ADR-007 Rev 6 states by-ID operations (get, update, delete, merge) are namespace-agnostic: namespace is attribution, not isolation, and authorization lives at the Gate.
Two paths still apply namespace scoping to exact-ID lookups:
-
brain.auto_feedback target validation: passing a full canonical UUID for a record whose namespace differs from the caller default fails with not found: target_id <uuid> not found in namespace 'local'. Reproduced against a memory note with namespace = <non-local>, deleted_at IS NULL — the row exists and is recallable, but cannot be credited.
-
Short-prefix resolution behind get/link and the feedback verbs inherits the multi-record default WHERE namespace='local' scan, so a prefix that uniquely identifies a record in another namespace reports no match.
Consequence: cross-namespace recall results structurally cannot receive feedback, so recall posteriors for profiles serving cross-namespace content never train.
Proposed fix:
- Make the exact-ID validation in the feedback path resolve by ID only (no namespace predicate), consistent with the other by-ID verbs.
- Route short-prefix resolution through the same namespace-agnostic candidate scan (prefix uniqueness should be evaluated across namespaces; ambiguity remains an error).
- Audit
brain.feedback and memory.feedback for the same scoped-lookup pattern; if they share a helper, fix at the helper.
Tests should cover: full-UUID feedback on a record in a non-default namespace succeeds; prefix resolution finds a unique cross-namespace record; ambiguous prefix across namespaces errors.
ADR-007 Rev 6 states by-ID operations (get, update, delete, merge) are namespace-agnostic: namespace is attribution, not isolation, and authorization lives at the Gate.
Two paths still apply namespace scoping to exact-ID lookups:
brain.auto_feedback target validation: passing a full canonical UUID for a record whose namespace differs from the caller default fails with
not found: target_id <uuid> not found in namespace 'local'. Reproduced against a memory note withnamespace = <non-local>,deleted_at IS NULL— the row exists and is recallable, but cannot be credited.Short-prefix resolution behind get/link and the feedback verbs inherits the multi-record default
WHERE namespace='local'scan, so a prefix that uniquely identifies a record in another namespace reports no match.Consequence: cross-namespace recall results structurally cannot receive feedback, so recall posteriors for profiles serving cross-namespace content never train.
Proposed fix:
brain.feedbackandmemory.feedbackfor the same scoped-lookup pattern; if they share a helper, fix at the helper.Tests should cover: full-UUID feedback on a record in a non-default namespace succeeds; prefix resolution finds a unique cross-namespace record; ambiguous prefix across namespaces errors.