railiance-fabric/docs/accountability-root-manifest.md

Accountability Root Manifest

The accountability root manifest is the handoff between the financial Fabric model and the discovery/update loop.

It answers where discovery starts. A manifest names the netkingdom, actors, fabric boundaries, and durable roots that can prove repositories, deployment realities, service configuration, endpoint contracts, backup/recovery evidence, and secret-root metadata. It does not collect live telemetry and it does not make State Hub the authoring surface for topology.

Schema:

schemas/accountability-root-manifest.schema.yaml

Current Railiance manifest:

fabric/discovery/railiance-accountability-roots.yaml

Tenant/subfabric example:

examples/discovery/accountability-root-manifest.yaml

Raw evidence run schema:

schemas/accountability-root-evidence.schema.yaml

Identity projection schema:

schemas/accountability-identity-projection.schema.yaml

Ownership review schema:

schemas/accountability-ownership-review.schema.yaml

Update delta schema:

schemas/accountability-update-delta.schema.yaml

Required Sections

• netkingdom: root id, name, and king actor.
• actors: king, lord, tenant, operator, or steward actors.
• fabrics: fabric and subfabric boundaries.
• discovery_roots: durable roots such as State Hub repo inventory, Gitea organizations, registry manifests, host paths, repo checkouts, deployment automation, endpoint contracts, backup/recovery evidence, and secret-root metadata.
• refresh: cadence and trigger hints for the future update loop.

Boundary Rules

The current Railiance manifest has one active fabric: fabric.railiance.primary. Future tenant subfabrics are added under that fabric by adding a tenant actor, a Subfabric, and subfabric-scoped discovery roots. This does not change the root fabric criterion: the fabric boundary still rests on financial and operational accountability.

owner_actor_id on a discovery root describes the default owner to attach to identity candidates discovered through that root. For ordinary repositories, deployment files, and host-path evidence this should be the lord who pays for the fabric. King authority remains modeled on the netkingdom and on roots that represent recovery, secret, backup, or termination authority.

Discovery roots should state safe_discovery explicitly. Secret and backup roots should use metadata_only or explicit_review; adapters must never read secret values or operational telemetry while building Fabric graph evidence.

Collecting Root Evidence

The first adapter slice emits raw evidence without promoting it into accepted graph snapshots:

railiance-fabric discover-roots \
  --manifest fabric/discovery/railiance-accountability-roots.yaml \
  --max-items-per-root 200

The command covers manifest-backed repository inventory, repository checkout identity, host-path evidence, deployment automation and infrastructure files, State Hub/Gitea metadata roots, endpoint/service-config roots, and safe metadata-only backup or secret roots. Remote HTTP reads are disabled by default; pass --include-remote only when the operator intentionally wants configured remote roots such as State Hub inventory endpoints to be fetched.

The output is an AccountabilityRootEvidenceRun. Every evidence item carries provenance, source, fingerprint, durable: true, and live_telemetry: false, preserving the boundary between Fabric evidence and operational telemetry.

To normalize raw evidence into reviewable identity candidates:

railiance-fabric discover-roots \
  --identity-projection \
  --max-items-per-root 200

To persist raw evidence and identity candidates in a local SQLite store:

railiance-fabric discover-roots \
  --store-db .railiance-fabric/accountability-evidence.sqlite3 \
  --identity-projection

The store is intentionally separate from accepted registry graph snapshots. It keeps raw evidence runs, evidence items, and identity candidates available for inspection before any candidate is promoted.

Ownership Review

To resolve ownership and containment from the normalized identities:

railiance-fabric discover-roots \
  --ownership-review \
  --store-db .railiance-fabric/accountability-evidence.sqlite3

The ownership review inherits owners from fabric/subfabric containment when possible, applies explicit owner evidence from discovery roots, and marks unresolved or ambiguous candidates as needs_review. Accepted candidates must have a resolved owner and containment unless they are actors or the netkingdom root.

To persist a reviewer decision for a stable identity candidate:

railiance-fabric review-identity identity:repository:example-repo \
  --store-db .railiance-fabric/accountability-evidence.sqlite3 \
  --decision accept \
  --owner-actor-id actor.railiance.primary-lord \
  --fabric-id fabric.railiance.primary \
  --reviewer operator \
  --note "accepted from reviewed checkout evidence"

Reviewer decisions are keyed by stable identity key. Later rescans apply the latest decision for that key, so ordinary evidence refreshes do not lose reviewed ownership choices.

Update Deltas

To compare the current run with previous identity and ownership-review outputs:

railiance-fabric discover-roots \
  --delta \
  --previous-identity-projection previous-identities.json \
  --previous-ownership-review previous-ownership.json

The delta separates candidate graph node changes, candidate graph edge changes, ownership changes, containment changes, review-state changes, and blocker changes. When summary.promotion_needed is false, the update loop can skip promotion because the durable evidence produced no meaningful Fabric change.