plan: log hardening pass H1-H7 (TDD) + the commerce arc next steps

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-07-03 10:56:58 +00:00
parent 99401ae21e
commit f561deede3

View File

@@ -334,6 +334,22 @@ covers everything until a DAG's cost/latency/placement forces the substrate.
activities), so business logic can change state, which federates, which triggers more flows.
## Progress log (newest first)
- 2026-07-03 — HARDENING PASS H1-H7 DONE (TDD, failing test first, all 7) + deployed + live-verified.
H1 internal endpoints HMAC-gated (x-int-sig of the TARGET; unsigned /ticket|/order|/person → 403 —
closed the live capacity-bypass). H2 admin ops (new-film/new-showing/offering-*/add-poll/new-event)
behind protect-html; /vote + /buy-ticket pinned public. H3 votes = atomic claims on stream
vote:<poll> (ev/book!), edge is a projection — dedup survives projection wipes. H4 P2 restored:
all cinema/poll mutations emit (create/schedule/offer/update/retract/vote/sell; voter anonymous on
the wire). H5 two-phase buy: ev/hold! → guarded mint (injectable host/blog--mint-ticket) →
ev/confirm! / ev/release! — the cross-domain seat leak is gone. H6 durable activity dedup: :id
claimed once-ever on stream activities:processed — prerequisite for payment. H7 adjacency streams:
out/in/out-raw fold per-(node,kind) event streams (rel:/rin:), not full kv scans; append-only = no
RMW race; boot reindex migrates legacy stores; add-edge-kv! collapsed in (algebra tests caught the
bypass). blog suite 218→256, FULL conformance 658/658. LIVE: 403 on unsigned mint, /login on
unauth admin, buy sold 2→3 through hold/confirm, vote +1-once, migrated reads correct.
NEXT (commerce arc, decided): single-till co-op settlement. Business+membership+rights → Cart +
per-line owner attribution → SumUp (stub→real) → reseed as the food co-op. Deferred: per-actor
keys + global naming (gate multi-co-op federation), lib/commerce money, blog.sx modular split.
- 2026-07-02 — CROSS-DOMAIN slice 1 DONE + LIVE-VERIFIED: allocate-a-post-to-a-calendar (blog→events).
events.rose-ash.com is now a fed-sx PEER — a lib/host instance with SX_DOMAIN=events, whose
"calendar" TYPE declares an on-allocate behavior (behaviors ARE type-declared — confirmed). Built: