You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Each action has a minimum organization role, optional explicit permission grants, wallet-binding requirement, registry read-access requirement, settled-payment requirement, explicit-confirmation requirement, repair-approval requirement, and source-visibility result.
392
+
Protected-source actions fail closed unless role/grant, wallet binding, owner-read or licensed-read registry access, settlement, and interface admission all agree.
393
+
Source-safe preview actions may remain visible without protected source.
394
+
395
+
The same authority primitive must be used by:
396
+
397
+
- Terminal, as the ordinary permission explainer for selected activity detail;
398
+
- API routes, as the JSON-safe route decision for interface owners;
399
+
- MCP, as organization-scoped action authority over read-license and delivery operations;
400
+
- ChatGPT App, as connected-interface write admission over confirmed delivery writes;
401
+
- the sandbox harness, as emitted evidence for live Reading/AssetPack completion readback.
402
+
403
+
Authority proof roots include role root, permission root, read-access root, interface root, and aggregate authority root.
404
+
Terminal renders those roots with blockers and decision rows so operators can understand why a transaction can or cannot pay, unlock, deliver, repair, or administer without opening network logs.
405
+
372
406
### Disclosure and projection
373
407
374
408
- Current canonical objects and emitted artifacts: disclosure policy, projection policy, redaction decision, preview metadata, owner-read/licensed-read/denied state.
Copy file name to clipboardExpand all lines: BITCODE_SPEC_V29_NOTES.md
+20Lines changed: 20 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -168,6 +168,26 @@ Operator notes:
168
168
- Terminal journal detail is the ordinary repair cockpit for this gate: drift classes, blockers, repair actions, proof roots, journal entries, and repair receipts must be visible without opening network logs.
169
169
- Raw payload remains audit material, not the primary operator interface.
170
170
171
+
## Gate 7 working notes
172
+
173
+
Gate 7 makes organization authority package-owned and interface-shared.
174
+
175
+
Accepted Gate 7 posture:
176
+
177
+
- BTD authority evaluates Terminal, API, MCP, and ChatGPT App surfaces against the same action requirement table.
178
+
- Registry-derived organization holdings and read-license usage are summarized as authority evidence, not aggregate spendable balance.
179
+
- Protected-source actions require owner-read or licensed-read access plus settled payment where the action crosses the source boundary.
180
+
- ChatGPT App writes remain impossible without explicit user confirmation, read-access evidence, and organization authority evidence.
181
+
- MCP can request interface authority after its existing permission and read-access checks.
182
+
- Terminal exposes authority as a normal selected-activity detail section with collapsed metrics, blockers, decision rows, proof roots, and raw payload.
183
+
- Sandbox harness output carries `organizationAuthority` so staging-testnet Reading runs can be debugged from Terminal.
184
+
185
+
Gate 7 completion condition:
186
+
187
+
-`pnpm run check:v29-gate7` passes.
188
+
- Focused BTD, API, MCP, ChatGPT App, pipeline-hosts, and UAPI tests cover the authority primitive and interface surfaces.
189
+
- Spec, delta, notes, parity, Terminal README, package scripts, and gate-quality workflow name the Gate 7 closure surface.
190
+
171
191
## Later-version boundaries
172
192
173
193
- V30 remains reserved for Protocol/BTD hardening that is not necessary to close Terminal transaction depth.
| Commercial formalization | Gate 8 | packages/protocol, package tests, import scans, docs | pending | Demonstration-origin commercial internals are package-native and no runtime demo imports remain. |
59
59
| Terminal UX quality | Gate 9 | Playwright/Jest/a11y/responsive/browser QA | pending | Complete transaction cockpit is usable by default and inspectable in detail. |
60
60
| Promotion readiness | Gate 10 | promotion workflow, `.bitcode/v29-*`, `BITCODE_SPEC_V29_PROVEN.md`| pending |`version/v29` can promote to `main` only after all V29 checks pass. |
@@ -71,7 +71,8 @@ No `_legacy/` source is active source truth.
