Producer-authoritative typed recursion + descriptor-CID vat routing (clean branch)

Cargo.toml

@@ -41,7 +41,6 @@ base64 = "0.22.1"
 serde_json = "1.0.145"
 serde = { version = "1.0.228", features = ["derive"] }
 futures = "0.3"
-chrono = { version = "0.4.42", features = ["serde"] }
 tracing = "0.1"
 tokio-util = { version = "0.7.17", features = ["codec", "compat"] }
 bytes = "1.11.0"

README.md

@@ -23,7 +23,7 @@ curl http://localhost:2080/status
 }
 ```
 
-The second command hit a WebAssembly cell running inside the daemon. The cell can't read your filesystem, reach the network, or see your environment variables. The only thing it can do is what the membrane handed it; in this case, the `host` capability, so it can report your peer ID and connected peers. The wiring that hands the `host` capability (and nothing else) to the HTTP handler cell lives at `~/.ww/etc/init.d/05-status.glia`:
+The second command hit a WebAssembly cell running inside the daemon. The cell can't read your filesystem, reach the network, or see your environment variables. The only thing it can do is what the membrane handed it; in this case, the `host` capability, so it can report your peer ID and connected peers. The wiring that hands the `host` capability (and nothing else) to the HTTP handler cell lives in `~/.ww/etc/init.d/05-status.glia` (orchestrated by `~/.ww/etc/init.glia`):
 
 ```clojure
 (perform host :listen (cell (load "bin/status.wasm")) "/status")

capnp/system.capnp

@@ -8,6 +8,22 @@
 @0xbf5147b78c0e6a2f;
 
 using MembraneSchema = import "membrane.capnp";
+using Schema = import "/capnp/schema.capnp";
+
+struct SchemaBundle {
+  root @0 :Schema.Node;
+  deps @1 :List(Schema.Node);
+}
+
+struct TypedCap {
+  cap @0 :Capability;
+  schema @1 :SchemaBundle;
+}
+
+struct VatDescriptor {
+  wasiCid @0 :Data;
+  schemaCid @1 :Data;
+}
 
 struct PeerInfo {
   peerId @0 :Data;       # libp2p peer ID, serialized.
@@ -128,9 +144,9 @@ interface Process {
   wait @3 () -> (exitCode :Int32);
   # Block until the process exits and return its exit code.
 
-  bootstrap @4 () -> (cap :AnyPointer);
-  # Return the capability exported by the guest via system::serve().
-  # The cap is type-erased — cast to the expected interface on the guest side.
+  bootstrap @4 () -> (typed :TypedCap);
+  # Return the capability exported by the guest via system::serve() with
+  # producer-attached schema metadata required for recursive attenuation.
   # Errors if the guest didn't export a capability.
 
   kill @5 () -> ();
@@ -141,40 +157,39 @@ struct VatHandler {
   union {
     spawn @0 :Executor;
     # Stateless: spawn a fresh cell per connection.
-    serve @1 :AnyPointer;
+    serve @1 :TypedCap;
     # Stateful: bootstrap all connections with this persistent capability.
   }
 }
 
 interface VatListener {
-  listen @0 (handler :VatHandler, schema :Data,
+  listen @0 (handler :VatHandler, descriptor :VatDescriptor,
              caps :List(MembraneSchema.Export)) -> ();
   # Accept incoming Cap'n Proto RPC connections on /ww/0.1.0/vat/{cid}
-  # where cid = CIDv1(raw, BLAKE3(schema)).
+  # where cid = CIDv1(raw, BLAKE3(canonical VatDescriptor)).
   #
   # handler.spawn: for each connection, spawn a cell via the Executor.
   # The cell calls system::serve() to export a bootstrap capability.
   #
   # handler.serve: bootstrap each connection with the provided capability.
   # No cell spawning — one persistent capability serves all connections.
   #
-  # Schema param is authoritative. WASM custom sections are optional hints.
+  # Routing identity is descriptor-authoritative; recursive attenuation
+  # authority comes from producer-returned TypedCap.schema.
   #
   # caps: optional named capabilities from the init.d `with` block.
   # Forwarded into spawned cells' membranes as graft extras.
   # Empty list (default) = no extra caps.
 }
 
 interface VatClient {
-  dial @0 (peer :Data, schema :Data) -> (cap :AnyPointer);
+  dial @0 (peer :Data, descriptor :VatDescriptor) -> (typed :TypedCap);
   # Open a Cap'n Proto RPC connection to peer on /ww/0.1.0/vat/{cid}
-  # where cid = CIDv1(raw, BLAKE3(schema)).
-  # The schema is the canonical Cap'n Proto encoding of a schema.Node.
+  # where cid = CIDv1(raw, BLAKE3(canonical VatDescriptor)).
   # Bootstraps a Cap'n Proto vat over the stream and returns the remote
   # cell's bootstrap capability.
   #
-  # The returned cap is type-erased (AnyPointer) — cast it to the expected
-  # interface type on the guest side.
+  # Returns a capability plus schema metadata for recursive attenuation.
 }
 
 interface ByteStream {