Commit 3e6ae98
docs(architecture): manifesto Layer 3 trust boundaries (draft) (#147)
* chore(gitignore): extend research-buffer exclusions for Layer 3 tooling
Adds ADVISOR-, NYQUIST-AUDIT-, PATTERN-MAP-, and layer*.md patterns.
Layer 3 introduced three new review-tooling shapes (gsd-advisor-researcher,
gsd-nyquist-auditor, gsd-pattern-mapper) on top of the §02 set
(REVIEW, CROSS-REVIEW, PLAN-CHECK, SUMMARY, CONTRADICTION-CHECK).
The buffer files cite gitignored paths and carry phrases we keep out of
committed prose. Canonical work lives in docs/architecture/; these stay local.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): manifesto Layer 3 trust boundaries (draft)
Lands docs/architecture/02-trust-boundaries.md (226 lines) and the canonical
trust-zone diagram at docs/architecture/diagrams/02-trust-boundaries.mmd.
Five drawn zones: Control plane / Credential broker / Compute plane /
Egress trust-edge / Audit pipeline. Eleven external actors. Eight content-keyed
data classes mapped to NYDFS, GLBA, SEC, GDPR, EU AI Act, PCI DSS. T0-T5
tenant-isolation menu. Three egress modes (transparent / MITM / DLP-ICAP).
Workload-identity floor minimal vs full-capability. Signer-identity-per-boundary
table (§8.1) covering egress JWT, internal RPC, broker scoped-JWT, MITM cert,
Merkle head, image admission. Encryption matrix and regulator citation map
verbatim per §02 NFR anchors.
Closes follow-up #71 (transport variants documented in §7).
Goes through six review passes: gsd-code-reviewer, gsd-advisor-researcher
cross-review, gsd-plan-checker, gsd-advisor-researcher on three structural
decisions, gsd-nyquist-auditor gap audit, gsd-pattern-mapper. Re-review verdict
READY-TO-COMMIT: all 5 blockers RESOLVED, all 5 cross-review CRs RESOLVED,
advisor PKI table verified, all 11 Nyquist gaps closed.
Open Questions tracked in §13 with five entries (placeholder GH-issue slugs
land as real URLs in a follow-up PR before draft → proposed).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(docs-lint): allow top-level numbered cross-cutting artifacts
Adds `[0-9][0-9]-*.md` pattern to ALLOWED for files at docs/architecture/
root. Layer 3 (02-trust-boundaries.md) is the first such file; future
Layer 4 (C4 Context) and Layer 5 (deployment topologies) follow the same
shape. Per PROCESS.md, cross-cutting artifacts cited by every component
spec live at the top level rather than under manifesto/ or components/.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): shrink Layer 3 inline mermaid to honour ≤15-line cap
CodeRabbit flagged the §5 inline mermaid as 17 lines (fences + init directive
+ 15 content), exceeding the CLAUDE.md ≤15-line cap. Drops the init directive
(elk renderer still applied via the canonical .mmd source) and shortens four
arrow labels. Block now 16 lines total (2 fences + 14 mermaid). Canonical
diagram at docs/architecture/diagrams/02-trust-boundaries.mmd unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): drop "bank" wrapper words from Layer 3 prose
Removes four "bank"/"bank-reviewer" occurrences from §1 + §11 prose where
they were marketing wrappers, not load-bearing referents. The audience
stays the same (regulator-reviewer + self-hosting developer per §01);
the prose just doesn't keep saying "bank" in front of it.
Keeps one mention as "(CFR-cited financial-institution rules)" in §6 retention
column — that one is the actual CFR referent, not a wrapper word.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): cut AI-slop from Layer 3 prose
User flagged residual slop. Sweep removed:
- self-referential meta-noise about line caps and CI conventions in §1
- triple "It does NOT restate / NOT describe / NOT carry" formulation in §1
- "no phone-home, no license-check, no telemetry" no-no-no pattern in §1
- "Each is a place where our code runs and where a reviewer can point and ask"
preamble in §2
- "the contract is ready when X lands" hedge in §2
- repeated "External actors appear on the diagram but are not zones we own"
preamble in §3 (already in §1)
- repeated "Layer 3 names the isolation tiers we ship" preamble in §4
- "(including elk-renderer init directive, 11 actors, and the optional-marking
dashed strokes)" list-of-three slop in §5
- duplicate "Optional configurations" paragraph in §5
- "binding artifact for the contract" pompous in §6
- "the minimal-config shape is honest about not being a compliance posture"
hedge in §6
- "Both NFRs hold in spirit on both shelves; the substrate differs" hedge
in §8 (replaced with what actually happens)
- "the signer's key custody and rotation are properties of that boundary,
not a separate zone" design-defence in §8.1
- "The full matrix lives in the canonical encryption table here; component
specs cite this matrix and never restate it" cite-rules in §9
- duplicate substrate-specific TLS paragraph in §9 (already in §2)
- "robust(ness) appears verbatim... preserved against banned-vocab list"
meta-noise in §11
- "useful as background while the buffer is migrated" framing in §12
Layer 3 down to 211 lines from 225. Inline mermaid 16 lines including
fences. Zero "bank" / "hardened" wrapper words.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): drop LLM/S3 from External actors; clarify Control plane is not a model proxy
User flagged that LLM upstream as a named External actor with a ModelProvider
abstraction contract overstates what we own. Outbound traffic from the
sandbox or Control plane to an LLM endpoint, a customer MCP server, or
a customer object store is just traffic through the Egress trust-edge —
the egress policy decides where it can go, the credential broker decides
which scoped token reaches it. None of these are zones with a contract
we hold at the boundary.
Removed from §3: LLM upstream row, Customer object store row. Both fold
into "endpoints behind the egress policy" framing added at the top of §3.
Reworded §2 Control plane row: dropped "LLM-upstream proxy (we proxy, we
do not host)" phrasing that read like we host a model proxy. Replaced with
"outbound to LLM and any other upstream goes through Egress trust-edge like
any other request; the Control plane is not a model proxy".
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): cut second-pass slop from Layer 3 + add TTL to diagram labels
Removed 6 more slop patterns user flagged:
- preamble "Names the trust zones, the data classifications, ..." list-of-five
- §1 first paragraph "Layer 3 is the zoning map: what zones exist, ..." duplicate
- triple "X stay in Y; X' stay in Y'; X'' stay in Y''" parallelism in §1
- list-of-six "LLM hosting, chat UI, the caller of ..." in §1 scope sentence
- "Five zones appear as subgraphs on the canonical diagram" preamble in §2
- "These are the only systems with which we hold a published contract"
pompous framing in §3
- "(elk renderer, 11 external actors, optional-marking dashed strokes...)"
internal-kitchen list in §5
- "the inverse mapping (our class → customer class) is what the contract binds"
pompous in §6
Diagram label fix from v3 reviewer: appended TTLs to two boundary edges so
the §5 inline mermaid is self-sufficient without cross-checking §8.1:
- "Ed25519 JWT" → "Ed25519 JWT (session ≤4h + RPC ≤60min)"
- "scoped JWT" → "scoped JWT (≤15min)"
Reconciled §1 / §3 contradiction (v3 reviewer Focus 2): §1 scope sentence
now says "Everything else is either an external actor (§3) or an outbound
endpoint behind the egress policy"; LLM endpoints stay outside §3 per
explicit user direction.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(docs-lint): extend ai-slop-detector with 6 new pattern classes
User flagged that the slop seen in Layer 3 should be caught by the linter
on every future PR, not relied on for manual sweeps. Adds six new checks:
- 6. Self-referential CI / doc-rules meta-noise: "kept within the X budget",
"≤N-line form", "CLAUDE.md rules/conventions/budget", "backticks preserve …
against banned-vocab". Reader does not need rules-about-itself; rules live
in CLAUDE.md.
- 7. Hedge / pompous phrasing: "holds in spirit", "honest about (not) being",
"the binding artifact for the contract", "is what the contract binds".
- 8. Boastful "is the only X and …" superlative without measurable referent.
- 9. Triple-parallel "X verbs in Y; X' verbs in Y'; X'' verbs in Y''"
construction (the verb appearing three times in one semicoloned line).
- 10. Triple-negation "It does not X. It does not Y. It does not Z."
- 11. List-of-three "(no X, no Y, no Z)" parenthetical construction.
All patterns observed in Layer 3 drafts before manual cleanup; none should
have reached the doc in the first place. Linter would have caught them.
Tested: passes on Layer 3 (zero hits); existing pre-existing failure on
adr/0001-layer-0-gate-legacy-exclusion.md "Amendments" stub heading is
not new.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): drop prompt-redaction + Merkle-signing claims from Layer 3 scope
User flagged two scope grabs we should not be making:
1. Prompt-redaction is not our zone. AI-guardrail policy (PII masking,
prompt-injection detection, content filtering) is the customer's AI
gateway responsibility — LiteLLM, Lakera, Lasso, in-perimeter model
with its own guardrails, customer's own redactor service. We route
the traffic and audit the egress event; what the gateway does with
the prompt is its contract, not ours. §6 paragraph rewritten; §2
Egress trust-edge row updated; NFR-COMP-26 flagged for revisit in §02.
