Skip to content

canon: ARS bounded-storage policy set + policy-first principle + enforceable-policy template (DRAFT — DO NOT MERGE)#289

Draft
git-repo-auth[bot] wants to merge 2 commits into
mainfrom
canon/ars-bounded-storage-policy-set
Draft

canon: ARS bounded-storage policy set + policy-first principle + enforceable-policy template (DRAFT — DO NOT MERGE)#289
git-repo-auth[bot] wants to merge 2 commits into
mainfrom
canon/ars-bounded-storage-policy-set

Conversation

@git-repo-auth

@git-repo-auth git-repo-auth Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

DRAFT — captain's pen. DO NOT MERGE until you review the exact text (authorial voice).

Encodes the ARS storage redesign — agent-role-service docs/adr/ADR-0001-ars-per-entity-do-sqlite.md (all seven design questions RULED, 2026-07-16) — as enforceable tier-1 canon, per the ruling: "Nothing is built without clear policies that explain what, why, and any other template that makes a good enforceable policy."

What this PR adds (3 files, all status: draft)

  1. canon/principles/policy-first-self-building-self-documenting.md — the captain's framing principle: policies first ensures all code is self-building (the implementation is derivable from the policy — the policy is the buildable spec) and self-documenting (the code traces back — every enforcement/invariant cites its governing policy URI). Scope, confidence, and a retraction condition are stated.
  2. canon/meta/enforceable-policy-anatomy.md — the meta-template the captain asked for: WHAT · WHY · ENFORCEMENT · SCOPE · VERIFICATION. No canonical "what makes a good enforceable policy" rubric existed (only constraint-driven-audits, which it composes with), so it is proposed here. VERIFICATION requires code references its governing policy and policy is precise enough to build from.
  3. canon/constraints/ars-bounded-storage.md — the six-policy set, each conformant to the template, each naming a concrete enforcer (CI gate / runtime invariant / review gate):
    • P1 Bounded rows; no monolithic blob (the ars_state_v1 whole-object put is prohibited).
    • P2 Always-R2 offload for known-huge fields (run result, seed prompt, large log data) + a 64 KB backstop.
    • P3 Shared retention/rotation of log + finished runs at 30 days OR 50 MB OR 100 K rows, transparent paging; RUNS_CAP=32 dropped.
    • P4 R2 mirror alarm-only, off the request path, zero added latency (durable watermark in schema_meta).
    • P5 R2 as the durable source; full DR restore from R2 alone; daily full-reconcile snapshot.
    • P6 Deprecate board.md / board_import / parity_check / dual-run; board is native per-item rows; board_export read-only.

Reconciliation — extends, does not duplicate

This set is the concrete storage discharge of the general obligation in #288 (ratified-model-requires-reconciliation-and-enforcer, also draft). It cross-references, and does not restate, the ratified ARS policies (ars-data-model-philosophy, ars-nouns-and-verbs, ars-v1-operating-policy) and mirrors the tier-1 frontmatter/shape of release-validation-gate.

Adversarial validation

Ran oddkit_challenge (mode canon-tier-1) on the set: no canon tensions, block_until_addressed: false. The prerequisite gaps it raised were addressed in-text — the strong claim is scoped and made falsifiable, confidence is signaled (observed WHY vs proposed enforcers), and alternatives/costs/dependencies/reversibility are named (constraint §"Scope of the Claim…"; principle §"Scope, Confidence, and Retraction"). The lesson was folded back into the meta-template's conformance list.

Build-flight brief (for later)

Implement the policies and cite them in code — every gate/assertion/invariant references its klappy://canon/constraints/ars-bounded-storage#PN anchor, so the code documents itself and drift is impossible to ship silently.

Attribution: klappy <118073+klappy@users.noreply.github.com>.

…rceable-policy template (DRAFT — do not merge)

Encodes the ARS storage redesign (ADR-0001, all 7 rulings) as enforceable
tier-1 canon, per the captain's ruling that nothing is built without clear
policies (what/why/enforcer).

- canon/principles/policy-first-self-building-self-documenting.md — captain's
  framing principle: policies first ensures code is self-building (derivable
  from the policy) and self-documenting (code cites its governing policy URI).
- canon/meta/enforceable-policy-anatomy.md — the WHAT/WHY/ENFORCEMENT/SCOPE/
  VERIFICATION template; composes with constraint-driven-audits and #288.
- canon/constraints/ars-bounded-storage.md — six policies (P1 bounded rows/no
  monolith; P2 always-R2 + 64KB backstop; P3 shared retention/rotation; P4
  mirror off critical path; P5 R2 durable DR; P6 board.md deprecation), each
  with a named enforcer. Extends #288 (ratified-model-requires-reconciliation-
  and-enforcer) as its concrete storage discharge; does not duplicate it.

Adversarially validated via oddkit_challenge (canon-tier-1); claim scoped,
alternatives/costs/dependencies named. Authorial voice — captain reviews
exact text. DO NOT MERGE.
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown

Canon Quality — oddkit_audit

No dead klappy:// references or legacy link patterns found in writings/. 50 files scanned.

Spec: klappy://docs/oddkit/specs/oddkit-audit · Workflow: .github/workflows/canon-quality.yml · Run: #368

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown

Canon Quality — P0010 Retrieval-Readiness ⚠️

Soft report for klappy://canon/constraints/retrieval-disclosure-contract. 702 files scanned. Never blocks — informational until the corpus is ready to enforce.

  • Blocking-class findings: 15 (structural fields the contract would filter on)
  • Warnings: 0 (kind resolves to unknown)
  • Informational: 13 (exempt templates/archive/drafts)

Kind distribution: {'essays': 51, 'canon': 243, 'apocrypha': 38, 'docs': 304, 'journals': 60, 'unknown': 6}
Kind source: {'path': 567, 'frontmatter': 129, 'none': 6} (frontmatter-primary, path-secondary)
Default-include visibility: 598 visible, 104 hidden (journals/apocrypha/unknown)

By rule: {'audience-invalid': 2, 'exposure-missing': 5, 'tier-missing': 5, 'tier-invalid': 7, 'fm-missing': 3, 'kind-unresolvable': 6}

These are not schema violations (see the Frontmatter Schema job for those on writings/). They are corpus-readiness signals for the retrieval contract: invalid/missing audience, exposure, tier, and docs whose kind cannot be resolved. Fix in a corpus-cleanup PR before the contract flips to enforcing. See the retrieval-readiness-findings artifact for the full list.

Validator: scripts/audit-retrieval-readiness.py · Constraint: klappy://canon/constraints/retrieval-disclosure-contract · Run: #368

@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown

Canon Quality — Frontmatter Schema ✅

All 49 file(s) in writings/ conform to klappy://canon/meta/frontmatter-schema.

Validator: scripts/validate-frontmatter.py · Canon: klappy://canon/constraints/frontmatter-validation-before-merge · Run: #368

@github-actions

Copy link
Copy Markdown

Canon Quality — Homepage Surfacing ✅

49 essay(s) scanned. Soft report — never blocks; the hard field gate is the Frontmatter Schema job.

All published essays resolve to the homepage feed.

Report: scripts/surfacing-report.py · Canon: klappy://canon/constraints/frontmatter-validation-before-merge

… policy set

Voice-only pass across all three files (ars-bounded-storage, enforceable-
policy-anatomy meta-template, policy-first principle). These are universal/
public governance docs whose neutral voice should not carry the crew-model
'captain' metaphor. Role term -> 'operator'; historical ruling labels
'Captain-RULED' -> 'Operator-RULED'; transitional draft-posture notes rewritten
neutral/passive. No rulings, thresholds, enforcement, scope, or meaning changed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant