feat(runtime): Stage 9 exception-unwind surface + doc 08/15 §9 coverage

Stage 9 lands the minimum 1.0 reserved ExceptionUnwindContract
verifier plus the native-boundary fail-closed guard doc 09 requires,
and folds in the remaining doc 08 §9 / doc 15 §9 spec tests that
were still missing from Stages 5-8 (Commit 4 of the shortcut
clean-up pass).

Verifier surface
  - eh_guard module parses correctness_legality_contract.exception
    _unwind_contract from CanonicalMetadataBytesV1 and rejects any
    profile that: upgrades executable_eh_status above reserved_
    disabled_v1, exposes non-empty handler / cleanup tables, permits
    cross-protected-frame unwind, flips native_boundary_unwind_
    behavior away from translate_to_trap_or_fail_closed, declares
    unknown critical extensions, or advertises a family_specific_
    unwind_surface_ref that does not match the bound family.
  - accept_unit_entry calls the verifier after the Stage 7 payload/
    profile binding checks and maps failures to a new block of
    UnitAcceptError codes (ExceptionUnwindContractMalformed,
    ExecutableEhStatusNotReservedDisabled, HandlerTable/Cleanup
    TableNotReservedEmpty, CrossProtectedFrameUnwindPermitted,
    NativeBoundaryUnwindBehaviorNotFailClosed, UnknownEhCritical
    Extension, FamilySpecificUnwindSurfaceMismatch).

Native-boundary guard
  - guarded_platform_call wraps the platform_call trampoline with a
    structured handler so that C++ throws / SEH (Windows) and the
    SIGSEGV / SIGBUS / SIGILL / SIGFPE family (POSIX) all collapse
    into DiagnosticCode::NativeBoundaryUnwindTrapped instead of
    propagating across a protected VM frame.
  - eh_guard.cpp opts in to /EHa so catch(...) can intercept both
    C++ and Windows structured exceptions in the same TU; the rest
    of the runtime stays on /EHsc.
  - HandlerTraits<NATIVE_CALL>::dispatch now routes through
    guarded_platform_call and surfaces the diagnostic unchanged.

doc 08 §9 / doc 15 §9 tests (Commit 4)
  - AcceptConfig.minimum_policy_floor plus the Debug<Standard<HighSec
    ordering enforced in accept_unit_entry (§9 #1, §9 #4, §9 #5).
  - Profile↔UBR family / policy / profile_id cross-check added to
    accept_unit_entry with its own error codes (§9 #2).
  - vm_stub_entry now cross-checks the inner blob's BLOB_FLAG_DEBUG
    against UBR.requested_policy_id and rejects on mismatch (§9 #6).
  - test_spec_compliance exercises the above plus the tier-neutral
    public failure surface (§9 #7) and the section_table_shape_class
    invariant across debug / standard / highsec artifacts (§9 #10),
    including a negative control that confirms the shape-class
    comparison actually fires when a producer drifts.

Fixture builders
  - ResolvedFamilyProfileBuilder now emits the correctness_legality_
    contract map by default with a reserved ExceptionUnwindContract;
    negative tests inject malformed specs via ExceptionUnwindContract
    Spec so every new error code has a concrete trigger.
  - sha256_of helper and registry build_canonical_bytes() variant let
    tests reuse the production Ed25519-wrapped registry path without
    leaking VMPilot_crypto.hpp namespaces into the runtime surface.

Test coverage
  - test_spec_compliance: 8 cases covering §9 #1, #2, #4, #5, #6, #7,
    #10 (happy + drift).
  - test_eh_guard: contract-level suite (8 cases) plus runtime native-
    boundary tests (Windows C++ throw / SEH raise, POSIX signal). The
    Windows runtime cases opt out under MSVC /fsanitize=address
    because ASAN corrupts SEH unwind through the ASM platform_call
    trampoline; non-ASAN builds and POSIX exercise the full path.

All 116 previously-green runtime tests still pass; the new 16
Stage-9/Commit-4 cases pass under dev-win.

