v0.3.2: foundation 0.5.2 floor — FP_MAX tower generalization (Hasher<64> fix)

Adopts the upstream bugfix in uor-foundation / uor-foundation-sdk 0.5.2.

The bug (foundation 0.5.1): the resolver/pipeline tower was pinned to
`Hasher<FP_MAX = 32>` — the `AxisTuple` blanket impl and every ψ-stage
resolver trait required `FP_MAX = 32` — so a 64-byte-fingerprint hasher
(`Sha512Hasher: Hasher<64>`) could not flow through the pipeline at all.
A downstream project on prism 0.3.1 / foundation 0.5.1 was blocked.

The fix (0.5.2): the tower is generalized over `FP_MAX`. The `AxisTuple`
blanket is `impl<INLINE_BYTES, FP_MAX, H: Hasher<FP_MAX>>`, the resolver
traits take an unbounded `H`, and `run` / `run_route` / `Grounded` /
`PrismModel` / `certify_from_trace` carry `FP_MAX` as a const parameter.

prism adoption:
- Tests thread the new `FP_MAX` const parameter through every
  `run` / `run_route` / `PrismModel` / `Grounded` call site
  (principal_data_path, scaling, large_input_grounding at FP_MAX = 32;
  prism_model.rs witnesses made generic over `const FP_MAX`).
- NEW `tests/wide_hasher_pipeline.rs`: the regression witness — grounds
  a unit through `run` with `Sha512Hasher` at `FP_MAX = 64` (under a
  `HostBounds` declaring `FINGERPRINT_MAX_BYTES = 64`), asserts the
  certificate fingerprint width is the full 64 bytes, and verifies the
  QS-05 replay round-trip. This is the case 0.5.1 rejected.
- AGENTS.md + Cargo.toml: floor 0.5.1 → 0.5.2 with the FP_MAX
  generalization documented; workspace 0.3.1 → 0.3.2; path-dep +
  prism-verify pins → 0.3.2; Cargo.lock refreshed.

No library source change beyond version pins — the fix is in foundation;
prism's adoption is the test-surface FP_MAX threading + the regression
test proving Sha512Hasher flows end-to-end.

NOT tagged: lands on main only; no v0.3.2 tag, so the release workflow
does not fire.

CI green: fmt-check, clippy -D warnings, full test suite (28 binaries,
incl. the Sha512 pipeline regression), wiki-link-check (139 backlinks,
0 broken), rustdoc, no_std x6, publish-dry x6.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: afflom

AGENTS.md

@@ -281,13 +281,24 @@ that contribute the built-in axes and built-in types it re-exports.
   `prism`'s pin on `uor-foundation` may lag the latest published
   version; updates to this repo are demand-driven (a needed surface
   change) rather than calendar-driven.
-- **`uor-foundation`**: `^0.5` (effective floor 0.5.1 — completes the
-  ADR-060 input path: `IntoBindingValue` gains a `'a` lifetime and
-  replaces the `MAX_BYTES` const + `into_binding_bytes` writer with
+- **`uor-foundation`**: `^0.5` (effective floor 0.5.2 — generalizes the
+  resolver/pipeline tower over the fingerprint width `FP_MAX`: the
+  `AxisTuple` blanket impl is now
+  `impl<INLINE_BYTES, FP_MAX, H: Hasher<FP_MAX>>`, the eight ψ-stage
+  resolver traits take an unbounded `H`, and `run` / `run_route` /
+  `Grounded` / `PrismModel` / `certify_from_trace` carry `FP_MAX` as a
+  const parameter (`Hasher<const FP_MAX = 32>`). 0.5.1 had pinned the
+  whole tower to `Hasher<32>`, so a 64-byte-fingerprint hasher
+  (`Sha512Hasher: Hasher<64>`) could not flow through the pipeline at
+  all — fixed in 0.5.2 (regression-tested in
+  `crates/uor-prism/tests/wide_hasher_pipeline.rs`). Earlier floor 0.5.1
+  completed the ADR-060 input path: `IntoBindingValue` gains a `'a`
+  lifetime and replaces the `MAX_BYTES` const + `into_binding_bytes`
+  writer with
   `as_binding_value<INLINE_BYTES>(&self) -> TermValue<'a, INLINE_BYTES>`,
   returning the source-polymorphic carrier directly so `run_route`
   admits arbitrarily large inputs with no byte-width cap;
-  `PrismModel` / `Grounded` / `run_route` gain the same `'a`. Earlier
+  `PrismModel` / `Grounded` / `run_route` gain the `'a`. Earlier
   floor 0.5.0 introduced the ADR-060 source-polymorphic value carrier:
   `TermValue` becomes the const-generic enum
   `TermValue<'a, INLINE_BYTES>` with
@@ -341,14 +352,13 @@ that contribute the built-in axes and built-in types it re-exports.
   `PrimitiveOp::{Le, Lt, Ge, Gt, Concat}` per ADR-026;
   `Output: IntoBindingValue` per ADR-023 value-flow expansion.
   `default-features = false`, `no_std`-clean.
-- **`uor-foundation-sdk`**: `^0.5` (effective floor 0.5.1 — tracks
-  the foundation 0.5.1 release completing the ADR-060 input path; the
+- **`uor-foundation-sdk`**: `^0.5` (effective floor 0.5.2 — tracks
+  the foundation 0.5.2 `FP_MAX` tower generalization; the
   `axis!` / `verb!` / `prism_model!` / `partition_product!` /
   `register_shape!` macro names and grammar are unchanged, but the
-  `verb!`-emitted `<verb>_term_arena()` accessors and the model/route
-  surface are const-generic over the ADR-060 `INLINE_BYTES` carrier
-  width and the `prism_model!`-emitted impls now carry the
-  `IntoBindingValue<'a>` lifetime. Earlier floors: 0.4.15 added the optional
+  `prism_model!`-emitted impls now carry the `FP_MAX` const parameter
+  alongside `INLINE_BYTES` and the `IntoBindingValue<'a>` lifetime
+  (0.5.1). Earlier floors: 0.4.15 added the optional
   `resolver!` macro `shape_registry: MyRegistry` clause that wires an
   application's `ShapeRegistryProvider` marker into the emitted
   `ResolverTuple` impl as the `ShapeRegistry` associated type;

Cargo.lock

@@ -11,7 +11,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.3.1"
+version = "0.3.2"
 edition = "2021"
 rust-version = "1.83"
 license = "MIT"
@@ -24,25 +24,27 @@ readme = "README.md"
 # Per wiki ADR-031, the `prism` standard library and its Layer-3
 # sub-crates close under the foundation substrate (`uor-foundation`) and
 # its SDK macro lane (`uor-foundation-sdk` per ADR-022 / ADR-030 /
-# ADR-036). Both are floored at v0.5 (effective floor 0.5.0 — the
-# ADR-060 source-polymorphic value carrier: `TermValue` becomes the
-# `Inline`/`Borrowed`/`Stream` carrier enum over a `ChunkSource`, the
-# fictional 4096 byte-width caps and the foundation-provided
-# `DefaultHostBounds` are removed, and per-stage carrier widths derive
-# from app-declared structural-count primitives via the foundation
-# `*_carrier_bytes::<B>()` const fns. Wire format byte-identical
-# (`TRACE_REPLAY_FORMAT_VERSION` stays 10); MSRV stays 1.83).
+# ADR-036). Both are floored at v0.5 (effective floor 0.5.2 — the
+# resolver/pipeline tower is generalized over the fingerprint width
+# `FP_MAX` so a 64-byte hasher (`Sha512Hasher: Hasher<64>`) flows
+# through the pipeline; 0.5.1 had pinned it to `Hasher<32>`. Builds on
+# the 0.5.0/0.5.1 ADR-060 source-polymorphic value carrier: `TermValue`
+# is the `Inline`/`Borrowed`/`Stream` enum over a `ChunkSource`, the
+# fictional 4096 byte-width caps and `DefaultHostBounds` are removed,
+# and `IntoBindingValue::as_binding_value` returns the carrier directly.
+# Wire format byte-identical (`TRACE_REPLAY_FORMAT_VERSION` stays 10);
+# MSRV stays 1.83).
 uor-foundation = { version = "0.5", default-features = false }
 uor-foundation-sdk = { version = "0.5", default-features = false }
 
 # Standard-library sub-crate cross-deps per ADR-031's layered
 # consumption pattern (numerics → foundation; crypto → foundation +
 # numerics; tensor → foundation + numerics + optionally crypto; fhe →
 # foundation). The `prism` façade depends on all four.
-uor-prism-numerics = { version = "0.3.1", path = "crates/uor-prism-numerics", default-features = false }
-uor-prism-crypto = { version = "0.3.1", path = "crates/uor-prism-crypto", default-features = false }
-uor-prism-tensor = { version = "0.3.1", path = "crates/uor-prism-tensor", default-features = false }
-uor-prism-fhe = { version = "0.3.1", path = "crates/uor-prism-fhe", default-features = false }
+uor-prism-numerics = { version = "0.3.2", path = "crates/uor-prism-numerics", default-features = false }
+uor-prism-crypto = { version = "0.3.2", path = "crates/uor-prism-crypto", default-features = false }
+uor-prism-tensor = { version = "0.3.2", path = "crates/uor-prism-tensor", default-features = false }
+uor-prism-fhe = { version = "0.3.2", path = "crates/uor-prism-fhe", default-features = false }
 
 # Cryptographic substrate dependencies for `prism-crypto`'s canonical
 # `HashAxis` impls (ADR-031). These are widely-vetted, no_std-clean

Cargo.toml

@@ -17,7 +17,7 @@ keywords = ["prism", "uor", "verify", "replay", "no-std"]
 name = "prism_verify"
 
 [dependencies]
-uor-prism = { version = "0.3.1", path = "../uor-prism", default-features = false }
+uor-prism = { version = "0.3.2", path = "../uor-prism", default-features = false }
 uor-foundation = { workspace = true }
 
 [features]

crates/uor-prism-verify/Cargo.toml

@@ -124,7 +124,7 @@ fn ground_large_input<H: Hasher>(large_input: &[u8]) {
         .validate()
         .expect("unit well-formed for large input");
     let grounded =
-        run::<ConstrainedTypeInput, _, H, CARRIER>(unit).expect("pipeline admits large input");
+        run::<ConstrainedTypeInput, _, H, CARRIER, 32>(unit).expect("pipeline admits large input");
 
     // The grounded fingerprint width equals the hasher's output width.
     assert_eq!(

crates/uor-prism/tests/large_input_grounding.rs

@@ -50,7 +50,8 @@ fn pipeline_run_then_replay_roundtrip() {
 
     // When: `prism::pipeline::run` consumes the unit with the FNV-1a
     // substrate, producing a sealed `Grounded<T>`.
-    let grounded = run::<ConstrainedTypeInput, _, Fnv16, CARRIER>(unit).expect("pipeline admits");
+    let grounded =
+        run::<ConstrainedTypeInput, _, Fnv16, CARRIER, 32>(unit).expect("pipeline admits");
 
     // And: the grounded value's derivation is replayed into a `Trace`
     // at the foundation's default `HostBounds` capacity

crates/uor-prism/tests/principal_data_path.rs

@@ -57,10 +57,10 @@ const CARRIER: usize = uor_foundation::pipeline::carrier_inline_bytes::<TestHost
 // crate fails to compile and the test binary fails to build.
 
 #[allow(dead_code)]
-fn _accepts_prism_model<'a, H, M>()
+fn _accepts_prism_model<'a, H, M, const FP_MAX: usize>()
 where
-    H: Hasher,
-    M: PrismModel<'a, DefaultHostTypes, TestHostBounds, H, CARRIER>,
+    H: Hasher<FP_MAX>,
+    M: PrismModel<'a, DefaultHostTypes, TestHostBounds, H, CARRIER, FP_MAX>,
 {
     // `PrismModel`'s fourth generic `R` defaults to `NullResolverTuple`
     // per ADR-035/036; the 3-param form below uses that default. Foundation
@@ -70,10 +70,10 @@ where
 }
 
 #[allow(dead_code)]
-fn _associated_type_bounds<'a, H, M>()
+fn _associated_type_bounds<'a, H, M, const FP_MAX: usize>()
 where
-    H: Hasher,
-    M: PrismModel<'a, DefaultHostTypes, TestHostBounds, H, CARRIER>,
+    H: Hasher<FP_MAX>,
+    M: PrismModel<'a, DefaultHostTypes, TestHostBounds, H, CARRIER, FP_MAX>,
     // ADR-060: `IntoBindingValue<'a>` now returns a source-polymorphic
     // `TermValue` carrier (Inline/Borrowed/Stream) rather than
     // serializing into a fixed buffer; the `'a` is the borrowed-input
@@ -85,14 +85,14 @@ where
 }
 
 #[allow(dead_code)]
-fn _run_route_signature<'a, H, M, R, C>(
+fn _run_route_signature<'a, H, M, R, C, const FP_MAX: usize>(
     input: M::Input,
     resolvers: &R,
     commitment: &C,
-) -> Result<Grounded<'a, M::Output, CARRIER>, PipelineFailure>
+) -> Result<Grounded<'a, M::Output, CARRIER, FP_MAX>, PipelineFailure>
 where
-    H: Hasher + 'a,
-    M: PrismModel<'a, DefaultHostTypes, TestHostBounds, H, CARRIER, R, C>,
+    H: Hasher<FP_MAX> + 'a,
+    M: PrismModel<'a, DefaultHostTypes, TestHostBounds, H, CARRIER, FP_MAX, R, C>,
     // ADR-035/036: `R: ResolverTuple` is the substrate parameter for
     // the eight categorical-machinery resolvers (Nerve, ChainComplex,
     // HomologyGroup, CochainComplex, CohomologyGroup, Postnikov,
@@ -120,7 +120,7 @@ where
     // `PrismModel::forward` expands to exactly this call with R / C
     // defaulting to `NullResolverTuple` / `EmptyCommitment` when the
     // model declares neither resolver use nor a typed commitment.
-    prism::pipeline::run_route::<DefaultHostTypes, TestHostBounds, H, M, R, C, CARRIER>(
+    prism::pipeline::run_route::<DefaultHostTypes, TestHostBounds, H, M, R, C, CARRIER, FP_MAX>(
         input, resolvers, commitment,
     )
 }

crates/uor-prism/tests/prism_model.rs

@@ -106,7 +106,7 @@ fn assert_roundtrip<H: Hasher>(witt_ceiling: WittLevel) {
         .target_domains(DOMAINS)
         .result_type::<ConstrainedTypeInput>();
     let unit: Validated<_> = builder.validate().expect("unit well-formed");
-    let grounded = run::<ConstrainedTypeInput, _, H, CARRIER>(unit).expect("pipeline admits");
+    let grounded = run::<ConstrainedTypeInput, _, H, CARRIER, 32>(unit).expect("pipeline admits");
 
     // (2) Hasher contract: width recorded on the fingerprint matches the
     // hasher's declared `OUTPUT_BYTES`.
@@ -230,9 +230,10 @@ fn fingerprints_at_different_widths_are_distinguishable() {
             .expect("unit well-formed")
     }
 
-    let g16 = run::<ConstrainedTypeInput, _, Fnv16, CARRIER>(fresh_unit()).expect("admits");
-    let g24 = run::<ConstrainedTypeInput, _, Fnv24, CARRIER>(fresh_unit()).expect("admits");
-    let g32 = run::<ConstrainedTypeInput, _, Sha256Hasher, CARRIER>(fresh_unit()).expect("admits");
+    let g16 = run::<ConstrainedTypeInput, _, Fnv16, CARRIER, 32>(fresh_unit()).expect("admits");
+    let g24 = run::<ConstrainedTypeInput, _, Fnv24, CARRIER, 32>(fresh_unit()).expect("admits");
+    let g32 =
+        run::<ConstrainedTypeInput, _, Sha256Hasher, CARRIER, 32>(fresh_unit()).expect("admits");
 
     let f16 = g16.content_fingerprint();
     let f24 = g24.content_fingerprint();

