diff --git a/docs/canon-vs-runtime.md b/docs/canon-vs-runtime.md new file mode 100644 index 0000000..a0d2879 --- /dev/null +++ b/docs/canon-vs-runtime.md @@ -0,0 +1,73 @@ +# Canon vs Runtime + +LogLine is canon first. A runtime is an implementation that claims adherence to +a specific canon version. + +## Canon + +The canon defines the normative shape: + +```text +who +did +this +when +confirmed_by +if_ok +if_doubt +if_not +status +``` + +The canon owns: + +- required positions; +- textual and JSON shape; +- route classes; +- lifecycle vocabulary; +- evidence expectations; +- conformance cases; +- versioned normative changes. + +## Runtime + +A runtime executes, validates, walks, optimizes, and reports. It may be written +in Rust, Python, JavaScript, or another language. + +A runtime owns: + +- parser implementation; +- validator implementation; +- evidence adapters; +- CLI or SDK surface; +- performance strategy; +- storage strategy; +- receipts emitted by that implementation. + +It does not own the norm. + +## Conformance + +An implementation should be able to say: + +```text +I implement LogLine canon version X. +I ran conformance suite Y. +These receipts prove the observed result. +``` + +Conformance is measured against published artifacts, not against hidden behavior +inside the Rust runtime. + +## Boundary + +The Rust runtime is the reference implementation. It is important, but not +sovereign. + +The authority chain is: + +```text +canon -> conformance corpus -> receipts -> implementation report +``` + +The runtime sits in the implementation layer. diff --git a/docs/evidence-model.md b/docs/evidence-model.md new file mode 100644 index 0000000..e2494a1 --- /dev/null +++ b/docs/evidence-model.md @@ -0,0 +1,124 @@ +# Evidence model + +## Purpose + +`confirmed_by` is the pivot of the LogLine runtime. It determines whether a +candidate act has enough evidence to move toward `if_ok`, must remain in +`if_doubt`, or should be rejected by `if_not`. + +## Evidence kinds + +### none + +No evidence was supplied. + +Rules: + +- MUST NOT release consequence by default. +- MAY enter `if_doubt` for clarification, suspension, or simulation. +- MAY be allowed only by explicit override or narrow canon rule. + +### token + +A named witness or local capability token. + +Example: + +```text +ana +operator:dan +``` + +Rules: + +- Useful for local workflows. +- Not sufficient for strong public verification unless mapped to authority. + +### receipt + +A prior runtime artifact proving that a bounded observation occurred. + +Example: + +```text +receipt:sha256:abc... +``` + +Rules: + +- SHOULD be dereferenceable or reproducible. +- MUST define scope. +- MUST NOT be generalized beyond its observed claim. +- MAY be referenced by `receipt_hash` in `evidence.input_receipts`. +- MAY become `confirmed_by` evidence for a later LogLine when its scope matches + the later claim. +- MUST keep the canonical slots at top level when encoded as a LogLine receipt. + +### digest + +A cryptographic digest of a tuple, artifact, stdout, input, or receipt. + +Example: + +```text +digest:sha256:abc... +``` + +Rules: + +- Identifies bytes or canonical tuple identity. +- Does not by itself prove authority, intent, or execution. + +### signature + +A verifiable signature over a canonical message. + +Example: + +```text +signature:ed25519:... +``` + +Rules: + +- Requires key, algorithm, message, and verification result. +- SHOULD be linked to DID or authority document in future versions. + +### quorum + +A threshold witness pattern. + +Example: + +```text +quorum:2:release_committee +``` + +Rules: + +- Duplicate witnesses MUST NOT count twice. +- Quorum scope MUST be declared. +- Quorum result SHOULD produce a receipt. + +## Evidence collapse + +Evidence collapse means the runtime has enough scoped evidence to route toward +`if_ok`. It does not mean broad truth, production safety, or human-signature +approval unless those are explicitly part of the claim