Phase 0: authority model specification and invariants #45

Merged
erikinkinen merged 4 commits from 0-authority-model-specification into main 2026-02-04 12:47:57 +01:00
Task

Closes #3


Summary

This PR freezes the Phase 0 authority model by formally specifying the conceptual entities, structural constraints, and intentional omissions that all later AES phases build upon.

The document defines what exists and how authority is represented, while deliberately avoiding any assumptions about temporal behavior, revocation semantics, enforcement, or epistemic limits.

No simulation logic is introduced in this PR.


Scope

Included

  • Formal definitions of:
    • Subjects
    • Objects
    • Capabilities
  • Explicit specification of capability rights representation
  • Structural graph invariants (Phase 0)
  • Policy and rules for reserved-but-absent fields introduced in later phases
  • Clear phase discipline and non-goals

Explicitly excluded

  • Revocation semantics
  • Delegation or attenuation rules
  • Provenance tracking
  • Temporal behavior or event semantics
  • Metrics, workloads, or experiments

Design intent

This PR establishes the conceptual and structural baseline of AES:

  • Authority is modeled as a typed directed multigraph.
  • Capabilities are the sole source of authority.
  • Rights are explicit but semantically opaque in Phase 0.
  • All identifiers, relations, and invariants are deterministic and replayable.

The specification is written to ensure that failures or limits observed in later phases can be attributed to structural properties of authority evolution, not to ambiguity or underspecification in the base model.


Phase discipline

  • The contents of docs/model.md are considered frozen for Phase 0.
  • Later phases may extend the model by adding fields or invariants.
  • Later phases must not weaken or reinterpret Phase 0 assumptions.
  • Reserved-but-absent fields are introduced explicitly and phase-scoped.
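The design intent and phase discipline above describe a typed directed multigraph whose only authority edges are capabilities with explicit but uninterpreted rights, deterministic identifiers, and reserved fields that must stay absent in Phase 0. The following checker is an added illustration, not code from the AES repository; the concrete invariants, the `RESERVED_ABSENT` field names and the sample graph are assumptions made for the example.

```python
import hashlib
import json

# Assumed for illustration: later-phase field names that a Phase 0 capability
# record must NOT carry (the PR names the topics, not the exact field names).
RESERVED_ABSENT = {"revoked_at", "delegated_from", "provenance", "issued_at"}

def node_id(kind, name):
    # Deterministic, replayable identifier derived from the node's type and name.
    return hashlib.sha256(f"{kind}:{name}".encode()).hexdigest()[:12]

def check_phase0(graph):
    """Return the list of Phase 0 invariant violations (empty means the graph passes).

    graph = {"subjects": [names], "objects": [names],
             "capabilities": [{"holder": id, "target": id, "rights": [str, ...]}]}
    Parallel capabilities between one holder and one target are allowed (multigraph).
    """
    subjects = {node_id("subject", s) for s in graph["subjects"]}
    objects = {node_id("object", o) for o in graph["objects"]}
    errors = []
    for i, cap in enumerate(graph["capabilities"]):
        present = RESERVED_ABSENT & set(cap)
        if present:
            errors.append(f"cap {i}: reserved-but-absent field(s) present: {sorted(present)}")
        # Typed directed edge: authority flows from a subject to a subject or object.
        if cap.get("holder") not in subjects:
            errors.append(f"cap {i}: holder is not a known subject")
        if cap.get("target") not in subjects | objects:
            errors.append(f"cap {i}: target is not a known subject or object")
        # Rights must be explicit; the checker never interprets what a right means.
        rights = cap.get("rights")
        if not (isinstance(rights, list) and rights and all(isinstance(r, str) for r in rights)):
            errors.append(f"cap {i}: rights must be an explicit non-empty list of strings")
    return errors

def graph_digest(graph):
    # Canonical serialization: two replays of the same model hash identically
    # regardless of key ordering in the input.
    return hashlib.sha256(json.dumps(graph, sort_keys=True).encode()).hexdigest()

# Constructed sample graph (not from the AES repository).
ALICE, DOC = node_id("subject", "alice"), node_id("object", "doc-1")
GOOD = {"subjects": ["alice"], "objects": ["doc-1"],
        "capabilities": [{"holder": ALICE, "target": DOC, "rights": ["r"]},
                         {"holder": ALICE, "target": DOC, "rights": ["w"]}]}
BAD = {"subjects": ["alice"], "objects": ["doc-1"],
       "capabilities": [{"holder": DOC, "target": ALICE, "rights": [], "provenance": None}]}

if __name__ == "__main__":
    print(check_phase0(GOOD))  # []
    print(check_phase0(BAD))   # three violations
```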

Verification

  • Model is internally consistent with Phase 0 infrastructure
  • No semantic commitments beyond Phase 0
  • Documented assumptions are explicit and auditable

Notes

This PR is intentionally specification-only.

It should be reviewed for:

  • conceptual clarity,
  • internal consistency,
  • and phase discipline,

not for behavioral correctness or security properties, which are introduced in later phases.

erikinkinen added this to the Phase 0 milestone 2026-02-04 12:33:52 +01:00
Write formal definitions for Subject, Object, Capability (#3)
All checks were successful
ci / smoke (push) Successful in 8s
clang-format / check-format (push) Successful in 8s
markdownlint / markdown-lint (push) Successful in 11s
e3e98f7149
Specify capability rights representation (#3)
All checks were successful
ci / smoke (push) Successful in 8s
clang-format / check-format (push) Successful in 8s
markdownlint / markdown-lint (push) Successful in 12s
303a58791f
Define graph invariants (#3)
All checks were successful
ci / smoke (push) Successful in 8s
clang-format / check-format (push) Successful in 7s
markdownlint / markdown-lint (push) Successful in 11s
c78f3ce893
Document reserved-but-absent fields for later phases (#3)
All checks were successful
ci / smoke (push) Successful in 7s
clang-format / check-format (push) Successful in 8s
markdownlint / markdown-lint (push) Successful in 11s
ci / smoke (pull_request) Successful in 7s
clang-format / check-format (pull_request) Successful in 8s
markdownlint / markdown-lint (pull_request) Successful in 11s
e443aad6b1
Reference
erikinkinen/AES!45