crates/uor-prism/tests/scaling.rs

@@ -0,0 +1,104 @@
+//! Regression: a 64-byte-fingerprint hasher (`Sha512Hasher`, i.e.
+//! `Hasher<64>`) must flow through the principal data path.
+//!
+//! Foundation 0.5.1 pinned the entire resolver/pipeline tower to
+//! `Hasher<FP_MAX = 32>` — the `AxisTuple` blanket impl and every ψ-stage
+//! resolver trait required `FP_MAX = 32`, so `Sha512Hasher`
+//! (`Hasher<64>`) could not be selected as the substrate hasher at all;
+//! a downstream project pinned to prism 0.3.1 / foundation 0.5.1 was
+//! blocked. Foundation 0.5.2 generalized the tower: the `AxisTuple`
+//! blanket is `impl<INLINE_BYTES, FP_MAX, H: Hasher<FP_MAX>>`, the
+//! resolver traits take an unbounded `H`, and `run` / `run_route` /
+//! `Grounded` / `PrismModel` carry `FP_MAX` as a const parameter.
+//!
+//! This test grounds a unit through `run` with `Sha512Hasher` at
+//! `FP_MAX = 64`, asserts the certificate's fingerprint width is the
+//! full 64 bytes, and verifies the QS-05 replay round-trip — the
+//! conformance witness that a wide hasher flows end-to-end.
+
+#![allow(clippy::unwrap_used, clippy::expect_used)]
+
+use prism::crypto::Sha512Hasher;
+use prism::operation::Term;
+use prism::pipeline::run;
+use prism::replay::certify_from_trace;
+use prism::seal::Validated;
+use prism::std_types::ConstrainedTypeInput;
+use prism::vocabulary::{CompileUnitBuilder, Hasher, HostBounds, VerificationDomain, WittLevel};
+
+/// An application `HostBounds` whose `FINGERPRINT_MAX_BYTES` is 64,
+/// admitting a 64-byte (SHA-512-class) fingerprint. Per ADR-060 the
+/// foundation ships no default bounds; this is the test's declaration.
+/// Values match the canonical profile except the doubled fingerprint
+/// ceiling.
+struct Bounds64;
+impl HostBounds for Bounds64 {
+    const FINGERPRINT_MIN_BYTES: usize = 32;
+    const FINGERPRINT_MAX_BYTES: usize = 64;
+    const TRACE_MAX_EVENTS: usize = 256;
+    const WITT_LEVEL_MAX_BITS: u32 = 64;
+    const FOLD_UNROLL_THRESHOLD: usize = 8;
+    const BETTI_DIMENSION_MAX: usize = 8;
+    const NERVE_CONSTRAINTS_MAX: usize = 8;
+    const NERVE_SITES_MAX: usize = 8;
+    const JACOBIAN_SITES_MAX: usize = 8;
+    const RECURSION_TRACE_DEPTH_MAX: usize = 16;
+    const OP_CHAIN_DEPTH_MAX: usize = 8;
+    const AFFINE_COEFFS_MAX: usize = 8;
+    const CONJUNCTION_TERMS_MAX: usize = 8;
+    const UNFOLD_ITERATIONS_MAX: usize = 256;
+}
+
+// The inline carrier width derived from the 64-byte-fingerprint bounds,
+// and the matching `FP_MAX`.
+const CARRIER: usize = uor_foundation::pipeline::carrier_inline_bytes::<Bounds64>();
+const FP_MAX: usize = 64;
+
+const ROOT_TERMS: &[Term<'static, CARRIER>] = &[Term::Literal {
+    value: prism::operation::TermValue::from_u64_be(7, 1),
+    level: WittLevel::W8,
+}];
+static DOMAINS: &[VerificationDomain] = &[VerificationDomain::Enumerative];
+
+#[test]
+fn sha512_hasher_flows_through_the_pipeline() {
+    // `Sha512Hasher: Hasher<64>` — the case foundation 0.5.1 rejected.
+    let unit: Validated<_> = CompileUnitBuilder::new()
+        .root_term(ROOT_TERMS)
+        .witt_level_ceiling(WittLevel::W32)
+        .thermodynamic_budget(2048)
+        .target_domains(DOMAINS)
+        .result_type::<ConstrainedTypeInput>()
+        .validate()
+        .expect("unit well-formed");
+
+    let grounded = run::<ConstrainedTypeInput, _, Sha512Hasher, CARRIER, FP_MAX>(unit)
+        .expect("pipeline admits a 64-byte-fingerprint hasher (0.5.2 fix)");
+
+    // The full SHA-512 width flows into the certificate fingerprint —
+    // not truncated to the old FP_MAX = 32 ceiling.
+    assert_eq!(
+        usize::from(grounded.content_fingerprint().width_bytes()),
+        <Sha512Hasher as Hasher<64>>::OUTPUT_BYTES,
+        "fingerprint width must equal Sha512Hasher::OUTPUT_BYTES (64)",
+    );
+    assert_eq!(
+        usize::from(grounded.content_fingerprint().width_bytes()),
+        64
+    );
+
+    // QS-05 replay round-trip holds for the wide hasher. `replay`'s
+    // `TR_MAX` is the trace-buffer bound (the bounds' `TRACE_MAX_EVENTS`);
+    // its `FP_MAX = 64` flows from the `Derivation`, so
+    // `certify_from_trace` re-derives a `ContentFingerprint<64>`.
+    let trace = grounded
+        .derivation()
+        .replay::<{ <Bounds64 as HostBounds>::TRACE_MAX_EVENTS }>();
+    assert!(usize::from(trace.len()) <= <Bounds64 as HostBounds>::TRACE_MAX_EVENTS);
+    let recertified = certify_from_trace(&trace).expect("trace well-formed");
+    assert_eq!(
+        recertified.certificate().content_fingerprint(),
+        grounded.content_fingerprint(),
+        "QS-05: re-certified fingerprint must equal source for a 64-byte hasher",
+    );
+}