Skip to content

Layer Boundaries

Layer boundaries define what belongs in each public implementation repository and what should remain in application or provider code.

Ownership Matrix

Concern Kernel Runtime SDK
RISC-V instruction behavior Owns Uses through wasm exports Does not own
ELF loading Owns Supplies executable bytes Resolves executable path and bytes
Linux syscall behavior Owns Executes host effects and transports state Does not define
Worker lifecycle Does not own Owns Uses
Scheduling and blocking decisions Supervisor owns Executes selected resume, timer, and worker effects Does not define
Process lifecycle Supervisor owns guest-visible ordering Creates/copies/terminates host workers and memory on request Provides high-level process API
Filesystem semantics Owns guest-visible memfs/fd and control-plane behavior Owns backing I/O, runtime snapshots, and host RPC execution Applies files and file layers
FD/OFD, pipe, epoll, socket control Supervisor owns Executes shared-memory and host-bridge effects Does not define
Package resolution Does not own Does not own Owns provider abstraction
Network policy Does not own Exposes bridge substrate Exposes policy/proxy helpers
Product UI Does not own Does not own May help integration

Boundary Diagram

flowchart TB
  subgraph Product["application-specific layer"]
    UI["UI"]
    Policy["network and package policy"]
  end

  subgraph SDK["sdk"]
    API["Tidemark API"]
    Provider["resolver / PackageProvider"]
    NetPolicy["network policy helpers"]
  end

  subgraph Runtime["runtime"]
    Workers["worker lifecycle"]
    Executor["supervisor host executor"]
    Bridge["generic host bridge"]
    Snapshot["snapshots and state transport"]
  end

  subgraph Kernel["kernel"]
    Linux["Linux userland semantics"]
    Supervisor["kernel supervisor"]
    RISCV["RISC-V execution"]
    ABI["wasm ABI exports"]
  end

  UI --> API
  Policy --> Provider
  API --> Workers
  Workers --> Executor
  NetPolicy --> Bridge
  Executor <--> ABI
  Bridge --> Snapshot
  Snapshot --> ABI
  ABI --> Supervisor
  Supervisor --> Linux
  ABI --> Linux
  ABI --> RISCV

Ownership Principles

Kernel ownership is justified by RISC-V, ELF, memory, filesystem, process, signal, socket, thread, or Linux userland compatibility behavior.

Runtime ownership is justified by host effects that Rust/WASM cannot perform: worker lifecycle, WebAssembly memory creation/copying, backing-store I/O, state transport, host timers, stdio, filesystem snapshots, network bridges, and diagnostics. The presence of TypeScript bookkeeping or a state mirror does not give Runtime authority over guest-visible scheduling, lifecycle, or shared kernel-object policy.

SDK ownership is justified by application ergonomics, provider interfaces, network policy integration, terminal integration, or host tooling.

Application and provider code can know package names, registry names, mirror choices, cache policy, and UI behavior.

Anti-Coupling Rule

A lower layer should not branch on a product or workload name. In practice:

  • Kernel should not need to know whether a file came from Node.js, Go, apt, or a static layer.
  • Runtime should not need package-manager-specific code to coordinate workers.
  • SDK providers may know package and layer identities, because that is their job.

This keeps compatibility behavior testable independently from product provisioning policy.