Claim-Boundary Map
For current project truth, defer to `docs/STATE.md`, `docs/PHASE_PROGRESS.md`, current source/tests, and accepted ADRs/RFCs. This map is an operating manual, not a truth root.
1. Purpose
This guide collects ICN's already-existing firewall, proof-level, source-precedence, and show-readiness rules into one operational claim-boundary reference: the rule that a claim must not outrun its evidence, applied to inventories, PR bodies, generated artifacts, organizer-rehearsal docs, and public language.
It is not a canonical truth source and adds no new status vocabulary. It routes to the documents that already own each rule. When this map and a canonical source disagree, the canonical source wins (see §3). There is deliberately no docs/truth/ tree — a parallel truth root is exactly what the meaning-firewall and source-precedence discipline exist to prevent (see `README.md` §Truth layer).
2. Two firewalls — do not conflate
ICN uses "Meaning Firewall" for an architectural boundary. The claim-boundary firewall is a separate, mostly-conventional discipline. Conflating them is itself a claim-discipline error: the architectural CI checks do not police claims, and the claim conventions do not police kernel imports.
| Firewall | What it asserts | Where it is defined | Enforcement status |
|---|---|---|---|
| Architectural Meaning Firewall | Apps translate meaning into constraints; the kernel enforces constraints without understanding meaning. Kernel crates must not import/depend on domain/app crates. | `KERNEL_APP_SEPARATION.md`, `meaning-firewall-audit.md`, onboarding `05-the-meaning-firewall.md` | Tool-enforced (partial). scripts/check-meaning-firewall.sh (kernel use icn_trust::, with known migrations #865/#866/#867) and .github/scripts/firewall_denylist.py (kernel→domain crate deps, #1007). Migration not complete; some couplings tracked, not yet zero. |
| Claim-boundary firewall | Docs, PRs, inventories, demos, and public pages must not claim more than the evidence proves. | This map; `proof-level-taxonomy-capability-matrix.md`; `show-readiness-map.md`; `source-of-truth-map.md`. | Mostly convention. Narrow tool coverage only: compliance_linter.py (fintech vocabulary on API surfaces), readiness_overclaim_linter.py (scans docs/deployment + docs/operations/deployment + docs/pilots + docs/reference/project-index; ~9 patterns across production-readiness / live-federation / blanket-operability / general-availability / governance-completion — a narrow phrase-level guardrail, not whole-firewall enforcement), doc_control_check.py (doc truth-class front-matter), the route-inventory --check gate. The forbidden collapses in §5 are not mechanically enforced. |
3. Source-of-truth hierarchy
Full rules and conflict resolution: `source-of-truth-map.md`. Summary order (highest first) — this map does not replace it:
- Current source code and tests (test-only fixtures prove test behavior, not production readiness)
docs/STATE.mdanddocs/PHASE_PROGRESS.md- Accepted ADRs/RFCs (proposed/draft = design direction, not shipped)
- Recent merged PR bodies / issue-closure notes / review dispositions
- Runtime contracts, schemas, OpenAPI surfaces, contract docs
- Project-index maps (navigation; route to truth, do not override it)
- Architecture / strategy / design-direction docs
- Generated records (prove files existed at generation time, not current truth)
- Historical / archive material (archaeology only)
4. Status vs proof level
Two orthogonal axes; carry both. Detail: `proof-level-taxonomy-capability-matrix.md`.
- Status answers "is the code written, and how completely?" (
live/partial/planned/fixture-demo/unknown, or thesource-of-truth-map.mdimplementation labels). - Proof level (L0–L8) answers "how much verification evidence stands behind the claim?" (
L0named →L1schema/contract →L2unit →L3integration →L4local proof loop →L5live daemon/gateway →L6multi-node/devnet →L7partner/organizer rehearsal →L8production hardening).
Load-bearing consequences:
- A
liveorpartialstatus is not a production-readiness claim. - A static generated inventory (clap-tree scan, route scan) is L1 — it proves a surface is declared, not that its handler runs, unless stronger evidence (a test, a live run) is explicitly cited.
5. Forbidden collapses
Each row pairs a tempting overclaim with the minimum evidence that would license the stronger claim. "Enforced today?" states honestly whether tooling catches the collapse or it rests on review convention.
| Unsafe collapse (do not assert) | Minimum evidence to license it | Where to verify | Enforced today? |
|---|---|---|---|
| declaration exists ⇒ implementation works | a test, or handler-body read showing real work | source; tests | No (convention) |
| OpenAPI documents a path ⇒ it is mounted/complete/correct | the route is mounted in the gateway router and behaves | gateway router + handler; generated/route-inventory.md |
No (convention) |
| route registered ⇒ auth/correctness/show-safe | auth gate + correctness test; accessibility/privacy review for show | handler + tests; §9 red lines | No (convention) |
| client call exists ⇒ server/daemon method is wired | the cited RPC method is registered in daemon dispatch (or the route exists server-side) | `icn/crates/icn-rpc/src/server.rs`; generated/route-inventory.md |
No (convention) |
partial ⇒ live |
local-only operation, or binary-spawning e2e proof | handler; icn/bins/icnctl/tests/** |
No (convention) |
live ⇒ production-ready |
hardening: security/privacy/recovery/observability (L8) | show-readiness-map.md; STATE.md |
Narrow: readiness_overclaim_linter.py (deployment/ops + pilots + project-index docs) |
| fixture/demo data ⇒ live participant state | a live daemon/gateway run, not a committed fixture | proof-level-taxonomy rows 7/11/12 |
No (convention) |
| fixture-backed shell ⇒ organizer-ready rehearsal | L7 accessibility/privacy checklist and #1746 acceptance | proof-level-taxonomy §accessibility gate; #1746 |
No (convention) |
| NYCN intended partner ⇒ formal pilot | a signed agreement / committed launch | show-readiness-map.md; STATE.md |
No (convention) |
| federation commands/primitives ⇒ live federation | two cooperatives federating in production (Phase 3) | PHASE_PROGRESS.md; show-readiness-map.md |
Narrow: overclaim linter catches the "live federation" phrase, but only in the deployment/ops + pilots + project-index docs it scans |
| local proof loop ⇒ multi-node/devnet/production | a recorded L6 devnet/K3s run | proof-level-taxonomy (L5 vs L6) |
No (convention) |
| website maturity band ⇒ evidence | an ADR/issue/code-path/phase link that resolves | ADR-0032 bands; ADR-0033 (proposed) | Editorial only; ADR-0033 linter not built |
6. Worked examples (the completed #2113 icnctl-status lane)
The icnctl command-status inventory (`generated/icnctl-command-inventory.md`, #2113) is a concrete reference implementation of §5:
- Declared ≠ implemented. The clap-tree scan is L1 — it proves a command is declared. Status is a separate, curated signal verified from handler source, never inferred from the declaration.
- #2222 (gov delegation) — client call ≠ server wiring.
gov vote delegate/delegations/revokecallgovernance.delegation.*, but those methods are not registered in `icn-rpc/src/server.rs` and a repo-wide search finds them only in the CLI. Against a running daemon they return method-not-found, so they were not markedpartial— leftunknown. - #2223 (federation) —
partialonly after a server-side check. All 20partialfederation commands were classifiedpartialbecause each citednetwork.*/federation.*RPC method was confirmed registered inserver.rs, or the gateway route was confirmed inroute-inventory.md. "Does not claim live federation" is on the nonclaims for exactly this reason. - #2224 (final unknowns) — honest non-collapse.
policy.*becamepartialbecause the methods are registered in daemon dispatch;init-coopwas leftunknownbecause static review cannot honestly collapse its hybrid behavior (always-local keystore/config/bootstrap plus a best-effort gatewayPOST /v1/gov/domainsgated on daemon-up and a token) into a single status.
7. Generated artifact rules
Per `docs/ci/GENERATED_TRUTH_DRIFT.md`:
- A generated artifact must state what it proves and does not prove (generated records prove files existed at generation time, not current truth — hierarchy rank 8).
- Do not hand-edit generated files. Edit the generator and regenerate (
docs/scripts/icnctl_command_inventory.py --write,docs/scripts/route_inventory.py --write). - Every committed generated artifact must either have a drift check (wired into
generated-truth.yml/docs-freshness.yml) or be explicitly declared on-demand with no committed snapshot. A committed generated artifact with neither silently rots. - Both committed project-index inventories are now drift-gated in
docs-freshness.yml(warn-on-drift, advisory):generated/route-inventory.mdviaroute_inventory.py --check(#2112) andgenerated/icnctl-command-inventory.mdviaicnctl_command_inventory.py --check(#2113 — wired as the immediate follow-up to this map). Both are warn-only (a stale artifact emits a CI::warning::, not a merge block) and are listed as promotion candidates in `docs/ci/GENERATED_TRUTH_DRIFT.md`. - Generated records are orientation aids, not truth roots.
8. PR body / review checklist (inventory & status PRs)
Reusable checklist — copy into the PR body or run it as a reviewer:
- Distinguishes mechanical discovery (clap/route scan) from curated status.
- Every
partialcites server-side wiring (RPC method registered inserver.rs) or route registration where relevant. - Every
livecites local-only behavior or binary-spawning e2e evidence. - Every
plannedcites an explicit placeholder /bail!/ "not yet supported" marker. - Unknowns left unknown where evidence is ambiguous (not force-fit to a positive status).
- Uses
Refs #N(not a closing keyword) when the issue's acceptance is not met. - Includes nonclaims for production readiness, formal pilot readiness, live federation, Phase 2 completion, and (when relevant) #2082 and #2099.
9. Public / show-readiness language
Full list and the suggested demo narrative: `show-readiness-map.md`; website convention: ADR-0032 (accepted; maturity bands strong/advancing/maturing/behind/not-yet). Red lines to restate briefly:
- No crypto / web3 / token framing (no token, no native currency, receipts are evidentiary, not tradable).
- No financial-product framing (use settlement / unit / identity / position / obligation / allocation; the
compliance_linter.pyenforces the vocabulary on API surfaces). - No NYCN commitment claim (intended first partner, not a signed/launched pilot).
- No live-federation claim (Phase 3, not Phase 2).
- No blanket production-readiness claim across the substrate.
ADR-0033 (evidence-link requirement) is proposed, not implemented — do not claim evidence-link enforcement exists yet.
10. Non-goals
This map is not: a new canonical truth source; a replacement for STATE.md / PHASE_PROGRESS.md; a new status vocabulary; a new CI gate; a runtime behavior change; and not a claim that the claim-boundary rules are fully enforced (most are convention — §2, §5).
Where to read deeper
| You want… | Read |
|---|---|
| Which source wins on conflict | `source-of-truth-map.md` |
| How strong the proof is (L0–L8) | `proof-level-taxonomy-capability-matrix.md` |
| What is safe to show / red lines | `show-readiness-map.md` |
Which routes / icnctl commands back the rehearsal |
`organizer-rehearsal-operability-map.md` |
| The architectural Meaning Firewall | `KERNEL_APP_SEPARATION.md` |
| Generated-artifact drift discipline | `docs/ci/GENERATED_TRUTH_DRIFT.md` |