|
| 1 | +// SPDX-License-Identifier: PMPL-1.0-or-later |
| 2 | += Plan — verisim-modular-experiment |
| 3 | +Jonathan D.A. Jewell <j.d.a.jewell@open.ac.uk> |
| 4 | +:toc: |
| 5 | +:sectnums: |
| 6 | + |
| 7 | +*Type:* research plan (not feature plan). Phases have decision gates that |
| 8 | +can terminate the experiment with a positive or negative result. A |
| 9 | +negative result (octad-is-indivisible) is an acceptable outcome and |
| 10 | +strengthens the main verisimdb documentation. |
| 11 | + |
| 12 | +*Cadence:* light. User has many other active projects. Run in background |
| 13 | +between higher-priority work. No ship deadline. |
| 14 | + |
| 15 | +== Scope boundaries |
| 16 | + |
| 17 | +[cols="1,3",options="header"] |
| 18 | +|=== |
| 19 | +|In scope |Out of scope |
| 20 | + |
| 21 | +|Articulating the identity core vs. federable shapes |Refactoring main `verisimdb/` |
| 22 | +|Federation contract Idris2 ABI design |Production implementation |
| 23 | +|One reference federated shape + one dogfood client |Full parity with octad |
| 24 | +|Honest degradation documentation |Maintaining both monolith + modular long-term |
| 25 | +|VCL consonance-preservation proofs |New VCL features |
| 26 | +|=== |
| 27 | + |
| 28 | +== Phases and decision gates |
| 29 | + |
| 30 | +=== Phase 0 — Octad archaeology |
| 31 | + |
| 32 | +*Goal:* inventory the octad's shapes and their current VCL-visible contracts. |
| 33 | +No code written. |
| 34 | + |
| 35 | +*Activities:* |
| 36 | + |
| 37 | +* Read main `verisimdb/` sources to enumerate the eight shapes |
| 38 | +* For each shape, document: |
| 39 | + - What invariants does VeriSim *enforce* about it? |
| 40 | + - What does VeriSim merely *expose* about it to VCL? |
| 41 | + - Which VCL constraints cross this shape's boundary? |
| 42 | + |
| 43 | +*Artifact:* `docs/OCTAD-SHAPES.adoc` — inventory with per-shape contract surface. |
| 44 | + |
| 45 | +*Decision gate:* none. This phase is descriptive. |
| 46 | + |
| 47 | +*Dependency:* needs read access to main verisimdb sources (already have). |
| 48 | + |
| 49 | +--- |
| 50 | + |
| 51 | +=== Phase 1 — Core identification |
| 52 | + |
| 53 | +*Goal:* produce a candidate `Core ⊆ Octad` split with justifications. |
| 54 | + |
| 55 | +*Activities:* |
| 56 | + |
| 57 | +* Apply the _closure test_ per shape: is this invariant VeriSim-enforced |
| 58 | + (core candidate) or can it be externally honoured + checked (federable |
| 59 | + candidate)? |
| 60 | +* For each federable candidate, sketch the degradation story (what |
| 61 | + VCL claims weaken if this shape is omitted from a federation?) |
| 62 | +* Stress-test with adversarial cases: can VCL compose claims across the |
| 63 | + proposed `Core/Federable` boundary? |
| 64 | + |
| 65 | +*Artifact:* `docs/CORE-CANDIDATES.adoc` — split with justification per |
| 66 | +shape + degradation table. |
| 67 | + |
| 68 | +*Decision gates:* |
| 69 | + |
| 70 | +* **Trivial core (|Core| ≤ 1)** → experiment collapses to "VeriSim is an |
| 71 | + audit wrapper". *Negative result, stop.* |
| 72 | +* **Full octad (|Core| = 8)** → octad is indivisible. *Negative result, |
| 73 | + stop and write up.* |
| 74 | +* **Non-trivial split (2 ≤ |Core| ≤ 6)** → proceed to Phase 2. |
| 75 | + |
| 76 | +--- |
| 77 | + |
| 78 | +=== Phase 2 — Federation contract design |
| 79 | + |
| 80 | +*Goal:* state the typed contract a federable shape must honour, in Idris2, |
| 81 | +such that VCL's consonance claims over a federation are sound. |
| 82 | + |
| 83 | +*Activities:* |
| 84 | + |
| 85 | +* Draft `src/abi/FederationContract.idr` — the ABI honoured by any |
| 86 | + federated shape |
| 87 | +* Prove contract composability: federating shape A + shape B under the |
| 88 | + contract does not weaken claims about A or B or Core (non-interference) |
| 89 | +* Document the reduced-guarantee story formally |
| 90 | + |
| 91 | +*Artifacts:* |
| 92 | + |
| 93 | +* `src/abi/FederationContract.idr` |
| 94 | +* `spec/federation-contract.adoc` — prose + type-level statement |
| 95 | +* `PROOF-NEEDS.md` updated with discharged obligations |
| 96 | + |
| 97 | +*Decision gate:* |
| 98 | + |
| 99 | +* **Contract unstateable in Idris2 without losing guarantees** → |
| 100 | + indivisibility confirmed by a different route. *Negative result, stop.* |
| 101 | +* **Contract states cleanly + non-interference proved** → proceed to |
| 102 | + Phase 3. |
| 103 | + |
| 104 | +--- |
| 105 | + |
| 106 | +=== Phase 3 — Reference core + one federated shape |
| 107 | + |
| 108 | +*Goal:* working reference implementation of VerisimCore with exactly one |
| 109 | +shape federated through the contract. |
| 110 | + |
| 111 | +*Choice of federated shape:* probably *temporal* — well-understood ordering |
| 112 | +semantics, easy to expose invariants externally, common in real systems. |
| 113 | + |
| 114 | +*Activities:* |
| 115 | + |
| 116 | +* Implement minimal VerisimCore (identity + provenance + VCL runtime + |
| 117 | + consonance prover) |
| 118 | +* Implement federation adapter for temporal shape via Zig FFI |
| 119 | +* Write VCL test cases that exercise claims crossing Core/temporal boundary |
| 120 | +* Verify consonance is preserved vs. equivalent full-octad run |
| 121 | + |
| 122 | +*Artifacts:* |
| 123 | + |
| 124 | +* Reference implementation (language TBD — Julia for Core? Zig for FFI? |
| 125 | + Decide in Phase 2 as contract crystallises) |
| 126 | +* Integration tests |
| 127 | +* Benchmark comparison vs. full octad for shared claims |
| 128 | + |
| 129 | +*Decision gate:* |
| 130 | + |
| 131 | +* **VCL composes correctly across boundary, tests pass** → proceed to |
| 132 | + Phase 4. |
| 133 | +* **VCL claims fail to compose, or require weakening** → revisit Phase 1/2 |
| 134 | + split or declare indivisibility. |
| 135 | + |
| 136 | +--- |
| 137 | + |
| 138 | +=== Phase 4 — Dogfood on KRLAdapter.jl |
| 139 | + |
| 140 | +*Goal:* validate that a real client can be satisfied by VerisimCore + |
| 141 | +federation, not by the full octad. |
| 142 | + |
| 143 | +*Activities:* |
| 144 | + |
| 145 | +* Wire `KRLAdapter.jl` against VerisimCore (already earmarked for this per |
| 146 | + `vcl-rename.md` memory) |
| 147 | +* Verify it can do what it needs with only identity + provenance (+ |
| 148 | + temporal via federation?) |
| 149 | +* Document what it *cannot* do that the full octad would enable |
| 150 | +* Decide: is the reduced capability acceptable for this client? |
| 151 | + |
| 152 | +*Artifacts:* |
| 153 | + |
| 154 | +* Working `KRLAdapter.jl` ↔ VerisimCore integration |
| 155 | +* Degradation report for this client |
| 156 | + |
| 157 | +*Decision gate:* |
| 158 | + |
| 159 | +* **KRLAdapter.jl satisfied** → positive result, proceed to Phase 5. |
| 160 | +* **KRLAdapter.jl needs more than Core provides** → either revisit the |
| 161 | + Core split (maybe too slim) or declare "this client needs the octad" |
| 162 | + (useful finding either way). |
| 163 | + |
| 164 | +--- |
| 165 | + |
| 166 | +=== Phase 5 — Write-up |
| 167 | + |
| 168 | +*Goal:* capture findings so the work isn't lost. |
| 169 | + |
| 170 | +*If positive result:* |
| 171 | + |
| 172 | +* Publish federation contract spec |
| 173 | +* Write adoption guide: "when to use VerisimCore vs. full octad" |
| 174 | +* Propose whether modular VerisimCore ships as a real product, stays |
| 175 | + experimental, or informs a refactor of main verisimdb |
| 176 | + |
| 177 | +*If negative result:* |
| 178 | + |
| 179 | +* Formal indivisibility argument → fold into main `verisimdb/` docs as |
| 180 | + justification for the octad |
| 181 | +* Document which shapes are most "federation-resistant" and why |
| 182 | + |
| 183 | +*Artifact:* `docs/FINDINGS.adoc` with conclusions + recommendations. |
| 184 | + |
| 185 | +== Risks and off-ramps |
| 186 | + |
| 187 | +[cols="2,3",options="header"] |
| 188 | +|=== |
| 189 | +|Risk |Mitigation |
| 190 | + |
| 191 | +|Scope creep into reimplementing VeriSim |
| 192 | +|Phase gates. Minimum viable Core only. Zero production concerns. |
| 193 | + |
| 194 | +|VCL's internal structure makes the split impossible to state |
| 195 | +|That *is* the result. Negative results are acceptable outcomes. |
| 196 | + |
| 197 | +|Federation contract requires bidirectional trust we can't provide |
| 198 | +|Document as a constraint on which external DBs can federate. |
| 199 | + |
| 200 | +|Competes for attention with higher-priority work |
| 201 | +|Light cadence. No deadline. Park between phases if needed. |
| 202 | + |
| 203 | +|Findings don't translate back to main verisimdb |
| 204 | +|Phase 5 has explicit fold-back artifact for negative case. |
| 205 | +|=== |
| 206 | + |
| 207 | +== Dependencies |
| 208 | + |
| 209 | +* *Main `verisimdb/`* — read-only reference for Phase 0–1. No modifications. |
| 210 | +* *VCL spec* — need current spec for Phase 1 (check `verisimdb/` + memory files). |
| 211 | +* *KRLAdapter.jl* — Phase 4 client. Kept at Verisim-interface-slot per memory. |
| 212 | +* *Idris2 toolchain* — Phase 2 onward. |
| 213 | +* *Zig toolchain* — Phase 3 onward. |
| 214 | +* *Dedicated VeriSimDB instance* — if experiment needs one, allocate a new |
| 215 | + port (8097 is next free per `feedback_verisimdb_policy.md`). Decide in |
| 216 | + Phase 3. |
| 217 | + |
| 218 | +== Working conventions |
| 219 | + |
| 220 | +* Each phase gets a dated session log in `docs/sessions/` |
| 221 | +* Decision gates are recorded in `PROOF-NEEDS.md` as discharged or refuted |
| 222 | + obligations |
| 223 | +* Folded-back findings to main verisimdb are tracked in `docs/FOLDBACK.adoc` |
| 224 | +* VCL is the current name (not VQL) |
| 225 | +* No fragmenting main verisimdb until after Phase 5 |
| 226 | + |
| 227 | +== Next action |
| 228 | + |
| 229 | +Phase 0, activity 1: read main `verisimdb/` sources and enumerate the |
| 230 | +octad's eight shapes. |
0 commit comments