flyingrobots · flyingrobots · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026 · Jun 15, 2026
@@ -3,7 +3,7 @@
 
 # BEARING
 
-Last updated: 2026-06-03.
+Last updated: 2026-06-15.
 
 This signpost summarizes current direction. It does not create commitments or
 replace backlog items, design docs, retros, or CLI status. If it disagrees with
@@ -12,6 +12,12 @@ code, the code wins and this file should be corrected.
 The WARP paper-to-Echo noun map is maintained in
 `docs/design/warp-optic-implementation-map.md`.
 
+The post-PR #545 strands and braids hardening roadmap is maintained in
+`docs/design/braids-and-strands-roadmap.md`.
+
+Its goalpost design packet is maintained under
+`docs/design/braids-and-strands-hardening/`.
+
 The feature bar for the eventual `v0.1.0` release is maintained in
 `docs/design/v0.1.0-release-plan.md`.
 
@@ -47,12 +53,22 @@ but production Echo code must remain generic.
 
 ## Current Bearing
 
+The active architecture hardening focus is the post-PR #545 braids and strands
+campaign. Track progress through the goalpost and slice checklist in
+`docs/design/braids-and-strands-roadmap.md`. Each goalpost has a focused design
+document under `docs/design/braids-and-strands-hardening/`; implementation PRs
+must check off slices in the roadmap only when the slice actually lands.
+
+This hardening campaign does not replace the `v0.1.0` external-app release
+gate. It protects the newly landed strand, braid, proof, sealed-member,
+identity, witness, and plurality surfaces before more callers depend on them.
+
 Echo has a local witnessed intent pipeline into deterministic execution:
 application ingress can become witnessed submission history, lawful admission
 evidence, ticketed runtime ingress, scheduler-owned handler dispatch, receipt
 correlation, and observable intent outcome.
 
-The current priority is to prove that pipeline with `jedit` as a real external
+The release priority remains proving that pipeline with `jedit` as a real external
 consumer. The in-repo external fixture remains valuable, but it is no longer
 the `v0.1.0` release gate. Echo is not ready to release until jedit can submit
 an application-owned contract intent, let a trusted Echo host authorize

