In this section: Hands-On Examples

Chapter 9 UMA code example

Trust boundaries tutorial

This tutorial makes trust decisions visible. The runtime evaluates metadata, permissions, dependency provenance, placement, and communication rules before allowing execution.

Tutorial route

Keep the path visible beside the tutorial so the trust rules, source folder, and neighboring chapters are easy to jump to.

What you will learn

  • why portable systems cannot inherit trust from location alone
  • how undeclared permissions and untrusted dependencies fail before execution
  • how trust policy governs communication across services

Prerequisites

  • Rust 1.76 or newer
  • Node.js 20 or newer
  • a checkout of the repository

Full tutorial

  1. Enter the example
    cd chapter-09-trust-boundaries
  2. List the trust labs
    ./scripts/list_labs.sh
  3. Validate the trusted scenario
    ./scripts/validate_trust.sh lab1-trusted-service
  4. Run the trusted service scenario
    ./scripts/run_trust_demo.sh lab1-trusted-service
  5. Inspect an undeclared permission change
    ./scripts/trust_diff.sh lab1-trusted-service lab2-undeclared-permission
  6. Run the untrusted dependency scenario
    ./scripts/run_trust_demo.sh lab3-untrusted-dependency
  7. Run the restored compliance scenario
    ./scripts/run_trust_demo.sh lab5-restored-compliance
  8. Run the full smoke path
    ./scripts/smoke_trust_labs.sh

What to inspect

After each command, look for these proof points. They are the signals that connect the code example back to the UMA architecture claim.

  • Outcome: allow or deny
  • permission.undeclared
  • dependency.provenance.untrusted
  • communication.forbidden

Acceptance check

The chapter-level validation path is:

./scripts/smoke_trust_labs.sh

Return to the repository root for the final acceptance gate:

cd ..
./scripts/smoke_reader_paths.sh

Where to go next

Chapter 10 compares architectural tradeoffs through runtime behavior.