epiphany(board): E-CONTRACT-NO-SERIALIZE-2 — correct #415, the audit event stays inside#417
Merged
Conversation
…event stays inside #415 landed E-CONTRACT-NO-SERIALIZE with "serialize at the membrane" — the user sharpened it ("why should the audit event go outside?"): audit is not membrane traffic at all. It is a witness (merkle -> SPO + Lance tombstone), examined in place by the query engine; the merkle chain IS the tamper-evidence. No JSON by default; the sink is inner, not membrane; off-box copies are an infra concern, not the sink's standing behavior. Board is append-only: prepends a correction entry, leaves the prior entry intact. §1 (contracts compile types, never serialize) stands. https://claude.ai/code/session_018FqA8TfgRBHy8zF92kx4TW
📝 WalkthroughWalkthroughThis PR adds a clarifying epiphany entry (E-CONTRACT-NO-SERIALIZE-2) to the design board. It corrects the prior framing by establishing that audit events are in-place, merkle-chained witnesses within the Lance graph—not external membrane traffic—and specifies that JSONL audit sinks should be optional export adapters rather than default trait behavior. ChangesAudit Event Architecture Clarification
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.claude/board/EPIPHANIES.md:
- Line 11: Change the sentence to state this as the intended migration target
(not current state): explicitly say that the callcenter module currently still
exports concrete sinks (e.g., JsonlAuditSink) and that the desired target is to
refactor callcenter to expose only the AuditSink trait and UnifiedAuditEvent
type while relocating JsonlAuditSink into lance-graph-callcenter as an optional
adapter, and that the canonical sink should be the SPO/Lance witness projection;
reference JsonlAuditSink, AuditSink, UnifiedAuditEvent, lance-graph-callcenter
and SPO/Lance witness projection in the updated phrasing so readers know these
symbols are the target of the migration.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 0254c232-acab-4970-bfe6-b88b6daa5462
📒 Files selected for processing (1)
.claude/board/EPIPHANIES.md
| - **The audit sink is inner, not membrane.** It belongs with the SPO/Lance tissue, behind the membrane — never in the outer client-facing layer. "Emit via the membrane sink" (prior entry's "Correct shape") was wrong. | ||
| - **Off-box durability / external-auditor copies are an infra concern** — replicate the durable Lance/merkle artifact, or do a deliberate on-request export *action* at the storage edge. Egress as an explicit act on the artifact, never the sink's standing behavior, never the client membrane. | ||
|
|
||
| So the lance-graph-side direction stands but with a corrected target: relocate the concrete `JsonlAuditSink` out of `lance-graph-callcenter` as an at-most-optional export adapter; callcenter keeps only the `AuditSink` trait + `UnifiedAuditEvent` type; the **canonical sink is the SPO/Lance witness projection**, not a JSON file at the membrane. |
There was a problem hiding this comment.
Clarify this as target-state, not current-state.
Line 11 currently reads as if callcenter already “keeps only” trait+type, but code still contains/export-gates concrete sinks (including JsonlAuditSink). Please mark this explicitly as a migration target to avoid architecture drift in follow-up planning.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.claude/board/EPIPHANIES.md at line 11, Change the sentence to state this as
the intended migration target (not current state): explicitly say that the
callcenter module currently still exports concrete sinks (e.g., JsonlAuditSink)
and that the desired target is to refactor callcenter to expose only the
AuditSink trait and UnifiedAuditEvent type while relocating JsonlAuditSink into
lance-graph-callcenter as an optional adapter, and that the canonical sink
should be the SPO/Lance witness projection; reference JsonlAuditSink, AuditSink,
UnifiedAuditEvent, lance-graph-callcenter and SPO/Lance witness projection in
the updated phrasing so readers know these symbols are the target of the
migration.
3 tasks
AdaWorldAPI
added a commit
that referenced
this pull request
May 28, 2026
…serialize-refine epiphany(board): E-CONTRACT-NO-SERIALIZE-2 — correct #415, the audit event stays inside
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Follow-up correction to #415. That PR landed
E-CONTRACT-NO-SERIALIZEwith the framing "serialization is the outer membrane's job" — the user sharpened it ("why should the audit event go outside?"): the audit event is not membrane traffic at all.Prepends
E-CONTRACT-NO-SERIALIZE-2(board is append-only, so the prior entry stays intact and is corrected here):merkle_root/prev_merkle) that calcifies into SPO + a Lance columnar tombstone (cf.E-LADDER-SERVES-MAILBOX§6). Examined in place — lance-graph is a query engine, so HIPAA §164.312(b) review is a query against the witness, not an export to a SIEM. The merkle chain is the tamper-evidence.JsonlAuditSink/with_jsonl_auditare a legacy "ship logs to Splunk" pattern this stack obsoletes.The §1 half of the prior entry (contracts compile types, never serialize; build-time serde codegen is fine) stands unchanged. Corrected lance-graph target: relocate the concrete
JsonlAuditSinkout of callcenter as an at-most-optional export adapter; the canonical sink is the SPO/Lance witness projection.Cross-refs MedCare-rs #159 (the consumer-side #7 correction). Board/docs-only.
Test plan
https://claude.ai/code/session_018FqA8TfgRBHy8zF92kx4TW
Generated by Claude Code
Summary by CodeRabbit
Note: This release contains no changes visible to end-users.