2. Merkle-head signing is not ours either. We submit audit batches to a
transparency log of the customer's choice (public Sigstore Rekor,
customer-private Rekor, customer-operated CT log). The log operator
signs the Merkle head; we sign only the submission envelope (envelope
auth, not log integrity). §8.1 signer row reframed; §10 paragraph
updated; NFR-SEC-03 flagged for revisit in §02 to match this split.
Both NFRs in §02 need a follow-up rev to match (separate PR).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): name scope ownership per NFR — DELIVER vs ENABLE vs REVISIT
User flagged that several §02 rows tighten the platform's responsibility
in ways Layer 3 has already corrected (prompt-redaction, Merkle-head
signing). Adds a Scope-ownership section to §02 that classifies every
row as one of three:
- DELIVER: we ship the code, we are accountable for the measurable target.
Sandbox escape, egress proxy, credential broker, audit pipeline,
RTO/RPO of our planes, encryption defaults.
- ENABLE: we publish the contract / telemetry / integration point; the
customer is the principal and owns the policy/content. DORA major-
incident timeline, NYDFS § 500.17, IdP posture (relying-party).
- REVISIT: claims more than our scope or names a customer-side
responsibility (AI gateway / data-controller / regulator-facing
process). Eight current rows listed by ID with the corrected position:
NFR-FS-03 (LLM cache), NFR-REL-04 (LLM failover),
NFR-SEC-21 (model-level threats), NFR-COMP-09 (PMS Art. 72 is deployer),
NFR-COMP-10 (DPIA is data controller), NFR-COMP-14 (model accuracy),
NFR-COMP-18 (42001 binds the deployer), NFR-COMP-25 (ZDR is customer
contract), NFR-COMP-26 (prompt redaction is AI gateway),
NFR-SEC-03 Merkle-head wording (tx-log signs the head, not us).
REVISIT rows keep their IDs and current wording in §02 until the next
revision; Layer 3 already takes the corrected position. Layer 3 §1 now
links the Scope-ownership section so the row-by-row decision is reachable
in one hop.
§02 grew 33 lines (246 → 279); Layer 3 grew 2 lines (209 → 211). Both
under cap.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): citation map indicative-not-verbatim; drop legacy buffer refs; NFR-IDs as links
User flagged that the §11 "Reviewers copy this into their workpapers; section
/ control IDs are verbatim, not paraphrased" claim is the dangerous bit, not
prose slop. A doc that invites verbatim regulator-citation reuse without a
verification trail and then carries misattributed citations becomes an audit
liability the moment a reviewer copies a cell.
§11 reframed: "Mapping is indicative, not verbatim. Verify every cell against
the source text before reproducing in an audit workpaper. Layer 3 does not
represent these citations as audit evidence by itself." Inline a list of
confirmed defects tracked at `arch/regulator-citations-verify-pass`:
- DORA Art. 12 is backup / restoration / recovery, not retention. 10-year
retention floor lives in SEC 17a-4 / FCA SYSC 9 / EU AI Act Art. 19(1).
- DORA Art. 9 is "Protection and prevention". ICT-risk framework is Art. 6;
detection / logging is Art. 10.
- NYDFS § 500.7 is access privileges (PAM, least privilege, JIT). Segmentation
is not a § 500.7 requirement.
- DORA Art. 28(2)(c) "location of processing" likely lives in Art. 30 key
contractual provisions; source-check pending.
- CRI Profile v2 column was lifting CSF 1.1 subcategory codes (PR.PT-N,
DE.DP-N) which were restructured in CSF 2.0; CRI Profile uses its own
diagnostic-statement numbers. Whole CRI column removed pending source pass.
§12 "See also" section listing legacy buffer files dropped — legacy doc
references in a canonical artifact are an antipattern.
NFR-IDs converted to markdown links pointing at manifesto/02-nfrs.md. Reader
clicks to land on §02; Ctrl+F finds the row. 64 NFR-ID occurrences linked.
A per-ID anchor pass is a separate task (would need anchor headings or HTML
anchors in §02 tables).
Doc preamble after front-matter dropped (user flagged it as boilerplate the
reader does not need).
§11 verbatim/copy-into-workpapers self-praise removed. §11 inline `robust(ness)`
linter-comment removed.
