@githolon/dsl 0.1.0

package/src/framework/rbac.ts

@@ -0,0 +1,418 @@
+// NOMOS — Nomos Sovereign: participants act · verify · remember LOCALLY; hosted
+// remotes are replaceable custody/transport, not truth.  ⇒ ONE Nomos GitHolon
+// wasm32-wasip1 artifact {kernel · projection · embedded
+// QuickJS engine} on V8 + WASI-shim, byte-identical everywhere.  V8 = portability; the one
+// wasm = determinism.  No native, no wasmtime, no 2nd artifact, no domain-JS on bare V8.
+// If a file isn't this / hosting this / authoring for this / proving this — it's gone.
+
+/**
+ * framework/rbac.ts — the FRAMEWORK RBAC mechanism (tenant-agnostic).
+ *
+ * ── Why this module exists (the framework↔tenant line) ───────────────────────
+ * Multi-layer RBAC role-bindings are framework MECHANISM, not tenant content. The
+ * kernel ships the engine (`identity::authz` — `PermissionState::bindings_for` +
+ * `effective_caps_for` + chain delegation + captured-deps) and the one shared
+ * `admit` gate resolves the DECLARED `.requires(cap, scopeFrom)` pre-condition
+ * against the folded permission projection. A tenant should therefore NOT
+ * re-implement grant/revoke/delegate — it should DECLARE its roles→capabilities
+ * (a `RoleCatalogue`) and its resource vocabulary, then USE these framework
+ * primitives to author the binding-leaf writes.
+ *
+ * This module is the DSL surface for that mechanism:
+ *   • `roleBindingSchema(resourceTypes)` — the stored binding-leaf shape (the
+ *     EXACT JSON the kernel `identity::authz::RoleBinding` parses out of the
+ *     `UserPermission.permissions` map);
+ *   • `userPermissionAggregate(resourceTypes)` — the per-user aggregate shape +
+ *     the `userPermissionsInstanceId`/`permissionId` deterministic id rules
+ *     (`user-permissions-<userId>`, `perm-<userId>-<resourceType>-<resourceId>`);
+ *   • `grant` / `revoke` / `delegate` / `revokeDelegation` — the four primitive
+ *     PLAN BUILDERS. Each takes a `scope = [resourceType, resourceId]` (the
+ *     framework's universal scope shape) + the actor/role/provenance and returns
+ *     the `PlannedOp[]` that write the SAME binding leaf the authz engine reads.
+ *   • `roleCatalogue(roles)` — the declaration helper a tenant uses to declare its
+ *     roles→capabilities (the `RoleCatalogue` the kernel resolves a `role` string
+ *     against; opaque to the framework — the framework provides the SHAPE, the
+ *     tenant the CONTENT).
+ *
+ * ── CRITICAL — the kernel-read wire shape is FROZEN (`authz.rs` reads it) ──────
+ * `identity::authz::PermissionState::bindings_for` reads JSON `RoleBinding` leaves
+ * out of `UserPermission.permissions` (a `MapOf`, keyed
+ * `user-permissions-<userId>`). The AUTHZ-RELEVANT fields the kernel parses are
+ * frozen — `permissionId / userId / resourceType / resourceId / role / status /
+ * grantedBy / grantedAt`, the revocation provenance (`revokedBy / revokedAt /
+ * revocationReason`), and the OPTIONAL delegation fields (`delegator / attenuation
+ * / expires`) which the kernel serde-defaults so a plain grant leaf is unchanged.
+ * The OPTIONAL book-keeping (`displayName / lastViewed / resourceCount`) is NOT in
+ * the kernel's `RoleBinding` struct — serde drops unknown leaf fields — so it is
+ * invisible to authz and free to use framework-generic names (`resourceCount` is
+ * the tenant-agnostic book-keeping count; a tenant maps its own domain noun onto
+ * it at the directive surface). This is a refactor of WHO authors the leaf, NOT a
+ * change to any field the kernel reads.
