docs: recenter Truth docs and planning lifecycle

[flyingrobots]

Summary

• repair the architecture map so it matches the shipped system
• add a dedicated threat model and align security docs around it
• define the planning-doc lifecycle and archive delivered backlog cards
• add the Truth legend backlog items from the editor report

Included cycles

• TR-001 Architecture Reality Gap
• TR-002 Threat Model
• TR-004 Design Doc Lifecycle

Review order

1. editor-report backlog additions and Truth legend setup
2. architecture doc rewrite
3. threat model and security/api wording corrections
4. workflow and planning lifecycle cleanup

Notes

• docs/process-only branch
• no runtime code changes
• local verification for this branch was markdown formatting plus the repo pre-commit eslint gate

Summary by CodeRabbit

• Documentation
  • Rewrote ARCHITECTURE into a consolidated system/layer model (manifests, Merkle behavior, storage layout, adapters, vault semantics)
  • Added canonical THREAT_MODEL and linked it from SECURITY.md; clarified vault-passphrase/KDF guidance in API docs
  • Introduced formal planning lifecycle, archive/backlog/design indexes, many new/updated docs and backlog items
  • Updated CHANGELOG and formatting/consistency fixes across documentation files

[coderabbitai]

Important

Review skipped

This PR was authored by the user configured for CodeRabbit reviews. CodeRabbit does not review PRs authored by this user. It's recommended to use a dedicated user account to post CodeRabbit review feedback.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b9b5a11f-fc32-4243-8f86-ec3889be615b

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR is documentation-centric: it rewrites ARCHITECTURE.md into a system/layer model, adds a canonical threat model, formalizes doc/workflow lifecycles with archive dirs, updates API/SECURITY/CHANGELOG, and marks many design/backlog docs as Landed with retrospectives.

Changes

Cohort / File(s)	Summary
Architecture & System Docs ARCHITECTURE.md	Rewrote into a system-map and layer model; added ContentAddressableStore facade, ports/adapters list (GitRefPort, CryptoPort, ChunkingPort, ObservabilityPort), detailed storage/vault behavioral contracts (Merkle manifests, chunk/manifest rules, vault slug index at refs/cas/vault), and core flows (+284/-28).
Threat Model & Security docs/THREAT_MODEL.md, SECURITY.md, docs/design/TR-002-threat-model.md	Added canonical threat model and TR-002; SECURITY.md now references threat model, condenses threat discussion, and reforms presentation/tables/examples (+249, +102/-68, +166).
API Documentation docs/API.md	Normalized JS examples (semicolons, trailing commas), renamed Vault section to "Vault‑Configured Passphrase Encryption", clarified KDF/.vault.json semantics and caller responsibilities; table reflows for flags/errors (+121/-97).
Workflow & Lifecycle WORKFLOW.md, docs/design/TR-004-design-doc-lifecycle.md	Formalized live vs archived backlog and document lifecycle vocabulary (Proposed/Active/Landed/Superseded/Archived), added Index Hygiene rules and lifecycle normalization guidance (+64, +163).
Backlog / Archive docs/BACKLOG/README.md, docs/BACKLOG/TR-003*, docs/BACKLOG/TR-005*, docs/archive/...	Converted live backlog to queued/in-cycle items, added archive directories/READMEs, introduced TR backlog items (TR-003, TR-005), and fixed archive link paths (../→../../).
Design Docs — Status Updates docs/design/..., docs/design/RL-*.md, docs/design/README.md	Marked multiple design docs as Landed, appended Retrospectives, and reorganized design README around status sections (Active/Landed/Archived).
New Design Truth Documents docs/design/TR-001-architecture-reality-gap.md	Added TR-001 ("Architecture Reality Gap") as a landed truth doc describing mismatches and an implementation/verification plan (+152).
Legends / Indexes docs/legends/README.md, docs/legends/RL-relay.md, docs/legends/TR-truth.md	Added TR — Truth legend, updated Relay legend wording/status, and added TR-truth entry to legends README.
Changelog & Minor Indexes CHANGELOG.md, various docs/archive/BACKLOG/*	Added Unreleased changelog entries documenting the new threat-model doc, workflow lifecycle updates, and ARCHITECTURE.md refresh; added/updated archive backlog readmes and entries.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• v3.0.0 — Vault #7 — Related: documentation mirrors VaultService, vault refs, and vault-oriented ports/adapters introduced or exposed in that PR.
• docs(jsdoc): comprehensive JSDoc pass across all source files #5 — Related: docs reference ContentAddressableStore facade and exported convenience methods (storeFile/restoreFile) described in that PR.

Poem

A rabbit nibbles through docs by lamplight,
Hops through ARCHITECTURE, threat model bright.
Backlogs trimmed, legends set in place,
Vaults and manifests keep tidy trace.
Hooray — landed docs, a tidy space! 🐇📜

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: recentering the documentation around Truth docs and planning lifecycle, which aligns with the PR's core objectives of repairing architecture, adding threat model, defining lifecycle, and reorganizing backlog.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (3)

docs/legends/RL-relay.md (1)

83-86: Consider normalizing empty-backlog phrasing for consistency.

Line 85 (- none currently) works, but title-case/sentence-style wording would read cleaner in this docs set (e.g., - None currently.).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/legends/RL-relay.md` around lines 83 - 86, Change the backlog item
string "- none currently" to use sentence-style capitalization and punctuation
for consistency with the docs (replace "- none currently" with "- None
currently.").

ARCHITECTURE.md (2)

271-284: Add cross-reference to the new threat model document.

The "Reading This With Other Docs" section provides helpful navigation to adjacent documentation. However, it's missing a reference to docs/THREAT_MODEL.md, which TR-002 establishes as the canonical threat model document. Given that the threat model defines assets, attackers, and trust boundaries—all architectural concerns—it would be valuable to include it here.

📝 Suggested addition

 - [SECURITY.md](./SECURITY.md)
   - crypto and security guidance
+- [docs/THREAT_MODEL.md](./docs/THREAT_MODEL.md)
+  - threat model, assets, and trust boundaries
 - [WORKFLOW.md](./WORKFLOW.md)
   - current planning and delivery model

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ARCHITECTURE.md` around lines 271 - 284, Add a new bullet under the "Reading
This With Other Docs" section pointing to docs/THREAT_MODEL.md so readers can
find the canonical threat model (TR-002); follow the existing bullet format (a
link plus a short descriptor) and place it with the other adjacent-doc entries
to ensure the threat model is discoverable from the architecture overview.

---

44-67: Clarify which domain services are publicly exported.

The document lists CasService, KeyResolver, VaultService, rotateVaultPassphrase, and CasError as "Current key domain pieces." However, only CasService and VaultService are exported from index.js. KeyResolver, rotateVaultPassphrase, and CasError are internal-only services.

While the document doesn't explicitly claim all listed services are public exports, the structure (Facade → Domain → Ports → Infrastructure) could lead readers to assume everything listed is part of the public API. Consider adding a brief note distinguishing exported services from internal domain services, or restructuring to make the public API boundary more explicit.

📝 Suggested clarification

 ### Domain
 
 The domain lives under `src/domain/`.
 
-Current key domain pieces:
+Current key domain pieces (exported services in **bold**):
 
 - `Manifest` and `Chunk`
   - value objects that describe stored content and chunk metadata
-- `CasService`
+- **`CasService`**
   - the main content orchestration service
   - handles store, restore, tree creation, manifest reads, inspection, and
     recipient/key operations
 - `KeyResolver`
   - resolves key sources, passphrase-derived keys, and envelope recipient DEK
     wrapping and unwrapping
-- `VaultService`
+- **`VaultService`**
   - manages the GC-safe vault ref and its commit-backed slug index
 - `rotateVaultPassphrase`
   - coordinates vault-wide passphrase rotation across existing entries
 - `CasError`
   - the canonical domain error type with stable codes and metadata

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ARCHITECTURE.md` around lines 44 - 67, Clarify public vs internal domain
services in ARCHITECTURE.md by adding a short note after the "Current key domain
pieces" list stating which symbols are exported from the package entry
(index.js) and which are internal-only; explicitly name CasService and
VaultService as exported, and KeyResolver, rotateVaultPassphrase, and CasError
as internal/internal-only, and update the Facade → Domain → Ports →
Infrastructure description to call out the public API boundary so readers don’t
assume all listed items are exported.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@ARCHITECTURE.md`:
- Around line 271-284: Add a new bullet under the "Reading This With Other Docs"
section pointing to docs/THREAT_MODEL.md so readers can find the canonical
threat model (TR-002); follow the existing bullet format (a link plus a short
descriptor) and place it with the other adjacent-doc entries to ensure the
threat model is discoverable from the architecture overview.
- Around line 44-67: Clarify public vs internal domain services in
ARCHITECTURE.md by adding a short note after the "Current key domain pieces"
list stating which symbols are exported from the package entry (index.js) and
which are internal-only; explicitly name CasService and VaultService as
exported, and KeyResolver, rotateVaultPassphrase, and CasError as
internal/internal-only, and update the Facade → Domain → Ports → Infrastructure
description to call out the public API boundary so readers don’t assume all
listed items are exported.

In `@docs/legends/RL-relay.md`:
- Around line 83-86: Change the backlog item string "- none currently" to use
sentence-style capitalization and punctuation for consistency with the docs
(replace "- none currently" with "- None currently.").

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9f89cc9e-e4e4-4900-87fb-d0888f755404

📥 Commits

Reviewing files that changed from the base of the PR and between 6df6e86 and 801cb3d.

📒 Files selected for processing (35)

• ARCHITECTURE.md
• CHANGELOG.md
• SECURITY.md
• WORKFLOW.md
• docs/API.md
• docs/BACKLOG/README.md
• docs/BACKLOG/TR-003-benchmark-baselines.md
• docs/BACKLOG/TR-005-casservice-decomposition-plan.md
• docs/THREAT_MODEL.md
• docs/archive/BACKLOG/README.md
• docs/archive/BACKLOG/RL-001-agent-recipient-list.md
• docs/archive/BACKLOG/RL-002-agent-recipient-mutations.md
• docs/archive/BACKLOG/RL-003-agent-rotate.md
• docs/archive/BACKLOG/RL-004-agent-vault-rotate.md
• docs/archive/BACKLOG/RL-005-agent-vault-lifecycle.md
• docs/archive/BACKLOG/TR-001-architecture-reality-gap.md
• docs/archive/BACKLOG/TR-002-threat-model.md
• docs/archive/BACKLOG/TR-004-design-doc-lifecycle.md
• docs/archive/README.md
• docs/archive/design/README.md
• docs/design/0001-m18-relay-agent-cli.md
• docs/design/0002-m18-relay-write-flows.md
• docs/design/0003-m18-relay-tree-creation.md
• docs/design/README.md
• docs/design/RL-001-agent-recipient-list.md
• docs/design/RL-002-agent-recipient-mutations.md
• docs/design/RL-003-agent-rotate.md
• docs/design/RL-004-agent-vault-rotate.md
• docs/design/RL-005-agent-vault-lifecycle.md
• docs/design/TR-001-architecture-reality-gap.md
• docs/design/TR-002-threat-model.md
• docs/design/TR-004-design-doc-lifecycle.md
• docs/legends/README.md
• docs/legends/RL-relay.md
• docs/legends/TR-truth.md

[coderabbitai]

🧹 Nitpick comments (1)

docs/legends/TR-truth.md (1)

89-89: Consider simplifying "under strain" to "strained".

The phrase "under strain" could be shortened to "strained" for conciseness, though both are acceptable.

Optional simplification

-- evaluating service decomposition where the current boundary is under strain
+- evaluating service decomposition where the current boundary is strained

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/legends/TR-truth.md` at line 89, Replace the phrase "under strain" with
the more concise "strained" in the sentence "evaluating service decomposition
where the current boundary is under strain" inside the TR-truth.md content;
update that exact text to read "evaluating service decomposition where the
current boundary is strained" to improve conciseness while preserving meaning.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/legends/TR-truth.md`:
- Line 89: Replace the phrase "under strain" with the more concise "strained" in
the sentence "evaluating service decomposition where the current boundary is
under strain" inside the TR-truth.md content; update that exact text to read
"evaluating service decomposition where the current boundary is strained" to
improve conciseness while preserving meaning.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5de2cea9-2955-414f-ba88-f73f8430d385

📥 Commits

Reviewing files that changed from the base of the PR and between 9032718 and a629b2f.

📒 Files selected for processing (12)

• WORKFLOW.md
• docs/API.md
• docs/BACKLOG/README.md
• docs/archive/BACKLOG/README.md
• docs/archive/BACKLOG/TR-001-architecture-reality-gap.md
• docs/archive/BACKLOG/TR-002-threat-model.md
• docs/archive/BACKLOG/TR-004-design-doc-lifecycle.md
• docs/design/README.md
• docs/design/TR-001-architecture-reality-gap.md
• docs/design/TR-002-threat-model.md
• docs/design/TR-004-design-doc-lifecycle.md
• docs/legends/TR-truth.md

✅ Files skipped from review due to trivial changes (9)

• docs/BACKLOG/README.md
• docs/archive/BACKLOG/README.md
• docs/archive/BACKLOG/TR-002-threat-model.md
• docs/archive/BACKLOG/TR-001-architecture-reality-gap.md
• docs/archive/BACKLOG/TR-004-design-doc-lifecycle.md
• docs/design/README.md
• WORKFLOW.md
• docs/design/TR-001-architecture-reality-gap.md
• docs/design/TR-004-design-doc-lifecycle.md

🚧 Files skipped from review as they are similar to previous changes (2)

• docs/API.md
• docs/design/TR-002-threat-model.md

[coderabbitai]

🧹 Nitpick comments (1)

docs/legends/TR-truth.md (1)

94-94: Optional: tighten wording at Line 94.

“Under strain” reads slightly vague here; a more concrete phrase improves scanability.

✏️ Suggested wording tweak

-- evaluating service decomposition where the current boundary is under strain
+- evaluating service decomposition where the current boundary no longer fits

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/legends/TR-truth.md` at line 94, Replace the vague phrase "evaluating
service decomposition where the current boundary is under strain" with a more
concrete alternative—e.g., "evaluating service decomposition where the current
boundary is experiencing high load or frequent contention"—so readers
immediately understand the trigger conditions; update the line containing that
exact phrase in TR-truth.md to the new wording.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@docs/legends/TR-truth.md`:
- Line 94: Replace the vague phrase "evaluating service decomposition where the
current boundary is under strain" with a more concrete alternative—e.g.,
"evaluating service decomposition where the current boundary is experiencing
high load or frequent contention"—so readers immediately understand the trigger
conditions; update the line containing that exact phrase in TR-truth.md to the
new wording.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 93524617-c1ec-4bdc-885e-f68e999e6b69

📥 Commits

Reviewing files that changed from the base of the PR and between c767044 and 3cccd48.

📒 Files selected for processing (7)

• docs/BACKLOG/README.md
• docs/BACKLOG/TR-006-docs-maintainer-checklist.md
• docs/BACKLOG/TR-007-security-doc-discoverability-audit.md
• docs/BACKLOG/TR-008-empty-state-phrasing-consistency.md
• docs/BACKLOG/TR-009-pre-pr-doc-cross-link-audit.md
• docs/BACKLOG/TR-010-planning-index-consistency-review.md
• docs/legends/TR-truth.md

✅ Files skipped from review due to trivial changes (5)

• docs/BACKLOG/TR-009-pre-pr-doc-cross-link-audit.md
• docs/BACKLOG/TR-007-security-doc-discoverability-audit.md
• docs/BACKLOG/TR-006-docs-maintainer-checklist.md
• docs/BACKLOG/TR-010-planning-index-consistency-review.md
• docs/BACKLOG/TR-008-empty-state-phrasing-consistency.md

🚧 Files skipped from review as they are similar to previous changes (1)

• docs/BACKLOG/README.md