@kungfu-tech/kfd 1.0.0-alpha.2 → 1.0.0-alpha.20
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.buildchain/kfd-1/contract-world.witness.json +753 -0
- package/.buildchain/kfd-2/kfd-foundation.trust-assessment.json +238 -0
- package/.buildchain/kfd-2/kfd-foundation.trust-claims.json +225 -0
- package/.buildchain/kfd-2/public-release-trust.claim.json +131 -0
- package/.buildchain/kfd-3/collaboration-interface.artifact.json +774 -0
- package/.buildchain/kfd-3/collaboration-interface.json +421 -0
- package/.buildchain/kfd-3/collaboration-interface.prebuild.json +1141 -0
- package/README.md +149 -29
- package/TRADEMARKS.md +60 -0
- package/buildchain.contract-lock.json +86 -0
- package/buildchain.release-propagation.json +32 -0
- package/decisions/{kfd-1.md → KFD-1.md} +77 -35
- package/decisions/{kfd-2.md → KFD-2.md} +63 -11
- package/decisions/{kfd-3.md → KFD-3.md} +54 -16
- package/decisions/KFD-4.md +182 -0
- package/docs/KFD-1-usage.md +37 -0
- package/docs/KFD-2-usage.md +123 -0
- package/docs/KFD-3-usage.md +98 -0
- package/docs/KFD-4-usage.md +31 -0
- package/docs/MAP.md +20 -3
- package/docs/release-governance.md +28 -0
- package/kfd.release.json +13 -0
- package/package.json +28 -2
- package/registry.json +15 -5
- package/release-impact.json +113 -0
- package/schemas/kfd-1/contract-world.schema.json +67 -4
- package/schemas/kfd-1/witness.schema.json +113 -0
- package/schemas/kfd-2/release-claims.schema.json +331 -0
- package/schemas/kfd-2/release-trust-passport.schema.json +276 -0
- package/schemas/kfd-2/trust-assessment.schema.json +313 -0
- package/schemas/kfd-2/trust-claims.schema.json +334 -0
- package/schemas/kfd-2/trust-taxonomy.schema.json +219 -0
- package/schemas/kfd-3/collaboration-interface.schema.json +542 -0
- package/schemas/kfd-3/witness.schema.json +167 -0
- package/schemas/kfd-4/observer-perspective.schema.json +272 -0
- package/schemas/kfd-standards.schema.json +163 -0
- package/scripts/check.mjs +930 -0
- package/scripts/npm-publish-transaction.mjs +220 -0
- package/scripts/update-kfd-1-witness.mjs +35 -0
- package/scripts/update-kfd-2-claim.mjs +304 -0
- package/scripts/update-kfd-3-witness.mjs +261 -0
- package/scripts/update-site-bundle.mjs +353 -0
- package/site/kfd-site.json +251 -12
- package/standards.json +775 -15
|
@@ -7,6 +7,8 @@
|
|
|
7
7
|
|
|
8
8
|
## One sentence
|
|
9
9
|
|
|
10
|
+
Trust must start from facts.
|
|
11
|
+
|
|
10
12
|
A product must not ask users or agents to trust important claims before the
|
|
11
13
|
relevant facts are inspectable, local where possible, and connected to
|
|
12
14
|
responsibility state.
|
|
@@ -19,8 +21,11 @@ KFDs can be principles or procedures:
|
|
|
19
21
|
products, repositories, and release lines change.
|
|
20
22
|
- A **procedure** states how a class of work enforces or protects a principle.
|
|
21
23
|
|
|
22
|
-
This KFD is a principle. KFD-1 is
|
|
23
|
-
|
|
24
|
+
This KFD is a principle. KFD-1 is the procedure that keeps the fact sources
|
|
25
|
+
under this principle from drifting. KFD-3 is the principle that governs how
|
|
26
|
+
humans and agents cooperate once facts and trust are visible. KFD-4 is a
|
|
27
|
+
procedure whose observer-perspective claims can also be assessed under this
|
|
28
|
+
principle.
|
|
24
29
|
|
|
25
30
|
## Foundation role
|
|
26
31
|
|
|
@@ -31,9 +36,13 @@ trust must start from facts
|
|
|
31
36
|
```
|
|
32
37
|
|
|
33
38
|
KFD-2 says Kungfu products should not ask users or agents to trust a claim
|
|
34
|
-
before the product has made the relevant facts inspectable. KFD-1 protects
|
|
35
|
-
|
|
36
|
-
human or agent who must understand and act on those facts.
|
|
39
|
+
before the product has made the relevant facts inspectable. KFD-1 protects the
|
|
40
|
+
non-drifting fact source those claims stand on. KFD-3 protects the relationship
|
|
41
|
+
with the human or agent who must understand and act on those facts.
|
|
42
|
+
|
|
43
|
+
KFD-2 is not a checker for only one other KFD. It is the generic trust
|
|
44
|
+
adjudication layer for any KFD claim, product claim, artifact claim, control
|
|
45
|
+
surface claim, or release claim that asks a human or agent to rely on it.
|
|
37
46
|
|
|
38
47
|
## Principle
|
|
39
48
|
|
|
@@ -68,6 +77,27 @@ leaves enough evidence for later review.
|
|
|
68
77
|
- Hosted or cloud convenience may add synchronization, storage, compute, and
|
|
69
78
|
collaboration, but it must not become the only place where the truth exists.
|
|
70
79
|
|
|
80
|
+
## Generic trust assessment model
|
|
81
|
+
|
|
82
|
+
Every KFD-2 trust assessment starts from a claim. The claim may be about a
|
|
83
|
+
release, but it may also be about a contract world, a collaboration interface,
|
|
84
|
+
an observer perspective, a config surface, an API, an ABI, a GUI surface, a
|
|
85
|
+
runtime fact, documentation, or another product surface.
|
|
86
|
+
|
|
87
|
+
A claim is trustable only when the assessment can state:
|
|
88
|
+
|
|
89
|
+
- what the claim is about;
|
|
90
|
+
- which facts the claim binds to;
|
|
91
|
+
- which evidence was checked;
|
|
92
|
+
- what can be machine verified;
|
|
93
|
+
- what remains a residual risk;
|
|
94
|
+
- who owns source facts, verification, and the trust decision;
|
|
95
|
+
- whether the result is pass, warning, fail, or unverifiable.
|
|
96
|
+
|
|
97
|
+
This model is intentionally general. KFD-1, KFD-3, KFD-4, and future KFDs can
|
|
98
|
+
provide claims that KFD-2 assesses. Release trust passports are one projection
|
|
99
|
+
of this model, not the model itself.
|
|
100
|
+
|
|
71
101
|
## What it does not require
|
|
72
102
|
|
|
73
103
|
- It does not require every product to be a journal engine or runtime ledger.
|
|
@@ -81,14 +111,15 @@ leaves enough evidence for later review.
|
|
|
81
111
|
|
|
82
112
|
## Relation to KFD-1
|
|
83
113
|
|
|
84
|
-
KFD-1 is a procedure. It
|
|
85
|
-
contract
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
state to proof-backed decision.
|
|
114
|
+
KFD-1 is a procedure. It defines what can count as a load-bearing fact source:
|
|
115
|
+
facts must not drift from the contract world that declares them. KFD-2 is the
|
|
116
|
+
next layer: once facts are non-drifting and inspectable, trust claims must be
|
|
117
|
+
bound to those facts and to responsibility state.
|
|
89
118
|
|
|
90
119
|
KFD-2 does not supersede KFD-1. KFD-1 remains active and is one concrete
|
|
91
|
-
procedure that implements KFD-2
|
|
120
|
+
procedure that implements KFD-2 wherever trust depends on contract worlds,
|
|
121
|
+
release evidence, fact ledgers, agent control panes, extension gates, hosted
|
|
122
|
+
surfaces, schemas, configs, or package metadata.
|
|
92
123
|
|
|
93
124
|
## Supersession rule
|
|
94
125
|
|
|
@@ -98,6 +129,27 @@ explicitly and the registry records the affected decision. Two active KFDs that
|
|
|
98
129
|
conflict without an explicit supersession relationship are a registry defect,
|
|
99
130
|
not an invitation to pick the newer text silently.
|
|
100
131
|
|
|
132
|
+
## Implementation case: the KFD package
|
|
133
|
+
|
|
134
|
+
The `@kungfu-tech/kfd` npm package is a self-proof case for this principle.
|
|
135
|
+
It does not ask humans or agents to trust the KFD registry only because the
|
|
136
|
+
README says so. It publishes inspectable facts: decision documents,
|
|
137
|
+
`registry.json`, `standards.json`, JSON schemas, document hashes, release-impact
|
|
138
|
+
metadata, and conformance checks.
|
|
139
|
+
|
|
140
|
+
KFD-2 also owns the trust taxonomy used by release claims, release trust
|
|
141
|
+
passports, KFD-3 witnesses, and generic trust assessments. Unknown
|
|
142
|
+
residual-risk or trust-downgrade values fail validation until KFD records them
|
|
143
|
+
in `schemas/kfd-2/trust-taxonomy.schema.json`. When an agent needs a new value,
|
|
144
|
+
the declared extension path is to open an issue in
|
|
145
|
+
`https://github.com/kungfu-systems/kfd` rather than inventing a private value.