and receipt. + +## Receipt hashes + +Receipt encoding distinguishes three identities: + +```text +tuple_hash identity of exactly the nine-slot LogLine tuple +result_hash identity of the produced result +receipt_hash identity of the historical receipt emission +``` + +`tuple_hash` uses the LogLine length-prefixed tuple profile. + +`result_hash` and `receipt_hash` use JCS / RFC 8785 canonical JSON with SHA-256 +in v0. + +Changing transport changes `receipt_hash`, but not `result_hash`. diff --git a/docs/if-doubt-package-notes.md b/docs/if-doubt-package-notes.md new file mode 100644 index 0000000..7d5b0ff --- /dev/null +++ b/docs/if-doubt-package-notes.md @@ -0,0 +1,36 @@ +# LogLine Canon Improvement Pack - if_doubt as auditable simulation + +This package turns the raw improvement list into repo-ready source documents. +It is intended as a draft bundle for the next canonical move. + +Central sentence: + +```text +confirmed_by collapses evidence. if_ok releases the real. if_doubt simulates the possible. if_not records the false. status closes the history. +``` + +## Contents + +```text +spec/if-doubt-simulation.md +spec/if-doubt-canon-addendum.md +spec/logline-canon.schema.json +spec/grammar-delta-if-doubt.ebnf +lips/LIP-0002-if-doubt-auditable-simulation.md +docs/implementation-backlog.md +docs/evidence-model.md +docs/release-discipline.md +docs/runtime-declaration.md +docs/governance-delta.md +docs/modes.md +docs/implementation-plan.md +conformance/cases.json +conformance/README.md +proposals/proposta-melhoria-canon-if-doubt.md +``` + +## Editorial stance + +This pack does not claim implementation. It defines the intended canonical rule, +the receipt shape, the conformance fixture shape, and the implementation path. +Runtime verification still requires the Rust CLI or another conforming runtime. diff --git a/source/README.md b/source/README.md new file mode 100644 index 0000000..515aac0 --- /dev/null +++ b/source/README.md @@ -0,0 +1,3 @@ +# source/ + +Canon and adapter specs described in the LogLine language itself (dogfooding). Not normative — the markdown specs in `spec/` are. These files demonstrate the language can describe its own protocols. diff --git a/source/adapter-conformance.logline b/source/adapter-conformance.logline new file mode 100644 index 0000000..5a45621 --- /dev/null +++ b/source/adapter-conformance.logline @@ -0,0 +1,7 @@ +adapter_conformance define_conformance adapter_protocol_conformance lip_0006 confirmed_by canon_governance if_ok accept_adapter_conformance_report if_doubt require_more_cases if_not reject_conformance_claim status normative +adapter_conformance require adapter_conformance_is_lateral lip_0006 confirmed_by canon_governance if_ok accept_lateral_claim if_doubt clarify_claim_scope if_not reject_canon_conformance_confusion status normative +adapter_conformance require full_adapter_conformance_requires_report lip_0006 confirmed_by canon_governance if_ok accept_full_claim if_doubt mark_claim_unproven if_not reject_full_claim status normative +adapter_conformance require conformance_report_references_protocol_lips lip_0006 confirmed_by canon_governance if_ok accept_report_scope if_doubt require_lip_reference if_not reject_unscoped_report status normative +adapter_conformance require adapter_cases_include_no_slot_capture lip_0006 confirmed_by canon_governance if_ok accept_case_set if_doubt require_more_cases if_not reject_slot_capture_case_set status normative +adapter_conformance require technical_failure_is_reported_not_branch_override lip_0006 confirmed_by canon_governance if_ok accept_failure_report if_doubt mark_technical_uncertainty if_not reject_false_canonical_not status normative +adapter_conformance require conformance_runner_is_not_runtime_authority lip_0006 confirmed_by canon_governance if_ok allow_runner_projection if_doubt mark_runner_incomplete if_not reject_runner_as_canon status normative diff --git a/source/adapter-declaration-profile.logline b/source/adapter-declaration-profile.logline new file mode 100644 index 0000000..ac7d0ea --- /dev/null +++ b/source/adapter-declaration-profile.logline @@ -0,0 +1,12 @@ +adapter_declaration_profile define_profile adapter_declaration lip_0005 confirmed_by canon_governance if_ok allow_manifest_projection if_doubt quarantine_incomplete_manifest if_not reject_declaration_profile status normative +adapter_declaration_profile require adapter_identity_declared lip_0005 confirmed_by canon_governance if_ok accept_adapter_identity if_doubt require_identity_evidence if_not reject_anonymous_adapter status normative +adapter_declaration_profile require adapter_kind_declared lip_0005 confirmed_by canon_governance if_ok accept_adapter_kind if_doubt quarantine_kind_claim if_not reject_unknown_kind status normative +adapter_declaration_profile require effect_class_declared lip_0005 confirmed_by canon_governance if_ok accept_effect_class if_doubt require_effect_scope if_not reject_effect_claim status normative +adapter_declaration_profile require supported_receipt_scopes_declared lip_0005 confirmed_by canon_governance if_ok accept_receipt_scope_list if_doubt require_scope_clarification if_not reject_unscoped_adapter status normative +adapter_declaration_profile require manifest_is_auxiliary lip_0005 confirmed_by canon_governance if_ok allow_json_manifest if_doubt mark_manifest_incomplete if_not reject_manifest_as_canon status normative +adapter_declaration_profile require projection_is_not_norm lip_0005 confirmed_by canon_governance if_ok allow_projection if_doubt mark_projection_incomplete if_not reject_projection_as_norm status normative +adapter_declaration_profile define_vocabulary effect_none lip_0005 confirmed_by canon_governance if_ok allow_pure_adapter if_doubt inspect_adapter_claim if_not reject_effect_claim status normative +adapter_declaration_profile define_vocabulary effect_read lip_0005 confirmed_by canon_governance if_ok allow_read_adapter if_doubt inspect_read_scope if_not reject_read_claim status normative +adapter_declaration_profile define_vocabulary effect_write lip_0005 confirmed_by canon_governance if_ok allow_write_adapter_after_release if_doubt require_write_simulation if_not reject_write_claim status normative +adapter_declaration_profile define_vocabulary effect_external lip_0005 confirmed_by canon_governance if_ok allow_external_effect_after_release if_doubt simulation_only if_not reject_external_effect_claim status normative +adapter_declaration_profile define_vocabulary effect_irreversible lip_0005 confirmed_by canon_governance if_ok require_strong_release_evidence if_doubt block_irreversible_effect if_not reject_irreversible_effect_claim status normative diff --git a/source/adapter-protocol.logline b/source/adapter-protocol.logline new file mode 100644 index 0000000..3097f8b --- /dev/null +++ b/source/adapter-protocol.logline @@ -0,0 +1,17 @@ +adapter_protocol define_contract inbound_adapter lip_0004 confirmed_by canon_governance if_ok translate_external_input if_doubt reject_implicit_effects if_not deny_adapter_claim status normative +adapter_protocol define_contract evidence_adapter lip_0004 confirmed_by canon_governance if_ok resolve_confirmed_by if_doubt mark_unresolved_evidence if_not mark_contradicted_evidence status normative +adapter_protocol define_contract runtime_invocation_transport lip_0004 confirmed_by canon_governance if_ok invoke_runtime if_doubt report_transport_uncertainty if_not report_transport_failure status normative +adapter_protocol define_contract release_adapter lip_0004 confirmed_by canon_governance if_ok execute_released_route if_doubt simulate_without_effect if_not refuse_external_effect status normative +adapter_protocol define_contract receipt_sink lip_0004 confirmed_by canon_governance if_ok persist_phase_receipt if_doubt preserve_unwritten_receipt if_not report_receipt_failure status normative +adapter_protocol require adapter_must_not_redefine_canon lip_0004 confirmed_by canon_governance if_ok allow_adapter_registration if_doubt quarantine_adapter_claim if_not reject_adapter_claim status normative +adapter_protocol require external_input_becomes_logline_candidate lip_0004 confirmed_by canon_governance if_ok allow_runtime_walk if_doubt require_translation_receipt if_not reject_external_input status normative +adapter_protocol require confirmed_by_is_resolvable_evidence lip_0004 confirmed_by canon_governance if_ok resolve_evidence_scope if_doubt mark_evidence_unresolved if_not mark_evidence_contradicted status normative +adapter_protocol require transport_invokes_runtime_without_judging lip_0004 confirmed_by canon_governance if_ok allow_runtime_invocation if_doubt report_transport_uncertainty if_not reject_transport_judgment_claim status normative +adapter_protocol require if_ok_releases_external_effect lip_0004 confirmed_by canon_governance if_ok allow_released_execution if_doubt simulation_only if_not block_external_effect status normative +adapter_protocol require if_doubt_must_not_mutate_world lip_0004 confirmed_by canon_governance if_ok preserve_simulation_boundary if_doubt simulate_without_mutation if_not reject_doubt_execution status normative +adapter_protocol require adapter_receipts_prove_scope_not_universal_truth lip_0004 confirmed_by canon_governance if_ok accept_scoped_receipt if_doubt require_scope_clarification if_not reject_unscoped_receipt status normative +adapter_protocol require default_deny_external_effects lip_0004 confirmed_by canon_governance if_ok allow_declared_effects_after_release if_doubt simulate_effects_only if_not block_undeclared_effects status normative +adapter_protocol require branch_authority_remains_canonical lip_0004 confirmed_by canon_governance if_ok preserve_if_ok_if_doubt_if_not if_doubt reject_parallel_decision_field if_not deny_adapter_branch_override status normative +adapter_protocol require adapter_failure_is_not_canonical_rejection lip_0004 confirmed_by canon_governance if_ok report_adapter_failure_receipt if_doubt mark_technical_uncertainty if_not avoid_false_canonical_not status normative +adapter_protocol require receipt_sink_preserves_receipt_hash lip_0004 confirmed_by canon_governance if_ok accept_receipt_sink if_doubt quarantine_sink if_not reject_hash_mutating_sink status normative +adapter_protocol clarify product_examples_are_not_canonical_adapters lip_0004 confirmed_by canon_governance if_ok allow_illustrative_examples if_doubt require_scope_clarification if_not reject_product_capture status normative diff --git a/source/logline.canon.logline b/source/logline.canon.logline new file mode 100644 index 0000000..0c5f990 --- /dev/null +++ b/source/logline.canon.logline @@ -0,0 +1,15 @@ +canon define logline 0.2.0-draft confirmed_by nine_position_form if_ok allow_runtime_walk if_doubt suspend if_not reject status canonical +form require who did this when confirmed_by if_ok if_doubt if_not status +runtime walk logline at_admissibility confirmed_by evidence if_ok release_to_tower if_doubt suspend if_not deny status judge +if_doubt model auditable_simulation during_doubt confirmed_by doubt_trace if_ok record_trace if_doubt emit_simulation_receipt if_not forbid_execution status canonical +human_or_authorized_actor express_or_author intent before_runtime confirmed_by accountability if_ok enter_translation if_doubt ask_or_suspend if_not reject status source +llm_with_pocket_runtime translate natural_language before_logline confirmed_by pocket_runtime if_ok emit_logline if_doubt ghost_and_clarify if_not refuse_translation status translator +logline hold act at_runtime_boundary confirmed_by nine_position_form if_ok enter_strong_grammar if_doubt remain_unreleased if_not void status canonical_act +strong_grammar compile logline after_logline confirmed_by grammar_constraints if_ok emit_ir if_doubt return_to_logline if_not reject_shape status compiler +ir model consequence after_strong_grammar confirmed_by algebra if_ok enter_runtime_walk if_doubt suspend if_not reject status formal +tower operate released_consequence after_admissibility confirmed_by runtime_release if_ok execute if_doubt halt if_not do_not_execute status operator +evidence close consequence after_operation confirmed_by receipt if_ok commit_status if_doubt mark_open if_not mark_failed status closure +natural_language execute * before_logline confirmed_by * if_ok * if_doubt translate_with_pocket_runtime if_not forbid status forbidden +llm become automation any_time confirmed_by * if_ok * if_doubt operator_only if_not forbid status forbidden +act bypass logline any_time confirmed_by * if_ok * if_doubt suspend if_not reject status forbidden +act release * any_time confirmed_by none if_ok * if_doubt suspend if_not reject status forbidden diff --git a/spec/README.md b/spec/README.md new file mode 100644 index 0000000..46893ef --- /dev/null +++ b/spec/README.md @@ -0,0 +1,16 @@ +# Engine spec/ + +Normative-leaning artifacts that the engine implements but the canon has not yet **frozen**. + +The canon (`LogLine-Foundation/canon`) holds only what is content-frozen and citable as a stable identifier. Things here are **proposed** behavior the engine honors today, pending promotion to canon via a future LIP (see `LogLine-Foundation/governance/lips/`). + +| file | LIP | +|---|---| +| `logline.adapter.v0` | LIP-0004 (adapter protocol) | +| `logline.adapter-declaration.v0` + `.schema.json` | LIP-0005 (declaration profile) | +| `logline.adapter-conformance.v0` | LIP-0006 (adapter conformance) | +| `logline.if-doubt.v0` | LIP-0002 (if-doubt simulation) | +| `logline.if-doubt-simulation.v0` | LIP-0002 | +| `logline.if-doubt-grammar.v0` | LIP-0002 | + +Grammar (EBNF for LogLine language proper) is intentionally not here yet — it is planned to live with the `constitutional-runtime` crate in the Minilab workspace, where it is consumed by the IR layer. diff --git a/spec/logline.adapter-conformance.v0 b/spec/logline.adapter-conformance.v0 new file mode 100644 index 0000000..9cebdb3 --- /dev/null +++ b/spec/logline.adapter-conformance.v0 @@ -0,0 +1,51 @@ +# Adapter Conformance + +Status: Draft +Introduces: LIP-0006 Adapter Conformance +Depends on: LIP-0004 Adapter Protocol, LIP-0005 Adapter Declaration Profile +Primary lateral source: `../source/adapter-conformance.logline` + +## Core law + +```text +Adapter conformance is lateral. +Runtime conformance is canonical. +Do not confuse them. +``` + +## Status values + +```text +none +partial +full +failed +unknown +``` + +An adapter MUST NOT report `full` without a conformance report. + +An adapter MUST NOT claim full LogLine canon conformance merely because it +passes adapter protocol cases. + +## Minimum case families + +```text +adapter does not redefine canon +external input becomes LogLine candidate +confirmed_by is resolved or fails audibly +runtime invocation transport invokes without judging +release adapter requires if_ok before external effect +if_doubt does not mutate world by default +receipt proves scope +receipt sink preserves hash and scope +product examples do not become canonical adapters +adapter manifest is auxiliary +projection does not redefine protocol +technical failure is not automatic if_not +``` + +## Runner boundary + +A future conformance runner may execute these cases. The runner is a projection +and MUST NOT become canon authority. diff --git a/spec/logline.adapter-declaration.v0 b/spec/logline.adapter-declaration.v0 new file mode 100644 index 0000000..1a03a24 --- /dev/null +++ b/spec/logline.adapter-declaration.v0 @@ -0,0 +1,65 @@ +# Adapter Declaration Profile + +Status: Draft +Introduces: LIP-0005 Adapter Declaration Profile +Depends on: LIP-0004 Adapter Protocol +Primary lateral source: `../source/adapter-declaration-profile.logline` + +## Purpose + +The Adapter Declaration Profile defines how adapters declare identity, kind, +version, effect class, receipt scopes, and projections without becoming canon. + +## Declaration first + +Every adapter declaration MUST be expressible as a LogLine. + +Example: + +```logline +adapter:http_inbound declare_adapter inbound_http_translation 2026-05-08T10:00:00Z confirmed_by receipt:sha256:author123 if_ok accept_adapter_declaration if_doubt quarantine_adapter if_not reject_adapter status declared +``` + +JSON manifests and language projections are auxiliary. + +## Adapter kinds + +```text +inbound +evidence +runtime_invocation_transport +release +receipt_sink +``` + +## Effect classes + +```text +none +read +write +external_effect +irreversible_external_effect +``` + +Greater effect requires stronger evidence. + +## Manifest + +The JSON manifest MAY help tools, but MUST NOT replace the LogLine declaration. + +The manifest MUST NOT introduce runtime slots and MUST NOT claim branch +authority outside `if_ok`, `if_doubt`, `if_not`, and `status`. + +## Projections + +Allowed projections include JSON Schema, TypeScript interfaces, Rust traits, +Python protocols, OpenAPI specs, MCP manifests, CLI flags, HTTP endpoints, and +database schemas. + +Projection rule: + +```text +Projections implement adapter contracts. +Projections do not redefine adapter contracts. +``` diff --git a/spec/logline.adapter-declaration.v0.schema.json b/spec/logline.adapter-declaration.v0.schema.json new file mode 100644 index 0000000..c951bb5 --- /dev/null +++ b/spec/logline.adapter-declaration.v0.schema.json @@ -0,0 +1,80 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "$id": "https://logline.foundation/spec/adapter-declaration.schema.json", + "title": "LogLine Adapter Declaration Manifest", + "type": "object", + "required": [ + "adapter_id", + "adapter_version", + "adapter_kind", + "protocol_version", + "canon_version", + "effect_class", + "declaration_logline" + ], + "additionalProperties": false, + "properties": { + "adapter_id": { + "type": "string", + "pattern": "^adapter:[^\\s]+$" + }, + "adapter_version": { + "type": "string", + "minLength": 1 + }, + "adapter_kind": { + "enum": [ + "inbound", + "evidence", + "runtime_invocation_transport", + "release", + "receipt_sink" + ] + }, + "protocol_version": { + "const": "adapter-protocol-v0" + }, + "canon_version": { + "const": "0.2.0-draft" + }, + "effect_class": { + "enum": [ + "none", + "read", + "write", + "external_effect", + "irreversible_external_effect" + ] + }, + "declaration_logline": { + "type": "string", + "minLength": 1 + }, + "supports": { + "type": "array", + "items": { + "type": "string", + "minLength": 1 + }, + "uniqueItems": true + }, + "receipt_scopes": { + "type": "array", + "items": { + "enum": [ + "translation_receipt", + "evidence_receipt", + "runtime_invocation_receipt", + "release_receipt", + "execution_receipt", + "persistence_receipt" + ] + }, + "uniqueItems": true + }, + "hashes": { + "type": "object", + "additionalProperties": true + } + } +} diff --git a/spec/logline.adapter.v0 b/spec/logline.adapter.v0 new file mode 100644 index 0000000..dc820e9 --- /dev/null +++ b/spec/logline.adapter.v0 @@ -0,0 +1,67 @@ +# LogLine Adapter Protocol + +Status: Draft +Introduces: LIP-0004 LogLine Adapter Protocol +Primary lateral source: `../source/adapter-protocol.logline` + +## Core law + +```text +The canon does not create world-specific adapters. +The canon defines the canonical contracts any world adapter must obey. +``` + +The protocol is lateral. It does not replace `source/logline.canon.logline` and +does not add a runtime slot. + +## Preserved body + +```text +who did this when confirmed_by if_ok if_doubt if_not status +``` + +## Contract families + +```text +inbound_adapter +evidence_adapter +runtime_invocation_transport +release_adapter +receipt_sink +``` + +## Pipeline + +```text +world + -> adapter + -> LogLine candidate + -> evidence resolution + -> runtime invocation + -> runtime judgment + -> receipt + -> release adapter, only after if_ok + -> world +``` + +`ReceiptSink` is transversal. It may persist receipts at any +receipt-producing phase. + +## Requirements + +- An adapter MUST NOT redefine the LogLine canon. +- External input MUST become a LogLine candidate before runtime judgment. +- `confirmed_by` MUST be resolved or fail audibly. +- A runtime invocation transport invokes the runtime; it does not judge. +- A release adapter MUST NOT execute external effects unless `if_ok` was + selected. +- `if_doubt` MUST NOT mutate the world by default. +- Receipts prove scope, not universal truth. +- Technical failure MUST NOT be silently converted into canonical `if_not`. +- Product examples are illustrative only and are not canonical adapters. + +## Product examples + +Names such as Supabase, Cloudflare, MCP, GitHub, Slack, Gateway, Minilab, +passport, visa, and admission are examples only unless defined outside the canon +as concrete adapters. diff --git a/spec/logline.if-doubt-grammar.v0 b/spec/logline.if-doubt-grammar.v0 new file mode 100644 index 0000000..176fb72 --- /dev/null +++ b/spec/logline.if-doubt-grammar.v0 @@ -0,0 +1,20 @@ +(* Draft EBNF delta for if_doubt simulation. This does not replace the full + LogLine grammar; it names the additional surface forms needed by the + if_doubt auditable simulation addendum. *) + +logline = who, ws, did, ws, this, ws, when, ws, + confirmed_by, ws, if_ok, ws, if_doubt, ws, if_not, ws, status ; + +if_doubt = "if_doubt", ws, doubt_route ; +doubt_route = suspend_route | clarify_route | simulate_route | dispatch_route ; + +simulate_route = "simulate" | "emit_simulation_receipt" | "propose_possible_world" ; +clarify_route = "ask" | "ask_or_suspend" | "ghost_and_clarify" | "ask_for_evidence" ; +suspend_route = "suspend" | "halt" | "remain_unreleased" | "mark_open" ; +dispatch_route = "dispatch" | "return_to_logline" ; + +status = "status", ws, lifecycle_state ; +lifecycle_state = "draft" | "pending" | "doubt" | "confirmed" | "released" | + "closed" | "failed" | "rolled_back" | "rejected" | "void" ; + +(* Addendum rule: simulate_route never implies execution. *) diff --git a/spec/logline.if-doubt-simulation.v0 b/spec/logline.if-doubt-simulation.v0 new file mode 100644 index 0000000..9b5c19d --- /dev/null +++ b/spec/logline.if-doubt-simulation.v0 @@ -0,0 +1,131 @@ +COM CERTEZAclaim had been confirmed. + +## 5. Simulation receipt + +When a LogLine routes into `if_doubt` and a simulation is performed, the runtime +SHOULD emit a simulation receipt. + +Minimum shape: + +```json +{ + "receipt_kind": "simulation", + "canon_version": "0.2.0-draft", + "runtime": "logline-runtime-rs", + "runtime_version": "0.1.x", + "logline_digest": "sha256:...", + "branch": "doubt", + "reason": "receipt_missing", + "simulated_route": "ask_or_suspend", + "executed": false, + "released": false, + "observed": "missing evidence required by confirmed_by", + "created_at": "RFC3339 timestamp" +} +``` + +A simulation receipt is evidence of a simulation. It is not evidence that the +underlying consequence happened. + +For canonical JSON receipt encoding, see `receipt-encoding.md`. The receipt +encoding profile keeps the nine LogLine slots at top level and uses +`tuple_hash`, `result_hash`, and `receipt_hash` to distinguish tuple identity, +result identity, and historical emission identity. + +## 6. Doubt trace + +Every `if_doubt` transition SHOULD preserve a doubt trace. + +Minimum shape: + +```json +{ + "branch": "doubt", + "reason": "receipt_missing", + "simulated_route": "ask_or_suspend", + "released": false +} +``` + +Recommended reason values: + +```text +receipt_missing +evidence_missing +schema_ambiguous +witness_insufficient +quorum_duplicate +route_unknown +time_ambiguous +lifecycle_ambiguous +operator_authority_missing +runtime_capability_missing +``` + +## 7. Possible-world LogLine + +A simulation MAY generate a new LogLine candidate. A possible-world LogLine MUST +carry an epistemic marker that prevents it from being treated as fact. + +Example: + +```logline +runtime simulate candidate_act before_release confirmed_by missing_evidence if_ok propose_path if_doubt ask if_not discard status doubt +``` + +Rules: + +- A possible-world LogLine MAY be inspected, compared, rejected, or promoted by later evidence. +- A possible-world LogLine MUST NOT be released merely because it was generated. +- Promotion from possible to real requires a later runtime walk with sufficient `confirmed_by` evidence. + +## 8. Ambiguous class + +A conforming conformance suite SHOULD classify cases as: + +```text +valid +invalid +ambiguous +``` + +`ambiguous` is not half-invalid. It is material that must be routed into +`if_doubt` rather than released or rejected by guesswork. + +## 9. Canonical digest rule + +The canonical digest MUST cover exactly the 9-slot tuple: + +```text +who did this when confirmed_by if_ok if_doubt if_not status +``` + +The canonical digest MUST NOT include CLI flags, execution timestamp, env vars, +working directory, session id, adapter metadata, stdout, stderr, or receipt id. +Those belong to receipts, not to the tuple identity. + +This digest is the `tuple_hash` in the receipt encoding profile. It is not +replaced by JCS / RFC 8785 JSON canonicalization. + +## 10. Conformance obligation + +A runtime claiming support for this draft SHOULD expose a declaration: + +```json +{ + "runtime": "logline-runtime-rs", + "runtime_version": "0.1.x", + "canon_version": "0.2.0-draft", + "conformance_status": "partial", + "supports": [ + "nine_slot_tuple", + "canonical_tuple_digest", + "if_doubt_trace", + "simulation_receipt", + "valid_invalid_ambiguous" + ] +} +``` + +A runtime MUST NOT claim full conformance until it can run the conformance suite +and emit receipts for doubt simulations without executing the consequence. diff --git a/spec/logline.if-doubt.v0 b/spec/logline.if-doubt.v0 new file mode 100644 index 0000000..900aa0d --- /dev/null +++ b/spec/logline.if-doubt.v0 @@ -0,0 +1,64 @@ +# Canon Addendum - if_doubt as auditable simulation + +## Summary + +The current canon defines the 9-slot sentence, external canon files, runtime +walk, branch routing, prohibitions, and lifecycle status graph. + +This addendum keeps the 9-slot form intact and adds one canonical upgrade: +`if_doubt` becomes auditable simulation. + +## Non-breaking principles + +- The 9 slots remain unchanged. +- Existing valid LogLines remain parseable. +- `if_ok` remains the only branch that may release real consequence. +- `if_not` remains the branch that records rejection, falsification, or denial. +- `confirmed_by = none` still cannot release unless an explicit canon-level rule permits a narrow exception. + +## New normative concepts + +| Concept | Before addendum | With if_doubt addendum | +|---|---|---| +| if_doubt | suspend / ghost / clarify | auditable simulation space | +| receipt | implicit aspiration | required shape for simulation and release | +| ambiguity | runtime result but not official class | official conformance class | +| digest | implemented in Rust | specified canonically | +| runtime declaration | absent | required for conformance claims | + +## New route kinds + +The canon MAY extend `route_kinds.doubt` with: + +```json +[ + "simulate", + "emit_simulation_receipt", + "emit_doubt_trace", + "propose_possible_world", + "ask_for_evidence", + "remain_unreleased" +] +``` + +## New prohibitions + +The canon SHOULD add explicit prohibitions: + +```text +if_doubt execute consequence * * * * * if_not forbid status forbidden +if_doubt silently_convert doubt_to_ok * * * * * if_not forbid status forbidden +simulation_receipt claim execution * * * * * if_not reject status forbidden +``` + +These are expressed informally here. The exact 9-slot representation should be +settled in the canon JSON and conformance corpus. + +## Migration guidance + +1. Add `ambiguous` to conformance result taxonomy. +2. Add simulation receipt type. +3. Add doubt trace to runtime output. +4. Add CLI conformance runner. +5. Add schema validation before semantic validation. +6. Only then claim partial conformance for the addendum.