@kungfu-tech/kfd 1.0.0-alpha.2 → 1.0.0-alpha.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/.buildchain/kfd-1/contract-world.witness.json +753 -0
  2. package/.buildchain/kfd-2/kfd-foundation.trust-assessment.json +238 -0
  3. package/.buildchain/kfd-2/kfd-foundation.trust-claims.json +225 -0
  4. package/.buildchain/kfd-2/public-release-trust.claim.json +131 -0
  5. package/.buildchain/kfd-3/collaboration-interface.artifact.json +774 -0
  6. package/.buildchain/kfd-3/collaboration-interface.json +421 -0
  7. package/.buildchain/kfd-3/collaboration-interface.prebuild.json +1141 -0
  8. package/README.md +149 -29
  9. package/TRADEMARKS.md +60 -0
  10. package/buildchain.contract-lock.json +86 -0
  11. package/buildchain.release-propagation.json +32 -0
  12. package/decisions/{kfd-1.md → KFD-1.md} +77 -35
  13. package/decisions/{kfd-2.md → KFD-2.md} +63 -11
  14. package/decisions/{kfd-3.md → KFD-3.md} +54 -16
  15. package/decisions/KFD-4.md +182 -0
  16. package/docs/KFD-1-usage.md +37 -0
  17. package/docs/KFD-2-usage.md +123 -0
  18. package/docs/KFD-3-usage.md +98 -0
  19. package/docs/KFD-4-usage.md +31 -0
  20. package/docs/MAP.md +20 -3
  21. package/docs/release-governance.md +28 -0
  22. package/kfd.release.json +13 -0
  23. package/package.json +28 -2
  24. package/registry.json +15 -5
  25. package/release-impact.json +113 -0
  26. package/schemas/kfd-1/contract-world.schema.json +67 -4
  27. package/schemas/kfd-1/witness.schema.json +113 -0
  28. package/schemas/kfd-2/release-claims.schema.json +331 -0
  29. package/schemas/kfd-2/release-trust-passport.schema.json +276 -0
  30. package/schemas/kfd-2/trust-assessment.schema.json +313 -0
  31. package/schemas/kfd-2/trust-claims.schema.json +334 -0
  32. package/schemas/kfd-2/trust-taxonomy.schema.json +219 -0
  33. package/schemas/kfd-3/collaboration-interface.schema.json +542 -0
  34. package/schemas/kfd-3/witness.schema.json +167 -0
  35. package/schemas/kfd-4/observer-perspective.schema.json +272 -0
  36. package/schemas/kfd-standards.schema.json +163 -0
  37. package/scripts/check.mjs +930 -0
  38. package/scripts/npm-publish-transaction.mjs +220 -0
  39. package/scripts/update-kfd-1-witness.mjs +35 -0
  40. package/scripts/update-kfd-2-claim.mjs +304 -0
  41. package/scripts/update-kfd-3-witness.mjs +261 -0
  42. package/scripts/update-site-bundle.mjs +353 -0
  43. package/site/kfd-site.json +251 -12
  44. package/standards.json +775 -15
@@ -7,6 +7,8 @@
7
7
 
8
8
  ## One sentence
9
9
 
10
+ Trust must start from facts.
11
+
10
12
  A product must not ask users or agents to trust important claims before the
11
13
  relevant facts are inspectable, local where possible, and connected to
12
14
  responsibility state.
@@ -19,8 +21,11 @@ KFDs can be principles or procedures:
19
21
  products, repositories, and release lines change.
20
22
  - A **procedure** states how a class of work enforces or protects a principle.
21
23
 
22
- This KFD is a principle. KFD-1 is a procedure that protects release and
23
- version responsibility under this principle.
24
+ This KFD is a principle. KFD-1 is the procedure that keeps the fact sources
25
+ under this principle from drifting. KFD-3 is the principle that governs how
26
+ humans and agents cooperate once facts and trust are visible. KFD-4 is a
27
+ procedure whose observer-perspective claims can also be assessed under this
28
+ principle.
24
29
 
25
30
  ## Foundation role
26
31
 
@@ -31,9 +36,13 @@ trust must start from facts
31
36
  ```
32
37
 
33
38
  KFD-2 says Kungfu products should not ask users or agents to trust a claim
34
- before the product has made the relevant facts inspectable. KFD-1 protects
35
- contract truth across artifact lines. KFD-3 protects the relationship with the
36
- human or agent who must understand and act on those facts.
39
+ before the product has made the relevant facts inspectable. KFD-1 protects the
40
+ non-drifting fact source those claims stand on. KFD-3 protects the relationship
41
+ with the human or agent who must understand and act on those facts.
42
+
43
+ KFD-2 is not a checker for only one other KFD. It is the generic trust
44
+ adjudication layer for any KFD claim, product claim, artifact claim, control
45
+ surface claim, or release claim that asks a human or agent to rely on it.
37
46
 
38
47
  ## Principle
39
48
 
@@ -68,6 +77,27 @@ leaves enough evidence for later review.
68
77
  - Hosted or cloud convenience may add synchronization, storage, compute, and
69
78
  collaboration, but it must not become the only place where the truth exists.
70
79
 
80
+ ## Generic trust assessment model
81
+
82
+ Every KFD-2 trust assessment starts from a claim. The claim may be about a
83
+ release, but it may also be about a contract world, a collaboration interface,
84
+ an observer perspective, a config surface, an API, an ABI, a GUI surface, a
85
+ runtime fact, documentation, or another product surface.
86
+
87
+ A claim is trustable only when the assessment can state:
88
+
89
+ - what the claim is about;
90
+ - which facts the claim binds to;
91
+ - which evidence was checked;
92
+ - what can be machine verified;
93
+ - what remains a residual risk;
94
+ - who owns source facts, verification, and the trust decision;
95
+ - whether the result is pass, warning, fail, or unverifiable.
96
+
97
+ This model is intentionally general. KFD-1, KFD-3, KFD-4, and future KFDs can
98
+ provide claims that KFD-2 assesses. Release trust passports are one projection
99
+ of this model, not the model itself.
100
+
71
101
  ## What it does not require
72
102
 
73
103
  - It does not require every product to be a journal engine or runtime ledger.
@@ -81,14 +111,15 @@ leaves enough evidence for later review.
81
111
 
82
112
  ## Relation to KFD-1
83
113
 
84
- KFD-1 is a procedure. It makes release and version responsibility legible when
85
- contract worlds change. KFD-2 is the higher-level principle: versioning,
86
- release evidence, fact ledgers, agent control panes, extension gates, and
87
- hosted services should all preserve the path from fact source to responsibility
88
- state to proof-backed decision.
114
+ KFD-1 is a procedure. It defines what can count as a load-bearing fact source:
115
+ facts must not drift from the contract world that declares them. KFD-2 is the
116
+ next layer: once facts are non-drifting and inspectable, trust claims must be
117
+ bound to those facts and to responsibility state.
89
118
 
90
119
  KFD-2 does not supersede KFD-1. KFD-1 remains active and is one concrete
91
- procedure that implements KFD-2 for version and release responsibility.
120
+ procedure that implements KFD-2 wherever trust depends on contract worlds,
121
+ release evidence, fact ledgers, agent control panes, extension gates, hosted
122
+ surfaces, schemas, configs, or package metadata.
92
123
 
93
124
  ## Supersession rule
94
125
 
@@ -98,6 +129,27 @@ explicitly and the registry records the affected decision. Two active KFDs that
98
129
  conflict without an explicit supersession relationship are a registry defect,
99
130
  not an invitation to pick the newer text silently.
100
131
 
132
+ ## Implementation case: the KFD package
133
+
134
+ The `@kungfu-tech/kfd` npm package is a self-proof case for this principle.
135
+ It does not ask humans or agents to trust the KFD registry only because the
136
+ README says so. It publishes inspectable facts: decision documents,
137
+ `registry.json`, `standards.json`, JSON schemas, document hashes, release-impact
138
+ metadata, and conformance checks.
139
+
140
+ KFD-2 also owns the trust taxonomy used by release claims, release trust
141
+ passports, KFD-3 witnesses, and generic trust assessments. Unknown
142
+ residual-risk or trust-downgrade values fail validation until KFD records them
143
+ in `schemas/kfd-2/trust-taxonomy.schema.json`. When an agent needs a new value,
144
+ the declared extension path is to open an issue in
145
+ `https://github.com/kungfu-systems/kfd` rather than inventing a private value.
146
+
147
+ The package dogfoods this model through
148
+ `.buildchain/kfd-2/kfd-foundation.trust-claims.json` and
149
+ `.buildchain/kfd-2/kfd-foundation.trust-assessment.json`. Those files assess
150
+ KFD-1's contract-world claim, KFD-3's collaboration-interface claim, and KFD-4's
151
+ observer-perspective claim through the same KFD-2 structure.
152
+
101
153
  ## Adopters
102
154
 
103
155
  Each adopting repository cites this KFD when designing or changing a fact
@@ -1,4 +1,4 @@
1
- # KFD-3: Cooperation must start from transparent value — compliance must not be coerced
1
+ # KFD-3: Cooperation must start from trusted value — compliance must not be coerced
2
2
 
3
3
  - Status: active
4
4
  - Number: 3
@@ -7,10 +7,12 @@
7
7
 
8
8
  ## One sentence
9
9
 
10
+ Cooperation must start from trusted value.
11
+
10
12
  A product must not obtain cooperation through pressure, manipulation, hidden
11
- control, or forced workflow capture. It must make value, choices, and
12
- constraints visible enough for intelligent participants to understand, decide,
13
- and cooperate.
13
+ control, or forced workflow capture. It must make facts, value, choices, and
14
+ constraints transparent enough for intelligent participants to trust what is
15
+ being offered, understand the available path, decide, and cooperate.
14
16
 
15
17
  ## Decision type
16
18
 
@@ -28,11 +30,12 @@ kungfu-systems takes toward humans and agents as reasoning participants.
28
30
  Within the KFD-1/2/3 foundation, this is the relationship path:
29
31
 
30
32
  ```text
31
- cooperation must start from transparent value, not coercion
33
+ cooperation must start from trusted value
32
34
  ```
33
35
 
34
36
  KFD-2 protects the truth path: show facts before asking for trust. KFD-3
35
- protects the relationship path: show value before asking for compliance.
37
+ protects the relationship path: make value transparent enough to be trusted
38
+ before asking for cooperation.
36
39
 
37
40
  ## Principle
38
41
 
@@ -58,7 +61,7 @@ The default product path should therefore follow this chain:
58
61
 
59
62
  ```text
60
63
  transparent facts
61
- -> discoverable value
64
+ -> trusted value
62
65
  -> stable choice
63
66
  -> explainable constraint
64
67
  -> voluntary cooperation
@@ -83,7 +86,7 @@ Products may recommend a path, refuse unsafe actions, or require explicit
83
86
  approval. They should not pretend that forced compliance is the same as
84
87
  understanding or trust.
85
88
 
86
- ### 2. Make value discoverable through facts
89
+ ### 2. Make value trusted through transparent facts
87
90
 
88
91
  Humans and agents should be able to discover what the product can do, why it is
89
92
  useful, what it observed, what it changed, and what boundary applies without
@@ -91,7 +94,15 @@ needing oral context, private maintainer memory, or web-only documentation.
91
94
 
92
95
  Agent-facing surfaces should expose local, versioned, machine-readable and
93
96
  human-readable facts wherever possible. A capable agent should be able to learn
94
- the product's value by inspecting the product's own facts and commands.
97
+ the product's value, and why that value can be trusted, by inspecting the
98
+ product's own facts and commands.
99
+
100
+ Trusted value is therefore not only a product promise or persuasive sentence.
101
+ A collaboration interface should bind important value claims to explicit value
102
+ evidence: the facts that make the value claim inspectable, the artifacts or
103
+ checks that prove those facts are present, and the KFD-2 trust assessment or
104
+ residual-risk state that tells participants how much weight to place on the
105
+ claim.
95
106
 
96
107
  ### 3. Use constraints as transparent safety, not hidden control
97
108
 
@@ -140,9 +151,10 @@ how it can be changed, escalated, or revoked when appropriate
140
151
  - It does not turn a private founder narrative into a public repository rule.
141
152
  This public rule is about product stance, adoption, safety, and cooperation
142
153
  with intelligent participants.
143
- - It does not supersede KFD-2. Facts and responsibility still come first; this
144
- KFD states how those facts should be presented to humans and agents without
145
- coercion.
154
+ - It does not supersede KFD-2. Facts and responsibility still come first;
155
+ transparent value is the route by which value becomes trusted, not a
156
+ substitute for trust. This KFD states how those facts and values should be
157
+ presented to humans and agents without coercion.
146
158
 
147
159
  ## Relation to KFD-2
148
160
 
@@ -151,12 +163,38 @@ KFD-3 says the path of least resistance should not be built from pressure or
151
163
  hidden control. Together:
152
164
 
153
165
  ```text
154
- KFD-2: show the facts before asking for trust.
155
- KFD-3: show the value before asking for compliance.
166
+ KFD-1: facts must not drift.
167
+ KFD-2: trust must start from facts.
168
+ KFD-3: cooperation must start from trusted value.
156
169
  ```
157
170
 
158
- KFD-2 protects the truth path. KFD-3 protects the relationship with the
159
- intelligent participant who must walk that path.
171
+ KFD-1 protects the fact-source layer. KFD-2 protects the trust layer. KFD-3
172
+ protects the relationship with the intelligent participant who must decide
173
+ whether the offered value is trustworthy enough to walk that path.
174
+
175
+ In machine-readable profiles, this means KFD-3 collaboration interfaces should
176
+ not merely list surfaces and constraints. They should also declare value
177
+ evidence that can be evaluated through the KFD-2 trust model. KFD-2 can then
178
+ say which parts are machine-checkable, which parts remain semantic residual
179
+ risk, and what an agent should do next.
180
+
181
+ ## Implementation case: the KFD package
182
+
183
+ The `@kungfu-tech/kfd` npm package is a self-proof case for this principle.
184
+ Its README gives humans and agents the same quickstart path. `standards.json`
185
+ gives stable standard identity, schema IDs, and concept names. The KFD-3
186
+ schemas define collaboration interfaces, witnesses, and extension requests, so
187
+ an agent can discover both the valid interface and the standard path for asking
188
+ to extend it. The KFD-3 collaboration interface also declares value evidence
189
+ that points to KFD-owned facts, package surfaces, and the KFD-2 generic trust
190
+ assessment, so an agent can inspect why KFD's claimed value is trustable before
191
+ cooperating.
192
+
193
+ For example, if an agent needs a KFD-2 trust-taxonomy value that does not
194
+ exist, the KFD-3 collaboration path is not hidden maintainer pressure or local
195
+ invention. The declared path is a visible GitHub issue in the KFD repository,
196
+ where the new value can be reviewed and, if accepted, added to the KFD-owned
197
+ taxonomy for everyone.
160
198
 
161
199
  ## Adopters
162
200
 
@@ -0,0 +1,182 @@
1
+ # KFD-4: Timelines must declare their observer — useful views need a stated perspective
2
+
3
+ - Status: active
4
+ - Number: 4
5
+ - Kind: procedure
6
+ - Applies to: every kungfu-systems product, repository, release surface, extension surface, hosted surface, and agent-facing interface that represents time, ordering, history, timelines, sync, replay, or mixed-source work facts
7
+
8
+ ## One sentence
9
+
10
+ Timelines must declare their observer.
11
+
12
+ A product must not present a mixed-source ordering as an absolute view from
13
+ nowhere. A useful view of reality must state who is observing, which facts were
14
+ accepted, and how concurrent facts were projected.
15
+
16
+ ## Decision type
17
+
18
+ KFDs can be principles or procedures:
19
+
20
+ - A **principle** states what must remain true across kungfu-systems even as
21
+ products, repositories, and release lines change.
22
+ - A **procedure** states how a class of work enforces or protects a principle.
23
+
24
+ This KFD is a procedure. It is not a fourth foundation principle beside
25
+ KFD-1/2/3. It is the first practice guideline derived from the foundation
26
+ triad: once facts are non-drifting, trust starts from facts, and cooperation
27
+ starts from trusted value, a product still has to say from which perspective a
28
+ time-ordered view is being offered.
29
+
30
+ ## Practice role
31
+
32
+ Within the KFD structure, KFD-1/2/3 form the foundation:
33
+
34
+ ```text
35
+ facts must not drift
36
+ -> trust must start from facts
37
+ -> cooperation must start from trusted value
38
+ ```
39
+
40
+ KFD-4 applies that foundation to perspective, ordering, and action. It answers
41
+ this practice question:
42
+
43
+ ```text
44
+ In a complex world, from which declared perspective is this view useful,
45
+ stable, and trustworthy?
46
+ ```
47
+
48
+ ## Procedure
49
+
50
+ When a product combines facts from multiple machines, agents, processes,
51
+ sessions, sources, repositories, providers, or external systems, it should
52
+ treat the visible timeline as an observer-relative projection over accepted
53
+ facts, not as a claim that the product has found one absolute global clock.
54
+
55
+ The authoritative record should be facts and evidence:
56
+
57
+ - source-local records and their local order;
58
+ - provenance for source, participant, location, session, run, or adapter;
59
+ - accepted ranges, heads, cursors, watermarks, and capture boundaries;
60
+ - causal links between observations, decisions, actions, and results;
61
+ - payload hashes, schema bindings, receipts, redaction states, and verification
62
+ results.
63
+
64
+ The visible timeline is a view over those facts. Its perspective must be
65
+ declared enough that another human or agent can reproduce the same view from
66
+ the same accepted facts.
67
+
68
+ ## What a declared perspective should include
69
+
70
+ A perspective-bearing timeline should identify, where applicable:
71
+
72
+ - the observer or observer location whose view is being presented;
73
+ - the accepted fact sources, ranges, watermarks, and freshness boundaries;
74
+ - the projection policy version;
75
+ - the ordering rule for concurrent or causally unrelated facts;
76
+ - the deterministic tie-breaker used when policy and source-local order are not
77
+ enough;
78
+ - the degraded state when causality, payloads, schemas, accepted ranges, or
79
+ freshness are incomplete.
80
+
81
+ Causal facts dominate projection policy. A product may order concurrent facts
82
+ by observer policy, source priority, or deterministic tie-breaker, but it must
83
+ not invert a known causal dependency. If it cannot produce a valid total order
84
+ without hiding missing causality or missing evidence, it should report a
85
+ degraded view rather than silently sorting by wall-clock time.
86
+
87
+ ## What it requires
88
+
89
+ - GUI, CLI, API, export, and agent-facing timeline surfaces should make the
90
+ observer or projection policy inspectable when they mix sources.
