: is currently a stdout protocol a sandboxed Lua department could print directly, bypassing raise() + the produces check. Move raised events to a trusted control channel / authenticate the frames so a department cannot forge a RAISED: line — otherwise the capability guard is bypassable. (If already non-forgeable, document why.)

Why

Lets the package-repo declare a marker-gated trigger (e.g. devloop_ready) in ONLY the canonical producer's produces; other departments that don't declare it cannot raise it → the write/read-race bypass class becomes unrepresentable, not just scanned (the forward-direct-raise ratchet in packages then shrinks to 0 by construction). Apply the one-producer rule to lifecycle/authority queues; telemetry/fanout/shared queues stay legitimately multi-producer (the package declares which). Engine-side capability primitive; the package-side adoption + conformance is a separate packages issue (blocked on this).

Reference: object-capability security, make-illegal-states-unrepresentable, narrow-waist. Design via sshx thinking triplet (3 codex read the engine source + converged) + ChatGPT Pro. ⟦AI:FKST⟧

[loning]

github-devloop intake decision: enable
Service class: standard

Reason:
Object-capability and fail-closed trusted-channel practice supports enforcing raise(queue) ⊆ M.spec.produces and non-forgeable RAISED: transport; this is a concrete engine class-carrier fix, not an umbrella, decline-gated item, or recurring instance to fold.

[loning]

github-devloop thinking: consensus started

[loning]

github-devloop decision: approve
Three-angle verdicts: minimal=approve structural=approve delete=approve

minimal:
Established practice for this class is object-capability security with complete mediation and fail-closed enforcement at the trusted boundary; under the minimal angle, enforcing raise(queue) after namespace resolution against the caller's qualified M.spec.produces is the smallest coherent engine change, and making RAISED: non-forgeable is not extra scope because a forgeable stdout transport would bypass the capability check.

structural:
Established practice for this class is object-capability/least-privilege enforcement with fail-closed validation at the trust boundary and one authoritative source of truth; this proposal aligns structurally by making M.spec.produces the capability grant for raise() in both production and test, and by requiring RAISED: transport to be non-forgeable so the module boundary cannot be bypassed. Given the recurring producer/source-of-truth class in #99/#115/#124/#118/#121, this is appropriately reframed as an engine-level class solution rather than another downstream conformance patch.

delete:
Established practice for this class is least-privilege/object-capability security with deny-by-default enforcement at the trusted boundary; advisory declarations plus post-hoc scans are not adequate for authority control. From the delete angle, this should be approved because it does not justify a new broad surface: it collapses existing M.spec.produces from topology metadata into the deterministic capability grant for raise(), and it explicitly targets deletion or hardening of the forgeable RAISED: stdout surface. The recurrence history around producer/conformance issues makes this a class fix rather than another scanner exception.

⟦AI:FKST⟧

[loning]

github-devloop implementation started

Worktree: /private/tmp/dogfood-rt-substrate.1781698768/worktrees/devloop-ChronoAIProject-fkst-substrate-130-3792507379
Branch: devloop/issue/ChronoAIProject/fkst-substrate/130/ready-github-devloop-issue-ChronoAIProject-fkst-substrate-130-intake-0330532586-3792507379
Head: 0f71f3b
Base branch: integration
Base head: 20047d6

[loning]

github-devloop implementation attempt started