DragonX/ObsidianDragon
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 4 Wiki Activity
Files
59b8c4da81118de3cd15546b680ca8dfe17b3bac
ObsidianDragon/docs/lite-wallet-runtime-promotion-matrix-2026-05-18.md
DanS a78a13edf3 docs(lite): add v2 implementation plan, source-hygiene guard, and CLAUDE.md 
- docs/lite-wallet-implementation-plan-v2-2026-06-04.md: vertical-slice plan that
  supersedes the v1 plan (now banner-marked); carries over the inherited artifact/
  signing/phase-2 design docs for reference.
- scripts/check-source-hygiene.sh: pre-commit/CI guard rejecting >80-char filenames
  and chained churn-token names, to stop the deleted "_plan"/"_batch" scaffolding
  from regrowing.
- CLAUDE.md: repository guidance for future sessions.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 21:15:11 -05:00

24 KiB
Raw Blame History

Lite Wallet Runtime Promotion Matrix - 2026-05-18

Baseline Record

Phase 0 starts from Batch 100 as the disabled readiness ceiling. The focused baseline was verified on 2026-05-18 with:

  • cmake --build build --target ObsidianDragonTests
  • ./build/linux/bin/ObsidianDragonTests

Result: build passed and the test binary printed Focused service tests passed.

Freeze Decision

Batch 100 is the readiness ceiling for runtime promotion work. Additional post-closure disabled batches should stay frozen unless a concrete promotion blocker requires one more typed proof surface. The next work should promote existing facts into reviewed runtime owners.

Promotion Matrix

Batches Disabled readiness surface Runtime owner to feed Minimum Batch 100 fact
32-34 Lifecycle bridge-call preflight and post-lifecycle sync handoff LiteWalletLifecycleRuntime lifecycleRuntimeFeedReady
35-37 SDXL artifact, bridge owner, dispatcher, and runtime owner readiness LiteBridgeRuntime artifact contract syncArtifactInput and syncBackendInput
38-41 Dynamic link, dispatch table, call result cleanup, and shutdown planning LiteBridgeRuntime dispatch table reviewed disabled runtimePlan boundary
42-43 Execution attempt and status handoff planning LiteRuntimeWorkerBridge runtimeExecutionRefused and noRuntimeAttempted
44-47 State apply, persistence commit, recovery, and refresh queue planning LiteWalletStateApplyRuntime stateApplyFeedReady
48-52 UI model, view refresh, completion, and telemetry planning LiteWalletUiRuntimeModel noUiMutation and noUiRefreshExecution
53-57 Enablement review, rollout policy, kill switch, release, and production readiness LiteRuntimeEnablementPolicy runtime activation remains blocked
58-63 Observability, release closure, operations, maintenance, and promotion readiness LiteRuntimeOperationsReadiness telemetry, status, and audit gates
64-72 Promotion decision, activation preflight/runbook/approval/change control/release observation LiteRuntimePromotionRunbook futureRuntimeBoundaryCouldBeEnabled
73-80 Post-closure operations handoff through receipt custody acceptance Historical evidence only Batch 100 accepted ancestor chain
81-89 Receipt custody acceptance confirmation through archive handoff confirmation Historical evidence only Batch 100 accepted ancestor chain
90-100 Final receipt/custody/archive handoff disabled ceiling Batch 100 readiness ceiling final operation and step ready counts

Minimum Runtime Consumers

Future runtime owners should consume the compact Phase 0 surface instead of re-reading the whole Batch 32-100 chain:

  • LiteRuntimePromotionBatch100Result
  • runtimePlan.disabled guardrail flags
  • syncArtifactInput
  • syncBackendInput
  • syncOwnershipInput
  • syncCancellationInput
  • syncShutdownInput
  • lifecycleBridgeAbiFacts
  • flowRuntimeInput
  • stateApplyExecution
  • final operation and step records from the Batch 100 runtime plan

Checklist Helper

The Phase 0 code helper is LiteRuntimePromotionChecklist in src/wallet/lite_wallet_runtime_promotion_checklist.*. It requires:

  • Batch 100 result present, ok, and disabled.
  • Batch 100 acknowledged as the readiness ceiling.
  • Post-closure disabled growth frozen.
  • Required lifecycle, sync, send/import/export, and state-apply feeds ready.
  • No dynamic loading, symbol resolution, bridge call, SDXL call, cleanup, shutdown, sync, lifecycle, UI, persistence, publication, or WalletState mutation observed.
  • Final operation and step records present and fully ready.

The helper never enables runtime activation. A passing checklist means Phase 1 implementation work may start while runtime calls remain blocked.

Post-Ceiling Owner Consumption

The first post-ceiling Phase 2 owner slice is LiteWalletBridgeRuntimeOwnerReadiness consuming LiteRuntimePromotionBatch100Result directly. The projection requires a passing LiteRuntimePromotionChecklist, converts the Batch100 feeds into a disabled dispatcher report and per-operation owner inputs, and keeps runtime activation blocked. It covers lifecycle create/open/restore, sync start/status, server check, wallet exists, shutdown, send, shield, create-address, export, import, save, and encryption operation ownership without enabling dynamic loading, symbol resolution, bridge/SDXL calls, persistence, publication, UI mutation, or WalletState mutation.

The second post-ceiling owner slice is LiteWalletBridgeRuntimeExecutionOwner consuming that Batch100-gated owner-readiness result. The projection marks disabled execution ownership and attempt gates ready for dynamic-library, symbol-resolution, Rust-string cleanup, shutdown, and the same operation set, while preserving executionAttempted=false, executionAccepted=false, executionRefused=true, and all runtime permission flags false.

The third post-ceiling owner slice is LiteWalletBridgeRuntimeDynamicLinkPlan consuming the Batch100 execution-owner projection. The projection maps execution-owner bridge ABI facts into the artifact symbol snapshot, marks disabled dynamic-library and symbol-table planning gates ready, and keeps dynamic loading, unloading, symbol resolution, bridge/SDXL calls, publication, persistence, UI mutation, artifact mutation, and WalletState mutation refused.

The fourth post-ceiling owner slice is LiteWalletBridgeRuntimeDispatchTablePlan consuming the Batch100 dynamic-link projection. The projection marks disabled operation routing, function-pointer slots, symbol-binding review, dispatch envelopes, response ownership, runtime-call ownership, argument marshalling, return-value ownership, error mapping, timeout/cancellation, post-call cleanup, and dispatch/runtime-call gates ready while preserving function-pointer binding, bridge calls, SDXL calls, Rust-string free, shutdown, dynamic loading, symbol resolution, persistence, publication, UI mutation, artifact mutation, and WalletState mutation as refused.

The fifth post-ceiling owner slice is LiteWalletBridgeRuntimeCallResultCleanupPlan consuming the Batch100 dispatch-table projection. The projection marks disabled Rust-string ownership, copy-before-free, free-once, null/error classification, temporary-copy wipe, raw-pointer escape prevention, result-envelope, result parser/classification, error mapping, response redaction, cancellation cleanup, shutdown cleanup, and cleanup/free attempt gates ready while preserving call-result cleanup, Rust-string free, bridge calls, SDXL calls, shutdown, dynamic loading, symbol resolution, persistence, publication, UI mutation, artifact mutation, and WalletState mutation as refused.

The sixth post-ceiling owner slice is LiteWalletBridgeRuntimeExecutionAttemptPlan consuming the Batch100 call-result cleanup projection. The projection marks disabled runtime-attempt ownership, runtime preflight, dispatch-attempt, result-cleanup attempt, status-feed, state-write, worker-queue, persistence, and attempt gates ready while preserving runtime attempts, function-pointer binding, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, worker queue, persistence, publication, UI mutation, artifact mutation, and WalletState mutation as refused.

The seventh post-ceiling owner slice is LiteWalletBridgeRuntimeStatusHandoffPlan consuming the Batch100 execution-attempt projection. The projection marks disabled status-publication owner, user-visible status, operation-status mapper, worker-handoff owner, worker-queue lane/backpressure, state-write, persistence, status-publish, and worker-handoff gates ready while preserving status publication, user-visible status publication, worker handoff, worker queue, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, persistence, publication, UI mutation, artifact mutation, and WalletState mutation as refused.

The eighth post-ceiling owner slice is LiteWalletBridgeRuntimeStateApplyPlan consuming the Batch100 status-handoff projection. The projection produces a disabled dry-run LiteWalletStateApplyExecutionResult, marks disabled state-apply owner, result-to-refresh-model mapper, state-apply plan, state-apply executor, dry-run acceptance, persistence-write plan, WalletState write gate, persistence-write gate, and post-apply status gates ready while preserving WalletState apply execution, WalletState mutation, wallet/settings persistence, status publication, worker queue, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, UI mutation, and artifact mutation as refused.

