Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions .claude/board/EPIPHANIES.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,64 @@
> `**Status:**` line (FINDING / CONJECTURE / FRAMING / SUPERSEDED). Only
> the Status line is mutable — body and date are immutable. Corrections
> append as new dated entries citing the original.

---

## 2026-06-23 — E-NINE-DOMAIN-PROMOTION-DEFERRED — the nine Lift-tested NTO domains correctly stay un-Cross-walked; bulk-minting class_ids is the WRONG move, per the catalogue's own rules

**Status:** FINDING (promotion decision, 2026-06-23). Question raised: promote the
nine Lift-tested NTO domains (Transport, Accounting, SalesDistribution, Credit, Cost,
ServiceManagement, WorkOrder, Compliance, Audit) from **Lift-tested** to
**Cross-walked** (mint `class_ids` in `ogar-vocab`)? **Decision: NO bulk promotion.**
The deliberate "Lift-tested, not Cross-walked" state is correct, not pending. Grounds,
per `OGIT-DOMAIN-LIFT-CATALOGUE.md`'s own ladder + authorship rules:

1. **Upstream-owned (needs arago/almato coordination, not a unilateral mint):**
Transport + Compliance (`chris.boos@almato.com`), Cost + ServiceManagement
(`Peter Larem`), Credit (`Ola Irgens Kylling`), SalesDistribution + Audit
(`Marek Meyer`). The catalogue states structural changes to upstream domains
"need arago/almato coordination." A codebook id is **stable forever** (P0 canon);
minting permanent ids for upstream-owned concepts without coordination is exactly
the structural change the rule fences.
2. **Already covered by an existing domain (promotion would duplicate):**
Accounting → `0x02XX` commerce/ERP via the Odoo lift; Audit → ADR-013
(Audit-as-Lance-version) owns the semantics. A second slot for an already-homed
concept dilutes the codebook.
3. **Ours but speculative (premature mint):** WorkOrder is our extension
(`dcterms:creator` = `bus-compiler` + `family-codec-smith`, authored for woa-rs).
We MAY mint it — but minting before woa-rs's consumer-collapse needs the classid is
speculative permanent allocation. Gate: mint WorkOrder when woa-rs reaches the
`authorize(actor, WoaPort::class_id(...))` step (keystone §11 step 5), not before.
4. **Cross-repo skew hazard (the just-fixed break):** every consumer pulls
`ogar-vocab branch=main` AND the lance-graph mirror; a mint must reach OGAR `main`
**before** the `lance-graph-contract::ogar_codebook` mirror bumps, or the
compile-time `COUNT_FUSE` breaks every consumer (cf. lance-graph ISSUES
`ISS-OGAR-AUTH-MIRROR-DRIFT`, E-CODEBOOK-MINT-IS-A-CROSS-REPO-ARC). Nine
simultaneous mints multiply that coordination cost for no current consumer need.

**Per-domain promotion gate (the auto-resolve, not a punt):**

| Domain | Owner | Promote when | Default home today |
|---|---|---|---|
| Transport | upstream (almato) | arago coordination + a consumer needs it | — |
| Compliance | upstream (almato) | arago coordination + a consumer needs it | — |
| Cost | upstream (Larem) | arago coordination + a consumer needs it | — |
| ServiceManagement | upstream (Larem) | arago coordination + a consumer needs it | — |
| Credit | upstream (Kylling) | arago coordination + a consumer needs it | — |
| SalesDistribution | upstream (Meyer) | arago coordination + a consumer needs it | — |
| Accounting | mixed (11 ours) | only if it diverges from `0x02XX` | `0x02XX` commerce |
| Audit | upstream (Meyer) | only if it needs a classid beyond versioning | ADR-013 Lance-version |
| WorkOrder | **ours** (woa-rs) | woa-rs reaches keystone §11 step 5 | Lift-tested form |

**The general rule promoted from this:** Lift-tested → Cross-walked is **demand-driven
and ownership-gated**, never a completeness sweep. A domain earns a codebook id when (a)
a consumer needs to `authorize()`/route on it AND (b) we own it or have coordination —
not because it round-trips. Round-trip (Lift-tested) proves the *shape lands*; it does
NOT imply the *id should mint*. Cross-ref: `OGIT-DOMAIN-LIFT-CATALOGUE.md` ladder,
P0 canon "codebook ids stable forever," E-CODEBOOK-MINT-IS-A-CROSS-REPO-ARC.

---

>
> Convention adopted from `AdaWorldAPI/surrealdb`'s `.claude/board/EPIPHANIES.md`.
>
Expand Down
24 changes: 24 additions & 0 deletions docs/CLASSID-RBAC-KEYSTONE-SPEC.md
Original file line number Diff line number Diff line change
Expand Up @@ -180,6 +180,30 @@ reference system's decision **bit-for-bit** on a fixed corpus (Odoo
OpenFGA model) before consumer-collapse (step 5) lands. Until green, the
keystone is **CONJECTURE**.

> **STEP-4 STATUS (2026-06-23) — PARTIAL GREEN (positive ∧ op-gate half).**
> The classid-keyed kernel is built and the gate is green against the
> **in-repo reference** — the shipped membrane gate
> `lance_graph_rbac::policy::Policy::evaluate` (the "reconcile the shipped
> MembraneGate path with the keystone" framing of
> `ISS-RBAC-AUTHORIZE-BY-CLASSID`). Impl + probe:
> `lance-graph/crates/lance-graph-rbac/src/authorize.rs` —
> `ClassRbac` (§4) · `authorize()` (§5 positive ∧ op-gate, deny-reasons
> mirrored exactly) · `ClassGrants` (`PermissionSpec` re-keyed by `ClassId`,
> §11). `probe_ogar_rbac_authorize` reproduces `Policy::evaluate`
> **bit-for-bit** over a 15-tuple corpus (all roles/ops/deny-reasons +
> depth boundary + unknown actor); `probe_is_falsifiable_under_wrong_keying`
> proves the gate is not vacuous (a wrong classid flips an Allow).
>
> **What this certifies:** the §5 *positive ∧ op-gate* half + the §11 classid
> re-keying — promoted CONJECTURE→FINDING **for the shipped reference**.
> **What remains CONJECTURE:** the §5 stage-2 *row-scope* predicate and the
> projecting `Allow { scope, mask }` return — the shipped reference is
> positive-only, so the scope-bearing references (Odoo `ir.model.access ∧
> ir.rule`, OpenFGA) are the follow-on probes that exercise stage 2. The
> keystone stays CONJECTURE **as a whole** until a scope-bearing reference is
> green; the positive half is now FINDING. Cross-ref: lance-graph
> `EPIPHANIES.md` E-RBAC-AUTHORIZE-PROBE-GREEN (2026-06-23).

## 11. Build / PR order + cross-refs

Order: **(1)** `lance-graph-contract` `ClassRbac` trait → **(2)** OGAR
Expand Down
12 changes: 12 additions & 0 deletions docs/OGIT-DOMAIN-LIFT-CATALOGUE.md
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,18 @@ arago/almato coordination."
4. **Promote** — update this row's status. Mention it in the next PR
description so reviewers know the lift surface grew.

> **Lift-tested → Cross-walked is demand-driven and ownership-gated, NOT a
> completeness sweep** (decision 2026-06-23, `.claude/board/EPIPHANIES.md`
> E-NINE-DOMAIN-PROMOTION-DEFERRED). Round-trip (Lift-tested) proves the
> *shape lands*; it does NOT imply the *id should mint*. A domain earns a
> `class_ids` codebook id (stable forever, P0 canon) only when **(a)** a
> consumer needs to `authorize()`/route on it AND **(b)** we own it or have
> arago/almato coordination for an upstream-owned domain. The nine
> Lift-tested domains are correctly parked un-Cross-walked: most are
> upstream-owned (coordination-gated), Accounting/Audit are already homed
> (`0x02XX` / ADR-013), and WorkOrder (ours) waits on woa-rs's
> consumer-collapse. See the per-domain gate table in that epiphany.

## Per-domain inventory

| Domain | Entities | Attributes | Verbs | Status | Notes |
Expand Down
Loading