- New acl.md: AclGraph Module definition (PrincipalNode, ResourceNode,
DelegatesEdge, ScopesEdge, MemberEdge), principal-agent hierarchy
with no-escalation invariant, setup-time vs runtime separation,
multi-parent aggregation rules, cycle detection, scope semantics
- ADR-034: ACL as metagraph (not domain-specific tables)
- ADR-035: Actors become PrincipalNode entries, standalone table removed
- ADR-036: Principal-agent as DelegatesEdge with scope narrowing
- ADR-037: Setup-time definitions seed graph types, runtime instances
are separate graphs
- Resolve OQ-03 (actors table design) — actors become ACL nodes
- Add OQ-20 through OQ-25 (delegation expiration, evaluator location,
graph instance lifecycle, BelongsToEdge derivation, identityId
references, scope string semantics)
- Update README.md and overview.md to reflect new doc and ADRs
- Note: multi-tenancy / graph scoping problem (no ownerId/scopeId on
graphs table, no identity tables at this level) still needs
resolution — identity and org tables will likely need to be added
at this level for referential integrity
glm-5.1
6b5f32bad4