2.1 Evidence-anchored claims

Every statement is filed under exactly one context. Every claim of maturity ≥ E2 carries (or transitively carries) at least one evidence link. The default for a hypothesis_only=false ingest without anchor is to land at E1 (candidate) until provenance is attached. Consumers may opt into the legacy hypothesis_only=true path for explicitly speculative recall, as long as the speculation is flagged at the storage layer.

2.2 Bitemporal discipline

valid_time (world-time) and tx_time (system-time) are non-optional on donto_statement. The same discipline extends to alignments, identity edges, policies, attestations, reviews, and releases via donto_event_log. The contract: consumers can always ask "what did the substrate believe at system-time t?" and "what holds in the world at valid-time t'?" and get a deterministic answer.

2.3 Paraconsistent storage

Two currently-believed rows with the same subject and predicate but conflicting objects, polarities, or valid-time intervals are legal substrate state. donto exposes a contradiction frontier; it does not pick winners. Consumers (memory runtime, genealogy reviewer, language analyst) decide what to do with contradictions through their own argument-edge writes, review decisions, or query lenses.

2.4 Typed predicate alignment

Eleven relations × three safety flags (safe_for_query_expansion, safe_for_export, safe_for_logical_inference). A materialised closure rides at query time when PREDICATES EXPAND is set. The substrate does not auto-collapse aligned predicates at write time.

2.5 Identity as hypothesis

Symbols (freely-minted IRIs) live forever. Identity edges weight coreference between symbols. Identity hypotheses name clustering solutions. Queries pick a lens (strict, likely, exploratory, or a consumer-defined hypothesis IRI) at evaluation time. A merge accepted under one hypothesis never destroys data; querying under a different hypothesis returns the unmerged view.

2.6 Policy capsules with action-level granularity

Fifteen actions: read_metadata, read_content, quote, view_anchor_location, derive_claims, derive_embeddings, translate, summarize, export_claims, export_sources, export_anchors, train_model, publish_release, share_with_third_party, federated_query. The default is fail-closed. Attestation credentials grant subset actions to specific holders for specific purposes with mandatory rationale.

2.7 DontoQL with lens parameters

The 21-clause language exposes scope, polarity, maturity, identity, predicate expansion, modality, extraction level, POLICY ALLOWS, SCHEMA_LENS, bitemporal AS_OF, and contradiction-pressure ordering as first-class clauses. Consumers get one query algebra rather than a stack of ad-hoc SDKs.

2.8 Append-only event log

Non-statement objects (alignments, identity hypotheses, policies, attestations, reviews, releases, predicate descriptors, frames) mutate exclusively through donto_event_log. There is no UPDATE … SET on these tables; all changes are events.

2.9 Content-addressed blob substrate

donto_blob stores content by SHA-256 with pluggable backends (LocalFS, GCS, mock). The same revision body uploaded by ten documents lands as one blob. Consumers reference blobs through revisions, not directly.

2.10 Three-tier source-provenance trace

donto-trace resolves surface text to byte-offset spans through exact-line equality → substring-within-line → full-body fallback, with cross-shard caching. Backward-fill is idempotent and resumable. Consumers do not implement provenance; they consume it.

2.11 Lean overlay — certifies, does not gate

donto_engine certifies shapes and rules via a stdio JSON protocol. The substrate never blocks on the Lean side. Sidecar absence degrades shape/rule/cert endpoints only.

2.12 Signed release envelopes

Ed25519 over a manifest SHA-256 with did:key identifiers. RO-Crate is the portable export format; JSONL is the native one. Verification is self-contained and offline-safe.

4.1 Context namespacing

Every consumer files its writes under a stable IRI prefix. Recommended forms:

ctx:memory/<module>/<session_id>
ctx:genes/<topic>
ctx:linguistic/<language_or_corpus>
ctx:legal/<case_id>
ctx:medical/<cohort>

A consumer must not write under another consumer's namespace without coordination. The substrate does not enforce this; the convention is what makes multi-consumer operation safe.

