ChurchNSGate — Unified NS Integrity Architecture

The 3-read + gt_seq-match + CRC-16/CCITT check that previously existed separately in both mLoad and cLoad is now a single shared sub-module. Each caller provides only its own pre- and post-gate logic; the integrity gate runs once, in one place.

Modules:
  mLoad                  hardware/mload.py
  ChurchNSGate · shared  hardware/ns_gate.py
  cLoad                  hardware/cload.py

── Pre-gate (caller-specific) ── mLoad
  IDLE          wait for sub_start
  FETCH_SRC     read source CR or accept direct_gt
  CHECK_L       L-perm on src cap | m_elevated bypass
  CHECK_BOUNDS  index < src limit_offset
  FETCH_GT      read GT word 0 from c-list memory
  CHECK_NS      result_gt.slot_id < ns_limit (CR15.word2)
  START_GATE    pulse ns_gate_start · gt_word0 = result_gt · → WAIT_GATE (delegate)

── Pre-gate (caller-specific) ── cLoad
  IDLE          wait for cload_start
  CHECK_TYPE    gt_type == Inform · perms[E] == 1
  START_GATE    pulse ns_gate_start · gt_word0 = e_gt_latched · → WAIT_GATE (delegate)

── idle, awaiting start pulse ── ChurchNSGate
  IDLE          waiting for ns_gate_start
                gt_word0 and cr15_namespace must be stable on the start cycle

── Gate running ── ChurchNSGate
  FETCH_LOC      mem[CR15.base + slot_id × 12] → latch raw_base
  FETCH_W2       mem[NS_entry+4] → latch raw_w2 (gt_seq | limit)
  [FETCH_W3]     mem[NS_entry+8] → latch raw_w3 (CRC | g_bit)   ★ sealed
  CHECK_VERSION  e_gt.gt_seq == raw_w2.gt_seq → VERSION fault on mismatch
                 CRC-16/CCITT(gt[24:0]+raw_base+raw_w2) == raw_w3.crc → SEAL fault
  DONE           ns_gate_done=1 · raw_base / raw_w2 / raw_w3 valid (done → caller)
  FAULT          ns_gate_fault=1 · fault_type: VERSION or SEAL → IDLE

── Post-gate (mLoad-specific) ──
  WAIT_GATE      latch raw_base/w2/w3 on done; latch fault_type on fault
  [RESET_GBIT]   write g_bit=0 to NS_entry[+8]   ★ seal check only
  UPDATE_THREAD  write GT word to c-list mirror (if dst CR ≤ 7)
  COMPLETE       write full cap_reg to dest CR · assert sub_done → IDLE
  FAULT          assert sub_fault · latch fault_type → IDLE

── Post-gate (cLoad-specific) ──
  WAIT_GATE      latch raw_base/w2/w3 on done; latch fault_type on fault
  FETCH_HDR      mem[raw_base] → cc / n_minus_6 / lump_size
  WRITE_CR14     X-only cap · base=raw_base+4 · limit=lumpSize−cc−2
  WRITE_CR6      c-list cap · base=raw_base+(lumpSize−cc)×4 · limit=cc−1
  DONE           assert cload_done · CR14 + CR6 written → IDLE
  FAULT          assert cload_fault · latch fault_type → IDLE

★ States compiled in only when enable_seal_check = True (production default). Conditional states (dashed borders in the diagram) are shown in square brackets.

The memory bus is muxed: when ns_gate_busy=1 the gate drives mem_addr/mem_rd_en; otherwise the caller drives memory (FETCH_HDR in cLoad; FETCH_GT, RESET_GBIT in mLoad).

CRC input (89 bits): gt_word0[24:0] + raw_base[31:0] + raw_w2[31:0], identical to the separate computations that previously lived in each caller.
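
A software reference model of the gate sequence above (three reads, version check, then seal check), added here as an example; it is not the project's ns_gate.py. The CRC parameters (polynomial 0x1021, init 0xFFFF, MSB-first), the field positions SEQ_SHIFT and CRC_SHIFT, the dict-based memory and the helper make_entry are assumptions, not taken from the page.

```python
# Added reference model, not project code. Assumed (not on the page): the CRC
# init value and bit order, and the field positions SEQ_SHIFT / CRC_SHIFT.
SEQ_SHIFT = 25        # hypothetical: gt_seq in raw_w2[31:25], limit below it
CRC_SHIFT = 16        # hypothetical: crc in raw_w3[31:16], g_bit in raw_w3[0]
NS_ENTRY_BYTES = 12   # from the page: CR15.base + slot_id * 12

def crc16_ccitt_bits(value, nbits, crc=0xFFFF):
    """Bit-serial CRC-16 (poly 0x1021) over the low nbits of value, MSB first."""
    for i in range(nbits - 1, -1, -1):
        feedback = ((crc >> 15) & 1) ^ ((value >> i) & 1)
        crc = (crc << 1) & 0xFFFF
        if feedback:
            crc ^= 0x1021
    return crc

def seal(gt_word0, raw_base, raw_w2):
    """CRC over the 89-bit input gt_word0[24:0] + raw_base + raw_w2."""
    msg = ((gt_word0 & 0x1FFFFFF) << 64) | (raw_base << 32) | raw_w2
    return crc16_ccitt_bits(msg, 89)

def ns_gate(mem, cr15_base, slot_id, gt_seq, gt_word0):
    """Return ('DONE', raw_base, raw_w2, raw_w3) or ('FAULT', fault_type)."""
    entry = cr15_base + slot_id * NS_ENTRY_BYTES
    raw_base = mem[entry]                      # FETCH_LOC
    raw_w2 = mem[entry + 4]                    # FETCH_W2
    raw_w3 = mem[entry + 8]                    # [FETCH_W3]
    if gt_seq != raw_w2 >> SEQ_SHIFT:          # CHECK_VERSION runs first
        return ("FAULT", "VERSION")
    if seal(gt_word0, raw_base, raw_w2) != raw_w3 >> CRC_SHIFT:
        return ("FAULT", "SEAL")               # seal compare
    return ("DONE", raw_base, raw_w2, raw_w3)

def make_entry(mem, cr15_base, slot_id, gt_word0, base, gt_seq, limit, g_bit=1):
    """Constructed helper: write a sealed NS entry into a byte-addressed dict."""
    entry = cr15_base + slot_id * NS_ENTRY_BYTES
    w2 = (gt_seq << SEQ_SHIFT) | limit
    mem[entry], mem[entry + 4] = base, w2
    mem[entry + 8] = (seal(gt_word0, base, w2) << CRC_SHIFT) | g_bit
    return entry
```

Because raw_w3 is outside the CRC input, clearing g_bit (mLoad's RESET_GBIT write) leaves the seal valid, while any change to raw_base or raw_w2 produces a SEAL fault.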