Skip to content
GitHub
Reference

Domain Model

This page is the primitives view of spectral.<context>.domain.* — what the entities are, why they exist, and how they relate. For field-level shape and module paths, the code under src/spectral/<context>/domain/ is the source of truth; this page anchors the conceptual model the code embodies.

For the inter-context architecture that holds these primitives together, see Architecture and Contract Surfaces. For the worlds-side authoring model and its full evolution loop, see World Model System.

Two FK edges deserve explicit mention because they are not aggregate-traversable. Domain ||--o{ Observation — agent-memory rows are read via ObservationRepo for compounding/retrieval/decay, never through a Domain load. Decision ||--o{ OverridePatternSignal — customer-initiated review-request and noteworthy-mark signals are read via the platform-side signal aggregator for operator triage, never through a Decision load. Treating either as traversable would couple unrelated lifecycles. The three-tier memory shape behind the Observation FK is documented in ADR-058.

The customer-identity boundary at the top of the tenancy hierarchy per ADR-086 D1. Owns billing identity, owner-level access, and the set of domains a customer operates.

The action-grouping container per ADR-086 D2 — a coherent subject area whose actions share context vocabulary, configuration, and an authoring authority. Each domain has its own world-model version chain, its own action registry, its own deployed action modules, and its own System Card. The customer-facing roles (admin / contributor / observer) are scoped per ADR-086 D5; tenancy enforcement keys on domain_id per ADR-086 D6.

The unit of authority per ADR-026. Each version is an immutable snapshot of one domain’s authoring state: context schema, configuration block, action registry, and the rules under each action. Versions never retroactively change; prior versions remain queryable indefinitely.

The typed declaration of every attribute a domain’s decisions can consume, with each attribute carrying a source (supplied / system_generated / computed). The schema is the authoritative input contract for /decide calls in this domain. See Primitives — Context schema.

Stable values per world-model version that derivations consume at composition-root entry and that rule code-generation bakes into predicates at authoring time. Not exposed to predicates at runtime; configuration changes are version bumps that regenerate dependent code.

The unit of decision-time routing within a domain. Each action carries its own rules directly (no separate “rule-set” primitive) and optionally an aggregation_mode controlling how rules combine. A rule associates to one or more actions through the many-to-many action–rule registry (per ADR-104 D2); a rule assigned to no action does not deploy. Each action also carries a persisted canonical input ontology (worlds.actions.ontology) — one named, typed input per real quantity — established at publish by vocabulary reconciliation and the authority for the action’s published input schema (per ADR-107).

One enforceable expectation, assigned to the action(s) it serves. Each rule is one file inside the action’s module, exporting metadata (id, tier, outcome, description, category, suppresses, dual provenance), an optional applies_when context-only filter, a pure deterministic predicate, and inline tests. The full lifecycle (candidate → enshrined → retired) is governed by the Evolution Loop.

Each rule carries two-dimensional provenance: an authoritative source dimension (statute, regulatory guidance, scholarly publication) and a code dimension (the generated predicate’s lineage to the natural-language rule it was generated from). The authoritative dimension carries through restatement; the code dimension is regenerated when the rule’s natural-language form or its configuration dependencies change.

The deployable artifact for (org, domain, action, world_model_version) produced by the authoring path and stored content-addressed in the module store. Carries composition root, embedded context-schema subset, rule files, and a manifest with module version, code provenance, embedded schema digest, and signature. Integrity is verified at load time per ADR-080 D2 + D3.

The outcome of a single /decide invocation: { status, work_frame, decision_metadata } returned to the caller plus a structured record written to the audit chain. Every decision is deterministic over (world_model_version, supplied_context, system_generated_at_entry). Response shape per ADR-077 D3.

The per-decision audit record persisted in the platform pillar per ADR-076 D3. Captures the full decision trace (request context, matched rules, suppression chain, aggregation outcome, predicate traces, errored predicates, work frame, response). Backs the System Card and the customer-initiated review-request flow.

The deployment-scoped operational record per ADR-082 D3: per-(org, domain) totals, p50/p95/p99 latency, four-state status distribution, methodology disclosure, version history. The customer-facing view of operational health.

The version-scoped methodology disclosure published with each world-model version per ADR-082 D2: scope, sources, decision log, authority basis, two-dimensional provenance summary. Operator-authored.

The memory primitive — agent reasoning compounded across runs. Observations are append-only, anchored to the agent that produced them, and tiered (interaction / session / persistent) per ADR-058. The records-vs-memory boundary — observations are value-added reasoning about records, not records themselves — is the load-bearing invariant. See Memory System.

The entities operators interact with on the Operations app during world-model authoring, distillation, publication, and release-notes work.

A registered authoritative-tier source document (statute, regulatory guidance, scholarly publication) that distillation runs against and rules cite. Operators ingest source materials into the inventory with anchored provenance metadata; the REFERENCED ⇌ ACTIVE retention transition holds rows cited by enshrined rules indefinitely. Append-only — metadata corrections produce a new row plus retire of the prior; retirement is a state transition, not a delete.

An operator-submitted run of the LLM-guided distillation pipeline against selected source materials. Carries lifecycle state (status, started_at, completed_at, failure_reason_code) and the produced RuleCandidate rows. Per-source extraction state surfaces partial output and explicit errors; failures surface a coded failure_reason_code (retained on STRIP_PAYLOAD) plus free-text detail (stripped on disposal).

The junction row linking a DistillationRun to each RuleCandidate it produced and the SourceMaterial rows that contributed to the candidate’s extraction. End-to-end provenance trail: run → source materials → candidate.

A proposed rule under review, not yet enshrined. Surfaced from three signal sources (operator authoring, distillation runs, override-pattern signal aggregation) per Evolution Loop. Carries the proposed metadata, the World Agent’s generated predicate code (when authoring is past the implementation-readiness gate), proposed provenance citations, and the supporting evidence summary. Lifecycle: candidate → enshrined → retired; request-revision/send-back keeps it in candidate, while discard/reject retires it.

The operator-action audit row recording an enshrinement-gate decision (approve / reject / request-revision) on a RuleCandidate. Operator-scoped (app.user_id) with no domain RLS, keyed on (candidate_id, operator_id, decided_at) with rationale captured verbatim. Records — not memory. Append-only.

The operator-action audit row for every authoring action on the worlds-side surfaces — world-model lifecycle, rule authoring (when not gated by ApprovalDecision), source-material ingest + retire, distillation-run submission, release-notes create + revise, publication. Operator-scoped (app.user_id) with no domain RLS, keyed on (operator_id, target_type, target_id, action, occurred_at, correlation_id). Discriminators by target_type and action. The correlation_id column doubles as the idempotency anchor for the originating mutate API.

The version-scoped restatement artifact published with each world-model version per ADR-026. Operator-authored narrative + structured correction-record content. Lifecycle follows the parent WorldModel version: mutable while parent is in draft; locked at publication. No independent review-gate.

The structured per-correction child entity under ReleaseNotes: corrected rule reference, prior version restated, restatement narrative. Carries the three-category restatement discipline (configuration restatement, rule restatement, action restatement) per ADR-026.

A handful of entities drive lifecycle state through transitions worth understanding at the primitives level. The five with the most consequence:

  • Rulecandidate → enshrined → retired. Enshrinement is operator sign-off on the natural-language rule intent; generated predicate code, behavioral tests, and input declarations are machine-checked artifacts around that intent. Publication/deployment are separate version boundaries that gather assigned enshrined rules; retirement carries through restatement.
  • ActionModulebuilt → reviewed → enshrined → published → loaded. Published modules are immutable; subsequent versions ship as new module IDs keyed on a new world-model version.
  • Decision — terminal one-shot; no state machine. Status (GREEN / GREEN-SKIP / YELLOW / RED) is the audit-grade headline.
  • Agent taskqueued → running → completed | failed; failed tasks may be retried into a new task with a parent reference.
  • Conversationopen → closed; closed conversations may be reopened by a new message.
  • Glossary — canonical terminology for cross-referenced concepts.
  • Primitives — per-primitive definitions, structure, and lifecycle.
  • Architecture — the three-context layout these primitives live in.
  • World Model System — the worlds-side primitives in their full context.
  • Decision Execution — how the platform-side primitives compose at decision time.
  • ADR-058 — the universal three-tier memory schema.
  • ADR-065 — the contract-surface doctrine that admits these primitives across context boundaries.
  • ADR-086 — the org/domain tenancy hierarchy.