DragonX/ObsidianDragon
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity

docs(lite): archive superseded lite design/planning docs out of git tracking

Browse Source 
Consolidate the lite-wallet documentation down to the single active plan
(lite-wallet-implementation-plan-v2-2026-06-04.md). The 8 prior design/planning
docs — the superseded v1 plan, its runtime-promotion-matrix, the two phase2
runtime-bridge plans, and the four backend artifact/signing design docs — are
moved to docs/_archive/ (added to .gitignore), preserving them locally as
reference while decluttering the tracked tree.

The v2 plan's References section is rewritten to be self-contained: it points to
docs/_archive/ for the historical design docs and to the actual shipping
mechanisms (scripts/build-lite-backend-artifact.sh, lite_backend_artifact_*,
lite_bridge_runtime.cpp) so there are no dangling tracked links. No code,
CMake, or scripts referenced these docs.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
DanS
2026-06-05 20:14:56 -05:00
parent 59b8c4da81
commit cd60bded9f
10 changed files with 11 additions and 3393 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@@ -40,4 +40,6 @@ asmap.dat
/ObsidianDragon-agent/
# macOS
.DS_Store
.DS_Store
# Local-only archive of superseded lite-wallet design/planning docs (untracked)
docs/_archive/

587
docs/full-lite-wallet-implementation-plan-2026-05-18.md
View File

File diff suppressed because one or more lines are too long

97
docs/lite-wallet-backend-artifact-link-contract-2026-05-18.md
View File

@@ -1,97 +0,0 @@
# Lite Wallet Backend Artifact Link Contract - 2026-05-18
## Phase 1 Decision
The first production backend path is an explicitly configured imported CMake library. Runtime dynamic loading remains a Phase 2 bridge-runtime-owner task. External executable bridge mode is not part of the Phase 1 production contract.
The default build remains unchanged: `DRAGONX_ENABLE_LITE_BACKEND=OFF`. Full-node builds do not require Rust, SDXL, or lite backend artifacts.
## CMake Gate
The enabled lite backend path requires:
- `DRAGONX_BUILD_LITE=ON`
- `DRAGONX_ENABLE_LITE_BACKEND=ON`
- `DRAGONX_LITE_BACKEND_LIBRARY=<path to static or shared library>`
- `DRAGONX_LITE_BACKEND_SYMBOLS_FILE=<path to generated symbol inventory>`
- `DRAGONX_LITE_BACKEND_LINK_MODE=imported`
- `DRAGONX_LITE_BACKEND_ABI=sdxl-c-v1`
- `DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON` only when a release builder wants CMake to require verified signature metadata in the manifest
- `DRAGONX_LITE_BACKEND_EXTRA_LIBS=<verified platform extras>` only when a platform linker proves additional backend-native dependencies are required
When those values are accepted, CMake imports the library as `dragonx_lite_backend` and links it into `ObsidianDragonLite`. No runtime dynamic loading is attempted by this Phase 1 contract.
`DRAGONX_LITE_BACKEND_MANIFEST=<path to generated artifact manifest>` is optional, but if supplied it must exist. The symbol inventory is mandatory so enabled backend builds fail closed before link-time or runtime when the artifact does not expose the expected C ABI. If `DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON`, the manifest becomes mandatory and CMake rejects it unless the read-only signature metadata is verified and matches the artifact SHA-256.
`DRAGONX_LITE_BACKEND_EXTRA_LIBS` is intentionally a cache string instead of hardcoded platform guesses. Release builders should keep it empty for platforms that link successfully with the imported artifact and existing app/system libraries, and should document any non-empty value next to the platform artifact manifest that required it.
## Artifact Production
`scripts/build-lite-backend-artifact.sh` builds or inventories the SDXL-compatible backend artifact and writes:
- the copied backend library artifact,
- `lite-backend-symbols.txt`, one exported symbol per line,
- `lite-backend-artifact-manifest.json`, including SHA-256, byte size, source revisions, builder label, ABI, platform, and provenance facts.
See `docs/lite-wallet-backend-artifact-production-2026-05-18.md` for platform commands and the no-build inventory mode.
The relative backend source layout and signature metadata boundary are recorded in `docs/lite-wallet-backend-source-signature-plan-2026-05-20.md`. The maintained dependency source is now vendored under `external/SilentDragonXLite/silentdragonxlite-cli`, and the wrapper uses `silentdragonxlitelib = { path = "../silentdragonxlite-cli/lib" }`. The portable override remains available for comparison against an external checkout, but release verification should move to the relative source layout. Signature metadata is read-only verification inventory under `docs/lite-wallet-backend-signing-policy-2026-05-22.md`; signing itself stays outside CMake, runtime code, and Phase 1 artifact production.
## Platform Artifact Status
As of 2026-05-22, artifact production has moved past local Linux proof into clean-builder reproducibility and imported-link checks:
- Linux static artifact production is reproducible when built with `--reproducible`, an isolated `--cargo-target-dir`, and a remap for the current external `silentdragonxlitelib` path. Two clean Linux builds produced byte-identical archives with SHA-256 `12228f5b895db6cdafb0f643ecb5fbad1a3760b57b7fe98d7084a34644f34622`.
- Windows GNU static artifact production is reproducible on this host with `x86_64-pc-windows-gnu` and MinGW tools. Two clean Windows builds produced byte-identical archives with SHA-256 `bdf1e0175a89560d15232f6430d162c6c009806e048062c124ec40c0744e49be`.
- The artifact script now has a portable dependency override through `--silentdragonxlitelib-dir`, which prepares a generated backend wrapper under the output directory and records the override in artifact provenance instead of relying on the local absolute dependency path in the checked-in wrapper manifest.
- Clean Linux and Windows GNU builds using `--silentdragonxlitelib-dir /home/d/external/silentdragonxlite-cli/lib` are reproducible. The portable Linux archive SHA-256 is `aaef46b99fdc304be88427852797d6674ac330209b377be5447c1b0805635ea2`; the portable Windows GNU archive SHA-256 is `635a9e9bf3254955e63d1e9032e714488fa433cc249c8aabe636b5f18d2d1e3b`.
- The checked-in backend source now carries the relative `silentdragonxlitelib` layout. A Linux build without `--silentdragonxlitelib-dir` produced `build/lite-backend-relative-linux-b/linux/libsilentdragonxlite.a` with SHA-256 `8fd6c66ff661e13f768754de69d39e1a15ee55b6fdd530625a6018c867edde10`; its manifest records `portable_dependency_override: false`, `silentdragonxlitelib_revision: 6a178c8d08d9c1c153fb22759a68177cdb787be7`, `reproducible: true`, and `signing_requested: false`.
- Windows GNU clean builds from the checked-in relative source layout are reproducible. Two clean builds produced byte-identical `build/lite-backend-relative-windows-gnu-a/windows/libsilentdragonxlite.a` and `build/lite-backend-relative-windows-gnu-b/windows/libsilentdragonxlite.a` archives with SHA-256 `ca7677af58f61de4bd56311e76e32961d977da8fac2a3c5d158c1702f8807439`; both manifests record `portable_dependency_override: false`, `silentdragonxlitelib_revision: 6a178c8d08d9c1c153fb22759a68177cdb787be7`, `rust_target: x86_64-pc-windows-gnu`, `reproducible: true`, and `signing_requested: false`.
- The portable Linux artifact was accepted by CMake in `build/lite-backend-portable-verify`, linked into `ObsidianDragonTests`, and the focused suite printed `Focused service tests passed`. The same artifact also linked into the `ObsidianDragon` app target with `DRAGONX_LITE_BACKEND_EXTRA_LIBS` empty, producing `build/lite-backend-portable-verify/bin/ObsidianDragonLite` for inspection without launch.
- Windows GNU imported app linking is verified for the portable artifact from `/tmp/od-win-lite-link`. The first no-extra link proved missing `AcquireCredentialsHandleA`, `FreeCredentialsHandle`, `FreeContextBuffer`, and `GetUserProfileDirectoryW`; the successful builder value is `DRAGONX_LITE_BACKEND_EXTRA_LIBS=secur32;userenv`, producing `/tmp/od-win-lite-link/bin/ObsidianDragonLite.exe` as a PE32+ GUI x86-64 Windows executable. The executable was inspected but not run.
- Windows GNU imported app linking is also verified for the relative-source artifact from `/tmp/od-win-relative-link` with the same `DRAGONX_LITE_BACKEND_EXTRA_LIBS=secur32;userenv` value, producing `/tmp/od-win-relative-link/bin/ObsidianDragonLite.exe` as a PE32+ GUI x86-64 Windows executable. The import table includes `Secur32.dll` and `USERENV.dll`; the executable was inspected but not run.
- The Windows GNU link run also proved the need for a Windows-only short CMake wrapper for the overlong Batch 90 generated source basename, because MinGW dependency files append `.obj.d` and exceed the filename component limit otherwise.
- macOS artifact production is blocked on this Linux workspace until an Apple Rust target and Apple/osxcross linker toolchain are available, and is deferred for now by operator request. The blocker was rechecked twice on 2026-05-20 and again on 2026-05-22; the host still has no installed Apple Rust targets, no Xcode, no `/opt/osxcross`, no Apple/osxcross compiler wrappers, and no Apple linker environment variables. The 2026-05-22 checked-in relative-source attempt with `--rust-target x86_64-apple-darwin` reached Cargo and failed with missing `compiler_builtins`, `core`, `alloc`, and `std` for that target. No macOS archive, symbol inventory, manifest, imported-link result, or extra-link-library value has been produced yet. The macOS builder prerequisites, command shape, acceptance criteria, and platform link-library planning notes remain recorded in the artifact production guide for a future continuation.
- Platform native link libraries are not being guessed in CMake. Linux test/app linking currently succeeds with `DRAGONX_LITE_BACKEND_EXTRA_LIBS` empty, Windows GNU app linking succeeds with `secur32;userenv`, and macOS imported-link verification must record any actual extra backend-specific libraries after Darwin linker proof.
Both verified platform artifacts expose `blake3_PW` plus all eight required `litelib_*` symbols. These checks still do not load, resolve, or call the backend at runtime.
## Required C ABI
The artifact must export these C symbols, matching `LiteClientBridgeApi`:
| Symbol | Purpose | Return ownership |
| --- | --- | --- |
| `litelib_wallet_exists` | Check wallet existence for a chain | caller does not free |
| `litelib_initialize_new` | Create a new wallet | returned string must be freed |
| `litelib_initialize_new_from_phrase` | Restore wallet from seed phrase | returned string must be freed |
| `litelib_initialize_existing` | Open an existing wallet | returned string must be freed |
| `litelib_execute` | Execute SDXL command strings such as sync, syncstatus, balance, list, send, import, export, save, shield, and encryption commands | returned string must be freed |
| `litelib_rust_free_string` | Free strings returned by the Rust backend | cleanup function |
| `litelib_check_server_online` | Check lite server availability | caller does not free |
| `litelib_shutdown` | Shut down backend resources | no returned value |
The supported ABI version label is `sdxl-c-v1`.
## Contract Helper
`src/wallet/lite_backend_artifact_contract.h/.cpp` adds `LiteBackendArtifactContract`. It validates caller-supplied artifact metadata and exported-symbol inventory, then produces a `LiteBackendArtifactResolverInput` for the existing read-only resolver.
The helper verifies:
- contract owner and read-only gate are ready,
- link mode is the Phase 1 imported-library path,
- artifact path is configured,
- artifact kind is static or shared library,
- ABI version is `sdxl-c-v1`,
- required signature metadata is complete and verified when release policy requires it,
- symbol inventory owner is ready,
- all required C ABI symbols are present,
- no artifact mutation, dynamic library load/unload, symbol resolution, SDXL call, bridge call, server check, lifecycle, sync, worker, `WalletState`, persistence, upload, signing, or publication action is requested.
The helper never loads the artifact, resolves symbols, calls the bridge, calls SDXL, or enables runtime activation.
## Remaining Phase 1 Work
- macOS artifact and imported-link verification is deferred for now by operator request; when resumed on a macOS host or configured osxcross builder, record any proven `DRAGONX_LITE_BACKEND_EXTRA_LIBS` values next to the artifact manifests.
- Read-only signature metadata capture and the optional CMake signature gate are implemented; signing itself remains outside wallet runtime code. Capture real signed-artifact evidence only when a release builder provides sidecar signatures.

