# Accountability Root Manifest

The accountability root manifest is the handoff between the financial Fabric model and the discovery/update loop. It answers where discovery starts.

A manifest names the netkingdom, actors, fabric boundaries, and durable roots that can prove repositories, deployment realities, service configuration, endpoint contracts, backup/recovery evidence, and secret-root metadata. It does not collect live telemetry and it does not make State Hub the authoring surface for topology.

Schema:

```text
schemas/accountability-root-manifest.schema.yaml
```

Current Railiance manifest:

```text
fabric/discovery/railiance-accountability-roots.yaml
```

Tenant/subfabric example:

```text
examples/discovery/accountability-root-manifest.yaml
```

Raw evidence run schema:

```text
schemas/accountability-root-evidence.schema.yaml
```

Identity projection schema:

```text
schemas/accountability-identity-projection.schema.yaml
```

Ownership review schema:

```text
schemas/accountability-ownership-review.schema.yaml
```

Update delta schema:

```text
schemas/accountability-update-delta.schema.yaml
```

## Required Sections

- `netkingdom`: root id, name, and king actor.
- `actors`: king, lord, tenant, operator, or steward actors.
- `fabrics`: fabric and subfabric boundaries.
- `discovery_roots`: durable roots such as State Hub repo inventory, Gitea organizations, registry manifests, host paths, repo checkouts, deployment automation, endpoint contracts, backup/recovery evidence, and secret-root metadata.
- `refresh`: cadence and trigger hints for the future update loop.

## Boundary Rules

The current Railiance manifest has one active fabric: `fabric.railiance.primary`. Future tenant subfabrics are added under that fabric by adding a tenant actor, a `Subfabric`, and subfabric-scoped discovery roots. This does not change the root fabric criterion: the fabric boundary still rests on financial and operational accountability.

Discovery roots should state `safe_discovery` explicitly.
Secret and backup roots should use `metadata_only` or `explicit_review`; adapters must never read secret values or operational telemetry while building Fabric graph evidence.

## Collecting Root Evidence

The first adapter slice emits raw evidence without promoting it into accepted graph snapshots:

```bash
railiance-fabric discover-roots \
  --manifest fabric/discovery/railiance-accountability-roots.yaml \
  --max-items-per-root 200
```

The command covers manifest-backed repository inventory, repository checkout identity, host-path evidence, deployment automation and infrastructure files, State Hub/Gitea metadata roots, endpoint/service-config roots, and safe metadata-only backup or secret roots. Remote HTTP reads are disabled by default; pass `--include-remote` only when the operator intentionally wants configured remote roots such as State Hub inventory endpoints to be fetched.

The output is an `AccountabilityRootEvidenceRun`. Every evidence item carries provenance, source, fingerprint, `durable: true`, and `live_telemetry: false`, preserving the boundary between Fabric evidence and operational telemetry.

To normalize raw evidence into reviewable identity candidates:

```bash
railiance-fabric discover-roots \
  --identity-projection \
  --max-items-per-root 200
```

To persist raw evidence and identity candidates in a local SQLite store:

```bash
railiance-fabric discover-roots \
  --store-db .railiance-fabric/accountability-evidence.sqlite3 \
  --identity-projection
```

The store is intentionally separate from accepted registry graph snapshots. It keeps raw evidence runs, evidence items, and identity candidates available for inspection before any candidate is promoted.
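
A check that could run before evidence is stored, covering the `safe_discovery` rule from Boundary Rules and the per-item evidence invariants; it is an added example, not project code. It assumes the manifest and evidence run are already loaded as dicts, and the `id`, `kind`, and `items` keys and all sample values are assumptions because the schemas are not reproduced here.

```python
# Added example: keys other than those quoted on the page are assumptions.
REQUIRED_ITEM_FIELDS = ("provenance", "source", "fingerprint")
SENSITIVE_MODES = {"metadata_only", "explicit_review"}

def lint_roots(manifest):
    """Return boundary-rule violations for a manifest's discovery_roots."""
    problems = []
    for root in manifest.get("discovery_roots", []):
        rid = root.get("id", "<no id>")  # "id" and "kind" are assumed keys
        mode = root.get("safe_discovery")
        kind = str(root.get("kind", ""))
        if mode is None:
            problems.append(f"{rid}: safe_discovery not stated")
        elif ("secret" in kind or "backup" in kind) and mode not in SENSITIVE_MODES:
            problems.append(f"{rid}: {kind} root uses safe_discovery={mode}")
    return problems

def audit_evidence(run):
    """Return violations of the per-item evidence invariants in a run."""
    problems = []
    for index, item in enumerate(run.get("items", [])):  # "items" is assumed
        label = item.get("fingerprint") or f"item[{index}]"
        for field in REQUIRED_ITEM_FIELDS:
            if not item.get(field):
                problems.append(f"{label}: missing {field}")
        if item.get("durable") is not True:
            problems.append(f"{label}: durable is not true")
        if item.get("live_telemetry") is not False:
            problems.append(f"{label}: live_telemetry is not false")
    return problems

# Constructed sample data, not tool output; "read_content" is a made-up mode.
SAMPLE_MANIFEST = {"discovery_roots": [
    {"id": "root.repos", "kind": "repo_inventory", "safe_discovery": "read_content"},
    {"id": "root.vault", "kind": "secret_root", "safe_discovery": "read_content"},
    {"id": "root.backups", "kind": "backup_evidence"},
    {"id": "root.keys", "kind": "secret_root", "safe_discovery": "metadata_only"},
]}
SAMPLE_RUN = {"items": [
    {"provenance": "manifest", "source": "root.repos", "fingerprint": "fp-1",
     "durable": True, "live_telemetry": False},
    {"provenance": "manifest", "source": "root.hosts", "fingerprint": "fp-2",
     "durable": True, "live_telemetry": True},
    {"source": "root.keys", "durable": True, "live_telemetry": False},
]}

if __name__ == "__main__":
    print("\n".join(lint_roots(SAMPLE_MANIFEST) + audit_evidence(SAMPLE_RUN)))
```

The identity checks (`is not True`, `is not False`) reject items where the flags are absent or carry a truthy/falsy stand-in such as `1` or `""`, so a missing `live_telemetry` field fails closed.
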
## Ownership Review

To resolve ownership and containment from the normalized identities:

```bash
railiance-fabric discover-roots \
  --ownership-review \
  --store-db .railiance-fabric/accountability-evidence.sqlite3
```

The ownership review inherits owners from fabric/subfabric containment when possible, applies explicit owner evidence from discovery roots, and marks unresolved or ambiguous candidates as `needs_review`. Accepted candidates must have a resolved owner and containment unless they are actors or the netkingdom root.

To persist a reviewer decision for a stable identity candidate:

```bash
railiance-fabric review-identity identity:repository:example-repo \
  --store-db .railiance-fabric/accountability-evidence.sqlite3 \
  --decision accept \
  --owner-actor-id actor.railiance.primary-lord \
  --fabric-id fabric.railiance.primary \
  --reviewer operator \
  --note "accepted from reviewed checkout evidence"
```

Reviewer decisions are keyed by stable identity key. Later rescans apply the latest decision for that key, so ordinary evidence refreshes do not lose reviewed ownership choices.

## Update Deltas

To compare the current run with previous identity and ownership-review outputs:

```bash
railiance-fabric discover-roots \
  --delta \
  --previous-identity-projection previous-identities.json \
  --previous-ownership-review previous-ownership.json
```

The delta separates candidate graph node changes, candidate graph edge changes, ownership changes, containment changes, review-state changes, and blocker changes. When `summary.promotion_needed` is `false`, the update loop can skip promotion because the durable evidence produced no meaningful Fabric change.
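
A gate the update loop could run before promotion, combining the `summary.promotion_needed` flag with the Ownership Review acceptance rule; it is an added example, not project code. The `candidates`, `state`, `kind`, `identity_key`, `owner_actor_id`, and `fabric_id` keys are assumed names for the JSON outputs, and the sample documents are constructed.

```python
# Added example: keys other than summary.promotion_needed and the needs_review
# state are assumptions about the JSON layout, not the project's schema.
EXEMPT_KINDS = {"actor", "netkingdom"}  # need no owner or containment


def promotion_gate(delta, ownership_review):
    """Return (decision, blockers); decision is "skip", "blocked" or "promote"."""
    # Only an explicit false skips promotion; a missing flag is treated as needed.
    if delta.get("summary", {}).get("promotion_needed") is False:
        return "skip", []
    blockers = []
    for cand in ownership_review.get("candidates", []):
        key, state = cand.get("identity_key"), cand.get("state")
        if state == "needs_review":
            blockers.append(f"{key}: needs_review")
        elif state == "accepted" and cand.get("kind") not in EXEMPT_KINDS:
            missing = [f for f in ("owner_actor_id", "fabric_id") if not cand.get(f)]
            if missing:
                blockers.append(f"{key}: accepted without {', '.join(missing)}")
    return ("blocked" if blockers else "promote"), blockers


# Constructed sample review output.
SAMPLE_REVIEW = {"candidates": [
    {"identity_key": "identity:repository:example-repo", "kind": "repository",
     "state": "accepted", "owner_actor_id": "actor.railiance.primary-lord",
     "fabric_id": "fabric.railiance.primary"},
    {"identity_key": "identity:actor:operator", "kind": "actor", "state": "accepted"},
    {"identity_key": "identity:repository:orphan", "kind": "repository",
     "state": "accepted", "owner_actor_id": "actor.railiance.primary-lord"},
    {"identity_key": "identity:host:unknown", "kind": "host", "state": "needs_review"},
]}

if __name__ == "__main__":
    decision, blockers = promotion_gate({"summary": {"promotion_needed": True}},
                                        SAMPLE_REVIEW)
    print(decision)
    print("\n".join(blockers))
```
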