
Enforce LIP-0008 ingress legitimacy in validation#2

Draft
danvoulez wants to merge 2 commits into add-lip-0008-types from add-lip-0008-validation-enforcement

Conversation

@danvoulez

Summary

Stacked on #1. Adds the enforcement half of LIP-0008: validation now refuses ingress that violates the constitutional tier × grammar matrix, refuses half-context, and refuses capability when no manifest accepts the declared ingress. Per-manifest rejection does not fail early.

This PR has one talent: enforce ingress legitimacy.
It does not become a policy engine, it does not wire dispatch, and it does not call any LLM.

What changed

file                               change
src/validation.rs                  + ingress_tier/ingress_grammar on AdmissibilityContext
                                   + 3 new ValidationError variants
                                   + validate_ingress_context function
                                   + per-manifest ingress filter in validate_capability (no early fail)
src/planning_compiler.rs           + 3 new arms in validation_error_to_runtime_failure (ingress-tagged reason codes)
                                   + ..Default::default() in ctx() test helper
src/plan_executor.rs               + ..Default::default() in ctx() test helper
src/lib.rs                         re-export validate_ingress_context
tests/tier_grammar_validation.rs   NEW 10 focused tests

The three Dan-approved adjustments are in

  1. Half-context fails: IncompleteIngressContext rejects (Some, None) and (None, Some). Legacy (None, None) still passes.
  2. No early-fail across manifests: validate_capability iterates all manifests; NoCapabilityForIngress only fires when none accepts the declared ingress.
  3. No "Operational cannot Execute" — primitive × grammar policy is out of scope here; this PR enforces only ingress legitimacy.

Tests (10)

legacy_both_none_passes                                    ✓
incomplete_tier_only_fails                                 ✓
incomplete_grammar_only_fails                              ✓
mini_plus_strong_fails_constitutionally                    ✓ (TierGrammarIllegitimate)
operator_plus_strong_passes_constitutionally               ✓
manifest_restricts_tier_fails_when_no_alternative          ✓ (NoCapabilityForIngress)
manifest_restricts_grammar_fails_when_no_alternative       ✓ (NoCapabilityForIngress)
multi_manifest_one_accepts_passes                          ✓ (no early fail)
legacy_manifest_passes_when_context_declares_ingress       ✓ (manifest None = permissive)
manifest_explicitly_accepts_passes                         ✓

Lib regression: 141/141 passing, unchanged.

What this PR does NOT do (intentional)

  • ✗ Doesn't wire operational_grammar.rs / strong_grammar.rs to set ingress_tier/ingress_grammar on the context. Caller responsibility; lands in spike PR 4.
  • ✗ Doesn't modify admission.rs. Those types (Boundary/Gate/Passport/Visa) are unchanged; this PR works through the validation.rs pipeline.
  • ✗ Doesn't implement entropy thresholds, Pocket Runtime, Tower/LAB integration, or any LLM call.
  • ✗ Doesn't make Operational unable to lower Execute (primitive × grammar policy — separate PR if/when needed).

Gates

Gate 0 — governance review              LIP-0008 published (governance#2, Proposed)
Gate 1 — consistency pass               clean
Gate 2 — PR 1 (types)                   Draft (#1)
Gate 3 — PR 2 (this, enforcement)       Draft, stacked on PR 1
Gate 4 — Pocket Runtime crate           future (logline-foundation/engine)
Gate 5 — spike GOLDEN-004 end-to-end    future

🤖 Generated with Claude Code
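An added illustration (not the project's code) of the discipline the PR describes: the (None, None) / (Some, Some) / half-context rule, a GrammarKind::admits matrix, and manifest filtering with no early fail across manifests. Type and function names mirror the PR, but the matrix shape (Strong requires Operator, Operational open to every tier), the Manifest allow-list fields, and the usize return of validate_capability are assumptions.

```rust
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Tier { Mini, Operator }
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum GrammarKind { Operational, Strong }
#[derive(Debug, PartialEq)]
pub enum ValidationError { IncompleteIngressContext, TierGrammarIllegitimate, NoCapabilityForIngress }

impl GrammarKind {
    /// Constitutional tier x grammar matrix. Assumed shape: Strong requires Operator,
    /// Operational admits any tier (the PR's tests only pin the two Strong cases).
    pub fn admits(self, tier: Tier) -> bool {
        match self { GrammarKind::Operational => true, GrammarKind::Strong => tier == Tier::Operator }
    }
}

/// Both fields default to None so legacy callers are untouched.
#[derive(Default)]
pub struct AdmissibilityContext { pub ingress_tier: Option<Tier>, pub ingress_grammar: Option<GrammarKind> }

/// (None, None) is legacy and passes; half-context is refused outright;
/// (Some, Some) must be admitted by the matrix.
pub fn validate_ingress_context(ctx: &AdmissibilityContext) -> Result<(), ValidationError> {
    match (ctx.ingress_tier, ctx.ingress_grammar) {
        (None, None) => Ok(()),
        (Some(t), Some(g)) if g.admits(t) => Ok(()),
        (Some(_), Some(_)) => Err(ValidationError::TierGrammarIllegitimate),
        _ => Err(ValidationError::IncompleteIngressContext),
    }
}

/// A manifest's optional allow-lists (assumed); None means permissive, the legacy migration bridge.
#[derive(Default)]
pub struct Manifest { pub tiers: Option<Vec<Tier>>, pub grammars: Option<Vec<GrammarKind>> }

fn permitted<T: PartialEq + Copy>(allowed: &Option<Vec<T>>, declared: Option<T>) -> bool {
    match (allowed, declared) { (Some(list), Some(v)) => list.contains(&v), _ => true }
}

/// Every manifest is consulted (no early fail); the error fires only when none accepts.
/// Returns how many manifests accept the declared ingress.
pub fn validate_capability(ctx: &AdmissibilityContext, manifests: &[Manifest]) -> Result<usize, ValidationError> {
    let accepting = manifests.iter()
        .filter(|m| permitted(&m.tiers, ctx.ingress_tier) && permitted(&m.grammars, ctx.ingress_grammar))
        .count();
    if accepting == 0 { Err(ValidationError::NoCapabilityForIngress) } else { Ok(accepting) }
}

fn main() {
    let ctx = AdmissibilityContext { ingress_tier: Some(Tier::Mini), ingress_grammar: Some(GrammarKind::Strong) };
    println!("{:?}", validate_ingress_context(&ctx)); // Err(TierGrammarIllegitimate)
}
```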

danvoulez and others added 2 commits May 18, 2026 15:17
- Extend AdmissibilityContext with ingress_tier and ingress_grammar
  (both Option, default None — legacy callers untouched).
- Add validate_ingress_context: enforces the (None,None) / (Some,Some)
  / half-context discipline and the GrammarKind::admits matrix.
- Modify validate_capability to filter manifests by LIP-0008 ingress
  acceptance (no early fail across multiple manifests).
- Add three ValidationError variants:
    IncompleteIngressContext
    TierGrammarIllegitimate
    NoCapabilityForIngress
- Map all three into RuntimeFailure in the planning compiler's
  back-compat projector with ingress-specific reason codes.
- Add ..Default::default() to two test-helper AdmissibilityContext
  literals so the new fields adopt None.

Tests: tier_grammar_validation.rs — 10 cases covering legacy both-None,
half-context rejection, constitutional matrix, per-manifest restriction
without alternative, multi-manifest with one accepting, legacy manifest
permissiveness, explicit acceptance.

Lib regression: 141/141, unchanged.

Tracks LIP-0008 (Proposed). Stacked on add-lip-0008-types (PR #1).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Mention LIP-0008 tier/grammar support in README
- Mention LIP-0008 support in crate docs
- Mark legacy permissive manifest behavior as migration bridge
- No behavior changes

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@danvoulez danvoulez force-pushed the add-lip-0008-validation-enforcement branch from 6883187 to 0b91898 Compare May 18, 2026 14:26