Replay RuntimeIdentityGraph contract follow-up

.github/workflows/runtime-diagnostics.yml

@@ -0,0 +1,66 @@
+name: Runtime Diagnostics
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths:
+      - "schemas/RetryLoopFingerprint.json"
+      - "schemas/SecurityVerdictState.json"
+      - "schemas/NetworkTruthState.json"
+      - "schemas/BrowserLaunchTransaction.json"
+      - "schemas/DesktopServiceBrokerState.json"
+      - "schemas/MaintenanceEpoch.json"
+      - "schemas/RuntimeRegistryIntegrityRecord.json"
+      - "schemas/BootSessionPhaseState.json"
+      - "schemas/DiagnosticStormRecord.json"
+      - "examples/retry_loop_fingerprint.json"
+      - "examples/security_verdict_state.json"
+      - "examples/network_truth_state.json"
+      - "examples/browser_launch_transaction.json"
+      - "examples/desktop_service_broker_state.json"
+      - "examples/maintenance_epoch.json"
+      - "examples/runtime_registry_integrity_record.json"
+      - "examples/boot_session_phase_state.json"
+      - "examples/diagnostic_storm_record.json"
+      - "tools/validate_runtime_causality_examples.py"
+      - ".github/workflows/runtime-diagnostics.yml"
+  push:
+    branches: ["main", "replay/s100-current"]
+    paths:
+      - "schemas/RetryLoopFingerprint.json"
+      - "schemas/SecurityVerdictState.json"
+      - "schemas/NetworkTruthState.json"
+      - "schemas/BrowserLaunchTransaction.json"
+      - "schemas/DesktopServiceBrokerState.json"
+      - "schemas/MaintenanceEpoch.json"
+      - "schemas/RuntimeRegistryIntegrityRecord.json"
+      - "schemas/BootSessionPhaseState.json"
+      - "schemas/DiagnosticStormRecord.json"
+      - "examples/retry_loop_fingerprint.json"
+      - "examples/security_verdict_state.json"
+      - "examples/network_truth_state.json"
+      - "examples/browser_launch_transaction.json"
+      - "examples/desktop_service_broker_state.json"
+      - "examples/maintenance_epoch.json"
+      - "examples/runtime_registry_integrity_record.json"
+      - "examples/boot_session_phase_state.json"
+      - "examples/diagnostic_storm_record.json"
+      - "tools/validate_runtime_causality_examples.py"
+      - ".github/workflows/runtime-diagnostics.yml"
+
+permissions:
+  contents: read
+
+jobs:
+  validate-runtime-diagnostics:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - name: Install validator dependencies
+        run: python -m pip install --upgrade pip jsonschema
+      - name: Validate runtime diagnostic examples
+        run: python tools/validate_runtime_causality_examples.py

examples/boot_session_phase_state.json

@@ -0,0 +1,34 @@
+{
+  "id": "urn:srcos:boot-session-phase:synthetic-locked-001",
+  "type": "BootSessionPhaseState",
+  "specVersion": "2.0.0",
+  "observedAt": "2026-05-06T22:36:15Z",
+  "bootId": "boot-synthetic-001",
+  "sessionId": "session-synthetic-locked",
+  "phase": "post-login-locked",
+  "phaseVerdict": "not-ready",
+  "availableKeyrings": [],
+  "availablePortals": ["notification"],
+  "allowedComponents": [
+    {
+      "componentRef": "urn:srcos:component:synthetic-observer",
+      "state": "allowed-degraded",
+      "reason": "May observe coarse transitions while user stores remain unavailable."
+    }
+  ],
+  "blockedComponents": [
+    {
+      "componentRef": "urn:srcos:component:synthetic-registry-sweep",
+      "requiredPhase": "unlocked-user-session",
+      "state": "deferred",
+      "reason": "Registry maintenance requires unlocked stores and should not run during locked post-login state.",
+      "remediationHint": "Queue maintenance until unlock or recovery session."
+    }
+  ],
+  "evidenceRefs": [
+    "urn:srcos:telemetry:synthetic-session-locked",
+    "urn:srcos:telemetry:synthetic-key-store-locked"
+  ],
+  "userVisibleSummary": "The session is post-login but still locked; components requiring unlocked state must be deferred.",
+  "remediationHint": "Transition to unlocked-user-session before running preflight checks that require user stores."
+}

