# Spec audit for runtime/store-machine ownership cuts

This audit records the review of specs 020, 030, 040, 050, 060, 100, and 110
before widening runtime, storage, FFI, and browser APIs. The numbered specs
remain protocol truth; this file summarizes ownership-cut edits and open
questions.

## Audited specs

- `020-RECORD-FACTS-VIEWS.md`: record facts remain derived only from validated
  local records. Peer advertisements are not `Have` or `Field` facts. Query views
  are declassification boundaries, not direct store APIs.
- `030-DATALOG.md`: Datalog remains pure evaluation over explicit fact inputs.
  It does not read clocks, sockets, stores, transactions, callbacks, or runtime
  state directly.
- `040-EXCHANGE-POLICY.md`: public prepared-flat-policy setup language was
  rewritten as trusted local precompilation. Interoperable/public setup uses
  origin-aware exchange operands, query exposure, and exchange-plan transcripts.
- `050-INTERLACE.md`: setup and state-machine language now describes agreement
  on an exchange plan, not a public prepared-policy path. Callback wording was
  rewritten as runtime-local event streams/result collectors. In-process and
  reconciliation optimizations were clarified to preserve store-machine
  read/load/store boundaries and not expose raw store access.
- `060-ILTP.md`: byte-availability language now references exchange-plan and
  operand resources rather than a prepared-lacegram public route. WebSocket/TCP
  remain byte-stream adapters; transport facts are explicit runtime facts, not
  core participant authority.

## Removed or rewritten stale assumptions

- Table/record terminology: specs now use `record` as the durable unit,
  `Group`/`App`/`Name` as coordinate fields, `Signed-By` and `Signature` as
  Seal-record signature headers, and Blob/Plex/Seal only as record variants with
  `B.`/`P.`/`S.` prefixes.
- Public direct store APIs: specs now describe public record access through
  interlace-backed `get`, `list`, and `store`; raw record indexes and stores
  remain store/runtime-internal.
- Prepared-policy public paths: trusted precompilation is allowed only as a local
  implementation cache derived from an agreed plan. Peer-authored rules require
  origin/facet metadata and query-view enforcement.
- Stream/session app APIs: normal applications consume runtime record/lifecycle
  event streams; raw side-machine phases and ILTP stream details are diagnostic
  or binding-level concerns.
- Callback/reentry assumptions: runtime event streams and result collectors are
  local behavior and are not invoked from core steps, store operations, or
  transport callbacks while locks are held.
- Transport-as-core-participant language: WebSocket/TCP/stdio are ILTP carriers
  and runtime-owned typed stream adapters. Core sees semantic interlace messages
  and store operations, not sockets.
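The callback/reentry rule above, as an added illustration that is not the project's code: a hypothetical runtime-owned store collects events under its lock and feeds the event stream only after the lock is released, so a subscriber that calls back into the store does not deadlock on the non-reentrant lock. The names (`RuntimeStore`, `subscribe`, `store`, `get`) and the `(kind, record_id)` event shape are assumptions for this example.

```python
import threading
from typing import Callable, Dict, List, Optional, Tuple

# Constructed event shape for this illustration: (kind, record_id).
Event = Tuple[str, str]
Subscriber = Callable[[Event], None]


class RuntimeStore:
    """Hypothetical runtime-owned store (assumption, not the project's API).

    Mutations happen under a non-reentrant lock; the runtime event stream is
    fed only after the lock is released, so a subscriber may call back into
    the store from inside delivery without deadlocking.
    """

    def __init__(self) -> None:
        self._lock = threading.Lock()          # deliberately non-reentrant
        self._records: Dict[str, bytes] = {}
        self._subscribers: List[Subscriber] = []

    def subscribe(self, fn: Subscriber) -> None:
        self._subscribers.append(fn)

    def get(self, record_id: str) -> Optional[bytes]:
        with self._lock:
            return self._records.get(record_id)

    def store(self, record_id: str, payload: bytes) -> List[Event]:
        """Write a record; collect events under the lock, deliver them after."""
        pending: List[Event] = []
        with self._lock:
            kind = "updated" if record_id in self._records else "added"
            self._records[record_id] = payload
            pending.append((kind, record_id))
        # Lock released: delivering here is what keeps subscriber re-entry safe.
        # Delivering inside the `with` block would block forever on re-entry.
        for event in pending:
            for fn in self._subscribers:
                fn(event)
        return pending


def run_demo() -> Tuple[List[Event], RuntimeStore]:
    """Subscriber that re-enters the store (get + store) during delivery."""
    store = RuntimeStore()
    seen: List[Event] = []

    def derive_on_add(event: Event) -> None:
        seen.append(event)
        kind, rid = event
        if kind == "added" and not rid.endswith(".derived"):
            store.store(rid + ".derived", b"derived:" + (store.get(rid) or b""))

    store.subscribe(derive_on_add)
    store.store("rec-1", b"v1")   # constructed sample records
    store.store("rec-1", b"v2")
    return seen, store
```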

## Remaining open questions

- The exact query-view representation for nontrivial peer-origin policy should
  be tightened as the notes-room scenario runner grows beyond broad `all`
  exposure fixtures.
- Open interlace needs a normative restart/abandon policy for stale store scopes
  after compaction.
- ILTP resource availability for cached exchange-plan operands needs stronger
  conformance traces once scenario-tools emits canonical byte transcripts.
- Filesystem compaction can currently leave read scopes stale; production
  compaction policy still needs space-reclamation and crash-window details.
