From adffaf7632d7ce6f793b55e2272c0372f6084b82 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:31:33 -0400
Subject: [PATCH 01/20] Replay RetryLoopFingerprint schema on current main
---
schemas/RetryLoopFingerprint.json | 118 ++++++++++++++++++++++++++++++
1 file changed, 118 insertions(+)
create mode 100644 schemas/RetryLoopFingerprint.json
diff --git a/schemas/RetryLoopFingerprint.json b/schemas/RetryLoopFingerprint.json
new file mode 100644
index 0000000..7b6cfe5
--- /dev/null
+++ b/schemas/RetryLoopFingerprint.json
@@ -0,0 +1,118 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/RetryLoopFingerprint.json",
+ "title": "RetryLoopFingerprint",
+ "description": "A bounded summary of a repeated runtime failure or retry loop, preserving count, cadence, burst density, policy validity, and terminal state.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "signature",
+ "sourceComponent",
+ "firstSeen",
+ "lastSeen",
+ "count",
+ "retryClass",
+ "terminalState",
+ "policyValidity"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "pattern": "^urn:srcos:retry-loop:"
+ },
+ "type": {
+ "const": "RetryLoopFingerprint"
+ },
+ "specVersion": {
+ "type": "string"
+ },
+ "signature": {
+ "type": "string",
+ "minLength": 1
+ },
+ "sourceComponent": {
+ "type": "string",
+ "minLength": 1
+ },
+ "firstSeen": {
+ "type": "string",
+ "format": "date-time"
+ },
+ "lastSeen": {
+ "type": "string",
+ "format": "date-time"
+ },
+ "count": {
+ "type": "integer",
+ "minimum": 1
+ },
+ "medianIntervalMs": {
+ "type": "number",
+ "minimum": 0
+ },
+ "maxEventsPerSecond": {
+ "type": "integer",
+ "minimum": 1
+ },
+ "retryClass": {
+ "enum": [
+ "polling",
+ "burst",
+ "backoff",
+ "sweep",
+ "respawn",
+ "unknown"
+ ]
+ },
+ "terminalState": {
+ "enum": [
+ "resolved",
+ "still-looping",
+ "suppressed",
+ "quarantined",
+ "escalated",
+ "unknown"
+ ]
+ },
+ "policyValidity": {
+ "enum": [
+ "expected",
+ "unexpected",
+ "denied-correctly",
+ "denied-but-noisy",
+ "invalid-retry",
+ "unknown"
+ ]
+ },
+ "severity": {
+ "enum": [
+ "debug",
+ "info",
+ "warn",
+ "error",
+ "critical"
+ ]
+ },
+ "sampleEventRefs": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "causalParentRef": {
+ "type": "string"
+ },
+ "suppressionPolicy": {
+ "type": "string"
+ },
+ "userVisibleImpact": {
+ "type": "string"
+ },
+ "remediationHint": {
+ "type": "string"
+ }
+ }
+}
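Review bot: The description calls this a bounded summary, but nothing in the schema bounds it: `sampleEventRefs` has no `maxItems`, and no string property (`signature`, `remediationHint`, the ref items) has a `maxLength`. A producer stuck in the loop being summarized can therefore emit arbitrarily large records that still validate. I would cap the array and its items, for example `"sampleEventRefs": { "type": "array", "maxItems": 16, "items": { "type": "string", "maxLength": 512 } }` (both limits are illustrative; use the project's own). The same applies to `sampleEvents` and `evidenceRefs` in DiagnosticStormRecord and to the `evidenceRefs` arrays in the other schemas of this series.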
From 3978d3a155e6b3d3f183e9b5f617f28745fb4411 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:32:26 -0400
Subject: [PATCH 02/20] Replay SecurityVerdictState schema on current main
---
schemas/SecurityVerdictState.json | 82 +++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
create mode 100644 schemas/SecurityVerdictState.json
diff --git a/schemas/SecurityVerdictState.json b/schemas/SecurityVerdictState.json
new file mode 100644
index 0000000..93dae4b
--- /dev/null
+++ b/schemas/SecurityVerdictState.json
@@ -0,0 +1,82 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/SecurityVerdictState.json",
+ "title": "SecurityVerdictState",
+ "description": "A typed state record for security or network-flow verdict availability, including degraded provider states such as no-verdict-provider or policy-unavailable.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "subjectRef",
+ "decision",
+ "observedAt",
+ "verdictProviderState"
+ ],
+ "properties": {
+ "id": {
+ "type": "string",
+ "pattern": "^urn:srcos:security-verdict:"
+ },
+ "type": {
+ "const": "SecurityVerdictState"
+ },
+ "specVersion": {
+ "type": "string"
+ },
+ "subjectRef": {
+ "type": "string",
+ "minLength": 1
+ },
+ "objectRef": {
+ "type": "string"
+ },
+ "flowRef": {
+ "type": "string"
+ },
+ "observedAt": {
+ "type": "string",
+ "format": "date-time"
+ },
+ "decision": {
+ "enum": [
+ "allow",
+ "deny",
+ "ask",
+ "defer",
+ "no-verdict",
+ "unknown"
+ ]
+ },
+ "verdictProviderState": {
+ "enum": [
+ "ready",
+ "no-verdict-provider",
+ "provider-invalid",
+ "provider-not-ready",
+ "policy-unavailable",
+ "evidence-insufficient",
+ "unknown"
+ ]
+ },
+ "policyRef": {
+ "type": "string"
+ },
+ "providerRef": {
+ "type": "string"
+ },
+ "evidenceRefs": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "userVisibleImpact": {
+ "type": "string"
+ },
+ "remediationHint": {
+ "type": "string"
+ }
+ }
+}
From 7c4b2398d7a1365afbe4fe75f4b16ffd4c95c0d7 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:34:02 -0400
Subject: [PATCH 03/20] Replay NetworkTruthState schema on current main
---
schemas/NetworkTruthState.json | 45 ++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 schemas/NetworkTruthState.json
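Review bot: `decision` and `verdictProviderState` are validated independently, so a record with `"decision": "allow"` and `"verdictProviderState": "no-verdict-provider"` passes the schema, and a consumer that reads only `decision` would treat a degraded provider as an allow. An `if`/`then` at the top level of the schema can rule that combination out; the sketch below forbids `allow` whenever the provider state is anything other than `ready`. BrowserLaunchTransaction, later in this series, has the same kind of gap: `childProcessSpawnAllowed` may be `true` while `capabilityPreflightPassed` or `desktopBrokerValid` is `false`.

```json
"if": {
  "properties": {
    "verdictProviderState": { "not": { "const": "ready" } }
  }
},
"then": {
  "properties": {
    "decision": { "not": { "const": "allow" } }
  }
}
```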
diff --git a/schemas/NetworkTruthState.json b/schemas/NetworkTruthState.json
new file mode 100644
index 0000000..522b0bc
--- /dev/null
+++ b/schemas/NetworkTruthState.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/NetworkTruthState.json",
+ "title": "NetworkTruthState",
+ "description": "A layered network-state observation that separates radio, association, DHCP, DNS, route, captive portal, internet, mesh, overlay, and trusted-peer reachability instead of reducing connectivity to online/offline.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "observedAt",
+ "networkEpoch",
+ "radioState",
+ "associationState",
+ "dhcpState",
+ "dnsState",
+ "routeState",
+ "internetReachability",
+ "localMeshReachability"
+ ],
+ "properties": {
+ "id": { "type": "string", "pattern": "^urn:srcos:network-truth:" },
+ "type": { "const": "NetworkTruthState" },
+ "specVersion": { "type": "string" },
+ "observedAt": { "type": "string", "format": "date-time" },
+ "networkEpoch": { "type": "string", "minLength": 1 },
+ "interfaceRef": { "type": "string" },
+ "deviceIdentityState": { "enum": ["present", "missing", "nil", "ambiguous", "unknown"] },
+ "radioState": { "enum": ["off", "on", "resetting", "unavailable", "unknown"] },
+ "associationState": { "enum": ["not-associated", "associating", "associated", "unstable", "unknown"] },
+ "authenticationState": { "enum": ["not-authenticated", "authenticating", "authenticated", "failed", "unknown"] },
+ "dhcpState": { "enum": ["not-started", "acquiring", "leased", "failed", "observer-failed", "unknown"] },
+ "dnsState": { "enum": ["not-configured", "configured", "degraded", "failed", "observer-failed", "unknown"] },
+ "routeState": { "enum": ["no-route", "route-present", "route-conflict", "route-failed", "unknown"] },
+ "captivePortalState": { "enum": ["not-detected", "detected", "credential-missing", "authenticated", "unknown"] },
+ "internetReachability": { "enum": ["reachable", "unreachable", "degraded", "unknown"] },
+ "localMeshReachability": { "enum": ["reachable", "unreachable", "degraded", "not-configured", "unknown"] },
+ "vpnOrPrivacyOverlayState": { "enum": ["off", "on", "degraded", "policy-blocked", "unknown"] },
+ "trustedPeerPathState": { "enum": ["available", "unavailable", "degraded", "not-evaluated", "unknown"] },
+ "evidenceRefs": { "type": "array", "items": { "type": "string" } },
+ "userVisibleSummary": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+}
From e4e052e06896e060e0e9639e503a13db648a5fe1 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:35:30 -0400
Subject: [PATCH 04/20] Replay BrowserLaunchTransaction schema on current main
---
schemas/BrowserLaunchTransaction.json | 43 +++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 schemas/BrowserLaunchTransaction.json
diff --git a/schemas/BrowserLaunchTransaction.json b/schemas/BrowserLaunchTransaction.json
new file mode 100644
index 0000000..abeb557
--- /dev/null
+++ b/schemas/BrowserLaunchTransaction.json
@@ -0,0 +1,43 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/BrowserLaunchTransaction.json",
+ "title": "BrowserLaunchTransaction",
+ "description": "A preflighted launch transaction for browser or browser-like child processes, ensuring capability, identity, broker, profile, extension, and network truth preconditions are satisfied.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "componentRef",
+ "phaseStatus",
+ "capabilityPreflightPassed",
+ "identityGraphValid",
+ "desktopBrokerValid",
+ "profileStoreValid",
+ "extensionRegistryValid",
+ "networkTruthSnapshotCaptured",
+ "childProcessSpawnAllowed",
+ "observedAt"
+ ],
+ "properties": {
+ "id": { "type": "string", "pattern": "^urn:srcos:browser-launch-transaction:" },
+ "type": { "const": "BrowserLaunchTransaction" },
+ "specVersion": { "type": "string" },
+ "componentRef": { "type": "string", "minLength": 1 },
+ "phaseStatus": { "enum": ["preflight", "degraded", "failed", "completed"] },
+ "capabilityPreflightPassed": { "type": "boolean" },
+ "identityGraphValid": { "type": "boolean" },
+ "desktopBrokerValid": { "type": "boolean" },
+ "profileStoreValid": { "type": "boolean" },
+ "extensionRegistryValid": { "type": "boolean" },
+ "networkTruthSnapshotCaptured": { "type": "boolean" },
+ "childProcessSpawnAllowed": { "type": "boolean" },
+ "childProcessAttested": { "type": "boolean" },
+ "pageLoadStarted": { "type": "boolean" },
+ "observedAt": { "type": "string", "format": "date-time" },
+ "evidenceRefs": { "type": "array", "items": { "type": "string" } },
+ "userVisibleImpact": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+}
From d52c5fd7c59307d6c9b30bb88c65942e2030a31f Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:36:44 -0400
Subject: [PATCH 05/20] Replay DiagnosticStormRecord schema on current main
---
schemas/DiagnosticStormRecord.json | 56 ++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 schemas/DiagnosticStormRecord.json
diff --git a/schemas/DiagnosticStormRecord.json b/schemas/DiagnosticStormRecord.json
new file mode 100644
index 0000000..d60b07d
--- /dev/null
+++ b/schemas/DiagnosticStormRecord.json
@@ -0,0 +1,56 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/DiagnosticStormRecord.json",
+ "title": "DiagnosticStormRecord",
+ "description": "A bounded diagnostic-storm summary that preserves repeated event signatures, timing, count, severity, representative samples, suppression state, terminal state, and linked incidents.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "signature",
+ "sourceComponent",
+ "normalizedFailureClass",
+ "firstSeen",
+ "lastSeen",
+ "repeatCount",
+ "severity",
+ "terminalState",
+ "suppressionPolicy"
+ ],
+ "properties": {
+ "id": { "type": "string", "pattern": "^urn:srcos:diagnostic-storm:" },
+ "type": { "const": "DiagnosticStormRecord" },
+ "specVersion": { "type": "string" },
+ "signature": { "type": "string", "minLength": 1 },
+ "sourceComponent": { "type": "string", "minLength": 1 },
+ "normalizedFailureClass": { "enum": ["capability-denial", "network-observer-failure", "security-verdict-unavailable", "registry-integrity-failure", "maintenance-sweep-failure", "browser-launch-failure", "identity-resolution-failure", "boot-phase-gate-failure", "unknown"] },
+ "firstSeen": { "type": "string", "format": "date-time" },
+ "lastSeen": { "type": "string", "format": "date-time" },
+ "repeatCount": { "type": "integer", "minimum": 1 },
+ "medianIntervalMs": { "type": "number", "minimum": 0 },
+ "maxEventsPerSecond": { "type": "integer", "minimum": 1 },
+ "severity": { "enum": ["debug", "info", "warn", "error", "critical"] },
+ "sampleEvents": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["eventRef", "messageTemplate"],
+ "properties": {
+ "eventRef": { "type": "string" },
+ "messageTemplate": { "type": "string" },
+ "observedAt": { "type": "string", "format": "date-time" }
+ }
+ }
+ },
+ "suppressionPolicy": { "enum": ["none", "deduplicate", "summarize", "suppress", "quarantine", "escalate", "unknown"] },
+ "terminalState": { "enum": ["resolved", "still-active", "suppressed", "quarantined", "escalated", "unknown"] },
+ "linkedIncidentRef": { "type": "string" },
+ "causalParentRef": { "type": "string" },
+ "evidenceRefs": { "type": "array", "items": { "type": "string" } },
+ "userVisibleSummary": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+}
From 2c16acdcc25d52b101352745f758fdf389ebebc2 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:37:47 -0400
Subject: [PATCH 06/20] Replay MaintenanceEpoch schema on current main
---
schemas/MaintenanceEpoch.json | 45 +++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 schemas/MaintenanceEpoch.json
diff --git a/schemas/MaintenanceEpoch.json b/schemas/MaintenanceEpoch.json
new file mode 100644
index 0000000..ce10b8c
--- /dev/null
+++ b/schemas/MaintenanceEpoch.json
@@ -0,0 +1,45 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/MaintenanceEpoch.json",
+ "title": "MaintenanceEpoch",
+ "description": "A bounded record for background maintenance sweeps such as cleanup, cache deletion, indexing, backup, plugin scans, cloud purge, and experiment/config refresh.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "startedAt",
+ "epochKind",
+ "state",
+ "sourceComponent",
+ "allowedDuringInteractiveLaunch",
+ "emissionBudget"
+ ],
+ "properties": {
+ "id": { "type": "string", "pattern": "^urn:srcos:maintenance-epoch:" },
+ "type": { "const": "MaintenanceEpoch" },
+ "specVersion": { "type": "string" },
+ "startedAt": { "type": "string", "format": "date-time" },
+ "endedAt": { "type": "string", "format": "date-time" },
+ "epochKind": { "enum": ["cleanup", "cache-delete", "indexing", "backup", "plugin-scan", "cloud-purge", "experiment-refresh", "registry-sweep", "unknown"] },
+ "state": { "enum": ["running", "completed", "failed", "degraded", "suppressed", "unknown"] },
+ "sourceComponent": { "type": "string", "minLength": 1 },
+ "allowedDuringInteractiveLaunch": { "type": "boolean" },
+ "bootPhaseRequirement": { "enum": ["sealed-boot", "pre-login", "post-login-locked", "unlocked-user-session", "degraded-session", "recovery-session", "unknown"] },
+ "lockRequirements": { "type": "array", "items": { "type": "string" } },
+ "emissionBudget": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["maxEventsPerMinute", "onBudgetExceeded"],
+ "properties": {
+ "maxEventsPerMinute": { "type": "integer", "minimum": 1 },
+ "onBudgetExceeded": { "enum": ["summarize", "suppress", "quarantine", "escalate", "unknown"] }
+ }
+ },
+ "observedStormRefs": { "type": "array", "items": { "type": "string" } },
+ "evidenceRefs": { "type": "array", "items": { "type": "string" } },
+ "userVisibleSummary": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+}
From f430a549a4c9afb4e3ef0136a354a52c3a1a94a3 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:38:39 -0400
Subject: [PATCH 07/20] Replay BootSessionPhaseState schema on current main
---
schemas/BootSessionPhaseState.json | 63 ++++++++++++++++++++++++++++++
1 file changed, 63 insertions(+)
create mode 100644 schemas/BootSessionPhaseState.json
diff --git a/schemas/BootSessionPhaseState.json b/schemas/BootSessionPhaseState.json
new file mode 100644
index 0000000..59e1374
--- /dev/null
+++ b/schemas/BootSessionPhaseState.json
@@ -0,0 +1,63 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/BootSessionPhaseState.json",
+ "title": "BootSessionPhaseState",
+ "description": "A boot/session phase record used to gate services that require user unlock, keyrings, portals, desktop brokers, or recovery-mode boundaries before execution.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "observedAt",
+ "bootId",
+ "sessionId",
+ "phase",
+ "phaseVerdict",
+ "allowedComponents",
+ "blockedComponents"
+ ],
+ "properties": {
+ "id": { "type": "string", "pattern": "^urn:srcos:boot-session-phase:" },
+ "type": { "const": "BootSessionPhaseState" },
+ "specVersion": { "type": "string" },
+ "observedAt": { "type": "string", "format": "date-time" },
+ "bootId": { "type": "string", "minLength": 1 },
+ "sessionId": { "type": "string", "minLength": 1 },
+ "phase": { "enum": ["sealed-boot", "pre-login", "post-login-locked", "unlocked-user-session", "degraded-session", "recovery-session", "unknown"] },
+ "phaseVerdict": { "enum": ["ready", "not-ready", "degraded", "recovery-only", "unknown"] },
+ "availableKeyrings": { "type": "array", "items": { "type": "string" } },
+ "availablePortals": { "type": "array", "items": { "type": "string" } },
+ "allowedComponents": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["componentRef", "state"],
+ "properties": {
+ "componentRef": { "type": "string" },
+ "state": { "enum": ["allowed", "allowed-degraded", "unknown"] },
+ "reason": { "type": "string" }
+ }
+ }
+ },
+ "blockedComponents": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["componentRef", "requiredPhase", "state"],
+ "properties": {
+ "componentRef": { "type": "string" },
+ "requiredPhase": { "enum": ["sealed-boot", "pre-login", "post-login-locked", "unlocked-user-session", "degraded-session", "recovery-session", "unknown"] },
+ "state": { "enum": ["blocked", "deferred", "quarantined", "unknown"] },
+ "reason": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+ }
+ },
+ "evidenceRefs": { "type": "array", "items": { "type": "string" } },
+ "userVisibleSummary": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+}
From 45fd9d29c8b144fa94b0e61cb73407976028ae00 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:42:15 -0400
Subject: [PATCH 08/20] Replay DesktopServiceBrokerState schema on current main
---
schemas/DesktopServiceBrokerState.json | 60 ++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 schemas/DesktopServiceBrokerState.json
diff --git a/schemas/DesktopServiceBrokerState.json b/schemas/DesktopServiceBrokerState.json
new file mode 100644
index 0000000..0232924
--- /dev/null
+++ b/schemas/DesktopServiceBrokerState.json
@@ -0,0 +1,60 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/DesktopServiceBrokerState.json",
+ "title": "DesktopServiceBrokerState",
+ "description": "A desktop-service broker availability record for pasteboard, launcher, file provider, notification, extension, credential, and network-settings surfaces consumed by sandboxed apps and child processes.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "observedAt",
+ "componentRef",
+ "overallState",
+ "brokers"
+ ],
+ "properties": {
+ "id": { "type": "string", "pattern": "^urn:srcos:desktop-service-broker-state:" },
+ "type": { "const": "DesktopServiceBrokerState" },
+ "specVersion": { "type": "string" },
+ "observedAt": { "type": "string", "format": "date-time" },
+ "componentRef": { "type": "string", "minLength": 1 },
+ "overallState": { "enum": ["ready", "degraded", "unavailable", "policy-blocked", "unknown"] },
+ "brokers": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["brokerKind", "state"],
+ "properties": {
+ "brokerKind": {
+ "enum": [
+ "pasteboard",
+ "launcher",
+ "core-services",
+ "file-provider",
+ "notification",
+ "extension-registry",
+ "intents",
+ "network-settings",
+ "credential-prompt",
+ "url-opener",
+ "accessibility",
+ "unknown"
+ ]
+ },
+ "state": { "enum": ["ready", "degraded", "unavailable", "policy-blocked", "not-configured", "unknown"] },
+ "policyRef": { "type": "string" },
+ "fallback": { "type": "string" },
+ "userVisibleImpact": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+ }
+ },
+ "evidenceRefs": { "type": "array", "items": { "type": "string" } },
+ "userVisibleSummary": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+}
From 3d81d2840e59c2fc2cb3082395822e453a9af2e8 Mon Sep 17 00:00:00 2001
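Review bot: `brokers` is keyed only by convention, so two entries with the same `brokerKind` and different `state` values validate, and `overallState` can be `ready` while an entry is `policy-blocked`. JSON Schema cannot require uniqueness on a single property of array items, so this needs either an object keyed by broker kind or a documented rule for consumers. At minimum I would add a `description` on `brokers` such as `"At most one entry per brokerKind; if duplicates occur, consumers must apply the most restrictive state."`.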
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:49:57 -0400
Subject: [PATCH 09/20] Replay RuntimeRegistryIntegrityRecord schema on current main
---
schemas/RuntimeRegistryIntegrityRecord.json | 47 +++++++++++++++++++++
1 file changed, 47 insertions(+)
create mode 100644 schemas/RuntimeRegistryIntegrityRecord.json
diff --git a/schemas/RuntimeRegistryIntegrityRecord.json b/schemas/RuntimeRegistryIntegrityRecord.json
new file mode 100644
index 0000000..afad764
--- /dev/null
+++ b/schemas/RuntimeRegistryIntegrityRecord.json
@@ -0,0 +1,47 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "$id": "https://schemas.srcos.ai/v2/RuntimeRegistryIntegrityRecord.json",
+ "title": "RuntimeRegistryIntegrityRecord",
+ "description": "An integrity record for runtime registries such as package receipts, extension records, broker registrations, manifests, and desktop-service records.",
+ "type": "object",
+ "additionalProperties": false,
+ "required": [
+ "id",
+ "type",
+ "specVersion",
+ "observedAt",
+ "componentRef",
+ "verificationVerdict",
+ "registryRecords"
+ ],
+ "properties": {
+ "id": { "type": "string", "pattern": "^urn:srcos:runtime-registry-integrity:" },
+ "type": { "const": "RuntimeRegistryIntegrityRecord" },
+ "specVersion": { "type": "string" },
+ "observedAt": { "type": "string", "format": "date-time" },
+ "componentRef": { "type": "string", "minLength": 1 },
+ "bundleOrPackageIdentity": { "type": "string" },
+ "manifestDigest": { "type": "string" },
+ "verificationVerdict": { "enum": ["valid", "degraded", "missing", "invalid", "quarantined", "unknown"] },
+ "registryRecords": {
+ "type": "array",
+ "minItems": 1,
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "required": ["recordKind", "state"],
+ "properties": {
+ "recordKind": { "enum": ["receipt", "extension-record", "extension-point", "broker-record", "package-manifest", "launch-record", "profile-record", "namespace-descriptor", "unknown"] },
+ "recordRef": { "type": "string" },
+ "state": { "enum": ["present", "missing", "invalid", "stale", "quarantined", "unknown"] },
+ "errorCode": { "type": "string" },
+ "userVisibleImpact": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+ }
+ },
+ "evidenceRefs": { "type": "array", "items": { "type": "string" } },
+ "userVisibleSummary": { "type": "string" },
+ "remediationHint": { "type": "string" }
+ }
+}
From 13c543b659e85346e0c5fe9a60b82e660fd02141 Mon Sep 17 00:00:00 2001
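Review bot: `manifestDigest` is an optional free-form string, so a record can report `"verificationVerdict": "valid"` with no digest at all, or with a value whose algorithm and encoding the consumer cannot determine. For an integrity record I would constrain the format and require the field whenever the verdict is `valid`. If SHA-256 is what the project uses, something like `"manifestDigest": { "type": "string", "pattern": "^sha256:[0-9a-f]{64}$" }` would do; the digest convention itself is not visible in this series, so treat that pattern as an example.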
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:52:57 -0400
Subject: [PATCH 10/20] Replay RetryLoopFingerprint example on current main
---
examples/retry_loop_fingerprint.json | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100644 examples/retry_loop_fingerprint.json
diff --git a/examples/retry_loop_fingerprint.json b/examples/retry_loop_fingerprint.json
new file mode 100644
index 0000000..2d29be2
--- /dev/null
+++ b/examples/retry_loop_fingerprint.json
@@ -0,0 +1,20 @@
+{
+ "id": "urn:srcos:retry-loop:synthetic-denial-loop-001",
+ "type": "RetryLoopFingerprint",
+ "specVersion": "2.0.0",
+ "signature": "synthetic_denial_loop",
+ "sourceComponent": "synthetic-runtime-observer",
+ "firstSeen": "2026-05-06T22:35:44Z",
+ "lastSeen": "2026-05-06T22:37:54Z",
+ "count": 176,
+ "medianIntervalMs": 556,
+ "maxEventsPerSecond": 2,
+ "retryClass": "polling",
+ "terminalState": "still-looping",
+ "policyValidity": "denied-but-noisy",
+ "severity": "warn",
+ "sampleEventRefs": ["urn:srcos:telemetry:synthetic-001"],
+ "suppressionPolicy": "deduplicate_and_summarize",
+ "userVisibleImpact": "Repeated denial is being summarized for the operator.",
+ "remediationHint": "Review the policy boundary and reduce retry cadence."
+}
From 2f8cd9ba3139af3fbe1187f926cf7201246e01d7 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:53:55 -0400
Subject: [PATCH 11/20] Replay SecurityVerdictState example on current main
---
examples/security_verdict_state.json | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 examples/security_verdict_state.json
diff --git a/examples/security_verdict_state.json b/examples/security_verdict_state.json
new file mode 100644
index 0000000..35ae458
--- /dev/null
+++ b/examples/security_verdict_state.json
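Review bot: `suppressionPolicy` in this example is `deduplicate_and_summarize`, which validates only because RetryLoopFingerprint types the field as a free string. DiagnosticStormRecord, added in the same series, restricts its `suppressionPolicy` to `none`, `deduplicate`, `summarize`, `suppress`, `quarantine`, `escalate` or `unknown`, so the two record types now carry different vocabularies for the same field. I would reuse that enum in RetryLoopFingerprint and change the example to one of its values, e.g. `"suppressionPolicy": "summarize"`.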
@@ -0,0 +1,14 @@
+{
+ "id": "urn:srcos:security-verdict:synthetic-flow-001",
+ "type": "SecurityVerdictState",
+ "specVersion": "2.0.0",
+ "subjectRef": "urn:srcos:component:synthetic-extension",
+ "decision": "no-verdict",
+ "verdictProviderState": "no-verdict-provider",
+ "observedAt": "2026-05-06T22:36:00Z",
+ "policyRef": "urn:srcos:policy:synthetic-flow-policy",
+ "providerRef": "urn:srcos:verdict-provider:synthetic",
+ "evidenceRefs": ["urn:srcos:telemetry:synthetic-002"],
+ "userVisibleImpact": "Flow observation exists but no provider verdict is available.",
+ "remediationHint": "Verify provider availability and continue with fail-closed review posture."
+}
From e712b605b96051733d04a76e9b6430b9a6e22ced Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:54:37 -0400
Subject: [PATCH 12/20] Replay NetworkTruthState example on current main
---
examples/network_truth_state.json | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 examples/network_truth_state.json
diff --git a/examples/network_truth_state.json b/examples/network_truth_state.json
new file mode 100644
index 0000000..ec3f098
--- /dev/null
+++ b/examples/network_truth_state.json
@@ -0,0 +1,27 @@
+{
+ "id": "urn:srcos:network-truth:synthetic-epoch-001",
+ "type": "NetworkTruthState",
+ "specVersion": "2.0.0",
+ "observedAt": "2026-05-06T22:36:20Z",
+ "networkEpoch": "synthetic-network-epoch-001",
+ "interfaceRef": "synthetic-interface",
+ "deviceIdentityState": "unknown",
+ "radioState": "on",
+ "associationState": "not-associated",
+ "authenticationState": "unknown",
+ "dhcpState": "observer-failed",
+ "dnsState": "observer-failed",
+ "routeState": "route-failed",
+ "captivePortalState": "credential-missing",
+ "internetReachability": "unreachable",
+ "localMeshReachability": "unknown",
+ "vpnOrPrivacyOverlayState": "unknown",
+ "trustedPeerPathState": "not-evaluated",
+ "evidenceRefs": [
+ "urn:srcos:telemetry:synthetic-dns-observer",
+ "urn:srcos:telemetry:synthetic-route-observer",
+ "urn:srcos:telemetry:synthetic-radio-state"
+ ],
+ "userVisibleSummary": "Radio state is available, but association and route observers are degraded.",
+ "remediationHint": "Re-evaluate association, DHCP, DNS, and route state before remote synchronization or browser launch."
+}
From 21a5b0cc41ee68722e0d7df79b6e3e46dcd44be9 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:55:22 -0400
Subject: [PATCH 13/20] Replay BrowserLaunchTransaction example on current main
---
examples/browser_launch_transaction.json | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 examples/browser_launch_transaction.json
diff --git a/examples/browser_launch_transaction.json b/examples/browser_launch_transaction.json
new file mode 100644
index 0000000..d7c5c83
--- /dev/null
+++ b/examples/browser_launch_transaction.json
@@ -0,0 +1,24 @@
+{
+ "id": "urn:srcos:browser-launch-transaction:synthetic-001",
+ "type": "BrowserLaunchTransaction",
+ "specVersion": "2.0.0",
+ "componentRef": "urn:srcos:component:synthetic-browser-surface",
+ "phaseStatus": "preflight",
+ "capabilityPreflightPassed": false,
+ "identityGraphValid": true,
+ "desktopBrokerValid": false,
+ "profileStoreValid": true,
+ "extensionRegistryValid": false,
+ "networkTruthSnapshotCaptured": true,
+ "childProcessSpawnAllowed": false,
+ "childProcessAttested": false,
+ "pageLoadStarted": false,
+ "observedAt": "2026-05-06T22:37:03Z",
+ "evidenceRefs": [
+ "urn:srcos:telemetry:synthetic-child-preflight",
+ "urn:srcos:telemetry:synthetic-broker-state",
+ "urn:srcos:telemetry:synthetic-extension-state"
+ ],
+ "userVisibleImpact": "Preflight blocked browser launch because required broker and extension checks are not ready.",
+ "remediationHint": "Verify desktop broker availability and extension registry integrity before retrying launch."
+}
From b1363bed04dc475f33838cd38276122c1d23b147 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:56:21 -0400
Subject: [PATCH 14/20] Replay DiagnosticStormRecord example on current main
---
examples/diagnostic_storm_record.json | 30 +++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 examples/diagnostic_storm_record.json
diff --git a/examples/diagnostic_storm_record.json b/examples/diagnostic_storm_record.json
new file mode 100644
index 0000000..e77ce1e
--- /dev/null
+++ b/examples/diagnostic_storm_record.json
@@ -0,0 +1,30 @@
+{
+ "id": "urn:srcos:diagnostic-storm:synthetic-registry-miss-001",
+ "type": "DiagnosticStormRecord",
+ "specVersion": "2.0.0",
+ "signature": "synthetic_registry_lookup_miss",
+ "sourceComponent": "synthetic-runtime-observer",
+ "normalizedFailureClass": "registry-integrity-failure",
+ "firstSeen": "2026-05-06T22:37:00Z",
+ "lastSeen": "2026-05-06T22:37:18Z",
+ "repeatCount": 492,
+ "medianIntervalMs": 4.5,
+ "maxEventsPerSecond": 136,
+ "severity": "error",
+ "sampleEvents": [
+ {
+ "eventRef": "urn:srcos:telemetry:synthetic-registry-miss-001",
+ "messageTemplate": "Requested synthetic registry descriptor is unavailable",
+ "observedAt": "2026-05-06T22:37:00Z"
+ }
+ ],
+ "suppressionPolicy": "summarize",
+ "terminalState": "still-active",
+ "linkedIncidentRef": "urn:srcos:incident:synthetic-runtime-registry-degraded-001",
+ "evidenceRefs": [
+ "urn:srcos:telemetry:synthetic-registry-miss",
+ "urn:srcos:retry-loop:synthetic-registry-miss-001"
+ ],
+ "userVisibleSummary": "Synthetic registry lookup misses repeated during a maintenance sweep.",
+ "remediationHint": "Summarize repeated misses and defer further lookups until the registry epoch changes."
+}
From 6e12075ce29f004935928b453941a04c34cdd6c7 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:57:16 -0400
Subject: [PATCH 15/20] Replay MaintenanceEpoch example on current main
---
examples/maintenance_epoch.json | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 examples/maintenance_epoch.json
diff --git a/examples/maintenance_epoch.json b/examples/maintenance_epoch.json
new file mode 100644
index 0000000..13a490b
--- /dev/null
+++ b/examples/maintenance_epoch.json
@@ -0,0 +1,29 @@
+{
+ "id": "urn:srcos:maintenance-epoch:synthetic-registry-sweep-001",
+ "type": "MaintenanceEpoch",
+ "specVersion": "2.0.0",
+ "startedAt": "2026-05-06T22:37:00Z",
+ "endedAt": "2026-05-06T22:37:21Z",
+ "epochKind": "registry-sweep",
+ "state": "degraded",
+ "sourceComponent": "synthetic-registry-maintenance",
+ "allowedDuringInteractiveLaunch": false,
+ "bootPhaseRequirement": "unlocked-user-session",
+ "lockRequirements": [
+ "runtime-registry",
+ "launch-index",
+ "namespace-cache"
+ ],
+ "emissionBudget": {
+ "maxEventsPerMinute": 60,
+ "onBudgetExceeded": "summarize"
+ },
+ "observedStormRefs": [
+ "urn:srcos:diagnostic-storm:synthetic-registry-miss-001"
+ ],
+ "evidenceRefs": [
+ "urn:srcos:telemetry:synthetic-registry-miss"
+ ],
+ "userVisibleSummary": "Background registry maintenance emitted repeated synthetic misses during an interactive launch window.",
+ "remediationHint": "Defer registry sweeps during interactive launches and summarize repeated missing descriptors."
+}
From 492f07ef45a9b2fee204c4c65b45f0fb0963f8aa Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:59:00 -0400
Subject: [PATCH 16/20] Replay BootSessionPhaseState example on current main
---
examples/boot_session_phase_state.json | 34 ++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 examples/boot_session_phase_state.json
diff --git a/examples/boot_session_phase_state.json b/examples/boot_session_phase_state.json
new file mode 100644
index 0000000..92dd711
--- /dev/null
+++ b/examples/boot_session_phase_state.json
@@ -0,0 +1,34 @@
+{
+ "id": "urn:srcos:boot-session-phase:synthetic-locked-001",
+ "type": "BootSessionPhaseState",
+ "specVersion": "2.0.0",
+ "observedAt": "2026-05-06T22:36:15Z",
+ "bootId": "boot-synthetic-001",
+ "sessionId": "session-synthetic-locked",
+ "phase": "post-login-locked",
+ "phaseVerdict": "not-ready",
+ "availableKeyrings": [],
+ "availablePortals": ["notification"],
+ "allowedComponents": [
+ {
+ "componentRef": "urn:srcos:component:synthetic-observer",
+ "state": "allowed-degraded",
+ "reason": "May observe coarse transitions while user stores remain unavailable."
+ }
+ ],
+ "blockedComponents": [
+ {
+ "componentRef": "urn:srcos:component:synthetic-registry-sweep",
+ "requiredPhase": "unlocked-user-session",
+ "state": "deferred",
+ "reason": "Registry maintenance requires unlocked stores and should not run during locked post-login state.",
+ "remediationHint": "Queue maintenance until unlock or recovery session."
+ }
+ ],
+ "evidenceRefs": [
+ "urn:srcos:telemetry:synthetic-session-locked",
+ "urn:srcos:telemetry:synthetic-key-store-locked"
+ ],
+ "userVisibleSummary": "The session is post-login but still locked; components requiring unlocked state must be deferred.",
+ "remediationHint": "Transition to unlocked-user-session before running preflight checks that require user stores."
+}
From 2fe3c69baa2c006aa678c9d5a5ffc6e58aa4ced8 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 08:59:43 -0400
Subject: [PATCH 17/20] Replay DesktopServiceBrokerState example on current main
---
examples/desktop_service_broker_state.json | 38 ++++++++++++++++++++++
1 file changed, 38 insertions(+)
create mode 100644 examples/desktop_service_broker_state.json
diff --git a/examples/desktop_service_broker_state.json b/examples/desktop_service_broker_state.json
new file mode 100644
index 0000000..c83d939
--- /dev/null
+++ b/examples/desktop_service_broker_state.json
@@ -0,0 +1,38 @@
+{
+ "id": "urn:srcos:desktop-service-broker-state:synthetic-browser-001",
+ "type": "DesktopServiceBrokerState",
+ "specVersion": "2.0.0",
+ "observedAt": "2026-05-06T22:37:03Z",
+ "componentRef": "urn:srcos:component:synthetic-browser-surface",
+ "overallState": "degraded",
+ "brokers": [
+ {
+ "brokerKind": "pasteboard",
+ "state": "policy-blocked",
+ "fallback": "disable clipboard integration for the synthetic content surface",
+ "userVisibleImpact": "Copy and paste may be unavailable inside the sandboxed surface.",
+ "remediationHint": "Route pasteboard access through the desktop broker and require user gesture gating."
+ },
+ {
+ "brokerKind": "core-services",
+ "state": "policy-blocked",
+ "fallback": "prevent direct host desktop-service lookup",
+ "userVisibleImpact": "The child surface cannot directly register with host desktop services.",
+ "remediationHint": "Move host desktop-service calls into a parent-process broker."
+ },
+ {
+ "brokerKind": "extension-registry",
+ "state": "degraded",
+ "fallback": "quarantine extension discovery for this launch transaction",
+ "userVisibleImpact": "Extensions are disabled until registry integrity is verified.",
+ "remediationHint": "Refresh the extension registry before enabling extension discovery."
+ }
+ ],
+ "evidenceRefs": [
+ "urn:srcos:telemetry:synthetic-pasteboard-denial",
+ "urn:srcos:telemetry:synthetic-desktop-service-denial",
+ "urn:srcos:telemetry:synthetic-extension-query"
+ ],
+ "userVisibleSummary": "Desktop service brokers are degraded, so child-surface desktop access remains brokered or disabled.",
+ "remediationHint": "Verify pasteboard, desktop-service, and extension-registry brokers before launch."
+}
From 63237daf1e685d921e3cdfc31f5bb53d795332cd Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 09:00:22 -0400
Subject: [PATCH 18/20] Replay RuntimeRegistryIntegrityRecord example on current main
---
.../runtime_registry_integrity_record.json | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 examples/runtime_registry_integrity_record.json
diff --git a/examples/runtime_registry_integrity_record.json b/examples/runtime_registry_integrity_record.json
new file mode 100644
index 0000000..2fa94e6
--- /dev/null
+++ b/examples/runtime_registry_integrity_record.json
@@ -0,0 +1,32 @@
+{
+ "id": "urn:srcos:runtime-registry-integrity:synthetic-registry-001",
+ "type": "RuntimeRegistryIntegrityRecord",
+ "specVersion": "2.0.0",
+ "observedAt": "2026-05-06T22:37:00Z",
+ "componentRef": "urn:srcos:component:synthetic-registry",
+ "bundleOrPackageIdentity": "synthetic.package.identifier",
+ "verificationVerdict": "degraded",
+ "registryRecords": [
+ {
+ "recordKind": "extension-record",
+ "recordRef": "synthetic-extension-record",
+ "state": "missing",
+ "errorCode": "SYNTHETIC_MISSING_RECORD",
+ "userVisibleImpact": "The runtime could not construct an extension record from the synthetic registry.",
+ "remediationHint": "Refresh or rebuild the runtime extension registry before enabling extension discovery."
+ },
+ {
+ "recordKind": "namespace-descriptor",
+ "recordRef": "synthetic-namespace-descriptor",
+ "state": "missing",
+ "userVisibleImpact": "Synthetic namespace metadata could not be resolved during maintenance.",
+ "remediationHint": "Suppress repeated namespace lookups and emit a DiagnosticStormRecord until the namespace cache changes."
+ }
+ ],
+ "evidenceRefs": [
+ "urn:srcos:telemetry:synthetic-extension-record-missing",
+ "urn:srcos:telemetry:synthetic-namespace-descriptor-missing"
+ ],
+ "userVisibleSummary": "Registry integrity is degraded because synthetic records are missing.",
+ "remediationHint": "Run bounded registry repair or defer registry-dependent launch work until integrity is restored."
+}
From 34e7717ee6121d55c814dcd4a9a7faeaa10fc45e Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 09:01:16 -0400
Subject: [PATCH 19/20] Replay runtime diagnostic example validator on current main
---
tools/validate_runtime_causality_examples.py | 45 ++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 tools/validate_runtime_causality_examples.py
diff --git a/tools/validate_runtime_causality_examples.py b/tools/validate_runtime_causality_examples.py
new file mode 100644
index 0000000..3b6cb1b
--- /dev/null
+++ b/tools/validate_runtime_causality_examples.py
@@ -0,0 +1,45 @@
+#!/usr/bin/env python3
+"""Validate runtime diagnostic schema/example pairs."""
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+import jsonschema
+
+ROOT = Path(__file__).resolve().parents[1]
+PAIRS = [
+ (ROOT / "schemas" / "RetryLoopFingerprint.json", ROOT / "examples" / "retry_loop_fingerprint.json"),
+ (ROOT / "schemas" / "SecurityVerdictState.json", ROOT / "examples" / "security_verdict_state.json"),
+ (ROOT / "schemas" / "NetworkTruthState.json", ROOT / "examples" / "network_truth_state.json"),
+ (ROOT / "schemas" / "BrowserLaunchTransaction.json", ROOT / "examples" / "browser_launch_transaction.json"),
+ (ROOT / "schemas" / "DesktopServiceBrokerState.json", ROOT / "examples" / "desktop_service_broker_state.json"),
+ (ROOT / "schemas" / "MaintenanceEpoch.json", ROOT / "examples" / "maintenance_epoch.json"),
+ (ROOT / "schemas" / "RuntimeRegistryIntegrityRecord.json", ROOT / "examples" / "runtime_registry_integrity_record.json"),
+ (ROOT / "schemas" / "BootSessionPhaseState.json", ROOT / "examples" / "boot_session_phase_state.json"),
+ (ROOT / "schemas" / "DiagnosticStormRecord.json", ROOT / "examples" / "diagnostic_storm_record.json"),
+]
+DEFERRED = [
+ "schemas/RuntimeIdentityGraph.json",
+ "examples/runtime_identity_graph.json",
+]
+
+
+def validate_pair(schema_path: Path, example_path: Path) -> None:
+ schema = json.loads(schema_path.read_text(encoding="utf-8"))
+ jsonschema.validators.validator_for(schema).check_schema(schema)
+ example = json.loads(example_path.read_text(encoding="utf-8"))
+ jsonschema.validate(example, schema)
+
+
+def main() -> int:
+ checks: dict[str, bool] = {}
+ for schema_path, example_path in PAIRS:
+ validate_pair(schema_path, example_path)
+ checks[example_path.name] = True
+ print(json.dumps({"ok": all(checks.values()), "checks": checks, "deferred": DEFERRED}, indent=2, sort_keys=True))
+ return 0
+
+
+if __name__ == "__main__":
+ raise SystemExit(main())
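Review bot: `jsonschema.validate(example, schema)` in validate_pair does not enforce `format`, so any `format` keyword the schemas carry (such as `date-time` on timestamp fields) is treated as an annotation and an example with a malformed timestamp would still pass this gate. Keep the class returned by `validator_for` and validate with its checker: `validator_cls(schema, format_checker=validator_cls.FORMAT_CHECKER).validate(example)`. Date-time checking in jsonschema relies on an optional dependency, so the install step would likely need `jsonschema[format]` rather than bare `jsonschema`; worth confirming against the version in use. Separately, `checks` in main can only ever hold `True` because validate_pair raises on the first failing pair, so the printed `ok` field never reports a failure and later pairs go unchecked.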
From 2344c25a3261e84adc936c6217cb1327c2ba80f1 Mon Sep 17 00:00:00 2001
From: mdheller <21163552+mdheller@users.noreply.github.com>
Date: Sat, 23 May 2026 09:01:56 -0400
Subject: [PATCH 20/20] Add runtime diagnostic validation workflow on current main
---
.github/workflows/runtime-diagnostics.yml | 66 +++++++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 .github/workflows/runtime-diagnostics.yml
diff --git a/.github/workflows/runtime-diagnostics.yml b/.github/workflows/runtime-diagnostics.yml
new file mode 100644
index 0000000..7f4bbfd
--- /dev/null
+++ b/.github/workflows/runtime-diagnostics.yml
@@ -0,0 +1,66 @@
+name: Runtime Diagnostics
+
+on:
+ pull_request:
+ branches: ["main"]
+ paths:
+ - "schemas/RetryLoopFingerprint.json"
+ - "schemas/SecurityVerdictState.json"
+ - "schemas/NetworkTruthState.json"
+ - "schemas/BrowserLaunchTransaction.json"
+ - "schemas/DesktopServiceBrokerState.json"
+ - "schemas/MaintenanceEpoch.json"
+ - "schemas/RuntimeRegistryIntegrityRecord.json"
+ - "schemas/BootSessionPhaseState.json"
+ - "schemas/DiagnosticStormRecord.json"
+ - "examples/retry_loop_fingerprint.json"
+ - "examples/security_verdict_state.json"
+ - "examples/network_truth_state.json"
+ - "examples/browser_launch_transaction.json"
+ - "examples/desktop_service_broker_state.json"
+ - "examples/maintenance_epoch.json"
+ - "examples/runtime_registry_integrity_record.json"
+ - "examples/boot_session_phase_state.json"
+ - "examples/diagnostic_storm_record.json"
+ - "tools/validate_runtime_causality_examples.py"
+ - ".github/workflows/runtime-diagnostics.yml"
+ push:
+ branches: ["main", "replay/s100-current"]
+ paths:
+ - "schemas/RetryLoopFingerprint.json"
+ - "schemas/SecurityVerdictState.json"
+ - "schemas/NetworkTruthState.json"
+ - "schemas/BrowserLaunchTransaction.json"
+ - "schemas/DesktopServiceBrokerState.json"
+ - "schemas/MaintenanceEpoch.json"
+ - "schemas/RuntimeRegistryIntegrityRecord.json"
+ - "schemas/BootSessionPhaseState.json"
+ - "schemas/DiagnosticStormRecord.json"
+ - "examples/retry_loop_fingerprint.json"
+ - "examples/security_verdict_state.json"
+ - "examples/network_truth_state.json"
+ - "examples/browser_launch_transaction.json"
+ - "examples/desktop_service_broker_state.json"
+ - "examples/maintenance_epoch.json"
+ - "examples/runtime_registry_integrity_record.json"
+ - "examples/boot_session_phase_state.json"
+ - "examples/diagnostic_storm_record.json"
+ - "tools/validate_runtime_causality_examples.py"
+ - ".github/workflows/runtime-diagnostics.yml"
+
+permissions:
+ contents: read
+
+jobs:
+ validate-runtime-diagnostics:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python
+ uses: actions/setup-python@v5
+ with:
+ python-version: "3.12"
+ - name: Install validator dependencies
+ run: python -m pip install --upgrade pip jsonschema
+ - name: Validate runtime diagnostic examples
+ run: python tools/validate_runtime_causality_examples.py
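Review bot: The install step `python -m pip install --upgrade pip jsonschema` resolves whatever releases are current at run time, and `actions/checkout@v4` and `actions/setup-python@v5` are referenced by movable tags, so this gate is neither reproducible nor insulated from an upstream change. Pin the validator dependency from a hashed requirements file, e.g. `python -m pip install --require-hashes -r <requirements-file>`, and reference each action by full commit SHA with the tag kept in a trailing comment (`uses: actions/checkout@<commit-sha> # v4`). Since the job only reads the tree, `persist-credentials: false` under the checkout step would also avoid leaving the token in the checkout's git configuration. The `permissions: contents: read` block is already the right default.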