553
docs/lite-wallet-backend-artifact-production-2026-05-18.md
View File

@@ -1,553 +0,0 @@
# Lite Wallet Backend Artifact Production - 2026-05-18
## Purpose
Phase 1 now has a concrete external artifact-production entry point for the SDXL-compatible lite backend. The wallet runtime still does not load, resolve, call, sign, upload, publish, or mutate backend artifacts.
The production handoff is:
1. Build or inventory the Rust backend from `external/SilentDragonXLite/lib`.
2. Capture a one-symbol-per-line exported-symbol inventory.
3. Capture SHA-256, size, file metadata, source revision, builder label, and artifact-set provenance in a JSON manifest.
4. Optionally capture read-only signature verification metadata after a release builder has already verified a sidecar signature.
5. Pass the artifact path and symbol inventory into CMake when explicitly enabling the lite backend.
## Script
Use `scripts/build-lite-backend-artifact.sh`.
Linux host build:
```bash
scripts/build-lite-backend-artifact.sh --platform linux
```
Clean reproducible Linux host build:
```bash
scripts/build-lite-backend-artifact.sh \
--platform linux \
--silentdragonxlitelib-dir /path/to/silentdragonxlite-cli/lib \
--reproducible \
--cargo-target-dir build/lite-backend-cargo-repro \
--out-dir build/lite-backend-repro \
--builder phase1-repro
```
Windows cross build with the GNU target:
```bash
scripts/build-lite-backend-artifact.sh --platform windows --rust-target x86_64-pc-windows-gnu
```
macOS builds must run on macOS or provide an explicit Apple Rust target from a configured cross toolchain:
```bash
scripts/build-lite-backend-artifact.sh \
--platform macos \
--rust-target x86_64-apple-darwin \
--silentdragonxlitelib-dir /path/to/silentdragonxlite-cli/lib
```
To inventory an already-built artifact without running Cargo:
```bash
scripts/build-lite-backend-artifact.sh --platform linux --artifact /path/to/libsilentdragonxlite.a --no-build
```
To require read-only signature verification metadata after an external verifier has already checked the artifact:
```bash
scripts/build-lite-backend-artifact.sh \
--platform linux \
--artifact /path/to/libsilentdragonxlite.a \
--no-build \
--signature-required \
--signature-file /path/to/libsilentdragonxlite.a.minisig \
--signature-format minisign \
--signature-verification-tool "minisign 0.11" \
--signature-key-fingerprint "<reviewed-public-key-fingerprint>" \
--signature-verified-sha256 "<artifact-sha256>"
```
The script writes:
- `build/lite-backend/<platform>/<artifact>`
- `build/lite-backend/<platform>/lite-backend-symbols.txt`
- `build/lite-backend/<platform>/lite-backend-artifact-manifest.json`
It uses `cargo build --locked --lib --release`, `CARGO_INCREMENTAL=0`, and `SOURCE_DATE_EPOCH` when building. If `SOURCE_DATE_EPOCH` is not already set, the project commit timestamp is used.
`--cargo-target-dir` isolates Cargo output for clean-builder checks. `--reproducible` appends deterministic Rust `--remap-path-prefix` flags for the project, backend source, discovered or overridden `silentdragonxlitelib` source, Cargo home, and selected Cargo target directory. Use repeated `--remap-path-prefix FROM=TO` values only for additional source paths outside those defaults. Reproducibility should be checked by running the same command twice with different clean target directories and comparing the artifact SHA-256 and the filtered symbol inventory.
## Portable Backend Dependency Path Plan
The checked-in wrapper at `external/SilentDragonXLite/lib/Cargo.toml` now references `silentdragonxlitelib` through the relative path `../silentdragonxlite-cli/lib`. The maintained dependency source is vendored under `external/SilentDragonXLite/silentdragonxlite-cli` from revision `6a178c8d08d9c1c153fb22759a68177cdb787be7`, with no `.git` or `target/` build output imported and stale workflow conflict-backup files pruned from the vendored copy.
The Phase 1 portable builder contract is:
- Preferred current path: build with `--backend-dir external/SilentDragonXLite/lib` and no `--silentdragonxlitelib-dir`; the script discovers the relative dependency, validates that it is package `silentdragonxlitelib`, remaps it in reproducible mode, and records it in manifest provenance with `portable_dependency_override: false`.
- Acceptable comparison path: pass `--silentdragonxlitelib-dir /path/to/silentdragonxlite-cli/lib` to compare against an external maintained checkout. The script validates that directory, creates a generated wrapper under `<out>/.prepared-backend/<platform>`, patches only that generated `Cargo.toml`, and records `portable_dependency_override: true`.
- Source cleanup status: the absolute dependency path has been removed from the checked-in wrapper; release runbooks should move from the override path to the relative source layout after Linux/Windows/macOS platform verification is refreshed.
- Rejected release path: depending on `/home/d/external/silentdragonxlite-cli/lib` or any other builder-local absolute path in the committed backend source.
The artifact manifest records `portable_dependency_override`, `cargo_build_source`, `silentdragonxlitelib_source`, and `silentdragonxlitelib_revision` under `provenance` for both the relative source layout and the override path. Reproducible mode remaps the dependency source to `/dragonx-lite-backend-dependency`, so release commands do not need a local `/home/d/external` remap for that dependency.
The target source cleanup and signature metadata boundary are detailed in `docs/lite-wallet-backend-source-signature-plan-2026-05-20.md`. The relative source layout is now implemented; signature metadata remains read-only artifact inventory to add only after a signing policy exists. Phase 1 artifact production must not sign, upload, publish, or mutate artifacts.
The first Linux build from the relative source layout succeeded without `--silentdragonxlitelib-dir`: `build/lite-backend-relative-linux-b/linux/libsilentdragonxlite.a` has SHA-256 `8fd6c66ff661e13f768754de69d39e1a15ee55b6fdd530625a6018c867edde10`, exported `blake3_PW` plus all eight required `litelib_*` symbols, and produced a manifest with `portable_dependency_override: false`, `silentdragonxlitelib_revision: 6a178c8d08d9c1c153fb22759a68177cdb787be7`, `reproducible: true`, and `signing_requested: false`.
## Signature Metadata Plan
The signing policy is defined in `docs/lite-wallet-backend-signing-policy-2026-05-22.md`. The manifest now always includes a `signature_verification` object using policy `dragonx-lite-backend-signature-policy-v1` while keeping `signing_requested: false`.
For unsigned local inventory, `metadata_provided` is `false` and `verification_status` is `not-provided`. When any signature metadata flag is supplied, or when `--signature-required` is used, the script fails closed unless the sidecar signature exists, the format is accepted, the verifier tool is recorded, a reviewed key fingerprint or certificate identity is present, and the verified artifact SHA-256 matches the artifact bytes recorded in the manifest.
The wallet runtime, `LiteBackendArtifactContract`, CMake gate, and release readiness scaffolds continue to reject signing requests and do not create signatures. `DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON` is available for release builders that want CMake to require verified signature metadata before importing the backend library.
## Required Symbols
The exported-symbol inventory must contain the Phase 1 ABI surface required by `LiteClientBridgeApi`:
- `litelib_wallet_exists`
- `litelib_initialize_new`
- `litelib_initialize_new_from_phrase`
- `litelib_initialize_existing`
- `litelib_execute`
- `litelib_rust_free_string`
- `litelib_check_server_online`
- `litelib_shutdown`
The inventory may contain extra SDXL symbols such as `blake3_PW`, but CMake and `LiteBackendArtifactContract` require the eight symbols above.
## CMake Use
When the lite backend is explicitly enabled, CMake now requires the generated symbol inventory:
```bash
cmake -S . -B build/lite \
-DDRAGONX_BUILD_LITE=ON \
-DDRAGONX_ENABLE_LITE_BACKEND=ON \
-DDRAGONX_LITE_BACKEND_LIBRARY=build/lite-backend/linux/libsilentdragonxlite.a \
-DDRAGONX_LITE_BACKEND_SYMBOLS_FILE=build/lite-backend/linux/lite-backend-symbols.txt \
-DDRAGONX_LITE_BACKEND_MANIFEST=build/lite-backend/linux/lite-backend-artifact-manifest.json \
-DDRAGONX_LITE_BACKEND_LINK_MODE=imported \
-DDRAGONX_LITE_BACKEND_ABI=sdxl-c-v1
```
`DRAGONX_LITE_BACKEND_MANIFEST` is optional metadata for release traceability, but if supplied it must exist. `DRAGONX_LITE_BACKEND_SYMBOLS_FILE` is mandatory when `DRAGONX_ENABLE_LITE_BACKEND=ON`.
`DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON` is optional and requires `DRAGONX_LITE_BACKEND_MANIFEST`. When enabled, CMake requires `signature_verification.verification_status` to be `verified` and requires `signature_verification.verified_artifact_sha256` to match `artifact.sha256` in the manifest before importing the backend library.
`DRAGONX_LITE_BACKEND_EXTRA_LIBS` is the Phase 1 escape hatch for platform-native or backend-specific static-link dependencies that are discovered by real linker runs. The current contract is to keep it empty until a platform linker proves an additional library or framework is required, then record the exact value used by the release builder.
## Linux Verification
On 2026-05-18, the Linux artifact path was verified on this workspace with:
```bash
scripts/build-lite-backend-artifact.sh \
--platform linux \
--out-dir build/lite-backend-real \
--builder phase1-real-build
```
Result:
- artifact: `build/lite-backend-real/linux/libsilentdragonxlite.a`
- size: `126158088` bytes
- SHA-256: `1a568ac1e90908adeede28e26f478f7b0dce7cf5bd7b9893ce7efa32e842e1ee`
- manifest: `build/lite-backend-real/linux/lite-backend-artifact-manifest.json`
- symbols: `build/lite-backend-real/linux/lite-backend-symbols.txt`
The symbol inventory contains `blake3_PW` plus all eight required `litelib_*` symbols. The manifest reports schema `dragonx.lite.backend-artifact.v1`, ABI `sdxl-c-v1`, link mode `imported`, platform `linux`, kind `static-library`, builder `phase1-real-build`, and no missing required symbols.
The generated artifact was then accepted by CMake:
```bash
cmake -S . -B build/lite-backend-verify \
-DDRAGONX_BUILD_LITE=ON \
-DDRAGONX_ENABLE_LITE_BACKEND=ON \
-DDRAGONX_LITE_BACKEND_LIBRARY="$PWD/build/lite-backend-real/linux/libsilentdragonxlite.a" \
-DDRAGONX_LITE_BACKEND_SYMBOLS_FILE="$PWD/build/lite-backend-real/linux/lite-backend-symbols.txt" \
-DDRAGONX_LITE_BACKEND_MANIFEST="$PWD/build/lite-backend-real/linux/lite-backend-artifact-manifest.json" \
-DDRAGONX_LITE_BACKEND_LINK_MODE=imported \
-DDRAGONX_LITE_BACKEND_ABI=sdxl-c-v1
```
`cmake --build build/lite-backend-verify --target ObsidianDragonTests` linked successfully against the real static backend artifact, and `./build/lite-backend-verify/bin/ObsidianDragonTests` printed `Focused service tests passed`.
This verification proves the Linux imported-library path, symbol inventory gate, manifest handoff, and focused test link path. It does not execute runtime SDXL wallet/network behavior.
## Clean Linux Reproducibility Verification
On 2026-05-18, isolated Linux builds without path remapping produced identical ABI symbol inventories but different static archive bytes because the archive embedded Cargo target-directory paths and LLVM-suffixed internal symbols. Reproducible mode was added for artifact production and then verified with two clean target directories:
```bash
scripts/build-lite-backend-artifact.sh \
--platform linux \
--reproducible \
--remap-path-prefix /home/d/external=/dragonx-external \
--cargo-target-dir build/lite-backend-cargo-repro-a \
--out-dir build/lite-backend-repro-a \
--builder phase1-repro-a
scripts/build-lite-backend-artifact.sh \
--platform linux \
--reproducible \
--remap-path-prefix /home/d/external=/dragonx-external \
--cargo-target-dir build/lite-backend-cargo-repro-b \
--out-dir build/lite-backend-repro-b \
--builder phase1-repro-b
```
Result:
- artifact: `build/lite-backend-repro-a/linux/libsilentdragonxlite.a`
- size: `126147788` bytes
- SHA-256: `12228f5b895db6cdafb0f643ecb5fbad1a3760b57b7fe98d7084a34644f34622`
- manifest reproducible flag: `true`
- second clean artifact SHA-256: `12228f5b895db6cdafb0f643ecb5fbad1a3760b57b7fe98d7084a34644f34622`
- archive byte comparison: identical
- filtered symbol inventory comparison: identical
The filtered inventory contains `blake3_PW` plus all eight required `litelib_*` symbols.
The reproducible Linux artifact was also accepted by CMake in `build/lite-backend-repro-verify`, linked into `ObsidianDragonTests`, and `./build/lite-backend-repro-verify/bin/ObsidianDragonTests` printed `Focused service tests passed`.
On 2026-05-19, the portable dependency override path was verified with two clean Linux builds that supplied `silentdragonxlitelib` through `--silentdragonxlitelib-dir` instead of relying on the checked-in absolute path:
```bash
scripts/build-lite-backend-artifact.sh \
--platform linux \
--silentdragonxlitelib-dir /home/d/external/silentdragonxlite-cli/lib \
--reproducible \
--cargo-target-dir build/lite-backend-cargo-portable-linux-a \
--out-dir build/lite-backend-portable-linux-a \
--builder phase1-portable-linux-a
scripts/build-lite-backend-artifact.sh \
--platform linux \
--silentdragonxlitelib-dir /home/d/external/silentdragonxlite-cli/lib \
--reproducible \
--cargo-target-dir build/lite-backend-cargo-portable-linux-b \
--out-dir build/lite-backend-portable-linux-b \
--builder phase1-portable-linux-b
```
Result:
- artifact: `build/lite-backend-portable-linux-a/linux/libsilentdragonxlite.a`
- size: `126148614` bytes
- SHA-256: `aaef46b99fdc304be88427852797d6674ac330209b377be5447c1b0805635ea2`
- manifest reproducible flag: `true`
- manifest portable dependency override: `true`
- `silentdragonxlitelib` revision: `6a178c8d08d9c1c153fb22759a68177cdb787be7`
- second clean artifact SHA-256: `aaef46b99fdc304be88427852797d6674ac330209b377be5447c1b0805635ea2`
- archive byte comparison: identical
- filtered symbol inventory comparison: identical
The filtered inventory contains `blake3_PW` plus all eight required `litelib_*` symbols. This run proves the portable dependency override can replace the previous `/home/d/external` source-path remap for the dependency itself during Linux artifact production.
The portable Linux artifact was also accepted by CMake in `build/lite-backend-portable-verify` with `DRAGONX_LITE_BACKEND_LIBRARY`, `DRAGONX_LITE_BACKEND_SYMBOLS_FILE`, `DRAGONX_LITE_BACKEND_MANIFEST`, `DRAGONX_LITE_BACKEND_LINK_MODE=imported`, and `DRAGONX_LITE_BACKEND_ABI=sdxl-c-v1` pointing at `build/lite-backend-portable-linux-a/linux/`. `cmake --build build/lite-backend-portable-verify --target ObsidianDragonTests` linked successfully against the portable static backend artifact, and `./build/lite-backend-portable-verify/bin/ObsidianDragonTests` printed `Focused service tests passed`.
On 2026-05-20, the same portable Linux artifact was also linked into the app target without extra backend libraries:
```bash
cmake --build build/lite-backend-portable-verify --target ObsidianDragon
```
Result:
- binary: `build/lite-backend-portable-verify/bin/ObsidianDragonLite`
- size: `100026080` bytes
- file type: ELF 64-bit LSB PIE x86-64 Linux executable, dynamically linked
- backend extras: `DRAGONX_LITE_BACKEND_EXTRA_LIBS:STRING=`
- dynamic dependencies: normal Linux/system/app dependencies including `libcurl.so.4`, `libsodium.so.23`, `libOpenGL.so.0`, `libstdc++.so.6`, `libssl.so.3`, `libcrypto.so.3`, and standard system libraries
This proves the Linux release app target can link the portable imported backend artifact. The app binary was inspected but not launched.
## Windows GNU Verification
On 2026-05-18, this workspace had the `x86_64-pc-windows-gnu` Rust target and MinGW symbol tools available, including `/usr/bin/x86_64-w64-mingw32-gcc` and `/usr/bin/x86_64-w64-mingw32-nm`. The Windows GNU artifact was built with reproducible mode:
```bash
scripts/build-lite-backend-artifact.sh \
--platform windows \
--rust-target x86_64-pc-windows-gnu \
--reproducible \
--remap-path-prefix /home/d/external=/dragonx-external \
--cargo-target-dir build/lite-backend-cargo-windows \
--out-dir build/lite-backend-windows \
--builder phase1-windows-gnu
```
A second clean Windows GNU build with a separate Cargo target directory produced the same archive bytes and the same filtered symbol inventory.
Result:
- artifact: `build/lite-backend-windows/windows/libsilentdragonxlite.a`
- rust target: `x86_64-pc-windows-gnu`
- size: `105565566` bytes
- SHA-256: `bdf1e0175a89560d15232f6430d162c6c009806e048062c124ec40c0744e49be`
- symbol tool: `x86_64-w64-mingw32-nm`
- manifest reproducible flag: `true`
- archive byte comparison with second clean build: identical
- filtered symbol inventory comparison with second clean build: identical
