From c895d33091ab5f12a54ce5ac79c2667d4bb7fdc4 Mon Sep 17 00:00:00 2001 From: tegwick Date: Mon, 15 Jun 2026 01:41:09 +0200 Subject: [PATCH] spec(SHARD-WP-0005 T8): tenant isolation of derived tier + history scaling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes B-3/C-3. §9.1 structural per-tenant partitioning of the derived tier (no shared cross-tenant cache; read-time filtering as defence-in-depth; reconciles I-2+L5 per partition); new invariant I-13. §8.1 history stays recoverable AND bounded (gc/repack, squash-compaction of churn preserving recoverable endpoints, per-shard offload, anti-abuse hooks). Co-Authored-By: Claude Opus 4.8 --- spec/CoreArchitectureBlueprint.md | 42 +++++++++++++++++++ .../SHARD-WP-0005-architecture-hardening.md | 2 +- 2 files changed, 43 insertions(+), 1 deletion(-) diff --git a/spec/CoreArchitectureBlueprint.md b/spec/CoreArchitectureBlueprint.md index 8d65066..80f8df3 100644 --- a/spec/CoreArchitectureBlueprint.md +++ b/spec/CoreArchitectureBlueprint.md @@ -101,6 +101,7 @@ principles fused with the research through-lines. | I-10 | **History is the floor.** Every write is a recoverable commit; recoverability, not gatekeeping, is the baseline protection. | ArchitectureBlueprint §2 | | I-11 | **Authorization in core, authentication delegated.** Core decides who-may; an external provider says who-is. | INTENT; ArchitectureBlueprint | | I-12 | **Not a file-sync daemon; not an execution platform.** Sync is wiki-page-semantic; computation is recognised+projected, not hosted. | INTENT; computational-page-model synthesis | +| I-13 | **Tenant-partitioned derived state.** Derived state is partitioned by tenant/root entity; no derived artifact spans tenants except via explicit, authorised cross-root federation. | §9.1; review B-3 | --- 
@@ -390,6 +391,23 @@ operations (fork, import, reconcile, overlay-apply, space-branch) and **is** the the journal supplements (begins-now / mirrors-forward / snapshots-replica) or imports (backfill open file history). History portability is a spectrum, handled per profile (axis 5). +**History must stay recoverable *and* bounded (review C-3).** "Every write is a commit" + open +L0 means an unbounded, bot-/vandalism-amplified journal that eventually degrades Git itself. +Recoverability (I-10) is non-negotiable, so the answer is *compaction, not deletion*: + +- **Routine git maintenance** — background `gc`/repack, commit-graph, and (for very large + spaces) partial-clone / sparse strategies; operational, no semantic change. +- **Squash-compaction of low-value churn (policy, §10)** — long runs of rapid same-author + edits or revert-pairs can be folded into checkpoint commits *while preserving the recoverable + endpoints*; what is squashed is configurable and always leaves the content recoverable (it + compacts the *path*, not the *reachable states*). +- **Per-shard history offload** — a git-IS-store shard keeps its own history in its own repo; + the coordination journal references it rather than duplicating it (the journal records + *coordination* events, not a second copy of every shard commit). +- **Anti-abuse hooks (policy)** — rate-limiting / quarantine for anonymous L0 writers feed the + authz/policy layer; they throttle *abuse*, never legitimate history. Recoverability is the + floor; bounding is how it survives at scale. + ### 8.2 Overlay / patch engine (L3) The default write path for anything below write-through capability (I-5): an edit becomes a 
@@ -612,6 +630,30 @@ summarised here for completeness: is resolved. Provenance carries authz context so the union never leaks unreadable content (the L5↔provenance-rail interaction). +### 9.1 Tenant isolation of the derived tier (review B-3) + +Read-time authz filtering is necessary but **not sufficient** when the derived tier is +*persisted*: a single cross-tenant union/index cache guarded only by a filter on read is a +standing leak surface (one filtering bug exposes another tenant's content). So isolation is +**structural, not just procedural**: + +- **The derived tier is partitioned per tenant / root entity.** A tenant maps to a root entity + (§4); its union graph, equivalence index, projections, and caches live in a **separate + partition** keyed by that tenant. There is no shared cross-tenant derived store to leak from. +- **No cross-tenant equivalence by default.** Blocking/LSH (§8.7) operates *within* a partition; + cross-tenant equivalence is an explicit, authorised, opt-in federation between roots, never an + accident of a shared index. +- **Read-time filtering remains, as defence-in-depth** — the provenance envelope's authz context + is still checked, so even within a partition a principal sees only what it may; partitioning + removes the *blast radius*, filtering removes the *fine-grained* leak. +- **This reconciles I-2 with L5:** recomputability (a persisted-but-disposable derived tier) is + preserved *per partition* — each tenant's derived tier is independently rebuildable from that + tenant's canonical state — so isolation costs nothing in the rebuild model. At L0/L1 (single + tenant) there is one partition and the machinery is invisible. + +**Isolation invariant (add to §2 as I-13):** *derived state is partitioned by tenant; no +derived artifact spans tenants except through an explicit, authorised cross-root federation.* + --- ## 10. The policy surface (mechanism over policy, made concrete) 
diff --git a/workplans/SHARD-WP-0005-architecture-hardening.md b/workplans/SHARD-WP-0005-architecture-hardening.md index a9bdd5f..0f777ac 100644 --- a/workplans/SHARD-WP-0005-architecture-hardening.md +++ b/workplans/SHARD-WP-0005-architecture-hardening.md @@ -164,7 +164,7 @@ implied-position rules. Update §6. ```task id: SHARD-WP-0005-T7 -status: todo +status: done priority: medium state_hub_task_id: "b84b790f-d208-4a76-af9f-1402a6a87ac1" ```
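Review bot: the new I-13 row keys the partition as "tenant/root entity" while the §9.1 invariant text added in the same patch says "partitioned by tenant"; pick one formulation (the §4 mapping makes "root entity" the precise key, with "tenant" as the name for it) and use it in both places so the invariant table and its source section do not drift. Also, the Source column cites "review B-3", which is a review finding rather than a document; either cite §9.1 alone or name the review document the way the other rows name INTENT and ArchitectureBlueprint.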
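Review bot: the squash-compaction bullet promises that reachable states stay recoverable, but it does not say what happens to journal entries, provenance envelopes, or per-shard offload references that point at a commit folded into a checkpoint; since the offload bullet in the same hunk has the coordination journal reference shard commits instead of copying them, rewriting shard history can leave those references dangling. Suggest one sentence requiring that compaction either keep folded commits reachable (retained refs or notes) or record an old-id to checkpoint-id mapping that the journal resolves, and that §10 policy may choose what is squashed but never bypass that mapping.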
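Review bot: the federation exception is invoked three times ("explicit, authorised cross-root federation") but §9.1 never says where a federated derived artifact lives or whose authz context governs it; with strictly per-tenant partitions an artifact spanning two roots has no home, and the "independently rebuildable from that tenant's canonical state" claim does not hold for it. Suggest a bullet stating that a federation gets its own partition keyed by the participating roots, is rebuilt from the union of those roots' canonical state, and is dropped when the federation is revoked. Separately, "Isolation invariant (add to §2 as I-13)" reads as an outstanding task even though this patch already adds the I-13 row; replace it with a plain cross-reference such as "(I-13, §2)".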
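Review bot: the task flipped to done here is SHARD-WP-0005-T7 (`-status: todo` / `+status: done`), but the subject line scopes this change to T8; confirm that T7 is the task this spec work closes, or whether the T8 block (not in this hunk) is the one that should move to done.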