feat(runtime): Stage 10 TrustProvider consumer + LocalEmbedded baseline

Lands the capability/evidence/appraisal surface doc 14 defines and
wires it into vm_stub_entry so registry entries with a non-zero
provider_requirement_hash now run the full evaluate_policy_requirement
gate instead of the interim zero-hash short-circuit installed during
Stage 8.

Provider surface (runtime/include/provider.hpp)
  - TrustProvider abstract interface with get_capabilities() /
    attest_runtime() / bind_artifact() entry points per doc 14 §3.
  - CapabilityStatement, ProviderEvidence, PolicyRequirement,
    ProviderResult, VerifiedArtifactContext structs carry exactly the
    fields doc 14 §4–§7 pin; no "tier" / "provider-class string"
    leaks into the public surface.
  - ProviderError enum is limited to the 5 public codes doc 14 §9.1
    authorises so tier / family / provider identity cannot reach
    unauthenticated callers.

Baseline provider (runtime/src/provider/local_embedded.cpp)
  - LocalEmbeddedProvider declares ProviderClass::LocalEmbedded,
    hardware_bound=false, non_exportable_key=false, freshness=None,
    attestation=None, recovery=self-service, supported_policy_floors=
    {Debug, Standard}. Producers that require highsec / hardware /
    remote-attestation are rejected by evaluate_policy_requirement()
    before any evidence exchange.
  - appraise() implements doc 14 §11's evidence-binding rule:
    evidence.package_binding_record_hash /
    resolved_profile_table_hash / policy_requirement_hash must match
    the VerifiedArtifactContext the gate verified independently.
    Evidence claiming a provider class different from the
    capability's class is rejected so a local_embedded instance
    cannot masquerade as local_tpm (doc 10 §4).
  - PolicyRequirement canonicalises to a fixed little-endian layout
    and hashes under VMPilot::DomainLabels::Hash::PolicyRequirement.
    The hash is what RuntimeSpecializationRegistry.entries[].provider
    _requirement_hash commits to, so the runtime reconstructs the
    requirement from UBR + registry context at dispatch time and
    rejects any divergence from the registry-committed hash.

vm_stub_entry integration
  - non-zero provider_requirement_hash now:
      · derives PolicyRequirement from UBR.requested_policy_id +
        family_id,
      · checks derived hash == entry.provider_requirement_hash (any
        drift = fail_closed()),
      · builds VerifiedArtifactContext from the already-verified PBR
        canonical bytes + resolved_profile_table_hash,
      · calls evaluate_policy_requirement on the installed provider,
      · accepts only ProviderStatus::Satisfied; any other status or
        any evidence binding failure collapses to fail_closed().
  - Default installation uses the built-in LocalEmbeddedProvider;
    install_provider_for_testing() lets tests inject alternates
    without touching the singleton getter.

Tests (runtime/test/integration/test_provider_local.cpp)
  - 11 cases exercising doc 14 §10's required behaviours:
    capability shape, highsec rejection (#1), minimal satisfaction
    path (#2), cloud-evidence-as-local rejection / provider_class
    claim mismatch (#3), evidence bound to mismatched package hash
    (#8), disallowed provider class in allowed_provider_classes, and
    provider-swap-does-not-change-UBR-verification (#5).
  - policy_requirement_hash determinism + domain-separation test
    locks the canonical serializer in place so registry producers
    and the runtime agree bit-for-bit on requirement commitments.

All 87 previously-green runtime integration tests remain green.

Author: scc-tw

common/include/vm/domain_labels.hpp

@@ -44,6 +44,10 @@ namespace Hash {
     // 6/7, sharpens the semantics without changing the label.
     constexpr std::string_view UnitBindingTable        = "unit-binding-table-v1";
     constexpr std::string_view ResolvedProfileTable    = "resolved-profile-table-v1";
+    // Provider / entitlement layer (doc 14, doc 10).
+    constexpr std::string_view PolicyRequirement       = "policy-requirement-v1";
+    constexpr std::string_view ProviderEvidence        = "provider-evidence-v1";
+    constexpr std::string_view EntitlementCertificate  = "entitlement-certificate-v1";
 }  // namespace Hash
 
 }  // namespace VMPilot::DomainLabels

runtime/CMakeLists.txt

@@ -67,6 +67,7 @@ add_library(VMPilot_Runtime STATIC
     src/binding/unit.cpp
     src/binding/resolved_profile.cpp
     src/registry/registry.cpp
+    src/provider/local_embedded.cpp
     ${PLATFORM_ASM_SOURCES}
 )
 