4.2 Predicate registry discipline

A consumer that mints new predicates must register descriptors (donto_predicate_descriptor) including label, gloss, subject-type hint, object-type hint, an example, and a nearest- neighbour confidence at mint time. The substrate refuses to register a predicate at maturity ≥ E2 without a descriptor (M10 deliverable; see §6.2). Auto-minted candidate predicates remain at E1 in the consumer's namespace until reviewed.

4.3 Policy declaration

A consumer that registers documents must declare the policy IRI it is using. The substrate's fail-closed default (policy:default/restricted_pending_review) catches misuse without preventing it; declared policies make exports tractable.

4.4 Modality and extraction-level declaration

If a consumer cares about modality (a memory runtime certainly will: model_output is different from oral_history is different from community_protocol), it must declare modality overlays at ingest. Queries that filter by modality drop statements without an explicit overlay row, by design.

4.5 Overlay registration

A consumer that introduces consumer-specific state (memory salience, genealogy DNA-match channels, linguistic paradigm-cell coverage) must register the overlay tables through donto_overlay_registry (M10 deliverable; see §6.1). Overlay tables are bitemporal-lint- checked and policy-aware.

4.6 No direct core mutation

Consumers may not UPDATE, DELETE, or TRUNCATE against any donto_* core table. Reads are unrestricted (subject to policy); writes go through donto_assert / donto_retract / donto_correct / donto_event_log_append / overlay-table inserts.

4.7 Tripwire contribution

A consumer that depends on a substrate invariant (e.g., donto-memory depending on bitemporal AS_OF returning the expected pre-revocation view of a preference claim) commits a tripwire test to packages/donto-client/tests/invariants_*.rs. This is how the substrate stays honest about the contracts it serves.

4.8 Adapter loss reporting

A consumer that imports from or exports to external systems must produce a LossReport describing what the external format cannot represent (governance, contradiction, time, n-ary frames, anchors, review state). The substrate enforces this for adapters that ship in this repository; consumers extending the adapter surface accept the same discipline.

6.1 Overlay extension API

Status: new. Problem: Consumers will introduce state that doesn't belong in core but does need bitemporal discipline, policy inheritance, and event-log integration. donto-memory needs salience, recall counts, reconsolidation queues. genes needs DNA-match channels, blocking indexes, kin-recursion caches. Today's options are "add to core" (wrong) or "side database" (also wrong; reintroduces split-brain).

Delta: Introduce donto_overlay_registry (migration 0132):

create table if not exists donto_overlay_registry (
    overlay_iri      text primary key,    -- e.g. ctx:memory/overlay/access
    consumer_iri     text not null,        -- e.g. ctx:memory
    table_name       text not null,        -- e.g. donto_x_memory_access
    owns_key         text not null,        -- statement_id | record_id | ...
    policy_inherits  text not null default 'from_target',
    bitemporal       boolean not null default true,
    description      text,
    registered_by    text not null,
    registered_at    timestamptz not null default now()
);

Plus three CLI verbs: donto overlay register, donto overlay lint, donto overlay drop. Lint checks:

• Overlay table has tx_time tstzrange (or valid_time for world-time overlays) with lower_inc constraint.
• Overlay table references at least one substrate primary key.
• Overlay table is in the consumer's prefix namespace.
• Overlay table has no ON DELETE CASCADE against core tables (so retraction cannot silently delete consumer overlay state).

Acceptance: donto-memory's donto_x_memory_access, donto_x_memory_state, and donto_x_reconsolidation_queue register cleanly. genes's donto_x_dna_match_channel registers cleanly. Lint catches a deliberately-broken overlay (missing tx_time) in a tripwire test.

6.2 Predicate registry minting controls

Status: PRD §6.9 spec; not enforced. Problem: 938 K distinct predicates in production. LLM-driven proliferation has no write-side brake.

Delta: Migration 0133 makes donto_predicate_descriptor required for any predicate registered at maturity ≥ E2 under a curated context. A new column donto_predicate.minting_status (candidate / approved / deprecated / merged) drives the gate. Auto-mint by extraction writes candidate status; review promotes to approved. The existing donto-api align worker proposes near-duplicate merges nightly.