Author: scc-tw

common/include/diagnostic.hpp

@@ -83,6 +83,7 @@ enum class DiagnosticCode : uint32_t {
     EpochResyncFailed          = 0x0006'0011,
     ShadowStackOverflow        = 0x0006'0012,
     InvalidOpcodeAlias         = 0x0006'0013,
+    NativeBoundaryUnwindTrapped= 0x0006'0014,
 
     // --- 0x0007: Loader ---
     PatchInputInvalid          = 0x0007'0001,

common/src/diagnostic_collector.cpp

@@ -83,6 +83,8 @@ const char* to_string(DiagnosticCode code) noexcept {
         case DiagnosticCode::EpochResyncFailed:        return "RT:epoch_resync_failed";
         case DiagnosticCode::ShadowStackOverflow:      return "RT:shadow_stack_overflow";
         case DiagnosticCode::InvalidOpcodeAlias:       return "RT:invalid_opcode_alias";
+        case DiagnosticCode::NativeBoundaryUnwindTrapped:
+            return "RT:native_boundary_unwind_trapped";
         // 0x0007: Loader
         case DiagnosticCode::PatchInputInvalid:          return "LDR:input_invalid";
         case DiagnosticCode::PatchOutputFailed:          return "LDR:output_failed";

runtime/CMakeLists.txt

@@ -59,6 +59,7 @@ add_library(VMPilot_Runtime STATIC
     src/blob_builder.cpp
     src/program_builder.cpp
     src/handler_detail.cpp
+    src/eh_guard.cpp
     src/trust_root_embed.cpp
     src/envelope/outer.cpp
     src/binding/package.cpp
@@ -69,6 +70,16 @@ add_library(VMPilot_Runtime STATIC
     ${PLATFORM_ASM_SOURCES}
 )
 
+# eh_guard.cpp must catch structured exceptions raised by native code
+# (C++ throws, RaiseException, signals) that cross the platform_call
+# trampoline. MSVC /EHsc does not let catch(...) intercept SEH; /EHa
+# removes that restriction. Only eh_guard.cpp needs this — the rest of
+# the runtime keeps /EHsc for the smaller codegen.
+if(MSVC)
+    set_source_files_properties(src/eh_guard.cpp
+        PROPERTIES COMPILE_OPTIONS "/EHa")
+endif()
+
 include(${CMAKE_SOURCE_DIR}/cmake/TrustRoot.cmake)
 vmpilot_configure_trust_root(VMPilot_Runtime)
 
@@ -228,6 +239,11 @@ if(ENABLE_TESTS)
         EXTRA_INCLUDES ${CMAKE_CURRENT_SOURCE_DIR}/include
         WITH_FIXTURES)
 
+    vmpilot_add_runtime_test(test_spec_compliance
+        SOURCES test/fixtures/test_spec_compliance.cpp
+        EXTRA_INCLUDES ${CMAKE_CURRENT_SOURCE_DIR}/include
+        WITH_FIXTURES)
+
     # ── security/ — Doc 15-19 cryptographic invariants ──
 
     foreach(_t IN ITEMS
@@ -241,6 +257,11 @@ if(ENABLE_TESTS)
         vmpilot_add_runtime_test(${_t} SOURCES test/security/${_t}.cpp)
     endforeach()
 
+    vmpilot_add_runtime_test(test_eh_guard
+        SOURCES test/security/test_eh_guard.cpp
+        EXTRA_INCLUDES ${CMAKE_CURRENT_SOURCE_DIR}/include
+        WITH_FIXTURES)
+
     # ── robustness/ — error paths + boundary values ──
 
     foreach(_t IN ITEMS

runtime/include/binding/package.hpp

@@ -11,6 +11,7 @@
 
 #include "envelope/outer.hpp"
 #include "trust_root.hpp"
+#include "vm/family_policy.hpp"
 
 // PackageBindingRecord acceptance.
 //
@@ -42,6 +43,15 @@ struct AcceptConfig {
     std::vector<std::string> supported_schema_versions;
     std::vector<std::string> supported_canonical_encodings;
     RuntimeEpochState epoch;
+
+    // Per-unit policy floor (doc 15 §9 #4-#5). Enforced in
+    // accept_unit_entry: UBR.requested_policy_id must be numerically
+    // >= this floor in the {Debug, Standard, HighSec} ordering.
+    // Default is Debug — i.e. no floor. Highsec runtimes raise this to
+    // HighSec so a standard-tier package silently loaded on a highsec
+    // runtime cannot unlock execution.
+    VMPilot::DomainLabels::PolicyId minimum_policy_floor{
+        VMPilot::DomainLabels::PolicyId::Debug};
 };
 
