Skip to content

By-ID feedback target validation is namespace-scoped, contradicting ADR-007 Rev 6 #391

Description

@ohdearquant

ADR-007 Rev 6 states by-ID operations (get, update, delete, merge) are namespace-agnostic: namespace is attribution, not isolation, and authorization lives at the Gate.

Two paths still apply namespace scoping to exact-ID lookups:

  1. brain.auto_feedback target validation: passing a full canonical UUID for a record whose namespace differs from the caller default fails with not found: target_id <uuid> not found in namespace 'local'. Reproduced against a memory note with namespace = <non-local>, deleted_at IS NULL — the row exists and is recallable, but cannot be credited.

  2. Short-prefix resolution behind get/link and the feedback verbs inherits the multi-record default WHERE namespace='local' scan, so a prefix that uniquely identifies a record in another namespace reports no match.

Consequence: cross-namespace recall results structurally cannot receive feedback, so recall posteriors for profiles serving cross-namespace content never train.

Proposed fix:

  • Make the exact-ID validation in the feedback path resolve by ID only (no namespace predicate), consistent with the other by-ID verbs.
  • Route short-prefix resolution through the same namespace-agnostic candidate scan (prefix uniqueness should be evaluated across namespaces; ambiguity remains an error).
  • Audit brain.feedback and memory.feedback for the same scoped-lookup pattern; if they share a helper, fix at the helper.

Tests should cover: full-UUID feedback on a record in a non-default namespace succeeds; prefix resolution finds a unique cross-namespace record; ambiguous prefix across namespaces errors.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions