Closed
9 changes: 9 additions & 0 deletions DEBUG.md
Expand Up @@ -145,3 +145,12 @@ The Home bell regression was caused by replacing frequent summary polling with e
## Fix - 2026-05-26 Home Bell And ela.city Balance Regression

Home now refreshes shell summary for wallet/inbox events even when they arrive in the first long-poll payload after SSE fallback. Wallet EVM default updates now also set a `browser_connect` default, and Browser uses that default before generic transaction defaults.

## External Provider Deploy Invariant

When code inside a standalone external provider changes, deployed Home or app
assets are not enough. Rebuild the provider binary, install it under the active
`XDG_DATA_HOME/elastos/bin`, update the provider entry in `components.json` with
the new sha256 and size, and restart the gateway so the provider process is
respawned. Otherwise Home/Library can serve current JavaScript while the running
provider still returns stale roots, operations, or schemas.
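
Review bot: In the new "External Provider Deploy Invariant" section, the path `XDG_DATA_HOME/elastos/bin` is written without the `$` and without saying which directory applies when the variable is unset, and the procedure ends at "restart the gateway" with no check that the respawned provider is the binary whose sha256 and size were just recorded. Suggest writing the path as `$XDG_DATA_HOME/elastos/bin`, stating the fallback location, and adding a final step that compares the installed file's digest with the `components.json` entry and says what the gateway does on a mismatch, so a stale or swapped provider binary is caught rather than silently served.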
30 changes: 30 additions & 0 deletions ROADMAP.md
Expand Up @@ -159,6 +159,33 @@ Runtime principals, scoped capabilities, provider-owned effects, and signed
audit. The current translation is tracked in
[docs/PC2_CONVERGENCE.md](docs/PC2_CONVERGENCE.md).

The first PC2 migration slices should stay product-useful and boundary-small:

1. **Explorer / Library / WebSpace**: browse, upload, download, open,
publish, share, and inspect files/objects through Home/Library,
principal-root storage, persisted WebSpace mount/object-head metadata,
WebSpace lifecycle/health receipts,
`elastos://content/*`, recipient share-grant records, recipient-scoped
shared-access checks, and availability receipts with honest
peer-selection/quota/repair-worker metadata.
Preserve PC2's file-manager UX where it helps users, but translate every
operation onto typed Runtime object/provider contracts instead of PC2's older
filesystem, Puter, or direct IPFS assumptions. The implementation gate is
[docs/FILE_MANAGER_MIGRATION.md](docs/FILE_MANAGER_MIGRATION.md).
2. **AI Chat**: bring the chat UX over as a provider-backed app capsule where
inference, hosted-model credentials, embeddings, and document context
expansion stay inside `ai-provider`, `llama-provider`, or an operator-pinned
hosted provider.
3. **dDRM + Elacity Marketplace foundation**: wire protected-content provider
contracts before Marketplace/Creator/Player/Viewer UX. The sequence is
content status/fetch, rights check, key release, decrypt/render session,
receipt, Wallet/Inbox approval where needed, and audit.

Those slices are intentionally ordered so the user can first manage and publish
ordinary objects, then use provider-backed AI over those objects, then add
protected-content economics without giving apps raw keys, wallets, chain RPC,
Kubo/IPFS, Elacity SDKs, or provider credentials.

COMO is a separate runtime-framework research input, not a planned dependency.
Its C++ component model, runtime reflection, MetaClass packaging idea, Android
aarch64 history, and safety/redundancy lessons may inform the capsule-kernel ABI
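
Review bot: Slice 2 (AI Chat) says "document context expansion" stays inside `ai-provider`, `llama-provider`, or an operator-pinned hosted provider, but it never says what scopes that provider's read access to the user's objects, while slice 3 spells out its full sequence down to "receipt, Wallet/Inbox approval where needed, and audit". Suggest giving slices 1 and 2 the same treatment: name the capability check and the audit/receipt point for each, and for the hosted-provider case state whether object content may leave the runtime at all. Slice 1 is also a single sentence that mixes user operations (browse, upload, share) with mechanisms (`elastos://content/*`, share-grant records, availability receipts); splitting it into two short lists would make the boundary easier to review.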
Expand Down Expand Up @@ -220,6 +247,9 @@ The first implementation should be deliberately layered:
- expose `elastos://content/*` as the capsule-facing product contract
- keep `elastos://ipfs/*` only as the current low-level system/provider backend around Kubo, then retire it from the normal capsule-facing namespace once `elastos://content/*` exists
- model published objects, signed heads, provenance, and availability receipts with IPLD-compatible JSON/CBOR shapes
- keep local-only availability receipts honest by carrying explicit
peer-selection/quota/repair-worker metadata instead of implying live
multi-peer replication
- use Elacity/supernodes as the first remote availability target
- add volunteer replication and repair loops behind provider policy
- add payment/storage incentives only after receipts, quotas, health checks, and abuse controls exist
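
Review bot: The added bullet asks local-only availability receipts to stay "honest by carrying explicit peer-selection/quota/repair-worker metadata", but it does not say which part of the receipt tells a consumer that the object is local-only, so the presence of peer/quota/repair fields could itself be read as evidence that those mechanisms ran. Suggest requiring an explicit replication-status value in the receipt shape and stating that consumers treat a receipt with missing or unrecognized metadata as not replicated. Since the preceding bullet already covers signed heads and provenance, it is also worth saying whether this metadata falls under the receipt signature.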
8 changes: 6 additions & 2 deletions TASKS.md
Expand Up @@ -156,25 +156,29 @@ section if a higher section is incoherent, unverified, or too large to review.
### Runtime primitives missing for the PC2 world-computer model
- [ ] Replace hardcoded `Users/self` assumptions with first-class principals: passkey-owned user roots, user DID, device DID, personas, agents, active session, and capability tokens bound to principal + capsule + session.
- [ ] Add authenticated Carrier envelopes as the default application contract: sender DID, object identity, signature, capability context, replay protection, and verified delivery status. Keep raw gossip/transport as an explicit unsafe/provider-level lane.
- [ ] Add a real WebSpace mount/object model: mount table, resolver selection, object heads, local cache, access policy, sync cursors, and typed viewer resolution.
- [ ] Keep the `object-provider` / `content-provider` ontology stable while completing the remaining WCI object/content work: `object-provider` owns mutable principal-root objects, and `content-provider` owns published content identity, availability, and Carrier-backed delivery authority.
- [ ] Extract pure object-provider core out of `elastos-server::library` into a smaller provider-core crate when modularity becomes the release bar: preserve the existing `object-provider` capsule/API boundary, move principal-root object request handling, path rules, archive/event helpers, and tests without changing Library behavior, and keep publish/share/availability authority separated through `content-provider` and Runtime coordination.
- [ ] Keep Public placement and Published content separate in every Library/Home/Spaces surface: `Public` is a user-facing placement/projection under the active principal root, while `published_cid`/`elastos://<cid>` is the only public content-link truth. Do not add hidden auto-publish side effects for rename/move/copy/upload into Public; if auto-publish is desired later, make it an explicit user policy prompt backed by content-provider receipts.
- [ ] Add signed package identity for every installable capsule: manifest hash, full bundle hash/Merkle root, publisher DID, signature chain, interface descriptors, and install/update receipts.
- [ ] Add an interface registry primitive: signed interface descriptors, semantic versions, required/provided capability schema, compatibility resolution, and fail-closed launch when required interfaces are missing.
- [ ] Complete wallet/EID/chain providers behind the runtime boundary. The runtime should expose capability-gated signing, approval, credential, node-read, proof, broadcast, and provenance operations; it should not embed chain business logic.
- [ ] Keep network-drive/provider operating systems outside the trusted core. The runtime owns verification, capability routing, and audit; provider capsules/services own Telegram/Nostr/Matrix/Facebook/IPFS/Carrier-specific behavior.

### WebSpace / WCI contract
- [ ] Expand the current `webspace-provider` slice into fuller resolver outputs and deeper typed traversal.
- [ ] Clarify the relationship between rooted localhost paths, `elastos://...`, and mounted WebSpace views without freezing syntax too early.
- [ ] Make the Spaces UX model explicit before expanding Library roots: `Home` is the friendly alias for the active principal's local `localhost://Users/<principal>` space; a future `Localhost`/`This Device` Space may expose the same authorized principal tree and selected system roots, but never raw all-host data or other principals. `elastos://` should remain the global content/capability namespace, not a writable file path. A future `elastos://vault` (name TBD) should be an encrypted, DID-anchored, provider-backed replicated object space that can fork/sync selected local objects; quota/accounting applies there and to published/federated storage, not to ordinary local-only `localhost://` bytes.
- [ ] Define the CAS object model so paths stay the comfort layer rather than the real identity model.
- [ ] Keep capsule execution substrate (`type`), product role (`shell`/`app`/`viewer`/`provider`/`content`), and launch exposure as separate runtime concepts instead of letting one field imply the others.
- [ ] Document and enforce the object/capsule/space split consistently across UI copy, manifests, runtime docs, and shell/catalog surfaces.
- [ ] BLOCKER - production multi-peer availability/storage markets require real external infrastructure before this can close: production independent provider-network quota-ledger federation beyond the configured bounded endpoint quorum, production network-wide abuse throttles/banlists/abuse ledgers beyond the configured bounded abuse-control endpoint quorum, production federated operator fleet dashboards/UI/peer-health subscriptions beyond the current provider-local dashboard plus configured alert-exchange endpoint, production cross-runtime peer reputation trust policy, third-party attestations, revocation, and fleet-wide reputation exchange beyond the configured Carrier peer-attestation endpoint quorum, production storage-market offer/pricing/SLA execution beyond the configured storage-market endpoint-quorum admission gate, repair-fleet worker attestation/SLA/settlement beyond configured dispatch quorum, and live settlement/escrow execution.

### Collaboration and messaging
- [ ] Earn IRC only as an explicit packaged path with honest runtime prerequisites and proof.
- [ ] Build toward a first-class collaboration provider instead of letting compatibility bridges define the architecture.

### Documents and Library
- [ ] Add import/fork flows for immutable `elastos://<cid>` document revisions through the same provider contract.
- [ ] Future generic archive dependency approval: only after a format-specific review passes, enable an extra non-tar/non-zip family through the existing provider-owned archive list/preview/selective-extract/WebSpace policy contract. Current branch support for ZIP/tar/tar.gz/tgz browsing, preview, selected import/extract, WebSpace archive policy, and Archive UX is complete; unsupported generic families remain policy-gated by design.
- [ ] Unify the markdown packaging model so local documents, viewer/editor content, and `elastos share` do not keep using three different markdown stories.
- [ ] Decide the first collaborative document core intentionally; prefer a Rust/WASM CRDT evaluation (`Yrs` first, `Automerge` second) over ad hoc editor glue or a direct port of external JS products.
- [ ] Keep keystroke-level local editing local-first and low-latency; Carrier should carry remote sync/share/collaboration updates, not gate every same-runtime write.
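
Review bot: The "BLOCKER" entry in the WebSpace / WCI contract list packs seven separate prerequisites (quota-ledger federation, abuse throttles/banlists, fleet dashboards, peer reputation and revocation, storage-market execution, repair-fleet attestation, settlement/escrow) into one checkbox, so it can never be partly closed and a reviewer cannot tell which "configured bounded ... endpoint quorum" is the current baseline for which item. Suggest splitting it into one sub-item per prerequisite, each naming the existing bounded mechanism it replaces and the evidence needed to close it. In the same hunk, the "Public placement" item states a real invariant ("Do not add hidden auto-publish side effects for rename/move/copy/upload into Public") with no test or enforcement point named; a note saying where that is checked would keep it from regressing.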