Load-time validation — two layers
The runtime contract requires two validation layers.
Layer 1 — closed boolean. Computed once global-control is parsed, before any other section body is read; constant-time per artifact:
tier_valid(.oxbin, runtime)
:= global_control.max_tier_claimed ≤ runtime.max_tier_supported
∧ global_control.max_temporal_claimed ≤ runtime.max_temporal_supported
max_tier_claimed and max_temporal_claimed record the highest tier pair (per Decidability and RP-004) of any rule in the artifact, so the check is two comparisons against the runtime's ceiling made before any rule body is parsed. Failure refuses the artifact with OE1204 TierMismatch(want, got).
Layer 2 — per-section verifier. Run after Layer 1 passes:
| Invariant | Section(s) | Diagnostic |
|---|---|---|
| Symbol resolution | references in events/rules/queries | OE1210 SymbolResolutionFailed |
| Standpoint lattice acyclicity | standpoint-lattice | OE1211 LatticeCycle |
| Provenance well-formedness | derivation columns in events | OE1212 ProvenanceNotDNF |
| Composition-signature consistency | preamble + global-control | OE1213 SignatureMismatch |
| Tier consistency | tier-table vs max_tier_claimed | OE1214 TierTableInconsistent |
| Doc-block well-formedness | doc-blocks (when present) | OE1215 DocLinkUnresolved |
Policy is per runtime kind, made explicit at OxbinRuntime::load (Runtime contract):
- Sandboxed runtimes (untrusted content) default strict — any Layer 2 failure refuses the load.
- Trusted runtimes (in-process, fed by a trusted ox build) default lenient: non-load-bearing failures (e.g. OE1215) warn and proceed; symbol-resolution (OE1210) and lattice (OE1211) failures are always fatal.
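Both layers and the per-kind policy, modelled end to end as an added example. This is illustrative Rust, not the project's OxbinRuntime: the type, field and function names (GlobalControl, RuntimeLimits, Artifact, Policy, load), the reduced artifact body, and the treatment of OE1214 as warnable under a lenient policy are assumptions; the page fixes only OE1210 and OE1211 as always fatal, and OE1212/OE1213 are not modelled. The sample artifact is constructed for the example.

```rust
use std::collections::{HashMap, HashSet};
// Added illustration, not the project's code; every type, field and function name is an assumption.
#[derive(Debug, Clone, Copy)]
pub struct GlobalControl { pub max_tier_claimed: u8, pub max_temporal_claimed: u8 }
#[derive(Debug, Clone, Copy)]
pub struct RuntimeLimits { pub max_tier_supported: u8, pub max_temporal_supported: u8 }

pub struct Artifact { // reduced body: provenance-DNF and composition-signature are not modelled
    pub global_control: GlobalControl,
    pub symbols_defined: HashSet<String>,
    pub symbols_referenced: Vec<String>,      // from events/rules/queries
    pub lattice_edges: Vec<(String, String)>, // standpoint-lattice order: a below b
    pub tier_table: Vec<(u8, u8)>,            // (tier, temporal) per rule
    pub section_ids: HashSet<String>,
    pub doc_links: Vec<String>,               // section ids referenced by doc-blocks
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Diagnostic {
    TierMismatch { want: u8, got: u8 },                           // OE1204 (Layer 1)
    SymbolResolutionFailed(String),                               // OE1210
    LatticeCycle(String),                                         // OE1211
    TierTableInconsistent { table: (u8, u8), claimed: (u8, u8) }, // OE1214
    DocLinkUnresolved(String),                                    // OE1215
}
pub fn load_bearing(d: &Diagnostic) -> bool { // the page names exactly these two as always fatal
    matches!(d, Diagnostic::SymbolResolutionFailed(_) | Diagnostic::LatticeCycle(_))
}

/// Layer 1: constant work on the parsed global-control, before any section body is read.
pub fn tier_valid(gc: &GlobalControl, rt: &RuntimeLimits) -> Result<(), Diagnostic> {
    for (want, got) in [(gc.max_tier_claimed, rt.max_tier_supported), (gc.max_temporal_claimed, rt.max_temporal_supported)] {
        if want > got { return Err(Diagnostic::TierMismatch { want, got }); }
    }
    Ok(())
}

/// Kahn's algorithm: acyclic iff every node is emitted; leftovers sit on or below a cycle.
fn lattice_cycle(edges: &[(String, String)]) -> Option<String> {
    let mut indeg: HashMap<&str, usize> = HashMap::new();
    let mut out: HashMap<&str, Vec<&str>> = HashMap::new();
    for (a, b) in edges {
        indeg.entry(a.as_str()).or_insert(0);
        *indeg.entry(b.as_str()).or_insert(0) += 1;
        out.entry(a.as_str()).or_default().push(b.as_str());
    }
    let mut ready: Vec<&str> = indeg.iter().filter(|(_, d)| **d == 0).map(|(n, _)| *n).collect();
    let mut emitted = 0;
    while let Some(n) = ready.pop() {
        emitted += 1;
        for &m in out.get(n).into_iter().flatten() {
            let d = indeg.get_mut(m).expect("every edge endpoint was registered");
            *d -= 1;
            if *d == 0 { ready.push(m); }
        }
    }
    if emitted == indeg.len() { return None; }
    Some(format!("{} standpoint(s) never reach in-degree 0", indeg.len() - emitted))
}

/// Layer 2: evaluate every invariant and report all findings; the caller applies policy.
pub fn verify_sections(a: &Artifact) -> Vec<Diagnostic> {
    let mut diags: Vec<Diagnostic> = Vec::new();
    diags.extend(a.symbols_referenced.iter().filter(|s| !a.symbols_defined.contains(*s))
        .map(|s| Diagnostic::SymbolResolutionFailed(s.clone())));
    if let Some(c) = lattice_cycle(&a.lattice_edges) { diags.push(Diagnostic::LatticeCycle(c)); }
    let table = a.tier_table.iter().fold((0u8, 0u8), |(t, p), &(ti, tp)| (t.max(ti), p.max(tp)));
    let claimed = (a.global_control.max_tier_claimed, a.global_control.max_temporal_claimed);
    if table != claimed { diags.push(Diagnostic::TierTableInconsistent { table, claimed }); }
    diags.extend(a.doc_links.iter().filter(|l| !a.section_ids.contains(*l))
        .map(|l| Diagnostic::DocLinkUnresolved(l.clone())));
    diags
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Policy { Strict, Lenient } // sandboxed runtimes default Strict, trusted ones Lenient
/// Layer 2 runs only once Layer 1 passed; Ok carries the warnings a lenient load proceeded past.
pub fn load(a: &Artifact, rt: &RuntimeLimits, policy: Policy) -> Result<Vec<Diagnostic>, Diagnostic> {
    tier_valid(&a.global_control, rt)?;
    let mut warnings = Vec::new();
    for d in verify_sections(a) {
        if policy == Policy::Strict || load_bearing(&d) { return Err(d); }
        warnings.push(d);
    }
    Ok(warnings)
}

pub fn sample_artifact() -> Artifact { // constructed input: well-formed except one dangling doc link
    fn set(v: &[&str]) -> HashSet<String> { v.iter().map(|s| s.to_string()).collect() }
    Artifact {
        global_control: GlobalControl { max_tier_claimed: 2, max_temporal_claimed: 1 },
        symbols_defined: set(&["ev.login", "ev.logout"]),
        symbols_referenced: vec!["ev.login".into()],
        lattice_edges: vec![("a".into(), "b".into()), ("b".into(), "c".into())],
        tier_table: vec![(1, 0), (2, 1)],
        section_ids: set(&["spec-1"]),
        doc_links: vec!["spec-1".into(), "spec-9".into()],
    }
}
```

The ordering is the security-relevant part: load returns the OE1204 refusal from tier_valid alone, so a sandboxed runtime never parses the section bodies of an artifact that claims more than the runtime supports, and the Layer 2 verifier only ever runs on artifacts already inside the ceiling. Under Policy::Lenient the dangling doc link in the sample comes back as a warning in the Ok value; the same artifact under Policy::Strict is refused on it, while a lattice cycle or unresolved symbol is refused under either policy.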