@@ -0,0 +1,73 @@
+<!-- SPDX-License-Identifier: Apache-2.0 OR LicenseRef-MIND-UCAL-1.0 -->
+<!-- © James Ross Ω FLYING•ROBOTS <https://github.com/flyingrobots> -->
+
+# Goalpost 1: Lawful Construction And Typed Failures
+
+Status: planned.
+
+Roadmap:
+[`../braids-and-strands-roadmap.md`](../braids-and-strands-roadmap.md)
+
+## Decision Summary
+
+Echo will stop presenting law-bearing strand and braid/proof failures as casual
+public data shapes. `Strand<P>` construction moves behind posture-aware doors,
+proof validation reports structured `ProofError` variants, and braid transition
+failures report typed transition kinds instead of string action names.
+
+## Invariant
+
+No law-looking strand value or transition failure is created by accident.
+Typestate narrows ordinary construction, but live registry and runtime posture
+checks remain the final admission law.
+
+## Sponsored Human
+
+A maintainer wants hard API boundaries around strand posture and braid/proof
+failures so future refactors cannot create fake `Shared`-looking values or
+parse behavior out of display text.
+
+## Sponsored Agent
+
+An agent needs typed constructors, fixture builders, and error variants so it
+can write regression tests against behavior without inferring invariants from
+public fields or error strings.
+
+## Scope
+
+This goalpost includes:
+
+- private or controlled `Strand<P>` construction;
+- read-only accessors where public data remains needed;
+- fixture builders for tests;
+- structured `ProofError`;
+- typed `BraidTransitionKind`;
+- negative tests for forged construction and string parsing.
+
+## Non-Goals
+
+This goalpost does not include:
+
+- changing settlement semantics;
+- replacing runtime posture checks with typestate;
+- adding real cryptographic proof verification;
+- adding historical braid membership views.
+
+## Slices
+
+| Slice  | Work                                               | Witness                                          |
+| ------ | -------------------------------------------------- | ------------------------------------------------ |
+| GP1-S1 | Make `Strand<P>` construction posture-aware        | compile-fail or API test for public forgery      |
+| GP1-S2 | Replace public test construction with fixtures     | tests use builders instead of public literals    |
+| GP1-S3 | Replace proof validation strings with `ProofError` | tests assert exact error variants                |
+| GP1-S4 | Replace action strings with `BraidTransitionKind`  | tests assert exact invalid transition kind       |
+| GP1-S5 | Add negative capability tests                      | tests reject forged strands and string contracts |
+
+## Acceptance
+
+- External callers cannot set `_marker` or `retention_posture` directly.
+- `Strand<Shared>` cannot be publicly constructed with `AuthorOnly` retention
+  posture.
+- `ProofEnvelope` callers can branch on `ProofError` variants.
+- Braid transition failures identify a typed transition kind.
+- Display text remains human-facing only.
@@ -0,0 +1,73 @@
+<!-- SPDX-License-Identifier: Apache-2.0 OR LicenseRef-MIND-UCAL-1.0 -->
+<!-- © James Ross Ω FLYING•ROBOTS <https://github.com/flyingrobots> -->
+
+# Goalpost 2: Stable Identity And Privacy Posture
+
+Status: planned.
+
+Roadmap:
+[`../braids-and-strands-roadmap.md`](../braids-and-strands-roadmap.md)
+
+## Decision Summary
+
+Echo will lock the young proof, braid shell, and member reference identity
+surfaces with golden vectors before more callers depend on them. The same
+goalpost makes deterministic blinding salt semantics explicit so reproducible
+local behavior is never mistaken for unlinkability.
+
+## Invariant
+
+Digest identity drift is intentional, visible, and compatibility-classed.
+Deterministic blinding defaults are reproducibility tools, not privacy
+boundaries.
+
+## Sponsored Human
+
+A maintainer wants refactors to fail loudly when they change braid shell,
+proof, or sealed member identity.
+
+## Sponsored Agent
+
+An agent needs hand-reviewable vector fixtures and explicit privacy wording so
+it can distinguish stable identity promises from E1 scaffolding and test-only
+fixtures.
+
+## Scope
+
+This goalpost includes:
+
+- replay-trace `ProofEnvelope` digest vectors;
+- proofless and proof-bearing `BraidShell` vectors;
+- revealed and sealed `BraidMemberRef` vectors;
+- salt-effect vectors;
+- compatibility class labels;
+- privacy docs for deterministic and caller-supplied blinding material.
+
+## Non-Goals
+
+This goalpost does not include:
+
+- implementing verifier backends;
+- changing shell semantics beyond identity hardening;
+- claiming unlinkability from deterministic defaults;
+- introducing sealed membership presentation tokens.
+
+## Slices
+
+| Slice  | Work                                         | Witness                                 |
+| ------ | -------------------------------------------- | --------------------------------------- |
+| GP2-S1 | Add replay-trace `ProofEnvelope` vectors     | vector fixture test                     |
+| GP2-S2 | Add proofless/proof-bearing shell vectors    | vector fixture test                     |
+| GP2-S3 | Add revealed/sealed member reference vectors | vector and salt-effect tests            |
+| GP2-S4 | Mark compatibility classes                   | fixture metadata or docs assertion      |
+| GP2-S5 | Document deterministic blinding salt risk    | docs/examples plus salt-path regression |
+
+## Acceptance
+
+- CI catches digest drift for proof envelopes and braid shells.
+- Sealed member reference vectors prove caller-supplied salt changes the
+  commitment.
+- Public stable identity changes require a migration path, version bump, or
+  declaration that no prior stable identity was published.
+- Privacy-sensitive examples never use deterministic defaults as the privacy
+  boundary.
@@ -0,0 +1,72 @@
+<!-- SPDX-License-Identifier: Apache-2.0 OR LicenseRef-MIND-UCAL-1.0 -->
+<!-- © James Ross Ω FLYING•ROBOTS <https://github.com/flyingrobots> -->
+
+# Goalpost 3: Historical Membership And Replay
+
+Status: planned.
+
+Roadmap:
+[`../braids-and-strands-roadmap.md`](../braids-and-strands-roadmap.md)
+
+## Decision Summary
+
+Echo will make braid membership historical and replayable. Current membership
+becomes one projection over append-only event history, while replay surfaces
+explain member verdicts, posture floors, proof binding, retained support,
+frontiers, and witness posture.
+
+## Invariant
+
+Braid membership changes are append-only history. Current-only views cannot
+satisfy historical coordinate requests.
+
+## Sponsored Human
+
+A maintainer wants to answer who belonged to a braid at a coordinate without
+pretending later members existed in earlier intervals.
+
+## Sponsored Agent
+
+An agent needs replay facts and lower-mode output so it can audit braid shell
+readings without hand-inspecting internal state.
+
+## Scope
+
+This goalpost includes:
+
+- append-only membership design;
+- historical membership views by coordinate or event sequence;
+- membership diff facts for added, ended, revealed, and concealed changes;
+- replay facts for member verdicts and proof/witness posture;
+- Braid Flight Recorder artifact shape;
+- Causal X-Ray lower-mode output target.
+
+## Non-Goals
+
+This goalpost does not include:
+
+- settlement-as-merge semantics;
+- exposing sealed source chains beyond the requested aperture;
+- external witness backend implementation;
+- plurality law registry execution.
+
+## Slices
+
+| Slice  | Work                                    | Witness                                   |
+| ------ | --------------------------------------- | ----------------------------------------- |
+| GP3-S1 | Promote append-only membership design   | accepted design and invariant tests       |
+| GP3-S2 | Add historical membership views         | coordinate-based membership tests         |
+| GP3-S3 | Add membership diff facts               | added/ended/revealed/concealed diff tests |
+| GP3-S4 | Add replay/audit facts                  | stable JSON or fact assertions            |
+| GP3-S5 | Define recorder and Causal X-Ray output | fixture output and docs example           |
+
+## Acceptance
+
+- A braid whose initial interval includes `s0` and `s1`, then later weaves in
+  `s2`, reports `s2` only after the weave coordinate.
+- Current membership remains a deterministic projection over the same event
+  log.
+- Replay distinguishes admitted, retained, concealed, conflicted, obstructed,
+  and unsupported claims.
+- `SelfWitness` is displayed as integrity-only unless an external receipt says
+  otherwise.
@@ -0,0 +1,73 @@
+<!-- SPDX-License-Identifier: Apache-2.0 OR LicenseRef-MIND-UCAL-1.0 -->
+<!-- © James Ross Ω FLYING•ROBOTS <https://github.com/flyingrobots> -->
+
+# Goalpost 4: Witness Receipts And Sealed Capabilities
+
+Status: planned.
+
+Roadmap:
+[`../braids-and-strands-roadmap.md`](../braids-and-strands-roadmap.md)
+
+## Decision Summary
+
+Echo will name the witness receipt boundary before real witness backends
+arrive, then design purpose-bound sealed membership presentations on top of
+historical membership and explicit privacy posture.
+
+## Invariant
+
+Self-witness is local integrity scaffolding, not independent attestation.
+Sealed membership proves only the aperture-authorized membership claim for a
+purpose and disclosure budget.
+
+## Sponsored Human
+
+A maintainer wants witness and sealed membership surfaces that are ready for
+real backends without giving current scaffolding stronger semantics than it
+has earned.
+
+## Sponsored Agent
+
+An agent needs simulator fixtures and disclosure labels so it can test
+supported, rejected, and unsupported witness outcomes before cryptographic or
+institutional backends exist.
+
+## Scope
+
+This goalpost includes:
+
+- `WitnessReceipt`, `WitnessKind`, and `WitnessBackend`;
+- deterministic witness backend simulator fixtures;
+- explicit compatibility rules for witness identity;
+- purpose-bound sealed membership presentation design;
+- generic `PresentationPurpose` capability vocabulary;
+- disclosure budget labels;
+- replay wording for sealed membership.
+
+## Non-Goals
+
+This goalpost does not include:
+
+- real ZK, threshold, or signature backend implementation;
+- domain-specific purpose enums in Echo core;
+- sealed membership before historical membership and salt vectors exist;
+- treating self-witness as independent attestation.
+
+## Slices
+
+| Slice  | Work                                    | Witness                                      |
+| ------ | --------------------------------------- | -------------------------------------------- |
+| GP4-S1 | Define witness receipt boundary         | typed unsupported-backend tests              |
+| GP4-S2 | Add witness simulator fixtures          | supported/rejected/unsupported fixture tests |
+| GP4-S3 | Bind witness identity by compatibility  | compatibility class tests or docs assertions |
+| GP4-S4 | Design sealed membership presentation   | design doc and capability fixture            |
+| GP4-S5 | Add disclosure budget labels and replay | replay facts for sealed membership           |
+
+## Acceptance
+
+- Unsupported witness kinds fail as typed unsupported-backend outcomes.
+- Simulator fixtures harden witness behavior before real backends exist.
+- `PresentationPurpose` remains a generic capability purpose, not an
+  application-domain enum.
+- Replay records what was proven, what remained sealed, and which disclosure
+  budget applied.