+ */
+import { z } from "zod";
+import { aggregate, instance, type AggregateHandle } from "../aggregate.js";
+import { t } from "../fields.js";
+import { Lww, MapOf } from "../drivers.js";
+import { set, setEntry, type PlannedOp } from "../ops.js";
+
+/** Permission lifecycle — the framework binding-status vocabulary. */
+export const PERMISSION_STATUSES = ["active", "revoked", "suspended"] as const;
+export type PermissionStatus = (typeof PERMISSION_STATUSES)[number];
+
+/**
+ * The framework binding-leaf schema, parameterised over a tenant's resource-type
+ * vocabulary. A binding is the `(actor, role, scope)` triple from
+ * identity-access §"Multi-layer RBAC", scope = `(resourceType, resourceId)`, plus
+ * provenance, optional book-keeping, and the optional delegation fields. This
+ * lowers to ONE JSON Str leaf (the kernel stores Str|Int leaves only — gap G2).
+ *
+ * `resourceTypes` is the tenant's enum; the framework does not fix it. The rest of
+ * the shape is framework-fixed because the kernel `authz.rs` `RoleBinding` parses
+ * it field-for-field.
+ */
+export function roleBindingSchema<const T extends readonly [string, ...string[]]>(
+  resourceTypes: T,
+) {
+  return z.object({
+    permissionId: z.string(),
+    userId: z.string(),
+    // scope = (resourceType, resourceId), the org→workspace→resource address.
+    resourceType: z.enum(resourceTypes),
+    resourceId: z.string(),
+    // role within that scope (a role = a capability set; resolved by the kernel
+    // authz slice against the tenant `RoleCatalogue`; opaque string here).
+    role: z.string(),
+    status: z.enum(PERMISSION_STATUSES),
+    grantedBy: z.string(),
+    grantedAt: z.string(),
+    // book-keeping (tenant `updatePermissionMetadata`): all optional.
+    displayName: z.string().optional(),
+    lastViewed: z.string().optional(),
+    resourceCount: z.number().int().optional(),
+    // revocation provenance, set when status flips to "revoked".
+    revokedBy: z.string().optional(),
+    revokedAt: z.string().optional(),
+    revocationReason: z.string().optional(),
+    // ── DELEGATION (identity-access §"delegated authority") ──
+    // `delegator` set ⇒ this binding is a DELEGATION (actor A handed a capability
+    // subset down to `userId`). Honoured only if A held those caps at the
+    // evaluation point-in-time (kernel `effective_caps_for` recurses to a
+    // delegator-less root). All three OPTIONAL so a plain grant leaf is unchanged.
+    delegator: z.string().optional(),
+    // the capability subset handed down (the attenuation ceiling).
+    attenuation: z.array(z.string()).optional(),
+    // point-in-time expiry (ISO/HLC string mirror).
+    expires: z.string().optional(),
+  });
+}
+
+/**
+ * The generic framework binding-leaf type. A tenant narrows `resourceType` via its
+ * own `roleBindingSchema(RESOURCE_TYPES)`; the framework primitives below accept a
+ * plain `string` resourceType (the tenant's enum is a subtype) so the mechanism is
+ * tenant-agnostic.
+ */
+export type FrameworkRoleBinding = {
+  permissionId: string;
+  userId: string;
+  resourceType: string;
+  resourceId: string;
+  role: string;
+  status: PermissionStatus;
+  grantedBy: string;
+  grantedAt: string;
+  displayName?: string;
+  lastViewed?: string;
+  resourceCount?: number;
+  revokedBy?: string;
+  revokedAt?: string;
+  revocationReason?: string;
+  delegator?: string;
+  attenuation?: string[];
+  expires?: string;
+};
+
+/**
+ * The per-user permissions aggregate SHAPE — framework mechanism. Wire id
+ * `UserPermission` matches the live aggregate type the kernel folds and
+ * `bindings_for` reads. Multi-instance, keyed `user-permissions-<userId>`.
+ *
+ *  - userId        Lww (identity)
+ *  - permissions   MapOf(Lww) — the map-of-driven role-binding entries; each value
+ *                  is a JSON-encoded binding (a `t.json` Str leaf), merged per-key
+ *                  by Lww (the closest-expressible map driver — gap G1)
+ *  - lastViewedAt  Lww (aggregate-level "last touched")
+ */
+export const userPermissionAggregate = aggregate("UserPermission", {
+  userId: t.string().merge(Lww),
+  permissions: t.map(t.json()).merge(MapOf(Lww)),
+  // The grant/ensure primitive folds ONLY userId + a permissions entry (writeBinding),
+  // never lastViewedAt — a freshly-ensured per-user record lacks it — OPTIONAL on
+  // the read type (read-decode gap).
+  lastViewedAt: t.string().merge(Lww).optional(),
+});
+export type UserPermissionAggregateHandle = typeof userPermissionAggregate;
+
+/**
+ * Deterministic per-user aggregate instance id — `user-permissions-<userId>`.
+ * Reproduces the Dart aggregate-id rule so two users' bindings fold into two
+ * distinct aggregates (never colliding on the shared type) and replay is stable.
+ */
+export function userPermissionsInstanceId(userId: string): string {
+  return `user-permissions-${userId}`;
+}
+
+/**
+ * Deterministic permission-id (map key) — `perm-<userId>-<resourceType>-<resourceId>`.
+ * Reproduces the Dart `execute()` rule so the same (user, scope) always maps to the
+ * same map key (kills the dup-grant re-dispatch class).
+ */
+export function permissionId(input: {
+  userId: string;
+  resourceType: string;
+  resourceId: string;
+}): string {
+  return `perm-${input.userId}-${input.resourceType}-${input.resourceId}`;
+}
+
+/**
+ * A framework scope: `[resourceType, resourceId]`. This is the universal scope the
+ * framework `grant`/`revoke`/`delegate` primitives take and the same shape a
+ * directive's `.requires(cap, p => [resourceType, resourceId])` derives so the
+ * authz gate checks the actor holds the capability at a covering scope.
+ */
+export type Scope = readonly [resourceType: string, resourceId: string];
+
+/** Bind the per-user aggregate handle to a concrete user instance. */
+function userInstance(userId: string) {
+  return instance(userPermissionAggregate, userPermissionsInstanceId(userId));
+}
+
+/**
+ * Strip `undefined`-valued keys so the JSON leaf is byte-stable (no `"k":null`,
+ * no `"k":undefined`-dropped key carrying a slot). Returns a `FrameworkRoleBinding`
+ * — the omitted-when-undefined optionals are exactly the schema's `.optional()`s.
+ */
+function compact(obj: Record<string, unknown>): FrameworkRoleBinding {
+  const out: Record<string, unknown> = {};
+  for (const [k, v] of Object.entries(obj)) {
+    if (v !== undefined) out[k] = v;
+  }
+  return out as FrameworkRoleBinding;
+}
+
+/** Common fields every grant-family primitive consumes. */
+interface BindingInput {
+  userId: string;
+  scope: Scope;
+  role: string;
+  grantedBy: string;
+  grantedAt: string;
+  displayName?: string | undefined;
+}
+
+/**
+ * Build a role-binding leaf for one (user, scope) pair. The single place the
+ * framework constructs the wire leaf the kernel `authz.rs` reads — every primitive
+ * routes through here so the shape can never drift.
+ */
+function buildBinding(
+  p: BindingInput & {
+    status: PermissionStatus;
+    revokedBy?: string | undefined;
+    revokedAt?: string | undefined;
+    revocationReason?: string | undefined;
+    delegator?: string | undefined;
+    attenuation?: string[] | undefined;
+    expires?: string | undefined;
+    lastViewed?: string | undefined;
+    resourceCount?: number | undefined;
+  },
+): { pid: string; binding: FrameworkRoleBinding } {
+  const [resourceType, resourceId] = p.scope;
+  const pid = permissionId({ userId: p.userId, resourceType, resourceId });
+  const binding = compact({
+    permissionId: pid,
+    userId: p.userId,
+    resourceType,
+    resourceId,
+    role: p.role,
+    status: p.status,
+    grantedBy: p.grantedBy,
+    grantedAt: p.grantedAt,
+    displayName: p.displayName,
+    lastViewed: p.lastViewed,
+    resourceCount: p.resourceCount,
+    revokedBy: p.revokedBy,
+    revokedAt: p.revokedAt,
+    revocationReason: p.revocationReason,
+    delegator: p.delegator,
+    attenuation: p.attenuation,
+    expires: p.expires,
+  });
+  return { pid, binding };
+}
+
+/**
+ * Lower a built binding to the `PlannedOp[]` for a per-user aggregate. `ensure`
+ * (the default) also writes the `userId` Set so the first grant materialises the
+ * aggregate (matching `EnsuresEntityPayload`); a plain status-flip (revoke) omits
+ * it (`ensure = false`) since the aggregate already exists.
+ */
+function writeBinding(
+  userId: string,
+  pid: string,
+  binding: FrameworkRoleBinding,
+  ensure = true,
+): PlannedOp[] {
+  const upa = userInstance(userId);
+  const ops: PlannedOp[] = [];
+  if (ensure) ops.push(set(upa, "userId", userId));
+  ops.push(setEntry(upa, "permissions", pid, JSON.stringify(binding)));
+  return ops;
+}
+
+/**
+ * grant — the framework PRIMITIVE: write one ACTIVE role-binding for `userId` at
+ * `scope`. The collapse target of a tenant grant-family directive (the scope's
+ * `resourceType` is fixed per tenant directive). Ensures the per-user aggregate.
+ */
+export function grant(p: BindingInput): PlannedOp[] {
+  const { pid, binding } = buildBinding({ ...p, status: "active" });
+  return writeBinding(p.userId, pid, binding, true);
+}
+
+/**
+ * revoke — the framework PRIMITIVE: flip the binding at `scope` to `status:revoked`
+ * (an Lww write over the SAME map entry — gap G1: ideally remove-wins). Re-authors
+ * the full leaf since a JSON leaf is replaced wholesale by Lww.
+ */
+export function revoke(
+  p: BindingInput & {
+    revokedBy: string;
+    revokedAt: string;
+    reason?: string | undefined;
+  },
+): PlannedOp[] {
+  const { pid, binding } = buildBinding({
+    ...p,
+    status: "revoked",
+    revokedBy: p.revokedBy,
+    revokedAt: p.revokedAt,
+    revocationReason: p.reason,
+  });
+  return writeBinding(p.userId, pid, binding, false);
+}
+
+/**
+ * delegate — the framework PRIMITIVE: actor `delegatedBy` (A) hands a capability
+ * subset down to `userId` (B) at `scope`, writing a `delegator`-stamped, attenuated
+ * ACTIVE binding into B's per-user map. Mirrors `grant`'s write shape but the leaf
+ * carries `delegator`/`attenuation`/`expires`. Self-authenticating (A signs the
+ * authoring intent); honoured only if A held the caps point-in-time (kernel
+ * `effective_caps_for`). Ensures B's aggregate.
+ */
+export function delegate(p: {
+  userId: string;
+  scope: Scope;
+  role: string;
+  attenuation: string[];
+  delegatedBy: string;
+  grantedAt: string;
+  expires?: string | undefined;
+  displayName?: string | undefined;
+}): PlannedOp[] {
+  const { pid, binding } = buildBinding({
+    userId: p.userId,
+    scope: p.scope,
+    role: p.role,
+    grantedBy: p.delegatedBy,
+    grantedAt: p.grantedAt,
+    status: "active",
+    delegator: p.delegatedBy,
+    attenuation: p.attenuation,
+    expires: p.expires,
+    displayName: p.displayName,
+  });
+  return writeBinding(p.userId, pid, binding, true);
+}
+
+/**
+ * revokeDelegation — the framework PRIMITIVE: flip a delegated binding to revoked
+ * (an Lww write over the SAME entry, like `revoke`, but carrying the
+ * `delegator`/`attenuation` provenance). Revoking the DELEGATOR's ROOT binding (a
+ * plain `revoke`) is the load-bearing case — the chained delegate loses its caps
+ * point-in-time via the fold with NO propagation; this is the symmetric surface
+ * for revoking a delegated leaf directly. Mutates (the aggregate exists).
+ */
+export function revokeDelegation(p: {
+  userId: string;
+  scope: Scope;
+  role: string;
+  attenuation: string[];
+  delegatedBy: string;
+  grantedAt: string;
+  revokedBy: string;
+  revokedAt: string;
+  reason?: string | undefined;
+}): PlannedOp[] {
+  const { pid, binding } = buildBinding({
+    userId: p.userId,
+    scope: p.scope,
+    role: p.role,
+    grantedBy: p.delegatedBy,
+    grantedAt: p.grantedAt,
+    status: "revoked",
+    delegator: p.delegatedBy,
+    attenuation: p.attenuation,
+    revokedBy: p.revokedBy,
+    revokedAt: p.revokedAt,
+    revocationReason: p.reason,
+  });
+  return writeBinding(p.userId, pid, binding, false);
+}
+
+/**
+ * updateMetadata — the framework PRIMITIVE for the book-keeping write
+ * (`lastViewed`/`resourceCount`/`displayName`) on an existing ACTIVE binding, plus the
+ * aggregate-level `lastViewedAt`. NOT authz (it never changes role/scope/status) —
+ * a tenant wraps it as its own directive (e.g. `updatePermissionMetadata`).
+ */
+export function updateMetadata(
+  p: BindingInput & {
+    lastViewed?: string | undefined;
+    resourceCount?: number | undefined;
+  },
+): PlannedOp[] {
+  const { pid, binding } = buildBinding({
+    ...p,
+    status: "active",
+    lastViewed: p.lastViewed,
+    resourceCount: p.resourceCount,
+  });
+  const ops = writeBinding(p.userId, pid, binding, false);
+  if (p.lastViewed !== undefined) {
+    ops.push(set(userInstance(p.userId), "lastViewedAt", p.lastViewed));
+  }
+  return ops;
+}
+
+/**
+ * A tenant `RoleCatalogue` declaration: `role → capability set` (the directive
+ * names a role grants). This is the SHAPE the kernel `identity::authz::RoleCatalogue`
+ * (a `BTreeMap<String, BTreeSet<Capability>>`) resolves a binding's `role` string
+ * against. The framework provides the declaration HELPER + type; the tenant
+ * supplies the CONTENT (its roles, its capabilities). Capabilities are directive
+ * names (a directive's name IS its capability — the `.requires(cap)` convention).
+ */
+export type RoleCatalogue = Readonly<Record<string, readonly string[]>>;
+
+/**
+ * Declare a tenant `RoleCatalogue`. Pure passthrough that brands the shape + freezes
+ * it so a tenant declares `roleCatalogue({ siteAdmin: ["grantSiteAccess", …] })`
+ * once and the framework/kernel resolve a `role` against it. Tenant-agnostic: the
+ * framework fixes the SHAPE, never the roles.
+ */
+export function roleCatalogue<const C extends RoleCatalogue>(roles: C): C {
+  return Object.freeze({ ...roles }) as C;
+}

package/src/framework/repair.ts

@@ -0,0 +1,150 @@
+// NOMOS — Nomos Sovereign: participants act · verify · remember LOCALLY; hosted
+// remotes are replaceable custody/transport, not truth.  ⇒ ONE Nomos GitHolon
+// wasm32-wasip1 artifact {kernel · projection · embedded
+// QuickJS engine} on V8 + WASI-shim, byte-identical everywhere.  V8 = portability; the one
+// wasm = determinism.  No native, no wasmtime, no 2nd artifact, no domain-JS on bare V8.
+// If a file isn't this / hosting this / authoring for this / proving this — it's gone.
+
+/**
+ * framework/repair.ts — the REPAIR surface as a tenant-style Nomos domain (#260 Stage 2).
+ *
+ * ── Why this module exists ──────────────────────────────────────────────────
+ * "Nomos is powerful enough to define its own repair surface as a Nomos domain"
+ * (Jack 2026-06-05, TARGET_repair.dot). The dogfood proof: repair intents go through
+ * THE ONE GATE — no bespoke crate, no AssumeVerified, no 2nd write path. This is Stage
+ * 2 (the `revert` directive); supersede / upcast / drain are later stages.
+ *
+ * ── The RepairRecord aggregate ──────────────────────────────────────────────
+ * A `revert` is an ACCOUNTABLE act: it leaves an immutable audit record (RepairRecord)
+ * in the ledger so every repair is traceable — who struck what, why, and when. This
+ * aggregate also satisfies the directive builder's mandatory aggregate-marker
+ * requirement (a strike-only directive has no aggregate to `.creates`/`.mutates` unless
+ * we supply one — the audit record is the natural candidate).
+ *
+ * ── The `revert` directive ──────────────────────────────────────────────────
+ * `revert` is the KEYSTONE (#260 Stage 2):
+ *  • `.creates(RepairRecord)` — keyed by a KERNEL-MINTED `recordId`
+ *    (`RepairRecord_<uuidv7>`). The kernel mints it (the marker-driven front-door),
+ *    captures it, and commits it; replay reads the captured id (idempotent by
+ *    capture, never re-minted). There is no peer-supplied id — every peer runs the
+ *    same kernel and the id-mint gate verifies the minted shape on admit.
+ *  • `.plan(...)` returns BOTH `strike(p.target)` AND the audit `set(...)` ops
+ *    in one `PlannedOp[]` — one atomic intent carrying both channels.
+ *  • The `strike(target)` op flows through the engine plan output (`{events, strikes}`)
+ *    so it is VERIFIED at the gate — never a forgeable, out-of-band retraction
+ *    (determinism law, ops.ts: "the strike flows through the verified plan output").
+ *
+ * ── Scope (Stage 2 only — do NOT add supersede / upcast / drain here) ──────
+ * supersede needs policy-control event shapes; upcast is an on-read migration;
+ * drain is a re-dispatch. All are later stages (TARGET_repair.dot build order §2-5).
+ */
+import { z } from "zod";
+import { aggregate, instance } from "../aggregate.js";
+import { t } from "../fields.js";
+import { Lww } from "../drivers.js";
+import { directive } from "../directive.js";
+import { set, strike } from "../ops.js";
+
+// ── The repair-kind vocabulary (Stage 2: "revert" only; expand later) ───────
+
+/** The known repair operations. Stage 2 carries only `"revert"`. */
+// `revert` = a pure strikeout (generic, framework-only). `replace` = strikeout PLUS
+// corrected events — only expressible in a COMPOSED domain (e.g. tenant_repairs = repair ⊕ tenant),
+// because the corrected events are in the TENANT's vocabulary. The repair domain owns the
+// kind vocabulary + the audit record; a composed domain authors the replace directive.
+export const REPAIR_KINDS = ["revert", "replace"] as const;
+export type RepairKind = (typeof REPAIR_KINDS)[number];
+
+// ── RepairRecord aggregate ──────────────────────────────────────────────────
+
+/**
+ * The RepairRecord aggregate — the immutable audit log of a repair act.
+ *
+ * Every repair is a RECORDED, ACCOUNTABLE act: the record carries WHO struck WHAT,
+ * WHY, and WHEN — so the ledger history is never silently mutated. This serves two
+ * purposes:
+ *
+ *  1. AUDIT. A struck intent (e.g. a bad move) is retracted from the fold, but the
+ *     RepairRecord survives as evidence that the retraction happened, authorised by
+ *     whom, and for what reason. Operators can query "who reverted what".
