feat(capnp-l1.0): add echidna-wire crate with 7 Cap'n Proto schemas

First slice of L1 Cap'n Proto work (ECHIDNA IPC protocol swap). L1.0
scope is schema + build + bindings-compile only; transport layer (UDS,
WebSocket), peer integrations (Julia, Chapel, UI), Idris2 ABI proofs
and core conversion helpers ship in L1.1+.

New workspace member `crates/echidna-wire/` mirrors the
`crates/typed_wasm/` pattern from S3. Contains:

Schemas (4 .capnp files, all high-bit file IDs per capnp convention):
- common.capnp (92 LoC) — Term (15-variant union), Pattern, Tactic
  (10-variant union), Hypothesis, Goal, Theorem, Context, Definition,
  Variable. Term is structured recursive union (not s-expr string) so
  Rust/Julia/Chapel/UI all zero-copy.
- prover.capnp (68 LoC) — AxiomUsage, TrustedOutcome (mirrors
  ProverOutcome's 8-variant taxonomy from provers/outcome.rs +
  TrustFactors from verification/confidence.rs), ProverInvocation.
- proof.capnp (52 LoC) — ProofGoal, ProofResult, RunDiagnostics,
  PerProverRecord. Imports prover.capnp (for TrustedOutcome +
  AxiomUsage — placed in prover.capnp to break what would otherwise
  be a proof↔prover import cycle).
- gnn.capnp (62 LoC) — GnnGraphPayload, GnnServerHints,
  GnnRankRequest, GnnRankResponse, FloatVec, TacticSuggestion. Field
  names preserved verbatim from current JSON shape in
  src/rust/gnn/client.rs so the Julia side needs only a JSON→capnp
  adapter, not a rename table.

ProverKind encoding on the wire: `UInt16` stable discriminant (from
kind_to_u8 in ffi/mod.rs) + `Text` canonical name as defence-in-depth,
never enumerated as a capnp union (105 variants, would churn).

Every root message stamps `schemaVersion :UInt16 = 1`. VERSIONING.md
documents the append-only evolution policy and connection-time Hello
negotiation (schema deferred to L1.1).

Build + tests:
- Cargo.toml: capnp = "0.20" runtime, capnpc = "0.20" build-dep.
- build.rs: capnpc::CompilerCommand over the 4 schemas with
  src_prefix="schemas".
- src/lib.rs: 4 pub mods named `<stem>_capnp` to match capnpc-rust's
  generated cross-file references, plus ergonomic `pub use
  common_capnp as common;` aliases for downstream consumers.
- 3 smoke tests (ProofGoal round-trip, GnnRankRequest construction,
  TrustedOutcome::Proved union) pass under `cargo test -p
  echidna-wire --lib smoke`.

Root Cargo.toml workspace.members gains "crates/echidna-wire". Root
echidna crate does NOT yet depend on echidna-wire — nothing consumes
wire types at L1.0.

Author: claude

Cargo.lock

@@ -112,6 +112,7 @@ harness = false
 
 [workspace]
 members = [
+    "crates/echidna-wire",
     "crates/typed_wasm",
     "src/interfaces/graphql",
     "src/interfaces/grpc",

Cargo.toml

@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+
+[package]
+name        = "echidna-wire"
+version     = "0.1.0"
+edition     = "2021"
+authors     = ["Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk>"]
+license     = "PMPL-1.0-or-later"
+description = "L1 IPC wire types for ECHIDNA (Cap'n Proto schemas + generated bindings)"
+repository  = "https://github.com/hyperpolymath/echidna"
+build       = "build.rs"
+
+[dependencies]
+capnp = "0.20"
+
+[build-dependencies]
+capnpc = "0.20"

crates/echidna-wire/Cargo.toml

@@ -0,0 +1,12 @@
+// SPDX-License-Identifier: PMPL-1.0-or-later
+
+fn main() {
+    capnpc::CompilerCommand::new()
+        .src_prefix("schemas")
+        .file("schemas/common.capnp")
+        .file("schemas/prover.capnp")
+        .file("schemas/proof.capnp")
+        .file("schemas/gnn.capnp")
+        .run()
+        .expect("capnpc build failed");
+}

crates/echidna-wire/build.rs

@@ -0,0 +1,75 @@
+<!-- SPDX-License-Identifier: PMPL-1.0-or-later -->
+
+# ECHIDNA Wire Schema Versioning Policy (`crates/echidna-wire`)
+
+Every root message MUST carry `schemaVersion :UInt16`. Current: **1**.
+File-level capnp IDs (`@0x…;`) are generated once and NEVER changed.
+
+## Compatibility model
+
+Cap'n Proto is structurally forward/backward-compatible within a major
+version provided the rules below are respected. Major version bumps are
+breaking and require a coordinated rollout across Rust core, Julia,
+Chapel, and UI peers.
+
+## Adding a field (SAFE — no version bump)
+
+- Append new fields at the next unused `@N`.
+- New fields MUST either:
+  - (a) have a default value (e.g. `@N :Bool = false`), OR
+  - (b) be paired with a `has<Name> :Bool` sibling for optional semantics.
+- New union variants may be appended at the end of an existing union.
+- New nested structs may be added freely.
+
+## Removing / changing a field (UNSAFE — major bump)
+
+- Reordering `@N` IDs of existing fields.
+- Changing a field's wire type (e.g. `UInt32` → `UInt64`).
+- Removing a non-optional field.
+- Reordering union discriminants.
+- Changing the stable `ProverKind` discriminant mapping
+  (mirrored in `src/rust/ffi/mod.rs`).
+
+## Deprecation flow
+
+1. Mark the field obsolete in this file and in a comment on the `.capnp`
+   line. Add a new replacement field at the next `@N`.
+2. Wait ONE minor version before removal candidacy (L1.0 → L1.1).
+3. Field removal = major bump (L1.x → L2.0). Must ship an
+   `echidna-wire v2` alongside v1 for at least one release cycle.
+
+## Connection-time negotiation
+
+Every transport session opens with a `Hello` exchange (schema deferred
+to L1.1 in `version.capnp`):
+
+```
+client → server : Hello    { supportedMajors :List(UInt16); preferredMajor :UInt16; }
+server → client : HelloAck { agreedMajor :UInt16; agreedMinor :UInt16; }
+```
+
+If no overlap: server returns `HelloAck { agreedMajor = 0 }` and closes.
+
+## ProverKind discriminant governance
+
+Appending a new variant to `ProverKind` (`src/rust/provers/mod.rs`) is
+SAFE iff:
+
+- the next contiguous `u16` is used (currently 105),
+- `kind_from_u8` / `kind_to_u8` are updated in lockstep
+  (`src/rust/ffi/mod.rs`),
+- this file records the assignment.
+
+Holes in the discriminant space are FORBIDDEN — the invertibility test
+at `src/rust/ffi/mod.rs` (see `kind_to_u8_injective` / round-trip tests)
+must keep passing.
+
+## Current assignments
+
+- Schema major: **1**. Minor: **0**.
+- File IDs:
+  - `common.capnp` = `@0xf2f7187fddaa9139`
+  - `proof.capnp`  = `@0xfa73f2ec7415f450`
+  - `prover.capnp` = `@0xf1841ae6bbc44651`
+  - `gnn.capnp`    = `@0xfbb66b8481def8a0`
+- Deprecations in flight: none.

crates/echidna-wire/schemas/VERSIONING.md

@@ -0,0 +1,92 @@
+@0xf2f7187fddaa9139;
+
+# Schema version stamped into every root message. Bumped only on incompatible
+# changes per VERSIONING.md. L1.0 = 1.
+const schemaVersionMajor :UInt16 = 1;
+const schemaVersionMinor :UInt16 = 0;
+
+struct Term {
+  union {
+    var      @0 :Text;
+    const    @1 :Text;
+    app      @2 :App;
+    lambda   @3 :Lambda;
+    pi       @4 :Pi;
+    sigma    @5 :Sigma;
+    typeU    @6 :UInt32;
+    sort     @7 :UInt32;
+    universe @8 :UInt32;
+    letBind  @9 :Let;
+    matchE  @10 :Match;
+    fixE    @11 :Fix;
+    hole    @12 :Text;
+    meta    @13 :UInt64;
+    proverSpecific @14 :ProverSpecific;
+  }
+
+  struct App     { func @0 :Term;  args @1 :List(Term); }
+  struct Lambda  { param @0 :Text; paramType @1 :Term;  body @2 :Term; hasParamType @3 :Bool; }
+  struct Pi      { param @0 :Text; paramType @1 :Term;  body @2 :Term; }
+  struct Sigma   { param @0 :Text; paramType @1 :Term;  body @2 :Term; }
+  struct Let     { name  @0 :Text; ty @1 :Term; value @2 :Term; body @3 :Term; hasTy @4 :Bool; }
+  struct Match   { scrutinee @0 :Term; returnType @1 :Term; hasReturnType @2 :Bool;
+                   branches  @3 :List(Branch); }
+  struct Fix     { name  @0 :Text; ty @1 :Term; body @2 :Term; hasTy @3 :Bool; }
+  struct ProverSpecific { prover @0 :Text; dataJson @1 :Text; }
+  struct Branch  { pattern @0 :Pattern; body @1 :Term; }
+}
+
+struct Pattern {
+  union {
+    wildcard    @0 :Void;
+    var         @1 :Text;
+    constructor @2 :Ctor;
+  }
+  struct Ctor { name @0 :Text; args @1 :List(Pattern); }
+}
+
+struct Tactic {
+  union {
+    apply        @0 :Text;
+    intro        @1 :IntroT;
+    cases        @2 :Term;
+    induction    @3 :Term;
+    rewrite      @4 :Text;
+    simplify     @5 :Void;
+    reflexivity  @6 :Void;
+    assumption   @7 :Void;
+    exact        @8 :Term;
+    custom       @9 :Custom;
+  }
+  struct IntroT  { name @0 :Text; hasName @1 :Bool; }
+  struct Custom  { prover @0 :Text; command @1 :Text; args @2 :List(Text); }
+}
+
+struct Hypothesis {
+  name     @0 :Text;
+  ty       @1 :Term;
+  body     @2 :Term;
+  hasBody  @3 :Bool;
+}
+
+struct Goal {
+  id         @0 :Text;
+  target     @1 :Term;
+  hypotheses @2 :List(Hypothesis);
+}
+
+struct Theorem {
+  name      @0 :Text;
+  statement @1 :Term;
+  aspects   @2 :List(Text);
+}
+
+struct Context {
+  theorems    @0 :List(Theorem);
+  axioms      @1 :List(Text);
+  definitions @2 :List(Definition);
+  variables   @3 :List(Variable);
+}
+
+struct Definition { name @0 :Text; ty @1 :Term; body @2 :Term; }
+struct Variable   { name @0 :Text; ty @1 :Term; }

crates/echidna-wire/schemas/common.capnp

@@ -0,0 +1,62 @@
+@0xfbb66b8481def8a0;
+
+using Common = import "common.capnp";
+
+struct GnnGraphPayload {
+  numNodes             @0  :UInt32;
+  numEdges             @1  :UInt32;
+  edgeSrc              @2  :List(UInt32);
+  edgeDst              @3  :List(UInt32);
+  edgeWeights          @4  :List(Float32);
+  edgeKinds            @5  :List(Text);
+  nodeFeatures         @6  :List(Float32);
+  featureDim           @7  :UInt32;
+  nodeKinds            @8  :List(Text);
+  nodeLabels           @9  :List(Text);
+  goalNodeIdx          @10 :UInt32 = 4294967295;
+  hasGoalNode          @11 :Bool;
+  premiseNodeIndices   @12 :List(UInt32);
+}
+
+struct GnnServerHints {
+  numGnnLayers   @0 :UInt16 = 4;
+  useAttention   @1 :Bool   = true;
+}
+
+struct GnnRankRequest {
+  schemaVersion      @0 :UInt16 = 1;
+  requestId          @1 :Text;
+  graph              @2 :GnnGraphPayload;
+  topK               @3 :UInt32 = 20;
+  minScore           @4 :Float32 = 0.05;
+  includeEmbeddings  @5 :Bool    = false;
+  config             @6 :GnnServerHints;
+}
+
+struct FloatVec { values @0 :List(Float32); }
+
+struct GnnRankResponse {
+  schemaVersion      @0 :UInt16 = 1;
+  requestId          @1 :Text;
+  success            @2 :Bool;
+  scores             @3 :List(Float32);
+  premiseNames       @4 :List(Text);
+  embeddings         @5 :List(FloatVec);
+  inferenceTimeMs    @6 :Float32;
+  error              @7 :Text;
+}
+
+struct TacticSuggestion {
+  schemaVersion     @0 :UInt16 = 1;
+  requestId         @1 :Text;
+  tactic            @2 :Text;
+  structuredTactic  @3 :Common.Tactic;
+  hasStructured     @4 :Bool;
+  confidence        @5 :Float32;
+  premise           @6 :Text;
+  hasPremise        @7 :Bool;
+  aspectTags        @8 :List(Text);
+  gnnScore          @9 :Float32 = 0;
+  symbolicScore    @10 :Float32 = 0;
+  fromServer       @11 :Bool   = false;
+}

crates/echidna-wire/schemas/gnn.capnp

@@ -0,0 +1,52 @@
+@0xfa73f2ec7415f450;
+
+using Common = import "common.capnp";
+using Prover = import "prover.capnp";
+
+struct ProofGoal {
+  schemaVersion       @0 :UInt16 = 1;
+  requestId           @1 :Text;
+  sessionId           @2 :Text;
+  goal                @3 :Common.Goal;
+  context             @4 :Common.Context;
+  preferredProverKind @5 :UInt16 = 65535;
+  preferredProverName @6 :Text;
+  timeoutMs           @7 :UInt32 = 300000;
+  minTrustLevel       @8 :UInt8 = 2;
+  crossCheck          @9 :Bool = false;
+  requestDiagnostics  @10 :Bool = false;
+  trackAxioms         @11 :Bool = true;
+  generateCertificate @12 :Bool = false;
+  metadataJson        @13 :Text;
+}
+
+struct ProofResult {
+  schemaVersion       @0 :UInt16 = 1;
+  requestId           @1 :Text;
+  verified            @2 :Bool;
+  trustLevel          @3 :UInt8;
+  proversUsed         @4 :List(Text);
+  proofTimeMs         @5 :UInt64;
+  goalsRemaining      @6 :UInt32;
+  message             @7 :Text;
+  crossChecked        @8 :Bool;
+  outcome             @9 :Prover.TrustedOutcome;
+  axiomReport         @10 :Prover.AxiomUsage;
+  hasAxiomReport      @11 :Bool;
+  certificateHash     @12 :Text;
+  hasCertificate      @13 :Bool;
+  diagnostics         @14 :RunDiagnostics;
+  hasDiagnostics      @15 :Bool;
+}
+
+struct RunDiagnostics {
+  normalizedInput  @0 :Text;
+  proversSelected  @1 :List(Text);
+  perProver        @2 :List(PerProverRecord);
+}
+
+struct PerProverRecord {
+  prover     @0 :Text;
+  outcome    @1 :Prover.TrustedOutcome;
+  elapsedMs  @2 :UInt64;
+}