[Reborn] Compose ironclaw_host_runtime services

[serrrfirat]

Parent

#2987

Current split

#3095 now provides the ironclaw_host_runtime contract plus a first DefaultHostRuntime wrapper:

HostRuntime
  -> CapabilityHost
     over ExtensionRegistry
        + CapabilityDispatcher trait object
        + TrustAwareCapabilityDispatchAuthorizer
        + run-state / approval-request / capability-lease stores
        + optional ProcessManager

This issue owns the full concrete HostRuntimeServices graph around/behind that wrapper. The goal is not to add product workflow logic to host runtime; it is to assemble the concrete kernel services so upper Reborn layers do not manually wire dispatcher/runtime/process/resource/event/filesystem/memory/secrets/network/trust/obligation pieces.

What to build

Compose the Reborn kernel services into ironclaw_host_runtime so callers can construct one coherent host runtime service graph instead of manually wiring CapabilityHost, authorization/approvals/run-state, RuntimeDispatcher, process services, resources, events/audit, filesystem, memory, secrets/network policy, trust evaluation, obligations, runtime HTTP egress, and runtime adapters piecemeal.

This should stay composition-only: service-owned logic remains in the owning crates, and host runtime owns assembly/default wiring only.

Acceptance criteria

• ironclaw_host_runtime exposes a narrow HostRuntimeServices/builder-style composition API for the kernel service graph.
• Composition includes the feat(reborn): add host runtime contract facade #3095 DefaultHostRuntime/HostRuntime boundary and wires CapabilityHost, authorization/approvals/run-state, dispatcher, process services, resources, event/audit sink, filesystem, memory services, secrets/network services, and Script/MCP/WASM runtime adapters where available.
• The concrete RuntimeDispatcher is constructed by composition code and Script/MCP/WASM lanes are registered via RuntimeAdapter; no direct concrete runtime dependencies are reintroduced into dispatcher/capabilities.
• Required production services fail closed when missing or unconfigured; in-memory/dev fallbacks are explicit test/local profile choices only.
• Trust evaluation is wired at the host-runtime boundary:
  • package/provider identity + manifest trust input are evaluated by host policy before visible-surface or invocation decisions;
  • user manifests cannot self-assert effective FirstParty/System trust;
  • the resulting TrustDecision is passed into CapabilityHost for action-time authorization;
  • trust downgrade/revocation fails closed for future invocations and does not leave stale privileged authority.
• Capability surface inputs are composition-ready for [Reborn] Add ToolSurfaceService and CapabilityCatalog #3090: visible surfaces are derived from registry/grants/trust/runtime policy, while visibility remains only an affordance and every invocation still goes through CapabilityHost.
• Built-in obligations from Decision::Allow { obligations } are routed to the configured obligation handler path from feat(reborn): wire built-in obligations and handoffs #3080:
  • unsupported/unconfigured obligations fail closed;
  • resource reservation, scoped mounts, network policy, one-shot secret injection, output limit/redaction, and audit before/after are either satisfied or rejected before publication.
• Runtime HTTP egress is wired through the shared Use shared Reborn runtime HTTP egress for WASM, Script, and MCP #3085/feat(reborn): add shared runtime HTTP egress #3098 path where available:
  • host-mediated HTTP uses RuntimeHttpEgress/network policy enforcement;
  • runtimes do not receive raw socket-opening clients as an authority bypass;
  • credential injection remains brokered through [Reborn] Wire production secrets/network boundary #3088/[Reborn Cutover Blocker] Preserve brokered HTTP credential injection #3068, not runtime-owned raw secrets.
• Backend-aware health, cancel_work, and runtime_status replace production stubs:
  • health() reports missing/unhealthy required backends and registered runtime lanes without leaking infrastructure details;
  • cancel_work() fans out to process/runtime/capability cancellation ports where supported and returns explicit unknown/no-op outcomes where not supported;
  • runtime_status() reports scoped active run/process/runtime work from the real stores/backends with redacted metadata only.
• Composition-level tests prove immediate invoke, approval-blocked invoke, spawn/process, and at least one Script/MCP/WASM runtime path flows through host runtime into dispatcher/runtime/process/event services with sanitized results.
• Tests prove secrets, host paths, raw backend/provider errors, approval internals, lease metadata, and raw runtime output do not leak through public HostRuntime outcomes/status/health/errors.
• Boundary tests keep ironclaw_host_runtime orchestration-focused and prevent product workflow, loop strategy, adapter UX, or v1 bridge policy from moving into it.

