Layer Boundaries¶
Layer boundaries define what belongs in each public implementation repository and what should remain in application or provider code.
Ownership Matrix¶
| Concern | Kernel | Runtime | SDK |
|---|---|---|---|
| RISC-V instruction behavior | Owns | Uses through wasm exports | Does not own |
| ELF loading | Owns | Supplies executable bytes | Resolves executable path and bytes |
| Linux syscall behavior | Owns | Executes host effects and transports state | Does not define |
| Worker lifecycle | Does not own | Owns | Uses |
| Scheduling and blocking decisions | Supervisor owns | Executes selected resume, timer, and worker effects | Does not define |
| Process lifecycle | Supervisor owns guest-visible ordering | Creates/copies/terminates host workers and memory on request | Provides high-level process API |
| Filesystem semantics | Owns guest-visible memfs/fd and control-plane behavior | Owns backing I/O, runtime snapshots, and host RPC execution | Applies files and file layers |
| FD/OFD, pipe, epoll, socket control | Supervisor owns | Executes shared-memory and host-bridge effects | Does not define |
| Package resolution | Does not own | Does not own | Owns provider abstraction |
| Network policy | Does not own | Exposes bridge substrate | Exposes policy/proxy helpers |
| Product UI | Does not own | Does not own | May help integration |
Boundary Diagram¶
flowchart TB
subgraph Product["application-specific layer"]
UI["UI"]
Policy["network and package policy"]
end
subgraph SDK["sdk"]
API["Tidemark API"]
Provider["resolver / PackageProvider"]
NetPolicy["network policy helpers"]
end
subgraph Runtime["runtime"]
Workers["worker lifecycle"]
Executor["supervisor host executor"]
Bridge["generic host bridge"]
Snapshot["snapshots and state transport"]
end
subgraph Kernel["kernel"]
Linux["Linux userland semantics"]
Supervisor["kernel supervisor"]
RISCV["RISC-V execution"]
ABI["wasm ABI exports"]
end
UI --> API
Policy --> Provider
API --> Workers
Workers --> Executor
NetPolicy --> Bridge
Executor <--> ABI
Bridge --> Snapshot
Snapshot --> ABI
ABI --> Supervisor
Supervisor --> Linux
ABI --> Linux
ABI --> RISCV
Ownership Principles¶
Kernel ownership is justified by RISC-V, ELF, memory, filesystem, process, signal, socket, thread, or Linux userland compatibility behavior.
Runtime ownership is justified by host effects that Rust/WASM cannot perform: worker lifecycle, WebAssembly memory creation/copying, backing-store I/O, state transport, host timers, stdio, filesystem snapshots, network bridges, and diagnostics. The presence of TypeScript bookkeeping or a state mirror does not give Runtime authority over guest-visible scheduling, lifecycle, or shared kernel-object policy.
SDK ownership is justified by application ergonomics, provider interfaces, network policy integration, terminal integration, or host tooling.
Application and provider code can know package names, registry names, mirror choices, cache policy, and UI behavior.
Anti-Coupling Rule¶
A lower layer should not branch on a product or workload name. In practice:
- Kernel should not need to know whether a file came from Node.js, Go, apt, or a static layer.
- Runtime should not need package-manager-specific code to coordinate workers.
- SDK providers may know package and layer identities, because that is their job.
This keeps compatibility behavior testable independently from product provisioning policy.