Line count 207 / 600.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(docs-lint): catch verbatim-citation claims + 'is the only' superlatives
User flagged citation-map "verbatim / copy into workpapers" claim as the
dangerous slop pattern that pure-prose tools miss. Adds two more checks:
- 12. "Reviewers copy this … workpapers" / "verbatim, not paraphrased"
pompous audit-evidence framing. A draft doc cannot represent itself as
a verbatim regulator-citation source.
- 13. "is the only X" / "is unique among/in X" superlatives without a
measurable referent (CLAUDE.md "no adjectives without measurable
referent").
Both observed in Layer 3 v1 before cleanup; both should not have reached
the doc.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): collapse double blank line in Layer 3 (markdownlint MD012)
Trailing empty line left after removing the `robust(ness)` linter-comment
created two consecutive blanks before §12 heading. Markdownlint MD012
caught it.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): consolidated tree sweep — slop / consistency / scope fixes
Cross-reviewer triangulation (code-reviewer FLAG, plan-checker ON-TRACK,
pattern-mapper 3 top-risk) converged on this fix batch.
§02 NFRs:
- drop default-tier vs bank-tier framing in NFR-SEC-03 / COMP-07 / COMP-15
(was contradicting §01 "one product, not a tiered SKU"); rewrite as
configuration-conditional on HSM-rooted custody per NFR-FLEX-04
- flip NFR-FLEX-15 egress default to transparent pass-through (was MITM;
contradicted the one-click solo-install invariant); DLP-ICAP demoted
to a configuration of the MITM mode, not a third mode
- replace the §02 embedded trust-zone diagram with a link to the Layer 3
canonical (single source of truth)
- rename data-plane → Compute plane, egress-proxy / egress gateway →
Egress trust-edge across all NFR rows
- drop tech-brand parentheticals from NFR-PERF-03 / NFR-SEC-02 / NFR-SEC-25 /
NFR-SEC-28 / NFR-FLEX-03 / NFR-COMP-29 (brand picks belong in component
specs, not portability-NFR rows; vendor lists kept only in NFR-FLEX-01/04/13
where the matrix IS the testable property)
- strip self-referential CI / doc-rules meta-noise from the intro
Layer 3 trust-boundaries:
- fix four forward references (§12.4/5, components/<egress-proxy>.md,
"Layer 7", MANIFESTO non-goals)
- drop T4 / T5 isolation tiers (no named workload) into open question 1
- collapse egress posture from three modes to two; DLP-ICAP is an MITM
configuration
- reconcile §3 actor table with diagram: LLM / object-store drawn for
orientation only; SIEM / KMS marked optional
- shrink §9 encryption matrix to a single-sentence invariant citing
NFR-SEC-37; per-boundary table moves to component specs
- shrink §8.1 signer-identity table to a single paragraph; per-boundary
table moves with the PKI decision
- strip remaining tech names from prose (SIEM brand list, PKI tool
shortlist, vendor lists)
Diagram:
- remove vendor lists from external-actor labels (LLM upstream / SIEM /
outbound proxy / DLP-ICAP / KMS / transparency log)
- LLM upstream + customer object store reclassified as `endpoint` nodes
(dashed grey) to match prose "drawn for orientation, not actors"
Glossary:
- backfill 10 entries for terms used in ≥ 2 architecture docs (Control
plane / Compute plane / Egress trust-edge / Credential broker / Audit
pipeline / Capability shelf / Isolation tier T0-T3 / Egress posture /
Egress JWT / OCSF / Transparency log / Compute-time metering)
Primitives backlog:
- prune 8 drained primitives that landed in §02 NFR rows (kill switch /
replay bundle / tamper-evident audit / WORM retention / BYOK / SPIFFE /
MITM egress / MCP allow-list)
- remove Anthropic-srt entry — internal-research reference must not load-
bear in the canonical tree
- drop "first FSL adopter" superlative
- record drained-list at the file end as audit trail
ADR-0001:
- fix Amendments stub heading (ai-slop-detector hit on every prior run)
Linter:
- ai-slop-detector check 14 — block internal research-artifact phrasing
(anthropic srt / sandbox-runtime / sandboxd paths / reverse-engineering
wording) from leaking into the architecture set
Out of scope (deferred): ADR stubs for PKI / FIPS / k8s-distros / licence-
allowlist are per-plan on-demand artifacts, not bulk-generated stubs; the
open-question slugs in Layer 3 §12 + §02 stay as bare slugs until the
TBD-to-issue batch lands. Layer 3.5 §03 non-negotiables slot decision
also deferred.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): v2 review follow-ups — collateral cleanup
Eleven small fixes surfaced by gsd-code-reviewer v2 + gsd-plan-checker v2
+ gsd-pattern-mapper v2 after the consolidated batch landed. Each fix
≤ 5 lines; CI green locally before push.
§02 NFRs:
- drop NFR-SEC-03 from REVISIT bullet list — already reframed earlier
in same batch (NEW-01)
- §02 "Five zones meet around the Compute plane: ... Compute plane, ..."
duplicate listing → "Five zones interact" (NEW-03)
- drop LiteLLM / Lakera vendor names from REVISIT bullets NFR-REL-04 +
NFR-COMP-26 — same vendor names were stripped from Layer 3 last batch
but resurfaced here (NEW-04)
- capitalise "egress trust-edge" → "Egress trust-edge" in NFR-FS-03
REVISIT bullet (plan-v2-1)
- NFR-FLEX-10: bare "compute" → "Compute plane" (plan-v2-2)
- NFR-PERF-07/08/09 brand-baked IDs (runc / gVisor / kata-fc) rewritten
as substrate-named: container-substrate / user-space-kernel substrate /
microVM substrate (pattern-v2-R3) — symmetric to NFR-SEC-02 brand-
agnostic rewrite from prior batch
Layer 3 trust-boundaries:
- §2 over-claim "every inter-zone arrow is encrypted" → align with
NFR-SEC-37 wording (carve-outs named) (NEW-06)
- §10 "to be revisited in §02 to match this split" — stale, §02 now
matches (NEW-02)
Glossary:
- Transparency log entry: drop "Sigstore Rekor" vendor brand → vendor-
neutral wording (NEW-05); the term itself was held vendor-neutral in
Layer 3 prose, glossary entry shouldn't reintroduce the brand
- Compute plane entry: drop "formerly named data-plane" hedge — §02
rename is complete, hedge no longer needed (pattern-v2-R1)
Diagram:
- CPROXY (customer outbound proxy) and SOAR reclassified ext → extOpt
(dashed border) to match the prose "(optional)" label in Layer 3 §3
actor table (pattern-v2 diagram dashes)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): Layer 3 v3 — close 5 contradictions before proposed
User-flagged before draft → proposed transition. Each item was a real
contradiction or ambiguity inside the canonical doc, not a stylistic one.
1. Retention floor — §6 REGULATED-AUDIT row cited "DORA Art. 12(2) 10 yr
for critical functions" as the retention basis. §11 had already
documented that DORA Art. 12 is backup/restoration, NOT retention; the
10-year floor lives in SEC 17a-4 / FCA SYSC 9 / EU AI Act Art. 19(1).
§10 prose said "7-year minimum (NFR-COMP-01)" without naming the
"10y configurable" half. Three numbers, one defective citation. Now:
§6 cell + §10 prose both say "7 y default / 10 y configurable per
NFR-COMP-01; 10 y floor from SEC 17a-4 / FCA SYSC 9 / EU AI Act
Art. 19(1)". Single machine-enforced retention statement.
2. Revoke ≤5 min vs in-flight TTL ≤4 h — §7 said "IdP unreachable →
in-flight sessions continue until TTL expiry"; §8 declared revoke
latency target ≤5 min. Read together those promise that revoke holds
during an IdP outage even though the only named mechanism is
re-authentication. Made the revoke mechanism explicit: kill-switch
maintains a Control-plane session denylist checked on every Compute
RPC + every Egress request via the broker token; revoke is
independent of IdP reachability, NFR-SEC-04 ≤5 min and NFR-SEC-01
≤30 s kill-switch share the denylist. IdP participates in token
issue, not in revoke.
3. T1 namespace + shared kernel for agent-execution — §4 placed T1
(namespace + netpolicy, shared kernel) under "non-NPI workloads",
which is a data-classification argument, not a sandbox-escape argument.
For LLM-issued tool calls / code, the attack surface is the container
boundary regardless of data class. Added a "Multi-tenant
agent-execution invariant" paragraph under §4: multi-tenant agent
execution requires microVM substrate (the full-capability shelf);
T1 namespace remains valid only for single-tenant agent execution or
for multi-tenant workloads that do not execute LLM-issued code.
4. Token-name taxonomy — §5 diagram and §02 token TTL taxonomy used
different spellings for the same three classes ("session JWT" vs
"Egress JWT"; "RPC token" vs "Generic internal token"). Now: the
canonical class names live in §8 + §02, the §5 diagram + canonical
.mmd both use the same canonical names, and §8 carries a one-line
diagram-label retirement note for the old wording.
5. Mermaid convention encoding — the §5 inline block declared "solid =
always, dashed = optional" but did not encode it (all default solid),
while the canonical .mmd does encode it. Now: caption says the
convention applies in the canonical file, the inline block is a
simplified overview that does not encode dashed-vs-solid, and the
reader is pointed at the canonical file or §3 actor table for the
optional reading.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* chore(gitignore): extend research-buffer ignore pattern to CONSOLIDATED-*
Sibling review artefacts (REVIEW-*, PLAN-CHECK-*, PATTERN-MAP-*) are
already ignored under docs/future-architecture/research/. The
CONSOLIDATED-* family (multi-reviewer synthesis docs the architect-loop
produces between review passes) belongs to the same working buffer and
gets the same treatment.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): mark REVISIT NFR rows informational / non-gating
CodeRabbit Major: REVISIT bullets de-scope NFR-FS-03 / REL-04 / SEC-21 /
COMP-09/10/14/18/25/26, but the rows themselves sit in the catalogue
tables with active-looking Target columns. A CI gate or verifier that
walks §02 row-by-row would enforce a Target the bullets explicitly
de-scoped — contradiction between the gating mechanism and the prose.
Fix:
- §"Scope ownership" intro now states explicitly that REVISIT rows are
informational / non-gating until re-cut; CI gates, release acceptance,
compliance attestations, and verifier passes MUST NOT enforce a
REVISIT row's Target.
- Each of the 9 affected rows carries an inline **[REVISIT — non-gating]**
prefix in its Scenario cell, so a gate-author walking the table cannot
miss the deferral.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): Layer 3 — close peer-review findings M1 / M2 / M3 / m6
Peer review on PR #147 surfaced four substantive items. Each was a real
defect verifiable against the doc itself; all closed in this commit.
M1 (inline mermaid §5 — content defect):
- Edge "CP → VM" was labelled "Egress JWT (≤4h) + Generic internal
(≤60min)". Per §8 token taxonomy + canonical .mmd, Generic internal
token rides Control plane ↔ broker ↔ audit (host-side), NOT
CP → Compute plane. Label now reads "Egress JWT (≤4h)" — matches §8
+ canonical .mmd line 51.
M3 (§1 prose stale):
- Said "the §02 catalogue still carries the old wording … until its next
revision". §02 was updated in this same PR (NFR rows marked
[REVISIT — non-gating] + enforcement-status block). Rewritten to
reflect actual state: "§02 marks each REVISIT row inline as
[REVISIT — non-gating] so CI and verifier passes do not enforce it;
the substantive re-cut lands in a follow-up PR." Also: §"Scope-ownership"
→ §"Scope ownership" (heading spelling match).
m6 (§2 zone 1 prose semantic):
- Said "Outbound to LLM and any other upstream goes through the Egress
trust-edge like any other request" while drawn from Control plane.
Control plane never originates upstream traffic — only Compute plane
does. Rewritten: "Holds no outbound path to upstream; all upstream
traffic originates in the Compute plane and traverses the Egress
trust-edge."
M2 (link-cap structural):
- §2 zone table carried 30+ NFR cross-doc links inline (5+ per zone).
CLAUDE.md doc-discipline: "one outbound link cap: ≤ 3 cross-doc links
per H2 section". Restructured: each zone row keeps a single primary
NFR-anchor link; the rest move to a consolidated "Secondary NFR
anchors per zone" footer immediately below the table. Same pattern
for §8: tables carry bare NFR-ID text in §02-anchor column, single
consolidated link-footer below. Reader still has every cross-reference;
≤3-per-H2 rule no longer broken across the doc.
NOT changed:
- m1 (inline mermaid 16 lines fence-inclusive) — wc-budget.sh counts
content-only; CI passes; trace agreed with peer.
- m7 (§11 retrospective-defects prose) — user explicitly requested this
audit trail earlier in the PR session. Sweeping it to a one-liner
loses the *why* the verification pass exists. Kept as-is.
- m5 (PR title contains "manifesto") — accepted artefact, will use
cleaner naming for next top-level cross-cutting PR (Layer 4 C4
Context).
- n1 / n2 / n3 — all cosmetic; defer.