The ninth post-ceiling owner slice is LiteWalletBridgeRuntimePersistenceCommitPlan consuming the Batch100 state-apply projection. The projection marks disabled commit-owner, wallet persistence, settings persistence, commit-ordering, rollback-marker, recovery-marker, post-commit-status, durability-audit, wallet persistence gate, settings persistence gate, artifact mutation gate, and state commit gate ready while preserving persistence commits, wallet/settings writes, artifact mutation, state commits, WalletState mutation, state-apply execution, status publication, worker queue, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The tenth post-ceiling owner slice is LiteWalletBridgeRuntimePostCommitRecoveryPlan consuming the Batch100 persistence-commit projection. The projection marks disabled recovery-status owner, rollback-status, recovery-status, durability-audit-status, post-commit UI status, worker-status fanout, sync-refresh fanout, send/import/export status fanout, status-publication gate, worker-queue gate, sync-refresh gate, lifecycle-execution gate, and WalletState mutation gate ready while preserving post-commit recovery execution, status publication, user-visible status publication, worker handoff, worker queue, sync refresh, lifecycle execution, persistence commits, durable writes, artifact mutation, WalletState mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The eleventh post-ceiling owner slice is LiteWalletBridgeRuntimeRefreshQueuePlan consuming the Batch100 post-commit recovery projection. The projection marks disabled refresh-queue owner, queue policy, queue lane, queue payload, refresh timer owner, refresh timer snapshot, status consumer owner, UI status consumer, worker status consumer, sync status consumer, send/import/export status consumer, refresh-queue gate, refresh-timer gate, status-consumer gate, worker-queue gate, and WalletState mutation gate ready while preserving refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The twelfth post-ceiling owner slice is LiteWalletBridgeRuntimeUiModelProjectionPlan consuming the Batch100 refresh-queue projection. The projection marks disabled UI model owner, balance model projection, transaction model projection, address model projection, projection snapshot, refresh payload projection, status-consumer projection, UI mutation gate, status-consumer gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI model mutation, balance/transaction/address model mutation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The thirteenth post-ceiling owner slice is LiteWalletBridgeRuntimeUiViewRefreshHandoffPlan consuming the Batch100 UI model projection. The projection marks disabled view-refresh owner, balance view adapter, address-list view adapter, recent-transaction view adapter, render invalidation plan, view-refresh snapshot, status-consumer handoff, UI mutation gate, view-invalidation gate, render-invalidation gate, status-consumer gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The fourteenth post-ceiling owner slice is LiteWalletBridgeRuntimeUiRefreshDispatchPlan consuming the Batch100 UI view refresh handoff projection. The projection marks disabled refresh dispatcher owner, balance refresh route, address-list refresh route, recent-transaction refresh route, render scheduler plan, view invalidation router plan, status-consumer dispatch plan, dispatch snapshot plan, UI mutation gate, view-invalidation gate, render-invalidation gate, status-consumer gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI refresh dispatch, UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The fifteenth post-ceiling owner slice is LiteWalletBridgeRuntimeUiRefreshCompletionPlan consuming the Batch100 UI refresh dispatch projection. The projection marks disabled completion owner, completion acknowledgement plan, stale-view suppression plan, post-dispatch status summary plan, completion snapshot plan, UI mutation gate, view-invalidation gate, render-invalidation gate, status-consumer gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, status publication, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The sixteenth post-ceiling owner slice is LiteWalletBridgeRuntimeUiRefreshTelemetryPlan consuming the Batch100 UI refresh completion projection. The projection marks disabled telemetry owner, completion metrics plan, suppressed-stale-view counter plan, post-refresh diagnostic summary plan, completion audit snapshot plan, telemetry redaction plan, telemetry publication gate, status-publication gate, audit-persistence gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving telemetry publication, completion metrics publication, suppressed stale-view counter publication, post-refresh diagnostic summary publication, completion audit writes, status publication, UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The seventeenth post-ceiling owner slice is LiteWalletBridgeRuntimeUiRefreshEnablementReviewPlan consuming the Batch100 UI refresh telemetry projection. The projection marks disabled enablement-review owner, main-thread ownership plan, runtime disable-switch plan, rollback plan, operator review plan, operator approval record plan, dispatch/completion/telemetry review, guardrail snapshot plan, telemetry publication gate, status-publication gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving UI refresh runtime enablement, main-thread handoff, runtime disable-switch mutation, rollback execution, operator approval commits, telemetry publication, completion metrics publication, suppressed stale-view counter publication, post-refresh diagnostic summary publication, completion audit writes, status publication, UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, balance/address-list/recent-transaction view mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The eighteenth post-ceiling owner slice is LiteWalletBridgeRuntimeUiRefreshRolloutPolicyPlan consuming the Batch100 UI refresh enablement-review projection. The projection marks disabled rollout-policy owner, staged rollout plan, default-off feature flag plan, operator acknowledgement snapshot, rollback drill plan, deployment cohort plan, rollout percentage plan, metrics gate plan, guardrail snapshot plan, telemetry publication gate, status-publication gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving rollout activation, feature-flag mutation, cohort enrollment, rollout percentage mutation, operator acknowledgement commits, rollback drill execution, metrics publication, UI refresh runtime enablement, main-thread handoff, runtime disable-switch mutation, rollback execution, operator approval commits, telemetry publication, status publication, UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The nineteenth post-ceiling owner slice is LiteWalletBridgeRuntimeUiRefreshKillSwitchPlan consuming the Batch100 UI refresh rollout-policy projection. The projection marks disabled emergency-disable owner, incident acknowledgement snapshot, feature-flag kill-switch plan, rollback kill-switch plan, kill-switch drill plan, operator escalation gate, post-incident audit plan, guardrail snapshot plan, telemetry publication gate, status-publication gate, audit-persistence gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving emergency-disable activation, feature-flag kill-switch mutation, rollback kill-switch execution, operator escalation publication, incident acknowledgement commits, post-incident audit writes, incident status publication, rollout activation, feature-flag mutation, cohort enrollment, rollout percentage mutation, operator acknowledgement commits, rollback drill execution, metrics publication, UI refresh runtime enablement, main-thread handoff, runtime disable-switch mutation, rollback execution, operator approval commits, telemetry publication, status publication, UI refresh completion acknowledgement, stale-view suppression, post-dispatch status summary publication, UI refresh dispatch, UI mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The twentieth post-ceiling owner slice is LiteWalletBridgeRuntimeUiRefreshReleaseReadinessPlan consuming the Batch100 UI refresh kill-switch projection. The projection marks disabled operator runbook owner, release checklist snapshot, release approval snapshot, support escalation owner, monitoring handoff plan, post-release verification plan, guardrail snapshot plan, telemetry publication gate, status-publication gate, audit-publication gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving release activation, operator runbook publication, support escalation publication, monitoring handoff publication, post-release verification writes, release approval commits, emergency-disable activation, feature-flag kill-switch mutation, rollback kill-switch execution, operator escalation publication, incident acknowledgement commits, post-incident audit writes, incident status publication, telemetry publication, status publication, UI refresh dispatch, UI refresh completion acknowledgement, UI mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

