The DIND harness is the deterministic verification runner for Echo/WARP. It replays canonical intent transcripts and asserts that state hashes and intermediate outputs are identical across runs, platforms, and build profiles.
Location:
crates/echo-dind-harnesscrates/echo-dind-tests(stable test app used by the harness)testdata/dind(scenarios + goldens)
# Via xtask (recommended)
cargo xtask dind run
# Valid subcommands: run, record, torture, converge
# Or directly via cargo
cargo run -p echo-dind-harness -- helpExamples (commands depend on the harness CLI):
cargo run -p echo-dind-harness -- torture
cargo run -p echo-dind-harness -- converge
cargo run -p echo-dind-harness -- repro <scenario>Cross-platform DIND runs weekly in CI via .github/workflows/dind-cross-platform.yml (Windows, macOS, and Linux matrix).
Echo ships guard scripts to enforce determinism in core crates:
scripts/ban-globals.shscripts/ban-nondeterminism.shscripts/ban-unordered-abi.sh
The DIND harness validates footprint enforcement via the slice theorem
proof test suite (crates/warp-core/tests/slice_theorem_proof.rs).
These tests execute the same workload under varying worker counts
(1, 2, 4, 8, 16, 32) and verify that patch_digest, state_root, and
commit_hash remain identical — proving that the footprint declarations
are both correct and complete.
The FootprintGuard is active during DIND test runs in debug builds unless the `unsafe_graph` feature is enabled, meaning any undeclared read/write will surface as a `FootprintViolation` panic before the convergence check even runs.
For commutative scenarios, MANIFEST.json can specify a converge_scope
node label (e.g., sim/state). The converge command compares the
projected hash of the subgraph reachable from that node, while still
printing full hashes for visibility.
What scopes exist today (DIND test app):
sim/state— the authoritative state root for the test app (includes theme/nav/route + kv).sim/state/kv(not currently used) — a narrower root for KV-only projections.
What is included in the projected hash:
- All nodes reachable by following outbound edges from the scope root.
- All edges where both endpoints are reachable.
- All node and edge attachments for the included nodes/edges.
What is excluded:
- Anything not reachable from the scope root (e.g.,
sim/inbox, event history, sequence sidecars). - Inbound edges from outside the scope.
What “commutative” means here:
- The operations are order-independent with respect to the projected subgraph.
- Either they touch disjoint footprints or they are semantically commutative (e.g., set union on disjoint keys).
When you must NOT use projection:
- When event history is semantically meaningful (auditing, causality, timelines).
- When last-write-wins behavior or ordered effects are part of the contract.
- When differences in inbox/order should be observable by the consumer.
converge accepts an override for ad‑hoc debugging:
cargo run -p echo-dind-harness -- converge --scope sim/state --i-know-what-im-doing <scenarios...>This bypasses MANIFEST.json and emits a warning. Do not use it for canonical
test results.
Run them locally or wire them into CI for strict enforcement.