PR description (m4) will be updated outside the commit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): align canonical mmd with §3 actor table + §2/§8.1 wording
Cross-check after peer-batch surfaced three diagram-vs-doc deltas:
1. IdP: was :::ext (solid border = required). §3 actor table now says
"required on full shelf" — minimal-capability solo install runs
without IdP. Reclassed :::extOpt (dashed) to match.
2. Credential broker node label: "no master key full-capability" parsed
poorly. §8.1 + zone 2 wording is "delegated STS on full shelf"
(host-local on minimal, delegated STS on full). Relabeled to match.
3. Egress proxy node label carried "NFR-SEC-08 MCP allow-list" — the
only NFR-ID embedded in a node label across the whole diagram.
Replaced with role wording "MCP allow-list enforcement". NFR-IDs
live in §02 + §-anchor tables in the prose, not in diagram nodes.
No edge changes; classDef set unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): Layer 3 — paper-cut polish before merge
Sweep after the prior batch landed: remove rudiments and meta-comments.
§11 Regulator citation map:
- Drop the 5 "Confirmed defects from a prior pass" prose bullets — the
defects they listed were already fixed in the table itself in earlier
passes (DORA Art. 12 → 19(1); NYDFS § 500.7 → § 500.5; CRI Profile
column removed entirely). The bullets paraphrased the table state
from three revisions ago. CLAUDE.md "If a paragraph paraphrases the
data, delete it." Tracking slug `arch/regulator-citations-verify-pass`
stays in the preamble; full defect list lives in git history.
- Row "Audit pipeline → SIEM" cell: drop trailing "not DORA Art. 12"
— without the prose bullets above it, the negation has no context;
rewritten as "(retention floor cited from SEC 17a-4 / FCA SYSC 9,
see §10)".
- Rows "Credential broker" / "Compute plane" EU AI Act cells: drop
defensive "(direct Art. 15 wording)" parentheticals — leftovers from
earlier vale-lint battle over banned-vocab escapes. The Art. 15(4)
wording stands on its own.
- Drop "(subpoint TBD)" from "Art. 28 ICT third-party general" — TBD
without a tracking slug is just noise.
- Preamble: "before reproducing in an audit workpaper" → "before
reuse" (overkill phrasing).
§6 REGULATED-AUDIT row:
- Retention-floor cell collapsed from long inline explainer to
"7 y default / 10 y configurable (see §10)". The full citation
(SEC 17a-4 / FCA SYSC 9 / EU AI Act Art. 19(1)) already lives in
§10 NFR-COMP-01 anchor.
§2 footer Compute plane:
- "Performance targets … live in component specs, not as zone
properties." → "live in component specs." Drop the meta-justification
by negation.
§8:
- Drop the "diagram-label note" about the older "session JWT" / "RPC
token" retired wording. That was about a rev that already shipped;
reader of current doc does not need the history.
§12 item 5:
- Drop hedge "when one of the candidate paths reaches a decision
point" — the per-boundary signer table lands with the ADR, no need
to qualify when that happens.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): align Layer 3 canonical diagram with §7 / §8
Five gaps caught before draft→proposed transition, all in the canonical
.mmd (doc body unchanged):
1. Add ORCH→BR edge with Generic internal token label (host-side RPC,
session policy + scope, TTL ≤60 min). §8 token taxonomy lists three
token classes; without this edge the third class was invisible and
the broker looked free-standing despite §8 stating "Control plane ↔
broker ↔ audit, host-side."
2. Add two dashed revoke edges ORCH-.->VM and ORCH-.->PROXY with
NFR-SEC-04 ≤5 min label. §7 fixed revoke-independent-of-IdP via
Control plane denylist checked on every Compute-plane RPC and Egress
request; this control channel was missing from the canon entirely.
3. Symmetrise PROXY→LLM and PROXY→OBJ labels — both now read
"strict TLS validation / broker-issued credential / fail-closed".
Previous asymmetry ("fail-closed" only on LLM, "broker-issued token"
only on OBJ) misrepresented that both upstreams use broker-issued
credentials.
4. Drop "per DoD ZTRA" claim from palette comment — DoD ZTRA v2.0 does
not normatively define red/amber/green/blue subgraph palette. Honest
label is "project convention". Avoids the same overclaim §11 flags
for regulatory citations.
