World Model Authoring
Operator surface for the authoring primitives: creating and versioning world models, authoring rules, managing rule relationships (depends-on, conflicts-with, qualifies), and adjusting provenance tier with a full audit trail. Usable by the human operator through the UI and by the Operations Agent through the API — see API/UI parity.
Scope (expected, subject to epic refinement)
Section titled “Scope (expected, subject to epic refinement)”- World-model lifecycle: create, list, version, retire
- Rule authoring: create candidate, revise candidate, retire rule
- Rule relationships: depends-on, conflicts-with, qualifies
- Provenance-tier management with full audit trail
- Rule status machine transitions (candidate → enshrined → retired)
UI surfaces
Section titled “UI surfaces”Documented as the surface ships.
API surfaces
Section titled “API surfaces”Documented as the surface ships. Every UI action has an API equivalent the Ops Agent calls — see dual-occupant parity.
Governance invariants
Section titled “Governance invariants”- Rule authoring flows through the governed Evolution Loop. Candidates do not become enshrined without human sign-off.
- Provenance tier is an audited field. Tier downgrades and upgrades both leave an audit record.
- Retirement is a state transition, not a delete. The rule applies uniformly to world models, rules, and rule relationships — retired rows remain queryable for audit and for evolution history.
- Concurrent operator actions on the same world-model entity (rule, rule-revision target,
relationship, world-model retirement) are serialized at the row level — one wins; the other
receives a clean conflict response. Mirrors the
ApprovalDecisionrow-level serialization established for the enshrinement gate per Domain Model / ApprovalDecision. - Every authoring mutate API is idempotent on
(operator_id, correlation_id). Theworld_authoring_audit.correlation_idcolumn doubles as the idempotency anchor — a retried request with the same operator + correlation id returns the original outcome rather than double-applying.
Audit trail
Section titled “Audit trail”Every authoring action — world-model create / retire, rule candidate propose / revise / retire,
relationship add / retire, provenance-tier change — appends a WorldAuthoringAudit row alongside
the entity-state mutation in the same transaction. The audit row is records, not memory: it
participates in the operator-action audit family alongside ApprovalDecision,
operations_agent_approval, and agent_approval per
Memory System / Records are not memory
and Data Retention / Audit posture.
WorldAuthoringAudit is operator-scoped (no workspace RLS) — operator identity is the audit key.
It is distinct from ApprovalDecision (same identity domain — both worlds-side, both
app.user_id-keyed — but different action surface: enshrinement-gate decision rather than
authoring action) and from operations_agent_approval (platform-side, Ops-Agent
call-time-approval audit). Three operator-action audit families, each with its own action
surface.
See Domain Model / WorldAuthoringAudit and
Data Retention / RetentionPolicy for the
worlds-side (world_authoring_audit, WORLDS) -> 730d / 30d / STRIP_PAYLOAD entry.
Related reading
Section titled “Related reading”- Operations App overview — dual-occupant UX, context boundary
- World Model System — the domain this surface operates over