Acceptance: A curated-context write attempting to use a predicate without a descriptor fails with a structured error. The permissive-context write succeeds. donto predicates audit returns counts by minting status. Three tripwires: descriptor-required, alignment-proposed, merge-applied.

6.3 Hot-path policy projection cache

Status: identified in ROADMAP-AFTER-MAY18.md; not landed. Problem: §12.3 (H8) shows policy gating scales modestly but becomes a bottleneck on hot paths at 1 M+ rows. donto-memory's hot path runs hundreds of recall queries per session; policy cannot re-evaluate per row.

Delta: Migration 0134 introduces donto_effective_policy_cache, a matview keyed by (target_kind, target_id) materialising donto_effective_actions output. Refreshed on policy assignment and revocation events via trigger. Hot-path lookups become a single B-tree probe.

Acceptance: A 100 K-row POLICY ALLOWS filter completes in < 100 ms on the standard hardware (vs ~812 ms today). Tripwire verifies cache consistency under concurrent policy changes.

6.4 Identity-lens precomputed clusters

Status: identified; not landed. Problem: Identity-lens query evaluation today walks identity edges per query. For a memory runtime that wants "all preferences about this user under the strict lens", per-query traversal is too slow.

Delta: Migration 0135 introduces donto_identity_cluster_cache(hypothesis_iri, symbol_iri, referent_id), refreshed when identity edges or hypotheses change. DontoQL IDENTITY_LENS consults the cache instead of walking edges. The cache is per-hypothesis, so adding a new lens does not invalidate the others.

Acceptance: A query under IDENTITY_LENS strict_identity_v1 on a 10 K-symbol corpus completes in < 50 ms. Adding a new edge invalidates only one hypothesis's cache.

6.5 HTTP-middleware Trust Kernel enforcement (F-1 follow-on)

Status: identified; substrate side closed; sidecar side open. Problem: The substrate fails closed if no policy is provided (F-1 closure, migration 0123), but consumers writing via legacy ingest paths can still produce unpoliced rows that land on the default fail-closed policy rather than being refused outright.

Delta: A new middleware in dontosrv rejects POST /assert, POST /documents/register, POST /documents/revision, and POST /extract/exhaustive calls that do not name a policy IRI. The middleware is opt-in by configuration: enforce_policy_at_http = true is the default for new deployments; existing deployments must explicitly enable it after a migration window.

Acceptance: A curl -X POST /documents/register without policy_iri returns 400; with policy_iri it succeeds. Migration notes document the enable-after-window procedure. genes corpus runs cleanly under the enforced middleware after a one-pass backfill.

6.6 Characterisation matviews

Status: identified; not landed. Problem: Subject cardinality and polarity-mixed contradictions do not return in routine time at 39 M rows. Consumers asking "how big is my namespace?" or "how contested is my preference data?" hit the same wall.

Delta: Three new matviews (migrations 0136–0138):

donto_subject_stats             -- per-subject row count, last update
donto_contradiction_pressure    -- per-subject-predicate contradiction count
donto_predicate_proliferation   -- predicate count by namespace prefix

All three refresh on a daily systemd timer (donto-matviews.timer). Manual refresh available via donto refresh-matviews. Refresh is incremental where possible (PostgreSQL REFRESH MATERIALIZED VIEW CONCURRENTLY).

Acceptance: donto status returns subject cardinality in < 1 s. donto-memory and genes both rely on these matviews for their dashboards. Tripwire verifies matview consistency after inserts.

6.7 True-deletion path for legal/privacy

Status: new. Problem: "No destructive overwrite" is correct for audit, but personal memory (donto-memory's domain) and sensitive cultural material (genes's domain) both have legitimate deletion paths. GDPR right-to-be-forgotten, native-title-sensitive material, medical-record retraction requirements all need a path that preserves audit-of-deletion without preserving the deleted content.

Delta: Migration 0139 introduces encrypted-blob tombstoning:

1. Blobs may be ingested with an optional encryption_key_iri referencing a key managed outside the substrate.
2. A new donto_blob_tombstone operation marks a blob as permanently inaccessible: the key reference is dropped, the bytes are overwritten with zero, the tombstone records that the deletion occurred (by whom, when, under what attestation, citing what authority).
3. Claims referencing tombstoned blobs continue to exist as audit records but their evidence links resolve to a redaction marker.
4. The Trust Kernel grows a new action: request_deletion. A holder with this action under a policy assigned to a target may initiate tombstoning.

Acceptance: GDPR-style deletion against a user-preference blob produces an audit trail without preserving the blob content. Re-running a release build against a corpus with tombstoned blobs emits a LossReport noting redactions but does not include the content. Three tripwires: tombstone-creates-audit-but-not-content, release-respects-tombstones, tombstone-requires-attestation.

6.8 Schema discovery API

Status: partial (/predicates, /schema exist; not exhaustive). Problem: Consumers binding to donto need to introspect what's available — predicates, contexts, modalities, extraction levels, policies, frame types, alignment relations. Today they have to read SQL or migration files.

Delta: A new endpoint family under /discovery/*:

GET /discovery/contract-version      contract version + supported clauses
GET /discovery/contexts              context tree
GET /discovery/contexts/<iri>        context detail + parents + policies
GET /discovery/predicates            predicates with minting status
GET /discovery/predicates/<iri>      descriptor + alignment edges
GET /discovery/modalities            allowed modality values
GET /discovery/extraction-levels     allowed extraction levels
GET /discovery/policies              policy capsules
GET /discovery/policies/<iri>        capsule detail + assignments
GET /discovery/frame-types           registered frame types
GET /discovery/alignment-relations   the 11 alignment relations with safety flags
GET /discovery/identity-hypotheses   registered identity hypotheses
GET /discovery/overlays              registered consumer overlays (§6.1)
GET /discovery/dontoql-grammar       BNF of the current DontoQL grammar
GET /discovery/openapi               OpenAPI 3.1 spec for everything above

All endpoints policy-gate as read_metadata. The OpenAPI spec is the contract for SDK generators.

Acceptance: A new consumer with a fresh donto-client install can render its own UI by hitting /discovery/* exclusively, without parsing migration files.

6.9 Lean overlay parity

Status: identified; not landed. Problem: packages/lean/ is skeletal; the developed shape library lives in autoresearch-genealogy/lean/Genealogy/. The two should converge in the substrate-neutral parts (functional, typed- literal, transitive closure, inverse, symmetric, parent–child age-gap as the worked-genealogy-shape example).

Delta: Port the substrate-neutral shapes and rules into packages/lean/Donto/Shapes/Stdlib.lean and packages/lean/Donto/ Rules/Stdlib.lean. Domain-specific shapes (kinship-recursion bounds, paradigm-cell coverage) stay in the consumer's tree; donto_engine loads them via a registry.

Acceptance: lake build from a fresh checkout produces a working donto_engine against the standard shape library. The genealogy-specific shapes ship in genes/lean/ and load on demand. Tripwires for each standard-library shape ship in the substrate test suite.

6.10 Multi-tenant deployment pattern

Status: undocumented. Problem: Two consumers (donto-memory and genes) running against one Postgres instance need a convention for isolation. Database-per-consumer is too expensive; schema-per-consumer would break shared substrate primitives.

Delta: Document the context-namespace-with-policy-isolation pattern as the canonical multi-tenant deployment:

• Each consumer owns a context namespace (ctx:memory/*, ctx:genes/*).
• Each consumer registers a default policy that all of its contexts inherit.
• Cross-consumer reads require attestation under the producing consumer's policy.
• Cross-consumer writes are not supported; consumers must publish release envelopes if they want their data consumed elsewhere.

The pattern doc lives at docs/MULTI-TENANT-DEPLOYMENT.md with the systemd unit files, Caddy routes, and policy templates for both deployment models (single-instance and per-consumer-instance).

Acceptance: A second consumer can be onboarded onto an existing donto instance in under 30 minutes of operator time (create namespace, create default policy, register overlays).

6.11 Consumer SDK promise

Status: Rust client exists (2,665 LOC, comprehensive); TypeScript client is partial; Python client is missing.

Delta:

• donto-client (Rust): the reference SDK. Maintain at parity with HTTP routes; promise semantic versioning from M10.
• client-ts: ship a 1.0 release covering reads, asserts, retracts, and DontoQL submission. The dontopedia frontend becomes the integration test.
• client-py: new. Synchronous and async (httpx) variants. Coverage: reads, asserts, retracts, DontoQL, policy, evidence links. donto-memory and donto-api both consume this. Generated from the OpenAPI spec where possible.

Acceptance: All three clients ship a smoke-test suite against a local donto instance. The Python client handles donto-memory's hot-path query within 50 ms p50.

6.12 Policy-aware recall projection

Status: new; specifically motivated by memory consumers but domain-neutral. Problem: A consumer wants to ask "give me everything in this context that this attested agent can quote / export / train on" in one round-trip rather than per-row policy decisions.

Delta: A new SQL function and HTTP route:

donto_recall_projection(
    p_holder text,
    p_action text,
    p_scope  jsonb,
    p_pattern jsonb,
    p_lens jsonb default null
) returns setof <statement-with-policy-flags>;

The function joins through donto_effective_policy_cache (§6.3), applies the identity lens (§6.4), filters by the attestation chain, and returns rows pre-marked with which actions the caller may perform on each. Consumers like donto-memory build their "Memory Evidence Bundle" by post-processing this single result set.

Acceptance: A POST /recall returning a 200-row bundle completes in < 100 ms on the standard hardware. Tripwire verifies that policy revocation propagates to the projection within one matview refresh cycle.

11.1 Mission drift

The most likely failure mode for an evidence-grade substrate that runs a 39 M-row genealogy corpus is that genealogy quietly becomes the product. Counter-controls:

• The substrate test (§10) is applied to every feature proposal.
• Domain-specific work lands in genes/ (a separate repository tree, not the donto repo) once donto-lang and a second third-party consumer are real.
• The PRD reviews every quarter check that no donto_* core table contains domain-specific columns.

11.2 Predicate proliferation

The 938 K-predicate problem (§13 of the May 2026 paper) is the visible artefact of insufficient minting controls. §6.2 is the direct fix; §6.6's matview is how we measure it.

11.3 Policy bleed

Multi-tenant deployment (§6.10) without careful policy templates risks one consumer's data leaking into another consumer's exports. Counter-controls:

• Default policy is fail-closed; cross-consumer reads require explicit attestation.
• Release blockers (PRD §17.2) include unresolved policy as a hard gate.
• Tripwire: an export from ctx:memory/* containing a row from ctx:genes/* must fail unless explicitly authorised.

11.4 Tombstoning vs audit

True-deletion (§6.7) is in tension with append-only discipline (I3). The encrypted-blob model resolves the tension at the bytes layer (key dropped, bytes zeroed, fact-of-deletion preserved), but it requires consumers to ingest sensitive blobs with encryption keys from the start. Retrofitting tombstones over plaintext blobs is impossible.

Counter-control: document the encrypted-ingest pattern prominently; ship donto blob ingest --encrypted as the default for sensitive-policy capsules.

11.5 Contract creep

The schema-discovery API (§6.8) commits the substrate to a publicly-visible surface. Once an SDK is generated from /discovery/openapi, breaking changes affect every consumer. Counter-control: contract-version field, semver discipline, deprecation cycles measured in quarters not weeks.

11.6 Overlay sprawl

The overlay-extension API (§6.1) is meant to absorb consumer- specific state cleanly. The risk is that consumers register overlays casually and the substrate's table count balloons. Counter-control: the donto overlay lint step enforces bitemporal discipline and policy inheritance; quarterly overlay review.