Skip to content

Commit 3e6ae98

Browse files
Yambrclaude
andauthored
docs(architecture): manifesto Layer 3 trust boundaries (draft) (#147)
* chore(gitignore): extend research-buffer exclusions for Layer 3 tooling Adds ADVISOR-, NYQUIST-AUDIT-, PATTERN-MAP-, and layer*.md patterns. Layer 3 introduced three new review-tooling shapes (gsd-advisor-researcher, gsd-nyquist-auditor, gsd-pattern-mapper) on top of the §02 set (REVIEW, CROSS-REVIEW, PLAN-CHECK, SUMMARY, CONTRADICTION-CHECK). The buffer files cite gitignored paths and carry phrases we keep out of committed prose. Canonical work lives in docs/architecture/; these stay local. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): manifesto Layer 3 trust boundaries (draft) Lands docs/architecture/02-trust-boundaries.md (226 lines) and the canonical trust-zone diagram at docs/architecture/diagrams/02-trust-boundaries.mmd. Five drawn zones: Control plane / Credential broker / Compute plane / Egress trust-edge / Audit pipeline. Eleven external actors. Eight content-keyed data classes mapped to NYDFS, GLBA, SEC, GDPR, EU AI Act, PCI DSS. T0-T5 tenant-isolation menu. Three egress modes (transparent / MITM / DLP-ICAP). Workload-identity floor minimal vs full-capability. Signer-identity-per-boundary table (§8.1) covering egress JWT, internal RPC, broker scoped-JWT, MITM cert, Merkle head, image admission. Encryption matrix and regulator citation map verbatim per §02 NFR anchors. Closes follow-up #71 (transport variants documented in §7). Goes through six review passes: gsd-code-reviewer, gsd-advisor-researcher cross-review, gsd-plan-checker, gsd-advisor-researcher on three structural decisions, gsd-nyquist-auditor gap audit, gsd-pattern-mapper. Re-review verdict READY-TO-COMMIT: all 5 blockers RESOLVED, all 5 cross-review CRs RESOLVED, advisor PKI table verified, all 11 Nyquist gaps closed. Open Questions tracked in §13 with five entries (placeholder GH-issue slugs land as real URLs in a follow-up PR before draft → proposed). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(docs-lint): allow top-level numbered cross-cutting artifacts Adds `[0-9][0-9]-*.md` pattern to ALLOWED for files at docs/architecture/ root. Layer 3 (02-trust-boundaries.md) is the first such file; future Layer 4 (C4 Context) and Layer 5 (deployment topologies) follow the same shape. Per PROCESS.md, cross-cutting artifacts cited by every component spec live at the top level rather than under manifesto/ or components/. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): shrink Layer 3 inline mermaid to honour ≤15-line cap CodeRabbit flagged the §5 inline mermaid as 17 lines (fences + init directive + 15 content), exceeding the CLAUDE.md ≤15-line cap. Drops the init directive (elk renderer still applied via the canonical .mmd source) and shortens four arrow labels. Block now 16 lines total (2 fences + 14 mermaid). Canonical diagram at docs/architecture/diagrams/02-trust-boundaries.mmd unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): drop "bank" wrapper words from Layer 3 prose Removes four "bank"/"bank-reviewer" occurrences from §1 + §11 prose where they were marketing wrappers, not load-bearing referents. The audience stays the same (regulator-reviewer + self-hosting developer per §01); the prose just doesn't keep saying "bank" in front of it. Keeps one mention as "(CFR-cited financial-institution rules)" in §6 retention column — that one is the actual CFR referent, not a wrapper word. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): cut AI-slop from Layer 3 prose User flagged residual slop. Sweep removed: - self-referential meta-noise about line caps and CI conventions in §1 - triple "It does NOT restate / NOT describe / NOT carry" formulation in §1 - "no phone-home, no license-check, no telemetry" no-no-no pattern in §1 - "Each is a place where our code runs and where a reviewer can point and ask" preamble in §2 - "the contract is ready when X lands" hedge in §2 - repeated "External actors appear on the diagram but are not zones we own" preamble in §3 (already in §1) - repeated "Layer 3 names the isolation tiers we ship" preamble in §4 - "(including elk-renderer init directive, 11 actors, and the optional-marking dashed strokes)" list-of-three slop in §5 - duplicate "Optional configurations" paragraph in §5 - "binding artifact for the contract" pompous in §6 - "the minimal-config shape is honest about not being a compliance posture" hedge in §6 - "Both NFRs hold in spirit on both shelves; the substrate differs" hedge in §8 (replaced with what actually happens) - "the signer's key custody and rotation are properties of that boundary, not a separate zone" design-defence in §8.1 - "The full matrix lives in the canonical encryption table here; component specs cite this matrix and never restate it" cite-rules in §9 - duplicate substrate-specific TLS paragraph in §9 (already in §2) - "robust(ness) appears verbatim... preserved against banned-vocab list" meta-noise in §11 - "useful as background while the buffer is migrated" framing in §12 Layer 3 down to 211 lines from 225. Inline mermaid 16 lines including fences. Zero "bank" / "hardened" wrapper words. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): drop LLM/S3 from External actors; clarify Control plane is not a model proxy User flagged that LLM upstream as a named External actor with a ModelProvider abstraction contract overstates what we own. Outbound traffic from the sandbox or Control plane to an LLM endpoint, a customer MCP server, or a customer object store is just traffic through the Egress trust-edge — the egress policy decides where it can go, the credential broker decides which scoped token reaches it. None of these are zones with a contract we hold at the boundary. Removed from §3: LLM upstream row, Customer object store row. Both fold into "endpoints behind the egress policy" framing added at the top of §3. Reworded §2 Control plane row: dropped "LLM-upstream proxy (we proxy, we do not host)" phrasing that read like we host a model proxy. Replaced with "outbound to LLM and any other upstream goes through Egress trust-edge like any other request; the Control plane is not a model proxy". Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): cut second-pass slop from Layer 3 + add TTL to diagram labels Removed 6 more slop patterns user flagged: - preamble "Names the trust zones, the data classifications, ..." list-of-five - §1 first paragraph "Layer 3 is the zoning map: what zones exist, ..." duplicate - triple "X stay in Y; X' stay in Y'; X'' stay in Y''" parallelism in §1 - list-of-six "LLM hosting, chat UI, the caller of ..." in §1 scope sentence - "Five zones appear as subgraphs on the canonical diagram" preamble in §2 - "These are the only systems with which we hold a published contract" pompous framing in §3 - "(elk renderer, 11 external actors, optional-marking dashed strokes...)" internal-kitchen list in §5 - "the inverse mapping (our class → customer class) is what the contract binds" pompous in §6 Diagram label fix from v3 reviewer: appended TTLs to two boundary edges so the §5 inline mermaid is self-sufficient without cross-checking §8.1: - "Ed25519 JWT" → "Ed25519 JWT (session ≤4h + RPC ≤60min)" - "scoped JWT" → "scoped JWT (≤15min)" Reconciled §1 / §3 contradiction (v3 reviewer Focus 2): §1 scope sentence now says "Everything else is either an external actor (§3) or an outbound endpoint behind the egress policy"; LLM endpoints stay outside §3 per explicit user direction. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(docs-lint): extend ai-slop-detector with 6 new pattern classes User flagged that the slop seen in Layer 3 should be caught by the linter on every future PR, not relied on for manual sweeps. Adds six new checks: - 6. Self-referential CI / doc-rules meta-noise: "kept within the X budget", "≤N-line form", "CLAUDE.md rules/conventions/budget", "backticks preserve … against banned-vocab". Reader does not need rules-about-itself; rules live in CLAUDE.md. - 7. Hedge / pompous phrasing: "holds in spirit", "honest about (not) being", "the binding artifact for the contract", "is what the contract binds". - 8. Boastful "is the only X and …" superlative without measurable referent. - 9. Triple-parallel "X verbs in Y; X' verbs in Y'; X'' verbs in Y''" construction (the verb appearing three times in one semicoloned line). - 10. Triple-negation "It does not X. It does not Y. It does not Z." - 11. List-of-three "(no X, no Y, no Z)" parenthetical construction. All patterns observed in Layer 3 drafts before manual cleanup; none should have reached the doc in the first place. Linter would have caught them. Tested: passes on Layer 3 (zero hits); existing pre-existing failure on adr/0001-layer-0-gate-legacy-exclusion.md "Amendments" stub heading is not new. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): drop prompt-redaction + Merkle-signing claims from Layer 3 scope User flagged two scope grabs we should not be making: 1. Prompt-redaction is not our zone. AI-guardrail policy (PII masking, prompt-injection detection, content filtering) is the customer's AI gateway responsibility — LiteLLM, Lakera, Lasso, in-perimeter model with its own guardrails, customer's own redactor service. We route the traffic and audit the egress event; what the gateway does with the prompt is its contract, not ours. §6 paragraph rewritten; §2 Egress trust-edge row updated; NFR-COMP-26 flagged for revisit in §02. 2. Merkle-head signing is not ours either. We submit audit batches to a transparency log of the customer's choice (public Sigstore Rekor, customer-private Rekor, customer-operated CT log). The log operator signs the Merkle head; we sign only the submission envelope (envelope auth, not log integrity). §8.1 signer row reframed; §10 paragraph updated; NFR-SEC-03 flagged for revisit in §02 to match this split. Both NFRs in §02 need a follow-up rev to match (separate PR). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): name scope ownership per NFR — DELIVER vs ENABLE vs REVISIT User flagged that several §02 rows tighten the platform's responsibility in ways Layer 3 has already corrected (prompt-redaction, Merkle-head signing). Adds a Scope-ownership section to §02 that classifies every row as one of three: - DELIVER: we ship the code, we are accountable for the measurable target. Sandbox escape, egress proxy, credential broker, audit pipeline, RTO/RPO of our planes, encryption defaults. - ENABLE: we publish the contract / telemetry / integration point; the customer is the principal and owns the policy/content. DORA major- incident timeline, NYDFS § 500.17, IdP posture (relying-party). - REVISIT: claims more than our scope or names a customer-side responsibility (AI gateway / data-controller / regulator-facing process). Eight current rows listed by ID with the corrected position: NFR-FS-03 (LLM cache), NFR-REL-04 (LLM failover), NFR-SEC-21 (model-level threats), NFR-COMP-09 (PMS Art. 72 is deployer), NFR-COMP-10 (DPIA is data controller), NFR-COMP-14 (model accuracy), NFR-COMP-18 (42001 binds the deployer), NFR-COMP-25 (ZDR is customer contract), NFR-COMP-26 (prompt redaction is AI gateway), NFR-SEC-03 Merkle-head wording (tx-log signs the head, not us). REVISIT rows keep their IDs and current wording in §02 until the next revision; Layer 3 already takes the corrected position. Layer 3 §1 now links the Scope-ownership section so the row-by-row decision is reachable in one hop. §02 grew 33 lines (246 → 279); Layer 3 grew 2 lines (209 → 211). Both under cap. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): citation map indicative-not-verbatim; drop legacy buffer refs; NFR-IDs as links User flagged that the §11 "Reviewers copy this into their workpapers; section / control IDs are verbatim, not paraphrased" claim is the dangerous bit, not prose slop. A doc that invites verbatim regulator-citation reuse without a verification trail and then carries misattributed citations becomes an audit liability the moment a reviewer copies a cell. §11 reframed: "Mapping is indicative, not verbatim. Verify every cell against the source text before reproducing in an audit workpaper. Layer 3 does not represent these citations as audit evidence by itself." Inline a list of confirmed defects tracked at `arch/regulator-citations-verify-pass`: - DORA Art. 12 is backup / restoration / recovery, not retention. 10-year retention floor lives in SEC 17a-4 / FCA SYSC 9 / EU AI Act Art. 19(1). - DORA Art. 9 is "Protection and prevention". ICT-risk framework is Art. 6; detection / logging is Art. 10. - NYDFS § 500.7 is access privileges (PAM, least privilege, JIT). Segmentation is not a § 500.7 requirement. - DORA Art. 28(2)(c) "location of processing" likely lives in Art. 30 key contractual provisions; source-check pending. - CRI Profile v2 column was lifting CSF 1.1 subcategory codes (PR.PT-N, DE.DP-N) which were restructured in CSF 2.0; CRI Profile uses its own diagnostic-statement numbers. Whole CRI column removed pending source pass. §12 "See also" section listing legacy buffer files dropped — legacy doc references in a canonical artifact are an antipattern. NFR-IDs converted to markdown links pointing at manifesto/02-nfrs.md. Reader clicks to land on §02; Ctrl+F finds the row. 64 NFR-ID occurrences linked. A per-ID anchor pass is a separate task (would need anchor headings or HTML anchors in §02 tables). Doc preamble after front-matter dropped (user flagged it as boilerplate the reader does not need). §11 verbatim/copy-into-workpapers self-praise removed. §11 inline `robust(ness)` linter-comment removed. Line count 207 / 600. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(docs-lint): catch verbatim-citation claims + 'is the only' superlatives User flagged citation-map "verbatim / copy into workpapers" claim as the dangerous slop pattern that pure-prose tools miss. Adds two more checks: - 12. "Reviewers copy this … workpapers" / "verbatim, not paraphrased" pompous audit-evidence framing. A draft doc cannot represent itself as a verbatim regulator-citation source. - 13. "is the only X" / "is unique among/in X" superlatives without a measurable referent (CLAUDE.md "no adjectives without measurable referent"). Both observed in Layer 3 v1 before cleanup; both should not have reached the doc. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): collapse double blank line in Layer 3 (markdownlint MD012) Trailing empty line left after removing the `robust(ness)` linter-comment created two consecutive blanks before §12 heading. Markdownlint MD012 caught it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): consolidated tree sweep — slop / consistency / scope fixes Cross-reviewer triangulation (code-reviewer FLAG, plan-checker ON-TRACK, pattern-mapper 3 top-risk) converged on this fix batch. §02 NFRs: - drop default-tier vs bank-tier framing in NFR-SEC-03 / COMP-07 / COMP-15 (was contradicting §01 "one product, not a tiered SKU"); rewrite as configuration-conditional on HSM-rooted custody per NFR-FLEX-04 - flip NFR-FLEX-15 egress default to transparent pass-through (was MITM; contradicted the one-click solo-install invariant); DLP-ICAP demoted to a configuration of the MITM mode, not a third mode - replace the §02 embedded trust-zone diagram with a link to the Layer 3 canonical (single source of truth) - rename data-plane → Compute plane, egress-proxy / egress gateway → Egress trust-edge across all NFR rows - drop tech-brand parentheticals from NFR-PERF-03 / NFR-SEC-02 / NFR-SEC-25 / NFR-SEC-28 / NFR-FLEX-03 / NFR-COMP-29 (brand picks belong in component specs, not portability-NFR rows; vendor lists kept only in NFR-FLEX-01/04/13 where the matrix IS the testable property) - strip self-referential CI / doc-rules meta-noise from the intro Layer 3 trust-boundaries: - fix four forward references (§12.4/5, components/<egress-proxy>.md, "Layer 7", MANIFESTO non-goals) - drop T4 / T5 isolation tiers (no named workload) into open question 1 - collapse egress posture from three modes to two; DLP-ICAP is an MITM configuration - reconcile §3 actor table with diagram: LLM / object-store drawn for orientation only; SIEM / KMS marked optional - shrink §9 encryption matrix to a single-sentence invariant citing NFR-SEC-37; per-boundary table moves to component specs - shrink §8.1 signer-identity table to a single paragraph; per-boundary table moves with the PKI decision - strip remaining tech names from prose (SIEM brand list, PKI tool shortlist, vendor lists) Diagram: - remove vendor lists from external-actor labels (LLM upstream / SIEM / outbound proxy / DLP-ICAP / KMS / transparency log) - LLM upstream + customer object store reclassified as `endpoint` nodes (dashed grey) to match prose "drawn for orientation, not actors" Glossary: - backfill 10 entries for terms used in ≥ 2 architecture docs (Control plane / Compute plane / Egress trust-edge / Credential broker / Audit pipeline / Capability shelf / Isolation tier T0-T3 / Egress posture / Egress JWT / OCSF / Transparency log / Compute-time metering) Primitives backlog: - prune 8 drained primitives that landed in §02 NFR rows (kill switch / replay bundle / tamper-evident audit / WORM retention / BYOK / SPIFFE / MITM egress / MCP allow-list) - remove Anthropic-srt entry — internal-research reference must not load- bear in the canonical tree - drop "first FSL adopter" superlative - record drained-list at the file end as audit trail ADR-0001: - fix Amendments stub heading (ai-slop-detector hit on every prior run) Linter: - ai-slop-detector check 14 — block internal research-artifact phrasing (anthropic srt / sandbox-runtime / sandboxd paths / reverse-engineering wording) from leaking into the architecture set Out of scope (deferred): ADR stubs for PKI / FIPS / k8s-distros / licence- allowlist are per-plan on-demand artifacts, not bulk-generated stubs; the open-question slugs in Layer 3 §12 + §02 stay as bare slugs until the TBD-to-issue batch lands. Layer 3.5 §03 non-negotiables slot decision also deferred. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): v2 review follow-ups — collateral cleanup Eleven small fixes surfaced by gsd-code-reviewer v2 + gsd-plan-checker v2 + gsd-pattern-mapper v2 after the consolidated batch landed. Each fix ≤ 5 lines; CI green locally before push. §02 NFRs: - drop NFR-SEC-03 from REVISIT bullet list — already reframed earlier in same batch (NEW-01) - §02 "Five zones meet around the Compute plane: ... Compute plane, ..." duplicate listing → "Five zones interact" (NEW-03) - drop LiteLLM / Lakera vendor names from REVISIT bullets NFR-REL-04 + NFR-COMP-26 — same vendor names were stripped from Layer 3 last batch but resurfaced here (NEW-04) - capitalise "egress trust-edge" → "Egress trust-edge" in NFR-FS-03 REVISIT bullet (plan-v2-1) - NFR-FLEX-10: bare "compute" → "Compute plane" (plan-v2-2) - NFR-PERF-07/08/09 brand-baked IDs (runc / gVisor / kata-fc) rewritten as substrate-named: container-substrate / user-space-kernel substrate / microVM substrate (pattern-v2-R3) — symmetric to NFR-SEC-02 brand- agnostic rewrite from prior batch Layer 3 trust-boundaries: - §2 over-claim "every inter-zone arrow is encrypted" → align with NFR-SEC-37 wording (carve-outs named) (NEW-06) - §10 "to be revisited in §02 to match this split" — stale, §02 now matches (NEW-02) Glossary: - Transparency log entry: drop "Sigstore Rekor" vendor brand → vendor- neutral wording (NEW-05); the term itself was held vendor-neutral in Layer 3 prose, glossary entry shouldn't reintroduce the brand - Compute plane entry: drop "formerly named data-plane" hedge — §02 rename is complete, hedge no longer needed (pattern-v2-R1) Diagram: - CPROXY (customer outbound proxy) and SOAR reclassified ext → extOpt (dashed border) to match the prose "(optional)" label in Layer 3 §3 actor table (pattern-v2 diagram dashes) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): Layer 3 v3 — close 5 contradictions before proposed User-flagged before draft → proposed transition. Each item was a real contradiction or ambiguity inside the canonical doc, not a stylistic one. 1. Retention floor — §6 REGULATED-AUDIT row cited "DORA Art. 12(2) 10 yr for critical functions" as the retention basis. §11 had already documented that DORA Art. 12 is backup/restoration, NOT retention; the 10-year floor lives in SEC 17a-4 / FCA SYSC 9 / EU AI Act Art. 19(1). §10 prose said "7-year minimum (NFR-COMP-01)" without naming the "10y configurable" half. Three numbers, one defective citation. Now: §6 cell + §10 prose both say "7 y default / 10 y configurable per NFR-COMP-01; 10 y floor from SEC 17a-4 / FCA SYSC 9 / EU AI Act Art. 19(1)". Single machine-enforced retention statement. 2. Revoke ≤5 min vs in-flight TTL ≤4 h — §7 said "IdP unreachable → in-flight sessions continue until TTL expiry"; §8 declared revoke latency target ≤5 min. Read together those promise that revoke holds during an IdP outage even though the only named mechanism is re-authentication. Made the revoke mechanism explicit: kill-switch maintains a Control-plane session denylist checked on every Compute RPC + every Egress request via the broker token; revoke is independent of IdP reachability, NFR-SEC-04 ≤5 min and NFR-SEC-01 ≤30 s kill-switch share the denylist. IdP participates in token issue, not in revoke. 3. T1 namespace + shared kernel for agent-execution — §4 placed T1 (namespace + netpolicy, shared kernel) under "non-NPI workloads", which is a data-classification argument, not a sandbox-escape argument. For LLM-issued tool calls / code, the attack surface is the container boundary regardless of data class. Added a "Multi-tenant agent-execution invariant" paragraph under §4: multi-tenant agent execution requires microVM substrate (the full-capability shelf); T1 namespace remains valid only for single-tenant agent execution or for multi-tenant workloads that do not execute LLM-issued code. 4. Token-name taxonomy — §5 diagram and §02 token TTL taxonomy used different spellings for the same three classes ("session JWT" vs "Egress JWT"; "RPC token" vs "Generic internal token"). Now: the canonical class names live in §8 + §02, the §5 diagram + canonical .mmd both use the same canonical names, and §8 carries a one-line diagram-label retirement note for the old wording. 5. Mermaid convention encoding — the §5 inline block declared "solid = always, dashed = optional" but did not encode it (all default solid), while the canonical .mmd does encode it. Now: caption says the convention applies in the canonical file, the inline block is a simplified overview that does not encode dashed-vs-solid, and the reader is pointed at the canonical file or §3 actor table for the optional reading. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(gitignore): extend research-buffer ignore pattern to CONSOLIDATED-* Sibling review artefacts (REVIEW-*, PLAN-CHECK-*, PATTERN-MAP-*) are already ignored under docs/future-architecture/research/. The CONSOLIDATED-* family (multi-reviewer synthesis docs the architect-loop produces between review passes) belongs to the same working buffer and gets the same treatment. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): mark REVISIT NFR rows informational / non-gating CodeRabbit Major: REVISIT bullets de-scope NFR-FS-03 / REL-04 / SEC-21 / COMP-09/10/14/18/25/26, but the rows themselves sit in the catalogue tables with active-looking Target columns. A CI gate or verifier that walks §02 row-by-row would enforce a Target the bullets explicitly de-scoped — contradiction between the gating mechanism and the prose. Fix: - §"Scope ownership" intro now states explicitly that REVISIT rows are informational / non-gating until re-cut; CI gates, release acceptance, compliance attestations, and verifier passes MUST NOT enforce a REVISIT row's Target. - Each of the 9 affected rows carries an inline **[REVISIT — non-gating]** prefix in its Scenario cell, so a gate-author walking the table cannot miss the deferral. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): Layer 3 — close peer-review findings M1 / M2 / M3 / m6 Peer review on PR #147 surfaced four substantive items. Each was a real defect verifiable against the doc itself; all closed in this commit. M1 (inline mermaid §5 — content defect): - Edge "CP → VM" was labelled "Egress JWT (≤4h) + Generic internal (≤60min)". Per §8 token taxonomy + canonical .mmd, Generic internal token rides Control plane ↔ broker ↔ audit (host-side), NOT CP → Compute plane. Label now reads "Egress JWT (≤4h)" — matches §8 + canonical .mmd line 51. M3 (§1 prose stale): - Said "the §02 catalogue still carries the old wording … until its next revision". §02 was updated in this same PR (NFR rows marked [REVISIT — non-gating] + enforcement-status block). Rewritten to reflect actual state: "§02 marks each REVISIT row inline as [REVISIT — non-gating] so CI and verifier passes do not enforce it; the substantive re-cut lands in a follow-up PR." Also: §"Scope-ownership" → §"Scope ownership" (heading spelling match). m6 (§2 zone 1 prose semantic): - Said "Outbound to LLM and any other upstream goes through the Egress trust-edge like any other request" while drawn from Control plane. Control plane never originates upstream traffic — only Compute plane does. Rewritten: "Holds no outbound path to upstream; all upstream traffic originates in the Compute plane and traverses the Egress trust-edge." M2 (link-cap structural): - §2 zone table carried 30+ NFR cross-doc links inline (5+ per zone). CLAUDE.md doc-discipline: "one outbound link cap: ≤ 3 cross-doc links per H2 section". Restructured: each zone row keeps a single primary NFR-anchor link; the rest move to a consolidated "Secondary NFR anchors per zone" footer immediately below the table. Same pattern for §8: tables carry bare NFR-ID text in §02-anchor column, single consolidated link-footer below. Reader still has every cross-reference; ≤3-per-H2 rule no longer broken across the doc. NOT changed: - m1 (inline mermaid 16 lines fence-inclusive) — wc-budget.sh counts content-only; CI passes; trace agreed with peer. - m7 (§11 retrospective-defects prose) — user explicitly requested this audit trail earlier in the PR session. Sweeping it to a one-liner loses the *why* the verification pass exists. Kept as-is. - m5 (PR title contains "manifesto") — accepted artefact, will use cleaner naming for next top-level cross-cutting PR (Layer 4 C4 Context). - n1 / n2 / n3 — all cosmetic; defer. PR description (m4) will be updated outside the commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): align canonical mmd with §3 actor table + §2/§8.1 wording Cross-check after peer-batch surfaced three diagram-vs-doc deltas: 1. IdP: was :::ext (solid border = required). §3 actor table now says "required on full shelf" — minimal-capability solo install runs without IdP. Reclassed :::extOpt (dashed) to match. 2. Credential broker node label: "no master key full-capability" parsed poorly. §8.1 + zone 2 wording is "delegated STS on full shelf" (host-local on minimal, delegated STS on full). Relabeled to match. 3. Egress proxy node label carried "NFR-SEC-08 MCP allow-list" — the only NFR-ID embedded in a node label across the whole diagram. Replaced with role wording "MCP allow-list enforcement". NFR-IDs live in §02 + §-anchor tables in the prose, not in diagram nodes. No edge changes; classDef set unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): Layer 3 — paper-cut polish before merge Sweep after the prior batch landed: remove rudiments and meta-comments. §11 Regulator citation map: - Drop the 5 "Confirmed defects from a prior pass" prose bullets — the defects they listed were already fixed in the table itself in earlier passes (DORA Art. 12 → 19(1); NYDFS § 500.7 → § 500.5; CRI Profile column removed entirely). The bullets paraphrased the table state from three revisions ago. CLAUDE.md "If a paragraph paraphrases the data, delete it." Tracking slug `arch/regulator-citations-verify-pass` stays in the preamble; full defect list lives in git history. - Row "Audit pipeline → SIEM" cell: drop trailing "not DORA Art. 12" — without the prose bullets above it, the negation has no context; rewritten as "(retention floor cited from SEC 17a-4 / FCA SYSC 9, see §10)". - Rows "Credential broker" / "Compute plane" EU AI Act cells: drop defensive "(direct Art. 15 wording)" parentheticals — leftovers from earlier vale-lint battle over banned-vocab escapes. The Art. 15(4) wording stands on its own. - Drop "(subpoint TBD)" from "Art. 28 ICT third-party general" — TBD without a tracking slug is just noise. - Preamble: "before reproducing in an audit workpaper" → "before reuse" (overkill phrasing). §6 REGULATED-AUDIT row: - Retention-floor cell collapsed from long inline explainer to "7 y default / 10 y configurable (see §10)". The full citation (SEC 17a-4 / FCA SYSC 9 / EU AI Act Art. 19(1)) already lives in §10 NFR-COMP-01 anchor. §2 footer Compute plane: - "Performance targets … live in component specs, not as zone properties." → "live in component specs." Drop the meta-justification by negation. §8: - Drop the "diagram-label note" about the older "session JWT" / "RPC token" retired wording. That was about a rev that already shipped; reader of current doc does not need the history. §12 item 5: - Drop hedge "when one of the candidate paths reaches a decision point" — the per-boundary signer table lands with the ADR, no need to qualify when that happens. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): align Layer 3 canonical diagram with §7 / §8 Five gaps caught before draft→proposed transition, all in the canonical .mmd (doc body unchanged): 1. Add ORCH→BR edge with Generic internal token label (host-side RPC, session policy + scope, TTL ≤60 min). §8 token taxonomy lists three token classes; without this edge the third class was invisible and the broker looked free-standing despite §8 stating "Control plane ↔ broker ↔ audit, host-side." 2. Add two dashed revoke edges ORCH-.->VM and ORCH-.->PROXY with NFR-SEC-04 ≤5 min label. §7 fixed revoke-independent-of-IdP via Control plane denylist checked on every Compute-plane RPC and Egress request; this control channel was missing from the canon entirely. 3. Symmetrise PROXY→LLM and PROXY→OBJ labels — both now read "strict TLS validation / broker-issued credential / fail-closed". Previous asymmetry ("fail-closed" only on LLM, "broker-issued token" only on OBJ) misrepresented that both upstreams use broker-issued credentials. 4. Drop "per DoD ZTRA" claim from palette comment — DoD ZTRA v2.0 does not normatively define red/amber/green/blue subgraph palette. Honest label is "project convention". Avoids the same overclaim §11 flags for regulatory citations. 5. Remove `defaultRenderer: elk` from init. GitHub-native mermaid renderer and many CI/Mintlify pipelines silently fall back to dagre when the elk plugin is absent, producing inconsistent layouts across audiences. Dagre default is stable everywhere. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): disambiguate Layer 3 revoke mechanism on egress path The §7 sentence "denylist checked on every Compute-plane RPC and on every Egress trust-edge request via the Credential broker token" was grammatically ambiguous between two designs: (a) direct denylist push to the Egress trust-edge, (b) indirect revoke via Credential broker scoped-JWT non-reissue. The previous .mmd encoded (a) with a dashed ORCH→PROXY edge; the rest of the architecture only works under (b): - §8 sets broker scoped-JWT TTL ≤15 min — the short TTL exists for revoke-via-non-reissue, otherwise it is unmotivated cost. - §2 zone 4 keeps the Egress trust-edge intentionally dumb (single egress, MCP allow-list, no policy state); direct denylist would add control-plane coupling for no extra coverage. - PROXY → LLM / OBJ edges already carry "broker-issued credential"; revoke through credential non-reissue uses the same channel. Two changes, no semantic drift: 1. .mmd — remove the dashed ORCH→PROXY edge. Compute plane keeps its direct denylist edge because the Egress JWT TTL (≤4 h) makes indirect-revoke too slow for that path. 2. §7 prose — split the sentence: Compute plane is checked directly; Egress trust-edge revoke is "indirect via Credential broker scoped-JWT non-reissue, TTL ≤15 min caps propagation on that path." Anchor the TTL bound to NFR-SEC-29. Add an explicit note that the NFR-SEC-01 ≤30 s p99 SLA is the Compute-plane stop bound, not the upstream-credential revoke bound. Kill switch SLA is not added to the diagram label: trust-boundary diagrams show which-channel-carries-what, not timing budgets per channel. The two SLAs (NFR-SEC-04 ≤5 min revoke, NFR-SEC-01 ≤30 s kill switch) both live on the same ORCH→VM edge; loading both onto one arrow degrades readability. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(architecture): Layer 3 close-out — wire §12 + §11 to real issues, draft → proposed Pre-merge close-out for PR #147. Two changes, one status transition: 1. §12 open questions — replace 5 `arch/*` placeholder slugs with real GitHub issue URLs (#148 cross-tenant isolation grading, #149 metadata- only gate, #150 SIEM-bridge transport + backpressure, #151 transparency-log publishing path, #152 PKI tool pick + signer-identity table). Drop the "Real GitHub issue URLs replace the slugs before draft → proposed" footer line. 2. §11 — replace `arch/regulator-citations-verify-pass` with #153. Cell-by-cell source verification scheduled as a follow-up batch with other REVISIT slots; not gating Layer 3 draft → proposed. 3. Internal references — §4 footer ([#148]) and §8.1 PKI pointer ([#152]) updated to match. `grep arch/` returns zero matches. 4. Front-matter — status: draft → proposed. last-reviewed: 2026-05-25. Layer 3 is now the second Manifesto artifact at proposed (after §02 NFRs) and is the source of truth for trust zones, isolation tiers, egress posture, audit-pipeline pluggability, and the token taxonomy. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent c822bb2 commit 3e6ae98

9 files changed

Lines changed: 543 additions & 60 deletions

File tree

.gitignore

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -120,4 +120,9 @@ docs/future-architecture/research/REVIEW-*.md
120120
docs/future-architecture/research/CROSS-REVIEW-*.md
121121
docs/future-architecture/research/PLAN-CHECK-*.md
122122
docs/future-architecture/research/CONTRADICTION-CHECK-*.md
123+
docs/future-architecture/research/ADVISOR-*.md
124+
docs/future-architecture/research/NYQUIST-AUDIT-*.md
125+
docs/future-architecture/research/PATTERN-MAP-*.md
126+
docs/future-architecture/research/CONSOLIDATED-*.md
123127
docs/future-architecture/research/nfr-*.md
128+
docs/future-architecture/research/layer*.md

docs/architecture/02-trust-boundaries.md

Lines changed: 192 additions & 0 deletions
Large diffs are not rendered by default.

docs/architecture/adr/0001-layer-0-gate-legacy-exclusion.md

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,8 @@ None directly. The legacy code's threats (root containers, XXE, SSRF via `urllib
6262

6363
## Amendments
6464

65+
Each amendment names the discovery commit and the affected exclusion entries.
66+
6567
### 2026-05-24 — initial exclusion-list completion
6668

6769
The first version of `.semgrepignore` shipped in commit `709db53` missed three legacy areas that the SAST gate scans:
Lines changed: 90 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,90 @@
1+
%% SPDX-License-Identifier: FSL-1.1-Apache-2.0
2+
%% Copyright (c) 2025 Open Computer Use Contributors
3+
%% Canonical Layer 3 trust-zone diagram. Referenced from docs/architecture/02-trust-boundaries.md §5.
4+
%% Convention: solid subgraph border = always present; dashed border = optional configuration.
5+
%% Palette (project convention): red untrusted / amber semi-trusted / green trusted / blue isolated.
6+
7+
%%{init: {"theme": "neutral"} }%%
8+
flowchart LR
9+
10+
%% ─── external actors (untrusted; rendered as plain nodes, not subgraphs) ───
11+
MCPC[MCP client<br/>external actor]:::ext
12+
IDP[Customer IdP<br/>SAML / OIDC]:::extOpt
13+
LLM[LLM upstream]:::endpoint
14+
OBJ[Customer object store]:::endpoint
15+
CPROXY[Customer outbound proxy]:::extOpt
16+
ICAP[Customer DLP-ICAP service]:::extOpt
17+
SIEM[Customer SIEM]:::extOpt
18+
KMS[Customer KMS / HSM]:::extOpt
19+
SOAR[SOAR<br/>signed webhook + admin API]:::extOpt
20+
OPER[Admin / Operator<br/>PAM-JIT human]:::ext
21+
TLOG[Transparency log]:::extOpt
22+
23+
%% ─── our zones ───
24+
subgraph CP[Control plane]
25+
ORCH[orchestrator + RPC<br/>MCP server<br/>session lifecycle]
26+
end
27+
28+
subgraph BROKER[Credential broker]
29+
BR[per-VM secrets-injection<br/>HOST-side<br/>loopback / vsock / UDS<br/>delegated STS on full shelf]
30+
end
31+
32+
subgraph COMPUTE[Compute plane]
33+
VM[session sandbox<br/>guest agent PID 1<br/>container minimal · microVM full<br/>one per session · ephemeral]
34+
end
35+
36+
subgraph EDGE[Egress trust-edge]
37+
PROXY[egress proxy<br/>transparent pass-through default<br/>MITM customer-CA opt-in<br/>DLP-ICAP is MITM config<br/>MCP allow-list enforcement]
38+
end
39+
40+
subgraph AUDIT[Audit pipeline]
41+
BUS[durable bus + hash-chained store<br/>OCSF v1.x events<br/>host-local signing on minimal shelf<br/>HSM-rooted on full shelf<br/>compute-time metering]
42+
end
43+
44+
%% ─── inbound edges ───
45+
MCPC -->|"MCP authz spec<br/>audience-validated"| ORCH
46+
IDP -->|SAML / OIDC| ORCH
47+
OPER -->|PAM-JIT SAML attr<br/>NFR-COMP-29| ORCH
48+
SOAR <-->|signed webhook + admin API| ORCH
49+
50+
%% ─── internal edges (encrypted in transit; NFR-SEC-37) ───
51+
ORCH -->|"Generic internal token<br/>host-side RPC<br/>session policy + scope<br/>TTL ≤60 min"| BR
52+
ORCH -->|"Egress JWT on WS<br/>bound to container_name<br/>TTL ≤4h"| VM
53+
BR -->|"Broker scoped-JWT<br/>vsock / UDS / loopback<br/>TTL ≤15 min"| VM
54+
55+
%% ─── revoke channel (denylist; independent of IdP reachability) ───
56+
%% Compute plane gets a direct denylist check (Egress JWT TTL ≤4h needs it);
57+
%% Egress trust-edge revoke is indirect via Credential broker scoped-JWT
58+
%% non-reissue (TTL ≤15 min caps propagation), so no direct ORCH→PROXY edge.
59+
ORCH -.->|"revoke (denylist check)<br/>NFR-SEC-04 ≤5 min"| VM
60+
61+
%% ─── egress edges ───
62+
VM -->|"single outbound path<br/>network-bound identity<br/>NFR-SEC-27"| PROXY
63+
PROXY -->|"strict TLS validation<br/>broker-issued credential<br/>fail-closed"| LLM
64+
PROXY -->|"strict TLS validation<br/>broker-issued credential<br/>fail-closed"| OBJ
65+
PROXY -.->|"chained-proxy contract<br/>optional"| CPROXY
66+
PROXY -.->|"ICAP req-mod / resp-mod<br/>optional"| ICAP
67+
68+
%% ─── audit edges (every named zone emits OCSF events) ───
69+
ORCH -->|OCSF events| BUS
70+
BR -->|OCSF events| BUS
71+
VM -->|OCSF events| BUS
72+
PROXY -->|OCSF events| BUS
73+
74+
%% ─── audit egress ───
75+
BUS -.->|"OCSF bridge<br/>optional"| SIEM
76+
BUS -.->|"daily Merkle head<br/>submission envelope"| TLOG
77+
78+
%% ─── KMS path (optional, full-capability shelf only) ───
79+
BR -.->|"PKCS#11 / KMIP"| KMS
80+
BUS -.->|"PKCS#11 / KMIP<br/>signing on full shelf"| KMS
81+
82+
%% ─── styling (project palette: red untrusted / amber semi-trusted / green trusted / blue isolated) ───
83+
classDef ext fill:#fdecea,stroke:#c0392b,stroke-width:1px;
84+
classDef extOpt fill:#fdecea,stroke:#c0392b,stroke-dasharray: 5 5;
85+
classDef endpoint fill:#fafafa,stroke:#9e9e9e,stroke-dasharray: 2 2;
86+
style CP fill:#e8f5e9,stroke:#1e7e34,stroke-width:1px;
87+
style BROKER fill:#e8f5e9,stroke:#1e7e34,stroke-width:1px;
88+
style COMPUTE fill:#e3f2fd,stroke:#0d47a1,stroke-width:3px;
89+
style EDGE fill:#fff4e5,stroke:#b8860b,stroke-width:1px;
90+
style AUDIT fill:#e8f5e9,stroke:#1e7e34,stroke-width:1px;

docs/architecture/glossary.md

Lines changed: 90 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,12 +2,99 @@
22
<!-- Copyright (c) 2025 Open Computer Use Contributors -->
33

44
---
5-
status: stub
5+
status: draft
66
last-reviewed: 2026-05-24
77
owner: "@Wide-Moat/architects"
88
applies-to: next/v1
99
---
1010

11-
Canonical definitions for terms used across this architecture. Define a term here once; link to it from anywhere else. If a term is used in ≥ 2 documents, it belongs here.
11+
Canonical definitions for terms used across this architecture. Define a term here once; link to it from anywhere else. A term lands here when it appears in ≥ 2 documents.
1212

13-
Terms are added when first used in two or more architecture documents, per the decision tree in `CLAUDE.md`.
13+
## Control plane
14+
15+
Orchestrator, RPC surface, session lifecycle, MCP server. Single instance per deployment. Holds no customer payload; metadata-only by design. Outbound to LLM and other upstream goes through the Egress trust-edge — the Control plane is not a model proxy.
16+
17+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §2, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md).
18+
19+
## Compute plane
20+
21+
The session sandbox zone — one sandbox per session, lifecycle bound to the session, guest agent as PID 1. Substrate is container on the minimal-capability shelf, microVM on the full-capability shelf. Cross-session network reachability disabled.
22+
23+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §2, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md).
24+
25+
## Credential broker
26+
27+
Per-VM secrets-injection service. Host-side. Bound to loopback / vsock / UDS only. Holds the real upstream credentials; the guest never does. Issues scoped, short-lived tokens to the guest. Distinct from a customer PAM tool — when §02 NFR-COMP-29 says "PAM brokers", it means the customer's privileged-access-management tool, not this component.
28+
29+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §2, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md).
30+
31+
## Egress trust-edge
32+
33+
The single outbound zone. Every outbound request from the Compute plane goes through here. Network-bound identity (NFR-SEC-27): the fact that traffic arrived from the sandbox at all is the identity. Fail-closed: proxy unreachable → outbound traffic dropped, never bypassed. Configurable posture per [Egress posture](#egress-posture) entry.
34+
35+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §2, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md). Spelled `egress proxy` when referring to the component implementation; `Egress trust-edge` when referring to the zone.
36+
37+
## Audit pipeline
38+
39+
Durable bus + hash-chained store + bridges to customer sinks. Mandatory in code; sinks are pluggable. Distinct retention floor, RPO, and tamper-evidence properties from the Control plane, which is why it is drawn as its own zone.
40+
41+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §2, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md).
42+
43+
## Capability shelf
44+
45+
A configuration profile of one product. Two shelves:
46+
47+
- **Minimal-capability shelf** — single-tenant, host-local Ed25519 signing keys, auto-generated self-signed CA, file-system audit sink. The one-click solo install path.
48+
- **Full-capability shelf** — customer HSM rooted, per-tenant SPIFFE trust domain, customer-CA-rooted egress, OCSF bridges to customer SIEM.
49+
50+
Both shelves run the same binary; the difference is configuration plus presence of customer-supplied facilities (HSM, CA, SIEM bridge). Not a SKU split.
51+
52+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §2 / §8 / §10, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md).
53+
54+
## Isolation tier (T0…T3)
55+
56+
Per-tenant deployment shape menu. Picks the substrate, not the invariants — boundary properties hold for every tier.
57+
58+
- T0 logical — row-level filter, shared kernel.
59+
- T1 namespace — Kubernetes namespace + NetworkPolicy + RBAC + ResourceQuota.
60+
- T2 VPC / VNet — per-tenant VPC, no peering.
61+
- T3 dedicated cluster — dedicated control plane per tenant.
62+
63+
Higher isolation tiers (dedicated hardware, customer-owned cage) are tracked as candidates in open question `arch/cross-tenant-isolation-grading`; promote when a named workload requires them.
64+
65+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §4.
66+
67+
## Egress posture
68+
69+
The mode the Egress trust-edge runs in. Two modes:
70+
71+
- **Transparent pass-through** — proxy in path, does not terminate TLS, no customer CA needed. Default.
72+
- **MITM-inspecting** — proxy terminates TLS at the customer-CA root; required for any in-path content inspection (DLP-ICAP, prompt-content classification). Opt-in.
73+
74+
DLP-ICAP is a configuration of the MITM mode, not a third mode.
75+
76+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §7, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md) NFR-FLEX-15.
77+
78+
## Egress JWT
79+
80+
Per-session bearer token issued by the Control plane to the guest agent, bound to `container_name`, TTL ≤ 4 h. Distinct from the broker scoped-JWT (TTL ≤ 15 min, per-resource) and the generic internal RPC token (TTL ≤ 60 min, inter-component). The three TTL classes are independent commitments.
81+
82+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §5 / §8 / §8.1, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md) NFR-SEC-10/23/29.
83+
84+
## OCSF
85+
86+
Open Cybersecurity Schema Framework, v1.x JSON. The canonical audit-event schema we emit on the Audit pipeline. Bridges to SIEM transforms emit CEF / Elastic ECS / Chronicle UDM downstream.
87+
88+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §5 / §10, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md) NFR-MAINT-AUDIT-SCHEMA.
89+
90+
## Transparency log
91+
92+
External append-only log that the customer chooses (public, customer-private, or a Certificate-Transparency-style instance). The Audit pipeline submits the daily Merkle head of the hash-chained audit store; the log operator signs the Merkle head, we sign only the submission envelope. Provides tamper-evidence the customer can verify against an operator they trust.
93+
94+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §3 / §8.1 / §10 / §12, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md) NFR-SEC-03.
95+
96+
## Compute-time metering
97+
98+
Per-session billing primitives emitted as audit events: CPU-min, RAM-GB-min, storage-GB-day, egress bytes, MCP-call count. Live on the Audit pipeline because they are part of the same hash-chained record stream.
99+
100+
Used in: [`02-trust-boundaries.md`](./02-trust-boundaries.md) §2, [`manifesto/02-nfrs.md`](./manifesto/02-nfrs.md) NFR-COST-05.

0 commit comments

Comments
 (0)