From fe17249b936fd2f8476a9d00ddb08209a7aae907 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 27 May 2026 18:05:05 +0000 Subject: [PATCH] =?UTF-8?q?epiphany(board):=20E-CONTRACT-NO-SERIALIZE-2=20?= =?UTF-8?q?=E2=80=94=20correct=20#415;=20the=20audit=20event=20stays=20ins?= =?UTF-8?q?ide?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #415 landed E-CONTRACT-NO-SERIALIZE with "serialize at the membrane" — the user sharpened it ("why should the audit event go outside?"): audit is not membrane traffic at all. It is a witness (merkle -> SPO + Lance tombstone), examined in place by the query engine; the merkle chain IS the tamper-evidence. No JSON by default; the sink is inner, not membrane; off-box copies are an infra concern, not the sink's standing behavior. Board is append-only: prepends a correction entry, leaves the prior entry intact. §1 (contracts compile types, never serialize) stands. https://claude.ai/code/session_018FqA8TfgRBHy8zF92kx4TW --- .claude/board/EPIPHANIES.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.claude/board/EPIPHANIES.md b/.claude/board/EPIPHANIES.md index d896de6f..e22cbfd0 100644 --- a/.claude/board/EPIPHANIES.md +++ b/.claude/board/EPIPHANIES.md @@ -1,3 +1,19 @@ +## 2026-05-27 — E-CONTRACT-NO-SERIALIZE-2 — correction to E-CONTRACT-NO-SERIALIZE (below): the audit event never leaves the inside; "serialize at the membrane" was the wrong half — audit is not membrane traffic at all + +**Status:** FINDING (sharpens the entry directly below; user correction via the question "why should the audit event go outside?"). The §1 half of the prior entry — *contracts compile types, never serialize; build-time serde codegen is fine* — stands. This entry replaces its "outer membrane's job" framing (board is append-only, so the prior entry is left intact and corrected here). + +The audit event does **not go outside**, and there is no reason for it to. It is a **cognitive-compliance witness** — a merkle-chained event (`merkle_root` / `prev_merkle`) that **calcifies into SPO + a Lance columnar tombstone** (cf. `E-LADDER-SERVES-MAILBOX` §6). It is **examined in place** — lance-graph *is* a query engine, so HIPAA §164.312(b) "audit review" is a query against the witness, not an export to a SIEM. The merkle chain is the tamper-evidence; no external append-only file is needed for integrity. + +- **No JSON by default.** `JsonlAuditSink` / `with_jsonl_audit` are the legacy "ship logs to Splunk" pattern this stack obsoletes — not a sanctioned boundary. +- **The audit sink is inner, not membrane.** It belongs with the SPO/Lance tissue, behind the membrane — never in the outer client-facing layer. "Emit via the membrane sink" (prior entry's "Correct shape") was wrong. +- **Off-box durability / external-auditor copies are an infra concern** — replicate the durable Lance/merkle artifact, or do a deliberate on-request export *action* at the storage edge. Egress as an explicit act on the artifact, never the sink's standing behavior, never the client membrane. + +So the lance-graph-side direction stands but with a corrected target: relocate the concrete `JsonlAuditSink` out of `lance-graph-callcenter` as an at-most-optional export adapter; callcenter keeps only the `AuditSink` trait + `UnifiedAuditEvent` type; the **canonical sink is the SPO/Lance witness projection**, not a JSON file at the membrane. + +Cross-ref: medcare-rs `CLAUDE.md` commitment #7 (corrected in MedCare-rs #159); prior entry `E-CONTRACT-NO-SERIALIZE` below. + +--- + ## 2026-05-27 — E-CONTRACT-NO-SERIALIZE — a contract crate is a compile-time handshake (shared types + traits), NOT an outer serialization boundary; JSON emission belongs at the membrane, never on the BBB/contract surface **Status:** FINDING (architectural vow, user-stated 2026-05-27 via the medcare-rs consumer session; recorded for the next session that touches the audit-sink / bridge surface — no lance-graph code change in this entry).