Capability surface

Three capabilities gate dangerous operations:

  • forget — physical erasure of axiom events for compliance (RP-004 Temporal substrate). The source-level gate: a mutate body containing forget refuses to build (OE0730) unless the enclosing mutate declaration grants #[allow_forget]. The serving layer refuses forget outright (Runtime contract limits below).
  • unsafe_logic — execution of tier:fol rules under unsafe logic { }. Granted to the workspace at ox build time. A query whose dependency closure touches an unsafe_logic rule may run unbounded; runtimes MAY apply a per-query wall-clock timeout and return OE1301 UnsafeLogicTimeout.
  • fork — creating new forks, per-(tenant, parent_fork). A principal without it can open_store against existing forks but cannot create new ones. The trunk fork’s owner holds fork automatically.

Capabilities flow through the runtime as part of the PrincipalId argument to forget and the principal context of open_store. How a runtime authenticates a principal is backend-specific (the Postgres backend uses Postgres roles; the in-memory backend trusts the calling process).