11 KiB
Edge Sync Artifact Contract
Status: Design contract
Builds on: docs/architecture/edge-s3-persistence.md
Scope: Artifact classes, manifest shape, authority boundaries, sync failure semantics, and future proof obligations for CORE edge/cloud synchronization.
Non-goal: This document does not introduce a runtime dependency on S3/object storage and does not implement a sync client.
Purpose
The S3 persistence architecture defines where cloud/object storage belongs:
Edge = thinking, acting, refusing, remembering hot.
S3 = preserving, auditing, syncing, distributing, training cold.
This contract defines what is allowed to cross that boundary and what authority, if any, each artifact has after crossing.
The load-bearing invariant:
Downloaded != activated.
Activated != coherent.
Signed != true.
Integrity, provenance, epistemic status, and runtime authority are separate axes. They must never collapse into one another.
Core rule
S3-compatible storage may preserve and distribute artifacts. It does not grant epistemic admissibility.
Any artifact imported from cloud/object storage enters CORE under the same truth-seeking schema as any other input:
- malformed or absent epistemic status defaults to speculative;
- source prestige, fleet frequency, or signature presence is not coherence;
- runtime-affecting artifacts require signature/hash/schema verification before activation;
- learning artifacts may inform sealed practice, but do not mutate serving knowledge directly;
- serving evidence still requires the reviewed/proven mutation path.
Artifact classes
Each artifact class has a fixed authority profile. Implementations may add fields, but they must not weaken these defaults without a follow-on ADR or explicitly ratified contract update.
| Artifact class | Runtime-affecting | Hot-path allowed | Signature required | Review/proof required before serving influence | Epistemic default |
|---|---|---|---|---|---|
trace |
No | No | Recommended | No; audit input only | speculative |
replay_bundle |
No | No | Recommended | No; audit/proof input only | speculative |
sealed_eval_result |
No | No | Recommended | Yes, before claims/promotion | speculative |
fleet_observation_batch |
No | No | Recommended | Yes, before evidence use | speculative |
curriculum_bundle |
No direct effect | No | Required if distributed to devices | Yes, before pack/runtime mutation | speculative |
pack_release |
Yes | Pull-only, activation-gated | Required | Yes; release process must prove/review | as manifest declares, never implicit |
policy_release |
Yes | Pull-only, activation-gated | Required | Yes; release process must prove/review | as manifest declares, never implicit |
modality_compiler_release |
Yes | Pull-only, activation-gated | Required | Yes; compiler changes are runtime-affecting | as manifest declares, never implicit |
cold_vault_snapshot |
Yes during explicit restore | No live hot path | Required | Yes; restore is an activation event | preserved per entry, malformed => speculative |
Prohibited implication
No artifact class may imply:
stored in S3 => reviewed
signed => true
downloaded => active
popular => coherent
fleet-seen => admissible
Manifest schema
Every artifact that is distributed or consumed by automation should have a manifest. Runtime-affecting artifacts must have one.
Minimal manifest:
{
"schema_version": 1,
"artifact_id": "...",
"artifact_type": "pack_release",
"artifact_version": "...",
"created_at_utc": "...",
"producer": {
"type": "human|runtime|ci|fleet_aggregator",
"id": "..."
},
"content": {
"uri": "s3://bucket/path/object.zst",
"digest": "sha256:...",
"size_bytes": 0,
"compression": "zstd|none",
"media_type": "application/jsonl|application/zstd|application/octet-stream"
},
"authority": {
"runtime_affecting": true,
"hot_path_allowed": false,
"requires_signature": true,
"requires_activation": true,
"requires_review_or_proof": true
},
"epistemic": {
"default_status": "speculative",
"admissible_as_evidence": false,
"promotion_required": true
},
"compatibility": {
"min_runtime_version": "...",
"max_runtime_version": null,
"requires_capabilities": []
},
"provenance": {
"source_trace_ids": [],
"source_eval_run_ids": [],
"source_pack_digests": []
},
"signature": {
"algorithm": "...",
"key_id": "...",
"signature": "..."
}
}
Required manifest checks
Before a runtime-affecting artifact may be activated, the edge runtime or release manager must verify:
- manifest schema version is supported;
- artifact type is known;
- content digest matches downloaded bytes;
- signature is valid for the manifest and/or content according to release policy;
- runtime compatibility is satisfied;
- artifact class authority profile is not weakened by the manifest;
- activation is recorded as an auditable trace;
- previous verified release remains available for rollback where applicable.
Activation contract
A downloaded object is inert until activated.
Activation is the explicit transition:
downloaded + verified + compatible + authorized => active local release
Activation does not mean the artifact's claims are automatically COHERENT. It means the artifact is now allowed to participate according to its artifact class.
Examples:
- A
pack_releasemay contain coherent entries only where the pack itself declares and proves the review status required by pack policy. - A
policy_releasemay constrain actions after activation, but the signature only proves the policy bundle came from an authorized release process. - A
fleet_observation_batchremains speculative learning input even when signed and downloaded. - A
cold_vault_snapshotpreserves per-entry epistemic statuses; malformed or missing statuses default to speculative.
Sync failure semantics
Sync failures must preserve edge safety.
| Failure | Required behavior |
|---|---|
| S3 unavailable | Continue local operation using last verified local state. |
| Upload failure | Retain local journal for retry; do not block hot path. |
| Download failure | Keep current active release; do not partially activate. |
| Hash mismatch | Reject object; log trace; keep current active release. |
| Invalid signature | Reject object; log trace; keep current active release. |
| Unknown artifact type | Reject unless explicitly configured as non-runtime archival input. |
| Unsupported schema | Reject or quarantine; never activate silently. |
| Compatibility failure | Reject activation; keep current active release. |
| Partial download | Discard or quarantine; never activate. |
| Clock skew | Do not grant authority based solely on local time; preserve trace. |
Authority model
Artifacts have four independent authority axes:
- Integrity — bytes match digest/signature.
- Compatibility — runtime can safely parse and understand the artifact.
- Activation — artifact is allowed to participate in local runtime behavior.
- Epistemic admissibility — artifact claims may be used as evidence.
These axes are intentionally separate.
Integrity does not imply activation.
Activation does not imply coherence.
Coherence does not imply permanence.
Edge hot-path prohibition
The following decisions must not require S3/object storage round trips:
- stop/continue safety decisions;
- collision or force-limit decisions;
- active vault recall;
- current-field propagation;
- customer-facing refusal/answer generation;
- immediate policy/action gate evaluation;
- active contradiction checks required for current action;
- motor-control or embodied reflex loops.
If the edge runtime cannot decide safely without S3, it must choose the safe local fallback: refuse, ask, observe-only, stop, or escalate according to action class.
Learning and fleet aggregation
Fleet artifacts may feed sealed practice and offline aggregation.
They may not directly mutate serving knowledge.
Correct flow:
fleet traces / observations
-> S3 archival
-> offline aggregation
-> candidate proposal
-> proof / review / ratification
-> signed release
-> edge download
-> verification
-> activation
Incorrect flow:
fleet observation
-> S3
-> runtime fact
The incorrect flow is an epistemic-corruption path and must be rejected.
Required metadata by artifact class
trace
Required:
trace_idruntime_versiontimestamp_utcfield_state_digest_beforefield_state_digest_afterwhen available- input source digests
- selected decision/action/refusal
- epistemic states involved
- safety gate result where applicable
replay_bundle
Required:
replay_hash- source
trace_idor eval run id - runtime/version metadata
- pack/policy manifest digests
- deterministic replay inputs
- expected replay verdict
sealed_eval_result
Required:
- lane id
- run id
- case count
- verdict counts
- wrong/refusal/correct counts where applicable
- timing summary when measured
- runtime version
- input dataset digest
fleet_observation_batch
Required:
- producing robot/site/fleet ids where applicable
- capture time range
- source modalities
- per-observation provenance
- epistemic default = speculative
- no direct admissibility flag unless produced by a reviewed/proven release process
pack_release / policy_release / modality_compiler_release
Required:
- signed manifest
- content digest
- schema version
- runtime compatibility
- release notes or proof summary
- rollback reference where applicable
- activation trace requirement
cold_vault_snapshot
Required:
- snapshot id
- source runtime/device id
- vault schema version
- per-entry epistemic status
- per-entry digest or snapshot digest
- restore policy
- explicit restore activation trace
Future implementation targets
This contract should eventually be enforced by code. Likely targets:
core/sync/artifacts.py
core/sync/manifest.py
core/sync/verify.py
core/sync/journal.py
core/sync/activation.py
tests/test_edge_sync_artifact_contract.py
No implementation path may introduce S3 as a dependency of active recall, active reasoning, refusal, or safety gating.
Future proof obligations
A code implementation should include tests that fail if:
- an unsigned runtime-affecting artifact activates;
- a hash-mismatched artifact activates;
- a downloaded artifact becomes active before verification;
- a signed fleet observation becomes admissible evidence by signature alone;
- malformed epistemic status imports as coherent;
- S3 unavailability blocks local refusal/reasoning;
- download failure clears the last verified local release;
- hot-path code imports the S3 client directly;
- a cold vault restore drops or upgrades per-entry epistemic status;
- activation occurs without an auditable trace.
Summary
This contract turns edge/S3 separation into an authority model.
S3 may store.
S3 may distribute.
S3 may preserve evidence.
S3 may not decide truth.
S3 may not sit in the hot path.
S3 may not mutate serving knowledge directly.
Truth still enters by proof, review, coherence, replay, and ratified mutation paths — never by storage location, signature, popularity, or fleet frequency.