@@ -196,6 +197,7 @@ if(ENABLE_TESTS)
         test_native_call
         test_policy_matrix
         test_tls_intrinsic
+        test_provider_local
     )
         vmpilot_add_runtime_test(${_t} SOURCES test/integration/${_t}.cpp)
     endforeach()

runtime/include/provider.hpp

@@ -0,0 +1,240 @@
+#ifndef VMPILOT_RUNTIME_PROVIDER_HPP
+#define VMPILOT_RUNTIME_PROVIDER_HPP
+
+#include <array>
+#include <cstdint>
+#include <string>
+#include <vector>
+
+#include <tl/expected.hpp>
+
+#include "vm/family_policy.hpp"
+
+// TrustProvider contract (doc 14 §3–§7). A TrustProvider is the
+// abstraction behind provider_requirement_hash lookups on the
+// RuntimeSpecializationRegistry. Baseline runtime ships one provider,
+// `local_embedded` (doc 10 §4), which carries no hardware root; richer
+// providers (`local_tpm`, `local_tee`, `cloud_attested_vm`,
+// `cloud_hsm`, `external_kms`) land in future iterations.
+//
+// Design constraints doc 14 bakes in:
+//   - public surface never exposes tier / family / provider-class strings
+//   - status=degraded never satisfies highsec
+//   - evidence must be bound to the current package + profile table +
+//     policy requirement hash; provider MAC does NOT replace the
+//     vendor signature over the PackageBindingRecord
+
+namespace VMPilot::Runtime::Provider {
+
+enum class ProviderClass : std::uint8_t {
+    LocalEmbedded = 1,
+    LocalTpm,
+    LocalTee,
+    CloudAttestedVm,
+    CloudHsm,
+    ExternalKms,
+};
+
+enum class CloneResistanceClass : std::uint8_t {
+    None = 1,
+    Soft,
+    Hardware,
+};
+
+enum class FreshnessClass : std::uint8_t {
+    None = 1,
+    Periodic,
+    OnlineVerified,
+};
+
+enum class KeyCustodyClass : std::uint8_t {
+    Self = 1,
+    Hsm,
+    Vendor,
+};
+
+enum class RecoveryModel : std::uint8_t {
+    SelfService = 1,
+    SignedReprovision,
+    Quorum,
+};
+
+enum class PrivacyModel : std::uint8_t {
+    Pairwise = 1,
+    Pseudonymous,
+    // Raw hardware identity is forbidden (doc 10 §7) — no enum value.
+};
+
+enum class AttestationFormat : std::uint8_t {
+    None = 1,
+    LocalEmbeddedV1,
+    TpmQuoteV1,
+    TeeReportV1,
+    CloudAttestationV1,
+};
+
+enum class ProviderStatus : std::uint8_t {
+    Satisfied = 1,
+    NotSatisfied,
+    Degraded,  // doc 14 §7.1: never accepted for highsec
+};
+
+// Stable identifier for a rejection reason; public surface must not
+// reveal which provider / tier / family triggered it (doc 14 §9.1).
+enum class ProviderError : std::uint8_t {
+    ArtifactPolicyNotSatisfied = 1,
+    ProviderRequirementNotSatisfied,
+    ProviderEvidenceInvalid,
+    RecoveryRequired,
+    RuntimeSpecializationUnavailable,
+};
+
+// doc 14 §4.
+struct CapabilityStatement {
+    ProviderClass provider_class;
+    std::string provider_instance_pseudonym;  // NOT raw hardware id
+    bool hardware_bound;
+    bool non_exportable_key;
+    bool online_required;
+    bool migratable;
+    CloneResistanceClass clone_resistance_class;
+    FreshnessClass freshness_class;
+    AttestationFormat attestation_format;
+    KeyCustodyClass key_custody_class;
+    RecoveryModel recovery_model;
+    PrivacyModel privacy_model;
+    std::vector<VMPilot::DomainLabels::PolicyId> supported_policy_floors;
+    std::vector<VMPilot::DomainLabels::FamilyId> supported_family_set;
+    std::array<std::uint8_t, 32> provider_measurement_hash;  // zeros → absent
+};
+
+// doc 14 §5. `attestation_payload` and `evidence_signature_or_mac` are
+// provider-specific opaque bytes; the runtime only verifies the field
+// bindings and hands the envelope to the appraiser.
+struct ProviderEvidence {
+    std::string evidence_version;
+    ProviderClass provider_class;
+    std::string provider_instance_pseudonym;
+    std::array<std::uint8_t, 32> nonce;
+    std::array<std::uint8_t, 32> package_binding_record_hash;
+    std::array<std::uint8_t, 32> resolved_profile_table_hash;
+    std::array<std::uint8_t, 32> policy_requirement_hash;
+    std::array<std::uint8_t, 32> runtime_measurement_hash;  // zeros → absent
+    std::vector<std::uint8_t> attestation_payload;
+    std::array<std::uint8_t, 32> freshness_proof_hash;
+    std::vector<std::uint8_t> evidence_signature_or_mac;
+};
+
+// doc 14 §6. Built per-call from ResolvedFamilyProfile +
+// RuntimeSpecializationRegistry. The hash is a stable commitment to
+// every field in this struct and is what entries in
+// RuntimeSpecializationRegistry.entries[].provider_requirement_hash
+// commit to.
+struct PolicyRequirement {
+    std::string requirement_version;
+    VMPilot::DomainLabels::PolicyId required_policy_floor;
+    std::vector<VMPilot::DomainLabels::FamilyId> required_family_set;
+    bool require_hardware_bound;
+    bool require_non_exportable_key;
+    bool require_online_freshness;
+    bool require_remote_attestation;
+    RecoveryModel require_recovery_model;
+    std::vector<ProviderClass> allowed_provider_classes;
+    std::uint64_t minimum_provider_epoch;
+};
+
+// doc 14 §7.
+struct ProviderResult {
+    ProviderStatus status;
+    std::vector<std::string> satisfied_requirements;
+    std::vector<std::string> unsatisfied_requirements;
+    ProviderClass provider_class;
+    std::array<std::uint8_t, 32> evidence_hash;
+    std::array<std::uint8_t, 32> nonce;
+    std::vector<std::uint8_t> result_signature;  // verifier signature
+};
+
+// Context the gate hands down to TrustProvider::bind_artifact. All
+// three hashes must already be verified by the caller (package /
+// profile / requirement); the provider binds its evidence to them,
+// never replaces them.
+struct VerifiedArtifactContext {
+    std::array<std::uint8_t, 32> package_binding_record_hash;
+    std::array<std::uint8_t, 32> resolved_profile_table_hash;
+    std::array<std::uint8_t, 32> policy_requirement_hash;
+};
+
+class TrustProvider {
+public:
+    virtual ~TrustProvider() = default;
+
+    virtual CapabilityStatement get_capabilities() const noexcept = 0;
+
+    virtual tl::expected<ProviderEvidence, ProviderError>
+    attest_runtime(const std::array<std::uint8_t, 32>& nonce,
+                   const std::array<std::uint8_t, 32>& runtime_measurement,
+                   const std::array<std::uint8_t, 32>&
+                       profile_requirement_hash) noexcept = 0;
+
+    virtual tl::expected<ProviderEvidence, ProviderError>
+    bind_artifact(const std::array<std::uint8_t, 32>& nonce,
+                  const VerifiedArtifactContext& ctx) noexcept = 0;
+};
+
+// Canonical domain-separated hash of a PolicyRequirement. Used to
+// verify that the requirement derived at runtime matches what the
+// registry entry committed to (doc 14 §7 + doc 08 §4 rule 4).
+std::array<std::uint8_t, 32>
+policy_requirement_hash(const PolicyRequirement& req) noexcept;
+
+// Core appraisal: checks evidence bindings and maps capability vs
+// requirement into a ProviderResult. Does NOT replace vendor signature
+// verification on the PackageBindingRecord (doc 14 §11).
+ProviderResult appraise(const CapabilityStatement& caps,
+                        const PolicyRequirement& req,
+                        const ProviderEvidence& evidence,
+                        const VerifiedArtifactContext& ctx) noexcept;
+
+// Gate the runtime dispatch path uses. Returns ProviderError on any
+// failure; maps doc 14 §7.1's degraded-vs-highsec rule internally.
+tl::expected<ProviderResult, ProviderError>
+evaluate_policy_requirement(TrustProvider& provider,
+                            const PolicyRequirement& requirement,
+                            const VerifiedArtifactContext& ctx,
+                            const std::array<std::uint8_t, 32>&
+                                requested_policy_floor_override) noexcept;
+
+// Baseline provider bundled with 1.0 runtime. Claims no hardware root,
+// no remote attestation, no freshness guarantees. Consequently it can
+// only satisfy PolicyRequirements that explicitly allow
+// ProviderClass::LocalEmbedded and require none of {hardware_bound,
+// non_exportable_key, online_freshness, remote_attestation}.
+class LocalEmbeddedProvider final : public TrustProvider {
+public:
+    LocalEmbeddedProvider() = default;
+    explicit LocalEmbeddedProvider(std::string instance_pseudonym) noexcept;
+
+    CapabilityStatement get_capabilities() const noexcept override;
+
+    tl::expected<ProviderEvidence, ProviderError>
+    attest_runtime(const std::array<std::uint8_t, 32>& nonce,
+                   const std::array<std::uint8_t, 32>& runtime_measurement,
+                   const std::array<std::uint8_t, 32>&
+                       profile_requirement_hash) noexcept override;
+
+    tl::expected<ProviderEvidence, ProviderError>
+    bind_artifact(const std::array<std::uint8_t, 32>& nonce,
+                  const VerifiedArtifactContext& ctx) noexcept override;
+
+private:
+    std::string instance_pseudonym_{"local-embedded-default"};
+};
+
+// TrustProvider singleton used by the runtime dispatch path. Tests may
+// swap in an alternate provider via install_provider_for_testing().
+TrustProvider& runtime_provider() noexcept;
+void install_provider_for_testing(TrustProvider* provider) noexcept;
+
+}  // namespace VMPilot::Runtime::Provider
+
+#endif  // VMPILOT_RUNTIME_PROVIDER_HPP