Protocol spec

This page collects the stable rules of the current sealed-lattice release boundary.

Public package surface

The only committed public package name is sealed-lattice.
The current public runtime facade is a development verification surface while the final direct encrypted ballot API is being built.
No public subpaths are promised yet.
The selected protocol direction is direct BGV-encrypted ballots, public ciphertext aggregation, deterministic mobile evaluator replay, target finality, and target-bound threshold decryption.
Complete ballot generation, casting, aggregation, evaluator replay, target-bound decryption, and result release APIs are not published yet.

@sealed-lattice/types, @sealed-lattice/protocol, @sealed-lattice/crypto, and @sealed-lattice/wasm are workspace-internal only.
crates/sealed-lattice-kernel is workspace-internal only.
No private package may leak through the public package facade.

Deep imports into another package’s internals are forbidden.
Relative imports that cross package boundaries are forbidden.
No private package may depend on sealed-lattice.
Package-boundary checks must stay green before wider functionality is published.

Node tests, browser tests, public package behavior checks, vector manifest verification, docs verification, pack smoke checks, and release-smoke checks must continue to pass.
The Rust transcript-core must keep building for native tests and wasm32-unknown-unknown.
The internal WASM loader must keep loading the transcript-core artifact in both Node and browser tests.
Direct ballot proof, encrypted aggregation, evaluator replay, target finality, and target-bound decryption checks must stay direct-path-only as those surfaces are implemented.
Default, release, docs, package-smoke, browser, and mobile gates should verify only the selected direct path and shared substrate.