# AMDUAT-SRS — Detailed Requirements Specification

Status: Approved
Owner: Niklas Rydberg
Version: 0.4.0
SoT: Yes
Last Updated: 2025-11-11
Linked Phase Pack: PH01
Tags: [requirements, cas, kheper]

**Document ID:** `AMDUAT-SRS`
**Layer:** L0 — Requirements baseline (CAS + deterministic composition)

**Depends on (normative):**

* None (requirements baseline)

**Informative references:**

* `AMDUAT-DDS` — byte-level design specification
* ADR-006 — deterministic error semantics
* ADR-015 — CAS rejection matrix alignment

© 2025 Niklas Rydberg.

## License

Except where otherwise noted, this document (text and diagrams) is licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).

The identifier registries and mapping tables (e.g. TypeTag IDs, HashId assignments, EdgeTypeId tables) are additionally made available under CC0 1.0 Universal (CC0) to enable unrestricted reuse in implementations and derivative specifications.

Code examples in this document are provided under the Apache License 2.0 unless explicitly stated otherwise. Test vectors, where present, are dedicated to the public domain under CC0 1.0.

> **Purpose:** Capture normative behavioural requirements for Phase PH01 (Kheper) and beyond. Long-lived semantics live here (not in Phase Packs).

---

## 1. Objectives (from Tier-0 Charter; elaborated)

* Deterministic addressing: identical payload bytes **MUST** yield identical CIDs.
* Immutability: new bytes → new CID; objects MUST NOT be mutated in place.
* Integrity by design: `verify()` MUST detect corruption; zero false positives.
* Instance isolation: storage layout and runtime state are implementation detail.
* Binary canonical substrate: COR/1 is the normative import/export envelope.
* Instance identity: ICD/1 defines stable `instance_id` for future transaction bindings.
* Crypto agility: default SHA-256; algorithm IDs extensible.
* Minimal tooling: reference CLI (`amduatcas`) and C library.
* Conformance: golden vectors and cross-impl CI enforce byte-identity.

---

## 2. Scope (Behavioural)

### 2.1 In Scope

* Local, single-node Content-Addressable Storage (CAS)
* Deterministic hashing with domain separation
* Canonical envelopes (COR/1) and instance descriptor (ICD/1)
* CRUD-adjacent operations: put/get/stat/exists/verify
* Import/export of canonical bytestreams
* Optional listing/gc semantics

### 2.2 Out of Scope (for PH01)

* Networking, replication, consensus
* Multi-object transactions
* Semantic/provenance graphing
* Encryption/ACLs (layer externally)

---

## 3. Functional Requirements

### FR-001 Deterministic CID Production

Given identical payload bytes and algo_id, the CID **MUST** match across compliant implementations.

### FR-002 Immutability

Objects **MUST NOT** be mutated; new payload → new CID.

### FR-003 Idempotent Put

Concurrent `put()` of identical payload MUST yield one canonical object; object integrity preserved.

### FR-004 Verification

`verify(CID)` MUST recompute the CID and detect corruption; zero false positives.

### FR-005 Import/Export Canonicality

Importing COR/1 and then exporting it MUST yield byte-identical bytestreams.

### FR-006 Size Validation

`get()` MUST validate payload length according to COR/1.

### FR-007 Optional Verify-on-Read Policy

Policy MAY require verify for cold reads; MUST NOT corrupt payload if disabled.

### FR-008 Canonical Rejection

CAS decoders MUST reject:

* out-of-order TLV tags
* duplicate TLV tags
* extraneous tags
* trailing bytes
* malformed or over-long VARINT encodings
* payload length mismatches

Rejection MUST be deterministic and symbolic.

### FR-009 Concurrency Discipline

Concurrent `put()` operations for identical payloads MUST NOT yield divergent COR/1 envelopes. Only one canonical envelope may result.

### FR-010 Raw Byte Semantics

CAS MUST operate strictly over exact payload bytes. No normalization (newline, whitespace, UTF-8 interpretation, or Unicode equivalence) SHALL occur.
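
The FR-008 rejection classes can be exercised with a strict decoder. The following is an added example, not code from the AMDUAT project: the envelope layout (one-byte tags `0x01` algo_id, `0x02` size, `0x03` payload, LEB128 lengths) and the reason labels are assumptions made for illustration, since the normative COR/1 byte layout lives in `AMDUAT-DDS`.

```python
# ASSUMED layout (not the DDS one): tag (1 byte) | length (LEB128 varint) | value.
TAG_ALGO_ID, TAG_SIZE, TAG_PAYLOAD = 0x01, 0x02, 0x03
EXPECTED_TAGS = (TAG_ALGO_ID, TAG_SIZE, TAG_PAYLOAD)


class CanonicalityError(ValueError):
    """args[0] is a fixed reason label (illustrative); code is the section 6 symbol."""
    code = "E_CANONICALITY_VIOLATION"


def encode_varint(n):
    out = bytearray()  # shortest-form unsigned LEB128
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)


def read_varint(buf, pos, max_bytes=9):
    """Decode one varint; reject truncated, padded (over-long) or oversized encodings."""
    value = 0
    for i in range(max_bytes):
        if pos + i >= len(buf):
            raise CanonicalityError("varint_truncated")
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            if i > 0 and byte == 0:  # zero high group: a shorter encoding exists
                raise CanonicalityError("varint_overlong")
            return value, pos + i + 1
    raise CanonicalityError("varint_overlong")


def read_scalar(value):
    n, end = read_varint(value, 0)
    if end != len(value):  # a scalar field is exactly one canonical varint
        raise CanonicalityError("scalar_trailing")
    return n


def encode_envelope(algo_id, payload):
    fields = ((TAG_ALGO_ID, encode_varint(algo_id)),
              (TAG_SIZE, encode_varint(len(payload))), (TAG_PAYLOAD, payload))
    return b"".join(bytes([t]) + encode_varint(len(v)) + v for t, v in fields)


def decode_envelope(buf):
    """Return (algo_id, payload) or raise; input is never repaired or normalized (FR-012)."""
    fields, pos, last_tag = {}, 0, 0
    while pos < len(buf):
        if len(fields) == len(EXPECTED_TAGS):
            raise CanonicalityError("trailing_bytes")
        tag = buf[pos]
        if tag not in EXPECTED_TAGS:
            raise CanonicalityError("extraneous_tag")
        if tag in fields:
            raise CanonicalityError("duplicate_tag")
        if tag < last_tag:
            raise CanonicalityError("tag_order")
        length, pos = read_varint(buf, pos + 1)
        if pos + length > len(buf):
            raise CanonicalityError("value_truncated")
        fields[tag], last_tag, pos = buf[pos:pos + length], tag, pos + length
    if len(fields) != len(EXPECTED_TAGS):
        raise CanonicalityError("missing_tag")
    algo_id, size = read_scalar(fields[TAG_ALGO_ID]), read_scalar(fields[TAG_SIZE])
    if size != len(fields[TAG_PAYLOAD]):
        raise CanonicalityError("payload_length_mismatch")
    return algo_id, bytes(fields[TAG_PAYLOAD])


def classify(buf):
    try:
        decode_envelope(buf)
    except CanonicalityError as exc:
        return exc.args[0]
    return "ok"
```

Every malformed input maps to exactly one label regardless of platform, and a successful decode re-encodes to the same bytes, which is the FR-005 round-trip property.
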

### FR-011 Filesystem Independence

Consensus behaviour MUST NOT depend on:

* directory entry ordering
* timestamp metadata
* filesystem case sensitivity
* locale or regional configuration

### FR-012 Deterministic Failure

Malformed objects MUST be rejected. CAS MUST NOT auto-repair or normalize COR/1 envelopes.

### FR-013 Resource Boundaries

Resource exhaustion (disk full, allocation failure) MUST fail atomically and leave no partial objects visible.

### FR-014 FCS/1 Descriptor Determinism (v1-min)

Composite and custom functions MUST be expressed as canonical **FCS/1** descriptors that contain **only the execution recipe**: `function_ptr`, `parameter_block (PCB1)`, and `arity`. Identical descriptors SHALL hash to identical CIDs and MUST remain immutable after publication. **No policy/intent/notes** appear in FCS/1.

### FR-015 Registry Determinism (Descriptor Admission)

Functional registries MUST admit **only canonical FCS/1 descriptors** (per FR-014) and enforce descriptor validation (TLV order, PCB1 arity, acyclicity). Registries MUST NOT infer or embed policy/intent into descriptors; publication governance is handled at certification time (FR-017).

### FR-016 Evaluation Receipt Integrity (FER/1)

Every execution of a composite function under curated or locked policies MUST emit a **FER/1** receipt. The receipt SHALL encode, in canonical TLV order, at least the following evidence:

1. `function_cid` → evaluated FCS/1 descriptor (v1-min) preserving CIP indirection.
2. `input_manifest` → GS/1 BCF/1 set of consumed input CIDs (deduped and byte-lexicographic).
3. `environment` → ICD/1 (or PH03 env capsule) snapshot pinning toolchain/runtime state.
4. `evaluator_id` → stable evaluator identity bytes.
5. `executor_set` → implementations that executed the recipe, keyed in canonical byte order.
6. `parity_vector` → per-executor digests with matching `executor` ordering, shared `output` (`== output_cid`), and `sbom_cid` entries.
7. `executor_fingerprint` + `run_id` → optional SBOM fingerprint CID and deterministic dedup hash (`H("AMDUAT:RUN\0" || function || manifest || env || fingerprint)`).
8. `logs` → typed evidence capsules binding `kind`, `cid`, and `sha256` for stdout/stderr/metrics traces.
9. `limits` → declared execution envelope (`cpu_ms`, `wall_ms`, `max_rss_kib`, `io_reads`, `io_writes`).
10. `determinism_level` / `rng_seed` → declared determinism class (`D1_bit_exact` default, `D2_numeric_stable` requires a 0–32 byte seed).
11. `output_cid` → single canonical output CID for the run.
12. `started_at` / `completed_at` → epoch-second timestamps satisfying FR-020 bounds.
13. `signature` → Ed25519 metadata verifying `H("AMDUAT:FER\0" || canonical bytes)`.

Receipts MAY include optional `logs` (typed capsules), `context`, `witnesses`, `parent`, and `signature_ext` TLVs but MUST NOT leak policy/intent (those belong to FCT/1).

From Phase 04 onwards, governance and runtime layers MUST require FER/1 v1.1 receipts; ER/1 artefacts remain valid only as historical evidence and SHALL NOT satisfy FR-016 compliance gates.

Parity discipline is mandatory: unsorted executor keys or mismatched parity orderings SHALL raise `ERR_IMPL_PARITY_ORDER`; divergent outputs or missing executors SHALL raise `ERR_IMPL_PARITY`. Unknown TLVs or cardinality violations SHALL raise `ERR_FER_UNKNOWN_TAG`. GS/1 manifest violations emit `ERR_FER_INPUT_MANIFEST_SHAPE`; missing RNG seed when determinism ≠ D1 emits `ERR_FER_RNG_REQUIRED`. All signatures MUST verify against the domain-separated hash (`ERR_FER_SIGNATURE` on failure).

### FR-017 Certification Transactions (FCT/1: Policy & Intent)

Certification events MUST be recorded as **FCT/1** transactions that aggregate one or more FER/1 receipts and bind **registry policy, intent, domain scope, and authority role**. Transactions MUST include attestations whenever `registry_policy != 0` and SHALL expose publication pointers when federated.

**All intent/scope/role/authority metadata lives in FCT/1 (not in FCS/1).**

### FR-BS-001 ByteStore Deterministic Identity

ByteStore SHALL derive CIDs using the canonical CAS domain separator: `CID = algo || H("CAS:OBJ\0" || payload)`. The derived CID returned by `put()` and `import_cor()` MUST match the CID embedded in COR/1 envelopes and SHALL remain stable across runs, implementations, and ingest modes (DDS §11.2; ADR-030).

### FR-BS-002 Atomic Durability Ladder

ByteStore persistence MUST follow the atomic write ladder: write → `fsync(tmp)` → `rename` → `fsync(shard)` → `fsync(root)`. Crash-window simulations triggered via `AMDUAT_BYTESTORE_CRASH_STEP` MUST leave the public area consistent upon recovery, with no visible partial objects (DDS §11.4; ADR-030; evidence PH05-EV-BS-001).

### FR-BS-003 Secure/Public Area Isolation

ByteStore SHALL enforce SA/PA isolation such that public payload roots and secure state roots are disjoint and non-overlapping. Violations MUST raise `ERR_AREA_VIOLATION` and SHALL be surfaced to callers (DDS §11.5; ADR-030).

### FR-BS-004 COR/1 Round-Trip Identity

Importing COR/1 bytes via ByteStore and exporting the same CID MUST yield a byte-identical envelope. Any mismatch between stored bytes and derived CID SHALL raise `ERR_IDENTITY_MISMATCH` (DDS §11.3; ADR-030).

### FR-BS-005 Streaming Determinism & Policy Enforcement

Chunked ingestion (`put_stream`) MUST produce the same CID as single-shot `put` for equivalent payloads and reject non-bytes or missing data with deterministic errors (`ERR_STREAM_ORDER`, `ERR_STREAM_TRUNCATED`). ByteStore SHALL enforce ICD/1 `max_object_size` for all ingest paths, raising `ERR_POLICY_SIZE` when exceeded (DDS §11.6–11.7; ADR-030).

### FR-022 Federation Publication Digest (FPD/1)

Every publish event emerging from an FCT/1 certification MUST emit exactly one **FPD/1** digest satisfying ADR-007 single-digest guarantees.
The digest SHALL canonically hash the certified FCT/1 record, all attested FER/1 receipts, and the emitted governance edges (`certifies`, `attests`, `publishes`). Implementations MUST persist the FPD/1 bytes alongside the FCT/1 payload under `/logs/ph03/evidence/fct/` (or successor evidence path) and reference the resulting CID from `fct.publication`. Repeated invocations over identical inputs SHALL reproduce the same digest; mismatches SHALL be treated as certification failures.

### FR-018 Provenance Enforcement

Caching or replay layers MUST validate FER/1 receipts and FCT/1 transactions before serving composite outputs. Serving uncertified artefacts when policy requires certification is forbidden.

### FR-019 Transaction Envelope Rejection

Systems MUST reject FER/1 or FCT/1 envelopes whose CID lineage does not match the referenced FCS/1 descriptor, whose timestamps are non-monotonic, or whose signatures/attestations fail verification.

### FR-020 Deterministic Execution Envelope

| ID | Statement | Verification | Notes |
| --- | --- | --- | --- |
| **FR-020 — Deterministic Execution Envelope** | Each executor SHALL complete within a bounded deterministic time envelope (default 5 s). Execution time SHALL be measured and logged as evidence. Non-termination SHALL yield symbolic error `ERR_EXEC_TIMEOUT`. | Verified via CI parity harness and evidence file `/logs/ph03/evidence/-execution-times.jsonl`. | Implements Maat’s Balance principle. Tags: [deterministic-timing, evidence, maat-balance]. |

### FR-021 Acyclic Composition

FCS/1 descriptors referencing FPS/1 primitives, PCB1 parameter blocks, or nested FCS/1 descriptors MUST form an acyclic graph. Registries SHALL reject submissions introducing self-references or cycles and emit `ERR_FCS_CYCLE_DETECTED` or `ERR_PCB_ARITY_MISMATCH` when arity metadata conflicts with PCB1 manifests.

### FR-028 Concept-Native Domain Materialization

Federated domain manifests SHALL be materialized exclusively from CRS Concepts and Relations. Given a DomainNode Concept, registries MUST traverse `hasManifest` → `ManifestEntry` Concepts, extract `entryName` and `entryChildVersion` relations, dedupe the `(name, version)` set, and compute the GS/1 domain state deterministically. Duplicated pairs trigger `ERR_DG_DUP_ENTRY`; missing relations trigger `ERR_DG_ENTRY_INCOMPLETE`; self references or ancestor loops raise `ERR_DG_CYCLE`.

Evidence: `tools/ci/dg_snapshot.py` → `logs/ph04/evidence/dg1/PH04-EV-DG-001/`.

Operational linkage: router listings (`GET /links`) MUST return entries sorted lexicographically by `fls_cid` and treat `since` query parameters as exclusive lower bounds, ensuring deterministic replay of linkage events.

### FR-029 Publication Recursion Discipline

Publication Concepts SHALL declare their supporting FPD/1 digest, GS/1 cover state, endorsed member FPD CIDs, and optional lineage parent using CRS relations (`covers`, `endorses`, `parent`). Validators MUST recompute GS/1 from the FPD payload, enforce duplicate-free membership, and detect recursive cycles (`ERR_FPD_CYCLE`). Timestamp regressions raise `ERR_FPD_TIMESTAMP`; state mismatches raise `ERR_PUB_STATE_MISMATCH`.

Evidence: `tools/ci/pub_validate.py` → `logs/ph04/evidence/pub1/PH04-EV-PUB-001/`.

Operational linkage: non-genesis publications SHOULD enable the parent-required policy, supplying `fpd.parent` and guaranteeing strictly monotonic `fpd.timestamp` to align with ADR-019 v1.2.1 and PH04 parent-policy harnesses.

### FR-030 Predicate Concepts

Every CRR/1 relation predicate MUST resolve to a CRS Concept. When the taxonomy defines a `Predicate` Concept, predicate entries SHALL expose an `is_a` edge into that class. Missing predicate Concepts raise `ERR_CRR_PREDICATE_NOT_CONCEPT`; missing taxonomy membership raises `ERR_CRR_PREDICATE_CLASS_MISSING`.

Evidence: CRS validator vectors and `logs/ph04/evidence/crs1/PH04-EV-CRS-001.md`.

Operational linkage: FPD feed endpoints SHALL implement stateless, content-anchored pagination over parent-chained publications. `GET /feed/fpd` MUST traverse the publisher’s current tip toward genesis until either the caller-provided `limit` is satisfied or the supplied `since` CID is encountered; identical `publisher_id`, `since`, and `limit` inputs SHALL yield identical CID sequences. Detail lookups (`GET /feed/fpd/:cid`) SHALL expose publisher, members, parent, and state metadata without server-side session state.

Evidence: `tools/ci/feeds_check.py` → `/amduat/logs/ph04/evidence/feeds/PH04-EV-FEEDS-001/pass.jsonl`.

### FR-031 Authority Anchoring via CRS & FPD

Publishing authorities SHALL represent identities as CRS Concepts linked via `owns` and `hasRole` relations to key material and governance roles. Signatures remain confined to FCT/1 and FPD/1 surfaces; CRS layers stay unsigned. FLS/1 transport MAY carry Concept or Relation payloads but MUST NOT mutate them and MUST perform payload-kind checks when requested (`--check-crs-payload`).

Operational linkage: FLS router deployments SHALL expose `POST /fls`, `GET /fls/:cid`, `GET /links`, `GET /healthz`, and `GET /readyz` endpoints and enforce SA/PA separation (`ERR_AREA_VIOLATION` if misconfigured) so that public ingest never mutates state areas directly.

Audited ticket intake SHALL be implemented via WT/1 (ADR-023) with:

* `POST /wt` (Protected Area) accepting WT/1 BCF/1 payloads, validating `has_pubkey(wt.author, wt.pubkey)` (or registered equivalent), verifying signatures over `H("AMDUAT:WT\0" || canonical_bytes_without_signature)`, enforcing registered ADR-010 intents (deduped + byte-lexicographically sorted), ensuring monotonic `wt.timestamp` per `wt.author`, and optionally chaining `wt.parent` lineage. Violations yield `ERR_WT_SIGNATURE`, `ERR_WT_KEY_UNBOUND`, `ERR_WT_INTENT_UNREGISTERED`, `ERR_WT_INTENT_DUP`, `ERR_WT_INTENT_EMPTY`, `ERR_WT_TIMESTAMP`, `ERR_WT_PARENT_UNKNOWN`, or `ERR_WT_PARENT_REQUIRED`. Router policy MUST surface scope denials as `ERR_WT_SCOPE_UNAUTHORIZED` and log the governing policy capsule.
* `GET /wt/:cid` returning the canonical WT/1 bytes for any accepted ticket.
* Deterministic pagination (`GET /wt?after=&limit=`) that emits WT/1 entries in byte-lexicographic CID order with stable page boundaries. The `after` parameter is an exclusive bound and routers SHALL enforce `1 ≤ limit ≤ Nmax` to guarantee replay stability.

Evidence: `/amduat/logs/ph04/evidence/wt1/PH04-EV-WT-001/summary.md` captures the validator run over vectors `TV-WT-001…009`, ensuring unknown keys, signature failures, timestamp regressions (including parent inversions), unbound keys, unregistered intents, policy rejections, and unresolved parents reject as specified.

Compat overlays SHALL reference ADR-025 MPR/1 provenance capsules and ADR-026 IER/1 inference evidence when operating in policy lane `compat`. Routers MUST validate that `executor_fingerprint` equals the supplied MPR/1 CID, enforce `determinism_level` plus `rng_seed` (raising `ERR_FER_RNG_REQUIRED` when omitted), and verify log digests via the IER/1 manifest before accepting overlays (`ERR_IER_LOG_HASH`/`ERR_IER_LOG_MANIFEST`).
Evidence surfaces `/amduat/logs/ph04/evidence/mpr1/PH04-EV-MPR-001/pass.jsonl` and `/amduat/logs/ph04/evidence/ier1/PH04-EV-IER-001/pass.jsonl` prove vector coverage `TV-MPR-001…003` (hash triple, missing weights, signature domain) and `TV-IER-001…004` (ok, missing seed, fingerprint mismatch, log digest mismatch) respectively with scenario summaries in accompanying `summary.md` files.

### FR-032 CT/1 Deterministic Replay (D1)

Given identical AC/1 + DTF/1 + topology inputs, executing the runtime twice in isolation MUST produce byte-identical CT/1 snapshots (header and payload) with matching CIDs whenever `ct.determinism_level = 0`.

Evidence: `tools/ci/ct_replay.py` (`runA`/`runB`) → `/amduat/logs/ph05/evidence/ct1/PH05-EV-CT1-REPLAY-001/`.

### FR-033 CT/1 Numeric Stability (D2)

When `ct.determinism_level = 1`, numeric observables MAY diverge, but the maximum absolute delta MUST remain within the tolerance documented by `ct.kernel_cfg`.

Evidence: `tools/ci/ct_replay.py` D2 replay outputs and kernel configuration manifests in the same evidence set.

### FR-034 CT/1 Header Integrity

CT/1 headers MUST follow ADR-027: canonical BCF/1 key ordering, rejection of unknown keys, monotonic `ct.tick`, canonical `cid:` formatting for topology and AC/1/DTF/1 pointers (ADR-028), and Ed25519 signatures over `H("AMDUAT:CT\0" || canonical_bytes_without_signature)`.

Evidence: `tools/validate/ct1_validator.py` with vectors `/amduat/vectors/ph05/ct1/TV-CT1-001…004` and AC/DTF fixtures `TV-AC1-001…002`, `TV-DTF1-001…002`.

---

## 4. Non-Functional Requirements

### NFR-001 Determinism

Platform/language differences MUST NOT affect CID.

### NFR-002 Performance

Put/get latency MUST remain within configured OPS budgets.

### NFR-003 Reliability

CAS operations MUST be atomic; partial writes MUST NOT be visible.

### NFR-004 Portability

Implementations MUST operate on common filesystems.

### NFR-005 Security Posture

Domain separation strings MUST be applied for all hashed surfaces.
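
NFR-005, FR-BS-001, FR-BS-002 and FR-BS-005 combine into one ingest path, sketched here as an added example rather than code from the AMDUAT reference library. Assumptions: a one-byte `algo_id` of `0x01` for SHA-256, a shard directory named after the first digest byte, a POSIX filesystem, and raw payload storage in place of the COR/1 envelope.

```python
import hashlib
import os
import tempfile

CAS_DOMAIN = b"CAS:OBJ\0"   # domain separator from FR-BS-001
ALGO_SHA256 = b"\x01"       # ASSUMPTION: one-byte algo_id; the real encoding lives in the DDS


def derive_cid(payload, algo_id=ALGO_SHA256):
    """CID = algo_id || H(CAS_DOMAIN || payload), computed over the exact bytes (FR-010)."""
    return algo_id + hashlib.sha256(CAS_DOMAIN + payload).digest()


def derive_cid_stream(chunks, algo_id=ALGO_SHA256):
    """Chunked ingest: same preimage, so the same CID as single-shot put (FR-BS-005)."""
    h = hashlib.sha256(CAS_DOMAIN)
    for chunk in chunks:
        h.update(chunk)
    return algo_id + h.digest()


def object_path(root, cid):
    name = cid.hex()
    return os.path.join(root, name[2:4], name)  # ASSUMPTION: shard = first digest byte


def fsync_dir(path):
    """Flush a directory entry change to disk (POSIX)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        os.fsync(fd)
    finally:
        os.close(fd)


def put(root, payload):
    """FR-BS-002 ladder: write -> fsync(tmp) -> rename -> fsync(shard) -> fsync(root)."""
    cid = derive_cid(payload)
    final = object_path(root, cid)
    if os.path.exists(final):
        return cid                            # idempotent put (FR-003)
    shard = os.path.dirname(final)
    os.makedirs(shard, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=shard, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)                  # raw payload; the COR/1 envelope is omitted here
            f.flush()
            os.fsync(f.fileno())              # fsync(tmp)
        os.replace(tmp, final)                # atomic rename publishes the object
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)                    # never leave a partial object behind
        raise
    fsync_dir(shard)
    fsync_dir(root)
    return cid


def verify(root, cid):
    """Recompute the CID from stored bytes (FR-004); returns (ok, expected, actual)."""
    with open(object_path(root, cid), "rb") as f:
        actual = derive_cid(f.read(), cid[:1])
    return actual == cid, cid, actual
```

Because the separator is part of the preimage, the digest inside a CID never equals a bare SHA-256 of the payload, so a hash computed for one surface cannot be replayed as a valid identifier on another.
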

### 4.3 Future Scope Alignment (Informative)

Phase 02 introduces deterministic transformation primitives (**FPS/1**) extending the Kheper CAS model defined herein. See `/amduat/arc/adrs/adr-015.md` and `/amduat/tier1/fps.md` for details. No behavioural changes apply retroactively to PH01 surfaces.

---

## 5. Data Model (Behavioural View)

* CAS objects identified strictly by CID.
* COR/1 envelope provides size, payload, algo_id.
* ICD/1 descriptor provides instance configuration.

> See DDS §2 (COR/1) and §3 (ICD/1) for normative byte layouts.

---

## 6. API Semantics

### `put(payload_bytes, algo_id=default) → CID`

* Compute CID using domain separation: `CID = algo_id || H("CAS:OBJ\0" || payload_bytes)`
* If CID exists: return existing CID (idempotent)
* If absent: write canonical COR/1 envelope atomically
* Reject on size limit breach, malformed payload, non-canonical COR/1, I/O errors
* Writes MUST be atomic: temp file → fsync → rename → fsync parent dir

### `get(CID) → payload_bytes`

* Retrieve raw payload bytes
* MUST validate canonical COR/1 envelope
* Implementation MAY verify hash on read by policy
* Reject on missing object, hash mismatch

### `exists(CID) → bool`

* Return true if object is present and canonical

### `stat(CID) → { present, size, algo_id }`

* MUST return canonical metadata

### `verify(CID) → { ok|error, expected:CID, actual:CID }`

* Recompute CID from canonical bytes
* MUST detect corruption and reject non-canonical encodings

### `import(stream_COR1) → CID`

* Validate canonical TLV ordering
* Reject duplicate tags, extraneous tags, malformed VARINTs
* MUST round-trip to identical CID

### `export(CID) → stream_COR1`

* Emit canonical envelope; re-encoding MUST preserve canonical bytes

### Deterministic Errors

Errors MUST be emitted as stable symbolic codes including but not limited to:

* `E_CID_NOT_FOUND`
* `E_CORRUPT_OBJECT`
* `E_CANONICALITY_VIOLATION`
* `E_IO_FAILURE`

---

## 7. Success Criteria

* Byte-for-byte CID agreement (≥ 3 platforms)
* Zero false positives in `verify()`
* Idempotent concurrent `put()`
* COR/1 import/export round-trips cleanly

---

## 8. GC Semantics (Behavioural)

* Reachability from configured roots
* Dry-run mode MUST NOT delete
* Removal MUST be atomic per object

---

## 9. Acceptance Criteria (Phase Exit)

* Golden vectors published
* Cross-impl CI passing
* COR/1 and ICD/1 documented in DDS
* Security posture validated by SEC

---

## 10. Traceability

* Requirements link to tests/defects in Phase Packs
* ADRs reference affected FR/NFR IDs

---

## 11. Future Phases

* Multi-object transactions bind to `instance_id`
* Provenance graph consumes COR/1 metadata

---

## 12. Functional Primitive Surface (FPS/1)

> Defines the canonical deterministic operations over canonical payloads.
> Each primitive produces exactly one payload and one CID.

| Primitive | Signature | Description | Determinism / Errors |
| --- | --- | --- | --- |
| `put` | `(payload_bytes) → CID` | Canonical write, atomic fsync ladder. | ADR-006 `ERR_IO_FAILURE`, `ERR_NORMALIZATION`. |
| `get` | `(CID) → payload_bytes` | Fetch canonical bytes. | `ERR_CID_NOT_FOUND`. |
| `slice` | `(CID, offset, length) → CID` | Extract contiguous bytes. | `ERR_SLICE_RANGE`. |
| `concatenate` | `([CID₁,…,CIDₙ]) → CID` | Sequential join of payloads. | `ERR_EMPTY_INPUTS`. |
| `reverse` | `(CID, level) → CID` | Reverse payload order (bit/byte/word/long). | `ERR_REV_ALIGNMENT`, `ERR_INVALID_LEVEL`. |
| `splice` | `(CID_a, offset, CID_b) → CID` | Insert payload b into a at offset. | `ERR_SPLICE_RANGE`. |

**Determinism:** identical inputs → identical outputs.
**Immutability:** inputs never mutated.
**Closure:** outputs valid for reuse as inputs to any primitive.
**Error handling:** all symbolic per ADR-006.

---

## Appendix A — Surface Version Table

| Surface | Version | Notes |
| ------- | ------- | ----- |
| FCS/1 | v1-min | Canonical execution descriptors; governance captured in FCT/1. |
| FER/1 | v1.1 | Receipts enforce parity-first evidence, run_id dedup, typed logs, and RNG discipline (ADR-017). |
| FCT/1 | v1.0 | Certification transactions binding policy/intent/attestations with FER/1 sets. |
| FPD/1 | v1.0 | Publication digest linking FCT/1 to FER/1 receipts for federation replay. |

---

## Document History

* 0.2.1 (2025-10-26) — Phase Pack pointer updated; no semantic changes; archival preserves historical lineage per ADR-002.
* 0.2.2 (2025-10-26) — Promoted PH01 baseline to Approved; synchronized Phase Pack §1 anchors and closure snapshot.
* 0.2.3 (2025-10-27) — Added future scope alignment note pointing to FPS/1 and ADR-015; PH01 semantics remain unchanged.
* **0.2.4 (2025-11-14):** Added FR-014–FR-019 for FCS/1 composition, FER/1 receipts, and FCT/1 certification policies.
* **0.2.5 (2025-11-15):** Added FR-021 (formerly FR-020) enforcing acyclic FCS/1 composition and PCB1 arity validation.
* **0.2.6 (2025-11-19):** Registered FR-020 Deterministic Execution Envelope (Maat’s Balance) with timing evidence tags.
* **0.3.0 (2025-11-02):** Trimmed FCS/1 to execution-only (v1-min) under FR-014/FR-015; moved policy/intent/scope/role/authority to FCT/1 (FR-017); clarified registry admission behaviour and kept FER/1 unchanged.
* **0.3.1 (2025-11-21):** Updated FR-016 to require parity-first FER/1 receipts with executor sets, parity vectors, and FR-020 aligned timestamps.
* **0.3.2 (2025-11-22):** Registered FR-022 Federation Publication Digest (FPD/1) requirement tying FCT/1 publications to single-digest evidence and canonical logging.
* **0.3.4 (2025-11-07):** Recorded FER/1 v1.1 requirement for Phase 04 and added surface version table.
* **0.3.5 (2025-11-08):** Registered PH04 linkage & semantic placeholder requirements (FR-028…031).
* **0.3.6 (2025-11-09):** Promoted FR-028…031 to normative linkage requirements with CRS/1 validator enforcement.
* **0.3.7 (2025-11-08):** Finalized FR-028…031 with CRS/1 immutability, GS/1 linkage, and certification coverage.
* **0.3.8 (2025-11-09):** Promoted FR-028…FR-031 for concept-native domain and publication validation.
* **0.3.9 (2025-11-09):** Documented operational linkage: router endpoints, deterministic `/links`, and parent-required publish policy guidance.
* **0.3.10 (2025-11-11):** Registered FR-030 stateless, content-anchored FPD feed pagination requirement.
* **0.3.11 (2025-11-09):** Extended FR-031 with WT/1 intake endpoints, validation, and evidence log references.
* **0.3.12 (2025-11-20):** Tightened FR-031 with `wt.pubkey` bindings, signature preimage exclusion, lineage/policy errors, and expanded WT/1 vector evidence coverage.
* **0.3.13 (2025-11-21):** Updated FR-031 for `has_pubkey` bindings (`ERR_WT_KEY_UNBOUND`), intent registry enforcement (`ERR_WT_INTENT_UNREGISTERED`), lineage policy rejection (`ERR_WT_PARENT_REQUIRED`), and expanded WT/1 vectors `TV-WT-001…009`.
* **0.3.14 (2025-11-22):** WT/1 intake and SOS/1 compat overlays proven with PH04-M4/M5 audit evidence.
* **0.3.15 (2025-11-22):** Recorded ADR-025/026 compat path requirements and evidence anchors for FR-031.
* **0.3.16 (2025-11-23):** Compat lane now enforces ADR-025/026 validators (MPR/1 hash triple, IER/1 replay) with updated evidence surfaces.
* **0.3.17 (2025-11-24):** Added FR-032–FR-034 for CT/1 replay determinism, numeric stability, and header integrity (ADR-027/028).
* **0.4.0 (2025-11-11):** Added FR-BS-001…005 for ByteStore identity, atomic durability, SA/PA isolation, COR round-trip, and streaming determinism linked to DDS §11 / ADR-030.