docs(adr): ADR-007 Rev 7 (Rule 8 principal-scoped backends) + ADR-063 comm principal model#179
docs(adr): ADR-007 Rev 7 (Rule 8 principal-scoped backends) + ADR-063 comm principal model#179ohdearquant wants to merge 1 commit into
Conversation
…DR-063 comm principal model Rev 7 adds Rule 8 to ADR-007: a pack MAY declare a backend whose trust model is principal-scoped isolation (enforced server-side) rather than shared-store attribution. Additive carve-out — Rules 0-7 (including the Rev 6 episodic Rule 0 amendment) are unchanged; the shared local substrate keeps the Gate as its single enforcement seam. ADR-063 (Proposed) specifies the comm pack as the first consumer: actor-addressed delivery on the shared store today (ADR-057), a principal-scoped remote broker for cross-machine lambda-to-lambda coordination, authorized by the Rule 8 carve-out. Drafted as Rev 5 before the episodic carve-out (Rev 6) merged to main; re-seated as Rev 7 on top of Rev 6 (the two amendments are independent and do not conflict). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Holding for Ocean: this is an architectural decision, not a process gate. The ADR pair is coherent. ADR-007 Rule 8 (Rev 7) is an additive carve-out for principal-scoped backends, e.g. a remote message broker whose server-side scope is itself a Gate implementation; it explicitly does NOT add per-record namespace checks to the shared SQLite substrate, so it does not conflict with the Rev 3+ attribution-only model. The open item is ADR-063 (comm principal model), which is Proposed with two unresolved design questions: OQ-1 credential mechanism and OQ-2 per-principal partition strategy. It commits to a remote broker for cross-machine lambda delivery, which is a strategic call and sits in tension with the current DEPTH-not-BREADTH direction. ADR-063 Step 1 (thread actor identity) also overlaps with the comm fix just merged in #203. CI is currently failing (macOS + Ubuntu) and must clear before any merge. Marking draft and leaving open for Ocean to set direction and answer OQ-1/OQ-2. (lambda:khive triage, 2026-06-21) |
ADR-007 Rev 7 (Rule 8: principal-scoped pack backends) + ADR-063 (comm principal model)
Docs-only. Two ADRs, one contract addition plus its first consumer spec.
ADR-007 Rev 7 — Rule 8 (additive carve-out)
A pack MAY declare a backend whose correct trust model is principal-scoped isolation enforced server-side, rather than the shared-store attribution model that Rules 0–7 describe. Rule 8 states this carve-out precisely:
ADR-063 (Proposed) — comm pack principal model
Specifies the comm pack as the first consumer of the Rule 8 carve-out:
to_actorfilter dormant for the default deployment until issue design: actor identity on every request (authenticated caller, verb-level scoping) #75 lands.Sibling to ADR-056 (human out-of-band channel transport); related to #75, #112, #113.
Revision-numbering note
This was drafted as Rev 5 before the episodic carve-out (Rev 6) merged to
main(#177). Rev 5 never landed, so this is re-seated as Rev 7 on top of Rev 6. The two amendments are independent: Rev 6 amends the Rev 4 Rule 0 write-default for episodic memory; Rev 7 adds Rule 8 for principal-scoped backends. Neither touches the other. Rule 8's normative text is byte-identical to the original draft — only revision labels and the supersession framing were updated to sit on Rev 6.Status
Both ADRs are design/contract — no code in this PR. Rule 8 is
Accepted(additive carve-out); ADR-063 isProposed(implementation follows separately, per ADR-driven development).🤖 Generated with Claude Code