71
71
| Gate 3 wallet/BTC operation |`pnpm run check:v29-gate3` proves quote lifecycle, signer recovery, blocked readiness, API posture, and Terminal Wallet/BTC detail | drafted |
72
72
| Gate 4 Reading observability |`pnpm run check:v29-gate4` proves contract-aware Reading stream telemetry and Terminal rendering | drafted |
73
73
| Gate 5 AssetPack disclosure |`pnpm run check:v29-gate5` proves source-safe disclosure review, leakage detection, Terminal preview rendering, and PR title enforcement | drafted |
74
-
| Product implementation gates | Gates 6-9 close remaining Terminal transaction depth with tests and docs | pending |
74
+
| Gate 7 organization authority |`pnpm run check:v29-gate7` proves shared org/interface authority across BTD, API, MCP, ChatGPT App, harness, and Terminal | drafted |
75
+
| Product implementation gates | Gates 8-9 close remaining Terminal transaction depth with tests and docs | pending |
- Focused BTD, API, pipeline-hosts, and UAPI tests prove repair classification, conservation drift, proof roots, and Terminal repair visibility.
210
-
- Gate 5 does not implement organization authority beyond read-right state distinctions; Gate 7 owns registry-derived roles and holdings.
211
-
- Gate 5 does not add browser proof or full UX polish; Gate 9 owns that surface.
212
-
- Gate 5 does not add versioned API routes or source identifiers.
213
211
214
212
## Gate 5 completion condition
215
213
216
214
Gate 5 is complete when AssetPack disclosure review is package-owned, postprocess and sandbox harness evidence include source-safe disclosure review roots, protected-source leakage tests fail closed, Terminal renders the disclosure review through the Reading preview surface, gate PR title enforcement is active, focused package and UAPI tests pass, `check:v29-gate5` passes, CI invokes the checker and tests, docs name the implemented source surfaces, and the gate branch is committed and pushed for review into `version/v29`.
215
+
216
+
## Gate 7 Parity
217
+
218
+
Gate 7 closes the organization authority slice by making action permission a shared BTD decision instead of interface-local convention.
219
+
220
+
Accepted surfaces:
221
+
222
+
-`packages/btd/src/authority.ts` is the canonical organization/interface authority primitive for role checks, explicit grants, wallet binding, registry read access, settlement, explicit confirmation, repair approval, source visibility, and authority proof roots.
223
+
-`packages/api/src/routes/btd-crypto.ts` and `uapi/app/api/btd/organization-interface-authority/route.ts` expose JSON-safe authority decisions for application routes.
224
+
-`packages/executions-mcp/src/mcp-server/src/auth/middleware.ts` can require interface authority after existing permission and BTD read-access checks.
225
+
-`packages/chatgptapp/src/tools.ts` requires explicit confirmation, registry read-access evidence, and organization authority evidence before connected-interface writes.
226
+
-`packages/pipeline-hosts/src/asset-pack-harness.ts` stores and emits `organizationAuthority` beside settlement unlock and reconciliation evidence.
227
+
-`uapi/app/terminal/terminal-organization-authority.ts` and `TerminalTransactionOrganizationAuthorityCard.tsx` project the selected transaction into authority metrics, blockers, decision rows, proof roots, and raw payload.
228
+
229
+
Accepted failure states:
230
+
231
+
- Missing role, insufficient role, or missing explicit grant blocks authority.
232
+
- Missing wallet binding blocks fee payment, source unlock, and delivery when those actions require Reader wallet proof.
233
+
- Missing or denied registry read access blocks protected-source unlock and delivery.
234
+
- Pending settlement blocks protected-source visibility even when role evidence exists.
235
+
- Missing explicit confirmation blocks payment, delivery, repair, and administration actions that cross sensitive boundaries.
236
+
- Interfaces may deny actions even when the organization role could authorize them elsewhere.
0 commit comments