World Model Authoring
Operator surface for the authoring primitives: creating and versioning world models, authoring the context schema + configuration block + action registry, authoring rules alongside the World Agent (which generates the deterministic predicate code from a behavioral spec extracted independently of the predicate), and managing two-dimensional provenance with a full audit trail. The human operator drives the surface through the UI, which is a thin client over the same HTTP API — see API/UI parity.
Scope (expected, subject to epic refinement)
Section titled “Scope (expected, subject to epic refinement)”- World-model lifecycle — create, list, version, retire
- Context schema authoring — declare typed attributes with sources (
supplied/system_generated/computed); declare derivations for computed attributes; constraint authoring (min/max, enum, regex) - Configuration-block authoring — declare stable per-version values (business hours, holiday calendars, thresholds, regional regulatory parameters); change-driven regeneration of dependent rule code
- Action-registry authoring — register actions per domain; assign rules to actions; set aggregation mode per action
- Rule authoring — propose candidate (natural-language form + tier + outcome), invoke the World Agent to generate the predicate code and applies_when filter, derive the rule’s typed input declaration bound
declared == read, and extract a behavioral spec from the rule text independently of the predicate that the generated predicate must pass; attach authoritative-source citations - Two-dimensional provenance management — authoritative-source dimension (operator-authored citations verified at the conformity gate) and code dimension (regenerated when the natural-language form or configuration dependencies change; verified at the implementation-readiness gate, where codegen is bound
declared == readso the rule’s declared inputs equal the predicate’s actual reads per ADR-107) - Rule status machine transitions —
candidate → enshrined → retiredper World Model; publish/deploy are separate boundaries that gather assigned enshrined rules
UI surfaces
Section titled “UI surfaces”Documented as the surface ships.
API surfaces
Section titled “API surfaces”Documented as the surface ships. Every UI action has an API equivalent — the UI is an API client over the same routes; see API/UI parity.
Governance invariants
Section titled “Governance invariants”- Rule authoring flows through the governed Evolution Loop. Candidates do not become enshrined without human sign-off on the natural-language rule intent; generated predicate code, behavioral tests, input declarations, and source-conformity evidence are machine-checked review artifacts around that intent.
- Authoritative-source provenance is an audited field. Tier downgrades and upgrades both leave an audit record. Code-dimension provenance regenerates whenever the natural-language form or configuration dependencies change; the regeneration is also audited.
- Retirement is a state transition, not a delete. The rule applies uniformly to world models, rules, source materials, and action-registry entries — retired rows remain queryable for audit and for evolution history.
- Configuration-block edits force code-dimension regeneration on dependent rules. A configuration change is a version bump that re-runs the implementation-readiness gate against the regenerated code; predicates do not read configuration at runtime.
- Concurrent operator actions on the same world-model entity (rule, configuration value,
context-schema attribute, action-registry entry, relationship) are serialized at the row
level — one wins; the other receives a clean conflict response. Mirrors the
ApprovalDecisionrow-level serialization established for the enshrinement gate. - Every authoring mutate API is idempotent on
(operator_id, correlation_id). TheWorldAuthoringAuditcorrelation_idcolumn doubles as the idempotency anchor — a retried request with the same operator + correlation id returns the original outcome rather than double-applying.
Audit trail
Section titled “Audit trail”Every authoring action — world-model create / retire, context-schema attribute add / edit,
configuration value add / edit, action-registry entry add / retire, rule candidate propose /
revise / retire, authoritative-source citation add / change, provenance-tier change —
appends a WorldAuthoringAudit row
alongside the entity-state mutation in the same transaction. The audit row is records, not
memory: it participates in the operator-action audit family alongside ApprovalDecision and
agent_approval per
Memory System / Records are not memory
and Data Retention / Audit posture.
WorldAuthoringAudit is operator-scoped (no domain RLS) — operator identity is the audit key.
It is distinct from ApprovalDecision (same identity domain — both worlds-side, both
app.user_id-keyed — but different action surface: enshrinement-gate decision rather than
authoring action).
See Domain Model / WorldAuthoringAudit and
Data Retention for the worlds-side
(world_authoring_audit, WORLDS) → 730d / 30d / STRIP_PAYLOAD entry.
Related reading
Section titled “Related reading”- Operations App overview — API/UI parity, context boundary
- World Model — the primitives this surface authors against
- World Agent — the code-generation collaborator on the rule-authoring surface
- Evolution Loop — the two gates and the reviewer surface candidates flow through