|
|
146
|
+
|
|
147
|
+
The package dogfoods this model through
|
|
148
|
+
`.buildchain/kfd-2/kfd-foundation.trust-claims.json` and
|
|
149
|
+
`.buildchain/kfd-2/kfd-foundation.trust-assessment.json`. Those files assess
|
|
150
|
+
KFD-1's contract-world claim, KFD-3's collaboration-interface claim, and KFD-4's
|
|
151
|
+
observer-perspective claim through the same KFD-2 structure.
|
|
152
|
+
|
|
101
153
|
## Adopters
|
|
102
154
|
|
|
103
155
|
Each adopting repository cites this KFD when designing or changing a fact
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
# KFD-3: Cooperation must start from
|
|
1
|
+
# KFD-3: Cooperation must start from trusted value — compliance must not be coerced
|
|
2
2
|
|
|
3
3
|
- Status: active
|
|
4
4
|
- Number: 3
|
|
@@ -7,10 +7,12 @@
|
|
|
7
7
|
|
|
8
8
|
## One sentence
|
|
9
9
|
|
|
10
|
+
Cooperation must start from trusted value.
|
|
11
|
+
|
|
10
12
|
A product must not obtain cooperation through pressure, manipulation, hidden
|
|
11
|
-
control, or forced workflow capture. It must make value, choices, and
|
|
12
|
-
constraints
|
|
13
|
-
and cooperate.
|
|
13
|
+
control, or forced workflow capture. It must make facts, value, choices, and
|
|
14
|
+
constraints transparent enough for intelligent participants to trust what is
|
|
15
|
+
being offered, understand the available path, decide, and cooperate.
|
|
14
16
|
|
|
15
17
|
## Decision type
|
|
16
18
|
|
|
@@ -28,11 +30,12 @@ kungfu-systems takes toward humans and agents as reasoning participants.
|
|
|
28
30
|
Within the KFD-1/2/3 foundation, this is the relationship path:
|
|
29
31
|
|
|
30
32
|
```text
|
|
31
|
-
cooperation must start from
|
|
33
|
+
cooperation must start from trusted value
|
|
32
34
|
```
|
|
33
35
|
|
|
34
36
|
KFD-2 protects the truth path: show facts before asking for trust. KFD-3
|
|
35
|
-
protects the relationship path:
|
|
37
|
+
protects the relationship path: make value transparent enough to be trusted
|
|
38
|
+
before asking for cooperation.
|
|
36
39
|
|
|
37
40
|
## Principle
|
|
38
41
|
|
|
@@ -58,7 +61,7 @@ The default product path should therefore follow this chain:
|
|
|
58
61
|
|
|
59
62
|
```text
|
|
60
63
|
transparent facts
|
|
61
|
-
->
|
|
64
|
+
-> trusted value
|
|
62
65
|
-> stable choice
|
|
63
66
|
-> explainable constraint
|
|
64
67
|
-> voluntary cooperation
|
|
@@ -83,7 +86,7 @@ Products may recommend a path, refuse unsafe actions, or require explicit
|
|
|
83
86
|
approval. They should not pretend that forced compliance is the same as
|
|
84
87
|
understanding or trust.
|
|
85
88
|
|
|
86
|
-
### 2. Make value
|
|
89
|
+
### 2. Make value trusted through transparent facts
|
|
87
90
|
|
|
88
91
|
Humans and agents should be able to discover what the product can do, why it is
|
|
89
92
|
useful, what it observed, what it changed, and what boundary applies without
|
|
@@ -91,7 +94,15 @@ needing oral context, private maintainer memory, or web-only documentation.
|
|
|
91
94
|
|
|
92
95
|
Agent-facing surfaces should expose local, versioned, machine-readable and
|
|
93
96
|
human-readable facts wherever possible. A capable agent should be able to learn
|
|
94
|
-
the product's value
|
|
97
|
+
the product's value, and why that value can be trusted, by inspecting the
|
|
98
|
+
product's own facts and commands.
|
|
99
|
+
|
|
100
|
+
Trusted value is therefore not only a product promise or persuasive sentence.
|
|
101
|
+
A collaboration interface should bind important value claims to explicit value
|
|
102
|
+
evidence: the facts that make the value claim inspectable, the artifacts or
|
|
103
|
+
checks that prove those facts are present, and the KFD-2 trust assessment or
|
|
104
|
+
residual-risk state that tells participants how much weight to place on the
|
|
105
|
+
claim.
|
|
95
106
|
|
|
96
107
|
### 3. Use constraints as transparent safety, not hidden control
|
|
97
108
|
|
|
@@ -140,9 +151,10 @@ how it can be changed, escalated, or revoked when appropriate
|
|
|
140
151
|
- It does not turn a private founder narrative into a public repository rule.
|
|
141
152
|
This public rule is about product stance, adoption, safety, and cooperation
|
|
142
153
|
with intelligent participants.
|
|
143
|
-
- It does not supersede KFD-2. Facts and responsibility still come first;
|
|
144
|
-
|
|
145
|
-
|
|
154
|
+
- It does not supersede KFD-2. Facts and responsibility still come first;
|
|
155
|
+
transparent value is the route by which value becomes trusted, not a
|
|
156
|
+
substitute for trust. This KFD states how those facts and values should be
|
|
157
|
+
presented to humans and agents without coercion.
|
|
146
158
|
|
|
147
159
|
## Relation to KFD-2
|
|
148
160
|
|
|
@@ -151,12 +163,38 @@ KFD-3 says the path of least resistance should not be built from pressure or
|
|
|
151
163
|
hidden control. Together:
|
|
152
164
|
|
|
153
165
|
```text
|
|
154
|
-
KFD-
|
|
155
|
-
KFD-
|
|
166
|
+
KFD-1: facts must not drift.
|
|
167
|
+
KFD-2: trust must start from facts.
|
|
168
|
+
KFD-3: cooperation must start from trusted value.
|
|
156
169
|
```
|
|
157
170
|
|
|
158
|
-
KFD-
|
|
159
|
-
intelligent participant who must
|
|
171
|
+
KFD-1 protects the fact-source layer. KFD-2 protects the trust layer. KFD-3
|
|
172
|
+
protects the relationship with the intelligent participant who must decide
|
|
173
|
+
whether the offered value is trustworthy enough to walk that path.
|
|
174
|
+
|
|
175
|
+
In machine-readable profiles, this means KFD-3 collaboration interfaces should
|
|
176
|
+
not merely list surfaces and constraints. They should also declare value
|
|
177
|
+
evidence that can be evaluated through the KFD-2 trust model. KFD-2 can then
|
|
178
|
+
say which parts are machine-checkable, which parts remain semantic residual
|
|
179
|
+
risk, and what an agent should do next.
|
|
180
|
+
|
|
181
|
+
## Implementation case: the KFD package
|
|
182
|
+
|
|
183
|
+
The `@kungfu-tech/kfd` npm package is a self-proof case for this principle.
|
|
184
|
+
Its README gives humans and agents the same quickstart path. `standards.json`
|
|
185
|
+
gives stable standard identity, schema IDs, and concept names. The KFD-3
|
|
186
|
+
schemas define collaboration interfaces, witnesses, and extension requests, so
|
|
187
|
+
an agent can discover both the valid interface and the standard path for asking
|
|
188
|
+
to extend it. The KFD-3 collaboration interface also declares value evidence
|
|
189
|
+
that points to KFD-owned facts, package surfaces, and the KFD-2 generic trust
|
|
190
|
+
assessment, so an agent can inspect why KFD's claimed value is trustable before
|
|
191
|
+
cooperating.
|
|
192
|
+
|
|
193
|
+
For example, if an agent needs a KFD-2 trust-taxonomy value that does not
|
|
194
|
+
exist, the KFD-3 collaboration path is not hidden maintainer pressure or local
|
|
195
|
+
invention. The declared path is a visible GitHub issue in the KFD repository,
|
|
196
|
+
where the new value can be reviewed and, if accepted, added to the KFD-owned
|
|
197
|
+
taxonomy for everyone.
|
|
160
198
|
|
|
161
199
|
## Adopters
|
|
162
200
|
|
|
@@ -0,0 +1,182 @@
|
|
|
1
|
+
# KFD-4: Timelines must declare their observer — useful views need a stated perspective
|
|
2
|
+
|
|
3
|
+
- Status: active
|
|
4
|
+
- Number: 4
|
|
5
|
+
- Kind: procedure
|
|
6
|
+
- Applies to: every kungfu-systems product, repository, release surface, extension surface, hosted surface, and agent-facing interface that represents time, ordering, history, timelines, sync, replay, or mixed-source work facts
|
|
7
|
+
|
|
8
|
+
## One sentence
|
|
9
|
+
|
|
10
|
+
Timelines must declare their observer.
|
|
11
|
+
|
|
12
|
+
A product must not present a mixed-source ordering as an absolute view from
|
|
13
|
+
nowhere. A useful view of reality must state who is observing, which facts were
|
|
14
|
+
accepted, and how concurrent facts were projected.
|
|
15
|
+
|
|
16
|
+
## Decision type
|
|
17
|
+
|
|
18
|
+
KFDs can be principles or procedures:
|
|
19
|
+
|
|
20
|
+
- A **principle** states what must remain true across kungfu-systems even as
|
|
21
|
+
products, repositories, and release lines change.
|
|
22
|
+
- A **procedure** states how a class of work enforces or protects a principle.
|
|
23
|
+
|
|
24
|
+
This KFD is a procedure. It is not a fourth foundation principle beside
|
|
25
|
+
KFD-1/2/3. It is the first practice guideline derived from the foundation
|
|
26
|
+
triad: once facts are non-drifting, trust starts from facts, and cooperation
|
|
27
|
+
starts from trusted value, a product still has to say from which perspective a
|
|
28
|
+
time-ordered view is being offered.
|
|
29
|
+
|
|
30
|
+
## Practice role
|
|
31
|
+
|
|
32
|
+
Within the KFD structure, KFD-1/2/3 form the foundation:
|
|
33
|
+
|
|
34
|
+
```text
|
|
35
|
+
facts must not drift
|
|
36
|
+
-> trust must start from facts
|
|
37
|
+
-> cooperation must start from trusted value
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
KFD-4 applies that foundation to perspective, ordering, and action. It answers
|
|
41
|
+
this practice question:
|
|
42
|
+
|
|
43
|
+
```text
|
|
44
|
+
In a complex world, from which declared perspective is this view useful,
|
|
45
|
+
stable, and trustworthy?
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
## Procedure
|
|
49
|
+
|
|
50
|
+
When a product combines facts from multiple machines, agents, processes,
|
|
51
|
+
sessions, sources, repositories, providers, or external systems, it should
|
|
52
|
+
treat the visible timeline as an observer-relative projection over accepted
|
|
53
|
+
facts, not as a claim that the product has found one absolute global clock.
|
|
54
|
+
|
|
55
|
+
The authoritative record should be facts and evidence:
|
|
56
|
+
|
|
57
|
+
- source-local records and their local order;
|
|
58
|
+
- provenance for source, participant, location, session, run, or adapter;
|
|
59
|
+
- accepted ranges, heads, cursors, watermarks, and capture boundaries;
|
|
60
|
+
- causal links between observations, decisions, actions, and results;
|
|
61
|
+
- payload hashes, schema bindings, receipts, redaction states, and verification
|
|
62
|
+
results.
|
|
63
|
+
|
|
64
|
+
The visible timeline is a view over those facts. Its perspective must be
|
|
65
|
+
declared enough that another human or agent can reproduce the same view from
|
|
66
|
+
the same accepted facts.
|
|
67
|
+
|
|
68
|
+
## What a declared perspective should include
|
|
69
|
+
|
|
70
|
+
A perspective-bearing timeline should identify, where applicable:
|
|
71
|
+
|
|
72
|
+
- the observer or observer location whose view is being presented;
|
|
73
|
+
- the accepted fact sources, ranges, watermarks, and freshness boundaries;
|
|
74
|
+
- the projection policy version;
|
|
75
|
+
- the ordering rule for concurrent or causally unrelated facts;
|
|
76
|
+
- the deterministic tie-breaker used when policy and source-local order are not
|
|
77
|
+
enough;
|
|
78
|
+
- the degraded state when causality, payloads, schemas, accepted ranges, or
|
|
79
|
+
freshness are incomplete.
|
|
80
|
+
|
|
81
|
+
Causal facts dominate projection policy. A product may order concurrent facts
|
|
82
|
+
by observer policy, source priority, or deterministic tie-breaker, but it must
|
|
83
|
+
not invert a known causal dependency. If it cannot produce a valid total order
|
|
84
|
+
without hiding missing causality or missing evidence, it should report a
|
|
85
|
+
degraded view rather than silently sorting by wall-clock time.
|
|
86
|
+
|
|
87
|
+
## What it requires
|
|
88
|
+
|
|
89
|
+
- GUI, CLI, API, export, and agent-facing timeline surfaces should make the
|
|
90
|
+
observer or projection policy inspectable when they mix sources.
|
|
91
|
+
- Wall-clock time may be used for display, latency, diagnostics, and
|
|
92
|
+
source-local ordering, but it must not be the only proof of cross-source
|
|
93
|
+
order.
|
|
94
|
+
- Exported bundles that claim a timeline order should carry enough perspective
|
|
95
|
+
metadata for another consumer to reproduce that order.
|
|
96
|
+
- Storage and sync systems should preserve source provenance, accepted ranges,
|
|
97
|
+
and causal links rather than flattening remote facts into anonymous local
|
|
98
|
+
records.
|
|
99
|
+
- Fsck, release gates, or other verification systems should eventually be able
|
|
100
|
+
to check that a projected view does not contradict known facts, invert known
|
|
101
|
+
causality, or hide an incomplete accepted range.
|
|
102
|
+
|
|
103
|
+
## What it does not require
|
|
104
|
+
|
|
105
|
+
- It does not say there are no facts. Facts and causality remain load-bearing.
|
|
106
|
+
- It does not permit arbitrary narratives, invented evidence, or convenient
|
|
107
|
+
ordering.
|
|
108
|
+
- It does not require a universal global clock, a permanent global sequencer,
|
|
109
|
+
or distributed consensus for every timeline.
|
|
110
|
+
- It does not forbid a product from having a default observer policy.
|
|
111
|
+
- It does not solve conflicts between independently written authority roots.
|
|
112
|
+
Conflict policy must be explicit when it exists.
|
|
113
|
+
- It does not supersede KFD-1, KFD-2, or KFD-3. It applies them to
|
|
114
|
+
perspective-bearing views.
|
|
115
|
+
|
|
116
|
+
## Relation to KFD-1, KFD-2, and KFD-3
|
|
117
|
+
|
|
118
|
+
KFD-1 says facts must not drift. KFD-4 depends on that: a perspective-bearing
|
|
119
|
+
timeline must stand on accepted facts, not on a driftable story.
|
|
120
|
+
|
|
121
|
+
KFD-2 says trust must start from facts. KFD-4 applies that to ordering: trust
|
|
122
|
+
in a timeline comes from reproducibility under declared facts and declared
|
|
123
|
+
projection policy, not from an undeclared claim to absolute time.
|
|
124
|
+
|
|
125
|
+
KFD-3 says cooperation must start from trusted value. KFD-4 applies that to
|
|
126
|
+
multi-participant work: humans and agents may carry different perspectives,
|
|
127
|
+
but cooperation becomes possible when those perspectives expose their facts,
|
|
128
|
+
constraints, and view policies instead of forcing everyone into a hidden
|
|
129
|
+
ordering.
|
|
130
|
+
|
|
131
|
+
Together:
|
|
132
|
+
|
|
133
|
+
```text
|
|
134
|
+
KFD-1: facts must not drift.
|
|
135
|
+
KFD-2: trust must start from facts.
|
|
136
|
+
KFD-3: cooperation must start from trusted value.
|
|
137
|
+
KFD-4: timelines must declare their observer.
|
|
138
|
+
```
|
|
139
|
+
|
|
140
|
+
The first three define the foundation. KFD-4 is a practice guideline for how
|
|
141
|
+
that foundation behaves when a product shows time, history, replay, sync, or
|
|
142
|
+
mixed-source work state.
|
|
143
|
+
|
|
144
|
+
## Implementation case: Kungfu observer timelines
|
|
145
|
+
|
|
146
|
+
Kungfu's observer-relative timeline design is the first concrete product case.
|
|
147
|
+
Kungfu stores causal runtime facts, source provenance, accepted ranges,
|
|
148
|
+
manifests, payload evidence, and verification results. A mixed-source timeline
|
|
149
|
+
is a deterministic projection from an explicit observer policy; it is not a
|
|
150
|
+
claim that Kungfu has discovered one universal global clock.
|
|
151
|
+
|
|
152
|
+
That design lets a local user sync facts from another machine, inspect agent
|
|
153
|
+
work that happened elsewhere, and still ask precise questions:
|
|
154
|
+
|
|
155
|
+
```text
|
|
156
|
+
which facts did this observer accept?
|
|
157
|
+
which source or location did each fact come from?
|
|
158
|
+
which causal links constrain the order?
|
|
159
|
+
which concurrent facts were ordered by policy?
|
|
160
|
+
can another consumer reproduce the same view?
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
This is the product-level form of the KFD-4 procedure.
|
|
164
|
+
|
|
165
|
+
## Implementation case: the KFD package
|
|
166
|
+
|
|
167
|
+
The `@kungfu-tech/kfd` npm package publishes a KFD-4 observer-perspective
|
|
168
|
+
schema under `schemas/kfd-4/observer-perspective.schema.json`. The schema is
|
|
169
|
+
not a mandatory runtime data model for every adopter. It is the KFD-owned
|
|
170
|
+
vocabulary for declaring observer, accepted facts, projection policy, causal
|
|
171
|
+
constraints, and degraded evidence state in products that need a
|
|
172
|
+
perspective-bearing timeline.
|
|
173
|
+
|
|
174
|
+
## Adopters
|
|
175
|
+
|
|
176
|
+
Each adopting repository cites this KFD when designing or changing a timeline,
|
|
177
|
+
history view, replay view, source sync flow, multi-machine view, multi-agent
|
|
178
|
+
view, audit bundle, or exported record that orders facts from more than one
|
|
179
|
+
source or perspective.
|
|
180
|
+
|
|
181
|
+
Adopters should keep local implementation detail in repository documents and
|
|
182
|
+
reference this KFD rather than restating it.
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# KFD-1 Implementation Notes
|
|
2
|
+
|
|
3
|
+
KFD-1 defines the fact-source rule: facts must not drift. This page is the
|
|
4
|
+
package implementation note for machine consumers and release systems. The
|
|
5
|
+
authoritative decision text remains `decisions/KFD-1.md`.
|
|
6
|
+
|
|
7
|
+
## Package Surfaces
|
|
8
|
+
|
|
9
|
+
The KFD package implements KFD-1 through a declared contract world:
|
|
10
|
+
|
|
11
|
+
- `standards.json#/standards/kfd-1/surfaceRegister` is the package-owned
|
|
12
|
+
surface register.
|
|
13
|
+
- `schemas/kfd-1/contract-world.schema.json` defines the contract-world schema.
|
|
14
|
+
- `schemas/kfd-1/witness.schema.json` defines the witness schema.
|
|
15
|
+
- `.buildchain/kfd-1/contract-world.witness.json` projects registered surfaces,
|
|
16
|
+
source hashes, artifact hashes, surface classes, and impact projections.
|
|
17
|
+
- `scripts/check.mjs` verifies the register, schema enums, witness hashes, and
|
|
18
|
+
surface projection.
|
|
19
|
+
|
|
20
|
+
## Compatibility Impact Core
|
|
21
|
+
|
|
22
|
+
KFD-1 uses four generic compatibility-impact classes:
|
|
23
|
+
|
|
24
|
+
- `breaking`
|
|
25
|
+
- `additive`
|
|
26
|
+
- `none`
|
|
27
|
+
- `unclassifiable`
|
|
28
|
+
|
|
29
|
+
Release versioning is only one projection of those classes. Other domains can
|
|
30
|
+
project the same core into config migration, ABI epochs, API namespaces,
|
|
31
|
+
runtime compatibility bridges, or workflow gates.
|
|
32
|
+
|
|
33
|
+
## Dogfood Role
|
|
34
|
+
|
|
35
|
+
This package uses KFD-1 on itself. New public package surfaces should be added
|
|
36
|
+
to `standards.json#/standards/kfd-1/surfaceRegister`, then projected into the
|
|
37
|
+
KFD-1 witness by `node scripts/update-kfd-1-witness.mjs`.
|
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
# KFD-2 Trust Assessment Metadata
|
|
2
|
+
|
|
3
|
+
KFD-2 says that trust must start from inspectable facts and responsibility
|
|
4
|
+
state. A product must not ask users or agents to trust load-bearing claims only
|
|
5
|
+
because they appear in prose, changelogs, repository history, generated UI, or
|
|
6
|
+
maintainer reputation.
|
|
7
|
+
|
|
8
|
+
This package defines KFD-owned machine interfaces for the generic trust model:
|
|
9
|
+
|
|
10
|
+
- `schemas/kfd-2/trust-taxonomy.schema.json`: the KFD-owned taxonomy for
|
|
11
|
+
residual-risk types, trust impact, machine provability, agent actions, and
|
|
12
|
+
downgrade reasons.
|
|
13
|
+
- `schemas/kfd-2/trust-claims.schema.json`: the generic claim input shape for
|
|
14
|
+
KFD-2 assessment. Claims may target KFD standards, contract worlds,
|
|
15
|
+
collaboration interfaces, observer perspectives, releases, config, APIs,
|
|
16
|
+
ABIs, runtime facts, documentation, or other product surfaces.
|
|
17
|
+
- `schemas/kfd-2/trust-assessment.schema.json`: the generic assessment output
|
|
18
|
+
shape that records result, checked facts, evidence, audit boundary,
|
|
19
|
+
responsibility, residual risk, and downgrade reasons.
|
|
20
|
+
- `schemas/kfd-2/release-claims.schema.json`: the product's declared public
|
|
21
|
+
release claims, as a release-specific projection.
|
|
22
|
+
- `schemas/kfd-2/release-trust-passport.schema.json`: the verifier's result
|
|
23
|
+
after auditing release claims against evidence.
|
|
24
|
+
|
|
25
|
+
The generic flow is:
|
|
26
|
+
|
|
27
|
+
```text
|
|
28
|
+
trust claims -> evidence audit -> trust assessment -> product or release gate
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
The intended Buildchain flow is:
|
|
32
|
+
|
|
33
|
+
```text
|
|
34
|
+
release claims -> evidence audit -> release trust passport -> release passport
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
Release trust passports are one projection of KFD-2, not the whole KFD-2 model.
|
|
38
|
+
Each claim should declare the statement being made, the subject of the claim,
|
|
39
|
+
the facts it binds to, machine-readable evidence, the audit boundary, residual
|
|
40
|
+
risk, and responsibility state. A trust assessment or release trust passport
|
|
41
|
+
then records whether each claim is bound to evidence, which evidence was
|
|
42
|
+
checked, what the result was, and who owns the decision.
|
|
43
|
+
|
|
44
|
+
## Generic Trust Claims
|
|
45
|
+
|
|
46
|
+
The generic claim model exists so KFD-2 can assess KFD-1, KFD-3, KFD-4, and
|
|
47
|
+
future KFDs through one structure instead of inventing a new evaluator for each
|
|
48
|
+
standard.