 // What survives acceptance. Retain enough to let Stages 6/7 verify unit

runtime/include/binding/unit.hpp

@@ -112,6 +112,24 @@ enum class UnitAcceptError : std::uint8_t {
     // Epoch gates.
     AntiDowngradeEpochTooOld,          // UBR vs runtime.minimum_accepted_epoch
     PackageEpochBelowUnitEpoch,        // PBR.anti_downgrade_epoch < UBR's (doc 06 §10)
+
+    // Tier floor (doc 15 §9 #4).
+    PolicyBelowRuntimeFloor,           // UBR.policy < config.minimum_policy_floor
+
+    // Profile ↔ UBR cross-field mismatches (doc 08 §9 #2).
+    ProfileFamilyIdMismatch,           // profile.family_id       != ubr.family_id
+    ProfilePolicyIdMismatch,           // profile.policy_id       != ubr.policy_id
+    ProfileIdMismatch,                 // profile.profile_id      != ubr.profile_id
+
+    // Stage 9 — reserved exception / unwind surface.
+    ExceptionUnwindContractMalformed,
+    ExecutableEhStatusNotReservedDisabled,
+    HandlerTableNotReservedEmpty,
+    CleanupTableNotReservedEmpty,
+    CrossProtectedFrameUnwindPermitted,
+    NativeBoundaryUnwindBehaviorNotFailClosed,
+    UnknownEhCriticalExtension,
+    FamilySpecificUnwindSurfaceMismatch,
 };
 
 tl::expected<AcceptedUnit, UnitAcceptError>

runtime/include/eh_guard.hpp

@@ -0,0 +1,110 @@
+#ifndef VMPILOT_RUNTIME_EH_GUARD_HPP
+#define VMPILOT_RUNTIME_EH_GUARD_HPP
+
+#include <cstddef>
+#include <cstdint>
+#include <string>
+#include <string_view>
+#include <vector>
+
+#include <tl/expected.hpp>
+
+#include "diagnostic.hpp"
+#include "platform_call.hpp"
+#include "vm/family_policy.hpp"
+
+namespace VMPilot::Runtime::EH {
+
+enum class ExecutableEhStatus : std::uint8_t {
+    ReservedDisabledV1 = 1,
+    ExecutableV1_1,
+};
+
+enum class CrossProtectedFrameUnwind : std::uint8_t {
+    Forbidden = 1,
+    PermittedByProfile,
+};
+
+enum class NativeBoundaryUnwindBehavior : std::uint8_t {
+    TranslateToTrapOrFailClosed = 1,
+    ProfileUpgraded,
+};
+
+enum class ReservedTableStatus : std::uint8_t {
+    ReservedEmpty = 1,
+    ProfileSpecific,
+};
+
+struct ExceptionUnwindContract {
+    std::string semantic_contract_version;
+    std::string eh_contract_version;
+    ExecutableEhStatus executable_eh_status;
+    std::string planned_executable_eh_epoch;
+    CrossProtectedFrameUnwind cross_protected_frame_unwind;
+    NativeBoundaryUnwindBehavior native_boundary_unwind_behavior;
+    ReservedTableStatus handler_table_status;
+    ReservedTableStatus cleanup_table_status;
+    std::string frame_contract_ref;
+    std::string stackmap_contract_ref;
+    std::string resume_contract_ref;
+    std::string verifier_rules_ref;
+    std::string family_specific_unwind_surface_ref;
+};
+
+enum class ContractParseError : std::uint8_t {
+    BadCbor = 1,
+    NotAMap,
+    MissingCorrectnessLegalityContract,
+    MissingExceptionUnwindContract,
+    MissingField,
+    WrongFieldType,
+    UnknownEnumValue,
+    UnknownCriticalExtension,
+};
+
+enum class ContractVerifyError : std::uint8_t {
+    MalformedContract = 1,
+    ExecutableEhStatusNotReservedDisabled,
+    CrossProtectedFrameUnwindPermitted,
+    NativeBoundaryBehaviorNotFailClosed,
+    HandlerTableNotReservedEmpty,
+    CleanupTableNotReservedEmpty,
+    UnknownCriticalExtension,
+    FamilySpecificUnwindSurfaceMismatch,
+};
+
+tl::expected<ExceptionUnwindContract, ContractParseError>
+parse_exception_unwind_contract(const std::uint8_t* data,
+                                std::size_t size) noexcept;
+
+inline tl::expected<ExceptionUnwindContract, ContractParseError>
+parse_exception_unwind_contract(
+    const std::vector<std::uint8_t>& bytes) noexcept {
+    return parse_exception_unwind_contract(bytes.data(), bytes.size());
+}
+
+tl::expected<ExceptionUnwindContract, ContractVerifyError>
+verify_reserved_exception_unwind_contract(
+    const std::uint8_t* data,
+    std::size_t size,
+    VMPilot::DomainLabels::FamilyId expected_family) noexcept;
+
+inline tl::expected<ExceptionUnwindContract, ContractVerifyError>
+verify_reserved_exception_unwind_contract(
+    const std::vector<std::uint8_t>& bytes,
+    VMPilot::DomainLabels::FamilyId expected_family) noexcept {
+    return verify_reserved_exception_unwind_contract(
+        bytes.data(), bytes.size(), expected_family);
+}
+
+std::string_view expected_family_specific_unwind_surface_ref(
+    VMPilot::DomainLabels::FamilyId family_id) noexcept;
+
+tl::expected<std::uint64_t, VMPilot::Common::DiagnosticCode>
+guarded_platform_call(const VMPilot::Runtime::PlatformCallDesc* desc,
+                      bool returns_struct,
+                      void* struct_return_ptr) noexcept;
+
+}  // namespace VMPilot::Runtime::EH
+
+#endif  // VMPILOT_RUNTIME_EH_GUARD_HPP

