AMDUAT-SRS — Detailed Requirements Specification
Status: Approved
Owner: Niklas Rydberg
Version: 0.4.0
SoT: Yes
Last Updated: 2025-11-11
Linked Phase Pack: PH01
Tags: [requirements, cas, kheper]
Document ID: AMDUAT-SRS
Layer: L0 — Requirements baseline (CAS + deterministic composition)
Depends on (normative):
- None (requirements baseline)
Informative references:
- AMDUAT-DDS — byte-level design specification
- ADR-006 — deterministic error semantics
- ADR-015 — CAS rejection matrix alignment
© 2025 Niklas Rydberg.
License
Except where otherwise noted, this document (text and diagrams) is licensed under the Creative Commons Attribution 4.0 International License (CC BY 4.0).
The identifier registries and mapping tables (e.g. TypeTag IDs, HashId assignments, EdgeTypeId tables) are additionally made available under CC0 1.0 Universal (CC0) to enable unrestricted reuse in implementations and derivative specifications.
Code examples in this document are provided under the Apache License 2.0 unless explicitly stated otherwise. Test vectors, where present, are dedicated to the public domain under CC0 1.0.
Purpose: Capture normative behavioural requirements for Phase PH01 (Kheper) and beyond. Long-lived semantics live here (not in Phase Packs).
1. Objectives (from Tier-0 Charter; elaborated)
- Deterministic addressing: identical payload bytes MUST yield identical CIDs.
- Immutability: new bytes → new CID; objects MUST NOT be mutated in place.
- Integrity by design: verify() MUST detect corruption; zero false positives.
- Instance isolation: storage layout and runtime state are implementation detail.
- Binary canonical substrate: COR/1 is the normative import/export envelope.
- Instance identity: ICD/1 defines stable instance_id for future transaction bindings.
- Crypto agility: default SHA-256; algorithm IDs extensible.
- Minimal tooling: reference CLI (amduatcas) and C library.
- Conformance: golden vectors and cross-impl CI enforce byte-identity.
2. Scope (Behavioural)
2.1 In Scope
- Local, single-node Content-Addressable Storage (CAS)
- Deterministic hashing with domain separation
- Canonical envelopes (COR/1) and instance descriptor (ICD/1)
- CRUD-adjacent operations: put/get/stat/exists/verify
- Import/export of canonical bytestreams
- Optional listing/gc semantics
2.2 Out of Scope (for PH01)
- Networking, replication, consensus
- Multi-object transactions
- Semantic/provenance graphing
- Encryption/ACLs (layer externally)
3. Functional Requirements
FR-001 Deterministic CID Production
Given identical payload bytes and algo_id, the CID MUST match across compliant implementations.
FR-002 Immutability
Objects MUST NOT be mutated; new payload → new CID.
FR-003 Idempotent Put
Concurrent put() of identical payload MUST yield one canonical object; object integrity preserved.
FR-004 Verification
verify(CID) MUST recompute the CID and detect corruption; zero false positives.
FR-005 Import/Export Canonicality
Importing COR/1 and then exporting it MUST yield byte-identical bytestreams.
FR-006 Size Validation
get() MUST validate payload length according to COR/1.
FR-007 Optional Verify-on-Read Policy
Policy MAY require verify for cold reads; MUST NOT corrupt payload if disabled.
FR-008 Canonical Rejection
CAS decoders MUST reject:
- out-of-order TLV tags
- duplicate TLV tags
- extraneous tags
- trailing bytes
- malformed or over-long VARINT encodings
- payload length mismatches
Rejection MUST be deterministic and symbolic.
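A strict decoder that applies the FR-008 rejection rules, added here as an example; it is not part of the specification or the AMDUAT code base. The record layout (1-byte tag, LEB128 length, value), the three tag numbers and the reason labels are assumptions for illustration; the normative COR/1 layout is defined in the DDS.

```python
class CanonicalityError(ValueError):
    """Rejection carrying a stable reason label (labels are this example's own)."""
    code = "E_CANONICALITY_VIOLATION"   # symbolic code from the spec's error list


# Hypothetical record layout: 1-byte tag, LEB128 length, value bytes.
TAG_ALGO, TAG_SIZE, TAG_PAYLOAD = 0x01, 0x02, 0x03
KNOWN_TAGS = {TAG_ALGO, TAG_SIZE, TAG_PAYLOAD}


def encode_varint(n):
    out = bytearray()
    while True:
        n, low = n >> 7, n & 0x7F
        out.append(low | (0x80 if n else 0))
        if not n:
            return bytes(out)


def read_varint(buf, pos):
    """Decode unsigned LEB128 at pos; reject truncated and non-minimal forms."""
    value, start = 0, pos
    while True:
        if pos >= len(buf):
            raise CanonicalityError("varint_truncated")
        if pos - start >= 9:               # cap the encoding at 63 bits
            raise CanonicalityError("varint_overlong")
        byte = buf[pos]
        value |= (byte & 0x7F) << (7 * (pos - start))
        pos += 1
        if not byte & 0x80:
            break
    if pos - start > 1 and byte == 0:      # padded high group, e.g. 0x81 0x00
        raise CanonicalityError("varint_overlong")
    return value, pos


def encode_envelope(algo, payload):
    fields = ((TAG_ALGO, algo), (TAG_SIZE, encode_varint(len(payload))), (TAG_PAYLOAD, payload))
    return b"".join(bytes([t]) + encode_varint(len(v)) + v for t, v in fields)


def decode_envelope(buf):
    pos, last_tag, fields = 0, 0, {}
    while pos < len(buf) and TAG_PAYLOAD not in fields:
        tag = buf[pos]
        if tag in fields:
            raise CanonicalityError("duplicate_tag")
        if tag not in KNOWN_TAGS:
            raise CanonicalityError("extraneous_tag")
        if tag < last_tag:
            raise CanonicalityError("tag_out_of_order")
        length, pos = read_varint(buf, pos + 1)
        if pos + length > len(buf):
            raise CanonicalityError("value_truncated")
        fields[tag], pos, last_tag = buf[pos:pos + length], pos + length, tag
    if pos != len(buf):                    # payload is the last field
        raise CanonicalityError("trailing_bytes")
    if fields.keys() != KNOWN_TAGS:
        raise CanonicalityError("missing_tag")
    size, end = read_varint(fields[TAG_SIZE], 0)
    if end != len(fields[TAG_SIZE]) or size != len(fields[TAG_PAYLOAD]):
        raise CanonicalityError("payload_length_mismatch")
    return fields[TAG_ALGO], fields[TAG_PAYLOAD]


def reject_reason(buf):
    try:
        decode_envelope(buf)
    except CanonicalityError as exc:
        return exc.args[0]
    return None
```

The decoder never repairs or re-orders input: every non-canonical byte string maps to exactly one reason, which is what makes the rejection deterministic.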
FR-009 Concurrency Discipline
Concurrent put() operations for identical payloads MUST NOT yield divergent COR/1 envelopes. Only one canonical envelope may result.
FR-010 Raw Byte Semantics
CAS MUST operate strictly over exact payload bytes. No normalization (newline, whitespace, UTF-8 interpretation, or Unicode equivalence) SHALL occur.
FR-011 Filesystem Independence
Consensus behaviour MUST NOT depend on:
- directory entry ordering
- timestamp metadata
- filesystem case sensitivity
- locale or regional configuration
FR-012 Deterministic Failure
Malformed objects MUST be rejected. CAS MUST NOT auto-repair or normalize COR/1 envelopes.
FR-013 Resource Boundaries
Resource exhaustion (disk full, allocation failure) MUST fail atomically and leave no partial objects visible.
FR-014 FCS/1 Descriptor Determinism (v1-min)
Composite and custom functions MUST be expressed as canonical FCS/1 descriptors that contain only the execution recipe:
function_ptr, parameter_block (PCB1), and arity.
Identical descriptors SHALL hash to identical CIDs and MUST remain immutable after publication. No policy/intent/notes appear in FCS/1.
FR-015 Registry Determinism (Descriptor Admission)
Functional registries MUST admit only canonical FCS/1 descriptors (per FR-014) and enforce descriptor validation (TLV order, PCB1 arity, acyclicity). Registries MUST NOT infer or embed policy/intent into descriptors; publication governance is handled at certification time (FR-017).
FR-016 Evaluation Receipt Integrity (FER/1)
Every execution of a composite function under curated or locked policies MUST emit a FER/1 receipt. The receipt SHALL encode, in canonical TLV order, at least the following evidence:
- function_cid → evaluated FCS/1 descriptor (v1-min) preserving CIP indirection.
- input_manifest → GS/1 BCF/1 set of consumed input CIDs (deduped and byte-lexicographic).
- environment → ICD/1 (or PH03 env capsule) snapshot pinning toolchain/runtime state.
- evaluator_id → stable evaluator identity bytes.
- executor_set → implementations that executed the recipe, keyed in canonical byte order.
- parity_vector → per-executor digests with matching executor ordering, shared output (== output_cid), and sbom_cid entries.
- executor_fingerprint + run_id → optional SBOM fingerprint CID and deterministic dedup hash (H("AMDUAT:RUN\0" || function || manifest || env || fingerprint)).
- logs → typed evidence capsules binding kind, cid, and sha256 for stdout/stderr/metrics traces.
- limits → declared execution envelope (cpu_ms, wall_ms, max_rss_kib, io_reads, io_writes).
- determinism_level / rng_seed → declared determinism class (D1_bit_exact default, D2_numeric_stable requires a 0–32 byte seed).
- output_cid → single canonical output CID for the run.
- started_at / completed_at → epoch-second timestamps satisfying FR-020 bounds.
- signature → Ed25519 metadata verifying H("AMDUAT:FER\0" || canonical bytes).
Receipts MAY include optional logs (typed capsules), context, witnesses, parent, and signature_ext TLVs but MUST NOT leak policy/intent (those belong to FCT/1).
From Phase 04 onwards, governance and runtime layers MUST require FER/1 v1.1 receipts; ER/1 artefacts remain valid only as historical evidence and SHALL NOT satisfy FR-016 compliance gates.
Parity discipline is mandatory: unsorted executor keys or mismatched parity orderings SHALL raise ERR_IMPL_PARITY_ORDER; divergent outputs or missing executors SHALL raise ERR_IMPL_PARITY. Unknown TLVs or cardinality violations SHALL raise ERR_FER_UNKNOWN_TAG. GS/1 manifest violations emit ERR_FER_INPUT_MANIFEST_SHAPE; missing RNG seed when determinism ≠ D1 emits ERR_FER_RNG_REQUIRED. All signatures MUST verify against the domain-separated hash (ERR_FER_SIGNATURE on failure).
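The parity and RNG checks from FR-016 applied to a decoded receipt, added here as an example that is not the project's validator. It assumes the receipt has already been decoded from TLV into a dict, that H is SHA-256, and that a missing executor is reported before an ordering mismatch; the sample receipt is constructed.

```python
import hashlib

RUN_DOMAIN = b"AMDUAT:RUN\0"   # domain separator for run_id, from FR-016


def run_id(function_cid, manifest, env, fingerprint=b""):
    """Dedup hash H("AMDUAT:RUN\\0" || function || manifest || env || fingerprint)."""
    return hashlib.sha256(RUN_DOMAIN + function_cid + manifest + env + fingerprint).digest()


def check_parity(receipt):
    """Return None if the receipt passes, else the symbolic error named in FR-016."""
    executors = receipt["executor_set"]
    vector = receipt["parity_vector"]
    # Executor keys must be strictly ascending in byte-lexicographic order.
    if any(a >= b for a, b in zip(executors, executors[1:])):
        return "ERR_IMPL_PARITY_ORDER"
    reported = [entry["executor"] for entry in vector]
    # Every declared executor must have contributed a digest.
    if set(executors) - set(reported):
        return "ERR_IMPL_PARITY"
    # The parity vector must list executors in the same order as executor_set.
    if reported != executors:
        return "ERR_IMPL_PARITY_ORDER"
    # All executors must agree on the single canonical output CID.
    if any(entry["output"] != receipt["output_cid"] for entry in vector):
        return "ERR_IMPL_PARITY"
    # Anything other than D1 needs a declared seed (a 0-byte seed is still a seed).
    if receipt["determinism_level"] != "D1_bit_exact" and receipt.get("rng_seed") is None:
        return "ERR_FER_RNG_REQUIRED"
    return None


def sample_receipt():
    """Constructed decoded receipt; real FER/1 receipts are canonical TLV bytes."""
    out = hashlib.sha256(b"constructed output").digest()
    return {
        "executor_set": [b"exec-c", b"exec-py"],
        "parity_vector": [
            {"executor": b"exec-c", "output": out},
            {"executor": b"exec-py", "output": out},
        ],
        "output_cid": out,
        "determinism_level": "D1_bit_exact",
        "rng_seed": None,
    }
```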
FR-017 Certification Transactions (FCT/1: Policy & Intent)
Certification events MUST be recorded as FCT/1 transactions that aggregate one or more FER/1 receipts and bind registry policy, intent, domain scope, and authority role.
Transactions MUST include attestations whenever registry_policy != 0 and SHALL expose publication pointers when federated.
All intent/scope/role/authority metadata lives in FCT/1 (not in FCS/1).
FR-BS-001 ByteStore Deterministic Identity
ByteStore SHALL derive CIDs using the canonical CAS domain separator: CID = algo || H("CAS:OBJ\0" || payload).
The derived CID returned by put() and import_cor() MUST match the CID embedded in COR/1 envelopes and SHALL remain stable across runs, implementations, and ingest modes (DDS §11.2; ADR-030).
FR-BS-002 Atomic Durability Ladder
ByteStore persistence MUST follow the atomic write ladder: write → fsync(tmp) → rename → fsync(shard) → fsync(root).
Crash-window simulations triggered via AMDUAT_BYTESTORE_CRASH_STEP MUST leave the public area consistent upon recovery, with no visible partial objects (DDS §11.4; ADR-030; evidence PH05-EV-BS-001).
FR-BS-003 Secure/Public Area Isolation
ByteStore SHALL enforce SA/PA isolation such that public payload roots and secure state roots are disjoint and non-overlapping.
Violations MUST raise ERR_AREA_VIOLATION and SHALL be surfaced to callers (DDS §11.5; ADR-030).
FR-BS-004 COR/1 Round-Trip Identity
Importing COR/1 bytes via ByteStore and exporting the same CID MUST yield a byte-identical envelope.
Any mismatch between stored bytes and derived CID SHALL raise ERR_IDENTITY_MISMATCH (DDS §11.3; ADR-030).
FR-BS-005 Streaming Determinism & Policy Enforcement
Chunked ingestion (put_stream) MUST produce the same CID as single-shot put for equivalent payloads and reject non-bytes or missing data with deterministic errors (ERR_STREAM_ORDER, ERR_STREAM_TRUNCATED).
ByteStore SHALL enforce ICD/1 max_object_size for all ingest paths, raising ERR_POLICY_SIZE when exceeded (DDS §11.6–11.7; ADR-030).
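FR-BS-001, FR-BS-002 and the streaming half of FR-BS-005 combined in one store, added here as an example and not taken from the reference library. The one-byte algo_id value, the shard directory layout, storing the raw payload instead of a COR/1 envelope, and the use of ERR_STREAM_TRUNCATED for a short stream are assumptions.

```python
import hashlib
import os
import tempfile

DOMAIN = b"CAS:OBJ\0"   # domain separator from FR-BS-001
ALGO_SHA256 = b"\x01"   # assumed one-byte algo_id for SHA-256 (placeholder value)


def derive_cid(payload: bytes) -> bytes:
    """CID = algo || H("CAS:OBJ\\0" || payload), over the exact bytes (FR-010)."""
    return ALGO_SHA256 + hashlib.sha256(DOMAIN + payload).digest()


def derive_cid_stream(chunks, declared_size: int) -> bytes:
    """Chunked ingest feeds the same hash state as single-shot put, so same CID."""
    h, seen = hashlib.sha256(DOMAIN), 0
    for chunk in chunks:
        h.update(chunk)
        seen += len(chunk)
    if seen != declared_size:
        raise ValueError("ERR_STREAM_TRUNCATED")   # mapping to this code is assumed
    return ALGO_SHA256 + h.digest()


def _object_path(root: str, cid: bytes) -> str:
    name = cid.hex()
    return os.path.join(root, name[2:4], name)     # hypothetical shard layout


def _fsync_dir(path: str) -> None:
    fd = os.open(path, os.O_RDONLY)
    try:
        os.fsync(fd)
    finally:
        os.close(fd)


def put(root: str, payload: bytes) -> bytes:
    cid = derive_cid(payload)
    final = _object_path(root, cid)
    if os.path.exists(final):
        return cid                          # idempotent put (FR-003)
    shard = os.path.dirname(final)
    os.makedirs(shard, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=shard, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)                # write
            f.flush()
            os.fsync(f.fileno())            # fsync(tmp)
        os.replace(tmp, final)              # rename: object appears whole or not at all
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)                  # no partial object left behind (FR-013)
        raise
    _fsync_dir(shard)                       # fsync(shard)
    _fsync_dir(root)                        # fsync(root)
    return cid


def verify(root: str, cid: bytes) -> dict:
    """Recompute the CID from stored bytes and compare (FR-004)."""
    try:
        with open(_object_path(root, cid), "rb") as f:
            actual = derive_cid(f.read())
    except FileNotFoundError:
        return {"status": "E_CID_NOT_FOUND", "expected": cid, "actual": None}
    status = "ok" if actual == cid else "E_CORRUPT_OBJECT"
    return {"status": status, "expected": cid, "actual": actual}
```

Because the domain separator is hashed before any payload byte, a CID produced here can never collide with a plain SHA-256 of the same payload or with a hash from another AMDUAT surface such as "AMDUAT:RUN\0".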
FR-022 Federation Publication Digest (FPD/1)
Every publish event emerging from an FCT/1 certification MUST emit exactly one FPD/1 digest satisfying ADR-007 single-digest guarantees.
The digest SHALL canonically hash the certified FCT/1 record, all attested FER/1 receipts, and the emitted governance edges (certifies, attests, publishes).
Implementations MUST persist the FPD/1 bytes alongside the FCT/1 payload under /logs/ph03/evidence/fct/ (or successor evidence path) and reference the resulting CID from fct.publication.
Repeated invocations over identical inputs SHALL reproduce the same digest; mismatches SHALL be treated as certification failures.
FR-018 Provenance Enforcement
Caching or replay layers MUST validate FER/1 receipts and FCT/1 transactions before serving composite outputs. Serving uncertified artefacts when policy requires certification is forbidden.
FR-019 Transaction Envelope Rejection
Systems MUST reject FER/1 or FCT/1 envelopes whose CID lineage does not match the referenced FCS/1 descriptor, whose timestamps are non-monotonic, or whose signatures/attestations fail verification.
FR-020 Deterministic Execution Envelope
| ID | Statement | Verification | Notes |
|---|---|---|---|
| FR-020 — Deterministic Execution Envelope | Each executor SHALL complete within a bounded deterministic time envelope (default 5 s). Execution time SHALL be measured and logged as evidence. Non-termination SHALL yield symbolic error ERR_EXEC_TIMEOUT. | Verified via CI parity harness and evidence file /logs/ph03/evidence/<date>-execution-times.jsonl. | Implements Maat’s Balance principle. Tags: [deterministic-timing, evidence, maat-balance]. |
FR-021 Acyclic Composition
FCS/1 descriptors referencing FPS/1 primitives, PCB1 parameter blocks, or nested FCS/1 descriptors MUST form an acyclic graph.
Registries SHALL reject submissions introducing self-references or cycles and emit ERR_FCS_CYCLE_DETECTED or
ERR_PCB_ARITY_MISMATCH when arity metadata conflicts with PCB1 manifests.
FR-028 Concept-Native Domain Materialization
Federated domain manifests SHALL be materialized exclusively from CRS Concepts
and Relations. Given a DomainNode Concept, registries MUST traverse
hasManifest → ManifestEntry Concepts, extract entryName and
entryChildVersion relations, dedupe the (name, version) set, and compute the
GS/1 domain state deterministically. Duplicated pairs trigger ERR_DG_DUP_ENTRY;
missing relations trigger ERR_DG_ENTRY_INCOMPLETE; self references or
ancestor loops raise ERR_DG_CYCLE. Evidence: tools/ci/dg_snapshot.py
→ logs/ph04/evidence/dg1/PH04-EV-DG-001/.
Operational linkage: router listings (GET /links) MUST return entries sorted
lexicographically by fls_cid and treat since query parameters as exclusive
lower bounds, ensuring deterministic replay of linkage events.
FR-029 Publication Recursion Discipline
Publication Concepts SHALL declare their supporting FPD/1 digest, GS/1 cover
state, endorsed member FPD CIDs, and optional lineage parent using CRS
relations (covers, endorses, parent). Validators MUST recompute GS/1 from
the FPD payload, enforce duplicate-free membership, and detect recursive
cycles (ERR_FPD_CYCLE). Timestamp regressions raise ERR_FPD_TIMESTAMP; state
mismatches raise ERR_PUB_STATE_MISMATCH. Evidence: tools/ci/pub_validate.py
→ logs/ph04/evidence/pub1/PH04-EV-PUB-001/.
Operational linkage: non-genesis publications SHOULD enable the parent-required
policy, supplying fpd.parent and guaranteeing strictly monotonic
fpd.timestamp to align with ADR-019 v1.2.1 and PH04 parent-policy harnesses.
FR-030 Predicate Concepts
Every CRR/1 relation predicate MUST resolve to a CRS Concept. When the
taxonomy defines a Predicate Concept, predicate entries SHALL expose an
is_a edge into that class. Missing predicate Concepts raise
ERR_CRR_PREDICATE_NOT_CONCEPT; missing taxonomy membership raises
ERR_CRR_PREDICATE_CLASS_MISSING. Evidence: CRS validator vectors and
logs/ph04/evidence/crs1/PH04-EV-CRS-001.md.
Operational linkage: FPD feed endpoints SHALL implement stateless, content-anchored pagination over parent-chained publications. GET /feed/fpd MUST traverse the publisher’s current tip toward genesis until either the caller-provided limit is satisfied or the supplied since CID is encountered; identical publisher_id, since, and limit inputs SHALL yield identical CID sequences. Detail lookups (GET /feed/fpd/:cid) SHALL expose publisher, members, parent, and state metadata without server-side session state. Evidence: tools/ci/feeds_check.py → /amduat/logs/ph04/evidence/feeds/PH04-EV-FEEDS-001/pass.jsonl.
FR-031 Authority Anchoring via CRS & FPD
Publishing authorities SHALL represent identities as CRS Concepts linked via
owns and hasRole relations to key material and governance roles. Signatures
remain confined to FCT/1 and FPD/1 surfaces; CRS layers stay unsigned. FLS/1
transport MAY carry Concept or Relation payloads but MUST NOT mutate them and
MUST perform payload-kind checks when requested (--check-crs-payload).
Operational linkage: FLS router deployments SHALL expose POST /fls,
GET /fls/:cid, GET /links, GET /healthz, and GET /readyz endpoints and
enforce SA/PA separation (ERR_AREA_VIOLATION if misconfigured) so that public
ingest never mutates state areas directly. Audited ticket intake SHALL be
implemented via WT/1 (ADR-023) with:
- POST /wt (Protected Area) accepting WT/1 BCF/1 payloads, validating has_pubkey(wt.author, wt.pubkey) (or registered equivalent), verifying signatures over H("AMDUAT:WT\0" || canonical_bytes_without_signature), enforcing registered ADR-010 intents (deduped + byte-lexicographically sorted), ensuring monotonic wt.timestamp per wt.author, and optionally chaining wt.parent lineage. Violations yield ERR_WT_SIGNATURE, ERR_WT_KEY_UNBOUND, ERR_WT_INTENT_UNREGISTERED, ERR_WT_INTENT_DUP, ERR_WT_INTENT_EMPTY, ERR_WT_TIMESTAMP, ERR_WT_PARENT_UNKNOWN, or ERR_WT_PARENT_REQUIRED. Router policy MUST surface scope denials as ERR_WT_SCOPE_UNAUTHORIZED and log the governing policy capsule.
- GET /wt/:cid returning the canonical WT/1 bytes for any accepted ticket.
- Deterministic pagination (GET /wt?after=<cid>&limit=<n>) that emits WT/1 entries in byte-lexicographic CID order with stable page boundaries. The after parameter is an exclusive bound and routers SHALL enforce 1 ≤ limit ≤ Nmax to guarantee replay stability.
Evidence: /amduat/logs/ph04/evidence/wt1/PH04-EV-WT-001/summary.md captures the
validator run over vectors TV-WT-001…009, ensuring unknown keys, signature
failures, timestamp regressions (including parent inversions), unbound keys,
unregistered intents, policy rejections, and unresolved parents reject as
specified.
Compat overlays SHALL reference ADR-025 MPR/1 provenance capsules and ADR-026
IER/1 inference evidence when operating in policy lane compat. Routers MUST
validate that executor_fingerprint equals the supplied MPR/1 CID, enforce
determinism_level plus rng_seed (raising ERR_FER_RNG_REQUIRED when
omitted), and verify log digests via the IER/1 manifest before accepting
overlays (ERR_IER_LOG_HASH/ERR_IER_LOG_MANIFEST). Evidence surfaces
/amduat/logs/ph04/evidence/mpr1/PH04-EV-MPR-001/pass.jsonl and
/amduat/logs/ph04/evidence/ier1/PH04-EV-IER-001/pass.jsonl prove vector
coverage TV-MPR-001…003 (hash triple, missing weights, signature domain) and
TV-IER-001…004 (ok, missing seed, fingerprint mismatch, log digest mismatch)
respectively with scenario summaries in accompanying summary.md files.
FR-032 CT/1 Deterministic Replay (D1)
Given identical AC/1 + DTF/1 + topology inputs, executing the runtime twice in
isolation MUST produce byte-identical CT/1 snapshots (header and payload) with
matching CIDs whenever ct.determinism_level = 0. Evidence:
tools/ci/ct_replay.py (runA/runB) →
/amduat/logs/ph05/evidence/ct1/PH05-EV-CT1-REPLAY-001/.
FR-033 CT/1 Numeric Stability (D2)
When ct.determinism_level = 1, numeric observables MAY diverge, but the
maximum absolute delta MUST remain within the tolerance documented by
ct.kernel_cfg. Evidence: tools/ci/ct_replay.py D2 replay outputs and kernel
configuration manifests in the same evidence set.
FR-034 CT/1 Header Integrity
CT/1 headers MUST follow ADR-027: canonical BCF/1 key ordering, rejection of
unknown keys, monotonic ct.tick, canonical cid: formatting for topology and
AC/1/DTF/1 pointers (ADR-028), and Ed25519 signatures over
H("AMDUAT:CT\0" || canonical_bytes_without_signature). Evidence:
tools/validate/ct1_validator.py with vectors
/amduat/vectors/ph05/ct1/TV-CT1-001…004 and AC/DTF fixtures
TV-AC1-001…002, TV-DTF1-001…002.
4. Non-Functional Requirements
NFR-001 Determinism
Platform/language differences MUST NOT affect CID.
NFR-002 Performance
Put/get latency MUST remain within configured OPS budgets.
NFR-003 Reliability
CAS operations MUST be atomic; partial writes MUST NOT be visible.
NFR-004 Portability
Implementations MUST operate on common filesystems.
NFR-005 Security Posture
Domain separation strings MUST be applied for all hashed surfaces.
4.3 Future Scope Alignment (Informative)
Phase 02 introduces deterministic transformation primitives (FPS/1) extending the Kheper CAS model defined herein.
See /amduat/arc/adrs/adr-015.md and /amduat/tier1/fps.md for details.
No behavioural changes apply retroactively to PH01 surfaces.
5. Data Model (Behavioural View)
- CAS objects identified strictly by CID.
- COR/1 envelope provides size, payload, algo_id.
- ICD/1 descriptor provides instance configuration.
See DDS §2 (COR/1) and §3 (ICD/1) for normative byte layouts.
6. API Semantics
put(payload_bytes, algo_id=default) → CID
- Compute CID using domain separation: CID = algo_id || H("CAS:OBJ\0" || payload_bytes)
- If CID exists: return existing CID (idempotent)
- If absent: write canonical COR/1 envelope atomically
- Reject on size limit breach, malformed payload, non-canonical COR/1, I/O errors
- Writes MUST be atomic: temp file → fsync → rename → fsync parent dir
get(CID) → payload_bytes
- Retrieve raw payload bytes
- MUST validate canonical COR/1 envelope
- Implementation MAY verify hash on read by policy
- Reject on missing object, hash mismatch
exists(CID) → bool
- Return true if object is present and canonical
stat(CID) → { present, size, algo_id }
- MUST return canonical metadata
verify(CID) → { ok|error, expected:CID, actual:CID }
- Recompute CID from canonical bytes
- MUST detect corruption and reject non-canonical encodings
import(stream_COR1) → CID
- Validate canonical TLV ordering
- Reject duplicate tags, extraneous tags, malformed VARINTs
- MUST round-trip to identical CID
export(CID) → stream_COR1
- Emit canonical envelope; re-encoding MUST preserve canonical bytes
Deterministic Errors
Errors MUST be emitted as stable symbolic codes including but not limited to:
- E_CID_NOT_FOUND
- E_CORRUPT_OBJECT
- E_CANONICALITY_VIOLATION
- E_IO_FAILURE
7. Success Criteria
- Byte-for-byte CID agreement (≥ 3 platforms)
- Zero false positives in verify()
- Idempotent concurrent put()
- COR/1 import/export round-trips cleanly
8. GC Semantics (Behavioural)
- Reachability from configured roots
- Dry-run mode MUST NOT delete
- Removal MUST be atomic per object
9. Acceptance Criteria (Phase Exit)
- Golden vectors published
- Cross-impl CI passing
- COR/1 and ICD/1 documented in DDS
- Security posture validated by SEC
10. Traceability
- Requirements link to tests/defects in Phase Packs
- ADRs reference affected FR/NFR IDs
11. Future Phases
- Multi-object transactions bind to instance_id
- Provenance graph consumes COR/1 metadata
12. Functional Primitive Surface (FPS/1)
Defines the canonical deterministic operations over canonical payloads. Each primitive produces exactly one payload and one CID.
| Primitive | Signature | Description | Determinism / Errors |
|---|---|---|---|
| put | (payload_bytes) → CID | Canonical write, atomic fsync ladder. | ADR-006 ERR_IO_FAILURE, ERR_NORMALIZATION. |
| get | (CID) → payload_bytes | Fetch canonical bytes. | ERR_CID_NOT_FOUND. |
| slice | (CID, offset, length) → CID | Extract contiguous bytes. | ERR_SLICE_RANGE. |
| concatenate | ([CID₁,…,CIDₙ]) → CID | Sequential join of payloads. | ERR_EMPTY_INPUTS. |
| reverse | (CID, level) → CID | Reverse payload order (bit/byte/word/long). | ERR_REV_ALIGNMENT, ERR_INVALID_LEVEL. |
| splice | (CID_a, offset, CID_b) → CID | Insert payload b into a at offset. | ERR_SPLICE_RANGE. |
Determinism: identical inputs → identical outputs. Immutability: inputs never mutated. Closure: outputs valid for reuse as inputs to any primitive. Error handling: all symbolic per ADR-006.
Appendix A — Surface Version Table
| Surface | Version | Notes |
|---|---|---|
| FCS/1 | v1-min | Canonical execution descriptors; governance captured in FCT/1. |
| FER/1 | v1.1 | Receipts enforce parity-first evidence, run_id dedup, typed logs, and RNG discipline (ADR-017). |
| FCT/1 | v1.0 | Certification transactions binding policy/intent/attestations with FER/1 sets. |
| FPD/1 | v1.0 | Publication digest linking FCT/1 to FER/1 receipts for federation replay. |
Document History
- 0.2.1 (2025-10-26) — Phase Pack pointer updated; no semantic changes; archival preserves historical lineage per ADR-002.
- 0.2.2 (2025-10-26) — Promoted PH01 baseline to Approved; synchronized Phase Pack §1 anchors and closure snapshot.
- 0.2.3 (2025-10-27) — Added future scope alignment note pointing to FPS/1 and ADR-015; PH01 semantics remain unchanged.
- 0.2.4 (2025-11-14): Added FR-014–FR-019 for FCS/1 composition, FER/1 receipts, and FCT/1 certification policies.
- 0.2.5 (2025-11-15): Added FR-021 (formerly FR-020) enforcing acyclic FCS/1 composition and PCB1 arity validation.
- 0.2.6 (2025-11-19): Registered FR-020 Deterministic Execution Envelope (Maat’s Balance) with timing evidence tags.
- 0.3.0 (2025-11-02): Trimmed FCS/1 to execution-only (v1-min) under FR-014/FR-015; moved policy/intent/scope/role/authority to FCT/1 (FR-017); clarified registry admission behaviour and kept FER/1 unchanged.
- 0.3.1 (2025-11-21): Updated FR-016 to require parity-first FER/1 receipts with executor sets, parity vectors, and FR-020 aligned timestamps.
- 0.3.2 (2025-11-22): Registered FR-022 Federation Publication Digest (FPD/1) requirement tying FCT/1 publications to single-digest evidence and canonical logging.
- 0.3.4 (2025-11-07): Recorded FER/1 v1.1 requirement for Phase 04 and added surface version table.
- 0.3.5 (2025-11-08): Registered PH04 linkage & semantic placeholder requirements (FR-028…031).
- 0.3.6 (2025-11-09): Promoted FR-028…031 to normative linkage requirements with CRS/1 validator enforcement.
- 0.3.7 (2025-11-08): Finalized FR-028…031 with CRS/1 immutability, GS/1 linkage, and certification coverage.
- 0.3.8 (2025-11-09): Promoted FR-028…FR-031 for concept-native domain and publication validation.
- 0.3.9 (2025-11-09): Documented operational linkage: router endpoints, deterministic /links, and parent-required publish policy guidance.
- 0.3.10 (2025-11-11): Registered FR-030 stateless, content-anchored FPD feed pagination requirement.
- 0.3.11 (2025-11-09): Extended FR-031 with WT/1 intake endpoints, validation, and evidence log references.
- 0.3.12 (2025-11-20): Tightened FR-031 with wt.pubkey bindings, signature preimage exclusion, lineage/policy errors, and expanded WT/1 vector evidence coverage.
- 0.3.13 (2025-11-21): Updated FR-031 for has_pubkey bindings (ERR_WT_KEY_UNBOUND), intent registry enforcement (ERR_WT_INTENT_UNREGISTERED), lineage policy rejection (ERR_WT_PARENT_REQUIRED), and expanded WT/1 vectors TV-WT-001…009.
- 0.3.14 (2025-11-22): WT/1 intake and SOS/1 compat overlays proven with PH04-M4/M5 audit evidence.
- 0.3.15 (2025-11-22): Recorded ADR-025/026 compat path requirements and evidence anchors for FR-031.
- 0.3.16 (2025-11-23): Compat lane now enforces ADR-025/026 validators (MPR/1 hash triple, IER/1 replay) with updated evidence surfaces.
- 0.3.17 (2025-11-24): Added FR-032–FR-034 for CT/1 replay determinism, numeric stability, and header integrity (ADR-027/028).
- 0.4.0 (2025-11-11): Added FR-BS-001…005 for ByteStore identity, atomic durability, SA/PA isolation, COR round-trip, and streaming determinism linked to DDS §11 / ADR-030.