Skip to content

docs(architecture): NFR-COMP-01 — split retention floor from WORM substrate by shelf#246

Merged
Yambr merged 1 commit into
next/v1from
nfr-comp-01-shelf-split
Jun 6, 2026
Merged

docs(architecture): NFR-COMP-01 — split retention floor from WORM substrate by shelf#246
Yambr merged 1 commit into
next/v1from
nfr-comp-01-shelf-split

Conversation

@Yambr

@Yambr Yambr commented Jun 6, 2026

Copy link
Copy Markdown
Collaborator

What

Rewords NFR-COMP-01 (one row, ID preserved) to separate two things the current cell fuses:

  • Retention floor (7y/10y, hot→cold, machine-enforced) — mandatory on both shelves.
  • WORM Object-Lock substrate (S3 Object Lock Compliance or equivalent) — the full-shelf cold-tier realization. On the minimal shelf the floor holds on a plain file system with hash-chain + signed Merkle-head tamper-evidence (NFR-SEC-03) — tamper-evident, not WORM-immutable.

Why

The current row reads "Audit-log retention … WORM (S3 Object Lock Compliance or equivalent) … hot→cold" with no shelf qualifier. A reviewer can read it as Object-Lock mandatory on every shelf — which the one-click-solo minimal shelf (no object store) cannot satisfy, breaking the one-click-solo non-negotiable. The split keeps retention mandatory everywhere while making only the substrate shelf-conditional, mirroring the host-local/HSM split already in NFR-SEC-03.

The preventive-vs-detective distinction (full-shelf WORM is immutable; minimal-shelf hash-chain detects tampering after the fact) is stated in-cell so a bank InfoSec reviewer is not misled.

Consistency

ID preserved and retention stays the headline noun, so the four NFR-COMP-01 cross-refs stay valid unchanged: 02-trust-boundaries.md §10, AP-13, and 07-audit-pipeline.md Config/Capacity rows all anchor on retention. 07-audit-pipeline.md Shelf-delta (line 102) already defers the WORM substrate to an ADR — now matched, not contradicted.

Sequence

PR-B of three. PR-A (build-scope principle, #245) merged. PR-C is ADR-0009 "Audit pipeline is pluggable-by-contract", which cites this split.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Clarified audit-log retention policies and data protection mechanisms across different storage tiers.

…strate by shelf

The row fused the retention floor with the WORM Object-Lock substrate in one
clause with no shelf qualifier, readable as "Object-Lock mandatory on every
shelf" — which the minimal one-click-solo shelf (no object store) cannot meet.

Reworded as one row (ID preserved, retention stays the headline noun so the
four NFR-COMP-01 cross-refs stay valid): the 7y/10y retention floor is
machine-enforced on BOTH shelves; the WORM Object-Lock cold tier is the full
shelf realization; the minimal shelf holds the floor on a plain file system
with hash-chain + signed Merkle-head tamper-evidence (NFR-SEC-03) — tamper-
evident, not WORM-immutable. Only the substrate is shelf-conditional; the
floor is not relaxed. Mirrors the host-local/HSM shelf split of NFR-SEC-03.

Unblocks ADR-0009 (audit pipeline pluggable-by-contract), which cannot cite
an unsplit NFR-COMP-01 as if it cleanly maps to the WORM seam.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 6, 2026

Copy link
Copy Markdown

Wondering what really moved? Review this PR in Change Stack to inspect semantic changes, definitions, and references.

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: ff8d7830-041e-4705-b8bb-12f9968df0c2

📥 Commits

Reviewing files that changed from the base of the PR and between a0bae28 and d9a71d9.

📒 Files selected for processing (1)
  • docs/architecture/manifesto/02-nfrs.md

Walkthrough

Updated the NFR manifesto document with a clarified audit-log retention requirement. The revision explicitly describes the two-shelf tiering strategy: hot-to-cold tiering windows, WORM immutability on the full shelf, and tamper-evidence via hash-chaining and signed Merkle-head on the minimal shelf. The document review date was also refreshed.

Changes

Architecture Manifesto Updates

Layer / File(s) Summary
NFR-COMP-01 retention tiering clarification and manifesto review
docs/architecture/manifesto/02-nfrs.md
NFR-COMP-01 requirement expanded to explicitly describe hot-to-cold tiering windows and distinguish shelf-conditional cold-tier implementations (WORM on full shelf vs. hash-chain + signed Merkle-head tamper-evidence on minimal shelf). Document last-reviewed timestamp updated to 2026-06-06.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • Wide-Moat/open-computer-use#146: Both PRs modify docs/architecture/manifesto/02-nfrs.md, with that PR introducing the NFR-COMP layer-2 manifesto content and this PR further refining the NFR-COMP-01 retention tiering clarification.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main change: clarifying how NFR-COMP-01's retention floor is separated from WORM substrate implementation, with shelf-specific realization (WORM for full shelf, hash-chain tamper-evidence for minimal shelf).
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch nfr-comp-01-shelf-split

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@Yambr Yambr merged commit a4ec2b0 into next/v1 Jun 6, 2026
17 checks passed
@Yambr Yambr deleted the nfr-comp-01-shelf-split branch June 6, 2026 09:57
Yambr added a commit that referenced this pull request Jun 6, 2026
#247)

Draw the build/buy line for the whole audit tract in one decision. OCU
delivers the chain of custody and a local durable commit (the NFR-REL-03
RPO=0 forcer); the bus product, WORM store, SIEM sink, transparency-log
endpoint, and signing-key custody are pluggable seams, each a contract with
a one-click-solo reference default, none an OCU CVE responsibility.

Descends from the build-scope principle (03-non-negotiables, #245) and the
NFR-COMP-01 retention/WORM-substrate split (#246). Resolves the two
component-07 Shelf-delta picks and anchors 02-trust-boundaries §10 to an
ADR for the first time. Records one role per the ADR-0005 precedent.

Same-PR canon edits (one-source-of-truth): ADR index row; spec-07
adr: [0009] + Shelf-delta back-link; trust-boundaries §10 ADR anchor.
Per-seam transport stays open (#150, #151).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant