ICN State (living doc)

Current status (2026-05-15 snapshot)

Current phase: Phase 2 — Pilot Launch. NYCN is the intended first cooperative partner (active partnership track, not yet a formally committed pilot). The next concrete step is presenting the merged drive-ingest ladder + ICN proof-loop machinery + the now-complete architecture-spec ladder to NYCN organizers. Subsequent gates are pilot formalization, then first operator rehearsal against real (or fixture-equivalent) organizer material. The exact gate definition lives in the partner NYCN repo. The Phase 2 machinery is in place end-to-end at the runtime layer; the contract layer is now substantially richer at the design-level after the May-14/May-15 architecture-spec sprint. What remains is the human procedure — present, formalize, rehearse — and recording each step, plus the implementation work the closure batch's follow-up roster names.

The 2026-05-14 → 2026-05-15 architecture-spec sprint landed thirteen design-level spec PRs plus one process-doc PR plus one wrap-up PR (fifteen PRs total): #1814 integrated cooperative operating model spine, #1819 accepted-proposal effect dispatch contract (closed #1797 on merge), #1820 institutional domain and policy primitive, #1821 CCL policy registry and hook contract, #1822 governed service binding / workload manifest / runtime provider, #1823 storage durability policy objects, #1824 ArtifactRegistry v0 and ScopedVault boundary, #1825 entity-scope vocabulary boundary (LocalDomain not Coop), #1826 compute placement policy, #1827 reconciled the AGENTS.md handoff path with the actual template convention, #1829 network anti-entropy proof loops, #1830 member shell v0, #1831 steward cockpit v0, #1832 steward cockpit drift fix (four rounds of post-merge fixes addressing late reviewer feedback that landed after #1831 merged), and #1833 architecture-spec sprint closure-review wrap-up. After #1833 merged, the nine remaining sprint-related sibling issues were closed at the docs/spec level: #1794, #1795, #1798, #1799, #1801, #1815, #1816, #1817, #1818. The first batch of follow-up issues from the wrap-up's deduplicated roster was filed (#1834–#1840): three schema follow-ups (AntiEntropyProbe/StateDigest, DivergenceEvidence/RepairPlan, PlacementDecision/ExecutorAdmissionDecision), the steward required-action card contract (#1837 — the ADR-0027-doesn't-cover-operator-scenarios gap surfaced by #1831 / #1832), and three first-slice fixture follow-ups (anti-entropy Slice A, member shell Slice A, cockpit Slice A). Twenty-seven additional follow-up drafts remain in the wrap-up doc's deduplicated roster for separate batch decisions.

No closure of any sprint sibling issue implies runtime-implementation completion: every closure comment names the docs/spec-level scope explicitly. The deferred items (DataLocality::CoopReplicated rename, FuelLimit/fuel_limit code-level alignment with the execution budget policy-facing term, payment_rate/payment_currency legacy reconciliation on ComputeTask, PrivacyClass taxonomy reconciliation between ADR-0030 and the in-code variants, bonds:payments gossip-topic legacy preservation, AGENTS.md auto-commit-handoff behavioral rule reconciliation) are all carried in the wrap-up roster and remain explicit out-of-scope for the sprint closure. Phase 2 status is unchanged; the sprint did not implement, deploy, or claim partner pilot.

The prior May-7 close-out cycle context is preserved below.

The May-7 close-out cycle landed: #1761 closed the surfaced sled-flusher race (#1760), #1762 truth-synced STATE.md and PHASE_PROGRESS.md for the opaque receipt storage stack, #1763 / #1735 bumped Dependabot dev dependencies, and #1764 published the generic ActionCard contract surface for institution packages (bundled fictional example + draft-2020-12 validator script + expanded README mirroring the convention used by validate-preview-review.py and validate-rehearsal-evidence.py). #1764 closed #1713 with all six acceptance criteria met. No schema fields changed; the schema's $id remains DNS-backed under the schema-id audit's retain-temporarily decision (#1742 tracks the 2026-06-30 review). Phase 2 status is unchanged.

Active execution since the previous sync is mixed: the May-5 sequence was entirely doc/control-plane (#1734 rehearsal evidence export schema; #1739 architecture due-diligence checklist; #1741 contract schema-identifier audit; #1743 organizer/member accessibility gate definition; #1745 preview/review read-model contract urn:icn:contract:preview-review:v1; #1747 idea-0019 Institutional Process Substrate framing brief; #1748 coordination/control milestone for spine composition; #1749 read-model fixture-walk dogfood slice for idea-0019 plus the new ops/ideas/README.md "Dogfood slice variants" section; #1751 idea-0020 Democratic Authority Primitives framing brief; #1753 read-model fixture-walk dogfood slice for idea-0020); the May-6/May-7 sequence is runtime/implementation truth, not doc/refinery — real Rust changes landed in icn-gateway and apps/governance. The first runtime dogfood emitting one of the eight named ProcessTransitionReceipt classes from the idea-0019 framing brief landed as #1755 (ProcessGateResultReceipt), surfacing a production durability gap on the sled-backed ReceiptStore because no opaque storage path existed without expanding gateway typed governance imports. The opaque receipt storage stack (#1757 → #1758 → #1759) closed that gap: the gateway gained a meaning-blind put_opaque / get_latest_opaque / list_opaque_for primitive keyed on (class, key1, key2_opt, recorded_at, record_hash) (#1757); the GovernanceReceiptBackend trait gained a fail-closed opaque method surface and the sled-backed ReceiptStore overrode it via thin delegates to its inherent opaque methods (#1758); and put_process_gate_result's trait default was rewritten to attempt the opaque cascade first and fall back to the explicit process_gate_result_backend_not_implemented sentinel only when the underlying put_opaque itself returns the opaque-not-implemented sentinel (#1759). Production gateway-backed ReceiptStore therefore now durably persists ProcessGateResultReceipt through the opaque cascade without any new typed governance import on icn-gateway. A new invariant landed inside the merge cycle: the OPAQUE_HASH_BIND_PREFIX keyspace binds each (class, record_hash) to exactly one canonical (key1, key2_opt, recorded_at) tuple at first write; divergent re-binds abort with stable sentinel opaque_record_hash_index_collision to prevent one canonical receipt from fanning out across multiple audit chains. Bind, primary-record, and secondary-index writes are enforced atomically inside a single sled transaction. CI on #1759 surfaced a pre-existing sled-flusher race on the unrelated test_commons_charter_survives_sled_drop_and_reopen integration test (sled 0.34's flusher thread holds the OS flock(LOCK_EX) past Db::drop); filed as issue #1760 with corrected diagnosis and a follow-up bounded-retry fix opened on fix/commons-sled-open-retry-on-wouldblock as PR #1761 (merged 2026-05-07; closed #1760). Carrying forward: rehearsal evidence export schema (#1734); architecture due-diligence checklist (#1739); contract schema-identifier audit (#1741); organizer/member accessibility gate definition (#1743); preview/review read-model contract urn:icn:contract:preview-review:v1 (#1745); idea-0019 framing brief (#1747) + read-model fixture-walk dogfood (#1749); idea-0020 framing brief (#1751) + read-model fixture-walk dogfood (#1753). Carrying forward: institutional-operability runtime (live charter activation, person-directory overlay, /me/standing, authority_scope plumbing) plus the action-card runtime (/me/action-cards endpoint with proof-loop linkage to GovernanceDecisionReceipt for proposal/vote, ActionItemCompletionReceipt for action_item/complete, and MeetingAttendanceReceipt for meeting/attend). The action-item completion-receipt retrieval endpoint shipped as #1675; the local HTTP proof loop closure is documented in #1676 and the K3s smoke proof closure is recorded in #1677. NYCN's drive-ingest operator ladder (NYCN #21–#28 in fahertym/nycn) is merged end-to-end, with subsequent NYCN #29–#32 also merged. The May-5 process-substrate and authority-primitive sequence is documentation/refinery only: no runtime executes; no kernel, gateway, ledger, governance, or SDK code changed; no new contract URN beyond urn:icn:contract:preview-review:v1 (#1745) was minted; no implementation issue was opened from #1748; and a read-model fixture walk does not satisfy receipt-backed promotion thresholds per ops/ideas/README.md § "Dogfood slice variants". Democratic Authority Primitives now has both pieces of its idea-refinery surface: framing brief landed in #1751 as idea-0020 with brief at ops/ideas/framing/democratic-authority-primitives.md, and the read-model fixture-walk dogfood slice landed in #1753 at ops/ideas/dogfood/democratic-authority-primitives-mvp.md. The dogfood slice composes the six DAP primitive families named in the framing brief's §17 follow-up (AuthorityBasis, ParticipationRole, FacilitatorSummary, ConflictDisclosure, MinorityReport, DeliberationContext exercising three of its twelve reference families: CharterRuleReference, PriorDecisionReference, AccessibilityNote) plus references OperatorExecutionAuthority as the strictly-downstream-of-decision operator handle at the activation gate, all attached end-to-end to the merged idea-0019 read-model fixture walk without modifying any kernel, runtime, gateway, ledger, governance, SDK, or contract file. Both DAP framing (#1751) and DAP read-model dogfood (#1753) are pre-RFC framing/refinery only; together they do not claim runtime validity, do not emit receipts, do not contact gateway, do not create schema, do not create a contract URN, do not promote to RFC, do not open implementation issues, do not start runtime dogfood, and do not claim Phase 2 completion, formal NYCN pilot, production readiness, or live federation. Per ops/ideas/README.md § "Dogfood slice variants" and per the DAP framing brief's §16.1, the read-model fixture walk does NOT satisfy receipt-backed promotion thresholds; promotion of idea-0020 to RFC still requires (1) a separate runtime dogfood that emits at least one receipt under ADR-0026 for one of the named primitives — the framing brief's §16.1 names a ConflictDisclosure accept receipt and a MinorityReport recorded receipt generically; the dogfood artifact references slice-local class candidates ConflictDisclosureAcceptedReceipt and MinorityReportRecordedReceipt at the right transition points but does not commit them as canonical, (2) a real visibility/privacy-boundary run with redaction in evidence export, (3) an accessibility-gate ProcessGateResult produced through docs/design/ORGANIZER_MEMBER_ACCESSIBILITY_GATE.md on a real surface, and (4) Q1 (AuthorityBasis polymorphism vs typed family) or Q5 (ConflictDisclosure and MinorityReport placement) resolved in writing (deferral is not sufficient for the RFC gate per §16.1; the resolved-or-deferred standard at §16.3 applies only to the broader runtime-justification threshold). Next pre-RFC architecture move is not yet selected; this sync deliberately preserves optionality for the next session rather than smuggling in a new commitment. The prior sync (post-#1751) named the DAP read-model composition slice as the most directly named candidate; #1753 has now landed it, so the candidate enumeration is reduced. The candidate next moves the next session may pick from, listed descriptively only: (a) DAP runtime dogfood emitting at least one receipt under ADR-0026 for one DAP primitive — the next artifact called for by the slice's promotion gate; (b) idea-0019 runtime dogfood emitting additional ProcessTransitionReceipt classes (the first — ProcessGateResultReceipt — landed in #1755 and is durably persisted via the opaque cascade since #1759; remaining candidates are ProcessSessionOpenedReceipt, DeliberationEntryRecordedReceipt, DecisionRecordedReceipt, ActivationCrossedReceipt, MutationPlanRecordedReceipt, MutationAppliedReceipt, EvidencePacketProducedReceipt — all eligible through the same opaque storage cascade); (c) idea-0019 visibility/privacy-boundary run with redaction in evidence export (one of four #1748 acceptance gates); (d) idea-0019 accessibility-gate ProcessGateResult produced through docs/design/ORGANIZER_MEMBER_ACCESSIBILITY_GATE.md on a real surface (one of four #1748 acceptance gates); (e) idea-0019 open-question triage: at least one of Q1 (ProcessTargetRef polymorphism), Q3 (DeliberationEntry kind taxonomy), or Q4 (HumanDecisionSet vs proposal/vote) resolved or explicitly deferred in writing (one of four #1748 acceptance gates); (f) one of the DAP §17 follow-up framing briefs — pre-RFC, decompose-only (CCL hook-point catalog; expert/advisory across institution types; conflict object model connecting ConflictDisclosure to idea-0016/ADR-0029; federation tally semantics composing RepresentationMandate with #1609; delegation runtime gated on #1632); (g) control-plane cleanup, including unresolved/stale review-thread hygiene if inspection confirms it. None is selected here. Phase model classification is unchanged; see PHASE_PROGRESS.md for phase definitions.

Recently merged (since 2026-04-15)

Recently merged (2026-04-15 snapshot, retained)

Open PRs

(none open at this sync write-time; verified via gh pr list --state open returning []. Dependabot may surface follow-on bumps automatically.)

Open implementation follow-ups at this sync:

(none — #1760 was closed by the #1761 merge.)

Open coordination/control issues at this sync (not implementation):

What landed since Phase 1 (Charter Engine)

ActionCard contract publication for institution packages (added 2026-05-07; doc/control-plane only — no runtime change, no schema fields changed, no new contract URN, no new ADR, no new RFC):

• Bundled fictional example landed at docs/contracts/institution-package/action-card.example.json — a single representative proposal/vote ActionCard with all required fields plus optional deadline and domain_id. Uses fictional ids (prop-example-2026-05-07-001, domain-example-fictional-cooperative); contains no NYCN-specific nouns. Validates against the existing schema. — #1764.
• Tiny draft-2020-12 JSON Schema validator landed at docs/scripts/validate-action-card.py. Mirrors the existing convention used by validate-preview-review.py and validate-rehearsal-evidence.py. Defaults to validating the bundled example; accepts a partner-side card path positional; supports --schema for pinned-version validation. CLI argument is card/DEFAULT_CARD (terminology aligned with the schema, ADR-0027, README, and runtime struct after a substantive Copilot review finding addressed pre-merge). Stdlib-only format: date-time and format: uri checkers registered for symmetry with the other contract validators (the action-card schema does not currently use either format; future format additions will be enforced without touching this file). — #1764.
• docs/contracts/institution-package/README.md expanded — #1764: Files table now lists the schema + example + validator. Stability section cites ADR-0027 § Card kind taxonomy ("growable by ADR amendment") to explain why "x-icn-status": "rfc" is honest, and documents the schema's current DNS-backed $id retention per docs/contracts/schema-id-audit.md (review by 2026-06-30 tracked by #1742; migration to urn:icn:contract:action-card:v<N> is a separate single-schema PR under audit §5 rules). Validation guidance now includes the explicit emitted-vs-gated source kind enumeration with tracking issues (signal_rule → #1631 / #1711; obligation_lifecycle → #1634 / #1712), the regulatory-safe vocabulary list (obligation, allocation, settlement, unit, position, receipt, provenance, evidence — explicitly not payment / wallet / balance / currency), the explicit "institution-specific semantics belong in institution packages, not in ICN core" boundary, a worked CLI command block for the new validator, and partner-package vendor-or-invoke-from-CI guidance.
• docs/registry.toml — #1764: last_updated and last_reviewed advanced 2026-05-04 → 2026-05-07 for the institution-package README entry; description refreshed to mention the new example, validator, and schema-id-audit retention decision.
• Closes #1713: all six acceptance criteria met by the merged PR (generic ActionCard schema exists and matches current runtime fields; honest stability/status marker; source kinds distinguish shipped vs gated variants; NYCN-specific nouns absent; regulatory-safe vocabulary preserved; package validation path documented for NYCN and future institution packages). Manually closed after merge with a comment enumerating each gate met by the merged PR. The schema and ADR-0027 existed before this PR; #1764 added only the example, validator, README expansions, and registry metadata.
• Hard rule preserved: this publication does NOT change the schema fields, does NOT mint a new contract URN, does NOT add new ADR / RFC content, does NOT touch runtime code, does NOT widen gateway typed governance imports, does NOT increase the meaning-firewall ratchet, does NOT touch K3s / DNS / Forgejo state, does NOT handle private partner data, does NOT claim Phase 2 completion, does NOT claim formal NYCN pilot, does NOT claim production readiness, does NOT claim live federation, and does NOT start any Stage 1.5 / Stage 2 / Stage 3 / Stage 4 / Stage 5 work.

May-7 close-out cycle (added 2026-05-07; doc/control-plane and dependency maintenance only, plus one runtime fix):

• Sled-open retry-on-WouldBlock shipped — #1761 (closed #1760). Bounded retry-with-backoff in SledCommonsStore::open (8 attempts max, 500ms total budget cap, 10ms initial backoff, only matches io::ErrorKind::WouldBlock so genuine errors are not masked). Two new unit tests pin the new behavior. Single-file change in icn/crates/icn-commons/src/store.rs. Diagnosis was corrected pre-merge from initial actor-drop hypothesis to sled-flusher-flock-shutdown.
• Truth-sync of opaque receipt storage stack landing — #1762. Records #1755/#1756/#1757/#1758/#1759 in docs/STATE.md and docs/PHASE_PROGRESS.md. Adds docs/dev/handoff-2026-05-07.md. Doc/control-plane only.
• Dependabot dev-dependency maintenance — #1763 (sdk/typescript/, four updates) and #1735 (web/pilot-ui/, @axe-core/playwright 4.11.2 → 4.11.3). No runtime change.

Opaque receipt storage stack (added 2026-05-06 → 2026-05-07; runtime/implementation truth — real Rust changes in icn-gateway and apps/governance; no firewall ratchet increase; no new typed governance imports on icn-gateway):

• First runtime dogfood emitting one of the eight named ProcessTransitionReceipt classes from the idea-0019 framing brief landed as #1755 (feat(governance): add first process-transition receipt runtime slice). Adds ProcessGateResultReceipt, emitted by GovernanceManager::record_process_gate_result, persisted through the GovernanceReceiptBackend trait. Surfaced a production durability gap on the sled-backed ReceiptStore because no opaque storage path existed without expanding gateway typed governance imports — addressed by the #1757 → #1758 → #1759 stack.
• Meaning-blind opaque receipt storage primitive landed at icn/crates/icn-gateway/src/receipt_store.rs — #1757. Adds put_opaque(class, key1, key2_opt, recorded_at, record_hash, payload) plus get_latest_opaque and list_opaque_for inherent methods on ReceiptStore. The gateway stores payloads under a caller-supplied (class, key1, key2_opt, recorded_at, record_hash) tuple without learning the typed shape; the apps layer is the single source of truth for the closed taxonomy of class strings. Adding a new receipt class becomes a one-file change in apps. Three substantive review findings addressed in cb9d6daf before merge (write-once-by-hash on the primary record with stable sentinel opaque_record_hash_collision; atomic primary + secondary index writes via single sled transaction; distinct key2 = None vs key2 = Some("") tag-byte encoding; deterministic (recorded_at, record_hash) tie-breaker). One additional codex P2 raised against cb9d6daf and addressed in a8fbb1a6 before merge: the new OPAQUE_HASH_BIND_PREFIX keyspace binds each (class, record_hash) to exactly one canonical (key1, key2_opt, recorded_at) tuple at first write; divergent re-binds abort with stable sentinel opaque_record_hash_index_collision. Bind, primary, and secondary writes are enforced atomically inside the same sled transaction.
• Opaque storage exposed on the GovernanceReceiptBackend trait at icn/apps/governance/src/receipt_backend.rs — #1758. Adds put_opaque / get_latest_opaque / list_opaque_for to the trait surface, each with a fail-closed default returning the stable sentinel opaque_storage_not_implemented. The sled-backed ReceiptStore overrides them via thin delegates to its inherent opaque methods. Existing typed test backends are unaffected; opaque methods are only exercised when callers explicitly route through them. Validates dynamic dispatch via a Box<dyn GovernanceReceiptBackend> round-trip test.
• ProcessGateResultReceipt routed through opaque storage cascade — #1759. Updates the trait default for put_process_gate_result to attempt the opaque cascade first (encoding the typed envelope as JSON, calling put_opaque with class "process_gate_result", key1 = session_id, key2 = Some(gate_kind), the typed recorded_at and record_hash), and to surface the explicit process_gate_result_backend_not_implemented sentinel only when the underlying put_opaque itself returns the opaque-not-implemented sentinel. Production gateway-backed ReceiptStore therefore now durably persists ProcessGateResultReceipt through the opaque cascade. Test-backend coverage: a new OpaqueOnlyBackend overrides only put_opaque and exercises the typed-default → opaque cascade end-to-end. Test-suite determinism follow-up was applied in the same PR (Copilot review): three tests previously used std::thread::sleep(Duration::from_millis(1100)) to force recorded_at to advance one second between writes — replaced with explicit, strictly-increasing recorded_at timestamps on directly-constructed ProcessGateResultReceipt values fed through the backend trait. Suite now finishes in 0.01s, deterministic.
• New invariant: OPAQUE_HASH_BIND_PREFIX keyspace in icn/crates/icn-gateway/src/receipt_store.rs. Each (class, record_hash) is bound to exactly one canonical (key1, key2_opt, recorded_at) tuple. Divergent re-binds abort with stable sentinel opaque_record_hash_index_collision. Closes a secondary-index fan-out hole that the original write-once-by-hash check on OPAQUE_REC_PREFIX did not catch. Bind, primary, and secondary writes are atomic inside the same sled transaction.
• Surfaced flake → real bug filed and fix opened: a pre-existing race on test_commons_charter_survives_sled_drop_and_reopen (sled 0.34's flusher thread holds the OS flock(LOCK_EX) past Db::drop) fired on #1759's CI Test job. Filed as issue #1760 with corrected diagnosis (initial actor-drop hypothesis was wrong; CommonsHandle is synchronous Arc<RwLock<CommonsInner>> with no spawned tasks). Fix opened as PR #1761 (fix(commons): retry sled open on WouldBlock to bridge flusher shutdown) — bounded retry-with-backoff in SledCommonsStore::open, 8 attempts max, 500ms total budget cap, 10ms initial backoff, only matches io::ErrorKind::WouldBlock so genuine errors (NotFound, PermissionDenied, etc.) are not masked. Two new unit tests pin the new behavior. Open at this sync write-time.
• Hook tooling fix: scope-guard / todo-guard exec bit + todo-guard pipeline failures observed in earlier sessions resolved in #1756. Repository tooling only; no runtime, contract, schema, or API change.
• Hard rule preserved: this stack does NOT widen gateway typed governance imports, does NOT increase the meaning-firewall ratchet (baseline 10 known violations preserved, 0 new), does NOT claim Phase 2 completion, does NOT claim formal NYCN pilot, does NOT claim production readiness, does NOT claim live federation, does NOT touch K3s/DNS/GitHub/Forgejo state, does NOT handle private partner/member/organizer data, and does NOT satisfy more than acceptance gate (a) of idea-0019 (#1748) — the visibility/privacy-boundary run, accessibility-gate ProcessGateResult on a real surface, and open-question triage gates remain open.

Democratic Authority Primitives read-model fixture-walk dogfood (added 2026-05-05; doc/control-plane and idea-refinery only, not runtime; no kernel, gateway, ledger, governance, or SDK code touched):

• Read-model fixture-walk dogfood slice for idea-0020 landed at ops/ideas/dogfood/democratic-authority-primitives-mvp.md alongside an ops/ideas/ideas.yaml row update — #1753. Read-model fixture-walk variant per ops/ideas/README.md § "Dogfood slice variants" (formalized in #1749). Composes the six DAP primitive families named in the framing brief's §17 follow-up (AuthorityBasis, ParticipationRole, FacilitatorSummary, ConflictDisclosure, MinorityReport, DeliberationContext — the latter exercising three of its twelve reference families: CharterRuleReference, PriorDecisionReference, AccessibilityNote) end-to-end against the merged idea-0019 read-model fixture walk (ops/ideas/dogfood/institutional-process-substrate-mvp.md). Walks Step 0 through Step 7 of the existing idea-0019 slice without re-describing the spine; only DAP primitive additions are recorded. References OperatorExecutionAuthority as the strictly-downstream-of-decision operator handle at the activation gate (Step 5), typed to point at the DecisionRecord plus the ProcessGateResult set plus the steward's RoleAssignment. Composes orthogonally with idea-0019: the spine names what gets processed; the primitives fill the spine's records with the authority and context typing the spine deliberately deferred. Emits no receipts, contacts no gateway, performs no mutation, introduces no new contract URN, modifies no kernel/runtime/contract/schema/ADR file. Receipt class candidates FacilitatorSummaryRecordedReceipt, ConflictDisclosureAcceptedReceipt, and MinorityReportRecordedReceipt are referenced at the right transition points as slice-local candidates only — the framing brief's §16.1 names a ConflictDisclosure accept receipt and a MinorityReport recorded receipt generically without attaching concrete class identifiers, and the slice does not commit any of these names as canonical. Per ops/ideas/README.md § "Dogfood slice variants" and per the DAP framing brief's §16.1, a read-model fixture walk does NOT satisfy receipt-backed promotion thresholds; promotion of idea-0020 to RFC still requires (1) a separate runtime dogfood emitting at least one receipt under ADR-0026 for one of the named primitives, (2) a real visibility/privacy-boundary run with redaction in evidence export, (3) an accessibility-gate ProcessGateResult produced through docs/design/ORGANIZER_MEMBER_ACCESSIBILITY_GATE.md on a real surface, and (4) Q1 (AuthorityBasis polymorphism vs typed family) or Q5 (ConflictDisclosure and MinorityReport placement) resolved in writing — deferral is not sufficient for the RFC gate per §16.1; the resolved-or-deferred standard at §16.3 applies only to the broader runtime-justification threshold. The DAP brief's other open questions (Q2 through Q4, Q6 through Q10) are not surfaced by this slice and remain open. Hard rule preserved per DAP framing brief §14: not runtime, not a schema, not an RFC by itself, not a voting-system decision, not a liquid-democracy commitment, not expertocracy, not anti-expertise, not chat, not social media, not a moderation platform, not an identity directory implementation, not a credential verification implementation, not a private-overlay implementation, not NYCN-specific, not a production-readiness claim, not a Phase 2 completion claim, not a formal NYCN pilot authorization, not a live federation claim, not a live cloud sync claim, not a K3s/DNS/Forgejo mutation claim, not a private-data-handling claim, not a binding on partner repositories.

Democratic Authority Primitives framing (added 2026-05-05; doc/control-plane and idea-refinery only, not runtime; no kernel, gateway, ledger, governance, or SDK code touched):

• idea-0020 Democratic Authority Primitives framing brief landed at ops/ideas/framing/democratic-authority-primitives.md and the matching idea-refinery row in ops/ideas/ideas.yaml — #1751. Pre-RFC framing only; not an RFC, not an ADR, not a schema, not a contract URN, not a backlog commitment. Names two generic primitive families (authority/participation: AuthorityBasis, ParticipationRole, DelegationGrant, RepresentationMandate, ExpertStatement, AdvisoryOpinion, ConflictDisclosure, FacilitatorSummary, StewardReview, OperatorExecutionAuthority, MinorityReport, ChallengePath, RevocationPath, RecallPath; deliberation context / educational reference: DeliberationContext, ContextReference, LearningReference, EvidenceReference, PriorDecisionReference, CharterRuleReference, CCLRuleReference, AccessibilityNote, PrivacyNote, RiskNote, CounterargumentReference, GlossaryReference). Composes orthogonally with idea-0019 (Institutional Process Substrate): the spine names what gets processed; these primitives fill the spine's records with the authority and context typing the spine deliberately deferred. Hard rule preserved: institutions adopt and constrain through CCL, charters, and institution packages — not as ICN app features. Promotion to RFC requires (per the brief's §16.1 promotion gate) a read-model composition slice with idea-0019, a runtime dogfood emitting at least one receipt under ADR-0026, a real visibility/privacy-boundary run, an accessibility-gate ProcessGateResult on a real surface, and at least one open question — Q1 (AuthorityBasis polymorphism vs typed family) or Q5 (ConflictDisclosure and MinorityReport placement) — resolved in writing. Deferral is not sufficient for the RFC gate per §16.1; the lenient resolved-or-deferred standard at §16.3 applies only to the broader runtime-justification threshold, not to RFC promotion. None of those follow-ups is started in this sync; the next move is not yet selected.

Institutional Process Substrate framing and read-model dogfood (added 2026-05-04 → 2026-05-05; doc/control-plane and idea-refinery only, not runtime; no kernel, gateway, ledger, governance, or SDK code touched):

• Rehearsal evidence export schema landed under docs/contracts/rehearsal-evidence-export.md and docs/contracts/rehearsal-evidence-export.schema.json defining urn:icn:contract:rehearsal-evidence-export:v1 — #1734. Contract definition only; no live evidence export pipeline runs.
• Architecture due-diligence checklist landed at docs/architecture/ARCHITECTURE_DUE_DILIGENCE.md — #1739. Reflex/process artifact only; no architectural change.
• Contract schema-identifier audit table landed at docs/contracts/schema-id-audit.md — #1741. Inventory/discipline only; no schema change.
• Organizer/member accessibility gate definition landed at docs/design/ORGANIZER_MEMBER_ACCESSIBILITY_GATE.md — #1743. PR-time gate definition only; no UI/runtime change.
• Preview/review read-model contract urn:icn:contract:preview-review:v1 landed under docs/contracts/preview-review.md, docs/contracts/preview-review.schema.json, and docs/contracts/preview-review.example.json — #1745. Read-model contract definition only; no read-model serves over a gateway today.
• idea-0019 Institutional Process Substrate framing brief landed at ops/ideas/framing/institutional-process-substrate.md and the matching idea-refinery row in ops/ideas/ideas.yaml — #1747. Pre-RFC framing only; not an RFC, not an ADR, not a schema, not a backlog commitment.
• Read-model fixture-walk dogfood slice for idea-0019 landed at ops/ideas/dogfood/institutional-process-substrate-mvp.md, alongside the new ops/ideas/README.md § "Dogfood slice variants" section that formalizes this variant convention — #1749. Fictional Example Cooperative process session walked end-to-end against the SAME shipping contract URNs as the committed examples (urn:icn:contract:preview-review:v1, urn:icn:contract:rehearsal-evidence-export:v1); emits no receipts, contacts no gateway, performs no mutation, introduces no new contract URN. A read-model fixture walk does NOT satisfy receipt-backed promotion thresholds; receipt-backed promotion of idea-0019 to RFC still requires (1) a separate runtime dogfood slice that emits at least one ProcessTransitionReceipt class under ADR-0026, (2) a real visibility/privacy-boundary run with redaction in the evidence export, (3) a real accessibility-gate ProcessGateResult produced through the accessibility-gate checklist, and (4) at least one framing-brief open question among Q1/Q3/Q4 resolved or explicitly deferred in writing.
• Coordination/control milestone issue #1748 (milestone(process): define Institutional Process Substrate) is open with epic:arch-invariants + type:spec. Acceptance criteria record #1747 framing as merged and #1749 read-model dogfood as the smallest-safe slice; runtime dogfood, visibility-boundary run, accessibility-gate ProcessGateResult, and open-question triage remain unchecked. No implementation work is opened from #1748 until a runtime dogfood slice is explicitly scoped.
• Next pre-RFC architecture move: Democratic Authority Primitives (delegation, representation, expert/advisory input, deliberation context / educational references, conflict disclosure, facilitator and steward/operator authority, and revocation/recall/challenge paths) as generic primitives institutions adopt and constrain through CCL, charters, and institution packages. Not started in this sync. Not an ICN app feature. Not an RFC by itself. Not a runtime commitment.

May-cycle repo governance and strategy documentation (added 2026-05-01 → 2026-05-02; documentation/control-plane only, not runtime deployment):

• Licensing metadata and open questions documented — #1686.
• RFC-0017 moved from draft to active for Tool Install Infrastructure — #1688. Active means accepted for implementation; it does not mean the tool install infrastructure is implemented.
• Full repo-record protocol/generator added — #1690.
• Generated ICN repo-record snapshot added — #1691. This is a mechanical inventory snapshot, not an interpretive atlas.
• Licensing/autonomy strategy matrix added — #1693. Planning only; no relicensing happened.
• Sovereign service hosting stack added — #1694. Design direction only; no Forgejo deployment, DNS mutation, K3s mutation, hosted-service rollout, or GitHub cutover happened.
• Follow-up maintenance/state queue merged — #1695-#1701. This includes CI action bumps, a wasmtime security bump, unified bootstrap setup, and a prior state sync; none of these changes starts a NYCN pilot or completes Phase 2.
• NYCN organizer/operator rehearsal gate defined (lives in the partner NYCN repo). The gate remains organizer presentation -> pilot formalization -> first operator rehearsal.

Action-card runtime (added 2026-04-27 → 2026-04-29, all currently emitted source paths now proof-bearing — issue #1646 remains open for the two RFC-gated paths):

• GET /v1/gov/me/action-cards member endpoint with closed source/action enums — #1659
• Proposal/vote action card → GovernanceDecisionReceipt proof linkage, end-to-end test — #1660
• action_item/complete source path emits append-only ActionItemCompletionReceipt (ADR-0026 Layer 2); persist-before-commit semantics; full-update handler routes status changes through receipt-bearing path — #1661
• meeting/attend source path emits append-only MeetingAttendanceReceipt (ADR-0026 Layer 2) keyed by (meeting_id, attendee_did); Present and Remote are receipt-bearing transitions, Absent is not; recorded_by is the authenticated caller (distinct from attendee_did for steward-recorded attendance); persist-before-commit semantics — #1663
• GET /v1/gov/domains/{domain_id}/action-items/{item_id}/completion-receipt retrieval endpoint — #1675; closes the proof loop on the read side so a holder shell that completed an action_item/complete action card can fetch the persisted ActionItemCompletionReceipt over HTTP instead of relying on in-process tests or on-disk Sled inspection. Authorization mirrors the rest of the action-item read surface (governance:read scope plus domain membership; the receipt's bound domain_id is asserted to match the path parameter so cross-domain probes are rejected).
• Local HTTP proof loop closure recorded — #1676.
• K3s smoke proof closure (operator-authorized, against deployed image 91a63eec) recorded — #1677. K3s smoke records remain durable devnet proof artifacts; full namespaced teardown semantics are not yet specified (tracking issue planned).
• Source paths currently emitted by /me/action-cards: proposal/vote, meeting/attend, action_item/complete
• Proof loop verified end-to-end for all three currently emitted source paths, both locally and on K3s.
• Pending under #1646 (RFC-gated): signal_rule source path (gated on #1631); obligation_lifecycle source path (gated on #1634)

NYCN drive-ingest operator ladder (added 2026-04-29; lives in fahertym/nycn):

• Parser → review artifact (drive-ingest-review/v1) — NYCN #21, #22
• Review decisions YAML (organizer-authored)
• Publish dry-run (drive-ingest-action-item-publish-dry-run/v1) — NYCN #23
• Assignee binding (drive-ingest-action-item-publish-dry-run-bound/v1) — NYCN #24
• Local publisher (drive-ingest-local-publish-plan/v1; preflight default, execute fenced behind two operator flags + localhost-only --gateway) — NYCN #25
• Local proof runner (drive-ingest-local-proof/v1; walks /me/action-cards → PUT .../status → GET .../completion-receipt) — NYCN #26
• Federation surface bridge (drive-ingest-federation-surface/v1; pure file-in/file-out summary records keyed on the cross-node deterministic blake3 record_hash from ActionItemCompletionReceipt) — NYCN #27
• Operator pilot runbook + no-network ladder checker — NYCN #28
• Organizer briefing + simple summit demo (partner-facing, civic tone, anti-pitch) — NYCN #29
• Start-here onboarding pass (START_HERE.md, ORGANIZER_QUICKSTART.md, STEWARD_QUICKSTART.md, GLOSSARY.md) — NYCN #30
• One-command local preflight runner (local_preflight_runner orchestrating the full chain in a single deterministic, no-network run; preserves both human-review boundaries) — NYCN #31
• Whole-NYCN operating-surfaces inventory + Google-Groups boundary policy + repo-safe communication-groups fixture (no live sync, no private data committed) — NYCN #32
• Steward-facing communication-groups directory tool (tools/nycn-ops; pure file-in / file-out validator + renderer) — NYCN #33 (open at last sync; verify status before reading)
• The ladder defends a hard mutation boundary: every layer is either pure (no network) or localhost-only operator-gated. K3s mutation is never allowed by NYCN-side tools. The ICN-side K3s exercise (#1677) sits on the ICN repo side of the boundary, not in the NYCN repo.

Institutional-operability runtime (added 2026-04-22 → 2026-04-26):

• Generic institution bootstrap package path — #1586
• Bootstrap-apply 409 idempotency for repeated bootstrap runs — #1617
• Persistent governance domains across gateway restart in standalone mode — #1621
• Live charter activation endpoint — #1624
• Person-directory overlay for bootstrap role assignment (DID binding) — #1626
• GET /me/standing read model — #1627
• authority_scope plumbed end-to-end through assign_role — #1630
• Feedback/support doctrine rename + ADR canonicalization under docs/adr/ — #1637
• NYCN bootstrap apply integration tests + live-validate runbook — #1592, #1593

Governance institutional primitives:

• Governance domains, structures, activities, parent (scope container) — #1540
• Decision-to-action bridge: accepted proposals create linked action items — #1532
• Consent-based decision mode — #1533
• Meeting management (schedule, agenda, attendance, minutes) — #1543
• Notification digest (pending votes, overdue items, upcoming meetings) — #1547
• NYCN architecture docs (repo-shaped spec, implementation matrix, execution tranches) — #1544
• NYCN institutional design correction (layered ontology) — #1545
• Residual acceptance-closure atomicity hazards closed — #1590
• Colon-safe proposal index keys with one-shot migration — #1591

Infrastructure:

• Atlas-backed Prometheus persistent storage — #1614
• Atlas-backed sccache for ci-runner — #1618
• Soft pod anti-affinity for ICN daemons — #1619
• Helm path documented for kube-prometheus-stack — #1616
• Steward dashboard derives gateway URL from request context — #1620
• Security Audit CI fix (wasmtime bump) — #1522, #1542
• CI dual-signal guard — #1524
• Docker-build-deploy timeout fix — #1527
• 21-file doc refresh and archive — #1526

Architectural decisions in force

• Layered ontology (locked 2026-04-14): Entities (sovereign) / Structures (non-sovereign, entity-owned) / Activities (time-bounded, entity-owned). Committees are Structures. Summit is Activity.
• Program is a separate primitive (not Activity extension): Milestones with machine-readable checks, parent_program_id for cycle-handoff. Spec lives in the partner NYCN repo.
• Authority is capability-string based today, typed model frozen for migration: RoleAssignment.authority_scope: Vec<String> remains the shipped surface; the constitutional object model (AuthorityClass, AuthorityGrant, TypedScope, Mandate) is frozen in ADR-0014 and is the target of a subsequent additive migration. No behavior change has shipped yet.
• Sled key convention: primary <thing>:{id}; secondary <thing>_by_<scope>:{scope_id}:{id}.
• Gateway event naming: Governance<Thing><Verb>.
• Meaning Firewall: CI ratchet enforces no new kernel/domain import regressions. Pre-existing domain imports in icn-core and icn-gateway remain; full extraction is ongoing work.

Architecture notes

• Repo root is not a Cargo workspace; Rust workspace lives in icn/.
• Workspace: 35 crates in icn/crates/ + 4 app crates in icn/apps/ + 3 binaries = 42 packages.
  • Crates (in icn/crates/): icn-api, icn-authz, icn-ccl, icn-commons, icn-community, icn-compute, icn-coop, icn-core, icn-crypto, icn-crypto-pq, icn-encoding, icn-entity, icn-federation, icn-gateway, icn-gossip, icn-governance, icn-http-kit, icn-identity, icn-kernel-api, icn-ledger, icn-naming, icn-net, icn-obs, icn-privacy, icn-protocol, icn-rpc, icn-security, icn-services, icn-snapshot, icn-steward, icn-store, icn-testkit, icn-time, icn-trust, icn-zkp.
  • App crates (in icn/apps/): icn-governance-actor, icn-ledger-actor, icn-membership-app, icn-charter-app.
  • Binaries: icnd, icnctl, icn-console.
• Web UI: web/pilot-ui (PWA), web/dashboard (static).
• SDKs: sdk/typescript, sdk/react-native.
• Deployment: native/systemd, Docker Compose, Kubernetes, Helm (deploy/README.md).

Decisions (durable)

• Mutual TLS with client certificates enabled (2025-12-18).
• DID-TLS binding verification enabled.
• Some QUIC/chaos tests ignored in CI due to timing; run manually as needed.

Constraints (durable)

• Run Rust build/test commands from icn/.
• Tokio async only; avoid blocking operations in async paths.
• No panics in protocol/network/actor runtime paths.
• Demo status docs note STUN discovery disabled for local-only testing.

References

• docs/PHASE_PROGRESS.md — phase tracking
• docs/architecture/THE_COMMONS.md — Capital-C Commons doctrine (what ICN exists to enable)
• docs/architecture/MEMBER_STANDING.md — /me/standing design contract (member-facing standing + accessibility)
• docs/architecture/KERNEL_APP_SEPARATION.md — kernel/app boundary
• docs/architecture/ARCHITECTURE_DUE_DILIGENCE.md — due-diligence reflex checklist (#1739)
• docs/adr/ADR-0027-action-card-contract.md — ActionCard contract ADR (referenced by #1713 / #1764)
• docs/contracts/institution-package/README.md — institution-package ActionCard contract notes + validation guidance (#1764)
• docs/scripts/validate-action-card.py — bundled draft-2020-12 validator for the ActionCard schema (#1764)
• docs/contracts/preview-review.md — urn:icn:contract:preview-review:v1 (#1745)
• docs/contracts/rehearsal-evidence-export.md — urn:icn:contract:rehearsal-evidence-export:v1 (#1734)
• docs/contracts/schema-id-audit.md — contract schema-identifier audit (#1741)
• docs/design/ORGANIZER_MEMBER_ACCESSIBILITY_GATE.md — organizer/member accessibility gate (#1743)
• docs/pilots/no-cli-organizer-member-rehearsal-workflow.md — no-CLI organizer/member rehearsal workflow spec (#1725)
• ops/ideas/framing/institutional-process-substrate.md — idea-0019 framing brief (#1747)
• ops/ideas/dogfood/institutional-process-substrate-mvp.md — read-model fixture-walk dogfood slice for idea-0019 (#1749)
• ops/ideas/framing/democratic-authority-primitives.md — idea-0020 framing brief (#1751)
• ops/ideas/dogfood/democratic-authority-primitives-mvp.md — read-model fixture-walk dogfood slice for idea-0020 (#1753)
• ops/ideas/README.md § "Dogfood slice variants" — read-model fixture-walk variant convention (#1749)
• docs/dev/handoff-2026-05-07-a.md — latest session handoff (post-#1764 sync)
• docs/dev/handoff-2026-05-07.md — prior same-day handoff (post-opaque receipt storage stack sync)
• deploy/README.md — deployment options

Historical snapshots