generated from coulomb/repo-seed
spec(SHARD-WP-0005 T8): tenant isolation of derived tier + history scaling
Fixes B-3/C-3. §9.1 structural per-tenant partitioning of the derived tier (no shared cross-tenant cache; read-time filtering as defence-in-depth; reconciles I-2+L5 per partition); new invariant I-13. §8.1 history stays recoverable AND bounded (gc/repack, squash-compaction of churn preserving recoverable endpoints, per-shard offload, anti-abuse hooks). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -101,6 +101,7 @@ principles fused with the research through-lines.
| I-10 | **History is the floor.** Every write is a recoverable commit; recoverability, not gatekeeping, is the baseline protection. | ArchitectureBlueprint §2 |
| I-11 | **Authorization in core, authentication delegated.** Core decides who-may; an external provider says who-is. | INTENT; ArchitectureBlueprint |
| I-12 | **Not a file-sync daemon; not an execution platform.** Sync is wiki-page-semantic; computation is recognised+projected, not hosted. | INTENT; computational-page-model synthesis |
| I-13 | **Tenant-partitioned derived state.** Derived state is partitioned by tenant/root entity; no derived artifact spans tenants except via explicit, authorised cross-root federation. | §9.1; review B-3 |

---

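Review bot: the I-13 row says derived state is partitioned by "tenant/root entity", while the italic invariant text added to §9.1 in this same commit says only "by tenant"; pick one phrasing and use it in both places, since the table row is what later sections will cite. The row also leans on a term ("cross-root federation") that no other invariant defines and that the table block does not point to; the source column "§9.1; review B-3" follows the other rows' convention, but a pointer to where federation authorisation is actually specified (the policy surface in §10, presumably) would make the invariant checkable.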
@@ -390,6 +391,23 @@ operations (fork, import, reconcile, overlay-apply, space-branch) and **is** the
the journal supplements (begins-now / mirrors-forward / snapshots-replica) or imports
(backfill open file history). History portability is a spectrum, handled per profile (axis 5).

**History must stay recoverable *and* bounded (review C-3).** "Every write is a commit" + open
L0 means an unbounded, bot-/vandalism-amplified journal that eventually degrades Git itself.
Recoverability (I-10) is non-negotiable, so the answer is *compaction, not deletion*:

- **Routine git maintenance** — background `gc`/repack, commit-graph, and (for very large
spaces) partial-clone / sparse strategies; operational, no semantic change.
- **Squash-compaction of low-value churn (policy, §10)** — long runs of rapid same-author
edits or revert-pairs can be folded into checkpoint commits *while preserving the recoverable
endpoints*; what is squashed is configurable and always leaves the content recoverable (it
compacts the *path*, not the *reachable states*).
- **Per-shard history offload** — a git-IS-store shard keeps its own history in its own repo;
the coordination journal references it rather than duplicating it (the journal records
*coordination* events, not a second copy of every shard commit).
- **Anti-abuse hooks (policy)** — rate-limiting / quarantine for anonymous L0 writers feed the
authz/policy layer; they throttle *abuse*, never legitimate history. Recoverability is the
floor; bounding is how it survives at scale.

### 8.2 Overlay / patch engine (L3)

The default write path for anything below write-through capability (I-5): an edit becomes a
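Review bot: the squash-compaction bullet contradicts itself: folding a run of edits into checkpoint commits "while preserving the recoverable endpoints" is precisely what makes the intermediate states unreachable, yet the parenthesis claims it "compacts the *path*, not the *reachable states*". Say plainly that the intermediate states inside a squashed run are discarded and only the endpoints stay recoverable, and say how that squares with I-10 ("every write is a recoverable commit"), for example by restricting squashing to runs whose intermediate states are reconstructible from the endpoints, or by making "recoverable" mean endpoint-recoverable for such runs. A second point follows from the per-shard offload bullet: squashing rewrites commit ids, and the coordination journal is specified to hold references to shard commits rather than copies, so a squash in a shard repo can leave journal (and provenance-envelope) references dangling. Add a rule that compaction either preserves every referenced commit id or updates the journal's references in the same operation.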
@@ -612,6 +630,30 @@ summarised here for completeness:
is resolved. Provenance carries authz context so the union never leaks unreadable content
(the L5↔provenance-rail interaction).

### 9.1 Tenant isolation of the derived tier (review B-3)

Read-time authz filtering is necessary but **not sufficient** when the derived tier is
*persisted*: a single cross-tenant union/index cache guarded only by a filter on read is a
standing leak surface (one filtering bug exposes another tenant's content). So isolation is
**structural, not just procedural**:

- **The derived tier is partitioned per tenant / root entity.** A tenant maps to a root entity
(§4); its union graph, equivalence index, projections, and caches live in a **separate
partition** keyed by that tenant. There is no shared cross-tenant derived store to leak from.
- **No cross-tenant equivalence by default.** Blocking/LSH (§8.7) operates *within* a partition;
cross-tenant equivalence is an explicit, authorised, opt-in federation between roots, never an
accident of a shared index.
- **Read-time filtering remains, as defence-in-depth** — the provenance envelope's authz context
is still checked, so even within a partition a principal sees only what it may; partitioning
removes the *blast radius*, filtering removes the *fine-grained* leak.
- **This reconciles I-2 with L5:** recomputability (a persisted-but-disposable derived tier) is
preserved *per partition* — each tenant's derived tier is independently rebuildable from that
tenant's canonical state — so isolation costs nothing in the rebuild model. At L0/L1 (single
tenant) there is one partition and the machinery is invisible.

**Isolation invariant (add to §2 as I-13):** *derived state is partitioned by tenant; no
derived artifact spans tenants except through an explicit, authorised cross-root federation.*

---

## 10. The policy surface (mechanism over policy, made concrete)

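Review bot: the partition key is the security boundary this section introduces, but the first bullet ("keyed by that tenant") never says where the key comes from. If the key can be influenced by the request (a tenant or root identifier supplied by the caller) rather than derived server-side from the authenticated principal's authz context, then partition selection becomes the very cross-tenant path the partitioning was meant to close; state that the key is resolved from the principal's root entity (§4), never taken from caller input. Two smaller gaps: the federation bullet does not say which partition owns a cross-root derived artifact or whose authz context filters reads of it, and the closing sentence ("one partition and the machinery is invisible" at L0/L1) should not be read as permission to leave the multi-partition path untested at those levels, since the single-tenant case is where a key-derivation bug would go unnoticed.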
@@ -164,7 +164,7 @@ implied-position rules. Update §6.

```task
id: SHARD-WP-0005-T7
status: todo
status: done
priority: medium
state_hub_task_id: "b84b790f-d208-4a76-af9f-1402a6a87ac1"
```

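Review bot: the task closed here (SHARD-WP-0005-T7, status todo → done) does not match the commit subject, which names T8; confirm which task this commit actually completes, or whether T7 is intentionally closed alongside T8, so the task record and the subject agree.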