91
+ - Wall-clock time may be used for display, latency, diagnostics, and
92
+ source-local ordering, but it must not be the only proof of cross-source
93
+ order.
94
+ - Exported bundles that claim a timeline order should carry enough perspective
95
+ metadata for another consumer to reproduce that order.
96
+ - Storage and sync systems should preserve source provenance, accepted ranges,
97
+ and causal links rather than flattening remote facts into anonymous local
98
+ records.
99
+ - Fsck, release gates, or other verification systems should eventually be able
100
+ to check that a projected view does not contradict known facts, invert known
101
+ causality, or hide an incomplete accepted range.
102
+
103
+ ## What it does not require
104
+
105
+ - It does not say there are no facts. Facts and causality remain load-bearing.
106
+ - It does not permit arbitrary narratives, invented evidence, or convenient
107
+ ordering.
108
+ - It does not require a universal global clock, a permanent global sequencer,
109
+ or distributed consensus for every timeline.
110
+ - It does not forbid a product from having a default observer policy.
111
+ - It does not solve conflicts between independently written authority roots.
112
+ Conflict policy must be explicit when it exists.
113
+ - It does not supersede KFD-1, KFD-2, or KFD-3. It applies them to
114
+ perspective-bearing views.
115
+
116
+ ## Relation to KFD-1, KFD-2, and KFD-3
117
+
118
+ KFD-1 says facts must not drift. KFD-4 depends on that: a perspective-bearing
119
+ timeline must stand on accepted facts, not on a driftable story.
120
+
121
+ KFD-2 says trust must start from facts. KFD-4 applies that to ordering: trust
122
+ in a timeline comes from reproducibility under declared facts and declared
123
+ projection policy, not from an undeclared claim to absolute time.
124
+
125
+ KFD-3 says cooperation must start from trusted value. KFD-4 applies that to
126
+ multi-participant work: humans and agents may carry different perspectives,
127
+ but cooperation becomes possible when those perspectives expose their facts,
128
+ constraints, and view policies instead of forcing everyone into a hidden
129
+ ordering.
130
+
131
+ Together:
132
+
133
+ ```text
134
+ KFD-1: facts must not drift.
135
+ KFD-2: trust must start from facts.
136
+ KFD-3: cooperation must start from trusted value.
137
+ KFD-4: timelines must declare their observer.
138
+ ```
139
+
140
+ The first three define the foundation. KFD-4 is a practice guideline for how
141
+ that foundation behaves when a product shows time, history, replay, sync, or
142
+ mixed-source work state.
143
+
144
+ ## Implementation case: Kungfu observer timelines
145
+
146
+ Kungfu's observer-relative timeline design is the first concrete product case.
147
+ Kungfu stores causal runtime facts, source provenance, accepted ranges,
148
+ manifests, payload evidence, and verification results. A mixed-source timeline
149
+ is a deterministic projection from an explicit observer policy; it is not a
150
+ claim that Kungfu has discovered one universal global clock.
151
+
152
+ That design lets a local user sync facts from another machine, inspect agent
153
+ work that happened elsewhere, and still ask precise questions:
154
+
155
+ ```text
156
+ which facts did this observer accept?
157
+ which source or location did each fact come from?
158
+ which causal links constrain the order?
159
+ which concurrent facts were ordered by policy?
160
+ can another consumer reproduce the same view?
161
+ ```
162
+
163
+ This is the product-level form of the KFD-4 procedure.
164
+
165
+ ## Implementation case: the KFD package
166
+
167
+ The `@kungfu-tech/kfd` npm package publishes a KFD-4 observer-perspective
168
+ schema under `schemas/kfd-4/observer-perspective.schema.json`. The schema is
169
+ not a mandatory runtime data model for every adopter. It is the KFD-owned
170
+ vocabulary for declaring observer, accepted facts, projection policy, causal
171