5. Remove `defaultRenderer: elk` from init. GitHub-native mermaid
renderer and many CI/Mintlify pipelines silently fall back to dagre
when the elk plugin is absent, producing inconsistent layouts across
audiences. Dagre default is stable everywhere.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): disambiguate Layer 3 revoke mechanism on egress path
The §7 sentence "denylist checked on every Compute-plane RPC and on
every Egress trust-edge request via the Credential broker token"
was grammatically ambiguous between two designs: (a) direct denylist
push to the Egress trust-edge, (b) indirect revoke via Credential
broker scoped-JWT non-reissue. The previous .mmd encoded (a) with a
dashed ORCH→PROXY edge; the rest of the architecture only works under
(b):
- §8 sets broker scoped-JWT TTL ≤15 min — the short TTL exists for
revoke-via-non-reissue, otherwise it is unmotivated cost.
- §2 zone 4 keeps the Egress trust-edge intentionally dumb (single
egress, MCP allow-list, no policy state); direct denylist would
add control-plane coupling for no extra coverage.
- PROXY → LLM / OBJ edges already carry "broker-issued credential";
revoke through credential non-reissue uses the same channel.
Two changes, no semantic drift:
1. .mmd — remove the dashed ORCH→PROXY edge. Compute plane keeps its
direct denylist edge because the Egress JWT TTL (≤4 h) makes
indirect-revoke too slow for that path.
2. §7 prose — split the sentence: Compute plane is checked directly;
Egress trust-edge revoke is "indirect via Credential broker
scoped-JWT non-reissue, TTL ≤15 min caps propagation on that path."
Anchor the TTL bound to NFR-SEC-29. Add an explicit note that the
NFR-SEC-01 ≤30 s p99 SLA is the Compute-plane stop bound, not the
upstream-credential revoke bound.
Kill switch SLA is not added to the diagram label: trust-boundary
diagrams show which-channel-carries-what, not timing budgets per
channel. The two SLAs (NFR-SEC-04 ≤5 min revoke, NFR-SEC-01 ≤30 s
kill switch) both live on the same ORCH→VM edge; loading both onto
one arrow degrades readability.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* docs(architecture): Layer 3 close-out — wire §12 + §11 to real issues, draft → proposed
Pre-merge close-out for PR #147. Two changes, one status transition:
1. §12 open questions — replace 5 `arch/*` placeholder slugs with real
GitHub issue URLs (#148 cross-tenant isolation grading, #149 metadata-
only gate, #150 SIEM-bridge transport + backpressure, #151
transparency-log publishing path, #152 PKI tool pick + signer-identity
table). Drop the "Real GitHub issue URLs replace the slugs before draft
→ proposed" footer line.
2. §11 — replace `arch/regulator-citations-verify-pass` with #153.
Cell-by-cell source verification scheduled as a follow-up batch with
other REVISIT slots; not gating Layer 3 draft → proposed.
3. Internal references — §4 footer ([#148]) and §8.1 PKI pointer
([#152]) updated to match. `grep arch/` returns zero matches.
4. Front-matter — status: draft → proposed. last-reviewed: 2026-05-25.
Layer 3 is now the second Manifesto artifact at proposed (after §02
NFRs) and is the source of truth for trust zones, isolation tiers,
egress posture, audit-pipeline pluggability, and the token taxonomy.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>1 parent c822bb2 commit 3e6ae98
9 files changed
Lines changed: 543 additions & 60 deletions
File tree
- docs/architecture
- adr
- diagrams
- manifesto
- scripts/docs-lint
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
120 | 120 | | |
121 | 121 | | |
122 | 122 | | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
123 | 127 | | |
| 128 | + | |
Large diffs are not rendered by default.
Lines changed: 2 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
62 | 62 | | |
63 | 63 | | |
64 | 64 | | |
| 65 | + | |
| 66 | + | |
65 | 67 | | |
66 | 68 | | |
67 | 69 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2 | 2 | | |
3 | 3 | | |
4 | 4 | | |
5 | | - | |
| 5 | + | |
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
11 | | - | |
| 11 | + | |
12 | 12 | | |
13 | | - | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
| 32 | + | |
| 33 | + | |
| 34 | + | |
| 35 | + | |
| 36 | + | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
| 51 | + | |
| 52 | + | |
| 53 | + | |
| 54 | + | |
| 55 | + | |
| 56 | + | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
| 68 | + | |
| 69 | + | |
| 70 | + | |
| 71 | + | |
| 72 | + | |
| 73 | + | |
| 74 | + | |
| 75 | + | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
| 80 | + | |
| 81 | + | |
| 82 | + | |
| 83 | + | |
| 84 | + | |
| 85 | + | |
| 86 | + | |
| 87 | + | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
| 92 | + | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
| 97 | + | |
| 98 | + | |
| 99 | + | |
| 100 | + | |
0 commit comments