# Data Ownership and Contract Standards

Status: Draft for approval
Scope: single-writer ownership model and contract versioning standards

## 1. Data Ownership Model
| Data Domain | System of Record | Read Replicas/Projections | Notes |
|---|---|---|---|
| users, identities, sessions | Identity Auth | Gateway BFF cache, Admin views | authentication domain only |
| roles, policies, grants | Policy Authorization | all services via decision API/cache | no direct policy DB writes outside service |
| conversations, messages metadata | Conversation Service | Stream Projection, Admin views | append-only events for timeline integrity |
| workflow runs, run states, retries | Workflow Orchestrator | Stream Projection, Admin views | durable execution state source of truth |
| tool invocations, execution logs | Tool Executor | Workflow Orchestrator, Admin views | include tool risk tier and timeout data |
| hitl requests and responses | HITL Approval | Workflow Orchestrator, Stream Projection | approval deadlines and actor identity required |
| artifacts and file metadata | Artifact Service | Conversation Service references | binary in object storage, metadata in DB |
| mcp app registry and capabilities | MCP Registry Gateway | Agent Runtime and Admin views | versioned capability manifests |
| audit events | Admin Control Plane | Analyst views and SIEM export | immutable append-only log model |
## 2. Contract Standards

### API Standards
- Command APIs: must be idempotent using client_request_id.
- Query APIs: must support pagination and deterministic sorting.
- Every endpoint must include contract_version in response envelope.
- Every mutating endpoint must return operation_id for traceability.
### Event Standards
- Event envelope fields: event_id, event_type, event_version, emitted_at, tenant_id, workspace_id, actor_id, correlation_id.
- Event payloads are immutable after publish.
- Breaking payload changes require new event_type or major event_version.
- Consumer services must declare supported event_version ranges.
## 3. Idempotency and Consistency Rules
- Workflow commands must be idempotent by tenant_id + workspace_id + client_request_id.
- Tool execution results must include deterministic invocation_id.
- HITL responses must reject duplicate response attempts after finalization.
- Stream Projection must be replayable from event backbone offsets.
- Cross-service writes are forbidden; use command APIs or event-driven update paths.
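The idempotency rule above and the event envelope standard in section 2, sketched as an added example (this is illustrative code, not part of the standard or of any service named in the table; the names IdempotentCommandStore, validate_envelope and the sample event are assumptions):

```python
import uuid
from dataclasses import dataclass, field

# Envelope fields the Event Standards section makes mandatory.
REQUIRED_ENVELOPE_FIELDS = (
    "event_id", "event_type", "event_version", "emitted_at",
    "tenant_id", "workspace_id", "actor_id", "correlation_id",
)

@dataclass
class IdempotentCommandStore:
    """Dedupes workflow commands by tenant_id + workspace_id + client_request_id.
    A replayed command returns the operation_id issued the first time instead
    of starting a second workflow run (hypothetical in-memory store)."""
    _seen: dict = field(default_factory=dict)

    def submit(self, tenant_id: str, workspace_id: str,
               client_request_id: str) -> tuple[str, bool]:
        # The key is scoped per tenant and workspace, so the same
        # client_request_id from another workspace is a distinct command.
        key = (tenant_id, workspace_id, client_request_id)
        if key in self._seen:
            return self._seen[key], False   # duplicate: same operation_id, no new run
        operation_id = str(uuid.uuid4())     # returned for traceability
        self._seen[key] = operation_id
        return operation_id, True

def validate_envelope(event: dict, supported: dict[str, tuple[int, int]]) -> list[str]:
    """Consumer-side check: returns a list of problems, empty when the event may be
    processed. `supported` is the consumer's declared event_type -> (min, max)
    major event_version range."""
    problems = [f"missing {f}" for f in REQUIRED_ENVELOPE_FIELDS if f not in event]
    if problems:
        return problems
    if event["event_type"] not in supported:
        return [f"unsupported event_type {event['event_type']}"]
    lo, hi = supported[event["event_type"]]
    major = int(str(event["event_version"]).split(".")[0])
    if not lo <= major <= hi:
        problems.append(f"event_version {event['event_version']} outside supported range {lo}-{hi}")
    return problems

# Constructed sample event (not a real capture); only the envelope is shown.
SAMPLE_EVENT = {
    "event_id": "evt-0001", "event_type": "workflow.run.started", "event_version": "1.2",
    "emitted_at": "2024-01-01T00:00:00Z", "tenant_id": "t1", "workspace_id": "w1",
    "actor_id": "user-42", "correlation_id": "corr-7",
}
```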
## 4. Security and Data Rules

- PII and credential data are stored only in the Identity Auth storage domain.
- Tool secrets are referenced via secret IDs, never embedded in event payloads.
- Artifact metadata must include ownership and retention policy fields.
- Audit events must include actor principal and policy decision reference.
## 5. Approval Checklist
- Confirm each data domain has exactly one owner.
- Confirm event envelope standard fields are mandatory.
- Confirm idempotency strategy is accepted for command APIs.
- Confirm immutable audit requirement is accepted.