The filtered inventory contains `blake3_PW` plus all eight required `litelib_*` symbols.
On 2026-05-19, the Windows GNU reproducibility check was repeated with `--silentdragonxlitelib-dir` so the wrapper dependency path was supplied through portable builder input instead of the checked-in absolute path:
```bash
scripts/build-lite-backend-artifact.sh \
--platform windows \
--rust-target x86_64-pc-windows-gnu \
--silentdragonxlitelib-dir /home/d/external/silentdragonxlite-cli/lib \
--reproducible \
--cargo-target-dir build/lite-backend-cargo-portable-windows-a \
--out-dir build/lite-backend-portable-windows-a \
--builder phase1-portable-windows-a
scripts/build-lite-backend-artifact.sh \
--platform windows \
--rust-target x86_64-pc-windows-gnu \
--silentdragonxlitelib-dir /home/d/external/silentdragonxlite-cli/lib \
--reproducible \
--cargo-target-dir build/lite-backend-cargo-portable-windows-b \
--out-dir build/lite-backend-portable-windows-b \
--builder phase1-portable-windows-b
```
Result:
- artifact: `build/lite-backend-portable-windows-a/windows/libsilentdragonxlite.a`
- rust target: `x86_64-pc-windows-gnu`
- size: `105565096` bytes
- SHA-256: `635a9e9bf3254955e63d1e9032e714488fa433cc249c8aabe636b5f18d2d1e3b`
- symbol tool: `x86_64-w64-mingw32-nm`
- manifest reproducible flag: `true`
- manifest portable dependency override: `true`
- `silentdragonxlitelib` revision: `6a178c8d08d9c1c153fb22759a68177cdb787be7`
- second clean artifact SHA-256: `635a9e9bf3254955e63d1e9032e714488fa433cc249c8aabe636b5f18d2d1e3b`
- archive byte comparison: identical
- filtered symbol inventory comparison: identical
The filtered inventory contains `blake3_PW` plus all eight required `litelib_*` symbols.
On 2026-05-22, the Windows GNU reproducibility check was repeated from the checked-in relative source layout without `--silentdragonxlitelib-dir`:
```bash
scripts/build-lite-backend-artifact.sh \
--platform windows \
--rust-target x86_64-pc-windows-gnu \
--backend-dir external/SilentDragonXLite/lib \
--reproducible \
--cargo-target-dir build/lite-backend-relative-target-windows-gnu-a \
--out-dir build/lite-backend-relative-windows-gnu-a \
--builder phase1-relative-windows-gnu-a
scripts/build-lite-backend-artifact.sh \
--platform windows \
--rust-target x86_64-pc-windows-gnu \
--backend-dir external/SilentDragonXLite/lib \
--reproducible \
--cargo-target-dir build/lite-backend-relative-target-windows-gnu-b \
--out-dir build/lite-backend-relative-windows-gnu-b \
--builder phase1-relative-windows-gnu-b
```
Result:
- artifact: `build/lite-backend-relative-windows-gnu-a/windows/libsilentdragonxlite.a`
- rust target: `x86_64-pc-windows-gnu`
- SHA-256: `ca7677af58f61de4bd56311e76e32961d977da8fac2a3c5d158c1702f8807439`
- symbol tool: `x86_64-w64-mingw32-nm`
- manifest reproducible flag: `true`
- manifest portable dependency override: `false`
- `silentdragonxlitelib` revision: `6a178c8d08d9c1c153fb22759a68177cdb787be7`
- second clean artifact SHA-256: `ca7677af58f61de4bd56311e76e32961d977da8fac2a3c5d158c1702f8807439`
- archive byte comparison: identical
- filtered symbol inventory comparison: identical
The filtered inventory contains `blake3_PW` plus all eight required `litelib_*` symbols.
On 2026-05-20, the portable Windows GNU artifact was accepted by CMake and linked into the app target from a short build directory:
```bash
cmake -S . -B /tmp/od-win-lite-link \
-DCMAKE_TOOLCHAIN_FILE="$PWD/build/windows/mingw-toolchain.cmake" \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_OBJECT_PATH_MAX=128 \
-DDRAGONX_USE_SYSTEM_SDL3=OFF \
-DDRAGONX_BUILD_LITE=ON \
-DDRAGONX_ENABLE_LITE_BACKEND=ON \
-DDRAGONX_LITE_BACKEND_LIBRARY="$PWD/build/lite-backend-portable-windows-a/windows/libsilentdragonxlite.a" \
-DDRAGONX_LITE_BACKEND_SYMBOLS_FILE="$PWD/build/lite-backend-portable-windows-a/windows/lite-backend-symbols.txt" \
-DDRAGONX_LITE_BACKEND_MANIFEST="$PWD/build/lite-backend-portable-windows-a/windows/lite-backend-artifact-manifest.json" \
-DDRAGONX_LITE_BACKEND_LINK_MODE=imported \
-DDRAGONX_LITE_BACKEND_ABI=sdxl-c-v1 \
'-DDRAGONX_LITE_BACKEND_EXTRA_LIBS=secur32;userenv'
cmake --build /tmp/od-win-lite-link --target ObsidianDragon -j $(nproc)
```
The first Windows GNU link attempt without extra backend libraries reached the real linker and failed on `AcquireCredentialsHandleA`, `FreeCredentialsHandle`, `FreeContextBuffer`, and `GetUserProfileDirectoryW`. The successful imported-link value is therefore `DRAGONX_LITE_BACKEND_EXTRA_LIBS=secur32;userenv`.
Result:
- binary: `/tmp/od-win-lite-link/bin/ObsidianDragonLite.exe`
- size: `106366143` bytes
- file type: PE32+ executable (GUI) x86-64, for MS Windows
- imported backend-extra DLL evidence: `Secur32.dll` and `USERENV.dll`
- other imported DLLs observed: `ADVAPI32.dll`, `CRYPT32.dll`, `D3DCOMPILER_47.dll`, `GDI32.dll`, `HID.DLL`, `IMM32.dll`, `IPHLPAPI.DLL`, `KERNEL32.dll`, `OLEAUT32.dll`, `PSAPI.DLL`, `SETUPAPI.dll`, `SHELL32.dll`, `USER32.dll`, `VERSION.dll`, `WINMM.dll`, `WS2_32.dll`, `bcrypt.dll`, `d3d11.dll`, `dcomp.dll`, `dwmapi.dll`, `msvcrt.dll`, and `ole32.dll`
MinGW also exposed a path-component issue before link: the generated Batch 90 source basename plus `.obj.d` exceeded the Windows filename component limit. CMake now uses a Windows-only generated wrapper source under `generated/short_sources/lite_batch90_receipt_plan.cpp` that includes the original source, and the successful build log confirmed `generated/short_sources/lite_batch90_receipt_plan.cpp.obj` was compiled. The Windows executable was inspected but not run.
On 2026-05-22, the relative-source Windows GNU artifact was accepted by CMake and linked into the app target from `/tmp/od-win-relative-link`:
```bash
cmake -S . -B /tmp/od-win-relative-link \
-DCMAKE_TOOLCHAIN_FILE="$PWD/build/windows/mingw-toolchain.cmake" \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_OBJECT_PATH_MAX=128 \
-DDRAGONX_USE_SYSTEM_SDL3=OFF \
-DDRAGONX_BUILD_LITE=ON \
-DDRAGONX_ENABLE_LITE_BACKEND=ON \
-DDRAGONX_LITE_BACKEND_LIBRARY="$PWD/build/lite-backend-relative-windows-gnu-a/windows/libsilentdragonxlite.a" \
-DDRAGONX_LITE_BACKEND_SYMBOLS_FILE="$PWD/build/lite-backend-relative-windows-gnu-a/windows/lite-backend-symbols.txt" \
-DDRAGONX_LITE_BACKEND_MANIFEST="$PWD/build/lite-backend-relative-windows-gnu-a/windows/lite-backend-artifact-manifest.json" \
-DDRAGONX_LITE_BACKEND_LINK_MODE=imported \
-DDRAGONX_LITE_BACKEND_ABI=sdxl-c-v1 \
'-DDRAGONX_LITE_BACKEND_EXTRA_LIBS=secur32;userenv'
cmake --build /tmp/od-win-relative-link --target ObsidianDragon -j $(nproc)
```
Result:
- binary: `/tmp/od-win-relative-link/bin/ObsidianDragonLite.exe`
- file type: PE32+ executable (GUI) x86-64, for MS Windows
- imported backend-extra DLL evidence: `Secur32.dll` and `USERENV.dll`
- other imported DLLs observed: `ADVAPI32.dll`, `CRYPT32.dll`, `D3DCOMPILER_47.dll`, `GDI32.dll`, `HID.DLL`, `IMM32.dll`, `IPHLPAPI.DLL`, `KERNEL32.dll`, `OLEAUT32.dll`, `PSAPI.DLL`, `SETUPAPI.dll`, `SHELL32.dll`, `USER32.dll`, `VERSION.dll`, `WINMM.dll`, `WS2_32.dll`, `bcrypt.dll`, `d3d11.dll`, `dcomp.dll`, `dwmapi.dll`, `msvcrt.dll`, and `ole32.dll`
This verifies that the checked-in relative source layout preserves the Windows GNU imported app link contract with the previously proven `secur32;userenv` backend extras. The executable was inspected but not run.
## macOS Verification Status
macOS artifact production was not attempted on 2026-05-18 because this Linux workspace is missing the required Darwin cross-build inputs:
- no installed Rust Apple target such as `x86_64-apple-darwin` or `aarch64-apple-darwin`,
- no Apple/osxcross compiler wrapper such as `o64-clang`, `x86_64-apple-darwin-clang`, or `x86_64-apple-darwin20.4-clang`,
- no `osxcross-conf`,
- no `/opt/osxcross` toolchain directory.
macOS remains a Phase 1 platform-artifact verification blocker until a macOS host or configured osxcross builder is available.
The blocker was rechecked on 2026-05-20 from this Linux/WSL workspace. No Apple Rust targets are installed, Xcode is absent, `/opt/osxcross` is absent, and the Apple/osxcross compiler wrappers `o64-clang`, `x86_64-apple-darwin-clang`, `x86_64-apple-darwin20.4-clang`, `aarch64-apple-darwin-clang`, and `aarch64-apple-darwin20.4-clang` are missing. `llvm-nm` is available for future symbol inventory work, but it is not enough without an Apple target and linker. The artifact script also fails closed for a Linux-hosted macOS request without an explicit Rust target: `macOS artifacts require --rust-target when not running on macOS`.
The macOS/osxcross builder preflight was repeated later on 2026-05-20 for the Phase 1 macOS verification slice. This shell is still Linux/WSL, has Rust/Cargo `1.63.0`, `clang`, and `llvm-nm`, but has no installed Apple/Darwin Rust targets, no `xcodebuild`/`xcrun`, no `otool`/`lipo`, no `/opt/osxcross`, no osxcross compiler/archive wrappers, and no Apple linker environment variables such as `CARGO_TARGET_*APPLE_DARWIN_LINKER`, `CC_x86_64_apple_darwin`, or `CC_aarch64_apple_darwin`. The attempted artifact command failed closed before producing a macOS artifact:
```bash
scripts/build-lite-backend-artifact.sh \
--platform macos \
--silentdragonxlitelib-dir /home/d/external/silentdragonxlite-cli/lib \
--reproducible \
--cargo-target-dir /tmp/od-lite-macos-cargo-preflight \
--out-dir /tmp/od-lite-macos-artifact-preflight \
--builder phase1-macos-preflight
```
Result: `[lite-backend] ERROR: macOS artifacts require --rust-target when not running on macOS`. No macOS archive, symbol inventory, manifest, CMake imported-link result, or `DRAGONX_LITE_BACKEND_EXTRA_LIBS` value was produced on this host.
The macOS/osxcross preflight was repeated on 2026-05-22 from the checked-in relative source layout. This shell still has Rust/Cargo `1.63.0`, `clang`, and `llvm-nm`, but has no installed Apple/Darwin Rust targets, no `xcodebuild`/`xcrun`, no `otool`/`lipo`, no `/opt/osxcross`, no osxcross compiler/archive wrappers, and no Apple linker environment variables. The explicit relative-source artifact attempt reached Cargo with `--rust-target x86_64-apple-darwin` and failed because the target standard libraries are unavailable:
```bash
scripts/build-lite-backend-artifact.sh \
--platform macos \
--rust-target x86_64-apple-darwin \
--backend-dir external/SilentDragonXLite/lib \
--out-dir /tmp/od-lite-macos-relative-artifact-preflight \
--cargo-target-dir /tmp/od-lite-macos-relative-cargo-preflight \
--reproducible \
--builder phase1-macos-relative-preflight
```
Result: Cargo exited with code `101` and reported missing `compiler_builtins`, `core`, `alloc`, and `std` for `x86_64-apple-darwin`, with the expected `rustup target add x86_64-apple-darwin` hint. No `/tmp/od-lite-macos-relative-artifact-preflight/macos/libsilentdragonxlite.a` archive or `lite-backend-artifact-manifest.json` manifest was produced, so macOS imported-link verification still cannot proceed on this host.
On 2026-05-22, macOS artifact and imported-link verification was deferred by operator request. The builder prerequisites, command shape, and acceptance criteria remain below for a future macOS/osxcross continuation, but current Phase 1 local work should not keep retrying macOS tasks until that deferral is lifted.
## macOS Artifact Verification Plan
The macOS verification run must be performed on a macOS host or on a Linux builder with a configured osxcross/Apple SDK toolchain. The repository does not vendor the Apple SDK or handle Apple license acceptance.
Builder prerequisites:
- Rust Apple target installed, at minimum `x86_64-apple-darwin`; add `aarch64-apple-darwin` when Apple Silicon artifacts are in scope.
- Apple linker/compiler wrappers available, for example `clang` on macOS or osxcross tools such as `o64-clang`, `x86_64-apple-darwin-clang`, and matching `ar`/`ranlib` tools.
- `llvm-nm` or a Darwin-capable `nm` available for static archive symbol inventory.
- The checked-in relative source layout under `external/SilentDragonXLite/lib` and `external/SilentDragonXLite/silentdragonxlite-cli`; use `--silentdragonxlitelib-dir` only for comparison against an external maintained checkout.
- Isolated Cargo target directories for two clean reproducibility runs.
Command shape for an Intel macOS artifact:
```bash
scripts/build-lite-backend-artifact.sh \
--platform macos \
--rust-target x86_64-apple-darwin \
--backend-dir external/SilentDragonXLite/lib \
--reproducible \
--cargo-target-dir build/lite-backend-relative-target-macos-x64-a \
--out-dir build/lite-backend-relative-macos-x64-a \
--builder phase1-relative-macos-x64-a
```
Repeat the same command with a second clean Cargo target and output directory, then compare the archive SHA-256 values and filtered `lite-backend-symbols.txt` files. For osxcross builders, set the target linker/compiler environment before running the same script command, for example `CARGO_TARGET_X86_64_APPLE_DARWIN_LINKER=o64-clang` and `CC_x86_64_apple_darwin=o64-clang`.
macOS acceptance criteria:
- The script generates a `dragonx.lite.backend-artifact.v1` manifest with platform `macos`, ABI `sdxl-c-v1`, link mode `imported`, and reproducible provenance for build runs that use `--reproducible`.
- `lite-backend-symbols.txt` contains `blake3_PW` if exported plus all eight required `litelib_*` symbols.
- Two clean macOS builds are byte-identical, or any remaining nondeterminism is documented with identical required-symbol inventories and a follow-up owner.
- On a macOS builder capable of linking the wallet tests, CMake accepts the generated artifact through `DRAGONX_LITE_BACKEND_LIBRARY`, `DRAGONX_LITE_BACKEND_SYMBOLS_FILE`, `DRAGONX_LITE_BACKEND_MANIFEST`, `DRAGONX_LITE_BACKEND_LINK_MODE=imported`, and `DRAGONX_LITE_BACKEND_ABI=sdxl-c-v1`, then `ObsidianDragonTests` links and prints `Focused service tests passed`.
- Cross-only osxcross runs that cannot execute the test binary must still prove Cargo build success, Darwin symbol inventory, manifest generation, and CMake configure/link success where the toolchain permits it.
## Platform Link-Library Planning
CMake links the imported `dragonx_lite_backend` target into both `ObsidianDragon` and `ObsidianDragonTests` only when `DRAGONX_ENABLE_LITE_BACKEND=ON` and the artifact gate has passed. The same link sites append `DRAGONX_LITE_BACKEND_EXTRA_LIBS`, so platform release builders can add verified backend-native dependencies without changing full-node defaults or enabling runtime dynamic loading.
Current planning status:
- Linux: the portable static backend artifact linked into both `ObsidianDragonTests` and the `ObsidianDragon` app target on this workspace with `DRAGONX_LITE_BACKEND_EXTRA_LIBS` empty. The app target produced `build/lite-backend-portable-verify/bin/ObsidianDragonLite` and was inspected without launch.
- Windows GNU: artifact production, symbol inventory, clean reproducibility, CMake configure, and app imported-link verification are complete for both the portable override artifact and the checked-in relative source artifact on this host. The first no-extra portable link proved missing `secur32`/`userenv` APIs; the successful release-builder value remains `DRAGONX_LITE_BACKEND_EXTRA_LIBS=secur32;userenv`, producing `/tmp/od-win-lite-link/bin/ObsidianDragonLite.exe` for the portable artifact and `/tmp/od-win-relative-link/bin/ObsidianDragonLite.exe` for the relative artifact without running either executable.
- macOS: artifact and link verification are deferred by operator request after the blocked 2026-05-22 relative-source preflight. The first resumed macOS linker pass should use the existing local `libs/libsodium-mac`/`libs/libsodium` search path plus the app's platform frameworks, then add backend-specific libraries or frameworks through `DRAGONX_LITE_BACKEND_EXTRA_LIBS` only when the Darwin linker proves they are needed.
Example shape for a platform builder after it has identified real extra dependencies:
```bash
cmake -S . -B build/lite-platform-verify \
-DDRAGONX_BUILD_LITE=ON \
-DDRAGONX_ENABLE_LITE_BACKEND=ON \
-DDRAGONX_LITE_BACKEND_LIBRARY=/path/to/libsilentdragonxlite.a \
-DDRAGONX_LITE_BACKEND_SYMBOLS_FILE=/path/to/lite-backend-symbols.txt \
-DDRAGONX_LITE_BACKEND_MANIFEST=/path/to/lite-backend-artifact-manifest.json \
-DDRAGONX_LITE_BACKEND_LINK_MODE=imported \
-DDRAGONX_LITE_BACKEND_ABI=sdxl-c-v1 \
-DDRAGONX_LITE_BACKEND_EXTRA_LIBS="<verified-extra-lib-1>;<verified-extra-lib-2>"
```
If no backend-specific extras are needed, omit `DRAGONX_LITE_BACKEND_EXTRA_LIBS` and keep the manifest plus symbol inventory as the evidence of the artifact that was linked.
## Guardrails
The script performs build and read-only artifact inspection only. It does not:
- load dynamic libraries,
- resolve runtime symbols,
- call SDXL or bridge APIs,
- check servers,
- create/open/restore wallets,
- start sync or poll `syncstatus`,
- mutate `WalletState`,
- persist wallet files,
- sign, upload, or publish artifacts.

61
docs/lite-wallet-backend-signing-policy-2026-05-22.md
View File

@@ -1,61 +0,0 @@
# Lite Wallet Backend Signing Policy - 2026-05-22
## Purpose
This Phase 1 policy defines how backend artifact signature verification evidence is recorded without making the wallet sign, upload, publish, mutate, load, resolve, or call backend artifacts.
Policy identifier: `dragonx-lite-backend-signature-policy-v1`.
## Scope
The artifact producer may capture read-only metadata about a signature verification that has already been performed by a release builder. It does not create signatures and does not run wallet runtime code.
The default development and local verification path does not require a signature. Release builders that require signed artifacts must opt in with `--signature-required` when generating the manifest and `DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON` when configuring CMake.
## Accepted Evidence
When signature metadata is supplied, all of the following are required:
- an existing sidecar signature file,
- signature format `minisign`, `gpg`, `sigstore`, `external`, or `other`,
- verifier tool and version used by the release builder,
- reviewed public-key fingerprint or reviewed certificate identity,
- verified artifact SHA-256 equal to the artifact bytes recorded in the manifest.
The manifest records the signature sidecar SHA-256, optional verifier command, optional certificate issuer, optional transparency log URL, and `verification_status: "verified"`. Missing or inconsistent required metadata fails before manifest generation when `--signature-required` or any signature metadata flag is supplied.
## Script Usage
Example metadata capture after an external verifier has already checked the artifact:
```bash
scripts/build-lite-backend-artifact.sh \
--platform linux \
--artifact build/lite-backend-relative-linux-b/linux/libsilentdragonxlite.a \
--no-build \
--out-dir build/lite-backend-signed-inventory \
--signature-required \
--signature-file /path/to/libsilentdragonxlite.a.minisig \
--signature-format minisign \
--signature-verification-tool "minisign 0.11" \
--signature-verification-command "minisign -Vm libsilentdragonxlite.a -P <reviewed-public-key>" \
--signature-key-fingerprint "<reviewed-public-key-fingerprint>" \
--signature-verified-sha256 "<artifact-sha256>"
```
For unsigned local inventory, omit all signature flags. The manifest still includes `signature_verification.policy_defined: true`, `metadata_provided: false`, and `verification_status: "not-provided"`, while `signing_requested` remains `false`.
## CMake Gate
`DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON` is optional and fail-closed. When enabled, CMake requires `DRAGONX_LITE_BACKEND_MANIFEST`, parses `signature_verification`, requires `verification_status: "verified"`, and checks that `signature_verification.verified_artifact_sha256` matches `artifact.sha256` before importing the backend library.
## Contract Helper
`LiteBackendArtifactContract` accepts unsigned local metadata by default. If `signatureVerification.requiredForRelease` is true, the helper requires a defined policy, complete metadata, a reviewed trust identity, performed verification, verified status, and a matching artifact SHA-256 before producing resolver input.
## Guardrails
- No signing is performed by the artifact script, CMake, contract helper, or wallet runtime.
- No artifact upload or publication is performed.
- No runtime dynamic loading, symbol resolution, SDXL calls, wallet lifecycle, sync, `WalletState` mutation, or persistence is enabled.
- Signature evidence is release inventory only and must describe the same artifact bytes identified by the manifest SHA-256.

106
docs/lite-wallet-backend-source-signature-plan-2026-05-20.md
View File

@@ -1,106 +0,0 @@
# Lite Wallet Backend Source And Signature Metadata Plan - 2026-05-20
## Purpose
This Phase 1 note closes the planning gap between the verified portable dependency override and the eventual release-source layout. It also defines the signature metadata boundary for backend artifacts without enabling signing, upload, publication, runtime loading, SDXL calls, or wallet mutation.
## Current Source State
The checked-in backend wrapper is `external/SilentDragonXLite/lib`. Its Cargo package is `qtlib`, the library name is `silentdragonxlite`, and the crate type is `staticlib`.
The wrapper now depends on `silentdragonxlitelib` through the reviewed relative path:
```toml
silentdragonxlitelib = { path = "../silentdragonxlite-cli/lib" }
```
The maintained dependency branch was imported from `/home/d/external/silentdragonxlite-cli` into `external/SilentDragonXLite/silentdragonxlite-cli` from git revision `6a178c8d08d9c1c153fb22759a68177cdb787be7`. Build outputs, `.git`, and `target/` were not imported, and stale workflow conflict-backup files were pruned from the vendored copy. The imported source carries `DRAGONX_SOURCE_REVISION` so artifact manifests can keep reporting the maintained dependency revision even though the dependency is now vendored under the wrapper source tree.
The release-builder-safe path is now to build from `external/SilentDragonXLite/lib` without `--silentdragonxlitelib-dir`. The override remains available as an escape hatch for comparing against an external maintained checkout, but release builders should prefer the checked-in relative layout.
## Implemented Relative Layout
The reviewed backend source branch should make the dependency relative inside a single release source tree. The preferred layout is:
```text
external/SilentDragonXLite/
lib/ # qtlib C ABI wrapper, crate type staticlib
silentdragonxlite-cli/
Cargo.toml # dependency workspace root
lib/ # package silentdragonxlitelib
```
With that layout, `external/SilentDragonXLite/lib/Cargo.toml` uses:
```toml
silentdragonxlitelib = { path = "../silentdragonxlite-cli/lib" }
```
Acceptable variants are allowed only if they keep both crates inside the reviewed release source tree and use a relative path. Absolute builder-local paths, symlinks to paths outside the tree, generated source patches committed back into the repo, or reliance on `/home/d/external` are not release-acceptable.
## Implementation Status
Completed through 2026-05-22:
1. Imported the maintained `silentdragonxlite-cli` source into the reviewed backend source tree.
2. Changed the wrapper dependency path from the absolute local path to `../silentdragonxlite-cli/lib`.
3. Left `external/SilentDragonXLite/lib/Cargo.lock` unchanged.
4. Updated artifact provenance so the script discovers relative `silentdragonxlitelib` sources, remaps them for reproducible builds, and records `portable_dependency_override: false` unless `--silentdragonxlitelib-dir` is explicitly used.
5. Built a Linux artifact without `--silentdragonxlitelib-dir` from `external/SilentDragonXLite/lib`.
6. Built two Windows GNU artifacts without `--silentdragonxlitelib-dir`, compared them byte-for-byte, and linked the app target against the relative-source artifact.
7. Rechecked macOS from the relative source layout on 2026-05-22; this Linux host still lacks Apple Rust targets and Apple/osxcross linker tooling, so the `x86_64-apple-darwin` attempt failed before artifact production.
8. Defined the Phase 1 signing policy in `docs/lite-wallet-backend-signing-policy-2026-05-22.md`, added read-only signature metadata capture to `scripts/build-lite-backend-artifact.sh`, added optional `DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE` CMake enforcement, and taught `LiteBackendArtifactContract` to validate required signature metadata before producing resolver input.
## Acceptance Criteria
- `external/SilentDragonXLite/lib/Cargo.toml` contains no absolute `silentdragonxlitelib` dependency path.
- The dependency source is present inside the reviewed source tree and is covered by source-control revision/provenance review.
- `scripts/build-lite-backend-artifact.sh --platform linux --backend-dir external/SilentDragonXLite/lib --reproducible ...` succeeds without `--silentdragonxlitelib-dir`.
- The generated manifest records `portable_dependency_override: false`, `cargo_build_source` equal to the reviewed backend source, and reproducible provenance.
- The refreshed Linux no-override artifact is `build/lite-backend-relative-linux-b/linux/libsilentdragonxlite.a` with SHA-256 `8fd6c66ff661e13f768754de69d39e1a15ee55b6fdd530625a6018c867edde10`; its manifest records `portable_dependency_override: false`, `silentdragonxlitelib_revision: 6a178c8d08d9c1c153fb22759a68177cdb787be7`, `reproducible: true`, and `signing_requested: false`.
- The refreshed Windows GNU no-override artifacts are byte-identical at SHA-256 `ca7677af58f61de4bd56311e76e32961d977da8fac2a3c5d158c1702f8807439`; their manifests record `portable_dependency_override: false`, `silentdragonxlitelib_revision: 6a178c8d08d9c1c153fb22759a68177cdb787be7`, `reproducible: true`, `rust_target: x86_64-pc-windows-gnu`, and `signing_requested: false`.
- The relative Windows GNU artifact links into `ObsidianDragon` from `/tmp/od-win-relative-link` with `DRAGONX_LITE_BACKEND_EXTRA_LIBS=secur32;userenv`, producing `/tmp/od-win-relative-link/bin/ObsidianDragonLite.exe` as a PE32+ GUI x86-64 Windows executable. The import table includes `Secur32.dll` and `USERENV.dll`; the executable was inspected but not run.
- macOS uses the same relative layout once a macOS/osxcross builder exists; the 2026-05-22 Linux preflight failed with missing `x86_64-apple-darwin` standard libraries and produced no artifact or manifest, and macOS verification is deferred for now by operator request.
- All artifacts still expose the eight required `litelib_*` symbols for ABI `sdxl-c-v1`.
## Signature Metadata Boundary
Phase 1 backend artifact production records signature verification metadata under policy `dragonx-lite-backend-signature-policy-v1`, defined in `docs/lite-wallet-backend-signing-policy-2026-05-22.md`. It must not create signatures, mutate artifacts, upload artifacts, publish artifacts, or make signatures a runtime wallet concern.
When policy exists, the artifact manifest should add a read-only metadata object with these fields or direct equivalents:
```json
{
"signature_verification": {
"policy_defined": true,
"required_for_release": true,
"verification_performed": true,
"verification_status": "verified",
"signature_format": "minisign|gpg|sigstore|external|other",
"signature_path": "/path/to/artifact.signature",
"signature_file_sha256": "sha256 of sidecar signature file",
"verification_tool": "tool name and version",
"verification_command": "command already run by release builder when recorded",
"key_fingerprint": "reviewed public key fingerprint when applicable",
"certificate_identity": "certificate identity when applicable",
"certificate_issuer": "certificate issuer when applicable",
"transparency_log_url": "transparency log entry when applicable",
"verified_artifact_sha256": "sha256 that was verified"
}
}
```
Unsigned local manifests keep `signing_requested: false`, `metadata_provided: false`, and `verification_status: "not-provided"`. Signed release-builder manifests may set `metadata_provided: true` only when the sidecar signature exists, verifier metadata is recorded, a reviewed trust identity is present, and `verified_artifact_sha256` matches the artifact SHA-256.
## Signature Metadata Acceptance Criteria
- Signature metadata is read-only inventory attached to the artifact manifest.
- The metadata verifies the same artifact bytes identified by the manifest SHA-256.
- If `--signature-required` or `DRAGONX_LITE_BACKEND_REQUIRE_SIGNATURE=ON` is used, missing or invalid signature metadata fails before CMake imported-link use.
- Signature verification tooling and public-key or certificate trust roots are documented outside wallet runtime code.
- `LiteBackendArtifactContract` and runtime bridge code continue to reject signing requests and never sign, upload, publish, or mutate artifacts.
## Remaining Phase 1 Work
- Capture real signed-artifact evidence when a release builder provides sidecar signatures and reviewed trust roots.
- macOS artifact and imported-link verification is deferred by operator request until a macOS host or configured osxcross builder is available and the deferral is lifted.

13
docs/lite-wallet-implementation-plan-v2-2026-06-04.md
View File

@@ -1,6 +1,6 @@
# Lite Wallet Implementation Plan v2 — 2026-06-04
**Status:** Active. **Supersedes** `docs/full-lite-wallet-implementation-plan-2026-05-18.md` (archived).
**Status:** Active. Supersedes the v1 plan (archived locally under `docs/_archive/`, untracked).
## Implementation status — end of 2026-06-05 session
@@ -181,7 +181,7 @@ Crash/recovery of the wallet *file* (the `.dat`/`.dat.bak` rotation) is already
- Further investment in `lite_bridge_runtime` dry-dispatch as an execution path.
- "Readiness ceiling" / "Batch N" framing. Progress is measured by demoable capabilities, not batches.
We retain v1's ground rules, dependency ordering, and the artifact/ABI/signing reference docs (`lite-wallet-backend-artifact-link-contract`, `-production`, `-signing-policy`, `-source-signature-plan`).
We retain v1's ground rules and dependency ordering; the artifact/ABI/signing design docs are kept in `docs/_archive/` (untracked) for reference.
## Verification
@@ -191,6 +191,9 @@ We retain v1's ground rules, dependency ordering, and the artifact/ABI/signing r
## References
- v1 (superseded/archived): `docs/full-lite-wallet-implementation-plan-2026-05-18.md`
- ABI / artifact / signing: `docs/lite-wallet-backend-artifact-link-contract-2026-05-18.md`, `docs/lite-wallet-backend-artifact-production-2026-05-18.md`, `docs/lite-wallet-backend-signing-policy-2026-05-22.md`, `docs/lite-wallet-backend-source-signature-plan-2026-05-20.md`
- Deferred runtime dynamic-loader design (only if M5 needs it): `docs/lite-wallet-phase2-runtime-bridge-dynamic-loader-sublane-plan-2026-05-23.md`, `docs/lite-wallet-phase2-runtime-bridge-loading-symbol-resolution-plan-2026-05-22.md`
This plan is the single tracked lite-wallet doc. The prior design/planning docs were moved out of
version control to **`docs/_archive/`** (git-ignored, kept locally) on 2026-06-05 to declutter the
tracked tree; consult them there if needed:
- v1 (superseded): `full-lite-wallet-implementation-plan-2026-05-18.md` + its `lite-wallet-runtime-promotion-matrix-2026-05-18.md`
- ABI / artifact / signing design: `lite-wallet-backend-artifact-link-contract-2026-05-18.md`, `-artifact-production-2026-05-18.md`, `-signing-policy-2026-05-22.md`, `-source-signature-plan-2026-05-20.md` — the shipping mechanism is `scripts/build-lite-backend-artifact.sh` + `src/wallet/lite_backend_artifact_{contract,resolver}.cpp`; CI signing (M5b) follows the signing-policy/source-signature notes
- Deferred runtime dynamic-loader design (only if M5 needs it): `lite-wallet-phase2-runtime-bridge-dynamic-loader-sublane-plan-2026-05-23.md`, `-loading-symbol-resolution-plan-2026-05-22.md` (the imported-link lane is implemented in `src/wallet/lite_bridge_runtime.cpp`)

1530
docs/lite-wallet-phase2-runtime-bridge-dynamic-loader-sublane-plan-2026-05-23.md
View File

File diff suppressed because it is too large Load Diff

347
docs/lite-wallet-phase2-runtime-bridge-loading-symbol-resolution-plan-2026-05-22.md
View File

