radar: pass 4 — append-only audit log (acl+mod) sharpens W4 → persist/log; proof-explain → new W5 (substrate)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

plans/abstractions.md

@@ -12,8 +12,11 @@ Anything short → _Watching_ (what's missing) or _Rejected_ (why).
 
 ## Last scan
 
-- **Date:** 2026-06-06 (radar loop, pass 3)
+- **Date:** 2026-06-06 (radar loop, pass 4)
-- **Pass 3:** subsystem set + tmux + A1 adopters (4) all unchanged vs pass 2. Loops
+- **Pass 4:** no churn vs pass 3 (same worktrees/tmux/HEADs/adopters). Swept audit+explain
+  surfaces: acl/mod share an append-only-log shape (→ sharpened W4 with persist/log API
+  evidence) and a proof-explain shape (→ new W5, substrate-bound). No new gate-clearer.
+- **Pass 3 (earlier today):** subsystem set + tmux + A1 adopters (4) all unchanged vs pass 2. Loops
   advanced: acl shipped Phase 4 federation; search shipped Phase 4 + pagination; feed
   shipped pagination/threading; mod at Ext 19 (capstone); persist did a worked acl-grants
   migration (W4). New shape found: offset/limit pagination → folded into W3.
@@ -127,6 +130,32 @@ Anything short → _Watching_ (what's missing) or _Rejected_ (why).
 - Not an abstraction to extract — a migration target. Every subsystem fakes its
   store with a mutable list (`feed/-log`, flow store, mod audit, …).
 - **Owner:** `persist-on-sx` (in progress). Tracked there, listed here for visibility.
+- **Concrete instance (file:line, found pass 4): the append-only decision/audit log.**
+  `acl/lib/acl/audit.sx` and `mod/lib/mod/audit.sx` are the SAME hand-rolled shape, and
+  `persist/lib/persist/log.sx` (the persist *log facet*) already implements it durably:
+
+  | role | acl/audit.sx | mod/audit.sx | persist/log.sx (target) |
+  |---|---|---|---|
+  | log var | `acl-audit-log` :9 | `mod/*audit-log*` :10 | backend stream |
+  | monotonic seq | `acl-audit-seq` :10 | `mod/*audit-seq*` :11 | per-stream high-water :1 |
+  | append (auto-seq) | `acl-audit-decide!` | commit :32 | `persist/append` :17 |
+  | count | `acl-audit-count` :51 | `mod/audit-count` :44 | `persist/count` :12 |
+  | read-all oldest-first | snapshot/tail :73 | `mod/audit-all` :43 | `persist/read` :29 |
+  | read seq≥from | — | by-seq | `persist/read-from` :31 |
+
+  Both deliberately use a monotonic seq with **no wall-clock** (deterministic/testable) —
+  identical to persist/log's design. Action when persist's host adapter lands: acl + mod
+  loops swap their in-memory log for `persist/log`. 2 consumers today; not a new lib —
+  the home already exists. Belongs to acl/mod loops × persist loop, not an extraction.
+
+### W5 · Proof-tree explanation over a logic-program derivation
+- `acl/lib/acl/explain.sx` (reconstructs a canonical proof by goal-directed search over a
+  saturated Datalog db) and `mod/lib/mod/explain.sx` (renders a Prolog-style proof tree
+  goal-by-goal with proved/unproved marks + unification bindings) are the same *idea*.
+- **Missing / disposition:** only 2 consumers, and they sit on **different substrates**
+  (acl→`lib/datalog`, mod→`lib/prolog`). Proof reconstruction/rendering is logic-engine
+  machinery → it belongs in each **substrate** (datalog/prolog), not a shared app lib.
+  Watch; revisit only if a 3rd logic-backed subsystem reimplements proof explanation.
 
 ---