AI Provider Runtime Contract Protocol
Candidate: ai-provider-runtime-contract
Target owner: future-shared-package
Target package: ai-media-product-kit/packages/runtime
Purpose
This protocol freezes the portable runtime contract for image and media providers before any provider code moves out of this vertical template. The goal is to let future AI media products reuse the same descriptor, input policy, result normalization, provider readiness, and canary evidence shape without inheriting one product's prompts, model choices, public copy, or provider credentials.
This is a contract freeze only. Runtime adapters stay product-local until a second AI or media template proves the same lifecycle with different product identity and model configuration.
Shared Contract
The future media runtime package should own schemas and validators for:
- provider descriptors
- provider capability flags
- media input policies
- completed result envelopes
- submitted async job envelopes
- pending collection envelopes
- provider failure categories
- provider readiness and canary evidence summaries
The shared contract may define result kinds, capability labels, media policy field names, public failure categories, and secret-free evidence shapes. It must not define provider SDK calls, model request bodies, prompt builders, provider credentials, account bindings, public plan packaging, or product copy.
Provider Descriptor Boundary
A portable descriptor can include:
- provider id and display name
- model label or model family label
- runtime adapter id
- capability flags for collection, webhook completion, multiple outputs, and gateway logging
- input policy for accepted MIME types, maximum bytes, maximum dimension, transport, encoded request cap, output MIME type, and output quality
- readiness labels for matrix, smoke, and canary reports
Product adapters keep:
- concrete model ids and version pins
- provider SDK clients and credentials
- provider-specific input mapping
- prompt and negative-prompt construction
- environment variable names and Wrangler target shape
- provider selection copy
Runtime Result Boundary
The shared runtime can normalize these result shapes:
completed: one or more media outputs with public-safe metadatasubmitted: an async provider job reference plus optional poll hintpending: collection did not finish yet plus optional poll hintfailed: a public failure category separated from provider response bodies
Browser payloads and release evidence must not expose raw provider execution ids, gateway metadata, storage keys, private URLs, request payloads, image bytes, or token values.
Product Adapters
Each product template keeps adapters for:
- building provider requests
- mapping provider outputs into normalized output envelopes
- classifying provider-specific errors
- collecting async jobs or verifying webhooks
- running provider canaries against product-owned fixtures
- deciding whether provider canary evidence is launch-blocking or deferred
Adapters emit normalized runtime and evidence envelopes into the shared contract. The shared package validates and reports; it does not call providers.
Privacy Rules
The shared validators must reject artifacts containing:
- API tokens, bearer tokens, webhook secrets, or provider credentials
- raw actor, user, account, workspace, provider job, or owner ids
- R2 object keys, provider input keys, output keys, or signed URLs
- raw provider response bodies, gateway metadata, image bytes, or private URLs
- product prompt text, preset copy, or public visual identity
Artifacts may include provider labels, capability flags, public failure categories, aggregate output counts, byte counts, MIME types, public model family labels, redacted references, and reviewer-owned evidence labels.
Acceptance Fixture
The product-free fixture lives at
ai-provider-runtime-contract.media-fixture.json.
Before extraction, the fixture must keep these constraints true:
- it references
ai-provider-runtime-contract - it names
ai-media-product-kit/packages/runtimeas the target - it includes descriptor, input-policy, result-envelope, collection, and readiness stages
- it keeps product adapters separate from shared validators
- it contains no vertical product name, prompt text, raw provider id, storage key, token marker, or actor identifier
Extraction Sequence
- Keep current provider descriptors, runtime adapters, and canaries inside the product template.
- Build or start a second AI/media product that uses the same descriptor and result envelope with different model configuration and public identity.
- Move only descriptor validation, input-policy validation, result envelope validation, failure category normalization, evidence privacy scanning, and report formatting into the media kit.
- Keep provider SDK calls, model payload mapping, prompt builders, product presets, environment variables, and route composition inside each product.
- Re-run both product templates end to end before claiming the extraction complete.
Non-Goals
- No generic third-party provider plugin marketplace.
- No provider credential storage.
- No automatic model selection.
- No prompt registry.
- No public product copy.
- No claim that a provider is staging-proven without real canary evidence.