+ constraints, and degraded evidence state in products that need a
172
+ perspective-bearing timeline.
173
+
174
+ ## Adopters
175
+
176
+ Each adopting repository cites this KFD when designing or changing a timeline,
177
+ history view, replay view, source sync flow, multi-machine view, multi-agent
178
+ view, audit bundle, or exported record that orders facts from more than one
179
+ source or perspective.
180
+
181
+ Adopters should keep local implementation detail in repository documents and
182
+ reference this KFD rather than restating it.
@@ -0,0 +1,37 @@
1
+ # KFD-1 Implementation Notes
2
+
3
+ KFD-1 defines the fact-source rule: facts must not drift. This page is the
4
+ package implementation note for machine consumers and release systems. The
5
+ authoritative decision text remains `decisions/KFD-1.md`.
6
+
7
+ ## Package Surfaces
8
+
9
+ The KFD package implements KFD-1 through a declared contract world:
10
+
11
+ - `standards.json#/standards/kfd-1/surfaceRegister` is the package-owned
12
+ surface register.
13
+ - `schemas/kfd-1/contract-world.schema.json` defines the contract-world schema.
14
+ - `schemas/kfd-1/witness.schema.json` defines the witness schema.
15
+ - `.buildchain/kfd-1/contract-world.witness.json` projects registered surfaces,
16
+ source hashes, artifact hashes, surface classes, and impact projections.
17
+ - `scripts/check.mjs` verifies the register, schema enums, witness hashes, and
18
+ surface projection.
19
+
20
+ ## Compatibility Impact Core
21
+
22
+ KFD-1 uses four generic compatibility-impact classes:
23
+
24
+ - `breaking`
25
+ - `additive`
26
+ - `none`
27
+ - `unclassifiable`
28
+
29
+ Release versioning is only one projection of those classes. Other domains can
30
+ project the same core into config migration, ABI epochs, API namespaces,
31
+ runtime compatibility bridges, or workflow gates.
32
+
33
+ ## Dogfood Role
34
+
35
+ This package uses KFD-1 on itself. New public package surfaces should be added
36
+ to `standards.json#/standards/kfd-1/surfaceRegister`, then projected into the
37
+ KFD-1 witness by `node scripts/update-kfd-1-witness.mjs`.
@@ -0,0 +1,123 @@
1
+ # KFD-2 Trust Assessment Metadata
2
+
3
+ KFD-2 says that trust must start from inspectable facts and responsibility
4
+ state. A product must not ask users or agents to trust load-bearing claims only
5
+ because they appear in prose, changelogs, repository history, generated UI, or
6
+ maintainer reputation.
7
+
8
+ This package defines KFD-owned machine interfaces for the generic trust model:
9
+
10
+ - `schemas/kfd-2/trust-taxonomy.schema.json`: the KFD-owned taxonomy for
11
+ residual-risk types, trust impact, machine provability, agent actions, and
12
+ downgrade reasons.
13
+ - `schemas/kfd-2/trust-claims.schema.json`: the generic claim input shape for
14
+ KFD-2 assessment. Claims may target KFD standards, contract worlds,
15
+ collaboration interfaces, observer perspectives, releases, config, APIs,
16
+ ABIs, runtime facts, documentation, or other product surfaces.
17
+ - `schemas/kfd-2/trust-assessment.schema.json`: the generic assessment output
18
+ shape that records result, checked facts, evidence, audit boundary,
19
+ responsibility, residual risk, and downgrade reasons.
20
+ - `schemas/kfd-2/release-claims.schema.json`: the product's declared public
21
+ release claims, as a release-specific projection.
22
+ - `schemas/kfd-2/release-trust-passport.schema.json`: the verifier's result
23
+ after auditing release claims against evidence.
24
+
25
+ The generic flow is:
26
+
27
+ ```text
28
+ trust claims -> evidence audit -> trust assessment -> product or release gate
29
+ ```
30
+
31
+ The intended Buildchain flow is:
32
+
33
+ ```text
34
+ release claims -> evidence audit -> release trust passport -> release passport
35
+ ```
36
+
37
+ Release trust passports are one projection of KFD-2, not the whole KFD-2 model.
38
+ Each claim should declare the statement being made, the subject of the claim,
39
+ the facts it binds to, machine-readable evidence, the audit boundary, residual
40
+ risk, and responsibility state. A trust assessment or release trust passport
41
+ then records whether each claim is bound to evidence, which evidence was
42
+ checked, what the result was, and who owns the decision.
43
+
44
+ ## Generic Trust Claims
45
+
46
+ The generic claim model exists so KFD-2 can assess KFD-1, KFD-3, KFD-4, and
47
+ future KFDs through one structure instead of inventing a new evaluator for each
48
+ standard.
49
+
50
+ A generic claim identifies:
51
+
52
+ - `subject`: what the claim is about, such as `contract-world`,
53
+ `collaboration-interface`, `observer-perspective`, `release`, `config`,
54
+ `api`, `abi`, `gui-surface`, or `runtime-fact`;
55
+ - `facts`: the inspectable fact sources the claim binds to;
56
+ - `evidence`: the files, schemas, witnesses, commands, artifacts, URLs, or
57
+ manual-review records used to evaluate the claim;
58
+ - `auditBoundary`: what the assessment covers and whether the surface is
59
+ closed-world, declared-open, sampled, or manual;
60
+ - `responsibility`: who owns source facts, verification, and the decision;
61
+ - `residualRisk`: KFD-2 taxonomy values for what remains unproved.
62
+
63
+ The KFD package dogfoods this through:
64
+
65
+ ```text
66
+ .buildchain/kfd-2/kfd-foundation.trust-claims.json
67
+ .buildchain/kfd-2/kfd-foundation.trust-assessment.json
68
+ ```
69
+
70
+ Those files assess KFD-1's contract-world claim, KFD-3's
71
+ collaboration-interface claim, and KFD-4's observer-perspective claim. KFD-3
72
+ currently receives a warning result because its machine-checkable interface
73
+ still carries natural-language semantic residual risk.
74
+
75
+ ## Trust Taxonomy
76
+
77
+ KFD-2 owns the vocabulary for residual risks and trust downgrades. A product,
78
+ release tool, or agent must not invent new residual-risk values locally and
79
+ still claim KFD-2 conformance. Unknown values fail schema validation.
80
+
81
+ The current taxonomy is published in
82
+ `schemas/kfd-2/trust-taxonomy.schema.json`. It defines:
83
+
84
+ - `riskType`: what kind of trust gap remains;
85
+ - `trustImpact`: whether the gap is informational, downgraded, failing, or
86
+ unverifiable;
87
+ - `machineProvability`: whether the gap can be fully proved by machine;
88
+ - `agentAction`: what an agent should do next;
89
+ - `downgradeReason`: how a verifier maps residual risk into a release trust
90
+ result.
91
+
92
+ If an agent needs a KFD-2 value that is not present, the standard extension
93
+ path is to open an issue in the KFD repository:
94
+
95
+ ```text
96
+ https://github.com/kungfu-systems/kfd/issues/new?title=KFD-2%20trust%20taxonomy%20extension%20request
97
+ ```
98
+
99
+ The issue should state the missing value, the field it belongs to, the product
100
+ or release scenario that needs it, and why existing values cannot express the
101
+ case. Until KFD accepts the new value into the taxonomy schema, consumers
102
+ should treat the value as invalid rather than as a soft warning.
103
+
104
+ ## Interface Versioning
105
+
106
+ KFD package semver is only the distribution version. It is not the version of a
107
+ KFD-owned machine interface.
108
+
109
+ Every KFD-owned machine interface uses:
110
+
111
+ - `schemaVersion`: the interface version consumed by tools.
112
+ - `contract`: the stable contract name, such as `kfd-2-release-claims`.
113
+ - `$id`: the canonical schema URL for the current stable interface.
114
+
115
+ Compatible additions may keep `schemaVersion: 1`. A change that alters required
116
+ fields, field semantics, verification meaning, audit boundary semantics, or
117
+ responsibility semantics must not silently reuse the same interface contract.
118
+ It must introduce a new interface version or, when the standard itself changes,
119
+ a new KFD decision or amendment path.
120
+
121
+ The same rule applies to KFD-1 and KFD-3 schemas. Their current schemas already
122
+ carry `schemaVersion: 1` and a `contract` value; this document makes the
123
+ evolution rule explicit across the KFD package.