Related work

• feat(reborn): add host runtime contract facade #3095 / PR4f-a: HostRuntime contract + DefaultHostRuntime wrapper.
• feat(reborn): wire built-in obligations and handoffs #3080 / PR6: built-in obligations and prepared-effect handoff.
• Use shared Reborn runtime HTTP egress for WASM, Script, and MCP #3085 / feat(reborn): add shared runtime HTTP egress #3098: shared runtime HTTP egress mechanics.
• [Reborn] Wire production secrets/network boundary #3088 / [Reborn Cutover Blocker] Preserve brokered HTTP credential injection #3068: production secrets/network boundary and brokered credential injection.
• [Reborn] Add ToolSurfaceService and CapabilityCatalog #3090: ToolSurfaceService / CapabilityCatalog surface computation.
• [Reborn] Add runtime presets and effective runtime policy #3045: runtime presets and effective runtime policy.
• Use existing workspace DB implementations behind Reborn memory adapters #3112: reuse existing workspace DB implementations behind Reborn memory adapters.
• [TEST] Reborn: Add vertical-slice integration test suite #3067 and Reborn cutover blocker: add event substrate integration tests #3022: vertical-slice and event/replay integration evidence.
• feat: add config-driven production composition root #3101 / Reborn cutover blocker: add config-driven production composition root #3026: default-off production composition root and readiness surface.

Sequencing / blockers

• feat(reborn): add capability host base #3071 CapabilityHost base has landed.
• feat(reborn): add WIT-compatible WASM tool runtime #3097 WIT-compatible WASM runtime has landed.
• Build on or rebase after feat(reborn): add host runtime contract facade #3095 so this issue extends the DefaultHostRuntime boundary instead of creating a second host-runtime shape.
• feat(reborn): wire built-in obligations and handoffs #3080, Use shared Reborn runtime HTTP egress for WASM, Script, and MCP #3085/feat(reborn): add shared runtime HTTP egress #3098, [Reborn] Wire production secrets/network boundary #3088/[Reborn Cutover Blocker] Preserve brokered HTTP credential injection #3068, and Use existing workspace DB implementations behind Reborn memory adapters #3112 may land before or after the first full graph slice; any missing optional subsystem must fail closed with a sanitized reason until its production wiring exists.

[serrrfirat]

Patched after the #3095 scope clarification. This issue now explicitly owns the full concrete HostRuntimeServices graph around/behind #3095 DefaultHostRuntime: concrete RuntimeDispatcher + Script/MCP/WASM adapter registration, resources/events/filesystem/memory/secrets/network wiring, host-runtime trust evaluation, #3080 obligations, #3085 runtime egress, and backend-aware health/cancel/status behavior.

[serrrfirat]

Status update after latest merges:

• feat(reborn): add host runtime services graph #3126 has merged the PR4f-b HostRuntimeServices graph.
  • Merge commit: 79e11c682f4225fe882f0fd1cfe7d22543c7b2ce
  • Scope: constructs/registers dispatcher + Script/MCP/WASM adapters and wires DefaultHostRuntime over shared process/run-state/approval/lease/event/audit/health seams.

Keeping this issue open as the broader composition umbrella because several acceptance items are now represented by focused follow-ups rather than fully closed by #3126 alone:

• test(reborn): add host runtime invoke vertical slice #3151 / [TEST] Reborn: Add vertical-slice integration test suite #3067 — first Phase 3b HostRuntime vertical invoke coverage is open/clean + CI green.
• feat(reborn): compose built-in obligation services #3152 / Wire configured built-in obligation handler into production HostRuntime services #3143 — configured built-in obligation services composition is open/clean + CI green.
• Evaluate production TrustDecision before Reborn capability dispatch #3146 — production TrustDecision evaluation before Reborn capability dispatch remains open.
• Wire built-in obligation audit records to production event sinks #3147/[Reborn] Add vertical tests for post-3080 obligation handoffs #3148 — audit records and vertical tests for post-feat(reborn): wire built-in obligations and handoffs #3080 obligation handoffs remain open.
• Wire staged network-policy obligations into runtime egress #3139/fix(reborn): consume staged network policies in runtime egress #3149 and Wire staged one-shot secret injections into runtime adapters #3140/feat(reborn): consume staged runtime secrets #3150 — staged network/secret runtime handoffs are open and currently dirty after the latest base movement.

So: #3126 closes the concrete services-graph slice, but #3087 should stay open until the remaining composition/evidence follow-ups are merged or explicitly dispositioned.

[serrrfirat]

Reborn follow-up status update: opened PR #3153 for #3146 (production host-owned TrustDecision evaluation before capability dispatch).\n\n#3087 remains open pending the remaining HostRuntime composition/evidence follow-ups, including #3152/#3143, #3153/#3146, #3149/#3139, #3150/#3140, and other explicit dispositions.