Skip to content

docs(core): state the write-bit recoverability trust model in the spec#78

Merged
cuibonobo merged 1 commit into
mainfrom
claude/issue-59-design-review-7jgwnk
Jul 10, 2026
Merged

docs(core): state the write-bit recoverability trust model in the spec#78
cuibonobo merged 1 commit into
mainfrom
claude/issue-59-design-review-7jgwnk

Conversation

@cuibonobo

Copy link
Copy Markdown
Member

Summary

Finishes the remaining work items from #59, now that its two prerequisites — #60 (undelete API) and #61 (unified versioning rule) — have both landed.

#59's own carve-out (hard delete is owner-only) merged first in #75. The rest of its checklist was explicitly blocked on undelete and association versioning existing, so it was left for follow-up. With both now in place, this PR:

  • Spec §Permissions gains a new subsection, "The write bit: a recoverability trust model," stating the model plainly:
    • A verb table: update, associate/dissociate, restoreVersion, and soft delete are all reversible (via versioning or undelete()); hard delete is never reachable through the write bit.
    • The owner/creator-only list: hard delete and setPermissions() sit outside the coarse bit entirely, because they're either irreversible or privilege-bearing — the existing setPermissions carve-out stops being an unexplained special case and becomes the pattern's first stated instance.
  • Layer 2 (grants) gains a short note on why the two permission layers use different granularities — record-level write stays one coarse bit, grants stay precise per verb — and that associate()/dissociate() ride update-own/update-any rather than getting their own grant action.
  • Test: the specific cross-entity recoverability scenario from Record-level write stays one bit — but everything it permits must be recoverable, and irreversible verbs get carved out #59's own test checklist — a write-holder soft-deletes a record, and the owner can undelete it — now that the undelete API exists to make this checkable.

Test plan

  • Added test: a write-holder soft-delete is undeletable by the owner — recoverability holds
  • pnpm --filter @haverstack/core typecheck — clean
  • pnpm --filter @haverstack/core lint — clean
  • pnpm --filter @haverstack/core test — 224 tests passing
  • prettier --check on changed files — clean

Refs #59, #60, #61


Generated by Claude Code

Finishes the remaining #59 work items now that #60 (undelete) and #61
(unified versioning) have landed:

- Spec §Permissions gains "The write bit: a recoverability trust model" —
  the verb table (update/associate/dissociate/restoreVersion/soft-delete
  are all reversible via versioning or undelete; hard delete is never
  reachable) and the owner/creator-only list (hard delete, setPermissions),
  stating plainly why those two sit outside the coarse write bit instead
  of being unexplained special cases.
- Layer 2 gains a note on why grants stay fine-grained per-verb while
  record-level write stays one coarse bit, and that associate/dissociate
  ride update-own/update-any rather than getting their own grant action.
- Test: a write-holder's soft delete is undeletable by the owner —
  the specific cross-entity recoverability scenario #59's own test
  checklist called for once the undelete API existed.
@cuibonobo cuibonobo merged commit da9c140 into main Jul 10, 2026
5 checks passed
@cuibonobo cuibonobo deleted the claude/issue-59-design-review-7jgwnk branch July 10, 2026 00:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants