refactor(reborn): remove host runtime origin taxonomy (#3095)

Author: serrrfirat

crates/ironclaw_host_runtime/src/lib.rs

@@ -11,8 +11,9 @@
 //! - callers see structured capability outcomes instead of lower substrate
 //!   handles;
 //! - approval/auth/resource waits are suspension states, not errors;
-//! - request origin and capability projection metadata never grant or bypass
-//!   authority.
+//! - caller/workflow origin taxonomy is intentionally kept outside this lower
+//!   facade; authority remains in `ExecutionContext` and projection selection
+//!   remains explicit surface metadata.
 
 use async_trait::async_trait;
 use ironclaw_host_api::{
@@ -152,20 +153,6 @@ impl fmt::Display for CapabilitySurfaceVersion {
     }
 }
 
-/// Product-owned workflow origin for audit/correlation context.
-///
-/// This is not authority and must never grant or bypass authority. Authority
-/// remains exclusively in `ExecutionContext`, principals, grants, leases, and
-/// policy. Projection differences belong in [`CapabilitySurfaceKind`]. Runtime
-/// adapters are callees of `HostRuntime`, not top-level caller/origin values.
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
-#[non_exhaustive]
-pub enum RuntimeRequestOrigin {
-    TurnCoordinator,
-    MissionService,
-    SystemService,
-}
-
 /// Which host-filtered surface a caller is asking to render.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
 #[non_exhaustive]
@@ -176,6 +163,12 @@ pub enum CapabilitySurfaceKind {
 }
 
 /// Request to invoke one capability through the composed host runtime.
+///
+/// Caller/workflow origin is intentionally not part of this lower contract.
+/// Host runtime authorization must be derived from [`ExecutionContext`],
+/// principals, grants, leases, and policy; upper workflow services can attach
+/// audit labels outside this facade when they need product-specific origin
+/// vocabulary.
 #[derive(Debug, Clone, PartialEq)]
 pub struct RuntimeCapabilityRequest {
     pub context: ExecutionContext,
@@ -187,8 +180,6 @@ pub struct RuntimeCapabilityRequest {
     /// and must not trust caller estimates as binding limits or actual usage.
     pub estimate: ResourceEstimate,
     pub input: Value,
-    /// Product workflow origin for audit/correlation only.
-    pub request_origin: RuntimeRequestOrigin,
     pub idempotency_key: Option<IdempotencyKey>,
 }
 
@@ -197,8 +188,8 @@ pub struct RuntimeCapabilityRequest {
 pub struct VisibleCapabilityRequest {
     pub scope: ResourceScope,
     pub correlation_id: CorrelationId,
-    /// Product workflow origin for audit/correlation only.
-    pub request_origin: RuntimeRequestOrigin,
+    /// Projection surface selection only; this is not authority and must not
+    /// grant or bypass authorization.
     pub surface_kind: CapabilitySurfaceKind,
 }
 

crates/ironclaw_host_runtime/tests/host_runtime_contract.rs

@@ -4,9 +4,9 @@ use ironclaw_host_runtime::{
     CapabilitySurfaceVersion, HostRuntime, HostRuntimeError, HostRuntimeHealth, HostRuntimeStatus,
     IdempotencyKey, RuntimeApprovalGate, RuntimeAuthGate, RuntimeBlockedReason,
     RuntimeCapabilityCompleted, RuntimeCapabilityFailure, RuntimeCapabilityOutcome,
-    RuntimeCapabilityRequest, RuntimeFailureKind, RuntimeGateId, RuntimeRequestOrigin,
-    RuntimeResourceGate, RuntimeStatusRequest, RuntimeWorkId, RuntimeWorkSummary,
-    VisibleCapabilityRequest, VisibleCapabilitySurface, testkit::FakeHostRuntime,
+    RuntimeCapabilityRequest, RuntimeFailureKind, RuntimeGateId, RuntimeResourceGate,
+    RuntimeStatusRequest, RuntimeWorkId, RuntimeWorkSummary, VisibleCapabilityRequest,
+    VisibleCapabilitySurface, testkit::FakeHostRuntime,
 };
 use serde_json::json;
 
@@ -40,7 +40,6 @@ async fn fake_runtime_records_invocation_and_preserves_structured_outcomes() {
         capability_id: capability_id.clone(),
         estimate: ResourceEstimate::default(),
         input: json!({"message": "hello"}),
-        request_origin: RuntimeRequestOrigin::TurnCoordinator,
         idempotency_key: Some(IdempotencyKey::new("turn-1/tool-1").unwrap()),
     };
 
@@ -88,7 +87,6 @@ async fn fake_runtime_surfaces_approval_auth_and_resource_waits_as_values_not_er
                 capability_id: capability_id.clone(),
                 estimate: ResourceEstimate::default(),
                 input: json!({}),
-                request_origin: RuntimeRequestOrigin::TurnCoordinator,
                 idempotency_key: None,
             })
             .await
@@ -121,7 +119,6 @@ async fn fake_runtime_returns_versioned_visible_surface_and_records_requests() {
     let request = VisibleCapabilityRequest {
         scope: context.resource_scope.clone(),
         correlation_id: context.correlation_id,
-        request_origin: RuntimeRequestOrigin::TurnCoordinator,
         surface_kind: CapabilitySurfaceKind::AgentLoop,
     };
 
@@ -213,7 +210,6 @@ async fn fake_runtime_reports_sanitized_failures_as_outcomes() {
             capability_id,
             estimate: ResourceEstimate::default(),
             input: json!({}),
-            request_origin: RuntimeRequestOrigin::SystemService,
             idempotency_key: None,
         })
         .await