From db86919857e7fe31e5680d86b5fd528c5f19519a Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 23 Jun 2026 11:22:14 +0000 Subject: [PATCH] docs(rbac+lift): probe step-4 partial-green + nine-domain promotion decision MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (1) RBAC keystone §10: mark PROBE-OGAR-RBAC-AUTHORIZE step-4 PARTIAL GREEN. The classid-keyed authorize() reproduces the shipped membrane gate (lance_graph_rbac::Policy::evaluate) bit-for-bit — positive ∧ op-gate half + §11 classid re-keying promoted CONJECTURE->FINDING for the in-repo reference. Stage-2 row-scope + projecting Allow{scope,mask} stay CONJECTURE (scope-bearing references Odoo ir.rule / OpenFGA are the follow-on probes). Impl: lance-graph/crates/lance-graph-rbac/src/authorize.rs. (2) Nine-domain promotion DECISION: no bulk Cross-walk. The Lift-tested domains correctly stay un-minted — most are upstream-owned (arago/almato coordination-gated), Accounting/Audit are already homed (0x02XX / ADR-013), WorkOrder (ours) waits on woa-rs consumer-collapse. Lift-tested → Cross-walked is demand-driven + ownership-gated, never a completeness sweep. Per-domain gate table + general rule in EPIPHANIES E-NINE-DOMAIN-PROMOTION-DEFERRED; catalogue step-4 cross-references it. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01EYvNjD8M8LMNYbRy3gq2FP --- .claude/board/EPIPHANIES.md | 58 ++++++++++++++++++++++++++++++ docs/CLASSID-RBAC-KEYSTONE-SPEC.md | 24 +++++++++++++ docs/OGIT-DOMAIN-LIFT-CATALOGUE.md | 12 +++++++ 3 files changed, 94 insertions(+) diff --git a/.claude/board/EPIPHANIES.md b/.claude/board/EPIPHANIES.md index 1dc921d..3313ed5 100644 --- a/.claude/board/EPIPHANIES.md +++ b/.claude/board/EPIPHANIES.md 
@@ -4,6 +4,64 @@ > `**Status:**` line (FINDING / CONJECTURE / FRAMING / SUPERSEDED). Only > the Status line is mutable — body and date are immutable. Corrections > append as new dated entries citing the original. + +--- + +## 2026-06-23 — E-NINE-DOMAIN-PROMOTION-DEFERRED — the nine Lift-tested NTO domains correctly stay un-Cross-walked; bulk-minting class_ids is the WRONG move, per the catalogue's own rules + +**Status:** FINDING (promotion decision, 2026-06-23). Question raised: promote the +nine Lift-tested NTO domains (Transport, Accounting, SalesDistribution, Credit, Cost, +ServiceManagement, WorkOrder, Compliance, Audit) from **Lift-tested** to +**Cross-walked** (mint `class_ids` in `ogar-vocab`)? **Decision: NO bulk promotion.** +The deliberate "Lift-tested, not Cross-walked" state is correct, not pending. Grounds, +per `OGIT-DOMAIN-LIFT-CATALOGUE.md`'s own ladder + authorship rules: + +1. **Upstream-owned (needs arago/almato coordination, not a unilateral mint):** + Transport + Compliance (`chris.boos@almato.com`), Cost + ServiceManagement + (`Peter Larem`), Credit (`Ola Irgens Kylling`), SalesDistribution + Audit + (`Marek Meyer`). The catalogue states structural changes to upstream domains + "need arago/almato coordination." A codebook id is **stable forever** (P0 canon); + minting permanent ids for upstream-owned concepts without coordination is exactly + the structural change the rule fences. +2. **Already covered by an existing domain (promotion would duplicate):** + Accounting → `0x02XX` commerce/ERP via the Odoo lift; Audit → ADR-013 + (Audit-as-Lance-version) owns the semantics. A second slot for an already-homed + concept dilutes the codebook. +3. **Ours but speculative (premature mint):** WorkOrder is our extension + (`dcterms:creator` = `bus-compiler` + `family-codec-smith`, authored for woa-rs). + We MAY mint it — but minting before woa-rs's consumer-collapse needs the classid is + speculative permanent allocation. 
Gate: mint WorkOrder when woa-rs reaches the + `authorize(actor, WoaPort::class_id(...))` step (keystone §11 step 5), not before. +4. **Cross-repo skew hazard (the just-fixed break):** every consumer pulls + `ogar-vocab branch=main` AND the lance-graph mirror; a mint must reach OGAR `main` + **before** the `lance-graph-contract::ogar_codebook` mirror bumps, or the + compile-time `COUNT_FUSE` breaks every consumer (cf. lance-graph ISSUES + `ISS-OGAR-AUTH-MIRROR-DRIFT`, E-CODEBOOK-MINT-IS-A-CROSS-REPO-ARC). Nine + simultaneous mints multiply that coordination cost for no current consumer need. + +**Per-domain promotion gate (the auto-resolve, not a punt):** + +| Domain | Owner | Promote when | Default home today | +|---|---|---|---| +| Transport | upstream (almato) | arago coordination + a consumer needs it | — | +| Compliance | upstream (almato) | arago coordination + a consumer needs it | — | +| Cost | upstream (Larem) | arago coordination + a consumer needs it | — | +| ServiceManagement | upstream (Larem) | arago coordination + a consumer needs it | — | +| Credit | upstream (Kylling) | arago coordination + a consumer needs it | — | +| SalesDistribution | upstream (Meyer) | arago coordination + a consumer needs it | — | +| Accounting | mixed (11 ours) | only if it diverges from `0x02XX` | `0x02XX` commerce | +| Audit | upstream (Meyer) | only if it needs a classid beyond versioning | ADR-013 Lance-version | +| WorkOrder | **ours** (woa-rs) | woa-rs reaches keystone §11 step 5 | Lift-tested form | + +**The general rule promoted from this:** Lift-tested → Cross-walked is **demand-driven +and ownership-gated**, never a completeness sweep. A domain earns a codebook id when (a) +a consumer needs to `authorize()`/route on it AND (b) we own it or have coordination — +not because it round-trips. Round-trip (Lift-tested) proves the *shape lands*; it does +NOT imply the *id should mint*. 
Cross-ref: `OGIT-DOMAIN-LIFT-CATALOGUE.md` ladder, +P0 canon "codebook ids stable forever," E-CODEBOOK-MINT-IS-A-CROSS-REPO-ARC. + +--- + > > Convention adopted from `AdaWorldAPI/surrealdb`'s `.claude/board/EPIPHANIES.md`. > diff --git a/docs/CLASSID-RBAC-KEYSTONE-SPEC.md b/docs/CLASSID-RBAC-KEYSTONE-SPEC.md index 4322aad..b701b39 100644 --- a/docs/CLASSID-RBAC-KEYSTONE-SPEC.md +++ b/docs/CLASSID-RBAC-KEYSTONE-SPEC.md 
@@ -180,6 +180,30 @@ reference system's decision **bit-for-bit** on a fixed corpus (Odoo OpenFGA model) before consumer-collapse (step 5) lands. Until green, the keystone is **CONJECTURE**. +> **STEP-4 STATUS (2026-06-23) — PARTIAL GREEN (positive ∧ op-gate half).** +> The classid-keyed kernel is built and the gate is green against the +> **in-repo reference** — the shipped membrane gate +> `lance_graph_rbac::policy::Policy::evaluate` (the "reconcile the shipped +> MembraneGate path with the keystone" framing of +> `ISS-RBAC-AUTHORIZE-BY-CLASSID`). Impl + probe: +> `lance-graph/crates/lance-graph-rbac/src/authorize.rs` — +> `ClassRbac` (§4) · `authorize()` (§5 positive ∧ op-gate, deny-reasons +> mirrored exactly) · `ClassGrants` (`PermissionSpec` re-keyed by `ClassId`, +> §11). `probe_ogar_rbac_authorize` reproduces `Policy::evaluate` +> **bit-for-bit** over a 15-tuple corpus (all roles/ops/deny-reasons + +> depth boundary + unknown actor); `probe_is_falsifiable_under_wrong_keying` +> proves the gate is not vacuous (a wrong classid flips an Allow). +> +> **What this certifies:** the §5 *positive ∧ op-gate* half + the §11 classid +> re-keying — promoted CONJECTURE→FINDING **for the shipped reference**. +> **What remains CONJECTURE:** the §5 stage-2 *row-scope* predicate and the +> projecting `Allow { scope, mask }` return — the shipped reference is +> positive-only, so the scope-bearing references (Odoo `ir.model.access ∧ +> ir.rule`, OpenFGA) are the follow-on probes that exercise stage 2. The +> keystone stays CONJECTURE **as a whole** until a scope-bearing reference is +> green; the positive half is now FINDING. Cross-ref: lance-graph +> `EPIPHANIES.md` E-RBAC-AUTHORIZE-PROBE-GREEN (2026-06-23). + ## 11. Build / PR order + cross-refs Order: **(1)** `lance-graph-contract` `ClassRbac` trait → **(2)** OGAR diff --git a/docs/OGIT-DOMAIN-LIFT-CATALOGUE.md b/docs/OGIT-DOMAIN-LIFT-CATALOGUE.md index c8c2235..2bd0f55 100644 --- a/docs/OGIT-DOMAIN-LIFT-CATALOGUE.md 
+++ b/docs/OGIT-DOMAIN-LIFT-CATALOGUE.md @@ -74,6 +74,18 @@ arago/almato coordination." 4. **Promote** — update this row's status. Mention it in the next PR description so reviewers know the lift surface grew. +> **Lift-tested → Cross-walked is demand-driven and ownership-gated, NOT a +> completeness sweep** (decision 2026-06-23, `.claude/board/EPIPHANIES.md` +> E-NINE-DOMAIN-PROMOTION-DEFERRED). Round-trip (Lift-tested) proves the +> *shape lands*; it does NOT imply the *id should mint*. A domain earns a +> `class_ids` codebook id (stable forever, P0 canon) only when **(a)** a +> consumer needs to `authorize()`/route on it AND **(b)** we own it or have +> arago/almato coordination for an upstream-owned domain. The nine +> Lift-tested domains are correctly parked un-Cross-walked: most are +> upstream-owned (coordination-gated), Accounting/Audit are already homed +> (`0x02XX` / ADR-013), and WorkOrder (ours) waits on woa-rs's +> consumer-collapse. See the per-domain gate table in that epiphany. + ## Per-domain inventory | Domain | Entities | Attributes | Verbs | Status | Notes |
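
Review bot: in the `.claude/board/EPIPHANIES.md` hunk (`@@ -4,6 +4,64 @@`), the new entry lands in the middle of the file's header blockquote. The context above it ends with `> append as new dated entries citing the original.` and the context below resumes with `>` and `> Convention adopted from ...`, so the `---` / `## 2026-06-23` block splits the convention note in two. Move the entry below the end of that blockquote. Separately, the header states that only the Status line is mutable, yet the `**Status:**` paragraph here also carries the question and the decision. Keep Status to `FINDING (promotion decision, 2026-06-23)` and start the immutable body in its own paragraph, so a later status edit cannot touch the decision text.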
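
Review bot: in the `docs/CLASSID-RBAC-KEYSTONE-SPEC.md` hunk (`@@ -180,6 +180,30 @@`), the non-vacuity claim "a wrong classid flips an Allow" is stated only for an Allow changing under a wrong key. For an authorization gate the direction a reader needs confirmed is that a mis-keyed classid never turns a Deny into an Allow. Say which direction `probe_is_falsifiable_under_wrong_keying` asserts and whether the reverse case is in the 15-tuple corpus. The evidence also sits in another repository (`lance-graph/crates/lance-graph-rbac/src/authorize.rs`) with no revision cited, so name the commit at which the probe was green. Finally, the reference is written `lance_graph_rbac::policy::Policy::evaluate` here but `lance_graph_rbac::Policy::evaluate` in the commit message; use one path in both.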
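
Review bot: in the `docs/OGIT-DOMAIN-LIFT-CATALOGUE.md` hunk (`@@ -74,6 +74,18 @@`), the promotion gate is added as a blockquote after the ladder while step 4 in the context still reads `4. **Promote** — update this row's status.` with no condition, so the numbered procedure and the note below it disagree on whether promotion is automatic. Put conditions (a) and (b) into the step itself, or add a step before it, and keep the blockquote as the rationale. The blockquote also restates the rule and the per-domain grounds from E-NINE-DOMAIN-PROMOTION-DEFERRED almost word for word. That entry's body is immutable and this file is not, so the two copies can drift; keep one sentence plus the cross-reference here. Minor: "a `class_ids` codebook id" reads oddly, since `class_ids` is plural.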