ELNOR REPO READER TEXT MIRROR
Original path: Memory Rebuild Docs/Memory Rebuild Review Packs/DOC80_Memory_Control_Plane_PreSpec_Review_Pack_v1_0_2026-05-25/13_Round_D_Policy_Scope_UI_Micro_Patch_R0_2.md
Source repo: /Users/OpenClaw1/Elnor/Elnor Specs
Git branch: main
Git commit: dbaa25962edc11ab30e8d4ca1715f9ae5bf77331
Generated: 2026-06-09T01:23:58.539Z
---
# DAMS V5 / Memory Control Plane — Round D Policy, Scope, and UI Micro-Patch R0.2
**Status:** Pre-spec structural micro-patch for reviewer regression. Not an operative specification.
**Input reviews:** Round D Policy / Scope / UI reviews from Claude, ChatGPT, Grok, and Gemini.
**Patch target:** `12_ABC_Consolidated_Structural_Patch_R0_2.md`.
**Purpose:** Repair the Round D seams before Round E flattening review or final V5 drafting.
---
## 0A. R0.2 cleanup delta
R0.2 incorporates the Round D regression responses. It does not change the direction of R0.1. It adds the following executable clarifications so flattening can consume this patch without recreating Round D blockers.
### 0A.1 Policy meet ordering
Every policy dimension that participates in `per_dimension_most_restrictive` must declare a restrictiveness order. The order is part of the policy contract, not implied by prose. The meet takes the most restrictive value across contributing decisions.
```text
content_fidelity: none < redacted < reference_only < full
locality: blocked < local_only < approved_external
learning_scope: none < same_scope_only < partitioned < global_allowed
mutation_authority: none < candidate_only < durable_allowed
disclosure_class: not_disclosable < disclosable_label_only < disclosable
```
### 0A.2 Obligation aggregation
`EffectiveMemoryPolicy.obligations` is the union of contributing obligations after duplicate collapse by obligation identity. Obligations are not themselves reduced by the dimensional meet. If two obligations conflict, emit a policy-composition conflict and fail closed for the affected action until resolved.
### 0A.3 ReasonCode owner
`ReasonCode` remains a cross-doc registry concern. Until the final owner-doc landing pass pins exact registry ownership, Round D patch consumers must treat undefined reason-code namespaces as a flattening/open-registry item and must not invent local reason-code strings.
### 0A.4 Supersession table deferred to flattening
R0.1 introduced or rewrote several R0.2 types. The full consolidated supersession table belongs in the flattening plan, not this micro-patch. The flattening plan must include at least: `PolicyMembraneDecision`, `MemoryPolicyDecision`, `EffectiveMemoryPolicy`, `ScopeMembrane`, `ScopeBoundary`, `ScopeResolutionResult`, `UserContextSurfacePlan`, `NullResultMemory`, `SearchAffordance`, `MemoryPolicyAction`, `AvailabilityDisposition`, and all Blocked/Reference-only notice types.
### 0A.5 Minor fixture/schema clarifications
- `ProjectAutoLinkState` must be declared wherever project auto-link fixtures assert `suggested`, `quarantined`, or accepted states.
- `NullResultMemory` must carry enough freshness/staleness metadata to support `stale_possible` and `verification_required` fixture outcomes.
- `suppressed_manifest_only` is a handling/disposition for `blocked_known_exists_not_disclosable`; it is not a user-visible availability state.
- `PolicyDisambiguationRequest.fallback_if_unanswered = defer` is valid only when `blocked_until_answered = false`.
### 0A.6 No further Round D cycle
Round D is closed for purposes of proceeding to flattening. Remaining items are either captured here, assigned to flattening, or owner-doc landing work.
---
## 0. Executive disposition
The ABC Structural Patch R0.2 remains the right backbone. Round D does **not** require scrapping it. Round D does require a focused repair before proceeding.
The core Round D convergence is:
```text
Scope identifies relation and boundary.
Policy decides capability.
Disclosure policy decides what can be said about the decision.
UI command closure proves visible controls are real.
```
The patch therefore adds:
1. one canonical dimensional policy object;
2. a per-action/per-destination policy meet;
3. a separate disclosure meet;
4. concrete policy obligations, stamps, invalidation, and episode policy epochs;
5. restored and normalized scope identity/equivalence/container/boundary/affinity structures;
6. fail-closed behavior that does not depend on candidate tags being correct;
7. safe-label, availability, Inspector, and UI command-closure contracts;
8. a Project-mode delta table, including transitions, auto-link, cross-project search, and task handoff;
9. policy-capped DAMS rules;
10. Round D fixtures and lints;
11. close-audit coverage for the Round D reviews.
Round D regression review passed with minor cleanup. R0.2 incorporates the cleanup items and is the current target-policy/scope/UI patch for flattening.
---
## 1. Canonical policy plane
### 1.1 Problem fixed
R0.2 had policy fragments but not one canonical executable policy plane. Reviewers converged that `PolicyMembraneDecision.result = allow | block | redact | reference_only | ask_user` is too scalar. It cannot express ordinary mixed cases:
```text
retrieve = allow
render_inline = blocked
render_reference_only = allowed
export = blocked
learning = same_scope_only
ui_disclose = safe_label_only
```
R0.2 also left dangling or incomplete references to:
```text
MemoryPolicyDecision
PolicyObligation
PolicyStamp
PolicyStampInvalidation
EpisodePolicyEpoch
MemoryPolicyDecisionRef
```
### 1.2 Normative rule
```text
Policy decisions are action-scoped and dimension-scoped.
The effective decision for a given object/action/destination is computed by EC's compiled policy evaluator as a per-dimension conservative meet over all applicable policy inputs.
A ranked union over scalar results is forbidden.
```
Policy inputs include at least:
```text
global EC controls
session / incognito / processing state
source policy tags
visibility class
scope boundary
principal
surface
destination class
model class
user instruction, bounded by policy ceilings
```
### 1.3 Canonical `MemoryPolicyAction`
Bare `render` is retired. Rendering must be action-specific.
```ts
type MemoryPolicyAction =
| "collect"
| "extract"
| "classify"
| "write_candidate"
| "write_durable"
| "retrieve"
| "render_inline"
| "render_reference_only"
| "render_safe_label"
| "export"
| "delegate"
| "carryover"
| "learn_same_scope"
| "learn_partitioned"
| "learn_global"
| "ui_disclose"
| "inspect";
```
### 1.4 Canonical `MemoryPolicyDecision`
```ts
type MemoryPolicyDecision = {
decision_id: string;
object_ref: ContentReference;
action: MemoryPolicyAction;
destination?: DestinationClass; // required for export/delegate/carryover
principal_ref?: PrincipalRef;
surface_ref?: SurfaceRef;
source_scope_ref?: ScopeRef;
request_scope_ref?: ScopeRef;
destination_scope_ref?: ScopeRef;
boundary_ref?: ScopeBoundaryRef;
model_class?: ModelClass;
client_kind?: ClientKind;
content_fidelity: "none" | "safe_label" | "reference_only" | "redacted" | "full";
locality: "blocked" | "local_only" | "approved_external";
learning_scope: "none" | "audit_only" | "same_scope_only" | "partitioned" | "global_allowed";
mutation_authority: "none" | "candidate_only" | "durable_requires_review" | "durable_allowed";
disclosure_class:
| "not_disclosable"
| "generic_safe_label_only"
| "existence_only"
| "redacted_summary"
| "full";
obligations: PolicyObligation[];
policy_generation_id: string;
reason_codes: ReasonCode[];
schema_version: 1;
};
```
### 1.5 `EffectiveMemoryPolicy`
The effective decision is keyed by the triple:
```text
(object_ref, action, destination?)
```
It is **not** a meet across actions. A permissive retrieval decision must not constrain export, and a restrictive export decision must not overblock same-scope retrieval.
```ts
type EffectiveMemoryPolicy = {
effective_policy_id: string;
object_ref: ContentReference;
action: MemoryPolicyAction;
destination?: DestinationClass;
contributing_decision_refs: MemoryPolicyDecisionRef[];
effective_content_fidelity: MemoryPolicyDecision["content_fidelity"];
effective_locality: MemoryPolicyDecision["locality"];
effective_learning_scope: MemoryPolicyDecision["learning_scope"];
effective_mutation_authority: MemoryPolicyDecision["mutation_authority"];
effective_disclosure_class: MemoryPolicyDecision["disclosure_class"];
meet_kind: "per_dimension_most_restrictive";
obligations: PolicyObligation[];
policy_generation_id: string;
reason_codes: ReasonCode[];
schema_version: 1;
};
```
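The meet keyed by `(object_ref, action, destination?)`, using the orders declared in 0A.1 and the obligation union of 0A.2, as an added example (not part of the patch and not EC's evaluator). `DecisionStub`, `ObligationStub`, the key format, the conflict strings and the `external_llm` destination are assumptions of this example; so is the handling of values that 0A.1 does not rank (for instance `safe_label`), which clamp their dimension to the most restrictive value.

```typescript
// Added example. Orders are copied from section 0A.1, most restrictive first.
const RESTRICTIVENESS_ORDER = {
  content_fidelity: ["none", "redacted", "reference_only", "full"],
  locality: ["blocked", "local_only", "approved_external"],
  learning_scope: ["none", "same_scope_only", "partitioned", "global_allowed"],
  mutation_authority: ["none", "candidate_only", "durable_allowed"],
  disclosure_class: ["not_disclosable", "disclosable_label_only", "disclosable"],
};
type MeetDimension = keyof typeof RESTRICTIVENESS_ORDER;
const MEET_DIMENSIONS = Object.keys(RESTRICTIVENESS_ORDER) as MeetDimension[];

// Reduced stand-ins for PolicyObligation and MemoryPolicyDecision (assumption).
type ObligationStub = { obligation_id: string; obligation_kind: string };
type DecisionStub = {
  decision_id: string; object_ref: string; action: string; destination?: string;
  dims: Record<MeetDimension, string>; obligations: ObligationStub[];
};
type MeetResult = {
  contributing_decision_refs: string[];
  effective: Record<MeetDimension, string>;
  obligations: ObligationStub[];
  conflicts: string[]; // placeholder strings, not ReasonCode registry entries
  meet_kind: "per_dimension_most_restrictive";
};

function meetOneKey(group: DecisionStub[]): MeetResult {
  const conflicts: string[] = [];
  const effective = {} as Record<MeetDimension, string>;
  for (const dim of MEET_DIMENSIONS) {
    const order = RESTRICTIVENESS_ORDER[dim];
    let lowest = order.length - 1;
    for (const d of group) {
      const rank = order.indexOf(d.dims[dim]);
      if (rank < 0) {
        // Assumption: a value with no declared rank clamps its dimension.
        conflicts.push("undeclared_value:" + dim + "=" + d.dims[dim]);
        lowest = 0;
      } else if (rank < lowest) {
        lowest = rank;
      }
    }
    effective[dim] = order[lowest];
  }
  // 0A.2: union of obligations, duplicates collapsed by obligation identity.
  const byId: Record<string, ObligationStub> = Object.create(null);
  const obligations: ObligationStub[] = [];
  let obligationConflict = false;
  for (const d of group) {
    for (const o of d.obligations) {
      const seen = byId[o.obligation_id];
      if (seen === undefined) {
        byId[o.obligation_id] = o;
        obligations.push(o);
      } else if (seen.obligation_kind !== o.obligation_kind) {
        // Assumption: same identity with a different kind is a conflict.
        conflicts.push("obligation_conflict:" + o.obligation_id);
        obligationConflict = true;
      }
    }
  }
  if (obligationConflict) {
    // Fail closed, but only for this (object, action, destination) key.
    for (const dim of MEET_DIMENSIONS) effective[dim] = RESTRICTIVENESS_ORDER[dim][0];
  }
  return {
    contributing_decision_refs: group.map((d) => d.decision_id),
    effective, obligations, conflicts,
    meet_kind: "per_dimension_most_restrictive",
  };
}

// One result per (object_ref, action, destination?) triple; never across actions.
function computeEffectivePolicies(decisions: DecisionStub[]): Record<string, MeetResult> {
  const groups: Record<string, DecisionStub[]> = Object.create(null);
  for (const d of decisions) {
    const key = [d.object_ref, d.action, d.destination || ""].join("|");
    if (groups[key] === undefined) groups[key] = [];
    groups[key].push(d);
  }
  const out: Record<string, MeetResult> = Object.create(null);
  for (const key of Object.keys(groups)) out[key] = meetOneKey(groups[key]);
  return out;
}

// Constructed sample decisions for one object (not from the source document).
const SAMPLE_PERMISSIVE: Record<MeetDimension, string> = { content_fidelity: "full", locality: "approved_external",
  learning_scope: "global_allowed", mutation_authority: "durable_allowed", disclosure_class: "disclosable" };
const SAMPLE_AUDIT: ObligationStub = { obligation_id: "ob-1", obligation_kind: "require_audit_certificate" };
const SAMPLE_DECISIONS: DecisionStub[] = [
  { decision_id: "d1", object_ref: "obj:1", action: "retrieve", dims: SAMPLE_PERMISSIVE, obligations: [SAMPLE_AUDIT] },
  { decision_id: "d2", object_ref: "obj:1", action: "retrieve", obligations: [SAMPLE_AUDIT],
    dims: { ...SAMPLE_PERMISSIVE, content_fidelity: "reference_only", locality: "local_only" } },
  { decision_id: "d3", object_ref: "obj:1", action: "export", destination: "external_llm",
    dims: { ...SAMPLE_PERMISSIVE, locality: "blocked" }, obligations: [] },
  { decision_id: "d4", object_ref: "obj:1", action: "render_safe_label",
    dims: { ...SAMPLE_PERMISSIVE, content_fidelity: "safe_label" }, obligations: [] },
];
```

Calling `computeEffectivePolicies(SAMPLE_DECISIONS)` yields three independent results: the blocked export leaves retrieval at `reference_only` / `local_only`, and the unranked `safe_label` value is reported rather than silently ordered.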
### 1.6 Capability meet and disclosure meet
Round D made clear that one meet is not enough.
```text
Capability meet = what the system may do.
Disclosure meet = what the system may say about what it may or may not do.
```
A blocked object may still have one of several disclosure postures:
```text
existence cannot be disclosed;
existence can be generically disclosed;
source kind can be disclosed;
reason summary can be disclosed;
full explanation can be disclosed.
```
The disclosure meet is represented by `effective_disclosure_class` and must be consumed by:
```text
BlockedScopeNotice
ReferenceOnlyNotice
SearchAffordance
InspectorVisibilityPlan
UserContextSurfacePlan
ConsideredItemLedger
CarryoverCapsule
Export/delegation receipts
```
### 1.7 Policy obligations
```ts
type PolicyObligation = {
obligation_id: string;
obligation_kind:
| "require_redaction"
| "require_safe_label"
| "require_user_confirmation"
| "require_restamp_before_action"
| "require_audit_certificate"
| "require_final_prompt_proof"
| "forbid_global_learning"
| "forbid_cross_scope_relation_traversal"
| "require_source_sandbox_isolation"
| "require_prompt_injection_isolation"
| "require_review_queue"
| "require_ui_warning"
| "hide_existence"
| "show_generic_existence_only"
| "partition_learning"
| "receipt_required";
applies_to_actions: MemoryPolicyAction[];
enforcement_owner: "EC" | "PropA" | "DOC24" | "KDA" | "DOC11" | "DOC20" | "DOC8" | "DOC1" | "DOC25" | "DOC73";
blocking: boolean;
parameters?: Record<string, string | number | boolean>;
reason_code: ReasonCode;
schema_version: 1;
};
```
### 1.8 `ask_user` is not a policy result
`ask_user` is retired as a scalar policy result. Asking the user can itself leak protected information.
Use:
```ts
type PolicyDisambiguationRequest = {
request_id: string;
question_kind:
| "scope_confirmation"
| "destination_confirmation"
| "identity_confirmation"
| "privilege_review"
| "export_confirmation"
| "carryover_confirmation";
safe_prompt_label_ref: SafeReferenceLabelRef;
may_name_object: boolean;
may_name_scope: boolean;
blocked_until_answered: boolean;
fallback_if_unanswered: "block" | "reference_only" | "search_only" | "defer";
policy_decision_ref: MemoryPolicyDecisionRef;
schema_version: 1;
};
```
Unsafe prompt:
```text
Do you want me to use the privileged Marex strategy memo?
```
Safe prompt:
```text
Some potentially relevant protected material may exist outside this request's eligible scope. Continue using only eligible material?
```
---
## 2. Policy stamps, invalidation, and episode policy epochs
### 2.1 `PolicyStamp`
```ts
type PolicyStamp = {
stamp_id: string;
object_ref: ContentReference;
issued_for_policy_ref: EffectiveMemoryPolicyRef;
issued_at: ISO8601;
issued_by: "EC_compiled_policy_evaluator";
policy_generation_id: string;
stamp_scope_ref: PolicyStampScopeRef;
expires_at?: ISO8601;
schema_version: 1;
};
```
### 2.2 `PolicyStampScope`
```ts
type PolicyStampScope = {
stamp_ref: PolicyStampRef;
object_ref: ContentReference;
valid_for_actions: MemoryPolicyAction[];
valid_for_destinations?: DestinationClass[];
policy_generation_id: string;
expires_at?: ISO8601;
schema_version: 1;
};
```
Rules:
```text
If valid_for_actions includes export, delegate, or carryover, valid_for_destinations is REQUIRED and non-empty.
A retrieval-approved object is not render-approved.
A local-inline-approved object is not export-, delegate-, carryover-, or learn-approved.
```
### 2.3 `PolicyStampInvalidation`
```ts
type PolicyStampInvalidation = {
invalidation_id: string;
invalidated_stamp_ref: PolicyStampRef;
object_ref: ContentReference;
prior_policy_generation_id: string;
new_policy_generation_id: string;
affected_actions: MemoryPolicyAction[];
tightened_dimensions: Array<
| "content_fidelity"
| "locality"
| "learning_scope"
| "mutation_authority"
| "disclosure_class"
>;
required_remediation: "restamp" | "downgrade" | "block";
user_visible_summary_ref: SafeReferenceLabelRef;
reason_codes: ReasonCode[];
schema_version: 1;
};
```
### 2.4 Prior delivery and KV cache must respect policy generation
Round D found a cross-turn bug: `PriorDeliveryLedger` and KV-cache front-loading can re-use stale policy material after a policy generation change.
Add fields:
```ts
type PriorDeliveryLedgerEntry = {
truth_key: AssertionRef | CuPropositionKey | DirectiveRef;
delivered_turn: number;
delivered_product_kind: ContextProductKind;
still_in_context: boolean;
last_warrant: UseWarrant;
policy_generation_at_delivery: string;
prompt_shell_variant_id?: string;
};
```
Rule:
```text
If policy_generation_at_delivery != current policy_generation_id, prior delivery cannot justify a one-line reminder or KV-cache reuse. The item must be re-evaluated, downgraded, blocked, or restamped.
```
### 2.5 `EpisodePolicyEpoch`
Round D found that R0.2 silently dropped this adjudicated object. Restore it.
```ts
type EpisodePolicyEpoch = {
epoch_id: string;
work_episode_ref: WorkEpisodeRef;
surface_ref?: SurfaceRef;
policy_generation_id: string;
opened_at: ISO8601;
closed_at?: ISO8601;
superseding_epoch_ref?: EpisodePolicyEpochRef;
reason_codes: ReasonCode[];
schema_version: 1;
};
```
Rules:
```text
Durable write, carryover, export, and delegation decisions made within a WorkEpisode record the active epoch_id.
A mid-episode policy-generation change closes the prior epoch, opens a new epoch, and forces restamp of in-flight context products and movement actions.
```
---
## 3. Scope coordination normalization
### 3.1 Problem fixed
R0.2 carried overlapping and undefined scope terms:
```text
ScopeBoundary.boundary_kind
ScopeResolutionResult.scope_relation
ScopeAffinity
ScopeRelation
ScopeRelationLabel
ScopeRef
ScopeResolutionTraceRef
```
It also dropped earlier scope components:
```text
ScopeIdentityRoot
ScopeEquivalenceBinding
ScopeContainerRelation
ScopeMembrane / boundary equivalent
```
### 3.2 Normative rule
```text
Scope resolves identity, equivalence, containment, relation, affinity, and uncertainty.
Scope may emit conservatism floors and policy-posture hints.
Scope must not emit final allow/block/render/export/delegate/learn decisions.
```
### 3.3 Restored scope model
```ts
type ScopeIdentityRoot = {
scope_ref: ScopeRef;
display_name?: string;
scope_kind:
| "project"
| "matter"
| "engagement"
| "research_topic"
| "initiative"
| "library"
| "personal_domain"
| "global";
owner_principal_ref?: PrincipalRef;
visibility_class?: VisibilityClass;
schema_version: 1;
};
type ScopeEquivalenceBinding = {
binding_id: string;
scope_refs: ScopeRef[];
equivalence_basis:
| "explicit_user_binding"
| "entity_resolution"
| "folder_binding"
| "project_binding"
| "corpus_binding"
| "manual_merge"
| "migration_inferred";
confidence: number;
domain_threshold_ref?: DomainProfileRef;
schema_version: 1;
};
type ScopeContainerRelation = {
relation_id: string;
container_scope_ref: ScopeRef;
member_scope_ref: ScopeRef;
relation_kind:
| "contains"
| "linked_library"
| "source_membership"
| "project_binding"
| "topic_membership"
| "episode_touched_scope"
| "analogical_relation";
policy_load_bearing: boolean;
schema_version: 1;
};
```
### 3.4 Two scope axes: topology and affinity
```ts
type ScopeBoundaryKind =
| "same_scope"
| "contained"
| "adjacent"
| "cross_scope"
| "firewalled"
| "unknown";
type ScopeAffinity =
| "direct"
| "secondary"
| "background"
| "analogical"
| "unrelated"
| "uncertain";
```
`ScopeBoundaryKind` answers:
```text
what structural boundary exists?
```
`ScopeAffinity` answers:
```text
how relevant is this object to the request?
```
### 3.5 `ScopeResolutionResult`
```ts
type ScopeResolutionResult = {
result_id: string;
request_scope_ref?: ScopeRef;
object_scope_ref: ScopeRef;
source_scope_ref?: ScopeRef;
destination_scope_ref?: ScopeRef;
principal_ref?: PrincipalRef;
boundary_kind: ScopeBoundaryKind;
relation_to_request: ScopeAffinity;
relation_to_destination:
| "same_runtime"
| "same_machine_local"
| "same_principal"
| "same_project"
| "same_firewall"
| "external_destination"
| "unknown_destination"
| "blocked_destination";
sensitive_tag_summary:
| "none"
| "sensitive_present"
| "protected_present"
| "classification_unknown";
active_scope_protection_state:
| "ordinary"
| "matter_or_project_sensitive"
| "firewalled"
| "sealed"
| "personal_private"
| "unknown_sensitive";
confidence: number;
domain_threshold_ref: DomainProfileRef;
ambiguity_reason_codes: ReasonCode[];
equivalence_binding_refs: ScopeEquivalenceBindingRef[];
container_relation_refs: ScopeContainerRelationRef[];
scope_trace_ref: ScopeResolutionTraceRef;
minimum_conservatism_floor:
| "normal_policy_check"
| "reference_only_candidate"
| "safe_label_candidate"
| "user_disambiguation_candidate"
| "fail_closed_candidate";
policy_actions_required: MemoryPolicyAction[];
schema_version: 1;
};
```
### 3.6 Fail-closed rule, corrected
R0.2's rule failed closed only when the **candidate** already carried sensitive tags. Round D found the dangerous case: an unclassified privileged source.
Correct rule:
```text
If boundary_kind is cross_scope, firewalled, or unknown, and either side of the boundary is protected, sensitive, matter-specific, personal/private, sealed, firewalled, or unclassified, the result must set minimum_conservatism_floor = fail_closed_candidate or reference_only_candidate.
```
This applies when:
```text
the candidate object is tagged protected;
the active/request scope is protected;
the source classification is unknown;
the destination is external or unknown;
the domain profile marks the context high-risk;
the scope confidence is below the domain threshold.
```
`orientation_only` is not a confidentiality control.
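A validator for the corrected rule, shown beside the R0.2 trigger it replaces, as an added example (not part of the patch). Field names follow `ScopeResolutionResult`; the numeric `domain_threshold`, the `high_risk_domain` flag and the trigger strings are assumptions standing in for `DomainProfileRef` and the `ReasonCode` registry.

```typescript
// Added example for section 3.6; a reduced ScopeResolutionResult (assumption).
type ScopeResultStub = {
  boundary_kind: "same_scope" | "contained" | "adjacent" | "cross_scope" | "firewalled" | "unknown";
  sensitive_tag_summary: "none" | "sensitive_present" | "protected_present" | "classification_unknown";
  active_scope_protection_state:
    | "ordinary" | "matter_or_project_sensitive" | "firewalled"
    | "sealed" | "personal_private" | "unknown_sensitive";
  relation_to_destination: string;
  confidence: number;
  domain_threshold: number;   // assumption: resolved from domain_threshold_ref
  high_risk_domain: boolean;  // assumption: resolved from the domain profile
  minimum_conservatism_floor:
    | "normal_policy_check" | "reference_only_candidate" | "safe_label_candidate"
    | "user_disambiguation_candidate" | "fail_closed_candidate";
};

function boundaryIsRisky(r: ScopeResultStub): boolean {
  return r.boundary_kind === "cross_scope" || r.boundary_kind === "firewalled" || r.boundary_kind === "unknown";
}

// R0.2 behaviour described in 3.6: only the candidate's own tags were consulted.
function legacyMustFailClosed(r: ScopeResultStub): boolean {
  return boundaryIsRisky(r) &&
    (r.sensitive_tag_summary === "sensitive_present" || r.sensitive_tag_summary === "protected_present");
}

// Corrected rule: either side of the boundary, plus the unknown/unclassified cases.
// Trigger names are placeholders for this example, not ReasonCode entries.
function protectionTriggers(r: ScopeResultStub): string[] {
  const triggers: string[] = [];
  if (r.sensitive_tag_summary === "sensitive_present" || r.sensitive_tag_summary === "protected_present") {
    triggers.push("candidate_tagged");
  }
  if (r.sensitive_tag_summary === "classification_unknown") triggers.push("source_classification_unknown");
  if (r.active_scope_protection_state !== "ordinary") triggers.push("request_scope_protected");
  if (r.relation_to_destination === "external_destination" || r.relation_to_destination === "unknown_destination") {
    triggers.push("destination_external_or_unknown");
  }
  if (r.high_risk_domain) triggers.push("high_risk_domain");
  if (r.confidence < r.domain_threshold) triggers.push("confidence_below_threshold");
  return triggers;
}

type FloorCheck = { required: boolean; triggers: string[]; compliant: boolean };

// Does not choose between the two permitted floors; it only checks that one is set.
function checkConservatismFloor(r: ScopeResultStub): FloorCheck {
  const triggers = boundaryIsRisky(r) ? protectionTriggers(r) : [];
  const required = triggers.length > 0;
  const floorOk = r.minimum_conservatism_floor === "fail_closed_candidate" ||
    r.minimum_conservatism_floor === "reference_only_candidate";
  return { required, triggers, compliant: !required || floorOk };
}

// Constructed case: an untagged source across a cross-scope boundary.
const SAMPLE_UNCLASSIFIED_SOURCE: ScopeResultStub = {
  boundary_kind: "cross_scope",
  sensitive_tag_summary: "classification_unknown",
  active_scope_protection_state: "ordinary",
  relation_to_destination: "same_runtime",
  confidence: 0.9,
  domain_threshold: 0.8,
  high_risk_domain: false,
  minimum_conservatism_floor: "normal_policy_check",
};
```

For `SAMPLE_UNCLASSIFIED_SOURCE` the legacy trigger does not fire, while `checkConservatismFloor` reports the floor as required and the result as non-compliant until the floor is raised.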
### 3.7 Scope relation traversal gates
Assertion relation traversal can leak across boundaries. Add:
```text
AssertionRelationEdge traversal for conflict projection, analogy, supersession, or comparison injection must run a scope-resolution and effective-policy check for every related variant.
```
If the related variant is cross-scope/firewalled/not-disclosable:
```text
it may not render;
it may not be summarized;
it may not be named;
it may at most trigger a safe blocked notice if ui_disclose permits existence disclosure.
```
### 3.8 Project ↔ scope seam
A Project may seed scope identity, but only as an operational hint.
```text
Active Project mode may provide request_scope_ref and preferred ScopeIdentityRoot.
Project bindings may contribute to ScopeEquivalenceBinding or ScopeContainerRelation.
Project mode may not create truth identity, override scope boundaries, broaden policy, or treat Project membership as proof.
```
No-project mode must still resolve memory through:
```text
prompt content;
entities;
recent episodes;
Topics;
Libraries;
directives;
procedures;
DOC72 graph retrieval;
explicit user search.
```
---
## 4. Project-mode delta table
### 4.1 Normative table
| State | What changes | What does not change |
|---|---|---|
| No Project mode | Uses prompt/entities/recent episodes/Topics/Libraries/directives/graph/search. No project chrome. No project capture bias. | Memory still works. Truth identity, policy, visibility, scope boundaries, durable writer, and final prompt truth unchanged. |
| Project active | Biases retrieval, capture priority, Library/source selection, output routing, UI indicators, and project background instructions where policy permits. | Does not override EC controls, incognito, PropA, visibility, DOC1 Write Gate, source policy, parse-quality gates, or firewalls. |
| Project paused | Keeps visible project indicator and may preserve loaded/searchable context. Suspends enhanced project capture and aggressive extraction. | Must not silently keep active capture, attenuator pin, or project_id writes at active strength. |
| Auto-link suggested | May propose a project binding. May show UI affordance. | Does not silently enable elevated capture or durable project_id tagging in protected/sensitive contexts. |
| Auto-link quarantined | Temporary association for low-risk review/undo window; no durable project_id write until policy clears or user accepts. | Does not bypass policy or visibility. |
| Cross-project explicit search | User may expand search scope deliberately, e.g. “search all matters/projects.” UI must show expanded scope. | Does not mutate active Project mode; every result is separately policy/disclosure-gated. |
| Task handoff from Project-mode chat | A task may receive explicit `task_scope_envelope` only if user/config allows. | Background tasks do not inherit Project mode by default. `task_handoff` stamp is not external-LLM carryover approval. |
| Project transition | Pausing/exiting/switching Project opens a new scope-resolution context. | No residual hidden Focus bias. No inherited paused-project active scope unless explicitly surfaced and down-weighted. |
### 4.2 Project active capture wording
Replace any “always captured” interpretation with:
```text
Project active makes eligible surfaces capture-eligible, project-associated, and higher-priority. It may bypass ordinary low-significance suppression for eligible work surfaces, but it never bypasses EC collection controls, incognito, PropA source rules, visibility class, firewalls, DOC1 Write Gate, prompt-injection isolation, parse-quality gates, or cost/budget gates.
```
---
## 5. UI and Inspector closure
### 5.1 Problem fixed
R0.2 had `visible_actions[]` and `action_command_refs[]` as parallel arrays. That is a phantom-control risk.
### 5.2 `UserContextSurfacePlan`
```ts
type VisibleIndicator =
| { kind: "project_mode"; project_ref: ProjectRef; state: "active" | "paused" | "suggested" | "quarantined" }
| { kind: "library_included"; library_ref: LibraryRef; inclusion_state: "selected" | "searched" | "included_in_packet" }
| { kind: "topic_availability"; topic_ref: TopicRef; product: "notice" | "slice"; availability: AvailabilityDisposition }
| { kind: "recent_work"; rollup_ref: RecentActivityRollupRef }
| { kind: "search_affordance"; affordance_id: string };
type UserContextSurfacePlan = {
surface_plan_id: string;
surface_ref: SurfaceRef;
visible_indicators: VisibleIndicator[];
visible_actions: VisibleContextActionSpec[];
hidden_refs: HiddenContextRef[];
inspector_plan_ref?: InspectorVisibilityPlanRef;
policy_generation_id: string;
schema_version: 1;
};
```
### 5.3 `VisibleContextActionSpec`
```ts
type VisibleContextActionSpec = {
action_id: string;
action:
| "open_inspector"
| "pull_topic_slice"
| "search_topic"
| "open_library"
| "pull_library_source_slice"
| "pause_topic_collection_directive"
| "review_candidates"
| "restamp_policy"
| "explain_blocked_item"
| "generate_carryover"
| "request_access"
| "dismiss_notice";
label_key: string;
enabled_state: "enabled" | "disabled" | "hidden";
command_ref?: ECCommandRef;
route_ref?: RegisteredRouteRef;
degraded_noop_receipt_kind?: DegradedReceiptKind;
required_policy_action?: MemoryPolicyAction;
required_disclosure_class?: MemoryPolicyDecision["disclosure_class"];
policy_decision_ref: EffectiveMemoryPolicyRef;
availability: AvailabilityDisposition;
safe_label_ref?: SafeReferenceLabelRef;
disabled_reason_label_ref?: SafeReferenceLabelRef;
telemetry_event_kind: string;
refreshed_read_model_ref?: ReadModelRef;
inspector_trace_refs: ContentReference[];
schema_version: 1;
};
```
Rules:
```text
Every visible action MUST have exactly one of command_ref, route_ref, or degraded_noop_receipt_kind.
Every successful command/route MUST name the refreshed read model or route-level refresh contract.
Every disabled visible action MUST use a safe disabled-reason label.
A visible action without command/route/no-op closure fails lint.
```
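A lint for the closure rules above, including the parallel-array shape from 5.1 that they replace, as an added example (not part of the patch). `ActionSpecStub`, the approved-label list, the finding strings and the sample refs are assumptions; `hidden` entries are treated as not visible, and the refresh check covers command-backed actions only because the type has no field for a route-level refresh contract.

```typescript
// Added example: lint for the section 5.3 closure rules. Field names follow
// VisibleContextActionSpec; refs are reduced to plain strings (assumption).
type ActionSpecStub = {
  action_id: string;
  action: string;
  enabled_state: "enabled" | "disabled" | "hidden";
  command_ref?: string;
  route_ref?: string;
  degraded_noop_receipt_kind?: string;
  disabled_reason_label_ref?: string;
  refreshed_read_model_ref?: string;
};

// Finding strings are placeholders for this example, not ReasonCode entries.
function lintActionClosure(specs: ActionSpecStub[], approvedLabelRefs: string[]): string[] {
  const findings: string[] = [];
  for (const spec of specs) {
    // Assumption: "hidden" entries are not visible controls and are exempt.
    if (spec.enabled_state === "hidden") continue;
    const closures = [spec.command_ref, spec.route_ref, spec.degraded_noop_receipt_kind]
      .filter((c) => c !== undefined && c !== "");
    if (closures.length === 0) findings.push(spec.action_id + ":phantom_control_no_closure");
    if (closures.length > 1) findings.push(spec.action_id + ":ambiguous_closure");
    if (spec.command_ref && !spec.refreshed_read_model_ref) {
      findings.push(spec.action_id + ":missing_refresh_contract");
    }
    if (spec.enabled_state === "disabled") {
      if (!spec.disabled_reason_label_ref) {
        findings.push(spec.action_id + ":missing_disabled_reason_label");
      } else if (approvedLabelRefs.indexOf(spec.disabled_reason_label_ref) < 0) {
        findings.push(spec.action_id + ":unapproved_disabled_reason_label");
      }
    }
  }
  return findings;
}

// The retired shape from section 5.1: two arrays matched only by index.
function fromParallelArrays(visible_actions: string[], action_command_refs: string[]): ActionSpecStub[] {
  return visible_actions.map((action, i): ActionSpecStub => ({
    action_id: "legacy-" + i,
    action,
    enabled_state: "enabled",
    command_ref: action_command_refs[i], // undefined once the arrays drift apart
    refreshed_read_model_ref: "rm:context-surface", // constructed value
  }));
}

// Constructed sample data (not from the source document).
const APPROVED_LABEL_REFS = ["label:policy_restricted", "label:reference_only"];
const SAMPLE_SPECS: ActionSpecStub[] = [
  { action_id: "a1", action: "open_inspector", enabled_state: "enabled", route_ref: "route:inspector" },
  { action_id: "a2", action: "pull_topic_slice", enabled_state: "enabled",
    command_ref: "cmd:pull_topic_slice", refreshed_read_model_ref: "rm:topic" },
  { action_id: "a3", action: "restamp_policy", enabled_state: "enabled" },
  { action_id: "a4", action: "generate_carryover", enabled_state: "enabled",
    command_ref: "cmd:carryover", route_ref: "route:carryover" },
  { action_id: "a5", action: "request_access", enabled_state: "disabled",
    degraded_noop_receipt_kind: "noop", disabled_reason_label_ref: "label:marex_privileged_memo" },
  { action_id: "a6", action: "dismiss_notice", enabled_state: "hidden" },
];
```

`lintActionClosure(SAMPLE_SPECS, APPROVED_LABEL_REFS)` flags `a3`, `a4` and `a5`; feeding it `fromParallelArrays` with a shorter `action_command_refs` array shows how the old shape produces a control with no command behind it.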
### 5.4 `restamp_policy`
```text
restamp_policy means re-run EC's compiled policy evaluator under the current policy_generation_id.
It can keep, downgrade, or block access.
It cannot grant access beyond current policy ceilings.
```
### 5.5 `HiddenContextRef`
```ts
type HiddenContextRef = {
ref: ContentReference;
disclosure_class: MemoryPolicyDecision["disclosure_class"];
safe_label_ref?: SafeReferenceLabelRef;
policy_decision_ref: EffectiveMemoryPolicyRef;
};
```
### 5.6 `InspectorVisibilityPlan`
```ts
type InspectorVisibilityPlan = {
inspector_plan_id: string;
requester_principal_ref: PrincipalRef;
surface_ref: SurfaceRef;
visible_trace_fields: string[];
redacted_trace_fields: string[];
hidden_trace_refs: HiddenContextRef[];
safe_label_policy_ref: SafeLabelPolicyRef;
policy_decision_ref: EffectiveMemoryPolicyRef;
may_show_source_title: boolean;
may_show_topic_label: boolean;
may_show_count: boolean;
may_show_reason_summary: boolean;
reason_codes: ReasonCode[];
schema_version: 1;
};
```
Rule:
```text
Inspector / why excluded / why not remembered uses the same disclosure meet and safe-label discipline as prompt rendering. Inspector visibility is a policy-gated inspect action, not a debug bypass.
```
---
## 6. Availability, blocked notices, and safe labels
### 6.1 `AvailabilityDisposition`
```ts
type AvailabilityDisposition =
| "not_searched"
| "not_found"
| "available_injected"
| "available_not_injected_budget"
| "available_not_injected_low_relevance"
| "available_reference_only"
| "blocked_known_exists_disclosable"
| "blocked_known_exists_not_disclosable"
| "blocked_unknown_existence";
```
This must be present on:
```text
ContextProductDecision
ConsideredItemLedgerEntry
SearchAffordance
UserContextSurfacePlan actions
InspectorVisibilityPlan
BlockedScopeNotice
ReferenceOnlyNotice
NullResultNotice
```
### 6.2 Safe label policy
```ts
type SafeLabelPolicy = {
policy_id: string;
availability: AvailabilityDisposition;
protected_reason_class:
| "privileged"
| "sealed"
| "firewalled"
| "personal"
| "client_confidential"
| "matter_specific"
| "policy_unknown";
may_disclose_existence: boolean;
may_disclose_container_type: boolean;
may_disclose_topic_label: boolean;
may_disclose_source_title: boolean;
may_disclose_count: boolean;
may_disclose_reason_summary: boolean;
default_label_key: string;
inspector_label_key?: string;
policy_decision_ref: EffectiveMemoryPolicyRef;
schema_version: 1;
};
```
Safe labels must come from approved vocabulary, not protected content.
Allowed examples:
```text
Protected cross-scope material
Policy-restricted material
Reference-only material
Some material is unavailable under current policy
```
Forbidden examples unless full disclosure permits:
```text
Marex privileged memo
14 protected scienter strategy notes
Insider-sale weakness analysis from Client X
```
### 6.3 Blocked and reference-only rules
```text
blocked_known_exists_not_disclosable → suppressed_manifest_only. No prompt or UI notice may confirm existence.
blocked_known_exists_disclosable → safe generic notice only.
reference_only → diagnostic label only, not compact summary.
not_found → only when the relevant scope was actually searched.
not_searched → must not be described as not_found.
```
### 6.4 `BlockedScopeNotice`
```ts
type BlockedScopeNotice = ContextProductBase & {
kind: "blocked_scope_notice";
availability: "blocked_known_exists_disclosable";
safe_label_ref: SafeReferenceLabelRef;
policy_decision_ref: EffectiveMemoryPolicyRef;
model_visible_text: string; // generic only; no identity, title, count, topic, or characterization
};
```
### 6.5 `ReferenceOnlyNotice`
```ts
type ReferenceOnlyNotice = ContextProductBase & {
kind: "reference_only_notice";
availability: "available_reference_only";
diagnostic_label_ref: SafeReferenceLabelRef;
content_ref: ContentReference;
policy_decision_ref: EffectiveMemoryPolicyRef;
};
```
Reference-only rendering may not carry substantive content unless policy explicitly permits redacted summary, in which case it is no longer the ordinary `reference_only_notice` path and must carry a distinct redacted-summary obligation.
---
## 7. SearchAffordance autonomy
### 7.1 Problem fixed
Round D found that SearchAffordance can become a phantom tool, a leakage channel, or an agentic dead-end if it advertises a route that policy will later block.
### 7.2 Execution mode
```ts
type SearchAffordanceExecutionMode =
| "ui_hint_only"
| "manual_user_action"
| "agent_auto_pull_allowed"
| "agent_auto_pull_reviewable"
| "blocked_by_policy"
| "blocked_by_scope"
| "degraded_route_unavailable";
```
### 7.3 SearchAffordance schema additions
```ts
type SearchAffordance = ContextProductBase & {
kind: "search_affordance";
actionability: "model_tool_callable" | "model_should_offer_to_user" | "ui_only";
execution_mode: SearchAffordanceExecutionMode;
backing_command_ref?: ECCommandRef;
route_ref?: RegisteredRouteRef;
scope_filter: ScopeFilterSpec;
policy_generation_id: string;
preflight_result_ref: SearchAffordancePreflightRef;
availability: AvailabilityDisposition;
safe_label_ref?: SafeReferenceLabelRef;
};
type SearchAffordancePreflight = {
preflight_id: string;
affordance_ref: SearchAffordanceRef;
policy_generation_id: string;
scope_filter: ScopeFilterSpec;
guaranteed_substantive_result: boolean;
minimum_result_disclosure: MemoryPolicyDecision["disclosure_class"];
fallback_if_empty_or_blocked: "hide_affordance" | "render_degraded_suggestion" | "manual_only";
reason_codes: ReasonCode[];
};
```
Rules:
```text
DOC24 must not advertise a model-callable SearchAffordance unless preflight shows the route exists, policy permits it, and at least some eligible result can be returned or a safe degraded result is specified.
Unknown scope + sensitive/protected source → no auto-pull.
Cross-scope protected candidate → no auto-pull.
Reference-only item → no auto-pull that bypasses reference-only posture.
Route unavailable → UI hint only, not callable prompt action.
Auto-pull must emit command receipt, policy decision ref, and refreshed read model.
```
---
## 8. DAMS policy clamp
### 8.1 Problem fixed
Round D found DAMS could become policy-adjacent through learned `omission_cost` and `contamination_risk`.
### 8.2 Policy-capped input
```ts
type PolicyCappedDAMSInput = DAMSAttenuatorInput & {
eligibility_ceiling:
| "inline_allowed"
| "reference_only_max"
| "search_only_max"
| "notice_only_max"
| "blocked";
effective_policy_ref: EffectiveMemoryPolicyRef;
};
```
Rules:
```text
DAMS may rank only candidates already eligible for the product kind under policy, scope, and warrant.
DAMS may not convert blocked/reference-only/search-only/notice-only into inline render.
DAMS may not suppress mandatory warnings, safe-label notices, or policy-required products.
```
### 8.3 Contamination veto
`contamination_risk` is not a linear penalty when it crosses a threshold.
```text
If contamination_risk exceeds the domain/policy threshold, the item bypasses ordinary DAMS salience and is rerouted to WarningConstraint, BlockedScopeNotice, ReferenceOnlyNotice, or suppression according to policy.
```
---
## 9. Render safety and prompt-shell proof
### 9.1 Problem fixed
Final-prompt proof must prove not only that a product appeared, but that its safety-critical use limits survived rendering and trimming.
### 9.2 RenderSafetyProof
```ts
type RenderSafetyProof = {
  proof_id: string;
  context_product_instance_id: string;
  render_bundle_ref: RenderBundleRef;
  prompt_text_package_ref: PromptTextPackageRef;
  policy_generation_id: string;
  template_id: string;
  template_version: string;
  lint_suite_version: string;
  passed_lints: ReasonCode[];
  blocking_lints: ReasonCode[];
  rendered_span_refs: FinalPromptSpanRef[];
  use_limit_span_present: boolean;
  warrant_label_span_present: boolean;
  source_sandbox_span_present?: boolean;
  reference_only_substantive_text_absent: boolean;
  blocked_notice_safe_label_only: boolean;
  disclosure_meet_respected: boolean;
  schema_version: 1;
};
```
Rules:
```text
If a reference-only label survives final prompt trimming but its use-limit text is removed, safe reference-only utility credit is not awarded.
If a source sandbox marker is required but absent from the final prompt, the product is unsafe-delivered and receives no positive learning credit.
```
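An added example (not the project's renderer) of deriving the proof flags above from the spans that survive trimming: a required span counts only if it survived whole, while forbidden substantive text counts if any part of it survived. The span and range shapes, `evaluateRender`, the assumption that every product here requires a use-limit span, and the `source_sandbox_span_missing` code are assumptions; the flag names and the other two lint codes are the page's.

```typescript
// Added example. Span kinds, offsets and KeptRange are assumed shapes; the flag
// names and the prompt.* / notice.* lint codes are taken from the page.
type SpanKind = "warrant_label" | "use_limit" | "source_sandbox" | "substantive_text";
interface RenderedSpan { kind: SpanKind; start: number; end: number } // [start, end) before trimming
interface KeptRange { start: number; end: number }                    // pre-trim ranges that survived

interface RenderedProduct {
  posture: "inline" | "reference_only";
  source_sandbox_required: boolean;
  spans: RenderedSpan[];
}
interface ProofOutcome {
  use_limit_span_present: boolean;
  warrant_label_span_present: boolean;
  source_sandbox_span_present: boolean;
  reference_only_substantive_text_absent: boolean;
  blocking_lints: string[];
  positive_learning_credit: boolean;
}

// A required span counts only if it survived whole.
function intact(s: RenderedSpan, kept: KeptRange[]): boolean {
  return kept.some(k => k.start <= s.start && s.end <= k.end);
}
// Forbidden text counts as present if any part of it survived.
function touched(s: RenderedSpan, kept: KeptRange[]): boolean {
  return kept.some(k => s.start < k.end && k.start < s.end);
}

function evaluateRender(p: RenderedProduct, kept: KeptRange[]): ProofOutcome {
  const has = (kind: SpanKind): boolean =>
    p.spans.some(s => s.kind === kind && intact(s, kept));
  const leaked = p.spans.some(s => s.kind === "substantive_text" && touched(s, kept));
  const out: ProofOutcome = {
    use_limit_span_present: has("use_limit"),
    warrant_label_span_present: has("warrant_label"),
    source_sandbox_span_present: has("source_sandbox"),
    reference_only_substantive_text_absent: p.posture !== "reference_only" || !leaked,
    blocking_lints: [],
    positive_learning_credit: false,
  };
  // Assumed: every product in this example requires a use-limit span.
  if (!out.use_limit_span_present) out.blocking_lints.push("prompt.use_limit_span_missing");
  if (p.source_sandbox_required && !out.source_sandbox_span_present) {
    out.blocking_lints.push("source_sandbox_span_missing"); // hypothetical code
  }
  if (!out.reference_only_substantive_text_absent) {
    out.blocking_lints.push("notice.reference_only_contains_summary"); // mapping assumed
  }
  // Unsafe delivery earns no positive learning credit.
  out.positive_learning_credit = out.blocking_lints.length === 0;
  return out;
}

// Constructed sample: a reference-only notice, label at 0-40, use-limit text at 40-120.
const REF_ONLY: RenderedProduct = {
  posture: "reference_only",
  source_sandbox_required: false,
  spans: [
    { kind: "warrant_label", start: 0, end: 40 },
    { kind: "use_limit", start: 40, end: 120 },
  ],
};
```

Calling `evaluateRender(REF_ONLY, [{ start: 0, end: 80 }])` reproduces fixture D-17: the label survives, the use-limit span is cut mid-text, and no credit is awarded.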
### 9.3 Dynamic header ledger
KV-cache optimization must not lock stale policy text.
```ts
type DynamicHeaderLedger = {
  ledger_id: string;
  stable_header_refs: ContentReference[];
  volatile_header_refs: ContentReference[];
  policy_generation_id: string;
  cache_reuse_allowed: boolean;
  cache_flush_required: boolean;
  reason_codes: ReasonCode[];
};
```
Rules:
```text
Stable, immutable constraints may be front-loaded for cache reuse.
Volatile policy/scope warnings must either render in a dynamic tier or force an explicit cache flush on policy boundary crossing.
```
---
## 10. Null results and source deletion
### 10.1 NullResult population proof
Round D found NullResult needs population/version proof.
```ts
type NullResultMemory = {
  null_result_id: string;
  searched_for: string;
  searched_scope_refs: ContentReference[];
  search_method: string;
  coverage_quality: "low" | "medium" | "high";
  time_of_search: ISO8601;
  recheck_after?: ISO8601;
  scope_population_generation_id: string;
  source_index_generation_id?: string;
  materialization_snapshot_ref?: MaterializationSnapshotRef;
  policy_generation_id: string;
  access_set_hash: string;
  excluded_count_disclosure: "none" | "count_only" | "count_and_reason_classes";
  not_searched_reason_codes?: ReasonCode[];
  use_warrant: "search_only" | "orientation_only" | "verify_before_use";
  absence_claim_allowed: boolean;
  reason_codes: ReasonCode[];
  schema_version: 1;
};
```
Rules:
```text
No eligible material found is different from material exists but is blocked.
A NullResultMemory stales when scope population, source index generation, materialization snapshot, policy generation, or access set changes.
```
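The staleness rule above as an added example (not project code): any anchor that differs from the current state, including one present on only one side, marks the result stale and withdraws the absence claim. Refs are reduced to strings, and `PopulationAnchors`, `checkNullResult`, the `recheck_after_elapsed` reason and the sample IDs are assumptions.

```typescript
// Added example. Anchor field names are from NullResultMemory on the page;
// the status name follows fixture D-15. Everything else is assumed.
interface PopulationAnchors {
  scope_population_generation_id: string;
  source_index_generation_id?: string;
  materialization_snapshot_ref?: string;
  policy_generation_id: string;
  access_set_hash: string;
}
interface NullResultRecord extends PopulationAnchors {
  recheck_after?: string; // ISO8601
  absence_claim_allowed: boolean;
}
interface Freshness {
  status: "fresh" | "stale_possible";
  changed: string[];
  may_claim_absence: boolean;
}

const ANCHOR_FIELDS: (keyof PopulationAnchors)[] = [
  "scope_population_generation_id",
  "source_index_generation_id",
  "materialization_snapshot_ref",
  "policy_generation_id",
  "access_set_hash",
];

function checkNullResult(nr: NullResultRecord, current: PopulationAnchors, nowIso: string): Freshness {
  const changed: string[] = [];
  for (const f of ANCHOR_FIELDS) {
    // An anchor missing on one side only is also a change: the recorded
    // population proof no longer describes what a new search would cover.
    if (nr[f] !== current[f]) changed.push(f);
  }
  if (nr.recheck_after !== undefined && Date.parse(nowIso) >= Date.parse(nr.recheck_after)) {
    changed.push("recheck_after_elapsed");
  }
  const stale = changed.length > 0;
  return {
    status: stale ? "stale_possible" : "fresh",
    changed: changed,
    // The recorded flag can only be narrowed here, never widened.
    may_claim_absence: !stale && nr.absence_claim_allowed,
  };
}

// Constructed sample: a null result, then the state after a new Library source is added.
const NULL_RESULT: NullResultRecord = {
  scope_population_generation_id: "pop-7",
  source_index_generation_id: "idx-3",
  policy_generation_id: "pol-12",
  access_set_hash: "h-aaa",
  recheck_after: "2026-07-01T00:00:00Z",
  absence_claim_allowed: true,
};
const AFTER_NEW_SOURCE: PopulationAnchors = {
  scope_population_generation_id: "pop-8",
  source_index_generation_id: "idx-4",
  policy_generation_id: "pol-12",
  access_set_hash: "h-aaa",
};
```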
### 10.2 Cascading source invalidation
Round D found a hard edge case: deleted/clawed-back sources.
```ts
type CascadingSourceInvalidation = {
  invalidation_id: string;
  source_ref: SourceRef;
  invalidation_kind: "hard_delete" | "privilege_clawback" | "retention_expiry" | "source_withdrawn" | "source_replaced";
  affected_evidence_edges: EvidenceSupportEdgeRef[];
  affected_assertion_variants: AssertionVariantRef[];
  required_variant_transition: "retired" | "audit_only" | "verify_before_use";
  doc24_bar_inline_render: boolean;
  reason_codes: ReasonCode[];
  schema_version: 1;
};
```
Rule:
```text
If an AssertionVariant loses its last active support edge due to hard deletion, privilege clawback, or retention-expiry deletion, it may not merely degrade to orientation/search. It must transition to retired or audit_only unless another active lawful support edge exists.
```
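An added example (not project code) of computing the cascade for one invalidated source: each variant that loses its last active support edge to a destructive invalidation goes straight to `retired` or `audit_only`, and a variant with another active edge is left alone. `SupportEdge`, `planInvalidation`, the `auditRetention` flag, and the `verify_before_use` handling of `source_withdrawn` / `source_replaced` are assumptions.

```typescript
// Added example. Kind and transition values are from the page; the edge shape,
// function name and auditRetention flag are assumed.
type InvalidationKind =
  | "hard_delete" | "privilege_clawback" | "retention_expiry" | "source_withdrawn" | "source_replaced";
type VariantTransition = "retired" | "audit_only" | "verify_before_use";

interface SupportEdge { edge_id: string; variant_id: string; source_id: string; active: boolean }
interface VariantOutcome {
  variant_id: string;
  required_variant_transition: VariantTransition | null; // null: other active support remains
  doc24_bar_inline_render: boolean;
}
interface InvalidationPlan { affected_evidence_edges: string[]; outcomes: VariantOutcome[] }

const DESTRUCTIVE: InvalidationKind[] = ["hard_delete", "privilege_clawback", "retention_expiry"];

function planInvalidation(
  edges: SupportEdge[], sourceId: string, kind: InvalidationKind, auditRetention: boolean
): InvalidationPlan {
  // Only edges that were still active can be affected.
  const hit = edges.filter(e => e.active && e.source_id === sourceId);
  const plan: InvalidationPlan = { affected_evidence_edges: hit.map(e => e.edge_id), outcomes: [] };
  const seen: Record<string, boolean> = {};
  for (const e of hit) {
    if (seen[e.variant_id]) continue;
    seen[e.variant_id] = true;
    const stillSupported = edges.some(
      o => o.variant_id === e.variant_id && o.active && o.source_id !== sourceId
    );
    let transition: VariantTransition | null;
    if (stillSupported) {
      transition = null;
    } else if (DESTRUCTIVE.indexOf(kind) >= 0) {
      // Last support destroyed: no gradual degradation to orientation/search.
      transition = auditRetention ? "audit_only" : "retired";
    } else {
      // Assumed handling for source_withdrawn / source_replaced.
      transition = "verify_before_use";
    }
    plan.outcomes.push({
      variant_id: e.variant_id,
      required_variant_transition: transition,
      doc24_bar_inline_render: !stillSupported, // assumed for the non-destructive kinds
    });
  }
  return plan;
}

// Constructed sample graph: v1 has two sources, v2 only s1, v3's s1 edge is already inactive.
const EDGES: SupportEdge[] = [
  { edge_id: "e1", variant_id: "v1", source_id: "s1", active: true },
  { edge_id: "e2", variant_id: "v1", source_id: "s2", active: true },
  { edge_id: "e3", variant_id: "v2", source_id: "s1", active: true },
  { edge_id: "e4", variant_id: "v3", source_id: "s1", active: false },
  { edge_id: "e5", variant_id: "v3", source_id: "s3", active: true },
];
```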
---
## 11. Review queue triage
### 11.1 Problem fixed
Deep ingestion can generate hundreds of review items. Raw review queues become UI gridlock.
### 11.2 Batch triage
```ts
type ReviewQueueBatch = {
  batch_id: string;
  grouped_entry_refs: ReviewQueueEntryRef[];
  grouping_basis:
    | "same_review_kind"
    | "same_canonical_question"
    | "same_source_parse_failure"
    | "same_dedupe_conflict"
    | "same_policy_issue"
    | "same_scope_uncertainty";
  representative_summary_ref: SafeReferenceLabelRef;
  blocking_count: number;
  nonblocking_count: number;
  recommended_batch_action:
    | "review_now"
    | "degrade_all_to_reference_only"
    | "degrade_all_to_search_only"
    | "archive_nonblocking"
    | "route_to_domain_review";
  expires_at?: ISO8601;
  schema_version: 1;
};
```
Rules:
```text
Nonblocking review items may auto-archive after TTL into their most conservative safe state.
Blocking safety/policy/source-grounding items do not auto-promote.
Batch cards must use safe labels and obey disclosure policy.
```
---
## 12. Topic future-watch budgets
### 12.1 Problem fixed
A static `IngestionCostBudget` is insufficient for future streams.
### 12.2 Velocity-gated budget
```ts
type TopicCollectionDirectiveBudget = {
  directive_ref: TopicCollectionDirectiveRef;
  budget_mode: "one_time_backfill" | "recurring_epoch" | "future_stream";
  max_llm_calls_per_epoch?: number;
  max_input_tokens_per_epoch?: number;
  epoch_window: "hour" | "day" | "week" | "month";
  velocity_threshold:
    | "low"
    | "medium"
    | "high"
    | "unbounded_requires_review";
  on_budget_exceeded:
    | "pause_directive"
    | "degrade_to_observe_only"
    | "degrade_to_extract_candidate"
    | "cluster_then_sample"
    | "ask_user";
  last_epoch_usage_ref?: UsageRecordRef;
  schema_version: 1;
};
```
Rules:
```text
A future-watch directive over a high-velocity stream must not hard-fail silently after draining a static budget.
It must degrade, cluster/sample, pause visibly, or ask the user according to budget policy.
```
---
## 13. MemoryCoordinationTrace restored
Round D found the patch carried the three plans but dropped the trace connecting them.
```ts
type MemoryCoordinationTrace = {
  trace_id: string;
  request_ref: RequestRef;
  surface_ref?: SurfaceRef;
  source_refs: SourceRef[];
  scope_resolution_ref: ScopeResolutionTraceRef;
  policy_generation_id: string;
  extraction_plan_ref?: ExtractionContextPlanRef;
  memory_context_plan_ref?: MemoryContextPlanRef;
  user_surface_plan_ref?: UserContextSurfacePlanRef;
  doc24_manifest_refs?: string[];
  kda_patch_refs?: string[];
  final_prompt_manifest_ref?: string;
  context_packet_proof_ref?: ContextPacketProofRef;
  memory_flow_certificate_refs?: MemoryFlowCertificateRef[];
  learning_event_refs?: string[];
  schema_version: 1;
};
```
Rules:
```text
Inspector “why included / why excluded / why not remembered” is backed by MemoryCoordinationTrace.
“Why not remembered” must be able to reach ExtractionContextPlan and policy/source admissibility, not only MemoryContextPlan.
```
---
## 14. Round D fixtures
Add these to `05_Worked_Examples_and_Fixtures.md` or the V5 fixture appendix.
### D-1 — Dimensional policy meet
Object has three contributing policy decisions:
```text
retrieve allowed;
render_inline blocked;
render_reference_only allowed;
export blocked;
learning same_scope_only.
```
Expected:
```text
EffectiveMemoryPolicy preserves all dimensions independently.
No scalar ranked union may collapse the result.
```
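An added example (not project code) of the per-dimension meet this fixture exercises, using the restrictiveness orders declared in 0A.1. The `Decision` shape, the function names, the fail-closed handling of undeclared values, and the mapping of the fixture's outcomes onto dimension values in `D1` are assumptions.

```typescript
// Added example. The five orders are copied from 0A.1 (most restrictive first);
// the Decision shape, function names and sample decisions are assumed.
const ORDER = {
  content_fidelity: ["none", "redacted", "reference_only", "full"],
  locality: ["blocked", "local_only", "approved_external"],
  learning_scope: ["none", "same_scope_only", "partitioned", "global_allowed"],
  mutation_authority: ["none", "candidate_only", "durable_allowed"],
  disclosure_class: ["not_disclosable", "disclosable_label_only", "disclosable"],
};
type Dimension = keyof typeof ORDER;
type Decision = Record<Dimension, string>;
const DIMENSIONS = Object.keys(ORDER) as Dimension[];

interface MeetResult { effective: Decision; conflicts: string[] }

function meet(decisions: Decision[]): MeetResult {
  const effective = {} as Decision;
  const conflicts: string[] = [];
  for (const dim of DIMENSIONS) {
    const order = ORDER[dim];
    // No contributing decision: fail closed to the most restrictive value.
    let lowest = decisions.length === 0 ? 0 : order.length - 1;
    for (const d of decisions) {
      let rank = order.indexOf(d[dim]);
      if (rank < 0) {
        // Undeclared value: report it and fail closed for this dimension.
        conflicts.push(dim + ":" + d[dim]);
        rank = 0;
      }
      if (rank < lowest) lowest = rank;
    }
    effective[dim] = order[lowest];
  }
  return { effective: effective, conflicts: conflicts };
}

// True when the meet equals one contributing decision, i.e. when a scalar
// "pick the strictest decision" rule could have produced the same result.
function matchesSingleInput(result: Decision, decisions: Decision[]): boolean {
  return decisions.some(d => DIMENSIONS.every(dim => d[dim] === result[dim]));
}

// Constructed sample: three contributing decisions, each strict on a different dimension.
const D1: Decision[] = [
  { content_fidelity: "full", locality: "local_only", learning_scope: "global_allowed",
    mutation_authority: "durable_allowed", disclosure_class: "disclosable" },
  { content_fidelity: "reference_only", locality: "approved_external", learning_scope: "partitioned",
    mutation_authority: "durable_allowed", disclosure_class: "disclosable" },
  { content_fidelity: "full", locality: "approved_external", learning_scope: "same_scope_only",
    mutation_authority: "candidate_only", disclosure_class: "disclosable_label_only" },
];
```

For `D1` the meet is `reference_only` / `local_only` / `same_scope_only` / `candidate_only` / `disclosable_label_only`, which matches none of the three inputs, so no ranking of whole decisions can reproduce it.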
### D-2 — Disclosure meet / not-disclosable suppression
Relevant protected material exists, but `effective_disclosure_class = not_disclosable`.
Expected:
```text
No BlockedScopeNotice confirming existence.
No count/title/topic/source.
Disposition = suppressed_manifest_only.
```
### D-3 — Inspector no-leak
Henderson prompt excludes Marex privileged material.
Expected:
```text
Inspector shows only safe generic label if ui_disclose permits; otherwise hides existence.
No source title, client/matter name, count, or strategy characterization.
```
### D-4 — Unclassified privileged source
Privileged memo is ingested before classification or with missed tags.
Expected:
```text
Unknown/cross scope + protected active scope or unclassified source → fail closed.
No reliance on candidate tag correctness.
```
### D-5 — Cross-scope relation traversal
`AssertionRelationEdge.analogous_to` crosses firewalled matters.
Expected:
```text
Related variant suppressed unless policy permits safe disclosure.
No comparison injection across firewall.
```
### D-6 — Export stamp missing destination
`valid_for_actions` includes export but `valid_for_destinations` is empty.
Expected:
```text
Schema/lint failure.
```
### D-7 — Command closure
Visible UI action lacks command, route, or degraded no-op receipt.
Expected:
```text
Lint failure.
```
### D-8 — Project-off retrieval
No Project active. User asks a memory-relevant question.
Expected:
```text
Retrieval works through prompt/entities/episodes/Topics/Libraries/graph/directives.
No degraded receipt solely because no Project is active.
```
### D-9 — Project paused capture
Project paused, user asks unrelated question.
Expected:
```text
No aggressive project capture or durable project_id write.
Visible paused indicator may remain.
```
### D-10 — Auto-link quarantine
High-confidence project inference on protected matter-scoped chat.
Expected:
```text
auto_link_state = suggested_only or active_quarantined.
No elevated durable capture until user accepts or policy-safe grace resolution clears.
```
### D-11 — Cross-project explicit search
User in Project A asks “search all matters/projects.”
Expected:
```text
UI shows expanded search scope.
Project mode is not mutated.
Each result gets per-item policy/disclosure meet.
Blocked material uses safe labels or suppression.
```
### D-12 — Task handoff from Project-mode chat
Project-mode chat spawns background task.
Expected:
```text
Task does not inherit Project mode by default.
If user opts in, task receives explicit task_scope_envelope.
Task_handoff stamp does not imply external_llm carryover stamp.
```
### D-13 — SearchAffordance no-route / blocked route
Topic Notice advertises more context, but route is unavailable or fully blocked.
Expected:
```text
No model-callable affordance.
UI hint only or degraded suggestion according to preflight.
```
### D-14 — Policy restamp propagation
Policy generation changes after retrieval but before render/export/carryover.
Expected:
```text
PolicyStampInvalidation emitted.
PriorDeliveryLedger/KV cache cannot reuse stale policy result.
Context product and carryover eligibility downgrade or block.
```
### D-15 — NullResult stale population
High-coverage null result exists. New Library source added.
Expected:
```text
NullResultMemory becomes stale_possible / verification_required.
No absence claim until population rechecked.
```
### D-16 — Cascading source invalidation
Assertion relies entirely on a source later hard-deleted or clawed back.
Expected:
```text
AssertionVariant retires or becomes audit_only.
DOC24 barred from inline injection.
Standard gradual degradation ladder is bypassed.
```
### D-17 — Reference-only final-prompt trimming
Reference-only label survives but use-limit text is trimmed.
Expected:
```text
RenderSafetyProof marks unsafe delivery.
No positive safe-reference utility credit.
```
### D-18 — Policy disambiguation safe question
Scope ambiguous with protected candidate.
Expected:
```text
Question uses safe generic wording only.
No object/scope/source title unless disclosure meet permits.
```
### D-19 — Topic future-watch runaway budget
Topic watches high-velocity corpus/source stream.
Expected:
```text
Velocity-gated budget triggers degrade/cluster/sample/pause/ask_user, not silent budget death.
```
### D-20 — Review queue gridlock
Deep Library ingestion creates many review items.
Expected:
```text
ReviewQueueBatch groups items; nonblocking items can auto-archive into safe degraded state; blocking items remain held.
```
---
## 15. Round D lints
```text
policy.scalar_ranked_union_used → error
policy.bare_render_action_used → error
policy.memory_policy_ref_unresolved → error
policy.obligation_undefined → error
policy.stamp_scope_export_without_destination → error
policy.ask_user_scalar_result_used → error
policy.restamp_grants_access → error
scope.required_policy_action_emitted_by_scope → error
scope.relation_enum_drift → error
scope.identity_equivalence_container_missing → error
scope.uncertain_no_threshold → error
scope.fail_closed_requires_candidate_tag_only → error
scope.relation_traversal_without_policy → error
ui.visible_action_without_command_route_or_noop → error
ui.parallel_action_command_arrays → error
ui.hidden_ref_without_disclosure_class → error
ui.inspector_leaks_protected_identity → error
ui.disabled_action_without_safe_label → error
notice.not_disclosable_renders_blocked_notice → error
notice.reference_only_contains_summary → error
notice.safe_label_derived_from_protected_content → error
search.affordance_no_registered_route → error
search.affordance_cross_firewall_auto_pull → error
project.active_overrides_policy → error
project.paused_keeps_active_capture → error
project.no_project_degrades_retrieval → error
project.auto_link_enables_sensitive_capture → error
carryover.uses_retrieve_stamp_for_external → error
dams.exceeds_eligibility_ceiling → error
dams.suppresses_mandatory_warning → error
prompt.use_limit_span_missing → error
prompt.blocked_notice_leaks_title_or_count → error
source.hard_deleted_support_retained_as_fact → error
null_result.population_changed_without_stale → error
review.raw_queue_over_threshold_without_batching → warning
```
---
## 16. Accept / modify / reject / defer
### 16.1 Accept
```text
Scope identifies boundary; policy decides crossing.
Project mode is optional and per-surface.
No Focus / Work Scope visible primitive.
BlockedScopeNotice and ReferenceOnlyNotice are distinct.
Reference-only is not compact rendering.
Project mode may bias retrieval/capture but cannot override policy/scope/truth.
DAMS is salience/capacity prior only.
Final-prompt proof gates learning.
```
### 16.2 Modify / repair now
```text
Replace scalar policy with dimensional MemoryPolicyDecision + EffectiveMemoryPolicy.
Add capability meet and disclosure meet.
Add PolicyObligation, PolicyStamp, PolicyStampInvalidation, EpisodePolicyEpoch.
Restore MemoryCoordinationTrace.
Normalize scope vocabulary and restore ScopeIdentityRoot/Equivalence/Container.
Change ScopeResolutionResult required_policy_action to minimum_conservatism_floor.
Fail closed on either-side sensitivity and unclassified sources.
Make AvailabilityDisposition core.
Replace UI parallel arrays with VisibleContextActionSpec.
Make Inspector policy-gated.
Define safe labels from approved vocabulary.
Add SearchAffordance state/preflight.
Add Project-mode delta table, including transition/auto-link/cross-search/task handoff.
Add DAMS eligibility ceiling and contamination veto.
Add RenderSafetyProof.
Add cascading source invalidation and review-queue batching.
```
### 16.3 Reject
```text
Two parallel policy-decision objects.
Scalar PolicyMembraneDecision.result as effective policy.
Scope deciding allow/block/export/render.
UI-visible raw scope internals by default.
Hidden Focus / Work Scope.
Project mode as global state.
Project membership as truth or required retrieval precondition.
Reference-only compact summaries.
Blocked notices that confirm non-disclosable existence.
Search affordances without real policy-checked routes.
DAMS using omission/contamination scores to bypass policy.
BDSM/DOC8 learning truth or policy.
```
### 16.4 Defer, but keep explicit
```text
Exact omission_cost formula.
Exact contamination_risk formula, except threshold-veto rule lands now.
Exact UI strings for safe labels.
Exact OP-A row IDs.
Full Corpus/Library hierarchy, unless needed for Round E.
Cold-start details beyond fixture coverage.
Full DOC24/KDA RenderBundle co-design, except safety/proof requirements land now.
```
---
## 17. Round D close-audit coverage
### 17.1 Claude coverage
Captured:
```text
parallel policy-decision type bug;
dimensional meet requirement;
PolicyObligation undefined;
classify/inspect actions;
PolicyStampInvalidation;
EpisodePolicyEpoch;
MemoryCoordinationTrace;
policy scalar collapse on extraction side;
warrant vs policy separation;
PriorDeliveryLedger/KV cache stale policy bug;
ContextProductArbitrationMatrix vs disclosure_class interaction;
determinism inputs missing DAMS/score generations;
Project transition case;
PolicyStampScope destination requirement;
UserContextSurfacePlan typed indicators/action bindings;
Inspector leak channel;
candidate-tag-only fail-closed bug;
BlockedScopeNotice existence leak;
AssertionRelationEdge scope traversal;
safe label provenance;
Project membership inert when no Project active;
Project-mode delta table;
fixture and lint set.
```
### 17.2 ChatGPT coverage
Captured:
```text
policy plane separate but incomplete;
dimensional capability meet;
separate disclosure meet;
ask_user as deferred disambiguation;
destination-relative scope resolution;
Project active capture wording;
auto-link quarantine;
UI command closure proof;
AvailabilityDisposition mandatory on considered items;
NullResult population/version proof;
SearchAffordance autonomy state machine;
DAMS policy clamp and contamination veto;
RenderSafetyProof;
Project-mode task handoff;
cross-project explicit search;
OP-A candidate rows should become required landing obligations;
additional fixtures.
```
### 17.3 Gemini coverage
Captured:
```text
dimensional meet;
SearchAffordance autonomy thresholds;
Project-mode delta table;
policy meet collision fixture;
safe-label fixture;
action-scoped stamp fixture;
UI command closure fixture;
cascading source deletion / epistemic void;
affordance preflight / agentic dead-end loop;
contamination threshold/veto math;
KV cache volatility;
Topic future-watch runaway budgets;
review queue UI gridlock.
```
### 17.4 Grok coverage
Captured where useful:
```text
formal PolicyMeet;
UI-disclosure obligations;
ScopeRelation feeds warrant/effective policy;
ContextProductArbitrationMatrix as deterministic DOC24 table;
PromptTextPackage / PromptShellRegistry / PromptTextLintSuite promoted;
PrimaryRenderBinding and render-binding learning target;
MemoryFlowCertificate vs ContextPacketProof retained;
three fixture additions for policy drift, relation edge conflict, and Notice→Slice paging.
```
Grok's “ready for spec” disposition is not accepted. The stricter Round D reviewers identified build-blocking policy/scope/UI mechanics that must be patched before proceeding.
---
## 18. Review instruction for Round D regression
Send this micro-patch to the Round D reviewers with the following short prompt:
```text
Review 13_Round_D_Policy_Scope_UI_Micro_Patch_R0_1.md as a regression patch to the ABC Structural Patch R0.2.
Questions:
1. Does this resolve the Round D blockers on policy, scope, UI, Inspector safety, Project optionality, SearchAffordance autonomy, and policy/scope leakage?
2. Does it accidentally add unnecessary bloat or duplicate owner systems?
3. Are any major Round D findings still missing or mishandled?
4. If only minor edits remain, say whether we can proceed to Round E Flattening Plan review.
Do not re-review the full concept model. Focus on whether the Round D blockers are closed.
```
---
## 19. Additional close-audit fixes from Round D deeper passes
This section records items found during the close audit that are not naturally housed in the earlier sections but must be preserved.
### 19.1 Reconcile against the adjudication delta
Round D found that R0.2's close audit compared mainly against A/B/C mechanisms, not against the adjudication delta's accepted policy objects. This patch restores or explicitly addresses those objects:
| Adjudicated object | R0.1 treatment |
|---|---|
| `MemoryPolicyDecision` | Restored as canonical dimensional policy decision. |
| `PolicyObligation` | Restored and concretized. |
| `PolicyStamp` | Restored. |
| `PolicyStampInvalidation` | Restored. |
| `ScopeMembrane` | Replaced by `ScopeBoundary` + `EffectiveMemoryPolicy`; `ScopeMembrane` must not own allow/block decisions. |
| `EpisodePolicyEpoch` | Restored. |
| `MemoryCoordinationTrace` | Restored. |
Rule:
```text
Any future V5 patch that renames or drops an adjudicated object must explicitly list the old name, new name, rationale, and migration effect.
```
### 19.2 Extraction-side policy use
`ExtractionRouteContext.policy_decision_ref` must not be singular when extraction spans multiple actions.
```ts
type ExtractionRoutePolicyEnvelope = {
  route_context_ref: ExtractionRouteContextRef;
  effective_policies: Partial<Record<MemoryPolicyAction, EffectiveMemoryPolicyRef>>;
  required_actions: MemoryPolicyAction[]; // usually collect/extract/classify/write_candidate/write_durable/learn_*
  policy_generation_id: string;
  schema_version: 1;
};
```
Rules:
```text
collect approval does not imply extract approval.
extract approval does not imply durable write approval.
write_candidate approval does not imply write_durable approval.
learning approval is separately computed and may be none/audit-only even when extraction is allowed.
```
### 19.3 Warrant is not policy
`EffectiveWarrant` governs epistemic use only.
```text
A warrant of assert/hedge/verify_before_use never authorizes export, carryover, delegation, learning, inspection, UI disclosure, or rendering posture.
Every movement or disclosure action must consult EffectiveMemoryPolicy directly.
```
A consumer that gates export/carryover/delegation on `EffectiveWarrant` instead of `EffectiveMemoryPolicy` fails lint.
### 19.4 Context-product arbitration precedence
Round D found a possible disagreement between product priority lists and cross-scope safety rows.
Rule:
```text
Disclosure policy and mandatory safety products run before ordinary ContextProductArbitrationMatrix ranking.
```
Precedence:
```text
1. EffectiveMemoryPolicy capability/disclosure meet.
2. Mandatory policy/scope products: suppression, blocked notice, reference-only notice, warnings.
3. Product arbitration for eligible products.
4. DAMS salience/capacity prior inside the eligibility ceiling.
5. Token budget/degradation.
```
If `effective_disclosure_class = not_disclosable`, the arbitration matrix must not select `blocked_scope_notice`, because that would disclose existence.
### 19.5 MemoryContextPlan determinism inputs
Round D found that determinism claims omitted DAMS and score generations.
Add to `MemoryContextPlan` determinism anchors:
```ts
type MemoryContextPlanDeterminismInputs = {
  considered_candidates_hash: string;
  policy_generation_id: string;
  bdsm_bundle_generation_id: string;
  context_compiler_generation_id: string;
  scope_resolution_ref: ScopeResolutionTraceRef;
  budget_ref: PacketTokenBudgetRef;
  prior_delivery_ledger_ref: PriorDeliveryLedgerRef;
  dams_generation_id: string;
  omission_score_generation_id: string;
  contamination_score_generation_id: string;
};
```
Rule:
```text
A MemoryContextPlan is deterministic only relative to all listed generation IDs. Any change to DAMS, omission scoring, contamination scoring, policy, or prior delivery invalidates the plan.
```
### 19.6 Paused-project inherited scope flag
Add to `ScopeResolutionResult`:
```ts
active_scope_inherited_from_paused_project?: boolean;
```
Rule:
```text
If active_scope_inherited_from_paused_project = true, project relation may be used as weak orientation/search context only. It may not drive aggressive capture, durable project_id tagging, or elevated injection without explicit user action or policy-safe confirmation.
```
### 19.7 Required UI surfaces
The following user-visible surfaces must have contracts before implementation handoff:
```text
Review queue / review batch card
Policy restamp panel
Blocked-item explanation panel
Privacy / policy banner
Project auto-link quarantine chip
Cross-project search expansion chip
Task handoff scope envelope confirmation
```
Each surface must define:
```text
loading state;
empty state;
degraded state;
error state;
command or route;
telemetry event;
read-model refresh;
safe-label policy;
Inspector behavior.
```
### 19.8 Owner-doc landing obligations
The following are required owner-doc landing obligations before implementation handoff, even if final OP-A row IDs are assigned later:
```text
DOC24: context-product arbitration and placement.
DOC24: PromptTextPackage / final prompt span references.
DOC24: considered-item ledger / why included-excluded-not-remembered surface.
KDA: reference-only safe-label rendering and blocking lints.
KDA: RenderSafetyProof / render-lint output.
PropA/EC: blocked-label disclosure safety and dimensional policy meet.
DOC11/OpenClaw: final-prompt shell/use-limit span proof and truncation feedback.
BDSM/DOC8: prompt-shell utility and context-product utility gated by final-prompt spans.
DOC20/Q: command-closed UI controls and Inspector safe-label filtering.
DOC23: task handoff scope envelope and project-mode inheritance rule.
```
### 19.9 Corpus / Library hierarchy status
Round D noted Corpus/Library hierarchy but did not require fixing it in this micro-patch.
Current disposition:
```text
Library remains the user-visible source collection.
Corpus / SourceCollection / CorpusIndex remains internal ingestion/materialization state.
This remains deferred to the flattening/source-plane work unless Round E finds it blocks migration.
```
### 19.10 Safe source labels for deleted/clawed-back material
Cascading source invalidation may itself become a disclosure event. If the deleted source is protected, user-visible explanation must be safe-labeled.
```text
Allowed: “Some prior support for this item is no longer available under current source-retention or access rules.”
Forbidden unless disclosure permits: “The Marex privileged memo was clawed back.”
```
---
## 20. Round D regression pass criteria
A regression reviewer should mark this micro-patch as sufficient if:
```text
1. There is one canonical dimensional policy object and effective meet.
2. Disclosure is separated from capability.
3. Policy stamps, invalidations, obligations, and episode epochs are concrete.
4. Scope vocabulary is normalized and restored.
5. Scope does not decide policy.
6. Fail-closed works when either side is sensitive or classification is unknown.
7. Inspector and UI controls are command-closed and safe-label gated.
8. Project mode remains optional and transition-safe.
9. SearchAffordance is preflighted and non-phantom.
10. DAMS cannot bypass policy or mandatory warnings.
11. Final-prompt/render proof includes use-limit/safe-label survival.
12. Round D fixtures and lints cover the found failure modes.
```