File diff suppressed because one or more lines are too long

106
docs/lite-wallet-runtime-promotion-matrix-2026-05-18.md
View File

@@ -1,106 +0,0 @@
# Lite Wallet Runtime Promotion Matrix - 2026-05-18
## Baseline Record
Phase 0 starts from Batch 100 as the disabled readiness ceiling. The focused baseline was verified on 2026-05-18 with:
- `cmake --build build --target ObsidianDragonTests`
- `./build/linux/bin/ObsidianDragonTests`
Result: build passed and the test binary printed `Focused service tests passed`.
## Freeze Decision
Batch 100 is the readiness ceiling for runtime promotion work. Additional post-closure disabled batches should stay frozen unless a concrete promotion blocker requires one more typed proof surface. The next work should promote existing facts into reviewed runtime owners.
## Promotion Matrix
| Batches | Disabled readiness surface | Runtime owner to feed | Minimum Batch 100 fact |
| --- | --- | --- | --- |
| 32-34 | Lifecycle bridge-call preflight and post-lifecycle sync handoff | `LiteWalletLifecycleRuntime` | `lifecycleRuntimeFeedReady` |
| 35-37 | SDXL artifact, bridge owner, dispatcher, and runtime owner readiness | `LiteBridgeRuntime` artifact contract | `syncArtifactInput` and `syncBackendInput` |
| 38-41 | Dynamic link, dispatch table, call result cleanup, and shutdown planning | `LiteBridgeRuntime` dispatch table | reviewed disabled `runtimePlan` boundary |
| 42-43 | Execution attempt and status handoff planning | `LiteRuntimeWorkerBridge` | `runtimeExecutionRefused` and `noRuntimeAttempted` |
| 44-47 | State apply, persistence commit, recovery, and refresh queue planning | `LiteWalletStateApplyRuntime` | `stateApplyFeedReady` |
| 48-52 | UI model, view refresh, completion, and telemetry planning | `LiteWalletUiRuntimeModel` | `noUiMutation` and `noUiRefreshExecution` |
| 53-57 | Enablement review, rollout policy, kill switch, release, and production readiness | `LiteRuntimeEnablementPolicy` | runtime activation remains blocked |
| 58-63 | Observability, release closure, operations, maintenance, and promotion readiness | `LiteRuntimeOperationsReadiness` | telemetry, status, and audit gates |
| 64-72 | Promotion decision, activation preflight/runbook/approval/change control/release observation | `LiteRuntimePromotionRunbook` | `futureRuntimeBoundaryCouldBeEnabled` |
| 73-80 | Post-closure operations handoff through receipt custody acceptance | Historical evidence only | Batch 100 accepted ancestor chain |
| 81-89 | Receipt custody acceptance confirmation through archive handoff confirmation | Historical evidence only | Batch 100 accepted ancestor chain |
| 90-100 | Final receipt/custody/archive handoff disabled ceiling | Batch 100 readiness ceiling | final operation and step ready counts |
## Minimum Runtime Consumers
Future runtime owners should consume the compact Phase 0 surface instead of re-reading the whole Batch 32-100 chain:
- `LiteRuntimePromotionBatch100Result`
- `runtimePlan.disabled` guardrail flags
- `syncArtifactInput`
- `syncBackendInput`
- `syncOwnershipInput`
- `syncCancellationInput`
- `syncShutdownInput`
- `lifecycleBridgeAbiFacts`
- `flowRuntimeInput`
- `stateApplyExecution`
- final operation and step records from the Batch 100 runtime plan
## Checklist Helper
The Phase 0 code helper is `LiteRuntimePromotionChecklist` in `src/wallet/lite_wallet_runtime_promotion_checklist.*`. It requires:
- Batch 100 result present, ok, and disabled.
- Batch 100 acknowledged as the readiness ceiling.
- Post-closure disabled growth frozen.
- Required lifecycle, sync, send/import/export, and state-apply feeds ready.
- No dynamic loading, symbol resolution, bridge call, SDXL call, cleanup, shutdown, sync, lifecycle, UI, persistence, publication, or `WalletState` mutation observed.
- Final operation and step records present and fully ready.
The helper never enables runtime activation. A passing checklist means Phase 1 implementation work may start while runtime calls remain blocked.
## Post-Ceiling Owner Consumption
The first post-ceiling Phase 2 owner slice is `LiteWalletBridgeRuntimeOwnerReadiness` consuming `LiteRuntimePromotionBatch100Result` directly. The projection requires a passing `LiteRuntimePromotionChecklist`, converts the Batch100 feeds into a disabled dispatcher report and per-operation owner inputs, and keeps runtime activation blocked. It covers lifecycle create/open/restore, sync start/status, server check, wallet exists, shutdown, send, shield, create-address, export, import, save, and encryption operation ownership without enabling dynamic loading, symbol resolution, bridge/SDXL calls, persistence, publication, UI mutation, or `WalletState` mutation.
The second post-ceiling owner slice is `LiteWalletBridgeRuntimeExecutionOwner` consuming that Batch100-gated owner-readiness result. The projection marks disabled execution ownership and attempt gates ready for dynamic-library, symbol-resolution, Rust-string cleanup, shutdown, and the same operation set, while preserving `executionAttempted=false`, `executionAccepted=false`, `executionRefused=true`, and all runtime permission flags false.
The third post-ceiling owner slice is `LiteWalletBridgeRuntimeDynamicLinkPlan` consuming the Batch100 execution-owner projection. The projection maps execution-owner bridge ABI facts into the artifact symbol snapshot, marks disabled dynamic-library and symbol-table planning gates ready, and keeps dynamic loading, unloading, symbol resolution, bridge/SDXL calls, publication, persistence, UI mutation, artifact mutation, and `WalletState` mutation refused.
The fourth post-ceiling owner slice is `LiteWalletBridgeRuntimeDispatchTablePlan` consuming the Batch100 dynamic-link projection. The projection marks disabled operation routing, function-pointer slots, symbol-binding review, dispatch envelopes, response ownership, runtime-call ownership, argument marshalling, return-value ownership, error mapping, timeout/cancellation, post-call cleanup, and dispatch/runtime-call gates ready while preserving function-pointer binding, bridge calls, SDXL calls, Rust-string free, shutdown, dynamic loading, symbol resolution, persistence, publication, UI mutation, artifact mutation, and `WalletState` mutation as refused.
The fifth post-ceiling owner slice is `LiteWalletBridgeRuntimeCallResultCleanupPlan` consuming the Batch100 dispatch-table projection. The projection marks disabled Rust-string ownership, copy-before-free, free-once, null/error classification, temporary-copy wipe, raw-pointer escape prevention, result-envelope, result parser/classification, error mapping, response redaction, cancellation cleanup, shutdown cleanup, and cleanup/free attempt gates ready while preserving call-result cleanup, Rust-string free, bridge calls, SDXL calls, shutdown, dynamic loading, symbol resolution, persistence, publication, UI mutation, artifact mutation, and `WalletState` mutation as refused.
The sixth post-ceiling owner slice is `LiteWalletBridgeRuntimeExecutionAttemptPlan` consuming the Batch100 call-result cleanup projection. The projection marks disabled runtime-attempt ownership, runtime preflight, dispatch-attempt, result-cleanup attempt, status-feed, state-write, worker-queue, persistence, and attempt gates ready while preserving runtime attempts, function-pointer binding, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, worker queue, persistence, publication, UI mutation, artifact mutation, and `WalletState` mutation as refused.
The seventh post-ceiling owner slice is `LiteWalletBridgeRuntimeStatusHandoffPlan` consuming the Batch100 execution-attempt projection. The projection marks disabled status-publication owner, user-visible status, operation-status mapper, worker-handoff owner, worker-queue lane/backpressure, state-write, persistence, status-publish, and worker-handoff gates ready while preserving status publication, user-visible status publication, worker handoff, worker queue, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, persistence, publication, UI mutation, artifact mutation, and `WalletState` mutation as refused.
The eighth post-ceiling owner slice is `LiteWalletBridgeRuntimeStateApplyPlan` consuming the Batch100 status-handoff projection. The projection produces a disabled dry-run `LiteWalletStateApplyExecutionResult`, marks disabled state-apply owner, result-to-refresh-model mapper, state-apply plan, state-apply executor, dry-run acceptance, persistence-write plan, WalletState write gate, persistence-write gate, and post-apply status gates ready while preserving WalletState apply execution, WalletState mutation, wallet/settings persistence, status publication, worker queue, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, UI mutation, and artifact mutation as refused.
The ninth post-ceiling owner slice is `LiteWalletBridgeRuntimePersistenceCommitPlan` consuming the Batch100 state-apply projection. The projection marks disabled commit-owner, wallet persistence, settings persistence, commit-ordering, rollback-marker, recovery-marker, post-commit-status, durability-audit, wallet persistence gate, settings persistence gate, artifact mutation gate, and state commit gate ready while preserving persistence commits, wallet/settings writes, artifact mutation, state commits, WalletState mutation, state-apply execution, status publication, worker queue, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The tenth post-ceiling owner slice is `LiteWalletBridgeRuntimePostCommitRecoveryPlan` consuming the Batch100 persistence-commit projection. The projection marks disabled recovery-status owner, rollback-status, recovery-status, durability-audit-status, post-commit UI status, worker-status fanout, sync-refresh fanout, send/import/export status fanout, status-publication gate, worker-queue gate, sync-refresh gate, lifecycle-execution gate, and WalletState mutation gate ready while preserving post-commit recovery execution, status publication, user-visible status publication, worker handoff, worker queue, sync refresh, lifecycle execution, persistence commits, durable writes, artifact mutation, WalletState mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The eleventh post-ceiling owner slice is `LiteWalletBridgeRuntimeRefreshQueuePlan` consuming the Batch100 post-commit recovery projection. The projection marks disabled refresh-queue owner, queue policy, queue lane, queue payload, refresh timer owner, refresh timer snapshot, status consumer owner, UI status consumer, worker status consumer, sync status consumer, send/import/export status consumer, refresh-queue gate, refresh-timer gate, status-consumer gate, worker-queue gate, and WalletState mutation gate ready while preserving refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The twelfth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiModelProjectionPlan` consuming the Batch100 refresh-queue projection. The projection marks disabled UI model owner, balance model projection, transaction model projection, address model projection, projection snapshot, refresh payload projection, status-consumer projection, UI mutation gate, status-consumer gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI model mutation, balance/transaction/address model mutation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The thirteenth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiViewRefreshHandoffPlan` consuming the Batch100 UI model projection. The projection marks disabled view-refresh owner, balance view adapter, address-list view adapter, recent-transaction view adapter, render invalidation plan, view-refresh snapshot, status-consumer handoff, UI mutation gate, view-invalidation gate, render-invalidation gate, status-consumer gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The fourteenth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiRefreshDispatchPlan` consuming the Batch100 UI view refresh handoff projection. The projection marks disabled refresh dispatcher owner, balance refresh route, address-list refresh route, recent-transaction refresh route, render scheduler plan, view invalidation router plan, status-consumer dispatch plan, dispatch snapshot plan, UI mutation gate, view-invalidation gate, render-invalidation gate, status-consumer gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI refresh dispatch, UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The fifteenth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiRefreshCompletionPlan` consuming the Batch100 UI refresh dispatch projection. The projection marks disabled completion owner, completion acknowledgement plan, stale-view suppression plan, post-dispatch status summary plan, completion snapshot plan, UI mutation gate, view-invalidation gate, render-invalidation gate, status-consumer gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The sixteenth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiRefreshTelemetryPlan` consuming the Batch100 UI refresh completion projection. The projection marks disabled telemetry owner, completion metrics plan, suppressed-stale-view counter plan, post-refresh diagnostic summary plan, completion audit snapshot plan, telemetry redaction plan, telemetry publication gate, status-publication gate, audit-persistence gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving telemetry publication, completion metrics publication, suppressed stale-view counter publication, post-refresh diagnostic summary publication, completion audit writes, status publication, UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The seventeenth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiRefreshEnablementReviewPlan` consuming the Batch100 UI refresh telemetry projection. The projection marks disabled enablement-review owner, main-thread ownership plan, runtime disable-switch plan, rollback plan, operator review plan, operator approval record plan, dispatch/completion/telemetry review, guardrail snapshot plan, telemetry publication gate, status-publication gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI refresh runtime enablement, main-thread handoff, runtime disable-switch mutation, rollback execution, operator approval commits, telemetry publication, completion metrics publication, suppressed stale-view counter publication, post-refresh diagnostic summary publication, completion audit writes, status publication, UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The eighteenth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiRefreshRolloutPolicyPlan` consuming the Batch100 UI refresh enablement-review projection. The projection marks disabled rollout-policy owner, staged rollout plan, default-off feature flag plan, operator acknowledgement snapshot, rollback drill plan, deployment cohort plan, rollout percentage plan, metrics gate plan, guardrail snapshot plan, telemetry publication gate, status-publication gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving rollout activation, feature-flag mutation, cohort enrollment, rollout percentage mutation, operator acknowledgement commits, rollback drill execution, metrics publication, UI refresh runtime enablement, main-thread handoff, runtime disable-switch mutation, rollback execution, operator approval commits, telemetry publication, status publication, UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The nineteenth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiRefreshKillSwitchPlan` consuming the Batch100 UI refresh rollout-policy projection. The projection marks disabled emergency-disable owner, incident acknowledgement snapshot, feature-flag kill-switch plan, rollback kill-switch plan, kill-switch drill plan, operator escalation gate, post-incident audit plan, guardrail snapshot plan, telemetry publication gate, status-publication gate, audit-persistence gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving emergency-disable activation, feature-flag kill-switch mutation, rollback kill-switch execution, operator escalation publication, incident acknowledgement commits, post-incident audit writes, incident status publication, rollout activation, feature-flag mutation, cohort enrollment, rollout percentage mutation, operator acknowledgement commits, rollback drill execution, metrics publication, UI refresh runtime enablement, main-thread handoff, runtime disable-switch mutation, rollback execution, operator approval commits, telemetry publication, status publication, UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The twentieth post-ceiling owner slice is `LiteWalletBridgeRuntimeUiRefreshReleaseReadinessPlan` consuming the Batch100 UI refresh kill-switch projection. The projection marks disabled operator runbook owner, release checklist snapshot, release approval snapshot, support escalation owner, monitoring handoff plan, post-release verification plan, guardrail snapshot plan, telemetry publication gate, status-publication gate, audit-publication gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving release activation, operator runbook publication, support escalation publication, monitoring handoff publication, post-release verification writes, release approval commits, emergency-disable activation, feature-flag kill-switch mutation, rollback kill-switch execution, operator escalation publication, incident acknowledgement commits, post-incident audit writes, incident status publication, telemetry publication, status publication, UI refresh dispatch, UI refresh completion acknowledgement, UI mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
The twenty-first post-ceiling owner slice is `LiteWalletBridgeRuntimeUiRefreshProductionReadinessPlan` consuming the Batch100 UI refresh release-readiness projection. The projection marks disabled cutover owner, rollback-freeze checklist snapshot, production support handoff, monitoring verification snapshot, post-cutover audit plan, guardrail snapshot plan, telemetry publication gate, status-publication gate, audit-publication gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving cutover activation, rollback-freeze publication, production support handoff publication, monitoring verification publication, post-cutover audit writes, cutover approval commits, release activation, operator runbook publication, support escalation publication, monitoring handoff publication, post-release verification writes, release approval commits, telemetry publication, status publication, UI refresh dispatch, UI refresh completion acknowledgement, UI mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.
Next command: `continue lite wallet Phase 2 real bridge runtime owner implementation from Batch100 UI refresh production readiness`.