The twenty-first post-ceiling owner slice is LiteWalletBridgeRuntimeUiRefreshProductionReadinessPlan consuming the Batch100 UI refresh release-readiness projection. The projection marks disabled cutover owner, rollback-freeze checklist snapshot, production support handoff, monitoring verification snapshot, post-cutover audit plan, guardrail snapshot plan, telemetry publication gate, status-publication gate, audit-publication gate, UI mutation gate, view-invalidation gate, render-invalidation gate, refresh-queue gate, refresh-timer gate, and WalletState mutation gate ready while preserving cutover activation, rollback-freeze publication, production support handoff publication, monitoring verification publication, post-cutover audit writes, cutover approval commits, release activation, operator runbook publication, support escalation publication, monitoring handoff publication, post-release verification writes, release approval commits, telemetry publication, status publication, UI refresh dispatch, UI refresh completion acknowledgement, UI mutation, view invalidation, render invalidation, refresh queue insertion, timer mutation, status-consumer publication, worker queue, WalletState mutation, sync refresh, post-commit recovery execution, persistence commits, durable writes, artifact mutation, runtime attempts, bridge calls, SDXL calls, result parsing/redaction, call-result cleanup, Rust-string free, shutdown, dynamic loading, and symbol resolution as refused.

Next command: continue lite wallet Phase 2 real bridge runtime owner implementation from Batch100 UI refresh production readiness.

Reference in New Issue View Git Blame Copy Permalink