feat(core): add basis resolution v0 boundary

[flyingrobots]

Adds the narrowest BasisResolution v0 boundary for optic invocation admission.

Exact fixture basis bytes can resolve, but resolved basis still does not admit invocation; it obstructs before aperture resolution. Unsupported basis shapes still obstruct at UnsupportedBasisResolution.

Scope:

• no AdmissionTicket
• no LawWitness
• no aperture resolution
• no budget evaluation
• no runtime support check
• no execution
• no scheduler
• no storage
• no WASM
• no Continuum behavior

Audit follow-up:

• clarifies checkpoint wording so CapabilityValidationUnavailable does not imply identity-covered material after BasisResolution v0 routing.

Summary by CodeRabbit

• New Features

  • Enhanced optic invocation admission to properly handle identity-covered invocations when basis bytes match the expected fixture format, while maintaining obstruction for unsupported basis shapes.

• Tests

  • Added regression tests for basis resolution behavior and admission obstruction ordering.

• Documentation

  • Updated design documentation to clarify the basis resolution checkpoint as a refusal-only boundary and detail fixture matching requirements and transition points.

[coderabbitai]

Warning

Rate limit exceeded

@flyingrobots has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 40 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 21f139e7-828e-4dd4-bfcf-c4a840db8e39

📥 Commits

Reviewing files that changed from the base of the PR and between d3c8fef and 21a9c49.

📒 Files selected for processing (1)

• docs/design/optic-admission-ladder-checkpoint.md

📝 Walkthrough

Walkthrough

Optic invocation admission now implements deterministic BasisResolution v0 fixture matching. When basis request bytes match the fixed v0 fixture, identity-covered invocations proceed past basis resolution to UnsupportedApertureResolution; mismatched bytes obstruct at UnsupportedBasisResolution. Tests validate both paths; design documentation clarifies the checkpoint semantics and tripwire rules for future changes.

Changes

BasisResolution v0 Fixture-Based Admission

Layer / File(s)	Summary
Core basis resolution v0 implementation crates/warp-core/src/optic_artifact.rs	Private OPTIC_BASIS_RESOLUTION_V0_FIXTURE_BYTES constant and resolve_basis_v0 helper return None for exact fixture match (supported) or UnsupportedBasisResolution for mismatches. Updated admit_optic_invocation_with_capability_validator to route identity-covered outcomes through fixture comparison, mapping supported basis to UnsupportedApertureResolution. Obstruction docstring clarified.
Regression test fixture and admission-behavior tests crates/warp-core/tests/optic_invocation_admission_tests.rs	New fixture_invocation_with_resolved_basis_and_presentation(...) helper injects resolved basis bytes. Two tests verify unsupported basis still obstructs at UnsupportedBasisResolution (even with capability validation) and resolved basis proceeds to UnsupportedApertureResolution with correct obstruction fact digest.
Design documentation for BasisResolution v0 checkpoint docs/design/optic-admission-ladder-checkpoint.md	Repositioned as refusal-only BasisResolution v0 boundary checkpoint. Execution order explicitly includes v0 fixture resolution. Obstruction reachability tightened. New sections define exact fixture shape, next transition point (ApertureResolution v0), and tripwire rules.
Changelog entry CHANGELOG.md	Documents narrowed admission behavior when basis bytes match basis-request:resolved-fixture:v0, specifying that identity-covered invocations pass basis resolution with conditional aperture/basis obstruction outcomes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• flyingrobots/echo#347: Extends the same admit_optic_invocation_with_capability_validator logic by discriminating UnsupportedApertureResolution vs UnsupportedBasisResolution based on v0 fixture matching.
• flyingrobots/echo#346: Introduces the capability-validator-assisted admission path that this PR refines with fixture-based basis resolution.
• flyingrobots/echo#331: Extends optic invocation admission skeleton with capability-validator obstruction behavior around basis request bytes.

Poem

A fixture stands firm, basis-request:resolved-v0,
Matching bytes slip through, mismatches below,
Identity-covered invocations now choose their way—
Aperture awaits, or basis blocks the day. 🎯

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(core): add basis resolution v0 boundary' directly and concisely identifies the primary change—the introduction of a new BasisResolution v0 boundary in the optic invocation admission system.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch stack/basis-resolution-v0-boundary

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/design/optic-admission-ladder-checkpoint.md`:
- Around line 38-41: The doc's steps implying unconditional execution of
"BasisResolution v0" should be qualified to reflect it only runs when the
validator path yields CapabilityGrantValidationOutcome::IdentityCovered(_);
update the wording around the "BasisResolution v0" steps (mentions of "Resolve
the narrow BasisResolution v0 fixture" and nearby routing text) to explicitly
condition on CapabilityGrantValidationOutcome::IdentityCovered(_) so readers
know the resolution is conditional and not universally reached.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6f0da77f-b496-4e8f-818d-d622fab58674

📥 Commits

Reviewing files that changed from the base of the PR and between 9e3190f and d3c8fef.

📒 Files selected for processing (4)

• CHANGELOG.md
• crates/warp-core/src/optic_artifact.rs
• crates/warp-core/tests/optic_invocation_admission_tests.rs
• docs/design/optic-admission-ladder-checkpoint.md

[flyingrobots]

Issue	Severity	Source	Addressed by	Regression coverage	Outcome
BasisResolution v0 checkpoint wording implied unconditional resolver routing instead of identity-covered validator-path routing.	P3	CodeRabbit PRRC_kwDOQH8Wr87CAD7G	21a9c49	Docs wording guard; `rg -n "If capability validation returns identity-covered material	If that basis fixture resolves

[flyingrobots]

Code Lawyer audit pass.

Issue	Severity	Source	Addressed by	Regression coverage	Outcome
No unresolved review threads or new self-discovered issues remain in this pass. Prior BasisResolution wording feedback is resolved.	N/A	PR + self-audit	21a9c49, d3c8fef, 1f91688	cargo test -p warp-core --test optic_invocation_admission_tests; cargo clippy -p warp-core --all-targets -- -D warnings -D missing_docs; cargo clippy -p warp-core --all-targets --features det_fixed -- -D warnings -D missing_docs; npx markdownlint-cli2 docs/design/optic-admission-ladder-checkpoint.md CHANGELOG.md; git diff --check	Clean