## Purpose
Apply the estate-wide lifecycle-boundary discipline to SociOS-Linux/source-os before Phase 4 agentic control-plane integration expands.
The current program plan in #67 already identifies the local realization spine: installer/apply/doctor/fix/report/runtime behavior, with downstream agentplane, sociosphere, prophet-cli, contractforge, and standards repos consuming artifacts and actions. The missing hardening issue is to make sure local workstation evidence, policy decisions, fix plans, runtime mutations, and report artifacts do not collapse into one implicit success/action object.
## Required discipline
Preserve this chain:
- workstation observation = evidence input
- doctor/report artifact = evidence/read path
- fix plan = proposed mutation plan
- policy/admission decision = governed decision
- runtime apply/fix = explicit mutation
- post-fix report = evidence receipt
- agentplane/sociosphere/prophet-cli = downstream consumers, not hidden authority
A doctor or report artifact must not imply a fix was performed. A fix plan must not imply policy admission. A policy/admission decision must not be treated as a completed workstation mutation. A post-fix report must not hide what changed.
## Proposed first tranche
Add a compact `WorkstationActionBoundary` / `SourceOSWorkstationBoundary` contract or equivalent validator that records:

- `artifact_kind = doctor_report | fix_plan | admission_decision | applied_fix | post_fix_report`
- `evidence_refs`
- `policy_decision_refs`
- `requested_action`
- `mutation_planned`
- `mutation_performed`
- `performed_by`
- `before_refs`
- `after_refs`
- `reversible`
- `rollback_refs`
- `downstream_consumers`
## Negative fixtures required
- doctor/report artifact claims mutation performed;
- fix plan applies without policy/admission refs;
- runtime apply/fix has no before/after evidence refs;
- post-fix report omits mutation summary;
- downstream agentplane/prophet-cli wrapper claims hidden local authority;
- raw sensitive local data appears in report payload instead of redacted/ref-only evidence.
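The contract fields above and the six negative fixtures, as an added example of what such a validator could look like. This is illustrative code, not the project's own implementation: the field names follow this issue, but the rule-to-fixture mapping, the extra `mutation_summary` field, the `ev:`/`adm:`/`rb:` ref style and the raw-data markers are assumptions made for the example.

```python
"""Added example (not SociOS-Linux/source-os code): a compact validator for the
proposed WorkstationActionBoundary contract plus the issue's negative fixtures.
Rule mapping, the mutation_summary field and the raw-data markers are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List

ARTIFACT_KINDS = {"doctor_report", "fix_plan", "admission_decision",
                  "applied_fix", "post_fix_report"}
# Read, plan and decision surfaces: none of them may record a performed mutation.
NON_MUTATING_KINDS = {"doctor_report", "fix_plan", "admission_decision"}
# Assumed: refs are opaque handles; anything resembling raw local data is rejected.
RAW_DATA_MARKERS = ("BEGIN PRIVATE KEY", "password=", "/home/")


@dataclass
class WorkstationActionBoundary:
    artifact_kind: str
    evidence_refs: List[str] = field(default_factory=list)
    policy_decision_refs: List[str] = field(default_factory=list)
    requested_action: str = ""
    mutation_planned: bool = False
    mutation_performed: bool = False
    performed_by: str = ""
    before_refs: List[str] = field(default_factory=list)
    after_refs: List[str] = field(default_factory=list)
    reversible: bool = False
    rollback_refs: List[str] = field(default_factory=list)
    downstream_consumers: List[str] = field(default_factory=list)
    mutation_summary: str = ""  # assumed field, required on post_fix_report


def validate(b: WorkstationActionBoundary) -> List[str]:
    """Return the boundary violations found (an empty list means the artifact is clean)."""
    errors: List[str] = []
    if b.artifact_kind not in ARTIFACT_KINDS:
        return [f"unknown artifact_kind {b.artifact_kind!r}"]
    # 1. A doctor/report, fix plan or admission artifact must not imply a performed fix.
    if b.artifact_kind in NON_MUTATING_KINDS and b.mutation_performed:
        errors.append(f"{b.artifact_kind} claims mutation_performed")
    if b.artifact_kind == "applied_fix":
        # 2. An explicit mutation needs a governed decision behind it.
        if not b.policy_decision_refs:
            errors.append("applied_fix has no policy/admission refs")
        # 3. ... and before/after evidence plus an accountable actor.
        if not (b.before_refs and b.after_refs):
            errors.append("applied_fix lacks before/after evidence refs")
        if not b.performed_by:
            errors.append("applied_fix has no performed_by")
        if b.reversible and not b.rollback_refs:
            errors.append("applied_fix marked reversible without rollback_refs")
    # 4. A post-fix report must say what changed.
    if b.artifact_kind == "post_fix_report" and not b.mutation_summary:
        errors.append("post_fix_report omits mutation summary")
    # 5. Downstream consumers consume; they never appear as the mutating authority.
    if b.performed_by and b.performed_by in b.downstream_consumers:
        errors.append(f"downstream consumer {b.performed_by!r} claims local authority")
    # 6. Evidence travels by reference; raw sensitive local data is rejected.
    if any(m in ref for ref in b.evidence_refs + b.before_refs + b.after_refs
           for m in RAW_DATA_MARKERS):
        errors.append("raw sensitive local data in evidence payload")
    return errors


# Constructed fixtures: one per negative case listed in the issue, plus one clean artifact.
NEGATIVE_FIXTURES: Dict[str, WorkstationActionBoundary] = {
    "doctor_claims_mutation": WorkstationActionBoundary(
        "doctor_report", evidence_refs=["ev:1"], mutation_performed=True),
    "fix_applied_without_admission": WorkstationActionBoundary(
        "applied_fix", mutation_performed=True, performed_by="socios-runtime",
        before_refs=["ev:1"], after_refs=["ev:2"]),
    "apply_without_before_after": WorkstationActionBoundary(
        "applied_fix", policy_decision_refs=["adm:7"], mutation_performed=True,
        performed_by="socios-runtime"),
    "post_fix_report_no_summary": WorkstationActionBoundary(
        "post_fix_report", evidence_refs=["ev:2"]),
    "wrapper_claims_authority": WorkstationActionBoundary(
        "applied_fix", policy_decision_refs=["adm:7"], mutation_performed=True,
        performed_by="prophet-cli", before_refs=["ev:1"], after_refs=["ev:2"],
        downstream_consumers=["agentplane", "prophet-cli"]),
    "raw_data_in_report": WorkstationActionBoundary(
        "doctor_report", evidence_refs=["password=hunter2"]),
}
VALID_APPLIED_FIX = WorkstationActionBoundary(
    "applied_fix", evidence_refs=["ev:1"], policy_decision_refs=["adm:7"],
    requested_action="enable_firewall", mutation_planned=True, mutation_performed=True,
    performed_by="socios-runtime", before_refs=["ev:1"], after_refs=["ev:2"],
    reversible=True, rollback_refs=["rb:1"], downstream_consumers=["agentplane"])


def run_negative_fixtures() -> Dict[str, List[str]]:
    """Every negative fixture must be rejected; returns the violations per fixture."""
    return {name: validate(b) for name, b in NEGATIVE_FIXTURES.items()}
```

The fixtures double as regression tests for the contract: each one must keep producing at least one violation, and the clean `applied_fix` must produce none, so a later change that lets a report surface record a mutation shows up as a fixture that unexpectedly passes.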
## Acceptance criteria
## Boundary
This issue is not requesting a new fix/apply implementation. It is the contract hardening pass so future agentic workstation automation cannot silently turn read/report surfaces into mutation surfaces.