0.3.0: Matter verified-core — protocol+crypto as a WASM component (SWARCH-WOHL-008) #36
…pile!=run
Executable proof for SWARCH-WOHL-008's open question. A full SPAKE2+ PASE
handshake (PBKDFParamReq/Resp -> Pake1/2/3 -> secure session) executes
end-to-end inside a wasm32-wasip2 component under wasmtime:
wasmtime run pase_exec.wasm
PASE-RUNS-OK: full SPAKE2+ handshake completed under wasmtime (wasip2)
exit 0
Local measurement oracle (cargo wasip2 + wasmtime), NOT a landed artifact:
standalone crate with its own [workspace], excluded from the wohl workspace
and not a bazel target. The landed component (WIT transport seam +
wac_compose + rules_wasm_component) is Spike 2b/2c/2d.
Mirrors rs-matter's tests/pase.rs but (1) swaps localhost UDP for an
in-memory loopback NetworkSend/NetworkReceive pipe (no os/sockets), and
(2) supplies a wasip2 embassy-time driver. The driver is the key enabler:
rs-matter calls Instant::now()/Timer::after() pervasively (incl. inside
PASE); os normally gives embassy-time/std; without it wasip2 has none. A
minimal driver (real now() from std monotonic clock scaled to TICK_HZ +
no-op schedule_wake) works because block_on busy-polls and Timer::poll
re-checks now() each poll.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Automated review for PR #36 (pulseengine/wohl)
Verdict: 💬 Comment
Summary: This pull request introduces a measurement harness for proving that the PASE handshake in the rs-matter core can execute when compiled to wasm32-wasip2 and run under wasmtime. The harness is designed as a standalone artifact, isolated from the main workspace, and uses plain cargo build and wasmtime run as the execution oracle.
Findings: 0 mechanical (rivet) · 5 from local AI model.
Findings (5):
Generated by a local AI model and post-validated against a strict JSON contract. Each finding includes the verbatim line being criticised — verify by reading the file at the cited location. Reviewed at |
Feature-loop steps 1-2 for the Matter verified-core split (next version).

Spike 2 proved the rs-matter protocol+crypto core compiles (PR #35) and runs
(PR #36) as a wasm32-wasip2 component. The architectural consequence: the core
lives inside the verified WASM boundary, with host-bound non-determinism pulled
across an import seam. Beyond the already-modeled network transport
(message_in/message_out = NetworkReceive/NetworkSend), the spike revealed two
newly-explicit host dependencies the core cannot self-supply in the sandbox:
- clock_in (MonotonicTime): rs-matter calls embassy-time Instant::now()
  pervasively, incl. inside PASE; Spike 2a sourced it from the wasi monotonic
  clock via a custom embassy-time driver.
- entropy_in (EntropyBytes): the CSPRNG.
Modeled both as in event data ports on MatterStackEventLoop + the
MatterBridgeProcess boundary, with connections.

spar analyze: 0 errors (17 pre-existing structural warnings, none from this
change). WIT regenerated via the canonical "spar codegen --format wit" path
(per spar/generated/ README) — matter.wit gains on-clock_in / on-entropy_in.
NOT hand-written (spar-generates-wit).

This walks back SWARCH-WOHL-006/007's "whole Matter stack is host-side":
transport+clock+entropy are host-side, protocol+crypto are
verifiable-in-component.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Typed traceability for the Matter verified-core split.

SWARCH-WOHL-008 (sw-arch-component, proposed): refines SWARCH-WOHL-007,
allocated-from SWREQ-MATTER-002. Records the revised split — protocol+crypto
INSIDE the verified WASM boundary; transport/clock/entropy host-side across
the spar-generated WIT seam (matter-world). Walks back the SWARCH-WOHL-006/007
"whole Matter stack is host-side" claim with the Spike 1 (compiles, CI-green)
+ Spike 2a (runs under wasmtime) evidence.

SWV-MATTER-002 (sw-verification, proposed): verifies SWREQ-MATTER-002.
Honestly split into proven-today vs owed, per the SWV-MATTER-001 precedent
(proposed until evidence is CI-wired):
  C1 core compiles as WASM component — CI-GATED (PR #35)
  C2 PASE runs in WASM — reproduced, not yet CI-gated (PR #36)
  C3 handshake across wac_compose seam — owed
  C4 composed graph builds + runs in CI — owed (promotes 008/002 to approved)
  C5 witness MC/DC on seam glue — owed (008 reopens what SWV-MATTER-001
     scoped out)

rivet validate: PASS. rivet check gaps-json: exit 0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
… C3)
Spike 2a proved PASE runs inside one wasm component; this proves it runs
across a two-component wac_compose graph, every Matter packet crossing the
WIT seam:
wac plug mcore.wasm --plug transport.wasm -o composed-matter.wasm
wasmtime run composed-matter.wasm
PASE-RUNS-OK: SPAKE2+ handshake completed across the wac-composed WIT seam
- mcore/ verified core (wasi:cli command): 2a's handshake, but the
NetworkSend/Receive endpoints call the imported `wire` seam
(push/pop/peek) so every packet leaves the component.
- transport/ host shell (provider): two channelled packet queues, exports wire.
- wit/world.wit: the seam.
Sync WIT funcs busy-polled by block_on sidestep wasmtime component-async.
Local measurement oracle (own [workspace], excluded from the wohl
workspace, not bazel targets), like spike2-exec. Fidelity caveat (see
README): the `wire` seam is a hand-written simplification, NOT the exact
spar-generated matter-world seam, and clock/entropy stay component-internal.
Proves the architecture is RUNNABLE; binding the real spar seam + routing
clock/entropy across it is the rules_wasm_component bazel landing
(Spike 2d / SWV-MATTER-002 C4), which is also where it becomes a CI gate.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
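The two-component shape in the Spike 2c commit message, as an added std-only, in-process model that is not the project's mcore/, transport/ or wit/world.wit code: both handshake roles sit on the core side and reach each other only through a synchronous push/pop/peek `wire` trait exported by a transport stand-in, which counts every crossing so the "every packet leaves the component" claim can be checked. `Dir`, `Transport`, `CoreEndpoint` and the request/response bytes are constructed for this illustration; no Matter or SPAKE2+ messages are involved, and two OS threads stand in for the two wac-composed components.

```rust
// Added illustration, not the spike2c code: a synchronous push/pop/peek seam
// between a "core" side (both handshake roles) and a "transport" side (queues).
use std::collections::VecDeque;
use std::sync::Mutex;

/// Which way a packet travels across the seam.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Dir {
    ToResponder,
    ToInitiator,
}

/// Model of the imported `wire` seam: three sync functions, nothing async,
/// so a busy-polling caller can drive it without component-async support.
pub trait Wire {
    fn push(&self, dir: Dir, pkt: Vec<u8>);
    fn pop(&self, dir: Dir) -> Option<Vec<u8>>;
    fn peek(&self, dir: Dir) -> bool;
}

/// Transport-side provider: one queue per direction plus a crossing counter.
#[derive(Default)]
pub struct Transport {
    queues: Mutex<[VecDeque<Vec<u8>>; 2]>,
    crossings: Mutex<u64>,
}

fn idx(dir: Dir) -> usize {
    match dir {
        Dir::ToResponder => 0,
        Dir::ToInitiator => 1,
    }
}

impl Wire for Transport {
    fn push(&self, dir: Dir, pkt: Vec<u8>) {
        self.queues.lock().unwrap()[idx(dir)].push_back(pkt);
        *self.crossings.lock().unwrap() += 1; // every packet crossing the seam is counted
    }
    fn pop(&self, dir: Dir) -> Option<Vec<u8>> {
        self.queues.lock().unwrap()[idx(dir)].pop_front()
    }
    fn peek(&self, dir: Dir) -> bool {
        !self.queues.lock().unwrap()[idx(dir)].is_empty()
    }
}

impl Transport {
    pub fn crossings(&self) -> u64 {
        *self.crossings.lock().unwrap()
    }
}

/// Core-side NetworkSend/NetworkReceive stand-in: it never owns a socket and
/// only ever touches the seam.
pub struct CoreEndpoint<'a, W: Wire> {
    wire: &'a W,
    tx: Dir,
    rx: Dir,
}

impl<'a, W: Wire> CoreEndpoint<'a, W> {
    pub fn new(wire: &'a W, tx: Dir, rx: Dir) -> Self {
        Self { wire, tx, rx }
    }
    pub fn send(&self, pkt: &[u8]) {
        self.wire.push(self.tx, pkt.to_vec());
    }
    /// Busy-poll peek, then pop: the same shape as block_on over a sync seam.
    pub fn recv(&self) -> Vec<u8> {
        loop {
            if self.wire.peek(self.rx) {
                if let Some(pkt) = self.wire.pop(self.rx) {
                    return pkt;
                }
            }
            std::hint::spin_loop();
        }
    }
}

/// `rounds` request/response exchanges with constructed bytes (not Matter
/// messages). Returns (seam crossings, the responses the initiator received).
pub fn run_exchange(rounds: u8) -> (u64, Vec<Vec<u8>>) {
    let transport = Transport::default();
    let responses = std::thread::scope(|s| {
        // Responder role: answers each request with "ack:" + request.
        s.spawn(|| {
            let responder = CoreEndpoint::new(&transport, Dir::ToInitiator, Dir::ToResponder);
            for _ in 0..rounds {
                let req = responder.recv();
                let mut resp = b"ack:".to_vec();
                resp.extend_from_slice(&req);
                responder.send(&resp);
            }
        });
        // Initiator role: sends m0, m1, ... and waits for each reply.
        let initiator = CoreEndpoint::new(&transport, Dir::ToResponder, Dir::ToInitiator);
        (0..rounds)
            .map(|i| {
                initiator.send(&[b'm', b'0' + i]);
                initiator.recv()
            })
            .collect::<Vec<_>>()
    });
    (transport.crossings(), responses)
}

fn main() {
    let (crossings, responses) = run_exchange(3);
    let shown: Vec<String> = responses.iter().map(|r| String::from_utf8_lossy(r).into_owned()).collect();
    println!("{crossings} seam crossings; responses: {shown:?}");
}
```

Three rounds give six crossings: each request and each reply is pushed across the seam exactly once, which is the property a seam-side packet log (or the C5 witness glue) would be checked against.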
Spike 2c proved C3 locally (wasmtime run of the wac_compose'd graph, PASE-RUNS-OK across the WIT seam). Marked reproduced-not-yet-CI-gated with the fidelity caveat (hand-written seam, not the spar matter-world seam). The faithful spar-seam binding folds into C4 (the bazel landing). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Cold verifier (no inherited context) independently CONFIRMED C1/C2/C5 — notably rebuilt spike2-exec and reproduced PASE-RUNS-OK char-for-char, exit 0. C3/C4 precursors all confirmed (exact filenames, exact success string, exact on-clock_in/on-entropy_in signatures); the compose/codegen steps themselves were sandbox-denied to the agent and were captured in the authoring session instead. No claim refuted. Also records witness/sigil as tool-blocked-in-env (deferred to the landing PR; artifact is ready). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
0.3.0 — Matter verified-core: protocol+crypto in a WASM component
Walks the PulseEngine feature loop (spar → WIT → rivet → code → witness → sigil → clean-room → release) for the SWARCH-WOHL-008 verified-core split: moving the rs-matter protocol+crypto core inside the verified WASM boundary, with transport/clock/entropy host-imported. Walks back SWARCH-WOHL-006/007's "the whole Matter stack is host-side."
The breakthrough (what makes this possible)
A full SPAKE2+ PASE handshake (PBKDFParamReq/Resp → Pake1/2/3 → secure session) executes inside a wasm32-wasip2 component under wasmtime:

    wasmtime run pase_exec.wasm
    PASE-RUNS-OK: full SPAKE2+ handshake completed under wasmtime (wasip2)
    exit 0

Key enabler: rs-matter calls embassy_time::Instant::now() pervasively (incl. inside PASE); the os feature normally supplies embassy-time/std. A minimal wasip2 driver (real now() + no-op schedule_wake, busy-polled by block_on) suffices.

Feature-loop progress
- wohl_matter.aadl — SWARCH-WOHL-008 clock+entropy host seam; spar analyze 0 errors
- spar/generated/matter.wit — on-clock_in/on-entropy_in (spar-generated, not hand-written)
- SWARCH-WOHL-008 + SWV-MATTER-002; rivet validate PASS, gaps-json exit 0
- crates/wohl-matter-core/spike2-exec — PASE runs under wasmtime
- rules_wasm_component bazel targets, green CI; wasmtime exec in CI

SWV-MATTER-002 records the honest split: C1 (compiles) is CI-gated (PR #35); C2 (runs) is reproduced but not yet CI-gated; C3–C5 (composed graph, CI execution, MC/DC) are owed and promote SWARCH-WOHL-008 from proposed to approved when met.

Scope / honesty
- spike2-exec is a local measurement oracle — standalone cargo bin, own [workspace], excluded from the wohl workspace, not a bazel target. CI does not build it.
- spar-generates-wit); the steps-4+ component must build via rules_wasm_component (per the build directive) — which can't run in this dev sandbox (nix/wasi-sdk egress), so it's CI-verified.

🤖 Generated with Claude Code
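The wasip2 embassy-time driver described in the spike2-exec commit message (real now() from the std monotonic clock scaled to TICK_HZ, no-op schedule_wake, workable only because block_on busy-polls and Timer::poll re-checks now()) and summarized above as the key enabler, as an added std-only model that is not the spike's or rs-matter's code. `Driver`, `Timer` and `block_on` are simplified stand-ins for embassy_time_driver::Driver, embassy_time::Timer and embassy_futures::block_on, not those crates' real APIs, and TICK_HZ = 1 MHz is assumed. Beyond the text, it also shows the caveat a practitioner wants: a single poll of a pending timer never calls its waker, which is exactly why this driver is safe under a busy-polling executor and would hang forever under one that parks until wake().

```rust
// Added illustration (not spike2-exec): std-only model of the wasip2 driver.
use std::future::Future;
use std::pin::{pin, Pin};
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::{Arc, OnceLock};
use std::task::{Context, Poll, Wake, Waker};
use std::time::Instant;

/// Driver tick rate (assumed for this example): one tick per microsecond.
pub const TICK_HZ: u64 = 1_000_000;

/// The two driver entry points the core exercises via Instant::now()/Timer.
pub trait Driver {
    fn now(&self) -> u64;
    fn schedule_wake(&self, at: u64, waker: &Waker);
}

/// Real `now()` from the std monotonic clock (the wasi monotonic clock on
/// wasip2), scaled to TICK_HZ; `schedule_wake` does nothing.
pub struct Wasip2Driver;

static EPOCH: OnceLock<Instant> = OnceLock::new();

impl Driver for Wasip2Driver {
    fn now(&self) -> u64 {
        let elapsed = EPOCH.get_or_init(Instant::now).elapsed();
        // Widen to u128 so nanos * TICK_HZ cannot overflow before the divide.
        (elapsed.as_nanos() * TICK_HZ as u128 / 1_000_000_000) as u64
    }
    fn schedule_wake(&self, _at: u64, _waker: &Waker) {
        // Nothing ever calls the waker: only a busy-polling executor progresses.
    }
}

pub static DRIVER: Wasip2Driver = Wasip2Driver;

/// Timer future that re-reads DRIVER.now() on every poll; this re-check is
/// what makes the no-op schedule_wake survivable.
pub struct Timer {
    expires_at: u64,
}

impl Timer {
    pub fn after_ticks(ticks: u64) -> Self {
        Timer { expires_at: DRIVER.now() + ticks }
    }
}

impl Future for Timer {
    type Output = ();
    fn poll(self: Pin<&mut Self>, cx: &mut Context<'_>) -> Poll<()> {
        if DRIVER.now() >= self.expires_at {
            return Poll::Ready(());
        }
        DRIVER.schedule_wake(self.expires_at, cx.waker());
        Poll::Pending
    }
}

/// Waker that only records whether wake() was ever called.
#[derive(Default)]
pub struct WakeFlag(AtomicBool);

impl Wake for WakeFlag {
    fn wake(self: Arc<Self>) {
        self.0.store(true, Ordering::SeqCst);
    }
}

/// Busy-polling executor: never parks, so Pending without a scheduled wake is
/// harmless. Returns the output and how many polls it took.
pub fn block_on<F: Future>(fut: F) -> (F::Output, u64) {
    let waker = Waker::from(Arc::new(WakeFlag::default()));
    let mut cx = Context::from_waker(&waker);
    let mut fut = pin!(fut);
    let mut polls = 0u64;
    loop {
        polls += 1;
        if let Poll::Ready(out) = fut.as_mut().poll(&mut cx) {
            return (out, polls);
        }
        std::hint::spin_loop();
    }
}

/// Drive a timer to completion: (polls, ticks elapsed on the driver clock).
pub fn run_timer(ticks: u64) -> (u64, u64) {
    let start = DRIVER.now();
    let ((), polls) = block_on(Timer::after_ticks(ticks));
    (polls, DRIVER.now() - start)
}

/// Poll a far-future timer exactly once: (was_pending, waker_called).
/// (true, false) is this driver's signature and the reason a parking executor
/// that sleeps until wake() would never resume.
pub fn single_poll_wakes() -> (bool, bool) {
    let flag = Arc::new(WakeFlag::default());
    let waker = Waker::from(flag.clone());
    let mut cx = Context::from_waker(&waker);
    let mut timer = pin!(Timer::after_ticks(TICK_HZ * 3600));
    let pending = timer.as_mut().poll(&mut cx).is_pending();
    (pending, flag.0.load(Ordering::SeqCst))
}

fn main() {
    let (polls, elapsed) = run_timer(2_000);
    println!("2 ms timer completed after {polls} polls, {elapsed} ticks");
    println!("single poll (pending, woken) = {:?}", single_poll_wakes());
}
```

The trade-off the real driver inherits is visible in `block_on`: it burns a core while waiting, which is acceptable for a measurement oracle but is the first thing to revisit once clock_in crosses the spar seam and the host can park the component.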