docs: a2ui-rs screen-addressing proposal — address the screen, not the pixels#204
Conversation
…e pixels
Operator ask (2026-07-14): Citrix-shaped remote desktop via ClassView x
WideFieldMask addressing; askama/ERB fieldview rendering from memory without
serialization; Argon2 for the rdp-2graph; A2UI fork -> a2ui-rs as the OGAR
render target, reimagined with the workspace's optimizations.
The charter (docs/A2UI-SCREEN-ADDRESSING-PROPOSAL.md):
- One sentence: down the wire (GUID 16B, mask delta, LE values), up the wire
ActionInvocations; the client holds the ClassView/template codebook — the
ClassView registry is the font of the desktop.
- Screen = document = the SAME positional projection (doc-layer A3 extended);
DocRenderer gains its 4th adapter: a2ui (live surface).
- RBAC by projection: wire content = WideFieldMask INTERSECT role-mask — an
unauthorized field is absent, not hidden. Pixels cannot make that guarantee.
- Thin-client answer: wasm = the same Rust (ClassView resolve + askama)
compiled for the browser; no bespoke thin client needed for v1.
- A2UI fork verified: upstream pattern kept (declarative intent, native
render, renderers/{react,angular,flutter,lit}); prior-art hamming.proto
REGRADED pre-V3 (service shape kept, 1250B fingerprint payload replaced by
16B key + mask + values).
- Traps: component-vocab fork / behavior-in-tree (SURREAL-AST, UI edition) /
serialization creep.
- Killer probe P-REHOST: re-render one harvested MedCare screen from
CompiledClass x ClassView x askama + fire one harvested ActionDef — the
transpile endgame (harvest the app -> re-render the app).
- Waves W0-W5; W0 gates: mint AdaWorldAPI/a2ui-rs (operator) + council.
Ledger: D-A2UI-SCREEN-ADDRESSING appended ([S]).
Co-Authored-By: Claude <noreply@anthropic.com>
Bugbot couldn't run - usage limit reachedBugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit. A user or team admin can review and increase usage limits in the Cursor dashboard. (requestId: serverGenReqId_42841671-1657-4788-92b5-836d22294842) |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b0ae858052
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| 4. **RBAC by projection (the security headline):** what leaves the server is | ||
| `WideFieldMask ∩ role-mask` (`FieldMask::intersect`, the existing RBAC | ||
| brick from the SoC/dedup pipeline). A field the role may not see is not |
There was a problem hiding this comment.
Require wide role masks before claiming projection security
For any addressed surface with fields past 64, this guarantee is not implementable with the current RBAC mask seam: ClassRbac::field_mask still returns a narrow FieldMask (docs/CLASSID-RBAC-KEYSTONE-SPEC.md:85-90), while the wide renderer exists specifically because WideFieldMask is needed to address every position past FieldMask::MAX_FIELDS (crates/ogar-render-askama/src/rust_class.rs:154-180). Intersecting a WideFieldMask with a narrow role mask (or relying on FieldMask::intersect) either cannot express permissions for fields >=64 or risks falling back to an all-fields sentinel, so the stated “unauthorized field is absent from the wire” property can silently stop holding for the wide screens this proposal targets; the spec should require a WideFieldMask role projection or page the surface before applying RBAC.
Useful? React with 👍 / 👎.
docs(a2ui): C1.4 correction — projection security requires WIDE role masks (codex P2 on #204)
What
The charter for the operator's 2026-07-14 ask: a Citrix-shaped remote desktop that addresses the screen instead of pushing pixels —
AdaWorldAPI/A2UIreimagined as the OGAR render targeta2ui-rs, on ClassView × WideFieldMask.docs/A2UI-SCREEN-ADDRESSING-PROPOSAL.md+ theD-A2UI-SCREEN-ADDRESSINGledger entry.The shape
(GUID key 16 B, WideFieldMask delta, changed LE values); up =ActionInvocations. No pixels, no JSON/proto in the hot path (Firewall ADR-022/023) — askama renders from borrowed memory, zero serialization (the ERB-pattern fieldview).DocRenderergains its 4th adapter — tesseract-PDF / Spire.Doc / askama / a2ui (live surface).WideFieldMask ∩ role-mask(FieldMask::intersect) — an unauthorized field is absent from the wire, not hidden client-side. Pixel streams can't make that guarantee.ogar-auth(Argon2 KDF) +ogar-encryption(transport). No new crypto.navigates_to/ActionInvocationedge in the same closed vocabulary the C# harvest emits statically.Grounded preflight (fork cloned + verified this session)
Upstream A2UI pattern confirmed ("agents speak UI";
renderers/{react,angular,flutter,lit,web_core}). Prior art in the fork regraded, not deleted:proto/a2ui/hamming.proto(bitpacked fingerprint frames, XOR deltas, BindSpace-era) is the pre-V3 carrier — its service shape survives (RenderStream / ActionStream / codebook sync), its payload is replaced by the V3 facet (16 B key + mask + values vs 1,250 B frames, ~78× smaller per addressed node, key prerenders layout with zero value decode).Traps named before they bite
T1 component-vocabulary fork (widget skins are templates, never a second closed vocabulary) · T2 behavior-in-tree (the SURREAL-AST trap, UI edition — actions are
ActionDefrefs on the Core node) · T3 serialization creep (LE end-to-end; membrane adapters only at the edge).The killer probe — P-REHOST (the transpile endgame)
Re-render one harvested MedCare screen from its
CompiledClass× ClassView × askama and fire one of its harvestedActionDefs round-trip: harvest the app → re-render the app, no WinForms. Everything needed exists (Klickwege golden v2, 162 CompiledClass / 2,748 ActionDefs,ogar-render-askama).Gates (W0 — not jumped)
Mint
AdaWorldAPI/a2ui-rs(operator) · council verifies this spec · hamming.proto regrade in the fork. Canon-free: no mints in v1 (widget skins are templates, not concepts).Generated with Claude Code
Generated by Claude Code