|
7 | 7 |
|
8 | 8 | ### Added |
9 | 9 |
|
| 10 | +- `warp-core` casting a dynamically postured strand to statically shared now returns a semantically precise `PostureObstruction::PostureMismatch` instead of `PostureObstruction::NarrowingRefused`. |
| 11 | +- `warp-core` renamed `ProofEnvelope::verify` to `validate_shape` and updated error variants to `ProofShapeValidationFailed` to accurately reflect shape/input checks rather than full cryptographic proof verification. |
| 12 | +- `warp-core` strand creation now carries explicit `RetentionPosture` through |
| 13 | + `ForkStrandRequest`, `ForkStrandReceipt`, and `Strand`. Session-default and |
| 14 | + debugger fork constructors choose posture policy explicitly, session-default |
| 15 | + work always records `PostureDerivation::SessionDefault`, debugger forks never |
| 16 | + silently become `Shared`, and `StrandRegistry` rejects incoherent retained |
| 17 | + posture such as `Shared` without an admission scope. |
10 | 18 | - `warp-core` import admission receipts now bind local source-shared import |
11 | 19 | admission to an explicit imported artifact identity. A receipt minted for one |
12 | 20 | imported artifact cannot admit another import into a local shared admission |
@@ -545,6 +553,22 @@ Applied, Rejected, Obstructed}` with receipt evidence and typed contract |
545 | 553 |
|
546 | 554 | ### Changed |
547 | 555 |
|
| 556 | +- `warp-core` renamed the generated contract package host API from |
| 557 | + `install_contract_package(...)` to `register_contract_package(...)` so the |
| 558 | + trusted-runtime boundary reads as explicit runtime-owned registration instead |
| 559 | + of process-global installation. |
| 560 | +- `warp-core` sealed braid member lookup now requires authority-bound sealed |
| 561 | + query material, redacts non-public blinding material from debug output, and |
| 562 | + keeps hidden-member commitments stable across parent frontier movement. |
| 563 | +- `warp-core` settlement planning now rejects non-`Shared` strands before |
| 564 | + producing import candidates. Author-only/debugger strand suffixes can remain |
| 565 | + real causal work, but they cannot enter base shared history without an |
| 566 | + explicit shared admission posture. Settlement compare remains local |
| 567 | + revelation/inspection only: it can inspect a locally held strand suffix |
| 568 | + without promoting, planning, admitting, or settling it. |
| 569 | +- `warp-core` settlement plural artifacts and retained braid shells now carry |
| 570 | + the source strand posture instead of hard-coding author-only posture for |
| 571 | + shared settlement records. |
548 | 572 | - Local determinism tooling now fails closed around |
549 | 573 | `scripts/check-warp-core-serialization-boundaries.sh`. The serialization |
550 | 574 | boundary guard is mandatory, runs through `bash` rather than executable mode, |
@@ -617,6 +641,38 @@ Applied, Rejected, Obstructed}` with receipt evidence and typed contract |
617 | 641 |
|
618 | 642 | ### Fixed |
619 | 643 |
|
| 644 | +- `warp-core` evolving braid logs now reject unchecked incremental mutations: |
| 645 | + `Braid::apply` returns typed lifecycle errors, rejects duplicate member |
| 646 | + weaving and mixed revealed/sealed membership, refuses empty-frontier |
| 647 | + settlement finalization, detects member sequence overflow with checked |
| 648 | + arithmetic, rejects empty collapse witnesses, and exposes folded state through |
| 649 | + read-only accessors instead of public mutable fields. Duplicate checks now use |
| 650 | + a deterministic member index instead of scanning the append-ordered frontier. |
| 651 | +- `warp-core` braid-shell digests now bind optional proof-shaped envelopes: |
| 652 | + proof-bearing shells have distinct content identity from proof-less shells, |
| 653 | + mutating proof bytes after assembly is caught by shell validation, and |
| 654 | + `BRAID_SHELL_VERSION` is now `2` for the proof-digest marker shape. |
| 655 | + Shape-only proof envelope admission is limited to replay-trace evidence; |
| 656 | + cryptographic proof kinds require a verifier backend before admission. |
| 657 | +- `warp-core` sealed braid members now require caller-supplied blinding material, |
| 658 | + preserve hidden shared source disclosure in settlement shells, mix a |
| 659 | + settlement-local `MemberBlindingSalt` into hidden settlement member |
| 660 | + commitments, reject mixed revealed/sealed shell member sets, and treat sealed |
| 661 | + member authority as part of duplicate-member identity. |
| 662 | +- `warp-core` retained braid shell queries now distinguish revealed member |
| 663 | + lookup from sealed member lookup: `has_revealed_member_strand` and |
| 664 | + `BraidShellQuery::revealed_member_strand` only match revealed references, |
| 665 | + while `BraidShellMemberQuery` carries blinding material for sealed matches. |
| 666 | +- `warp-core` crate-root braid exports now include `BraidError`, `BraidStatus`, |
| 667 | + and `BraidMemberRef` so external consumers can handle public braid results. |
| 668 | +- `warp-core` shared-strand settlement handles now re-enter the live registry |
| 669 | + path before planning or settling, and crate-internal settlement helpers reject |
| 670 | + stale handles that no longer match registered strand state. `CausalPostureState` |
| 671 | + is sealed to Echo's marker types so external crates cannot add typestate |
| 672 | + implementations outside the runtime posture gate. |
| 673 | +- `warp-wasm` settlement publication now maps non-`Shared` strand admission |
| 674 | + rejection to the stable `INVALID_STRAND` ABI error code instead of |
| 675 | + collapsing the lawful posture denial into `ENGINE_ERROR`. |
620 | 676 | - `echo-file-aperture` now normalizes `HostFileSnapshot` material at the |
621 | 677 | aperture boundary so caller-forged snapshot metadata or fingerprints cannot |
622 | 678 | bind a basis, observation receipt, or materialization verification to bytes |
|
0 commit comments