Skip to content

epiphany(board): E-CONTRACT-NO-SERIALIZE-2 — correct #415, the audit event stays inside #417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AdaWorldAPI merged 1 commit into from
May 27, 2026
Merged

epiphany(board): E-CONTRACT-NO-SERIALIZE-2 — correct #415, the audit event stays inside #417

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .claude/board/EPIPHANIES.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,19 @@
## 2026-05-27 — E-CONTRACT-NO-SERIALIZE-2 — correction to E-CONTRACT-NO-SERIALIZE (below): the audit event never leaves the inside; "serialize at the membrane" was the wrong half — audit is not membrane traffic at all

**Status:** FINDING (sharpens the entry directly below; user correction via the question "why should the audit event go outside?"). The §1 half of the prior entry — *contracts compile types, never serialize; build-time serde codegen is fine* — stands. This entry replaces its "outer membrane's job" framing (board is append-only, so the prior entry is left intact and corrected here).

The audit event does **not go outside**, and there is no reason for it to. It is a **cognitive-compliance witness** — a merkle-chained event (`merkle_root` / `prev_merkle`) that **calcifies into SPO + a Lance columnar tombstone** (cf. `E-LADDER-SERVES-MAILBOX` §6). It is **examined in place** — lance-graph *is* a query engine, so HIPAA §164.312(b) "audit review" is a query against the witness, not an export to a SIEM. The merkle chain is the tamper-evidence; no external append-only file is needed for integrity.

- **No JSON by default.** `JsonlAuditSink` / `with_jsonl_audit` are the legacy "ship logs to Splunk" pattern this stack obsoletes — not a sanctioned boundary.
- **The audit sink is inner, not membrane.** It belongs with the SPO/Lance tissue, behind the membrane — never in the outer client-facing layer. "Emit via the membrane sink" (prior entry's "Correct shape") was wrong.
- **Off-box durability / external-auditor copies are an infra concern** — replicate the durable Lance/merkle artifact, or do a deliberate on-request export *action* at the storage edge. Egress as an explicit act on the artifact, never the sink's standing behavior, never the client membrane.

So the lance-graph-side direction stands but with a corrected target: relocate the concrete `JsonlAuditSink` out of `lance-graph-callcenter` as an at-most-optional export adapter; callcenter keeps only the `AuditSink` trait + `UnifiedAuditEvent` type; the **canonical sink is the SPO/Lance witness projection**, not a JSON file at the membrane.

@coderabbitai coderabbitai Bot May 27, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Clarify this as target-state, not current-state.

Line 11 currently reads as if callcenter already “keeps only” trait+type, but code still contains/export-gates concrete sinks (including JsonlAuditSink). Please mark this explicitly as a migration target to avoid architecture drift in follow-up planning.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/board/EPIPHANIES.md at line 11, Change the sentence to state this as
the intended migration target (not current state): explicitly say that the
callcenter module currently still exports concrete sinks (e.g., JsonlAuditSink)
and that the desired target is to refactor callcenter to expose only the
AuditSink trait and UnifiedAuditEvent type while relocating JsonlAuditSink into
lance-graph-callcenter as an optional adapter, and that the canonical sink
should be the SPO/Lance witness projection; reference JsonlAuditSink, AuditSink,
UnifiedAuditEvent, lance-graph-callcenter and SPO/Lance witness projection in
the updated phrasing so readers know these symbols are the target of the
migration.


Cross-ref: medcare-rs `CLAUDE.md` commitment #7 (corrected in MedCare-rs #159); prior entry `E-CONTRACT-NO-SERIALIZE` below.

---

## 2026-05-27 — E-CONTRACT-NO-SERIALIZE — a contract crate is a compile-time handshake (shared types + traits), NOT an outer serialization boundary; JSON emission belongs at the membrane, never on the BBB/contract surface

**Status:** FINDING (architectural vow, user-stated 2026-05-27 via the medcare-rs consumer session; recorded for the next session that touches the audit-sink / bridge surface — no lance-graph code change in this entry).
Expand Down