guides/support-truth-and-ownership-boundaries.md

Select File
guides/support-truth-and-ownership-boundaries.md

# Support Truth And Ownership Boundaries

This project is intentionally explicit about which side owns which behavior. The public contract
uses five support-truth buckets everywhere: `supported`, `tested`, `best-effort`, `host-owned`,
and `intentionally unsupported`.

## supported

- the native `/ops/jobs` shell is the supported operator surface
- native Powertools pages are the supported mutation surface
- `Powertools-native` pages are the diagnosis-first and `Audited action` surface
- overview and audit are part of the same unified native `/ops/jobs` control plane
- the optional `/ops/jobs/oban` bridge is supported only as a read-only inspection annex
- the `Oban Web bridge` remains `Inspection only`
- the host-owned integration contract is supported when the documented seams are explicit
- the singular upgrade lane from `examples/phoenix_host_upgrade_source` to the current contract
  is supported

## tested

- the fresh-host install path
- the canonical current-state fixture at `examples/phoenix_host`
- the first-session proof for `ops-demo`, `nightly_sync`, and `pause_cron_entry`
- the optional bridge render lane at `/ops/jobs/oban`
- the docs-contract lane
- the singular `upgrade-proof` lane backed by `examples/phoenix_host_upgrade_source`

## best-effort

- semver-allowed combinations outside tested lanes
- bridge-enabled or otherwise diverged source hosts
- bespoke host shells beyond the documented `/ops/jobs` mount shape
- unusual reverse-proxy, session, or WebSocket setups
- bridge behavior beyond the bounded read-only contract

## host-owned

- router scope in front of `/ops/jobs`
- browser pipeline in front of `/ops/jobs`
- auth implementation and authorization policy
- actor and session lookup
- runtime config
- display policy and redaction posture
- reverse-proxy, WebSocket, and auth/session behavior ahead of the mount
- seeded operator data and whether the optional bridge is exposed in production

## intentionally unsupported

- using the bridge as a mutation surface alongside native Powertools pages
- hidden fallback behavior when required config is missing
- non-Postgres support
- broad compatibility promises outside verified lanes

## v1.4 forensics and runbook handoffs

For forensic continuity, keep one explicit route-level journey:
`/ops/jobs` -> `/ops/jobs/forensics` -> ownership-labeled next path ->
`/ops/jobs/audit`.

At decision points, preserve these exact labels:

- `Powertools-native` (`Audited action`)
- `Oban Web bridge` (`Inspection only`)
- `host-owned follow-up`

Forensics evidence boundaries must remain explicit:

- `partial evidence`
- `history unavailable`
- `unknown`

Escalation status truth is intentionally narrow. Powertools reports only
`unconfigured`, `invoked`, and `failed` host follow-up states, and host
escalation remains host-owned beyond those statuses.

## library-owned implementation

- nested Powertools routes
- native pages
- runtime helpers and adapters
- bounded bridge plumbing

The library keeps those internals explicit, but they do not change the host-owned ownership
split above. The host contract stays explicit instead of relying on hidden defaults.