docs: update v3.6.1 to match Option A — three sibling dirs, per-kernel repos, CKProject CRD

Rewrote versioning.md for Option A (runc constraint discovery, no /ck-tool/ root,
per-kernel bare repos, three sibling dirs under kubelet namespace dir).
Added operator.md sections: per-version deployments, three PVs per kernel,
CKProject CRD with kubectl get ckp, kopf+NATS dual control plane, .status patching,
versioned reconciliation lifecycle (12 steps).
Updated changelog.md v3.6.1 entry with all findings.
Updated introduction.md release train with PROVEN status.

Author: styk-tv

docs/v3.6/changelog.md

@@ -45,52 +45,70 @@ v3.5-alpha6 was the last deployed incremental release. v3.6 adds:
 
 **Date:** 2026-04-06 | **Implements:** CK.Operator v1.3.0
 
-Version materialisation moves from `serving.json` on disk to the CK.Project custom resource. The CK volume becomes purely immutable -- no write-through exceptions.
+Version materialisation moves from `serving.json` on disk to the CK.Project custom resource. The CK volume becomes purely immutable -- no write-through exceptions. Storage uses per-kernel bare repositories and three sibling directories per kernel version (Option A).
 
 ### What Changes
 
 - **serving.json retired** -- no longer exists on disk. The three problems it created (write-through hack, inert file, decorative git refs) are dissolved.
-- **CK.Project `spec.versions`** -- named versions with git commit ref and URL route prefix. Version state is in etcd, not the filesystem.
-- **`spec.repo`** -- upstream git URL. The operator clones to scratch space and runs `git archive` locally (FUSE mounts cannot host bare repos).
-- **`deploy.materialise` step** -- new reconciliation step between `deploy.namespace` and `deploy.storage`. Streams `git archive` output to filer at `/ck/v/{tag}/{kernel}/`.
-- **`.git-ref` stamp** -- each materialised directory contains the exact commit hash. Implements `prov:wasGeneratedBy` from Git2PROV.
-- **Per-version PVs** -- `ck-{project}-{kernel}-{tag}`, each pointing to `/ck/v/{tag}/{kernel}`. When a tag's ref changes, content updates without PV recreation.
+- **Option A: Three sibling dirs** -- in-container mount layout uses `/ck/{kernel}/ck/`, `/ck/{kernel}/tool/`, `/ck/{kernel}/data/` as three sibling PVs under a kubelet-created namespace directory. No nested volume mounts. Driven by the runc constraint: `mkdirat` fails with EROFS in ReadOnly parent overlays before CSI volume content is visible.
+- **Per-kernel bare repos** -- each kernel has its own isolated bare git repository at `/ck/{kernel}/` on the SeaweedFS filer. No monorepo. No `spec.repo`. CK and TOOL loops extract from the same bare repo to sibling `ck/` and `tool/` directories.
+- **CKProject CRD** -- `ck.tech.games/v1` kind `CKProject` with `spec.versions` containing per-kernel `ck_ref` and `tool_ref`. `kubectl get ckp -A` shows Phase, Versions, and Checks.
+- **kopf + NATS dual control plane** -- both kopf CRD watch and NATS message listener trigger the same `reconcile()` function. `kubectl apply` and `nats pub` produce identical results.
+- **CKProject .status patching** -- operator patches `.status` after each reconcile with phase, per-version materialisation state, and aggregate proof.
+- **`deploy.materialise` step** -- new reconciliation step between `deploy.namespace` and `deploy.storage`. Extracts CK loop to `/ck/{kernel}/{version}/ck/` and TOOL loop to `/ck/{kernel}/{version}/tool/` via `git archive` from per-kernel bare repos.
+- **Three PVs per kernel per version** -- `ck-{project}-{kernel}-{version}-ck`, `ck-{project}-{kernel}-{version}-tool`, `ck-{project}-{kernel}-{version}-data`. CK and TOOL ReadOnlyMany, DATA ReadWriteMany.
+- **Per-version deployments** -- each declared version gets its own Deployment and service. Multiple versions run simultaneously at different route prefixes.
 - **Per-version HTTPRoutes** -- longest-prefix-first routing. Each version gets its own deployment and route rule.
-- **Garbage collection** -- filer paths under `/ck/v/` not referenced by any CK.Project version are deleted after reconciliation.
-- **Shared kernel optimisation** -- identical tree hashes across versions share one filer copy.
+- **`.git-ref` stamp** -- each materialised loop directory (`ck/` and `tool/`) contains the exact commit hash. Implements `prov:wasGeneratedBy` from Git2PROV.
+- **Quick setup mode** -- no git required for bootstrapping. Omit `ck_ref`/`tool_ref` and upload files directly to the filer. Transition to git-managed later without changing PVs or mounts.
+- **Garbage collection** -- version directories under `/ck/{kernel}/` not referenced by any CK.Project are deleted. Git internals (`HEAD`, `objects/`, `refs/`) are never GC'd.
+- **Shared kernel optimisation** -- identical refs across versions share one filer copy, PVs point to existing path.
 - **Backward compatible** -- no `spec.versions` means flat layout, existing projects unchanged.
-
-### Git Model (D9)
-
-- One repo per project. CK + TOOL in same repo, DATA never in git.
-- Tag prefix convention: `ck/{kernel}/vX.Y.Z`, `tool/{kernel}/vX.Y.Z` for independent loop versioning.
-- Per-loop overrides: `ck_ref` and `tool_ref` in version declarations for split CK/TOOL tags.
-- Ontological grounding: DOAP for repo metadata, Git2PROV (PROV-O) for commit provenance.
+- **Proven on live cluster** -- `hello-v1-0-0-proc` Running with three sibling PVs on AKS + SeaweedFS 3.93.
+
+### Reconciliation Lifecycle (Versioned -- 12 Steps)
+
+```
+  1. deploy.namespace
+  2. deploy.materialise          -- NEW
+  3. deploy.storage.ck
+  4. deploy.storage.tool         -- NEW (separate TOOL PVs)
+  5. deploy.storage.data
+  6. deploy.processors
+  7. deploy.web
+  8. deploy.routing
+  9. deploy.conceptkernels
+  10. deploy.auth
+  11. deploy.graph
+  12. deploy.endpoint
+```
 
 ### Deficiencies Resolved
 
 | Deficiency | Resolution |
 |-----------|-----------|
-| D1: No version materialisation | `git archive` from bare repo, commit-pinned |
-| D3: No serving.json write-through | serving.json retired, version state in CR |
-| D6: No git integration on filer | Bare repo on scratch, `.git-ref` traceability |
+| D1: No version materialisation | `git archive` from per-kernel bare repos, commit-pinned via `ck_ref`/`tool_ref` |
+| D2: Per-kernel volume isolation | Resolved by three-PV model (ck, tool, data per kernel per version) |
+| D3: No serving.json write-through | serving.json retired, version state in CK.Project CR |
+| D6: No git integration on filer | Per-kernel bare repos on filer, `.git-ref` traceability |
 
 ### New CK.Project CRD Fields
 
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
-| `spec.repo` | string | MUST (if versions declared) | Upstream git URL |
 | `spec.versions` | array | SHOULD | Version declarations |
-| `spec.versions[].name` | string | MUST | Tag name (used in PV names, filer paths, routes) |
-| `spec.versions[].ref` | string | MUST | Git commit hash to materialise |
-| `spec.versions[].route` | string | MUST | URL path prefix |
-| `spec.versions[].ck_ref` | string | MAY | CK loop tag override |
-| `spec.versions[].tool_ref` | string | MAY | TOOL loop tag override |
+| `spec.versions[].name` | string | MUST | Version tag (used in PV names, filer paths, routes) |
+| `spec.versions[].route` | string | MUST | URL path prefix on project hostname |
+| `spec.versions[].data` | string | SHOULD | "isolated" or "shared" -- DATA directory scoping |
+| `spec.versions[].kernels` | array | MUST | Per-kernel declarations |
+| `spec.versions[].kernels[].name` | string | MUST | Concept kernel name |
+| `spec.versions[].kernels[].ck_ref` | string | MAY | Git commit hash for CK loop extraction |
+| `spec.versions[].kernels[].tool_ref` | string | MAY | Git commit hash for TOOL loop extraction |
 
 ### New Ontology Classes
 
-- `VersionDeclaration` -- named version pinned to a git commit, mapped to a URL route
-- `GitRepoConfig` -- upstream git repository location
+- `VersionDeclaration` -- named version with per-kernel refs, mapped to a URL route
+- `KernelVersionRef` -- per-kernel git refs for a specific version deployment
 
 ---
 

docs/v3.6/introduction.md

@@ -175,10 +175,15 @@ v3.5.16 Agent Teams                                              PLANNED
 ---------------------------------------------------------------------
 v3.6    Full release -- sum of all above
 
-v3.6.1  serving-multiversion-unpack (CK.Operator v1.3.0)       SPEC
-        Version materialisation via CK.Project CR
-        serving.json retired, git archive -> filer pipeline
-        Per-version PVs, HTTPRoutes, garbage collection
+v3.6.1  serving-multiversion-unpack (CK.Operator v1.3.0)       PROVEN
+        Option A: three sibling dirs (runc constraint discovery)
+        Per-kernel bare repos (no monorepo, no /ck-tool/ root)
+        CKProject CRD with per-kernel ck_ref/tool_ref
+        kopf + NATS dual control plane
+        Per-version deployments, 3 PVs per kernel per version
+        Quick setup mode (no git required)
+        serving.json retired, version state in CK.Project CR
+        Proven: hello-v1-0-0-proc Running with three sibling PVs
 ```
 
 ### Why This Model

docs/v3.6/operator.md

@@ -81,7 +81,7 @@ For the full step-by-step breakdown, see [Reconciliation Lifecycle](./reconcilia
 ## Version Materialisation (v3.6.1)
 
 ::: info v3.6.1 -- serving-multiversion-unpack
-This section documents the version materialisation model introduced in v3.6.1, implemented in CK.Operator v1.3.0. See [Versioning](./versioning) for the full git model.
+This section documents the version materialisation model introduced in v3.6.1, implemented in CK.Operator v1.3.0. See [Versioning](./versioning) for the full storage layout and runc constraint analysis.
 :::
 
 ### serving.json Is Retired
@@ -96,110 +96,202 @@ v3.6.1 dissolves all three problems by moving version state from the filesystem
 
 ### Version State in CK.Project CR
 
-Version declarations live in the CK.Project custom resource:
+Version declarations live in the CK.Project custom resource. Each version specifies per-kernel git refs for both CK and TOOL loops:
 
 ```yaml
+apiVersion: ck.tech.games/v1
+kind: CKProject
+metadata:
+  name: hello
 spec:
-  repo: https://github.com/ConceptKernel/kernels.git
+  hostname: hello.tech.games
   versions:
-    - name: live
-      ref: abc123f
+    - name: v1.3.2
       route: /
-    - name: staging
-      ref: def4567
-      route: /staging
-    - name: review-pr-42
-      ref: 789feda
-      route: /review/pr-42
+      data: isolated
+      kernels:
+        - name: Hello.Greeter
+          ck_ref: abc123f
+          tool_ref: aaa111
+        - name: CK.Lib.Py
+          ck_ref: eee555
+          tool_ref: fff666
+    - name: v1.3.19
+      route: /next
+      data: isolated
+      kernels:
+        - name: Hello.Greeter
+          ck_ref: def4567
+          tool_ref: bbb222
+        - name: CK.Lib.Py
+          ck_ref: eee555              # same as v1.3.2
+          tool_ref: fff666            # same as v1.3.2
+```
+
+The operator reads `spec.versions`, materialises each version from per-kernel bare repositories on the SeaweedFS filer, and creates per-version deployments, PVs, and HTTPRoute rules. A version promotion is a CK.Project resource update -- `kubectl patch`, NATS command, or operator API. Standard Kubernetes-native workflow with etcd history.
+
+### Per-Version Deployments
+
+Each declared version gets its own Deployment. Pods in one version's deployment mount that version's PVs only. Multiple versions of the same project run simultaneously, each serving its designated route:
+
+```
+hello-v1.3.2-proc    → mounts v1.3.2 PVs, serves /
+hello-v1.3.19-proc   → mounts v1.3.19 PVs, serves /next
+```
+
+This model supports safe canary testing: deploy a new version at `/next`, verify it, then promote by swapping routes in the CK.Project CR.
+
+### Three PVs Per Kernel Per Version
+
+Each kernel in each version gets three independent PVs:
+
+```
+ck-{project}-{kernel}-{version}-ck       → /ck/{kernel}/{version}/ck/         ReadOnlyMany
+ck-{project}-{kernel}-{version}-tool     → /ck/{kernel}/{version}/tool/       ReadOnlyMany
+ck-{project}-{kernel}-{version}-data     → /ck-data/{hostname}/{kernel}/{version}/  ReadWriteMany
+```
+
+Inside the pod, these mount as three sibling directories under the kernel name:
+
+```
+/ck/{kernel}/ck/      ← CK PV (ReadOnly)
+/ck/{kernel}/tool/    ← TOOL PV (ReadOnly)
+/ck/{kernel}/data/    ← DATA PV (ReadWrite)
+```
+
+The kernel name directory is not a volume -- it is a plain directory created by the kubelet. See [Versioning -- Three Sibling Dirs](./versioning#in-container-mount-layout-three-sibling-dirs-option-a) for the runc constraint that drives this design.
+
+### CKProject CRD
+
+v3.6.1 introduces the `CKProject` Custom Resource Definition at `ck.tech.games/v1`:
+
+```bash
+kubectl get ckp -A
+```
+
+```
+NAMESPACE     NAME          PHASE     VERSIONS   CHECKS   AGE
+ck-hello      hello         Running   1          15       1d
+ck-delvinator delvinator    Running   1          15       2d
+```
+
+The CKProject CRD provides:
+
+- **`spec.versions`** -- array of named versions with per-kernel `ck_ref`/`tool_ref`
+- **`spec.hostname`** -- project hostname for HTTPRoute generation
+- **`.status.phase`** -- Running, Degraded, or Failed (patched by operator after reconcile)
+- **`.status.versions`** -- per-version status with materialisation state
+- **`.status.proof`** -- aggregate proof from reconciliation checks
+
+#### CKProject .status Patching
+
+After each reconciliation, the operator patches the CKProject `.status` with the reconciliation result:
+
+```yaml
+status:
+  phase: Running
+  versions:
+    - name: v1.0.0
+      materialised: true
+      deploymentReady: true
+      routeAccepted: true
+  proof:
+    totalChecks: 15
+    totalPassed: 15
+    lastReconciled: "2026-04-06T14:00:00Z"
 ```
 
-The operator reads `spec.versions`, materialises each version from the git repository, and creates per-version PVs and HTTPRoute rules. A version promotion is a CK.Project resource update -- `kubectl patch`, NATS command, or operator API. Standard Kubernetes-native workflow with etcd history.
+This means `kubectl get ckp` always reflects the actual cluster state. If materialisation fails or a deployment is unhealthy, the status shows it.
+
+### Dual Control Plane: kopf + NATS
+
+CK.Operator uses both kopf (Kubernetes watch) and NATS messaging as entry points. Both trigger the same `reconcile()` function:
+
+```
+kopf watch CKProject CR change  ──→ reconcile()
+NATS input.CK.Operator message  ──→ reconcile()
+```
+
+This provides two equivalent paths to the same outcome:
+
+| Path | Use Case |
+|------|----------|
+| `kubectl apply -f ckproject.yaml` | GitOps, CI/CD pipelines, manual ops |
+| `nats pub input.CK.Operator '{"action":"project.deploy",...}'` | Web shell, inter-kernel communication, browser |
+
+Both paths produce identical results. The reconcile function is idempotent -- running it twice with the same input produces no changes.
 
 ### Materialisation Pipeline
 
 The reconciliation lifecycle gains a new step, `deploy.materialise`, inserted between `deploy.namespace` and `deploy.storage`:
 
 ```
-Reconciliation lifecycle (v3.6.1):
+Reconciliation lifecycle (v3.6.1 -- versioned):
 
   1. deploy.namespace
-  2. deploy.materialise          -- NEW: git archive -> filer
+  2. deploy.materialise          -- NEW: git archive -> filer (per-version, per-kernel)
   3. deploy.storage.ck
-  4. deploy.storage.data
-  5. deploy.processors
-  6. deploy.web
-  7. deploy.routing
-  8. deploy.conceptkernels
-  9. deploy.auth
-  10. deploy.graph
-  11. deploy.endpoint
+  4. deploy.storage.tool         -- NEW: separate TOOL PVs
+  5. deploy.storage.data
+  6. deploy.processors
+  7. deploy.web
+  8. deploy.routing
+  9. deploy.conceptkernels
+  10. deploy.auth
+  11. deploy.graph
+  12. deploy.endpoint
 ```
 
+This is 12 steps (11 + the new materialise step). The flat (non-versioned) lifecycle remains 10 steps for backward compatibility.
+
 For each version in `spec.versions`, the materialise step:
 
-1. Checks if `/ck/v/{tag}/{kernel}/.git-ref` exists on filer
-2. If it exists and contains the same ref -- skip (already current)
+1. For each kernel, checks if `/ck/{kernel}/{version}/ck/.git-ref` and `/ck/{kernel}/{version}/tool/.git-ref` exist on filer
+2. If they exist and contain the matching refs -- skip (already current)
 3. If missing or different ref:
-   - Runs `git archive {ref}:{kernel}/` from the bare repo
-   - Uploads the archive to filer at `/ck/v/{tag}/{kernel}/`
-   - Writes the commit hash to `/ck/v/{tag}/{kernel}/.git-ref`
-4. Ensures PV `ck-{project}-{kernel}-{tag}` exists pointing to `/ck/v/{tag}/{kernel}`
-5. Ensures PVC is bound
+   - CK loop: `git -C /ck/{kernel} archive {ck_ref} | upload to /ck/{kernel}/{version}/ck/`
+   - TOOL loop: `git -C /ck/{kernel} archive {tool_ref} | upload to /ck/{kernel}/{version}/tool/`
+   - Writes commit hashes to `.git-ref` in each loop directory
+4. Ensures three PVs per kernel per version exist
+5. Ensures PVCs are bound
 
-### Per-Version PVs and HTTPRoutes
-
-Each declared version gets its own PersistentVolume and routing rule:
-
-```yaml
-# Per-version CK volume
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: ck-delvinator-core-live
-spec:
-  accessModes: [ReadOnlyMany]
-  capacity:
-    storage: 50Gi
-  csi:
-    driver: seaweedfs-csi-driver
-    volumeHandle: ck-delvinator-core-live
-    volumeAttributes:
-      path: "/ck/v/live/Delvinator.Core"
-```
+### Per-Version HTTPRoutes
 
-HTTPRoute rules are ordered longest-prefix first, so `/staging` matches before `/`:
+HTTPRoute rules are ordered longest-prefix first:
 
 ```yaml
 spec:
-  hostnames: [delvinator.tech.games]
+  hostnames: [hello.tech.games]
   rules:
     - matches:
-        - path: { type: PathPrefix, value: /staging }
+        - path: { type: PathPrefix, value: /next }
       backendRefs:
-        - name: delvinator-staging
+        - name: hello-v1.3.19
+          port: 80
     - matches:
         - path: { type: PathPrefix, value: / }
       backendRefs:
-        - name: delvinator-live
+        - name: hello-v1.3.2
+          port: 80
 ```
 
-When a tag's ref changes, the PV is not recreated -- the filer path is stable (keyed by tag name). Content changes when the operator re-materialises. Pods pick up new content on rolling restart.
+When a version's ref changes, the PV is not recreated -- the filer path is stable (keyed by version name). Content changes when the operator re-materialises. Pods pick up new content on rolling restart.
 
 ### Version Lifecycle via CR
 
 | CR Change | Operator Action |
 |-----------|-----------------|
-| Add version | Materialise, create deployment + PV/PVC + route rule |
-| Change version ref | Re-materialise, roll pods |
-| Remove version | Delete deployment, PV/PVC, route rule, GC filer path |
+| Add version | Materialise CK + TOOL, create deployment + 3 PVs/PVCs per kernel + route rule |
+| Change version ck_ref or tool_ref | Re-materialise affected loop, roll pods |
+| Remove version | Delete deployment, PVs/PVCs, route rule, GC filer paths |
 
 ### Garbage Collection
 
-After reconciliation, the operator scans `/ck/v/` on the filer and deletes directories not referenced by any active version in any CK.Project resource. GC logs every deletion and never removes directories referenced by other projects.
+After reconciliation, the operator scans version directories under each kernel on the filer and deletes those not referenced by any active version in any CK.Project resource. GC deletes both `ck/` and `tool/` subdirectories together. GC MUST NOT delete git internals (`HEAD`, `objects/`, `refs/`). GC logs every deletion and never removes directories referenced by other projects.
 
 ### Shared Kernel Optimisation
 
-When two versions reference the same git tree hash for a kernel (e.g., the CK loop has not changed between live and staging), the operator reuses one filer copy. The PV for the second version points to the first version's filer path -- no duplicate storage.
+When two versions reference the same commit for a kernel's loop, the operator does not extract twice. It checks `.git-ref` in the existing version directory. If the hash matches, the new version's PV points to the existing path -- no duplicate storage.
 
 ### Backward Compatibility