Skip to content

Commit 4b88f8e

Browse files
authored
Merge pull request #112 from AdaWorldAPI/claude/medcare-bridge-lance-graph-wmx76z
docs(rbac+lift): probe step-4 partial-green + nine-domain promotion decision
2 parents ac4b416 + db86919 commit 4b88f8e

3 files changed

Lines changed: 94 additions & 0 deletions

File tree

.claude/board/EPIPHANIES.md

Lines changed: 58 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,64 @@
44
> `**Status:**` line (FINDING / CONJECTURE / FRAMING / SUPERSEDED). Only
55
> the Status line is mutable — body and date are immutable. Corrections
66
> append as new dated entries citing the original.
7+
8+
---
9+
10+
## 2026-06-23 — E-NINE-DOMAIN-PROMOTION-DEFERRED — the nine Lift-tested NTO domains correctly stay un-Cross-walked; bulk-minting class_ids is the WRONG move, per the catalogue's own rules
11+
12+
**Status:** FINDING (promotion decision, 2026-06-23). Question raised: promote the
13+
nine Lift-tested NTO domains (Transport, Accounting, SalesDistribution, Credit, Cost,
14+
ServiceManagement, WorkOrder, Compliance, Audit) from **Lift-tested** to
15+
**Cross-walked** (mint `class_ids` in `ogar-vocab`)? **Decision: NO bulk promotion.**
16+
The deliberate "Lift-tested, not Cross-walked" state is correct, not pending. Grounds,
17+
per `OGIT-DOMAIN-LIFT-CATALOGUE.md`'s own ladder + authorship rules:
18+
19+
1. **Upstream-owned (needs arago/almato coordination, not a unilateral mint):**
20+
Transport + Compliance (`chris.boos@almato.com`), Cost + ServiceManagement
21+
(`Peter Larem`), Credit (`Ola Irgens Kylling`), SalesDistribution + Audit
22+
(`Marek Meyer`). The catalogue states structural changes to upstream domains
23+
"need arago/almato coordination." A codebook id is **stable forever** (P0 canon);
24+
minting permanent ids for upstream-owned concepts without coordination is exactly
25+
the structural change the rule fences.
26+
2. **Already covered by an existing domain (promotion would duplicate):**
27+
Accounting → `0x02XX` commerce/ERP via the Odoo lift; Audit → ADR-013
28+
(Audit-as-Lance-version) owns the semantics. A second slot for an already-homed
29+
concept dilutes the codebook.
30+
3. **Ours but speculative (premature mint):** WorkOrder is our extension
31+
(`dcterms:creator` = `bus-compiler` + `family-codec-smith`, authored for woa-rs).
32+
We MAY mint it — but minting before woa-rs's consumer-collapse needs the classid is
33+
speculative permanent allocation. Gate: mint WorkOrder when woa-rs reaches the
34+
`authorize(actor, WoaPort::class_id(...))` step (keystone §11 step 5), not before.
35+
4. **Cross-repo skew hazard (the just-fixed break):** every consumer pulls
36+
`ogar-vocab branch=main` AND the lance-graph mirror; a mint must reach OGAR `main`
37+
**before** the `lance-graph-contract::ogar_codebook` mirror bumps, or the
38+
compile-time `COUNT_FUSE` breaks every consumer (cf. lance-graph ISSUES
39+
`ISS-OGAR-AUTH-MIRROR-DRIFT`, E-CODEBOOK-MINT-IS-A-CROSS-REPO-ARC). Nine
40+
simultaneous mints multiply that coordination cost for no current consumer need.
41+
42+
**Per-domain promotion gate (the auto-resolve, not a punt):**
43+
44+
| Domain | Owner | Promote when | Default home today |
45+
|---|---|---|---|
46+
| Transport | upstream (almato) | arago coordination + a consumer needs it ||
47+
| Compliance | upstream (almato) | arago coordination + a consumer needs it ||
48+
| Cost | upstream (Larem) | arago coordination + a consumer needs it ||
49+
| ServiceManagement | upstream (Larem) | arago coordination + a consumer needs it ||
50+
| Credit | upstream (Kylling) | arago coordination + a consumer needs it ||
51+
| SalesDistribution | upstream (Meyer) | arago coordination + a consumer needs it ||
52+
| Accounting | mixed (11 ours) | only if it diverges from `0x02XX` | `0x02XX` commerce |
53+
| Audit | upstream (Meyer) | only if it needs a classid beyond versioning | ADR-013 Lance-version |
54+
| WorkOrder | **ours** (woa-rs) | woa-rs reaches keystone §11 step 5 | Lift-tested form |
55+
56+
**The general rule promoted from this:** Lift-tested → Cross-walked is **demand-driven
57+
and ownership-gated**, never a completeness sweep. A domain earns a codebook id when (a)
58+
a consumer needs to `authorize()`/route on it AND (b) we own it or have coordination —
59+
not because it round-trips. Round-trip (Lift-tested) proves the *shape lands*; it does
60+
NOT imply the *id should mint*. Cross-ref: `OGIT-DOMAIN-LIFT-CATALOGUE.md` ladder,
61+
P0 canon "codebook ids stable forever," E-CODEBOOK-MINT-IS-A-CROSS-REPO-ARC.
62+
63+
---
64+
765
>
866
> Convention adopted from `AdaWorldAPI/surrealdb`'s `.claude/board/EPIPHANIES.md`.
967
>

docs/CLASSID-RBAC-KEYSTONE-SPEC.md

Lines changed: 24 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -180,6 +180,30 @@ reference system's decision **bit-for-bit** on a fixed corpus (Odoo
180180
OpenFGA model) before consumer-collapse (step 5) lands. Until green, the
181181
keystone is **CONJECTURE**.
182182

183+
> **STEP-4 STATUS (2026-06-23) — PARTIAL GREEN (positive ∧ op-gate half).**
184+
> The classid-keyed kernel is built and the gate is green against the
185+
> **in-repo reference** — the shipped membrane gate
186+
> `lance_graph_rbac::policy::Policy::evaluate` (the "reconcile the shipped
187+
> MembraneGate path with the keystone" framing of
188+
> `ISS-RBAC-AUTHORIZE-BY-CLASSID`). Impl + probe:
189+
> `lance-graph/crates/lance-graph-rbac/src/authorize.rs`
190+
> `ClassRbac` (§4) · `authorize()` (§5 positive ∧ op-gate, deny-reasons
191+
> mirrored exactly) · `ClassGrants` (`PermissionSpec` re-keyed by `ClassId`,
192+
> §11). `probe_ogar_rbac_authorize` reproduces `Policy::evaluate`
193+
> **bit-for-bit** over a 15-tuple corpus (all roles/ops/deny-reasons +
194+
> depth boundary + unknown actor); `probe_is_falsifiable_under_wrong_keying`
195+
> proves the gate is not vacuous (a wrong classid flips an Allow).
196+
>
197+
> **What this certifies:** the §5 *positive ∧ op-gate* half + the §11 classid
198+
> re-keying — promoted CONJECTURE→FINDING **for the shipped reference**.
199+
> **What remains CONJECTURE:** the §5 stage-2 *row-scope* predicate and the
200+
> projecting `Allow { scope, mask }` return — the shipped reference is
201+
> positive-only, so the scope-bearing references (Odoo `ir.model.access ∧
202+
> ir.rule`, OpenFGA) are the follow-on probes that exercise stage 2. The
203+
> keystone stays CONJECTURE **as a whole** until a scope-bearing reference is
204+
> green; the positive half is now FINDING. Cross-ref: lance-graph
205+
> `EPIPHANIES.md` E-RBAC-AUTHORIZE-PROBE-GREEN (2026-06-23).
206+
183207
## 11. Build / PR order + cross-refs
184208

185209
Order: **(1)** `lance-graph-contract` `ClassRbac` trait → **(2)** OGAR

docs/OGIT-DOMAIN-LIFT-CATALOGUE.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,18 @@ arago/almato coordination."
7474
4. **Promote** — update this row's status. Mention it in the next PR
7575
description so reviewers know the lift surface grew.
7676

77+
> **Lift-tested → Cross-walked is demand-driven and ownership-gated, NOT a
78+
> completeness sweep** (decision 2026-06-23, `.claude/board/EPIPHANIES.md`
79+
> E-NINE-DOMAIN-PROMOTION-DEFERRED). Round-trip (Lift-tested) proves the
80+
> *shape lands*; it does NOT imply the *id should mint*. A domain earns a
81+
> `class_ids` codebook id (stable forever, P0 canon) only when **(a)** a
82+
> consumer needs to `authorize()`/route on it AND **(b)** we own it or have
83+
> arago/almato coordination for an upstream-owned domain. The nine
84+
> Lift-tested domains are correctly parked un-Cross-walked: most are
85+
> upstream-owned (coordination-gated), Accounting/Audit are already homed
86+
> (`0x02XX` / ADR-013), and WorkOrder (ours) waits on woa-rs's
87+
> consumer-collapse. See the per-domain gate table in that epiphany.
88+
7789
## Per-domain inventory
7890

7991
| Domain | Entities | Attributes | Verbs | Status | Notes |

0 commit comments

Comments
 (0)