In this section: Hands-On Examples
- Chapter 4 Feature Flag Evaluator Tutorial
- Chapter 5 Post Fetcher Runtime Tutorial
- Chapter 6 Universal Microservices Architecture (UMA) Portability Lab Tutorial
- Chapter 7 Metadata Orchestration Tutorial
- Chapter 8 Service Graph Evolution Tutorial
- Chapter 9 Trust Boundaries Tutorial
- Chapter 10 Architectural Tradeoffs Tutorial
- Chapter 11 Evolution Without Fragmentation Tutorial
- Chapter 12 Discoverable Decisions Tutorial
- Chapter 13 Portable MCP Runtime Tutorial
Chapter 9 UMA code example
Trust boundaries tutorial
This tutorial makes trust decisions visible. The runtime evaluates metadata, permissions, dependency provenance, placement, and communication rules before allowing execution.
Keep the path visible beside the tutorial so the trust rules, source folder, and neighboring chapters are easy to jump to.
What you will learn
- why portable systems cannot inherit trust from location alone
- how undeclared permissions and untrusted dependencies fail before execution
- how trust policy governs communication across services
Prerequisites
- Rust 1.76 or newer
- Node.js 20 or newer
- a checkout of the repository
Full tutorial
- Enter the example
cd chapter-09-trust-boundaries - List the trust labs
./scripts/list_labs.sh - Validate the trusted scenario
./scripts/validate_trust.sh lab1-trusted-service - Run the trusted service scenario
./scripts/run_trust_demo.sh lab1-trusted-service - Inspect an undeclared permission change
./scripts/trust_diff.sh lab1-trusted-service lab2-undeclared-permission - Run the untrusted dependency scenario
./scripts/run_trust_demo.sh lab3-untrusted-dependency - Run the restored compliance scenario
./scripts/run_trust_demo.sh lab5-restored-compliance - Run the full smoke path
./scripts/smoke_trust_labs.sh
What to inspect
After each command, look for these proof points. They are the signals that connect the code example back to the UMA architecture claim.
- Outcome: allow or deny
- permission.undeclared
- dependency.provenance.untrusted
- communication.forbidden
Acceptance check
The chapter-level validation path is:
./scripts/smoke_trust_labs.sh
Return to the repository root for the final acceptance gate:
cd ..
./scripts/smoke_reader_paths.sh
Where to go next
Chapter 10 compares architectural tradeoffs through runtime behavior.