From e445cf754a09b82766f9b98c19141a3e35b01ae6 Mon Sep 17 00:00:00 2001
From: Jon Langevin <codingsloth@pm.me>
Date: Mon, 25 May 2026 01:22:29 -0400
Subject: [PATCH] feat: add default provider runtime contract

---
 protocol/types.go      | 26 ++++++++++++++++++++++++++
 protocol/types_test.go | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/protocol/types.go b/protocol/types.go
index 789efef..17a47c2 100644
--- a/protocol/types.go
+++ b/protocol/types.go
@@ -1327,6 +1327,32 @@ func DefaultProviderRuntimeProfile(executorProvider string, tier ExecutionSecuri
 	}
 }
 
+type ProviderRuntimeContractOptions struct {
+	ConformanceProfiles          []string
+	UpstreamClientConformance    UpstreamClientConformance
+	UpstreamClientEvidenceRef    string
+	UpstreamClientEvidenceDigest string
+}
+
+func DefaultProviderRuntimeContract(executors []string, tiers []ExecutionSecurityTier, proofs []ProofTier, options ProviderRuntimeContractOptions) ProviderRuntimeContract {
+	profiles := make([]ProviderRuntimeProfile, 0, len(executors)*len(tiers)*len(proofs))
+	for _, executorProvider := range executors {
+		for _, tier := range tiers {
+			for _, proof := range proofs {
+				profile := DefaultProviderRuntimeProfile(executorProvider, tier, proof)
+				profile.ConformanceProfiles = append(profile.ConformanceProfiles, options.ConformanceProfiles...)
+				if options.UpstreamClientConformance != "" {
+					profile.UpstreamClientConformance = options.UpstreamClientConformance
+				}
+				profile.UpstreamClientEvidenceRef = options.UpstreamClientEvidenceRef
+				profile.UpstreamClientEvidenceDigest = options.UpstreamClientEvidenceDigest
+				profiles = append(profiles, profile)
+			}
+		}
+	}
+	return ProviderRuntimeContract{Profiles: profiles}
+}
+
 type NetworkProduct struct {
 	ProtocolVersion      string                    `json:"protocol_version"`
 	ID                   string                    `json:"id"`
diff --git a/protocol/types_test.go b/protocol/types_test.go
index 323995e..62d3b05 100644
--- a/protocol/types_test.go
+++ b/protocol/types_test.go
@@ -778,6 +778,39 @@ func TestProviderContractAppliesProviderConformanceEvidence(t *testing.T) {
 	}
 }
 
+func TestDefaultProviderRuntimeContractBuildsRuntimeMatrix(t *testing.T) {
+	contract := protocol.DefaultProviderRuntimeContract(
+		[]string{"sandboxed-command", "service-sandboxed-container"},
+		[]protocol.ExecutionSecurityTier{protocol.ExecutionSandboxedContainer},
+		[]protocol.ProofTier{protocol.ProofArtifactHash},
+		protocol.ProviderRuntimeContractOptions{
+			ConformanceProfiles:       []string{"upstream-client-v1"},
+			UpstreamClientConformance: protocol.UpstreamClientConformanceRealClient,
+			UpstreamClientEvidenceRef: "artifact://providers/example/evidence/upstream-client-v1",
+			UpstreamClientEvidenceDigest: protocol.CanonicalHash(
+				"evidence",
+			),
+		},
+	)
+
+	if len(contract.Profiles) != 2 {
+		t.Fatalf("runtime profiles = %d, want 2: %+v", len(contract.Profiles), contract.Profiles)
+	}
+	for _, profile := range contract.Profiles {
+		if profile.ExecutionSecurityTier != protocol.ExecutionSandboxedContainer ||
+			profile.ProofTier != protocol.ProofArtifactHash ||
+			profile.UpstreamClientConformance != protocol.UpstreamClientConformanceRealClient ||
+			profile.UpstreamClientEvidenceRef == "" ||
+			profile.UpstreamClientEvidenceDigest == "" {
+			t.Fatalf("runtime profile missing shared options: %+v", profile)
+		}
+		if !slices.Contains(profile.ConformanceProfiles, "service-oci-v1") ||
+			!slices.Contains(profile.ConformanceProfiles, "upstream-client-v1") {
+			t.Fatalf("runtime profile missing default or option conformance profiles: %+v", profile.ConformanceProfiles)
+		}
+	}
+}
+
 func countString(values []string, target string) int {
 	count := 0
 	for _, value := range values {