runtime/include/handler_impls.hpp

@@ -37,6 +37,7 @@
 ///   LOAD/POP:   MemVal from guest/ORAM -> im.mem.decode_lut() -> plaintext
 
 #include "handler_traits.hpp"
+#include "eh_guard.hpp"
 #include "platform_call.hpp"
 
 #include <vm/encoded_value.hpp>
@@ -824,18 +825,18 @@ struct HandlerTraits<VmOpcode::NATIVE_CALL, P> {
             is_variadic ? desc.fp_count : static_cast<uint8_t>(0), returns_fp);
 
         // Call via platform-specific ASM trampoline
-        uint64_t result;
-        if (returns_struct && abi == CallABI::AAPCS64) {
-            result = platform_call_struct(&desc, struct_ptr);
-        } else {
-            result = platform_call(&desc);
-        }
+        auto result_or = EH::guarded_platform_call(
+            &desc, returns_struct && abi == CallABI::AAPCS64, struct_ptr);
 
         // Zero plaintext args from stack (forward secrecy)
         secure_zero(raw_args, sizeof(raw_args));
 
+        if (!result_or) {
+            return tl::make_unexpected(result_or.error());
+        }
+
         // Store plaintext result; pipeline will FPE-encode reg 0
-        e.regs[0] = RegVal(result);
+        e.regs[0] = RegVal(*result_or);
         e.native_call_nonce++;
         return {};
     }

runtime/src/binding/unit.cpp

@@ -5,7 +5,9 @@
 
 #include "VMPilot_crypto.hpp"
 #include "binding/inner_partition.hpp"
+#include "binding/resolved_profile.hpp"
 #include "cbor/strict.hpp"
+#include "eh_guard.hpp"
 #include "vm/domain_labels.hpp"
 #include "vm/family_policy.hpp"
 
@@ -78,6 +80,31 @@ bool hash_equals(const std::array<std::uint8_t, 32>& a,
     return std::memcmp(a.data(), b.data(), 32) == 0;
 }
 
+UnitAcceptError map_eh_contract_error(
+    VMPilot::Runtime::EH::ContractVerifyError error) noexcept {
+    using VMPilot::Runtime::EH::ContractVerifyError;
+
+    switch (error) {
+        case ContractVerifyError::MalformedContract:
+            return UnitAcceptError::ExceptionUnwindContractMalformed;
+        case ContractVerifyError::ExecutableEhStatusNotReservedDisabled:
+            return UnitAcceptError::ExecutableEhStatusNotReservedDisabled;
+        case ContractVerifyError::CrossProtectedFrameUnwindPermitted:
+            return UnitAcceptError::CrossProtectedFrameUnwindPermitted;
+        case ContractVerifyError::NativeBoundaryBehaviorNotFailClosed:
+            return UnitAcceptError::NativeBoundaryUnwindBehaviorNotFailClosed;
+        case ContractVerifyError::HandlerTableNotReservedEmpty:
+            return UnitAcceptError::HandlerTableNotReservedEmpty;
+        case ContractVerifyError::CleanupTableNotReservedEmpty:
+            return UnitAcceptError::CleanupTableNotReservedEmpty;
+        case ContractVerifyError::UnknownCriticalExtension:
+            return UnitAcceptError::UnknownEhCriticalExtension;
+        case ContractVerifyError::FamilySpecificUnwindSurfaceMismatch:
+            return UnitAcceptError::FamilySpecificUnwindSurfaceMismatch;
+    }
+    return UnitAcceptError::ExceptionUnwindContractMalformed;
+}
+
 // ─── Field extraction helpers ───────────────────────────────────────────
 
 struct RequireCtx {
@@ -475,6 +502,39 @@ accept_unit_entry(const std::uint8_t* artifact_data,
         return err(UnitAcceptError::ResolvedProfileContentHashMismatch);
     }
 
+    // 6b. Profile ↔ UBR cross-check (doc 08 §9 #2). The profile's own
+    //     embedded (family_id / policy_id / profile_id) must agree with
+    //     the UBR that referenced it. Otherwise a producer could slide a
+    //     debug-policy profile in under a highsec-policy UBR: every
+    //     hash still matches (UBR committed to this exact profile), but
+    //     the profile's declared policy contradicts the UBR's claim and
+    //     the runtime would dispatch on the wrong tier.
+    auto profile_header = parse_resolved_family_profile_header(profile_bytes);
+    if (!profile_header) {
+        return err(UnitAcceptError::ResolvedProfileTableMalformed);
+    }
+    if (profile_header->family_id != ubr.family_id) {
+        return err(UnitAcceptError::ProfileFamilyIdMismatch);
+    }
+    if (profile_header->requested_policy_id != ubr.requested_policy_id) {
+        return err(UnitAcceptError::ProfilePolicyIdMismatch);
+    }
+    if (profile_header->profile_id != ubr.resolved_family_profile_id) {
+        return err(UnitAcceptError::ProfileIdMismatch);
+    }
+
+    // 6c. Stage 9 — 1.0 reserved exception/unwind surface verifier.
+    //     The profile must carry the typed contract, but 1.0 runtime only
+    //     accepts the strictly reserved posture: executable EH disabled,
+    //     empty handler/cleanup tables, cross-frame unwind forbidden, and
+    //     native boundary unwind translated to trap/fail-closed.
+    auto eh_contract =
+        VMPilot::Runtime::EH::verify_reserved_exception_unwind_contract(
+            profile_bytes, ubr.family_id);
+    if (!eh_contract) {
+        return err(map_eh_contract_error(eh_contract.error()));
+    }
+
     // 7. Payload identity: single-unit packaging for now — the whole
     //    payload partition belongs to this unit. Multi-unit payload
     //    slicing is a future stage.
@@ -510,6 +570,15 @@ accept_unit_entry(const std::uint8_t* artifact_data,
         return err(UnitAcceptError::PackageEpochBelowUnitEpoch);
     }
 
+    //    8c. Runtime policy floor (doc 15 §9 #4). The enum ordering is
+    //         Debug(1) < Standard(2) < HighSec(3) — numerically
+    //         comparable. A standard-tier package cannot unlock a
+    //         runtime that requires highsec.
+    if (static_cast<std::uint8_t>(ubr.requested_policy_id) <
+        static_cast<std::uint8_t>(config.minimum_policy_floor)) {
+        return err(UnitAcceptError::PolicyBelowRuntimeFloor);
+    }
+
     AcceptedUnit out;
     out.descriptor               = std::move(desc);
     out.ubr                      = std::move(ubr);