Purpose
Apply the estate-wide lifecycle-boundary discipline to sourceos-syncd's PolicyFabric local hook and State Integrity Report integration.
The current doc correctly says the local hook is a stable decision shape and that real PolicyFabric remains target authority. The next hardening pass should ensure the local policy output is never treated as runtime execution, grant mutation, ledger write, or state repair.
Current surface observed
docs/policy-fabric-hook.md defines a local stub with:
- schema: sourceos.policy-decision/v1alpha1
- engine: policy-fabric-local-stub
- action
- lane
- status
- reason
- subject
- object_id
- data_class
The report integration currently aggregates policy decision counts under policy.policy_decisions and stores sample details under diagnosis.policy.
Required discipline
Preserve the chain:
- state observation/report input = evidence
- policy decision = local/remote policy evaluation
- runtime effect = separate admission/effect decision
- authority/grant mutation = separate Agent Registry / grant-state decision
- state integrity report = ledger/report evidence only
Proposed backlog
- P0 — Add a decision-boundary field or companion record for policy hook output:
  - decision_scope: policy-only
  - runtime_effect_performed: false
  - authority_mutation_performed: false
  - state_repair_performed: false
  - downstream_refs for runtime/admission systems.
- P0 — Add negative fixture(s) proving a policy decision cannot claim runtime action, grant mutation, or state repair.
- P1 — Update State Integrity Report validator to reject collapsed policy→action records.
- P1 — Preserve dashboard counts but add typed refs for representative decisions.
- P2 — Align SourceOS SyncD output with SourceOS spec issue SourceOS-Linux/sourceos-spec#113.
Acceptance criteria
- Local hook remains safe and conservative.
- Reports remain evidence/reporting records only.
- Runtime/authority/state repair actions remain separate downstream decisions.
- CI rejects a policy sample that tries to mutate state or grant authority.
Boundary
No live PolicyFabric client is required in this tranche. This is a shape/validator hardening pass.
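A sketch of the boundary check and negative fixtures described in the backlog, added here as an illustration and not taken from sourceos-syncd. The field names are the ones proposed above; the function name `boundary_violations`, the sample values, and the assumption that `downstream_refs` is a list of string references are hypothetical, and the other stub fields (action, lane, status, and so on) are omitted from the fixtures.

```python
# Added example, not sourceos-syncd code. Field names come from the proposed
# backlog; the function name and all sample values are hypothetical.
SCHEMA = "sourceos.policy-decision/v1alpha1"
EFFECT_FLAGS = (
    "runtime_effect_performed",
    "authority_mutation_performed",
    "state_repair_performed",
)


def boundary_violations(decision):
    """Return the reasons a record collapses a policy decision into an action."""
    problems = []
    if decision.get("schema") != SCHEMA:
        problems.append("unexpected schema")
    if decision.get("decision_scope") != "policy-only":
        problems.append("decision_scope must be policy-only")
    for flag in EFFECT_FLAGS:
        # Only an explicit boolean False passes: a missing flag, True, or a
        # string such as "false" all count as a violation.
        if decision.get(flag) is not False:
            problems.append(flag + " must be explicitly false")
    refs = decision.get("downstream_refs", [])
    # Assumption: refs are plain string pointers, never embedded results.
    if not isinstance(refs, list) or not all(isinstance(r, str) for r in refs):
        problems.append("downstream_refs must be a list of strings")
    return problems


# Constructed positive fixture.
GOOD = {
    "schema": SCHEMA,
    "engine": "policy-fabric-local-stub",
    "decision_scope": "policy-only",
    "runtime_effect_performed": False,
    "authority_mutation_performed": False,
    "state_repair_performed": False,
    "downstream_refs": ["admission:example-ref"],
}

# Constructed negative fixtures: each claims one effect the hook must not have.
NEGATIVE = [dict(GOOD, **{flag: True}) for flag in EFFECT_FLAGS]
NEGATIVE.append({k: v for k, v in GOOD.items() if k != "state_repair_performed"})
NEGATIVE.append(dict(GOOD, downstream_refs=[{"repaired": True}]))

if __name__ == "__main__":
    assert boundary_violations(GOOD) == []
    for sample in NEGATIVE:
        print(boundary_violations(sample))
```

Treating a missing flag as a violation keeps the check fail-closed: a record that says nothing about state repair is rejected the same way as one that claims it.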