canon(principles): add type-contract-plus-adversarial-review#136
Merged
Conversation
Graduates the paired pattern observed across the aquifer-mcp J-002 -> H11b session (PRs klappy/aquifer-mcp#17 through #20) as tier-2 canon. Three deciding-argument recurrences: 1. PR #18 (BootstrapEntityResult) - Bugbot caught 3 silent-truth-loss bugs where complete=true could ship under contract-violating conditions. 2. PR #20 (FanOutEntityResult) - Bugbot caught High-severity ctx ReferenceError that esbuild transpile-only would have shipped as production crash. 3. esbuild-transpile-only boundary condition - orchestrator's load-bearing decision to treat Bugbot as sole defense (not secondary) in pipelines that bypass the type system. Under the manual-enforcement reading of the graduation test (multiple PRs, adversarial review dispositioned each time, principle cited as reason for architecture choices), all three cleared the bar in one session. Writing Canon checklist: title names concept + stance; blockquote contains full compressed argument; Summary section is self-contained; headers are descriptive and tell the document's story on scan; no formulaic transitions; em-dash density within 20% of reference canon (0.30 vs 0.24 baseline). Frontmatter schema: eight universal fields present; tier unquoted integer; booleans unquoted (none in this doc); date unquoted; simple identifiers unquoted; strings with special characters quoted. Release-validation-gate disposition: this PR added a new canon doc under canon/principles/. The gate's 'governs' clause includes klappy.dev canon PRs that change governance docs the worker reads at runtime. Rule 2's trigger list is worker-surface-specific; a new canon doc at a new URI is ambiguous under that list, and the gate's 'ambiguous cases default to load-bearing' clause binds. Bugbot dispositioned below; fresh-context Sonnet validator dispatch recorded separately in the closeout PR comment before merge. Companion graduation ledger ships in the partial-data PR to ensure all URI cross-references resolve at the time of the ledger's merge.
Merged
8 tasks
B1: Removed odd/ledger/2026-04-24-aquifer-session-principles-graduated.md from derives_from. The canon principle does not epistemically derive from the session ledger documenting its own graduation; the direction is the reverse. Validator correctly flagged this as an unacknowledged broken reference (the ledger ships with PR #137, not this branch). B2: Restructured the inline 9-field listing on the Recurrence 1 paragraph from em-dash parenthetical to parens. Dropped em-dash density from 0.30 to 0.28 (closer to existing canon baseline ~0.24-0.25). The reframe also aligns with the operative ai-voice-cliches signal (paragraph clusters, not ratios) — no remaining narrative em-dash clusters. N6: Fixed typo 'dispositon' -> 'disposition' on line 83. W1/W2 waived: Bold-then-explain and scope-limiting 'Does NOT Say' section are established canon precedent (contract-governs-handoff-drift, cache-fetches-and-parses). Validator 2 on the sibling PR confirmed these are structural governance patterns, not the conversational AI-tell that ai-voice-cliches targets. W3 (Recurrence 3 unverifiable without ledger) resolves when PR #137 merges and the ledger goes live.
klappy
pushed a commit
that referenced
this pull request
Apr 24, 2026
Canon doc: Removed ledger path from derives_from for same epistemic reason as PR #136: the canon principle does not derive from the session ledger documenting its graduation. Direction is the reverse. Ledger: Updated session_span from '2026-04-24' to '2026-04-24 closed' to align with frontmatter-schema example format ('YYYY-MM-DD closed' or 'YYYY-MM-DD to YYYY-MM-DD'). Validator flagged W-B1 as schema-example conformance; this session is in fact closed at the canon-promotion stage. Other validator warnings dispositioned in PR closeout comment: - W-A1 (em-dash methodology): operative signal per ai-voice-cliches is paragraph clusters, not ratios; only 1 genuine narrative cluster found, within tolerance. - W-A2 ('Does NOT Say' negation cluster): validator agreed this is scope-limiting governance, not conversational AI-tell. Waived. - W-A3 (forward ref to type-contract): resolves when sibling PR #136 merges. - W-A4 (Related Canon + See Also overlap): established canon precedent (contract-governs-handoff-drift, cache-fetches-and-parses use both sections). Waived. - W-B2 (forward refs in ledger Related Canon not labeled): low priority; 'The Canon PRs' section already discloses the forward-reference nature.
Owner
Author
Closeout — Release-Validation-Gate DispositionRule 1 — BugbotOriginal commit Follow-up commit Rule 2 — Independent Fresh-Context ValidatorDispatched Sonnet 4.6 validator via Managed Agents (session Verdict: PARTIAL — 2 blockers, 3 warnings, 6 notes. All findings now dispositioned. Blockers — Fixed in
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
canon/principles/type-contract-plus-adversarial-review.mdas a tier-2 canon principle. Graduates a paired pattern that was manually enforced across the aquifer-mcp J-002 → H11b session (PRs klappy/aquifer-mcp#17 through #20).The principle: When a function's correctness depends on reporting its own incompleteness honestly, a type-system contract at the API boundary is necessary but not sufficient. The type forces every caller to acknowledge the incompleteness axis; adversarial review catches the implementation lying about that axis. Either defense alone ships silent-truth-loss bugs. The pair collapses to a single line of defense when the build pipeline bypasses the type system (esbuild transpile-only), at which point adversarial review is the only thing standing between compile and production.
Three Deciding-Argument Recurrences
BootstrapEntityResult+ 9 Bugbot findings including 3 silent-truth-loss bugs (complete=truecould ship under contract-violating conditions). The paired pattern was the reason those bugs did not ship.FanOutEntityResult+ High-severityctxReferenceErrorthat esbuild transpile-only compiled cleanly and would have shipped as production crash on every cold-cache entity search. Bugbot was the sole defense.Under the operator's manual-enforcement reading of the graduation test, all three cleared the bar in one session.
Writing Canon Checklist
klappy://canon/meta/frontmatter-schema.## Summary — The Pair Is Load-Bearing, Not the Partsis self-contained.Release-Validation-Gate Disposition
Per
klappy://canon/constraints/release-validation-gate:Rule 1 (no merge with active reviews): will wait for Bugbot to reach
completedstatus; dispositioning every finding before merge.Rule 2 (independent fresh-context validation): Rule 2's trigger list is scoped to oddkit worker surface (orchestrate.ts, bm25.ts, governance file reads, response envelope). A new canon doc at a new URI is ambiguous under that list. Per the gate's "ambiguous cases default to load-bearing" clause, dispatching a fresh-context Sonnet 4.6 validator via Managed Agents before merge. Validator findings will be dispositioned in a closeout comment on this PR.
Rule 3 (canon wins over session artifacts): the handoff that proposed this graduation recommended promoting only one candidate principle (not two). The operator reframed toward manual-enforcement-as-deciding-argument, which graduated this and the sibling partial-data principle. Canon rule (graduation test) was honored; handoff recommendation was overridden by operator direction; audit trail lives in the graduation ledger on the sibling PR.
Companion Artifacts
feat/canon-partial-data-with-transparency-and-background-warmgraduates the second principle and carries the session graduation ledger (odd/ledger/2026-04-24-aquifer-session-principles-graduated.md). The two PRs cross-reference each other by URI; URIs will resolve once both merge.Not In Scope
observe-before-you-fix-the-wrong-axis— one explicit recurrence only; held for future session graduation.Note
Low Risk
Low risk because this PR only adds documentation and does not change runtime code or behavior.
Overview
Introduces a new canon principle doc,
canon/principles/type-contract-plus-adversarial-review.md, which formalizes a paired requirement: typed boundary contracts for partial/failed results plus adversarial review of implementations against those contracts.The document defines what qualifies as a trust boundary and adversarial review, and records three manual-enforcement recurrences (including the esbuild transpile-only type-bypass case) as justification for graduating the principle.
Reviewed by Cursor Bugbot for commit fd6f0ea. Bugbot is set up for automated code reviews on this repo. Configure here.