WEIGHTLESS.md — weightlessness as a named design principle #1

Draft
patrickkarle wants to merge 10 commits into master from claude/ashe-spec-weightless-AyzaO

@patrickkarle
Owner

What this answers

How would you implement ASHE to be effectively weightless?

The answer the corpus was already pointing at: weightlessness is the placement of cost, not its absence. ASHE does real work — issues leases, validates capabilities, declares intent, writes audit. Weightlessness is paying that work once at an amortizable boundary (handshake / intent declaration / lease issuance) and making the steady-state per-action path a local check with no network callout, no model token, no human prompt. It's the TLS handshake-vs-symmetric-crypto split, generalized from bytes to actions: at N actions per lease, per-action overhead trends to boundary_cost / N → ~0.

This consolidates properties already scattered across the docs (the frictionless mandate in ADR-017, the <5 ms p99 interceptor budget in ADR-007, the wire economics in ADR-012 / VISION §3, the ASHE-core <50 MB footprint in ADR-009, the non-invasive model layer in the MANIFESTO) into one named principle and budget.

What's in WEIGHTLESS.md

  • Axes-of-weight table — every axis a protocol layer can be felt on (latency, wire/token, cognitive, footprint, model-layer, adoption), each mapped to the existing ASHE mechanism that drives it toward zero, with ADR anchors.
  • Hot-path budget — promotes the ADR-007 locally-validated capability token from "v1 optimization" to the steady-state default; separates the rare slow path (Tier C, broker callout) from the routine fast path (in-process, sub-millisecond).
  • Evidence grades — Floor/Target/Stretch per ADR-015. Only the <5 ms p99 interceptor bound and the arXiv 2511.23281 structured-over-HTML result are Floor-grade; the rest are honestly Target/Stretch.
  • Honest limits — the Tier C friction floor, cold-start boundary cost, the revocation-vs-token-speed trade, and audit-write cost are named as irreducible. Weightless over a session, not over a single isolated call.
  • Conformance budget — a checkable per-property table. The one-line test: a routine action costs no round-trip, no token, no human attention — and the audit record still exists.

No ADR superseded. Cross-references ADR-007/009/012/017/018; CHANGELOG updated in the house style.

Open questions for review

  • Format fit — landed as a top-level companion artifact (alongside MANIFESTO/VISION) since weightlessness is a cross-cutting property like bounded-outcomes, not a single decision. If you'd rather have it as an ADR (e.g. "ADR-016: weightlessness budget") or folded into VISION §4, easy to reshape.
  • Token-default promotion — §1 promotes ADR-007's alternative-3 capability tokens to the steady-state default. That's a soft amendment to ADR-007's stated v0 posture; worth confirming you want that framing rather than leaving it as a flagged v1 optimization.

🤖 Draft for review.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu


Generated by Claude Code

claude added 10 commits May 30, 2026 08:45
Consolidate ASHE's frictionless-by-mandate / TLS-for-the-agent-layer
promise into a single engineering property: weightlessness is the
placement of cost, not its absence. Pay once at an amortizable boundary;
make the steady-state per-action path a local check with no network
callout, no model token, and no human prompt.

- Axes-of-weight table mapping each axis to its existing ASHE mechanism
- Hot-path budget promoting locally-validated capability tokens to default
- Evidence grades (Floor/Target/Stretch) per ADR-015
- Honest limits: Tier C floor, cold start, revocation trade, audit cost
- Conformance budget table with a one-line weightlessness test

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu

… literal zero

Sharpen weightlessness from amortized-small to four absolutes — no delay,
no added bandwidth, no data alteration, no interference — and resolve them
honestly:

- No-data-alteration is Floor-contractual (ADR-007: idempotent, no
  dispatch-state mutation; pass/deny, never rewrite).
- No-interference-with-surfaces is Floor-constructional (ADR-018 additive
  dual-surface; ADR-009 graceful degradation never fails the host).
- Name the tension: active enforcement IS interference by definition, so
  literal-zero holds only for pre-authorized actions and structurally-
  bounded denials; remaining enforcement weight is concentrated at the
  rare Tier C boundary where interference is the intended function.
- Structural vs procedural: literal zero on delay/bandwidth is a Layer 3/4
  property (ADR-014) where the capability boundary is part of the system's
  shape (object-capability: an absent reference is not a check), enforced
  by the substrate at no added path cost.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu

Weightlessness is not a mechanism you install — it is the default state
of a system whose authority boundaries were applied correctly, forfeited
the instant they are applied incorrectly. A misapplied ASHE is just
middleware. 'Properly apply' is four facets of one discipline, all
required together:

- what  — object-capability primitive (held-or-absent authority)
- how   — structurally (substrate mechanism), not procedurally (a check)
- when  — at construction (wall-up-first, ADR-017), not bolted on after
- where — true-zero on the ~98% path; weight concentrated at the ~2%

Drop any one facet and weight reappears. The resolving point: proper
application REMOVES the work rather than accelerating it — a fast check
is still a check, still weight; weightless means there is no check at all
on the path that matters.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu

Promotes the 'proper application' resolving discipline from a WEIGHTLESS.md
design note to a binding conformance gate. An ASHE implementation may claim
the four hard invariants (no delay / no bandwidth / no data alteration /
no interference) only if it satisfies all four facets, conjunctively:

  what  — object-capability primitive (unauthorized action is unnameable)
  how   — structural boundary (substrate mechanism), not a procedural check
  when  — established at construction (ADR-017 wall-up-first), not bolted on
  where — literal-zero on the ~98%, weight concentrated at the ~2% Tier C

Forbids claiming 'weightless' for a fast-but-real per-action check, a
permission-flag model, a retrofitted gate, or uniform enforcement. Layer-1
cooperating-SDK implementations are not disqualified but MUST disclose
amortized-small vs literal-zero per ADR-015 evidence grades.

Wires the new ADR into INDEX.md, back-references it from WEIGHTLESS.md, and
adds a CHANGELOG entry.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu

Four conjunctive test groups, one per facet — all four MUST pass:

  W (what)  — unnameability, zero-ambient-authority, attenuation
  H (how)   — no-added-step, byte-identity, layer-disclosure
  N (when)  — construction-order, no-front-gate (disabling ASHE must
              make guarded actions unreachable, not ungated-but-reachable)
  R (where) — path-classification, no-uniform-enforcement, friction-frequency

Results are graded per invariant (literal-zero structural Layer 3/4 vs
amortized-small disclosed Layer 1) per ADR-015, never binary-by-assertion.
The two floored invariants (ADR-007 no-data-alteration, ADR-009/018
no-interference) are re-checked here as regression guards.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu

First runnable arm of the spec — turns ADR-020's four conformance groups
into an executable scaffold under conformance/ (the repo's first code).

  src/adapter.ts    — the AsheConformanceAdapter contract a SUT implements;
                      four method blocks map 1:1 to the what/how/when/where facets
  src/manifest.ts   — the 11 tests (W1-W3, H1-H3, N1-N2, R1-R3) as typed,
                      language-neutral data keyed by id
  tests/group-*.ts  — real assertions per group, gated on adapter presence
  src/examples/     — illustrative correctly-applied (structural, Layer 3)
                      adapter that makes the suite self-verifying

Sharpest checks: W1 fails a SUT that returns DENIED for an unauthorized
action (nameable => evaluated); N2 fails a SUT where disabling ASHE leaves
a guarded action reachable (removable front gate); R2 fails uniform
enforcement of the routine 98%. Group H grades literal-zero vs
amortized-small per ADR-015 so Layer-1 passes honestly.

Verified: npm run test:example -> 11/11 green; npm test (no adapter) ->
11 skipped; tsc --noEmit clean. Stack TypeScript + vitest; node_modules
ignored, lockfile committed. Wires a pointer from ADR-020 and a CHANGELOG
entry.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu

CI: .github/workflows/conformance.yml — the repo's first CI, scoped via
paths: to conformance/** so the doc-only surface is untouched. Runs
npm ci -> typecheck -> test:example on Node 20.

Reference impl (conformance/src/protocol/): the example adapter now
delegates to real in-memory object-capability primitives instead of inline
toy logic.

  capability.ts — unforgeable capabilities (module-private mint token;
                  external construction throws) + attenuate-only CapabilitySet.
                  No grant/union: amplification is unconstructable, not checked.
  actor.ts      — principals with no ambient authority; spawn() attenuates
                  (cascade attenuation, ADR-017)
  lease.ts      — boundary-amortized standing authority with TTL
  tier.ts       — routine A/B vs deliberate-weight Tier C
  mediation.ts  — structural interception (ADR-007): routine pass-through with
                  no boundary step, byte-identical payload; unheld => UNNAMEABLE,
                  never DENIED

Verified: npm run test:example -> 25/25 green (14 protocol units + 11
conformance); npm test (no adapter) -> 14 pass, 11 skip; tsc --noEmit clean.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu
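
Added example, not code from this commit or the repository: a TypeScript sketch of the capability.ts and mediation.ts behaviour the message above describes (module-private mint token, attenuate-only set, an unheld action resolving to UNNAMEABLE rather than DENIED). All identifiers are hypothetical, and the in-process map lookup stands in for holding or not holding a reference.

```typescript
// Added sketch. All names are hypothetical, not the repo's conformance/src/protocol code.
const MINT = Symbol("mint"); // module-private mint token: never exported

class Capability {
  readonly action: string;
  constructor(token: symbol, action: string) {
    // External construction throws: callers outside this module cannot obtain MINT.
    if (token !== MINT) throw new Error("capability cannot be constructed externally");
    this.action = action;
    Object.freeze(this);
  }
}

class CapabilitySet {
  private readonly caps: Map<string, Capability>;
  private constructor(caps: Map<string, Capability>) {
    this.caps = caps;
  }

  // The only mint site: cost is paid once here, at the lease/intent boundary.
  static issueAtBoundary(actions: string[]): CapabilitySet {
    const caps = new Map<string, Capability>();
    for (const a of actions) caps.set(a, new Capability(MINT, a));
    return new CapabilitySet(caps);
  }

  // Attenuate-only: the result is an intersection with what is already held.
  // There is no grant() or union(), so a child can never hold more than its parent.
  attenuate(keep: string[]): CapabilitySet {
    const caps = new Map<string, Capability>();
    for (const a of keep) {
      const held = this.caps.get(a);
      if (held !== undefined) caps.set(a, held);
    }
    return new CapabilitySet(caps);
  }

  get(action: string): Capability | undefined {
    return this.caps.get(action);
  }
}

type Outcome = { kind: "PASS"; payload: Uint8Array } | { kind: "UNNAMEABLE" };

// Routine path: no network callout, payload returned by reference (byte-identical).
// An unheld action has no policy verdict to return, so there is no DENIED variant.
function mediate(held: CapabilitySet, action: string, payload: Uint8Array): Outcome {
  return held.get(action) !== undefined ? { kind: "PASS", payload } : { kind: "UNNAMEABLE" };
}
```
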
audit.ts — tamper-evident append-only audit log (ADR-013 Audit service,
ADR-016 provenance). SHA-256 hash chain; verify() catches any reorder/
edit/drop of a sealed record. The Mediator optionally emits one record per
decision (including UNNAMEABLE attempts) as a local append off the critical
path — not a round-trip, payload never touched.

intent.ts — declare-once intent reconciliation (VISION §6, ADR-017 C2).
In-scope, unexpired actions reconcile silently (frictionless routine path
with accountability intact); out-of-scope or expired escalates.

Mediator gains an opt-in { audit, now } options bag — non-breaking; existing
new Mediator(tiers) callers unchanged.

Verified: npm run test:example -> 32/32 green (21 protocol units + 11
conformance); tsc --noEmit clean.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu
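
Added example, not code from this commit or the repository: a TypeScript sketch of the SHA-256 hash-chained audit log the message above describes, with a verify() that reports where an edit, reorder or drop breaks the chain. The record fields, the GENESIS value and the expectedHead parameter are assumptions made for the illustration.

```typescript
import { createHash } from "node:crypto";

// Hypothetical record shape; the page does not show the fields audit.ts actually uses.
interface AuditRecord {
  seq: number;
  action: string;
  decision: string; // e.g. "PASS" or "UNNAMEABLE"
  prev: string;     // hash of the previous sealed record
  hash: string;     // SHA-256 over this record's fields and prev
}

const GENESIS = "0".repeat(64);

function seal(seq: number, action: string, decision: string, prev: string): string {
  const h = createHash("sha256");
  // Length-prefix each field so adjacent fields cannot be shifted into one another.
  for (const f of [String(seq), action, decision, prev]) h.update(`${f.length}:${f}`);
  return h.digest("hex");
}

class AuditLog {
  private records: AuditRecord[] = [];
  private headHash = GENESIS;

  // Local append only: no round-trip, and the action payload is never read or modified.
  append(action: string, decision: string): void {
    const seq = this.records.length;
    const hash = seal(seq, action, decision, this.headHash);
    this.records.push({ seq, action, decision, prev: this.headHash, hash });
    this.headHash = hash;
  }
  head(): string { return this.headHash; }
  snapshot(): AuditRecord[] { return this.records.map((r) => ({ ...r })); }
}

// Returns -1 if intact, otherwise the index of the first record that fails.
// expectedHead is a head hash kept outside the log; without it a dropped tail is invisible.
function verify(records: AuditRecord[], expectedHead?: string): number {
  let prev = GENESIS;
  let i = 0;
  for (const r of records) {
    if (r.seq !== i || r.prev !== prev || r.hash !== seal(r.seq, r.action, r.decision, r.prev)) return i;
    prev = r.hash;
    i++;
  }
  return expectedHead !== undefined && prev !== expectedHead ? records.length : -1;
}
```

The chain only proves internal consistency: a writer who can replace the whole log can reseal it, so the head hash has to be recorded somewhere that writer cannot reach.
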
Granular operating plan from inception to a five-year de-facto-standard
horizon. Operationalizes the existing architecture (ADR-014 layer
trajectory, ADR-009 profiles, ADR-015 methodology, ADR-020 conformance
gate, tri-surface design) and adds the standardization, funding,
governance, and org tracks the ADRs presuppose but do not specify.

Posture: open-core (ASHE Apache-2.0 + Continuum commercial reference
impl); grant/standards-body funded; north star = de facto cross-vendor
standard.

Structure: three tracks (Standard/Implementation/Adoption) + two enabling
tracks (Sustainability/Org); version<->layer<->year mapping (v0 Layer-1 ->
v6 Layer-4 pilot); quarter-level deliverables with entry/exit gates;
grant/sponsorship funding plan; lean org plan; per-year KPI targets graded
Floor/Target/Stretch; 8-item risk register; sequencing logic. Keystone
metric: the second independent conformant implementation (Y2).

Linked from README read-order; CHANGELOG updated.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu

design/ — drills each architectural element to engineering level across
four facets: Technology (per ADR-014 layer), Application, Algorithm
(invariants, complexity, security properties), Pseudocode (consistent with
running conformance/src/protocol primitives).

  INDEX.md        — catalog of all 20 elements + drill order + template
  01-capability   — unforgeable refs; attenuate-only; I1/I2/I3 invariants;
                    per-layer representation (object ref -> fd -> TPM token)
  02-lease        — boundary-amortized authority; revocation lifecycle
                    (short-TTL + epoch bump + targeted list = bounded,
                    disclosed staleness; the fast-vs-prompt trade resolved)
  03-mediation    — interception point per layer; M1/M2/M3 invariants;
                    Tier-C boundary evaluator; tied to ADR-020 W/H/R

ROADMAP-MONTHLY.md — month-by-month execution, M01 (2026-07) .. M60
(2031-06). Year 1 at task level across all 5 tracks; Years 2-5 at
monthly-milestone level (granularity decreases with distance by design;
each annual exit gate re-plans the next year to task level). Gate markers
throughout; keystone numbers flagged.

https://claude.ai/code/session_01SvcmH5eRSyewRd99atWhuu

2 participants