|
|
49
|
+
|
|
50
|
+
A generic claim identifies:
|
|
51
|
+
|
|
52
|
+
- `subject`: what the claim is about, such as `contract-world`,
|
|
53
|
+
`collaboration-interface`, `observer-perspective`, `release`, `config`,
|
|
54
|
+
`api`, `abi`, `gui-surface`, or `runtime-fact`;
|
|
55
|
+
- `facts`: the inspectable fact sources the claim binds to;
|
|
56
|
+
- `evidence`: the files, schemas, witnesses, commands, artifacts, URLs, or
|
|
57
|
+
manual-review records used to evaluate the claim;
|
|
58
|
+
- `auditBoundary`: what the assessment covers and whether the surface is
|
|
59
|
+
closed-world, declared-open, sampled, or manual;
|
|
60
|
+
- `responsibility`: who owns source facts, verification, and the decision;
|
|
61
|
+
- `residualRisk`: KFD-2 taxonomy values for what remains unproved.
|
|
62
|
+
|
|
63
|
+
The KFD package dogfoods this through:
|
|
64
|
+
|
|
65
|
+
```text
|
|
66
|
+
.buildchain/kfd-2/kfd-foundation.trust-claims.json
|
|
67
|
+
.buildchain/kfd-2/kfd-foundation.trust-assessment.json
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
Those files assess KFD-1's contract-world claim, KFD-3's
|
|
71
|
+
collaboration-interface claim, and KFD-4's observer-perspective claim. KFD-3
|
|
72
|
+
currently receives a warning result because its machine-checkable interface
|
|
73
|
+
still carries natural-language semantic residual risk.
|
|
74
|
+
|
|
75
|
+
## Trust Taxonomy
|
|
76
|
+
|
|
77
|
+
KFD-2 owns the vocabulary for residual risks and trust downgrades. A product,
|
|
78
|
+
release tool, or agent must not invent new residual-risk values locally and
|
|
79
|
+
still claim KFD-2 conformance. Unknown values fail schema validation.
|
|
80
|
+
|
|
81
|
+
The current taxonomy is published in
|
|
82
|
+
`schemas/kfd-2/trust-taxonomy.schema.json`. It defines:
|
|
83
|
+
|
|
84
|
+
- `riskType`: what kind of trust gap remains;
|
|
85
|
+
- `trustImpact`: whether the gap is informational, downgraded, failing, or
|
|
86
|
+
unverifiable;
|
|
87
|
+
- `machineProvability`: whether the gap can be fully proved by machine;
|
|
88
|
+
- `agentAction`: what an agent should do next;
|
|
89
|
+
- `downgradeReason`: how a verifier maps residual risk into a release trust
|
|
90
|
+
result.
|
|
91
|
+
|
|
92
|
+
If an agent needs a KFD-2 value that is not present, the standard extension
|
|
93
|
+
path is to open an issue in the KFD repository:
|
|
94
|
+
|
|
95
|
+
```text
|
|
96
|
+
https://github.com/kungfu-systems/kfd/issues/new?title=KFD-2%20trust%20taxonomy%20extension%20request
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
The issue should state the missing value, the field it belongs to, the product
|
|
100
|
+
or release scenario that needs it, and why existing values cannot express the
|
|
101
|
+
case. Until KFD accepts the new value into the taxonomy schema, consumers
|
|
102
|
+
should treat the value as invalid rather than as a soft warning.
|
|
103
|
+
|
|
104
|
+
## Interface Versioning
|
|
105
|
+
|
|
106
|
+
KFD package semver is only the distribution version. It is not the version of a
|
|
107
|
+
KFD-owned machine interface.
|
|
108
|
+
|
|
109
|
+
Every KFD-owned machine interface uses:
|
|
110
|
+
|
|
111
|
+
- `schemaVersion`: the interface version consumed by tools.
|
|
112
|
+
- `contract`: the stable contract name, such as `kfd-2-release-claims`.
|
|
113
|
+
- `$id`: the canonical schema URL for the current stable interface.
|
|
114
|
+
|
|
115
|
+
Compatible additions may keep `schemaVersion: 1`. A change that alters required
|
|
116
|
+
fields, field semantics, verification meaning, audit boundary semantics, or
|
|
117
|
+
responsibility semantics must not silently reuse the same interface contract.
|
|
118
|
+
It must introduce a new interface version or, when the standard itself changes,
|
|
119
|
+
a new KFD decision or amendment path.
|
|
120
|
+
|
|
121
|
+
The same rule applies to KFD-1 and KFD-3 schemas. Their current schemas already
|
|
122
|
+
carry `schemaVersion: 1` and a `contract` value; this document makes the
|
|
123
|
+
evolution rule explicit across the KFD package.
|