examples/browser_launch_transaction.json

@@ -0,0 +1,24 @@
+{
+  "id": "urn:srcos:browser-launch-transaction:synthetic-001",
+  "type": "BrowserLaunchTransaction",
+  "specVersion": "2.0.0",
+  "componentRef": "urn:srcos:component:synthetic-browser-surface",
+  "phaseStatus": "preflight",
+  "capabilityPreflightPassed": false,
+  "identityGraphValid": true,
+  "desktopBrokerValid": false,
+  "profileStoreValid": true,
+  "extensionRegistryValid": false,
+  "networkTruthSnapshotCaptured": true,
+  "childProcessSpawnAllowed": false,
+  "childProcessAttested": false,
+  "pageLoadStarted": false,
+  "observedAt": "2026-05-06T22:37:03Z",
+  "evidenceRefs": [
+    "urn:srcos:telemetry:synthetic-child-preflight",
+    "urn:srcos:telemetry:synthetic-broker-state",
+    "urn:srcos:telemetry:synthetic-extension-state"
+  ],
+  "userVisibleImpact": "Preflight blocked browser launch because required broker and extension checks are not ready.",
+  "remediationHint": "Verify desktop broker availability and extension registry integrity before retrying launch."
+}

examples/desktop_service_broker_state.json

@@ -0,0 +1,38 @@
+{
+  "id": "urn:srcos:desktop-service-broker-state:synthetic-browser-001",
+  "type": "DesktopServiceBrokerState",
+  "specVersion": "2.0.0",
+  "observedAt": "2026-05-06T22:37:03Z",
+  "componentRef": "urn:srcos:component:synthetic-browser-surface",
+  "overallState": "degraded",
+  "brokers": [
+    {
+      "brokerKind": "pasteboard",
+      "state": "policy-blocked",
+      "fallback": "disable clipboard integration for the synthetic content surface",
+      "userVisibleImpact": "Copy and paste may be unavailable inside the sandboxed surface.",
+      "remediationHint": "Route pasteboard access through the desktop broker and require user gesture gating."
+    },
+    {
+      "brokerKind": "core-services",
+      "state": "policy-blocked",
+      "fallback": "prevent direct host desktop-service lookup",
+      "userVisibleImpact": "The child surface cannot directly register with host desktop services.",
+      "remediationHint": "Move host desktop-service calls into a parent-process broker."
+    },
+    {
+      "brokerKind": "extension-registry",
+      "state": "degraded",
+      "fallback": "quarantine extension discovery for this launch transaction",
+      "userVisibleImpact": "Extensions are disabled until registry integrity is verified.",
+      "remediationHint": "Refresh the extension registry before enabling extension discovery."
+    }
+  ],
+  "evidenceRefs": [
+    "urn:srcos:telemetry:synthetic-pasteboard-denial",
+    "urn:srcos:telemetry:synthetic-desktop-service-denial",
+    "urn:srcos:telemetry:synthetic-extension-query"
+  ],
+  "userVisibleSummary": "Desktop service brokers are degraded, so child-surface desktop access remains brokered or disabled.",
+  "remediationHint": "Verify pasteboard, desktop-service, and extension-registry brokers before launch."
+}

examples/diagnostic_storm_record.json

@@ -0,0 +1,30 @@
+{
+  "id": "urn:srcos:diagnostic-storm:synthetic-registry-miss-001",
+  "type": "DiagnosticStormRecord",
+  "specVersion": "2.0.0",
+  "signature": "synthetic_registry_lookup_miss",
+  "sourceComponent": "synthetic-runtime-observer",
+  "normalizedFailureClass": "registry-integrity-failure",
+  "firstSeen": "2026-05-06T22:37:00Z",
+  "lastSeen": "2026-05-06T22:37:18Z",
+  "repeatCount": 492,
+  "medianIntervalMs": 4.5,
+  "maxEventsPerSecond": 136,
+  "severity": "error",
+  "sampleEvents": [
+    {
+      "eventRef": "urn:srcos:telemetry:synthetic-registry-miss-001",
+      "messageTemplate": "Requested synthetic registry descriptor is unavailable",
+      "observedAt": "2026-05-06T22:37:00Z"
+    }
+  ],
+  "suppressionPolicy": "summarize",
+  "terminalState": "still-active",
+  "linkedIncidentRef": "urn:srcos:incident:synthetic-runtime-registry-degraded-001",
+  "evidenceRefs": [
+    "urn:srcos:telemetry:synthetic-registry-miss",
+    "urn:srcos:retry-loop:synthetic-registry-miss-001"
+  ],
+  "userVisibleSummary": "Synthetic registry lookup misses repeated during a maintenance sweep.",
+  "remediationHint": "Summarize repeated misses and defer further lookups until the registry epoch changes."
+}

examples/maintenance_epoch.json

@@ -0,0 +1,29 @@
+{
+  "id": "urn:srcos:maintenance-epoch:synthetic-registry-sweep-001",
+  "type": "MaintenanceEpoch",
+  "specVersion": "2.0.0",
+  "startedAt": "2026-05-06T22:37:00Z",
+  "endedAt": "2026-05-06T22:37:21Z",
+  "epochKind": "registry-sweep",
+  "state": "degraded",
+  "sourceComponent": "synthetic-registry-maintenance",
+  "allowedDuringInteractiveLaunch": false,
+  "bootPhaseRequirement": "unlocked-user-session",
+  "lockRequirements": [
+    "runtime-registry",
+    "launch-index",
+    "namespace-cache"
+  ],
+  "emissionBudget": {
+    "maxEventsPerMinute": 60,
+    "onBudgetExceeded": "summarize"
+  },
+  "observedStormRefs": [
+    "urn:srcos:diagnostic-storm:synthetic-registry-miss-001"
+  ],
+  "evidenceRefs": [
+    "urn:srcos:telemetry:synthetic-registry-miss"
+  ],
+  "userVisibleSummary": "Background registry maintenance emitted repeated synthetic misses during an interactive launch window.",
+  "remediationHint": "Defer registry sweeps during interactive launches and summarize repeated missing descriptors."
+}

examples/network_truth_state.json

@@ -0,0 +1,27 @@
+{
+  "id": "urn:srcos:network-truth:synthetic-epoch-001",
+  "type": "NetworkTruthState",
+  "specVersion": "2.0.0",
+  "observedAt": "2026-05-06T22:36:20Z",
+  "networkEpoch": "synthetic-network-epoch-001",
+  "interfaceRef": "synthetic-interface",
+  "deviceIdentityState": "unknown",
+  "radioState": "on",
+  "associationState": "not-associated",
+  "authenticationState": "unknown",
+  "dhcpState": "observer-failed",
+  "dnsState": "observer-failed",
+  "routeState": "route-failed",
+  "captivePortalState": "credential-missing",
+  "internetReachability": "unreachable",
+  "localMeshReachability": "unknown",
+  "vpnOrPrivacyOverlayState": "unknown",
+  "trustedPeerPathState": "not-evaluated",
+  "evidenceRefs": [
+    "urn:srcos:telemetry:synthetic-dns-observer",
+    "urn:srcos:telemetry:synthetic-route-observer",
+    "urn:srcos:telemetry:synthetic-radio-state"
+  ],
+  "userVisibleSummary": "Radio state is available, but association and route observers are degraded.",
+  "remediationHint": "Re-evaluate association, DHCP, DNS, and route state before remote synchronization or browser launch."
+}

examples/retry_loop_fingerprint.json

@@ -0,0 +1,20 @@
+{
+  "id": "urn:srcos:retry-loop:synthetic-denial-loop-001",
+  "type": "RetryLoopFingerprint",
+  "specVersion": "2.0.0",
+  "signature": "synthetic_denial_loop",
+  "sourceComponent": "synthetic-runtime-observer",
+  "firstSeen": "2026-05-06T22:35:44Z",
+  "lastSeen": "2026-05-06T22:37:54Z",
+  "count": 176,
+  "medianIntervalMs": 556,
+  "maxEventsPerSecond": 2,
+  "retryClass": "polling",
+  "terminalState": "still-looping",
+  "policyValidity": "denied-but-noisy",
+  "severity": "warn",
+  "sampleEventRefs": ["urn:srcos:telemetry:synthetic-001"],
+  "suppressionPolicy": "deduplicate_and_summarize",
+  "userVisibleImpact": "Repeated denial is being summarized for the operator.",
+  "remediationHint": "Review the policy boundary and reduce retry cadence."
+}

