spec(SHARD-WP-0006 T5): track §C as O-8..O-12; refresh decisions/traceability; close-out

Adds O-8 (preset bundles), O-9 (shard sharing vs tenant partition), O-10 (span authz + transclusion ⊕), O-11 (union under unavailability), O-12 (append-log throughput) to §12. Refreshes §14 decisions (event-sourced coordination, conformance, I-2 verification) and §16 traceability (round-2 review + WP-0006). Flips SHARD-WP-0006 done. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-15 02:03:58 +02:00
parent 1ad70a9c8a
commit d39e7f7765
3 changed files with 22 additions and 4 deletions
--- a/SCOPE.md
+++ b/SCOPE.md
@@ -22,7 +22,7 @@ Learnings update both SCOPE and INTENT where necessary.
 | Research | yawex prior art; c2 origins; federation concepts; wikiengines overview (`research/260608-*/`); XWiki/TWiki/Foswiki deep dives (`research/260613-*/`); Xanadu + ZigZag + Roam + Obsidian + Notion + Joplin + Logseq + local-first workspaces (Anytype/AFFiNE/AppFlowy) + Trilium + Wiki.js + Federated Wiki + Wikibase + git-forge wikis + TiddlyWiki + ikiwiki + Quip + MojoMojo + Oddmuse + UseModWiki deep dives & shard-spectrum synthesis (`research/260614-*/`) |
 | Demand | NetKingdom integration asks captured, not yet negotiated |
 | Spec | CoreArchitectureBlueprint (whole-system architecture, hardened via SHARD-WP-0005) + ArchitectureBlueprint (auth/history) drafted; UseCaseCatalog 84 UCs from research; PRD/TSD scaffolds |
-| Work | `SHARD-WP-0001` active (6 tasks); `SHARD-WP-0002` active (18 tasks: T1–T10 federation + T11–T16 adapter contract + T17 federation-model taxonomy + T18 computational content, re-folded from synthesis v3 + the computational page model); `SHARD-WP-0003` **done** (9 engine dives complete); `SHARD-WP-0004` **done** (all 8 computational-knowledge dives T1–T8 complete + "computational page model" synthesis); `SHARD-WP-0005` **done** (9 tasks: CoreArchitectureBlueprint hardened against the 260615 review) |
+| Work | `SHARD-WP-0001` active (6 tasks); `SHARD-WP-0002` active (18 tasks: T1–T10 federation + T11–T16 adapter contract + T17 federation-model taxonomy + T18 computational content, re-folded from synthesis v3 + the computational page model); `SHARD-WP-0003` **done** (9 engine dives complete); `SHARD-WP-0004` **done** (all 8 computational-knowledge dives T1–T8 complete + "computational page model" synthesis); `SHARD-WP-0005` **done** (9 tasks: CoreArchitectureBlueprint hardened against the 260615 review); `SHARD-WP-0006` **done** (5 tasks: round-2 hardening — overview reconciled, event-sourced coordination + append authority, adapter conformance, incremental correctness + I-2 verification) |

 ## In Scope (today)

--- a/spec/CoreArchitectureBlueprint.md
+++ b/spec/CoreArchitectureBlueprint.md
@@ -846,6 +846,11 @@ direction** and a **revisit trigger** — the thing that, if observed, forces a
 | O-5 | **Axis-interaction completeness** (§6.5) | the named interaction table is the contract; extend deliberately | a real adapter needing an interaction not in the table |
 | O-6 | **Span-address portability across projection** (§7.2) | shard-scoped native-id wrapping now; tumbler later | cross-shard transclusion that native ids can't satisfy |
 | O-7 | **Squash-compaction vs. perfect auditability** (§8.1) | compact the *path*, preserve reachable states; configurable | a compliance need for every intermediate keystroke |
+| O-8 | **Policy-knob proliferation → operator burden** (§10) | ship named **preset bundles** ("personal vault" / "team wiki" / "enterprise federation") over the policy surface | operators mis-configuring interacting knobs |
+| O-9 | **Shard sharing across roots vs tenant partition** (§9.1, I-13) | shard exclusive to one root by default; explicit shared-read binding otherwise (avoids double-caching a rate-limited shard) | a shard legitimately needed live in two tenants |
+| O-10 | **Span-level authz under transclusion** (aggregation/inference leak; ⊕ across boundaries, §7.3/§9) | a transcluded span inherits the **stricter** of source & host authz; provenance ⊕ composes the source-page envelope under the host | a real cross-authz transclusion |
+| O-11 | **Union under shard unavailability** (§8.8 covers stale, not down) | **partial union** + per-shard "unavailable" provenance + last-known-projection where policy allows | an SLA need on partial reads |
+| O-12 | **Per-space append-log throughput ceiling** (§8.1 append authority) | single writer per space scales across spaces; per-space log sharding if needed | a single space exceeding one writer's append rate |

 These are the spec-writing inputs for `SHARD-WP-0002`; none blocks the architecture, each
 scopes an implementation spike.
@@ -886,6 +891,14 @@ Decided:
  (§6.5). (Decided.)
 - **Three states; derived = f(canonical)** — sharded + coordination canonical, derived
  disposable (§1). (Decided; supersedes the earlier "edges vs middle" framing.)
+- **Event-sourced coordination, one append authority per space** — coordination-canonical state
+  is an append-only **decision log** in the git journal; current state is a derived fold; a
+  per-space append lease gives a totally-ordered log and read-your-writes across orchestrator
+  instances (§8.1). (Decided — resolves the single-vs-multi-writer keystone.)
+- **Profiles are verified, not asserted** — a versioned **conformance suite** gates adapter
+  admission; capability-as-data acts on verified data (§6.6). (Decided.)
+- **I-2 is eventually-verified** — incremental maintenance is the fast path; a digest +
+  background consistency-checker detects and self-heals drift (§8.7). (Decided.)
 - **Incremental-first, rebuild-as-fallback** — the derived tier is continuously maintained from
  change events; full rebuild is rare and need not be cheap (§8.7). (Decided — resolves the
  earlier "union graph persistence" open item: **persisted, per-tenant, incrementally
@@ -929,6 +942,11 @@ Still open (carried to §12 / policy):
  B-3→§9.1+I-13 (tenant isolation), C-1/C-2→§8.7/§8.8 (incremental + indexed + invalidation),
  C-3→§8.1 (history scaling), D-1→§6.5 (orthogonal core), D-2→§7.3 (layered provenance),
  D-3→§8.4 (common-case projection), D-4→§11 (policy module + rail discipline); open items→§12.
+- **Round-2 review & hardening II** — folds in
+  `history/260615-core-architecture-blueprint-review-2.md` via **`SHARD-WP-0006`**:
+  A-1…A-4→§3/§4/§10/§11 (overview reconciled to the body), B-1+B-3→§8.1 (event-sourced
+  coordination + per-space append authority), B-2→§6.6 (adapter conformance suite),
+  B-4→§8.7 (incremental retraction/propagation + I-2 digest/checker); C-1…C-4→§12 (O-8…O-11).
 - **Research** — §6 (spectra) ← `260614-shard-spectrum-synthesis` v3; §8.3 (federation
  taxonomy) ← v3 §2.5; §8.4–§8.5 (two-axis projection, view registry, computational scope) ←
  `260614-computational-page-model-synthesis`; §7 page shapes ← the engine + modern-tool +
--- a/workplans/SHARD-WP-0006-architecture-hardening-2.md
+++ b/workplans/SHARD-WP-0006-architecture-hardening-2.md
@@ -4,7 +4,7 @@ type: workplan
 title: "core architecture hardening II (round-2 review fixes)"
 domain: whynot
 repo: shard-wiki
-status: active
+status: done
 owner: tegwick
 topic_slug: whynot
 created: "2026-06-15"
@@ -113,7 +113,7 @@ add the conformance obligation to the acceptance posture.

 ```task
 id: SHARD-WP-0006-T4
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "adf4ed28-8338-49ed-a552-c9fbe11c43ee"
 ```
@@ -132,7 +132,7 @@ not merely asserted; on mismatch, recompute the affected partition. State that I

 ```task
 id: SHARD-WP-0006-T5
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "18cb718a-e507-41d0-ae14-b144a56e3d57"
 ```