Skip to content

feat(resolver): explicit embedder-passthrough recognition (#301 inc 1)#315

Merged
avrabe merged 2 commits into
mainfrom
feat/301-embedder-passthrough
Jun 26, 2026
Merged

feat(resolver): explicit embedder-passthrough recognition (#301 inc 1)#315
avrabe merged 2 commits into
mainfrom
feat/301-embedder-passthrough

Conversation

@avrabe

@avrabe avrabe commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

What

Closes the meld side of #301 inc 1: explicit recognition of embedder-provided passthrough imports in the pulseengine:embedder WIT namespace.

The BYO-OS lean-MCU dissolve pipeline (gale#89) routes cabi_realloc to an embedder-provided seam (e.g. pulseengine:embedder/arena's __cabi_arena_realloc), satisfied downstream at native link / synth dissolve — never by a component in the fusion set.

Per avrabe's meld-side answer on #301: core-module passthrough already worked, but only incidentally (the fusion resolver runs allow_unresolved: true). A future strict/aggressive resolver could silently drop or reject these seams, and a bare cabi-arena-realloc magic-name contract is collision-prone and invisible to review. This makes the passthrough explicit — same "explicit, not auto" stance that settled #300.

Changes

  • EMBEDDER_PASSTHROUGH_NAMESPACE (pulseengine:embedder) + is_embedder_passthrough(): matches by package namespace, version-tolerant, no prefix false-positives (embedderx/embed rejected).
  • resolve_component_imports_with_hints recognizes such imports as intentional passthrough — never bound to a coincidental provider, exempt from the strict-mode UnresolvedImport error. The two error sites collapse into one with an explicit embedder arm.
  • LS-R-17 (approved): documents the mis-bind (UCA-R-3, H-1/H-3.1) and false-rejection hazards + the namespace-recognition mitigation.

Tests / gates

  • ls_r_17_embedder_passthrough_survives_strict_resolution — strict resolver keeps the embedder import but still errors on a non-embedder unexported import (exemption is namespace-scoped, not over-broad).
  • test_is_embedder_passthrough_recognizes_namespace_only — namespace match incl. version suffixes; rejects look-alikes.
  • test_298_fork_arena_realloc_... now also asserts the retained arena import is recognized by namespace (ties the real fork fixture to the predicate).
  • 443 lib tests pass; rivet validate PASS; LS gate LS-R-17 [OK].

Scope / follow-up

The --output component (P2 wrap) exposure of embedder imports remains a tracked follow-up — needs a wasm-tools component new --import-passthrough-produced fixture (fork-domain, pulseengine/wasm-tools#2).

Refs: #301, gale#89, pulseengine/wasm-tools#2, pulseengine/wit-bindgen#4, pulseengine/synth#418.

🤖 Generated with Claude Code

The BYO-OS lean-MCU dissolve pipeline (gale#89) routes cabi_realloc to an
embedder-provided seam in the pulseengine:embedder WIT namespace (e.g.
pulseengine:embedder/arena's __cabi_arena_realloc), satisfied downstream at
native link / synth dissolve — never by a component in the fusion set.

Core-module passthrough already worked, but only INCIDENTALLY (the fusion
resolver runs allow_unresolved: true). avrabe's meld-side answer on #301 asked
for explicit recognition instead: a future strict/aggressive resolver could
otherwise silently drop or reject these seams, and a bare cabi-arena-realloc
magic-name contract is collision-prone and invisible to review. Same
"explicit, not auto" stance that settled #300.

- Add EMBEDDER_PASSTHROUGH_NAMESPACE (pulseengine:embedder) +
  is_embedder_passthrough(): matches by package namespace, version-tolerant,
  with no prefix false-positives (embedderx / embed rejected).
- resolve_component_imports_with_hints recognizes such imports as intentional
  passthrough — never bound to a coincidental provider, exempt from the
  strict-mode UnresolvedImport error. The two error sites collapse into one
  with an explicit embedder arm.
- LS-R-17 (approved) documents the mis-bind (UCA-R-3, H-1/H-3.1) and
  false-rejection hazards and the namespace-recognition mitigation.

Tests: ls_r_17_embedder_passthrough_survives_strict_resolution (strict resolver
keeps the embedder import but still errors on a non-embedder unexported import —
exemption is namespace-scoped), test_is_embedder_passthrough_recognizes_namespace_only,
and test_298_fork_arena_realloc... now asserts the retained arena import is
recognized by namespace. 443 lib tests pass; rivet PASS; LS gate LS-R-17 [OK].

The --output component (P2 wrap) exposure of embedder imports remains a tracked
follow-up (needs a wasm-tools component new --import-passthrough fixture).

Refs: #301, gale#89, pulseengine/wasm-tools#2, pulseengine/wit-bindgen#4, synth#418.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

Mythos delta-pass required

This PR modifies one or more Tier-5 source files (per
scripts/mythos/rank.md):

meld-core/src/merger.rs
meld-core/src/resolver.rs

Before merge, run the Mythos discover protocol on the
modified Tier-5 files:

  1. Follow scripts/mythos/discover.md
    — one fresh agent session per touched Tier-5 file.
  2. For each finding, the agent must produce both a Kani
    harness and a failing PoC test (per the protocol's
    "if you cannot produce both, do not report" rule).
  3. Attach a comment on this PR with either the findings
    (formatted per discover.md's output schema) or
    NO FINDINGS.
  4. Add the mythos-pass-done label to this PR.

Why this gate exists: LS-A-10
(CABI alignment padding in async-lift retptr writeback) was
found by the v0.8.0 pre-release Mythos pass — but it had
lived in the callback emitter since #128, across six
releases. A PR-time gate would have caught it at review
time instead of at the release boundary.

The gate check on this PR will pass once the label is
applied.

@github-actions

Copy link
Copy Markdown

LS-N verification gate

58/58 approved LS entries verified

count
Passed (≥1 test, all green) 58
Failed (≥1 test failure) 0
Missing (no ls_*_NN_* test found) 0

Approved loss-scenarios.yaml entries are expected to have a
regression test named ls_<letter>_<num>_* (e.g. LS-A-11
ls_a_11_*). The gate runs each prefix via cargo test --lib --no-fail-fast and aggregates pass/fail/missing.

Failed LS entries

(none)

Missing regression tests

(none)

Updated automatically by tools/post_verification_comment.py.
Source of truth: safety/stpa/loss-scenarios.yaml.

@github-actions

Copy link
Copy Markdown

Mythos delta-pass (auto)

NO FINDINGS across 2 Tier-5 file(s)

File Verdict Hypothesis
`` ✅ NO FINDINGS
`` ✅ NO FINDINGS

Auto-run via anthropics/claude-code-action@v1
(SHA-pinned) on the touched Tier-5 files, using the
maintainer's Max-plan OAuth token. See
.github/workflows/mythos-auto.yml and
scripts/mythos/discover.md.

@github-actions github-actions Bot added the mythos-pass-done Mythos delta-pass completed on Tier-5 file changes; findings (or NO FINDINGS) attached to PR label Jun 26, 2026
@avrabe

avrabe commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

Mythos delta-pass — NO FINDINGS

Per scripts/mythos/HOWTO-gate.md, the Tier-5 discover protocol was run on each touched Tier-5 file (fresh adversarial session, discover.md framing, scoped to this PR's delta).

meld-core/src/resolver.rsNO FINDINGS

The substantive change: EMBEDDER_PASSTHROUGH_NAMESPACE + is_embedder_passthrough, the collapse of the two UnresolvedImport error sites into one computed resolved + an explicit embedder arm, and the strict-mode carve-out. Four adversarial hypotheses, all refuted concretely:

  1. Refactor behavior drift (UCA-R-3) — refuted. Truth table over all four cases (hint-hit, stale-hint→fallback, no-hint-other-export, no-exports) shows the new export_index.get(&import.name).and_then(|exports| hinted.or_else(...)) chain binds identically to the original two-branch logic, including hint precedence. get → None now flows through and_then to the same arms — identical outcome for non-embedder names.
  2. Over-broad recognition / swallowing a satisfiable import (UCA-R-1) — refuted. The bind arm (if let Some(resolved)) runs strictly before the embedder arm, so any real in-set provider still wins; only genuinely-unresolved imports reach the predicate. (A component naming pulseengine:embedder/* to pass strict resolution is the intended fuse: pass through embedder import cabi-arena-realloc instead of trying to satisfy it #301 contract.)
  3. Parsing soundness — refuted by direct execution: pulseengine:embedderx/foo, pulseengine:embed/foo, x/pulseengine:embedder, uppercase, and empty all return false; no cross-namespace false positive.
  4. Downstream / merger interaction — refuted. The component-level path never populated unresolved_imports (only the module-level paths do); the new arm touches neither resolved_imports nor unresolved_imports — exactly the prior non-strict fall-through. Production fusion uses allow_unresolved: true, so the only true behavioral delta is in Resolver::strict(), which has no production caller (test-only) and cannot reach a fused artifact.

meld-core/src/merger.rsNO FINDINGS

This PR's delta to merger.rs is test-only: a single added assertion inside the existing test_298_fork_arena_realloc_fuses_under_shared_rebase_today (asserting the retained arena import is recognized by is_embedder_passthrough). No production logic changed, so the semantic-preservation discover protocol has no new surface.

Adding mythos-pass-done.

@avrabe avrabe added mythos-pass-done Mythos delta-pass completed on Tier-5 file changes; findings (or NO FINDINGS) attached to PR and removed mythos-pass-done Mythos delta-pass completed on Tier-5 file changes; findings (or NO FINDINGS) attached to PR labels Jun 26, 2026
@avrabe avrabe merged commit 10b81ab into main Jun 26, 2026
17 checks passed
@avrabe avrabe deleted the feat/301-embedder-passthrough branch June 26, 2026 19:49
avrabe added a commit that referenced this pull request Jun 26, 2026
…315) (#316)

Downstream-boundary release. Bundles:
- #313 inc 1 (#314): SCPV v3 fusion premises (bounded_memory, closed_world)
  for scry; meld↔scry component-provenance boundary live end-to-end
  (scry v2.0.0 consumer, scry#63).
- #301 inc 1 (#315): explicit pulseengine:embedder passthrough recognition
  for the gale#89 single-address-space MCU lowering (LS-R-17).

Readiness audit green: rivet validate PASS, full meld-core suite passes,
pre-release Mythos delta-pass satisfied by PR-time gates (provenance.rs +
resolver.rs NO FINDINGS, mythos-pass-done; closed_world hardened through 3
findings). Carried gap disclosed in CHANGELOG: fuse --output component still
rejects embedder passthrough (#301 inc 2, fixture-gated).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

mythos-pass-done Mythos delta-pass completed on Tier-5 file changes; findings (or NO FINDINGS) attached to PR

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant