9.0 KiB
Native Kanban/SOT Canon
Status: KCR-001–016 independently cleared; canonical publication is in progress under issue #751
Date: 2026-07-14
Implementation hold: no feature implementation starts until this canon is squash-merged to main with terminal-green CI; after merge, every slice remains held until its KBN prerequisite graph is satisfied.
Artifacts
| Artifact | Purpose |
|---|---|
| Canonical requirements | Canonical P0–P3 requirements, all seven ratified decisions, fixed invariants, thin MVP, recovery tiers, non-goals, and per-requirement acceptance criteria |
MISSION-MANIFEST.md |
Mission/authority boundaries, exact role chain, gate model, mandatory SecReview triggers, Certifier final/no-merge rule, and collision-free slice ownership |
TASKS.md |
Dependency-ordered, bounded P0–P3 slices with IN/OUT scope, dependencies, shared contracts, file ownership, evidence, and USC coder2/3/4/5 parallelization |
SHARED-CONTRACT.md |
Remediated v1 integration contract: proof authority, exact failures/routes/DTOs/MCP ownership, concrete current-main field migration map, relational invariants, Coordinator split, recovery delivery |
contracts/kanban-schema.v1.ts |
Drizzle target declarations including exact owner/principal membership, project congruence, tags/archive, proposals, persisted assignments, monotonic fences, durable retry, immutable evidence/audit |
contracts/mechanical-coordinator.v1.ts |
Pure snapshot decision engine separated from persistence/service adapter; ID-bound approvals, bigint-safe fences, durable retry/quarantine, artifact-backed checkpoints, exact failures |
contracts/health-state.v1.ts |
Discriminated public health, separate branded transaction-local write proof, and non-overlapping denial/transport/version-conflict mappings |
contracts/recovery-posture.v1.ts |
Provider-neutral shape schema plus normative runtime refinement, cross-field constraints, and Lite/Standard/High-assurance defaults |
tsconfig.json |
Strict no-emit project scope for linting and compiling the four frozen TypeScript contracts against the current Stack Drizzle declarations |
DOCUMENTATION-CHECKLIST.md |
Publication documentation gate and implementation-slice deferrals |
| Initial independent review | KCR-001–016 findings that blocked the first draft |
| Final independent re-review | Closure matrix, reproducible validation evidence, and GO verdict |
| Ultron final gate | Final requirements, authority, schema, migration, recovery, decomposition, and evidence review GO |
Recommended USC lane partition
| Lane | Natural seam | Exclusive ownership |
|---|---|---|
| coder2 | Schema + migrations + recovery slice | Unified Drizzle schema, migration SQL/meta/journal/tests, then recovery parser/mechanism/runbook files |
| coder3 | Domain + Gateway + MCP server | Workspace-safe repositories, DTOs/controllers/services, exact apps/gateway/src/mcp/** files, health proof, proposals, Coordinator persistence adapter |
| coder4 | Pure Coordinator + tooling | packages/coord mechanical engine, CLI/MCP consumers, generated projection, one-way importer and cutover tooling; lane-serialized internally |
| coder5 | Web | Tasks/Projects Kanban/List/detail and later Coordinator/migration-review UI |
| Mos | Serialized integration | Canon publication, frozen-contract changes, shared-root/exports, integration gates, merge authority |
The safe order is KBN-010 → KBN-100 → KBN-105, then coder3 Gateway/MCP server, coder4 CLI/projection, coder5 web, and coder2 recovery can proceed on disjoint files. coder4 then runs pure Coordinator → importer → cutover tooling serially. No two active slices edit the same files.
Recovery defaults
| Tier | RPO / RTO | WAL / PITR | Base backup | Restore / break-glass | Off-cluster |
|---|---|---|---|---|---|
| Lite | 24h / 24h | disabled / disabled | daily | quarterly / annual | encrypted separate target |
| Standard | 1h / 8h | q15m / 14d | daily | quarterly / semiannual | encrypted separate object storage |
| High-assurance | 15m / 4h | q5m / 35d | daily | monthly / quarterly | encrypted base+WAL, separate failure domain |
These knobs affect recovery posture only. PostgreSQL remains the sole writable SOT in every tier. Fail-closed writes, generated-file non-authority, attributable post-recovery proposals, non-LLM Coordinator limits, and Certifier final-gate/no-merge authority are fixed for every tier.
Non-blocking implementation sub-decisions for Mos
The source plan and ratified seven decisions resolve all build-blocking product choices. The following implementation-local selections remain for the owning slices/Mos and must not weaken v1:
- Exact PostgreSQL write-health probe SQL and bounded proof lifetime; authority and failures are frozen.
- Dependency-cycle serialization mechanism (recursive CTE plus transaction/advisory lock or equivalent); required behavior is frozen.
- Whether RLS lands in the first migration or immediately after the tested session-context pattern; workspace constraints/repository authorization are required from migration one.
- Concrete off-cluster backup provider/bucket and selected production recovery tier; High-assurance minima are frozen if selected.
- Cutover reconciliation thresholds and stabilization duration, to be owner-approved before P3 execution.
None authorizes a second writer, dual sync, LLM scheduling, Coordinator gate waiver/merge, or Certifier merge authority.
Publication validation evidence
- Concrete TypeScript contracts are formatted with repository Prettier.
- All four contracts pass strict TypeScript no-emit checking against the current Stack Drizzle toolchain.
- Contract remediation and KCR-001–016 traceability are recorded in the issue scratchpad and linked review reports.
- Independent re-review returned GO with KCR-001–016 closed; implementation remains held until canon merge and the dependency-ordered KBN prerequisites complete.