Liveness, lifecycle and trust

How a UI knows the application is alive and fresh, how each side survives the other restarting, and the trust boundary for v1. This cluster satisfies UI connector (MVVM) (FEAT_0092).

Feature: Liveness, lifecycle and trust FEAT_0096
status: open
satisfies: FEAT_0092

A mandatory SystemViewModel heartbeat carries a monotonic counter and a process epoch, giving the UI one canonical alive-and-fresh signal; per-ViewModel staleness is derivable from the envelope timestamp. UI restart is stateless (history depth 1 redelivers manifest and current state); an application restart bumps the epoch, prompting the UI to re-read the manifest and re-validate the hash. The connector’s health state machine reports local publish health only. Trust is OS- and iceoryx2-mediated in v1.

Requirement: Mandatory SystemViewModel heartbeat with epoch REQ_0879
status: implemented
satisfies: FEAT_0096
is implemented by: BB_0046
is verified by: TEST_0880
links outgoing: BB_0046, TEST_0880

The connector shall always publish a SystemViewModel carrying a monotonic counter that advances every publisher-pump tick and a process epoch that uniquely identifies the application process instance. This heartbeat shall be the canonical “application alive and pump running” signal, distinguishable from a static-but-live ViewModel, and shall be exempt from the zero-subscriber skip (Publisher pump skips zero-s... (REQ_0862)).

Requirement: Per-ViewModel staleness from the envelope REQ_0880
status: implemented
satisfies: FEAT_0096
is implemented by: BB_0048
is verified by: TEST_0881
links outgoing: BB_0048, TEST_0881

The client shall be able to compute per-ViewModel staleness from the envelope timestamp_ns and sequence_number (Sequence number monotonical... (REQ_0202) / Timestamp recorded at send (REQ_0203)) carried on every publish, so a frozen or absent ViewModel can be visually distinguished from a fresh one.

Requirement: UI restart is stateless REQ_0881
status: implemented
satisfies: FEAT_0096
is implemented by: BB_0048
is verified by: TEST_0881
links outgoing: BB_0048, TEST_0881

A UI that exits and relaunches shall recover with no application involvement: history-depth-1 delivery (ViewModel published as one ... (REQ_0856) / Single instance-namespaced ... (REQ_0872)) redelivers the current manifest and the current value of every subscribed ViewModel on reconnect. No resync handshake shall be required.

Requirement: Application restart bumps epoch and triggers rebind REQ_0882
status: implemented
satisfies: FEAT_0096
is implemented by: BB_0048
is verified by: TEST_0881
links outgoing: BB_0048, TEST_0881

On application restart the process epoch (Mandatory SystemViewModel h... (REQ_0879)) shall change. A client observing an epoch change shall re-read the manifest and re-validate the contract hash (Manifest carries a contract... (REQ_0874)), rebinding normally on a match and entering read-only fallback (Contract-hash mismatch fail... (REQ_0876)) on a mismatch. In-flight non-idempotent commands at the epoch boundary shall be handled per Idempotent commands are fla... (REQ_0868).
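A client-side sketch of the heartbeat, staleness and epoch-change handling described in REQ_0879, REQ_0880 and REQ_0882, added here as an example; it is not code from the taktora-connector-ui crate. The type and field names (Heartbeat, ClientLiveness, HeartbeatEvent, Bind) and the byte-slice contract hash are assumptions.

```rust
// Added example, not the project's own code. Names and the hash type are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Heartbeat { pub epoch: u64, pub counter: u64, pub timestamp_ns: u64 }

#[derive(Debug, PartialEq, Eq)]
pub enum HeartbeatEvent { Alive, EpochChanged { old: u64, new: u64 }, CounterStalled }

#[derive(Debug, PartialEq, Eq)]
pub enum Bind { Rebind, ReadOnlyFallback }

#[derive(Default)]
pub struct ClientLiveness { last: Option<Heartbeat> }

impl ClientLiveness {
    /// Feed one SystemViewModel heartbeat. An epoch change means the application
    /// process restarted; the caller must then re-read the manifest.
    pub fn on_heartbeat(&mut self, hb: Heartbeat) -> HeartbeatEvent {
        let event = match self.last {
            Some(prev) if prev.epoch != hb.epoch => {
                HeartbeatEvent::EpochChanged { old: prev.epoch, new: hb.epoch }
            }
            // Within one epoch the counter advances every pump tick; a same-or-lower
            // counter means the pump did not advance between the two samples.
            Some(prev) if hb.counter <= prev.counter => HeartbeatEvent::CounterStalled,
            _ => HeartbeatEvent::Alive,
        };
        self.last = Some(hb);
        event
    }

    /// Canonical alive-and-fresh signal: the last heartbeat's envelope timestamp
    /// must be no older than `max_age_ns` relative to `now_ns`.
    pub fn application_alive(&self, now_ns: u64, max_age_ns: u64) -> bool {
        self.last.map_or(false, |hb| !is_stale(hb.timestamp_ns, now_ns, max_age_ns))
    }
}

/// Per-ViewModel staleness from the envelope timestamp_ns (REQ_0880): the same
/// age test, applied to each subscribed ViewModel independently.
pub fn is_stale(timestamp_ns: u64, now_ns: u64, max_age_ns: u64) -> bool {
    now_ns.saturating_sub(timestamp_ns) > max_age_ns
}

/// After an epoch change, re-validate the manifest's contract hash against the
/// hash this client was built for: rebind on a match, read-only fallback otherwise.
pub fn rebind_after_epoch_change(manifest_hash: &[u8], expected_hash: &[u8]) -> Bind {
    if manifest_hash == expected_hash { Bind::Rebind } else { Bind::ReadOnlyFallback }
}
```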

Requirement: Connector health reflects local publish health REQ_0883
status: implemented
satisfies: FEAT_0096
is implemented by: BB_0046
is verified by: TEST_0882
links outgoing: BB_0046, TEST_0882

The connector’s Connector health state machine (subscribe_health returns a ... (REQ_0231)) shall report local publishing health — pump running, publish backpressure or drops — rather than the liveness of any remote peer, since the UI connector has no bus partner. Subscriber presence or absence shall not by itself be a health fault.

Requirement: OS-mediated trust for v1 REQ_0884
status: implemented
satisfies: FEAT_0096
is implemented by: BB_0046
is verified by: TEST_0881
links outgoing: BB_0046, TEST_0881

v1 shall rely on operating-system and iceoryx2 access control for the trust boundary and shall not implement application-level authentication or role separation. The documentation shall state explicitly that command authority is granted to any local process able to open the connector’s services. Capability tokens or read-only/control roles are deferred to a later revision.

Note

Met by design: the connector (taktora-connector-ui crate ... (BB_0046)) ships no authentication surface, so command authority is granted to any local process able to open its iceoryx2 services. Reference client end-to-end... (TEST_0881) exercises exactly that — a distinct local process opens the services and issues commands with no auth handshake. The explicit trust-boundary statement required by this requirement is recorded in the architecture solution strategy under UI connector is a passive, ... (ADR_0107). Capability tokens and control/read-only roles remain deferred.