+ *
+ *  2. DIRECTIVE MARKER. The DSL directive builder requires every directive to carry
+ *     a `.creates` or `.mutates` marker (the referential-marker invariant). A
+ *     pure `strike`-only directive (no field ops) has no natural aggregate to create
+ *     or mutate. RepairRecord IS that aggregate — a create keyed by a KERNEL-MINTED
+ *     `recordId` (idempotent on replay by capture, like every create).
+ *
+ * Fields are all Lww (the "immutable-after-create" gap, same as identity.ts NOTE 1a):
+ * a RepairRecord should never be rewritten, but there is no `immutableAfterCreate`
+ * driver yet — Lww is the safe fallback (a re-author merely converges, never corrupts).
+ */
+export const RepairRecord = aggregate("RepairRecord", {
+  /** The aggregate instance id — a KERNEL-MINTED `RepairRecord_<uuidv7>`. */
+  recordId: t.string().merge(Lww),
+  /** The kind of repair (Stage 2: "revert" only). */
+  kind: t.enum(REPAIR_KINDS).merge(Lww),
+  /** The id of the struck intent — the target of the retraction. */
+  target: t.string().merge(Lww),
+  /** Human-readable reason for the repair (audit trail). */
+  reason: t.string().merge(Lww),
+  /** Who authored the repair (actor id / display name). */
+  revertedBy: t.string().merge(Lww),
+  /** Epoch-ms the repair was authored. */
+  revertedAt: t.int().merge(Lww),
+});
+
+// ── `revert` directive ──────────────────────────────────────────────────────
+
+/**
+ * `revert` — the keystone directive of the repair domain.
+ *
+ * Lowers to a `WireIntent` carrying BOTH channels in one atomic commit:
+ *   • `strikes = [p.target]`      — the kernel strikeout (folded by parity; parity-even
+ *                                    is a redo). Verified at the gate: the engine
+ *                                    re-derives the strike from the plan, so it is
+ *                                    IMPOSSIBLE to forge.
+ *   • `events = [RepairRecord]`   — the Create of the audit record, keyed by a
+ *                                    KERNEL-MINTED `recordId` (`RepairRecord_<uuidv7>`),
+ *                                    minted by the marker-driven front-door, captured +
+ *                                    committed (idempotent on replay by capture).
+ *
+ * The `recordId` is KERNEL-MINTED — there is no peer-supplied id. Every peer runs the
+ * same deterministic kernel; the kernel mints the id from a host-injected entropy
+ * capability whose draw is captured into the ledger, and the id-mint gate verifies the
+ * minted shape + type tag on admit (the same path every create takes).
+ */
+export const revert = directive("revert")
+  .creates(RepairRecord)
+  .payload(
+    z.object({
+      /** The RepairRecord instance id — a KERNEL-MINTED `RepairRecord_<uuidv7>`. */
+      recordId: z.string(),
+      /** The intent id to retract (strike). */
+      target: z.string(),
+      /** Human-readable reason (audit). */
+      reason: z.string(),
+      /** Who is performing the repair. */
+      revertedBy: z.string(),
+      /** Epoch-ms of authorship (captured deterministically). */
+      revertedAt: z.number().int(),
+    }),
+  )
+  .plan((p) => {
+    // Key the RepairRecord by its KERNEL-MINTED `recordId` (idempotent on replay by
+    // capture). instance(RepairRecord, recordId) → the create's `__id` (the marker-driven
+    // front-door mints this id; the gate verifies its shape + type tag on admit).
+    const rec = instance(RepairRecord, p.recordId);
+    return [
+      // CHANNEL 1: the strikeout — retract the target intent.
+      // `strike(target)` routes onto WireIntent.strikes (via lower.ts partition);
+      // the engine emits the {events, strikes} object so the gate can verify it.
+      strike(p.target),
+      // CHANNEL 2: the audit record — immutable log of this repair act.
+      set(rec, "recordId", p.recordId),
+      set(rec, "kind", "revert"),
+      set(rec, "target", p.target),
+      set(rec, "reason", p.reason),
+      set(rec, "revertedBy", p.revertedBy),
+      set(rec, "revertedAt", p.revertedAt),
+    ];
+  });