vcl-ut #25 P5c (step 5): recompute-PCC wasm32 entry (fail-closed; isolated unsafe boundary)

[hyperpolymath]

P5c (step 5) — recompute-PCC wasm32 entry (fail-closed; isolated unsafe boundary)

The recompute-PCC tier's executable artefact. Per the locked
two-tier design (VERIFICATION-STANCE.adoc): the consumer is shipped
this wasm module + the wire bytes of a (Statement, OctadSchema) + the
producer's claimed level, re-runs the certified decision here, and
compares. The guarantee is the corpus proof (checkLevelNSound, once)

• the conformance pin (P5c-4) — not the wasm's type system.

New crate src/interface/recompute-wasm

Standalone workspace; only dependency is the in-repo
#![forbid(unsafe_code)] vcltotal-parse (internal path-dep).

• vcl_recompute(stmt_ptr,len,schema_ptr,len) -> i64 (+ vcl_alloc/
  vcl_dealloc for host byte-staging). Fail-closed: any
  WireError, null pointer, or unmet level → -1; the only
  non-negative result is a genuinely recomputed certified level.
• The only unsafe in the whole recompute path is one audited,
  documented host/guest memory-ABI block — which is the declared
  trust boundary. All decode/decision logic stays in the forbid-unsafe
  crate. (Per your call: separate crate + isolated documented unsafe.)
• Builds to real wasm: cargo build --release --target wasm32-unknown-unknown → 50 KB vcltotal_recompute_wasm.wasm.
  panic = "abort".
• Host tests green (garbage/null fail-closed; well-formed → 0); clippy
  -D warnings clean; fmt clean. .gitignore excludes /target.

Mechanism findings (disclosed, not faked — estate doctrine)

• Plain wasm32-unknown-unknown is sufficient for the recompute
  argument: nothing structured crosses the boundary needing
  type-preservation (opaque bytes in, i64 out, decoder+decider run
  inside). AffineScript dependent/affine typing was load-bearing only
  for the rejected proof-term-transport tier.
• affinescriptiser is not used here, for two independent reasons
  (full rationale in AFFINESCRIPTISER-NA.adoc): it structurally
  requires ≥1 [[resources]] and this entry is a pure resource-free
  verdict function — fabricating a resource to satisfy the tool would
  be exactly the cargo-culting the verification-honesty doctrine
  forbids; and its own wasm backend is Phase-2-pending (verified). The
  wasm verdict is identical to the conformance-pinned native verdict
  by construction (deterministic cargo build of the same pinned,
  pure, total source).

Verified locally

cargo test 3/3 (fail-closed garbage/null; well-formed→0) · cargo clippy --all-targets -- -D warnings clean · cargo fmt --check clean
· cargo build --release --target wasm32-unknown-unknown → .wasm
produced.

Scope boundary

The fail-closed C/Zig C-ABI shim (Phase 3d) stays the attestation
fallback tier — unchanged here. The two-tier wiring narrative + the
OWED→RESOLVED stance flip + ADR
docs/decisions/0002-ffi-attestation-trust-boundary.adoc are P5c-6
(the authoritative-doc change; deliberately a separate, reviewable
unit).

Refs #25.

🤖 Generated with Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 25 issues detected

Severity	Count
🔴 Critical	6
🟠 High	9
🟡 Medium	10

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Action actions/upload-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action actions/download-artifact@v4 needs attention",
    "type": "unpinned_action",
    "file": "release.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "codeql.yml lists `language: javascript-typescript` but the repo has no source files in any CodeQL-scannable language. The analyze job will exit 'no source files' on every run. Switch the matrix to `actions` (which scans workflow files — every repo has those).",
    "type": "codeql_language_matrix_mismatch",
    "file": "codeql.yml",
    "action": "switch_codeql_matrix_to_actions",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "assert_smaller bypasses termination checker (1 occurrences, CWE-704)",
    "type": "assert_smaller",
    "file": "/home/runner/work/vcl-ut/vcl-ut/src/core/Checker.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  },
  {
    "reason": "believe_me undermines formal verification (2 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/vcl-ut/vcl-ut/src/core/Decide.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "believe_me undermines formal verification (3 occurrences, CWE-704)",
    "type": "believe_me",
    "file": "/home/runner/work/vcl-ut/vcl-ut/src/core/Composition.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "critical"
  },
  {
    "reason": "assert_total bypasses totality checker (1 occurrences, CWE-704)",
    "type": "assert_total",
    "file": "/home/runner/work/vcl-ut/vcl-ut/src/core/Composition.idr",
    "action": "flag",
    "rule_module": "code_safety",
    "severity": "high"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence