parked: v3.7-external-deltas.md — actionable briefs for #14, #15, #16, #24

styk-tv · styk-tv · commit deb0f0f6d6cf · 2026-04-25T22:41:35.000+01:00
Consolidated artefact for the four tasks that fall outside the v3.7
documentation overhaul itself:

  #14 — `static` kernel type missing from external SPEC.CK.NEW
  #15 — 10-step reconciliation lifecycle: external SPEC missing
        deploy.security and deploy.graph
  #16 — 18+12 module enumeration: external SPEC treats both libraries
        as opaque
  #24 — CK.Operator code drift: RO-FS action.save(), hostname
        synthesis, dual kopf handlers

Each task section is structured for direct use:

  - "v3.7 spec position" with file:line citations from this site so
    the external doc can quote the canonical statement
  - "Discrepancy" naming the gap exactly
  - "Recommended insertion into SPEC.CK.NEW" — paste-ready text
    blocks for #14, #15, #16
  - "Code-side fix brief" — paste-ready dev ticket bodies for the
    three #24 sub-items, each citing the v3.7 contract being violated

Bonus: a small internal-drift note in #15 about changelog.md showing
a 12-step versioned breakdown without deploy.security while
reconciliation.md is the canonical 10-step lifecycle. Flagged for a
follow-up clarification pass on this site, kept separate from the
external delta work.

The file lives at parked/v3.7-external-deltas.md (repo root, outside
docs/), with frontmatter ingest:false / visibility:internal /
status:external. VitePress never builds it, sitemap.xml never
indexes it, llms.txt never references it. It is a working artefact
for the user's external SPEC.CK.NEW reconciliation and for the
operator-dev briefs.
diff --git a/parked/v3.7-external-deltas.md b/parked/v3.7-external-deltas.md
@@ -0,0 +1,278 @@
+---
+title: v3.7 External Deltas — for SPEC.CK.NEW reconciliation and operator-dev briefs
+status: external
+ingest: false
+visibility: internal
+revisit: pending
+---
+
+# v3.7 External Deltas
+
+Tasks **#14, #15, #16, #24** from the v3.7 documentation overhaul. These items are not changes to the published v3.7 spec docs — they are notes and recommendations targeted at:
+
+- the user's external `SPEC.CK.NEW` (#14, #15, #16)
+- the `CK.Operator` codebase (#24)
+
+Each section is self-contained and citation-ready. Paste blocks of "Recommended insertion" text directly into the target document; paste "Code-side fix brief" blocks into a developer ticket.
+
+This file is held outside `docs/v3.7/` and `docs/public/` so it is never served by VitePress, never indexed by `sitemap.xml`, and never referenced by `llms.txt`.
+
+---
+
+## #14 — `static` kernel type missing from external SPEC.CK.NEW
+
+### v3.7 spec position
+
+`static` is one of five kernel types in the v3.7 normative `qualities.type` enum. It is used by at least one system kernel and described consistently across the spec:
+
+| Citation (v3.7) | Statement |
+|---|---|
+| `docs/v3.7/crd.md:49` | ConceptKernel CRD `spec.type` enum: `["node:hot", "node:cold", "inline", "static", "agent"]` |
+| `docs/v3.7/conformance.md:137` | "One of four deployment profiles: `node:hot` (always-on), `node:cold` (on-demand), `inline` (browser-side), `static` (filer-served, no process)." |
+| `docs/v3.7/bfo-grounding.md:80` | `static` ↔ `ckp:StaticKernel`, "Filer-served web only — No process — gateway serves files — No NATS (read-only web surface)" |
+| `docs/v3.7/auth.md:48` | Kernel Type Authentication Requirements: `static` row, "None / None / No NATS connection" |
+| `docs/v3.7/message-envelope.md:267` | `static` row, "No NATS connection / None / None / None" |
+| `docs/v3.7/taxonomy.md:24` | Declarator archetype example: `CK.Project` is `qualities.type: static` |
+| `docs/v3.7/project.md:14,19` | "CK.Project is a `static` kernel because it holds only declarations; it has no processor that executes actions at runtime." |
+| `docs/public/ontology/v3.7/core.ttl` | `ckp:StaticKernel` is a subClassOf `ckp:Kernel` |
+
+Internal note: `conformance.md:137` says **four** deployment profiles, omitting `agent`. That sentence is itself a v3.7 internal drift bug (the enum has five). It should be fixed independently to: "One of five deployment profiles: `node:hot`, `node:cold`, `inline`, `static`, `agent`." — but it does *include* `static`.
+
+### Discrepancy
+
+External `SPEC.CK.NEW §1.2` and the §7 manifest template list four kernel types (no `static`). v3.7 needs five.
+
+### Recommended insertion into SPEC.CK.NEW
+
+Add a fifth kernel type to the §1.2 enum and the §7 manifest template:
+
+> ```yaml
+> qualities:
+>   type: static    # filer-served, no process; gateway serves storage/web/ directly
+> ```
+>
+> A `static` kernel:
+> - has **no** processor pod and **no** NATS connection
+> - is served by the project gateway from its `tool/web/` (or equivalent) DATA-organ path
+> - is the canonical type for **declaration-only** kernels (e.g., CK.Project, which materialises a `.ckproject` manifest but does not execute actions at runtime)
+> - is mapped to `ckp:StaticKernel` in `core.ttl`
+>
+> Conformance: implementations that omit `static` cannot represent declaration-only kernels. CKP requires support for all five types.
+
+---
+
+## #15 — 10-step reconciliation lifecycle: external SPEC missing `deploy.security` and `deploy.graph`
+
+### v3.7 spec position (canonical 10-step lifecycle)
+
+`docs/v3.7/reconciliation.md` defines the lifecycle. `docs/v3.7/operator.md:67-76` repeats it as the high-level overview. Both agree on 10 steps in this order:
+
+| # | Step | Purpose | v3.7 citation |
+|---|---|---|---|
+| 1 | `deploy.namespace` | Create namespace `ck-{subdomain}` | `reconciliation.md:33-37` |
+| 2 | **`deploy.security`** | ServiceAccount + 4 NetworkPolicies (default-deny-all, allow-nats, allow-dns, allow-gateway); `automountServiceAccountToken: false` | `reconciliation.md:39-51` |
+| 3 | `deploy.storage` | PV/PVC per three-loop spec (CK ReadOnlyMany + DATA ReadWriteMany) | `reconciliation.md:53-62` |
+| 4 | `deploy.processors` | ConfigMap (`boot.py`) + Deployment for processor pods | `reconciliation.md:64-68` |
+| 5 | `deploy.web` | Generated `index.html` + web Deployment + Service | `reconciliation.md:70-81` |
+| 6 | `deploy.routing` | HTTPRoute via Gateway API `parentRef` | `reconciliation.md:83-94` |
+| 7 | `deploy.ck_resources` | ConceptKernel CRs per kernel | `reconciliation.md:96-99` |
+| 8 | `deploy.auth` | Keycloak realm reuse / `KeycloakRealmImport` create | `reconciliation.md:~100`, `auth.md` Step-by-Step Execution |
+| 9 | **`deploy.graph`** | RDF materialisation to Jena Fuseki `/ckp` dataset, named graph per project (`urn:ckp:fleet:{hostname}`) | `reconciliation.md:124-148`, `graph.md` |
+| 10 | `deploy.endpoint` | External endpoint verification (HTTP 200) | `reconciliation.md:~150` |
+
+### Internal v3.7 drift (bonus finding)
+
+`docs/v3.7/changelog.md:73-86` shows a "Reconciliation Lifecycle (Versioned -- 12 Steps)" that splits storage into `deploy.materialise` + `deploy.storage.ck` + `deploy.storage.tool` + `deploy.storage.data`, and **omits `deploy.security`** entirely from the listing. This is an internal documentation drift bug independent of the external-spec reconciliation:
+
+- `reconciliation.md` is the canonical lifecycle (10 logical steps)
+- `changelog.md` shows a versioned-implementation breakdown (12 implementation steps for the v3.7 multi-version materialisation feature)
+- The two should cross-reference each other and clarify which is the protocol-level lifecycle vs. which is the implementation breakdown — currently a reader hits both and cannot tell
+
+Suggest adding to `changelog.md:73` a sentence: "This 12-step breakdown is the implementation expansion of the canonical 10-step lifecycle from [Reconciliation](./reconciliation), with `deploy.materialise` introduced and `deploy.storage` split per organ. The canonical lifecycle remains 10 steps." (Tracked as a candidate Pass-3 follow-up; not part of this externals delta.)
+
+### Discrepancy with external SPEC
+
+External `SPEC.CK.NEW §4` defines a 5-check contract. The two steps missing relative to v3.7's 10:
+
+- **`deploy.security`** — default-deny NetworkPolicies per project namespace
+- **`deploy.graph`** — RDF materialisation to Jena Fuseki at `/ckp`
+
+### Recommended insertion into SPEC.CK.NEW
+
+Extend §4 from the 5-check minimum to the v3.7 10-step lifecycle (table above). The two new entries:
+
+> **`deploy.security`** (between `deploy.namespace` and `deploy.storage`)
+>
+> Per-project Kubernetes namespace isolation via:
+> - `ServiceAccount: ckp-runtime` with `automountServiceAccountToken: false` (kernel pods cannot reach the Kubernetes API)
+> - `NetworkPolicy: ckp-default-deny` denying all ingress and egress
+> - `NetworkPolicy: ckp-allow-nats` permitting egress to NATS service on port 4222
+> - `NetworkPolicy: ckp-allow-dns` permitting egress to kube-dns
+> - `NetworkPolicy: ckp-allow-gateway` permitting ingress from the gateway namespace on port 80
+>
+> Rationale: defence in depth. A compromised kernel pod cannot reach services outside the allowed egress list, cannot inspect cluster state via the Kubernetes API, and cannot accept traffic from outside its declared gateway.
+>
+> **`deploy.graph`** (between `deploy.auth` and `deploy.endpoint`)
+>
+> RDF materialisation. After all kernel resources exist, CK.Operator publishes kernel metadata, edges, and instance pointers as RDF triples to a SPARQL endpoint (reference implementation: Jena Fuseki, dataset `/ckp`). Each project's fleet lives in a named graph identified as `urn:ckp:fleet:{hostname}`. Graph materialisation is best-effort: `deploy.endpoint` verification MUST succeed even if the SPARQL endpoint is unreachable.
+>
+> Rationale: the ontological graph is the queryable index of fleet state alongside the Kubernetes API.
+
+---
+
+## #16 — 18-module CK.Lib.Py + 12-module CK.Lib.Js: external SPEC treats as opaque
+
+### v3.7 spec position (precise enumeration)
+
+**CK.Lib.Py — 18 modules** (from `docs/v3.7/project.md:144-165`):
+
+| # | Module | Ontology Class | Purpose |
+|---|---|---|---|
+| 1 | `processor.py` | `ckp:Kernel` | Base class for all kernel processors |
+| 2 | `events.py` | `ckp:Action` | Action handler decorator (`@on`) and typed event emission |
+| 3 | `instance.py` | `ckp:InstanceManifest`, `ckp:SealedInstance` | Instance lifecycle: create, seal, ledger, proof |
+| 4 | `ledger.py` | `ckp:LedgerEntry` | Kernel-wide append-only JSONL action log |
+| 5 | `schema.py` | `ckp:SealedInstance` validation | LinkML `ontology.yaml` loading and validation |
+| 6 | `context.py` | N/A | Three-loop-aware context builder |
+| 7 | `capacity.py` | N/A | Concurrency control via file-based capacity management |
+| 8 | `occurrent.py` | `ckp:Occurrent` (BFO:0000015) | Action substeps with PROV-O proof and hash chains |
+| 9 | `edges.py` | `ckp:Edge`, `ckp:RelationshipType` | Edge subscription materialisation for NATS |
+| 10 | `actions.py` | `ckp:Action`, `rbac.ttl` | Action type resolution, composition, RBAC |
+| 11 | `dispatch.py` | `ckp:EdgeCommunication` | Local inter-kernel action dispatch and FIFO queue |
+| 12 | `serve.py` | `ckp:WebServing`, `ckp:APIServing` | FastAPI HTTP server wrapping `@on` handlers |
+| 13 | `auth.py` | `rbac.ttl` | Keycloak JWT verification + API token fallback |
+| 14 | `urn.py` | CKP URN scheme | URN parser, validator, builder (17 entity types) |
+| 15 | `prov.py` | `prov:Activity` | PROV-O session recording for any kernel |
+| 16 | `execution.py` | `ckp:ProofRecord`, `ckp:ProofCheck` | Multi-step execution proofs with hash chains |
+| 17 | `entities.py` | N/A | In-memory entity store with code-based lookup |
+| 18 | `nats_loop.py` | `ckp:NATSListening` | NATS subscriber loop implementing CK processing cycle |
+
+**CK.Lib.Js — 12 modules** (from `docs/v3.7/project.md:249-262`):
+
+| # | Module | Export Path | Ontology Grounding | Purpose |
+|---|---|---|---|---|
+| 1 | `ck-client.js` | `.` / `./client` | `ckp:NATSBrowserClient` | Core NATS WSS client; connection, auth, send, subscribe |
+| 2 | `ck-page.js` | `./page` | `ckp:InlineKernel` | Page harness; auto-detects kernel, renders chrome |
+| 3 | `ck-bus.js` | `./bus` | `ckp:EdgeCommunication` | In-browser event bus for decoupled component communication |
+| 4 | `ck-kernel.js` | `./kernel` | — | Kernel-specific CSS variables and theming |
+| 5 | `ck-registry.js` | `./registry` | `ckp:Project` | Kernel registry for multi-kernel page composition |
+| 6 | `ck-runtime.js` | `./runtime` | — | Client-side runtime utilities |
+| 7 | `ck-materializer.js` | `./materializer` | — | Client-side resource materialisation |
+| 8 | `ck-store.js` | `./store` | — | Client-side state persistence (localStorage + server filer) |
+| 9 | `ck-shapes.js` | `./shapes` | `sh:NodeShape` | SHACL shape rendering and validation UI |
+| 10 | `ck-anim.js` | `./anim` | — | Animation engine for kernel visualisations |
+| 11 | `ck-anim-grammar.js` | (internal) | — | Animation grammar parser |
+| 12 | `ck-sound.js` | `./sound` | — | Web Audio API integration |
+
+### Discrepancy with external SPEC
+
+External `SPEC.CK.NEW` treats both `CK.Lib.Py` and `CK.Lib.Js` as opaque — referring to them by name without enumerating modules. This means any divergence in module count or naming between v3.7 and `SPEC.CK.NEW` is silent: an implementer cannot conform to one and validate against the other.
+
+### Recommended insertion into SPEC.CK.NEW
+
+Add (or replace) the libraries section with citation-style references back to v3.7:
+
+> **CK.Lib.Py** — the canonical Python runtime library; npm-equivalent package `conceptkernel` on PyPI. Conformant implementations MUST provide all 18 modules listed in the v3.7 specification, with the ontology class bindings declared per `docs/v3.7/project.md:144-165`. The 18 modules are: `processor`, `events`, `instance`, `ledger`, `schema`, `context`, `capacity`, `occurrent`, `edges`, `actions`, `dispatch`, `serve`, `auth`, `urn`, `prov`, `execution`, `entities`, `nats_loop`.
+>
+> **CK.Lib.Js** — the canonical JavaScript client library; npm package `@conceptkernel/cklib`. Conformant implementations MUST provide all 12 modules listed in the v3.7 specification, with export paths and ontology grounding per `docs/v3.7/project.md:249-262`. The 12 modules are: `ck-client`, `ck-page`, `ck-bus`, `ck-kernel`, `ck-registry`, `ck-runtime`, `ck-materializer`, `ck-store`, `ck-shapes`, `ck-anim`, `ck-anim-grammar`, `ck-sound`.
+
+### Verification step (do this on the actual code, separate from the spec edit)
+
+The 18+12 module list above is taken from `project.md`. Before relying on it, verify against the live packages:
+
+```bash
+# Python (in a checkout that has cklib/)
+python -c "import cklib, pkgutil; print(sorted(m.name for m in pkgutil.iter_modules(cklib.__path__)))"
+
+# JS (in a checkout with @conceptkernel/cklib installed)
+node -e "console.log(Object.keys(require('@conceptkernel/cklib/package.json').exports))"
+```
+
+If the actual exports differ, treat that as a separate bug and reconcile both v3.7 docs and the external spec to the live truth.
+
+---
+
+## #24 — Operator-implementation drift (code briefs, not spec changes)
+
+These three items are runtime/code bugs in `CK.Operator`. Each violates a clear v3.7 spec contract; the spec is correct, the code disagrees. Hand these as discrete dev tickets.
+
+### #24.a — RO-FS violation: `action.save()` writes to a ReadOnly organ
+
+**Reported**: `action.save()` writes proof artefacts to `/ck/CK.Operator/storage/proof/`. `storage/` is also a stale path (renamed `data/` in v3.6); the more important defect is that proofs are landing in the **CK** organ (ReadOnlyMany at runtime) rather than the **DATA** organ (ReadWriteMany).
+
+**Spec contract violated**:
+
+| Citation | Statement |
+|---|---|
+| `docs/v3.7/proof.md:256` | "Action proofs MUST be stored in the kernel's `data/proof/` directory as `proof-{action}-{timestamp}.json`." |
+| `docs/v3.7/proof.md:281` | Conformance: "Proofs MUST be stored in `data/proof/` — REQUIRED" |
+| `docs/v3.7/three-loops.md`, `docs/v3.7/isolation.md` | CK organ is ReadOnlyMany at runtime, no exceptions (post-v3.7 retirement of `serving.json`). |
+
+**Code-side fix brief**:
+
+> In CK.Operator, change `action.save()` to write to `/ck/CK.Operator/data/proof/proof-{action}-{timestamp}.json` instead of `/ck/CK.Operator/storage/proof/`. The current path is wrong on both axes:
+> - It targets the **CK organ**, which is mounted ReadOnlyMany at runtime (post-v3.7 retirement of `serving.json` there are no write-through exceptions). The current `EROFS` failure is the kernel's defence working correctly.
+> - It uses the legacy `storage/` directory name; v3.7 renamed this to `data/`.
+>
+> The DATA organ is mounted ReadWriteMany; `data/proof/` is the canonical proof location per `docs/v3.7/proof.md:256,281`. After the fix, proofs are sealed instances and inherit the standard sealed-instance immutability contract documented in `docs/v3.7/data-loop.md`.
+
+### #24.b — Hostname synthesis bug
+
+**Reported**: a code path ignores `serving.hostname` (or `spec.hostname`) and synthesises a hostname from other fields.
+
+**Spec contract violated**:
+
+| Citation | Statement |
+|---|---|
+| `docs/v3.7/project.md` Required Fields table | `domain` (string, REQUIRED), `serving.subdomain` (string, REQUIRED). The `.ckproject` manifest declares serving identity. |
+| `docs/v3.7/operator.md:107` | CKProject CR example shows `spec.hostname: hello.tech.games` as a top-level required field. |
+| `docs/v3.7/crd.md:449` | CKProject CRD conformance: "`spec.hostname`, `spec.storage`, `spec.gateway.parentRef`, and `spec.versions` MUST be present — REQUIRED". |
+| `docs/v3.7/crd.md` CKProject schema | `spec.hostname` is the canonical fully-qualified hostname; `domain` and `serving.subdomain` are derivation sources, optional in the CR but required (in some form) in the manifest. |
+
+**Code-side fix brief**:
+
+> `spec.hostname` is the authoritative project hostname per the CKProject CRD schema (`docs/v3.7/crd.md` §CKProject CRD). CK.Operator MUST read it directly and use it for:
+> - DNS / serving subdomain
+> - Filer path prefix (`/ck-data/{hostname}/...`)
+> - Namespace naming (derived: `ck-{serving.subdomain}` where subdomain is the hostname's leftmost label, unless `serving.subdomain` is explicitly set)
+> - All gateway HTTPRoute hostnames
+>
+> If `spec.hostname` is absent, the reconcile MUST fail with a clear error before any resources are created, not silently synthesise a fallback. Synthesising hides operator-config errors and produces hostnames that will conflict with whatever `.ckproject` later declares.
+>
+> Spot-check after the fix: `kubectl get ckp -A -o jsonpath='{range .items[*]}{.metadata.name}{":"}{.spec.hostname}{" → ns="}{.status.namespace}{"\n"}{end}'` should show one-to-one alignment between `.spec.hostname`'s leftmost label and the namespace prefix.
+
+### #24.c — Dual kopf handlers for the same CR
+
+**Reported**: two kopf handlers fire on the same `CKProject` CR event.
+
+**Spec contract violated** (interpretation, since the spec doesn't enumerate handler counts directly):
+
+| Citation | Statement |
+|---|---|
+| `docs/v3.7/operator.md:212-217` | "Dual Control Plane: kopf + NATS" — two **entry points** (kopf CRD watch and NATS message listener) trigger the **same `reconcile()` function**. The dual entry refers to *transports*, not duplicated handlers on the same transport. |
+| `docs/v3.7/operator.md:33` | `kopf operator watching CKProject CR` is described as a single watcher. |
+| `docs/v3.7/changelog.md:59` | "kopf + NATS dual control plane" — explicitly two entry points triggering one `reconcile()`. |
+
+The spec does not contemplate two kopf handlers competing for the same CR event, and the dual-control-plane design assumes a single `reconcile()` is the convergence point. Two handlers means non-deterministic ordering, possible double-creation, and split log/proof streams.
+
+**Code-side fix brief**:
+
+> Per `docs/v3.7/operator.md:212-217` and `changelog.md:59`, the kopf+NATS dual control plane is two **entry points** converging on a single `reconcile()` function. There should be exactly one kopf handler per CR kind:
+> - `@kopf.on.create('ck.tech.games', 'v1', 'ckprojects')`
+> - `@kopf.on.update('ck.tech.games', 'v1', 'ckprojects')`
+> - `@kopf.on.delete('ck.tech.games', 'v1', 'ckprojects')`
+>
+> All three must call into the same `reconcile()` function (with the action variant — `project.deploy`, `project.update`, `project.teardown` — selected by handler kind). The NATS listener calls the same `reconcile()` for the same actions; there is one convergence point.
+>
+> Audit step: `grep -rnE '@kopf\.on\.|kopf\.handler' <operator-src>` should produce one handler per (kind, verb), not multiple. If there are two `@kopf.on.create('ckprojects')` decorators in the codebase, that is the bug.
+
+---
+
+## How to use this document
+
+1. Treat each `### Recommended insertion into SPEC.CK.NEW` block (in #14, #15, #16) as paste-ready text for the external spec.
+2. Treat each `**Code-side fix brief**` block (in #24.a/b/c) as a paste-ready dev ticket description.
+3. The internal v3.7 drift noted in #15 (changelog 12-step breakdown without `deploy.security`) is a candidate for a small follow-up Pass on this site, separate from the external work.
+4. Once external reconciliations land in `SPEC.CK.NEW` and operator fixes land in `CK.Operator`, the corresponding tasks (#14, #15, #16, #24) can be closed.
+
+This file is a working artefact, not a specification. Do not link it from any published CKP page.
