|
| 1 | +schema_version: "0.2.0" |
| 2 | +kind: "adr" |
| 3 | +id: "adr:0615" |
| 4 | +number: 615 |
| 5 | +slug: "downstream-assurance-language-ceilings" |
| 6 | +title: "Downstream assurance-language ceilings for feature target claim tiers" |
| 7 | +status: "accepted" |
| 8 | +origin: "ssot-origin" |
| 9 | +decision_date: null |
| 10 | +tags: [] |
| 11 | +summary: "SSOT downstream repositories use feature target claim tiers, linked claims, tests, and evidence to describe what a system can responsibly claim about a feature. The shared `T0` through `T4` tiers describe assurance strength, but downstream reports, release notes, README content, generated summaries, and certification artifacts also need a common language ceiling so weakly evidenced features are not described with stronger assurance language than their proof chains support." |
| 12 | +supersedes: [] |
| 13 | +superseded_by: [] |
| 14 | +status_notes: [] |
| 15 | +references: [] |
| 16 | +body: |- |
| 17 | + ## Context |
| 18 | + |
| 19 | + SSOT downstream repositories use feature target claim tiers, linked claims, tests, and evidence to describe what a system can responsibly claim about a feature. The shared `T0` through `T4` tiers describe assurance strength, but downstream reports, release notes, README content, generated summaries, and certification artifacts also need a common language ceiling so weakly evidenced features are not described with stronger assurance language than their proof chains support. |
| 20 | + |
| 21 | + This ADR is an `ssot-origin` decision. It is intended to apply to downstream repositories that synchronize and conform to SSOT origin documents, not only to the `ssot-registry` package repository. |
| 22 | + |
| 23 | + ## Decision |
| 24 | + |
| 25 | + Downstream SSOT repositories must treat each feature's effective target claim tier as the ceiling for assurance language used in SSOT-controlled outputs. A feature may be described with language from its effective tier or any weaker tier. It must not be described with stronger language unless a linked claim passes claim-closure checks at the stronger tier and the feature evaluation requires or accepts that stronger tier. |
| 26 | + |
| 27 | + The effective tier is resolved by the applicable evaluation policy. For direct feature evaluation, use `feature.plan.target_claim_tier`. For profile evaluation, use the feature target tier when present, otherwise the profile claim tier when the profile policy permits that fallback. If no effective tier can be resolved, downstream tooling must fail closed and must not emit assurance claims stronger than inventory-level language. |
| 28 | + |
| 29 | + Acceptable language by tier: |
| 30 | + |
| 31 | + | Tier | Assurance ceiling | Acceptable claims language | |
| 32 | + |---|---|---| |
| 33 | + | `T0` | Declared intent or inventory-level | declared, tracked, intended, planned, in scope, inventory-level support | |
| 34 | + | `T1` | Maintainer-asserted with local evidence | maintainer-asserted, locally evidenced, supported by local evidence, observed in maintainer-run checks | |
| 35 | + | `T2` | Reproducible project-controlled verification | reproducibly verified, project-verified, verified by project-controlled tests or CI, repeatably validated | |
| 36 | + | `T3` | Release-grade certified claim | release-certified, release-grade verified, certified for a named release or frozen boundary | |
| 37 | + | `T4` | Independently reviewed or externally attested claim | independently reviewed, externally attested, third-party validated, validated by a named external source or artifact | |
| 38 | + |
| 39 | + Disallowed escalations: |
| 40 | + |
| 41 | + - `T0` features must not be described as working, verified, tested, certified, or attested. |
| 42 | + - `T1` features must not be described as reproducibly verified, release-certified, or independently reviewed. |
| 43 | + - `T2` features must not be described as release-certified or independently reviewed. |
| 44 | + - `T3` features must not be described as independently reviewed or externally attested unless `T4` evidence exists. |
| 45 | + |
| 46 | + Canonical wording templates: |
| 47 | + |
| 48 | + - `T0`: Feature `<id>` is declared in scope for `<capability>`. |
| 49 | + - `T1`: Maintainers assert that feature `<id>` supports `<capability>`, backed by local evidence `<evidence-id>`. |
| 50 | + - `T2`: Feature `<id>` is reproducibly verified by project-controlled checks for `<capability>`. |
| 51 | + - `T3`: Feature `<id>` is release-certified for `<release-or-boundary>` with passing claim closure at tier `T3` or higher. |
| 52 | + - `T4`: Feature `<id>` is independently reviewed or externally attested for `<capability>` by `<source-or-artifact>`. |
| 53 | + |
| 54 | + Claim status remains orthogonal to claim tier. Status may describe lifecycle progress, but it does not authorize stronger assurance language. Evidence tier alignment, linked test status, and feature target tier evaluation remain the enforcement mechanisms for whether stronger language is valid. |
| 55 | + |
| 56 | + ## Consequences |
| 57 | + |
| 58 | + Downstream generated summaries, READMEs, release notes, certification reports, review comments, and human-authored SSOT-controlled documentation must choose assurance language from the feature's effective tier or a weaker tier. |
| 59 | + |
| 60 | + Downstream projects may adopt stricter vocabulary, additional review gates, or domain-specific phrasing, but they must not permit stronger assurance wording than the feature's passing proof chain supports. |
| 61 | + |
| 62 | + Reviewers and automation should treat over-strong assurance language as a policy defect even when the underlying feature is implemented. |
0 commit comments