examples/runtime_identity_graph.json

@@ -0,0 +1,51 @@
+{
+  "id": "urn:srcos:runtime-identity-graph:bearbrowser_001",
+  "type": "RuntimeIdentityGraph",
+  "specVersion": "2.0.0",
+  "observedAt": "2026-05-06T22:37:03Z",
+  "rootComponentRef": "urn:srcos:component:BearBrowser",
+  "identityVerdict": "degraded",
+  "nodes": [
+    {
+      "nodeId": "app.bearbrowser",
+      "nodeKind": "app",
+      "displayName": "BearBrowser",
+      "processId": 54990,
+      "bundleOrPackageId": "application.dev.sourceos.BearBrowser",
+      "verificationVerdict": "valid"
+    },
+    {
+      "nodeId": "child.webcontent.54997",
+      "nodeKind": "browser-child",
+      "displayName": "WebContent",
+      "processId": 54997,
+      "bundleOrPackageId": "com.apple.WebKit.WebContent",
+      "verificationVerdict": "degraded"
+    },
+    {
+      "nodeId": "audit.webcontent.54997",
+      "nodeKind": "audit-token",
+      "displayName": "WebContent audit token",
+      "auditIdentity": "audit-token-unresolved",
+      "verificationVerdict": "ambiguous"
+    }
+  ],
+  "edges": [
+    {
+      "from": "app.bearbrowser",
+      "to": "child.webcontent.54997",
+      "relationship": "spawned"
+    },
+    {
+      "from": "child.webcontent.54997",
+      "to": "audit.webcontent.54997",
+      "relationship": "observed-as"
+    }
+  ],
+  "evidenceRefs": [
+    "urn:srcos:telemetry:te_invalid_product_id",
+    "urn:srcos:telemetry:te_audit_token_unresolved"
+  ],
+  "userVisibleImpact": "A browser child process launched, but its runtime identity could not be fully resolved.",
+  "remediationHint": "Verify child-process package identity, audit-token mapping, and broker registration before allowing page load."
+}

examples/runtime_registry_integrity_record.json

@@ -0,0 +1,32 @@
+{
+  "id": "urn:srcos:runtime-registry-integrity:synthetic-registry-001",
+  "type": "RuntimeRegistryIntegrityRecord",
+  "specVersion": "2.0.0",
+  "observedAt": "2026-05-06T22:37:00Z",
+  "componentRef": "urn:srcos:component:synthetic-registry",
+  "bundleOrPackageIdentity": "synthetic.package.identifier",
+  "verificationVerdict": "degraded",
+  "registryRecords": [
+    {
+      "recordKind": "extension-record",
+      "recordRef": "synthetic-extension-record",
+      "state": "missing",
+      "errorCode": "SYNTHETIC_MISSING_RECORD",
+      "userVisibleImpact": "The runtime could not construct an extension record from the synthetic registry.",
+      "remediationHint": "Refresh or rebuild the runtime extension registry before enabling extension discovery."
+    },
+    {
+      "recordKind": "namespace-descriptor",
+      "recordRef": "synthetic-namespace-descriptor",
+      "state": "missing",
+      "userVisibleImpact": "Synthetic namespace metadata could not be resolved during maintenance.",
+      "remediationHint": "Suppress repeated namespace lookups and emit a DiagnosticStormRecord until the namespace cache changes."
+    }
+  ],
+  "evidenceRefs": [
+    "urn:srcos:telemetry:synthetic-extension-record-missing",
+    "urn:srcos:telemetry:synthetic-namespace-descriptor-missing"
+  ],
+  "userVisibleSummary": "Registry integrity is degraded because synthetic records are missing.",
+  "remediationHint": "Run bounded registry repair or defer registry-dependent launch work until integrity is restored."
+}

examples/security_verdict_state.json

@@ -0,0 +1,14 @@
+{
+  "id": "urn:srcos:security-verdict:synthetic-flow-001",
+  "type": "SecurityVerdictState",
+  "specVersion": "2.0.0",
+  "subjectRef": "urn:srcos:component:synthetic-extension",
+  "decision": "no-verdict",
+  "verdictProviderState": "no-verdict-provider",
+  "observedAt": "2026-05-06T22:36:00Z",
+  "policyRef": "urn:srcos:policy:synthetic-flow-policy",
+  "providerRef": "urn:srcos:verdict-provider:synthetic",
+  "evidenceRefs": ["urn:srcos:telemetry:synthetic-002"],
+  "userVisibleImpact": "Flow observation exists but no provider verdict is available.",
+  "remediationHint": "Verify provider availability and continue with fail-closed review posture."
+}