Skip to content

docs: a2ui-rs screen-addressing proposal — address the screen, not the pixels#204

Merged
AdaWorldAPI merged 1 commit into
mainfrom
claude/a2ui-screen-addressing-proposal
Jul 14, 2026
Merged

docs: a2ui-rs screen-addressing proposal — address the screen, not the pixels#204
AdaWorldAPI merged 1 commit into
mainfrom
claude/a2ui-screen-addressing-proposal

Conversation

@AdaWorldAPI

Copy link
Copy Markdown
Owner

What

The charter for the operator's 2026-07-14 ask: a Citrix-shaped remote desktop that addresses the screen instead of pushing pixelsAdaWorldAPI/A2UI reimagined as the OGAR render target a2ui-rs, on ClassView × WideFieldMask.

docs/A2UI-SCREEN-ADDRESSING-PROPOSAL.md + the D-A2UI-SCREEN-ADDRESSING ledger entry.

The shape

  • Wire: down = (GUID key 16 B, WideFieldMask delta, changed LE values); up = ActionInvocations. No pixels, no JSON/proto in the hot path (Firewall ADR-022/023) — askama renders from borrowed memory, zero serialization (the ERB-pattern fieldview).
  • The client holds the ClassView/template codebookthe ClassView registry is the font of the desktop: you don't stream glyph rasters, you reference codepoints (D-AMORT). The same Rust (ClassView resolve + askama) compiles to wasm, so the browser IS the thin client — no bespoke client needed for v1.
  • Screen = document = one projection (doc-layer A3 extended): DocRenderer gains its 4th adapter — tesseract-PDF / Spire.Doc / askama / a2ui (live surface).
  • RBAC by projection: what leaves the server = WideFieldMask ∩ role-mask (FieldMask::intersect) — an unauthorized field is absent from the wire, not hidden client-side. Pixel streams can't make that guarantee.
  • rdp-2graph security = reuse: ogar-auth (Argon2 KDF) + ogar-encryption (transport). No new crypto.
  • Events upstream are live Klickwege — a click is a navigates_to/ActionInvocation edge in the same closed vocabulary the C# harvest emits statically.

Grounded preflight (fork cloned + verified this session)

Upstream A2UI pattern confirmed ("agents speak UI"; renderers/{react,angular,flutter,lit,web_core}). Prior art in the fork regraded, not deleted: proto/a2ui/hamming.proto (bitpacked fingerprint frames, XOR deltas, BindSpace-era) is the pre-V3 carrier — its service shape survives (RenderStream / ActionStream / codebook sync), its payload is replaced by the V3 facet (16 B key + mask + values vs 1,250 B frames, ~78× smaller per addressed node, key prerenders layout with zero value decode).

Traps named before they bite

T1 component-vocabulary fork (widget skins are templates, never a second closed vocabulary) · T2 behavior-in-tree (the SURREAL-AST trap, UI edition — actions are ActionDef refs on the Core node) · T3 serialization creep (LE end-to-end; membrane adapters only at the edge).

The killer probe — P-REHOST (the transpile endgame)

Re-render one harvested MedCare screen from its CompiledClass × ClassView × askama and fire one of its harvested ActionDefs round-trip: harvest the app → re-render the app, no WinForms. Everything needed exists (Klickwege golden v2, 162 CompiledClass / 2,748 ActionDefs, ogar-render-askama).

Gates (W0 — not jumped)

Mint AdaWorldAPI/a2ui-rs (operator) · council verifies this spec · hamming.proto regrade in the fork. Canon-free: no mints in v1 (widget skins are templates, not concepts).

Generated with Claude Code


Generated by Claude Code

…e pixels

Operator ask (2026-07-14): Citrix-shaped remote desktop via ClassView x
WideFieldMask addressing; askama/ERB fieldview rendering from memory without
serialization; Argon2 for the rdp-2graph; A2UI fork -> a2ui-rs as the OGAR
render target, reimagined with the workspace's optimizations.

The charter (docs/A2UI-SCREEN-ADDRESSING-PROPOSAL.md):
- One sentence: down the wire (GUID 16B, mask delta, LE values), up the wire
  ActionInvocations; the client holds the ClassView/template codebook — the
  ClassView registry is the font of the desktop.
- Screen = document = the SAME positional projection (doc-layer A3 extended);
  DocRenderer gains its 4th adapter: a2ui (live surface).
- RBAC by projection: wire content = WideFieldMask INTERSECT role-mask — an
  unauthorized field is absent, not hidden. Pixels cannot make that guarantee.
- Thin-client answer: wasm = the same Rust (ClassView resolve + askama)
  compiled for the browser; no bespoke thin client needed for v1.
- A2UI fork verified: upstream pattern kept (declarative intent, native
  render, renderers/{react,angular,flutter,lit}); prior-art hamming.proto
  REGRADED pre-V3 (service shape kept, 1250B fingerprint payload replaced by
  16B key + mask + values).
- Traps: component-vocab fork / behavior-in-tree (SURREAL-AST, UI edition) /
  serialization creep.
- Killer probe P-REHOST: re-render one harvested MedCare screen from
  CompiledClass x ClassView x askama + fire one harvested ActionDef — the
  transpile endgame (harvest the app -> re-render the app).
- Waves W0-W5; W0 gates: mint AdaWorldAPI/a2ui-rs (operator) + council.

Ledger: D-A2UI-SCREEN-ADDRESSING appended ([S]).

Co-Authored-By: Claude <noreply@anthropic.com>
@cursor

cursor Bot commented Jul 14, 2026

Copy link
Copy Markdown

Bugbot couldn't run - usage limit reached

Bugbot is counted against Cursor usage for this user or team, and this run hit a usage or spend limit.

A user or team admin can review and increase usage limits in the Cursor dashboard.

(requestId: serverGenReqId_42841671-1657-4788-92b5-836d22294842)

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b0ae858052

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +60 to +62
4. **RBAC by projection (the security headline):** what leaves the server is
`WideFieldMask ∩ role-mask` (`FieldMask::intersect`, the existing RBAC
brick from the SoC/dedup pipeline). A field the role may not see is not

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Require wide role masks before claiming projection security

For any addressed surface with fields past 64, this guarantee is not implementable with the current RBAC mask seam: ClassRbac::field_mask still returns a narrow FieldMask (docs/CLASSID-RBAC-KEYSTONE-SPEC.md:85-90), while the wide renderer exists specifically because WideFieldMask is needed to address every position past FieldMask::MAX_FIELDS (crates/ogar-render-askama/src/rust_class.rs:154-180). Intersecting a WideFieldMask with a narrow role mask (or relying on FieldMask::intersect) either cannot express permissions for fields >=64 or risks falling back to an all-fields sentinel, so the stated “unauthorized field is absent from the wire” property can silently stop holding for the wide screens this proposal targets; the spec should require a WideFieldMask role projection or page the surface before applying RBAC.

Useful? React with 👍 / 👎.

@AdaWorldAPI AdaWorldAPI merged commit dd1ce7a into main Jul 14, 2026
2 checks passed
AdaWorldAPI added a commit that referenced this pull request Jul 14, 2026
docs(a2ui): C1.4 correction — projection security requires WIDE role masks (codex P2 on #204)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants