Authority And Degraded Mode
Purpose
AdaOS needs explicit authority boundaries before transport hardening. Without them, degraded mode becomes ambiguous and reconnect logic becomes unsafe.
This document defines who owns what and how the system behaves when root, route, sync, or integration readiness is lost.
Related documents:
Authority model
Root
Root is the authority for:
- hub registration and identity validation
- hub NATS session issuance
- owner-facing authentication and root-routed membership bootstrap
- cross-subnet coordination
- externally hosted integrations routed through root
- release and update coordination that spans hubs
Root is not the authority for:
- local hub execution state
- local skill runtime internals
- local Yjs in-memory session ownership
Hub
Hub is the authority for:
- local execution of skills and scenarios
- local event bus
- local persisted webspace and Yjs state
- local member/browser session handling after admission
- local degraded-mode execution once root is unavailable
Hub is not the authority for:
- minting fresh root-backed trust
- claiming root integration delivery without root acknowledgement
- cross-subnet global truth
Member / Browser
Member or browser is the authority for:
- local ephemeral session state
- local cached sync state
- local media device state
Member or browser is not the authority for:
- shared durable control state
- global routing authority
- root-issued trust state
Sidecar
A sidecar may own:
- transport lifecycle
- socket diagnostics
- reconnect loops
- local relay IO
A sidecar must not become the authority for:
- command semantics
- idempotency rules
- durable cursor semantics
- degraded-mode business policy
Readiness tree
AdaOS readiness must be evaluated as a tree, not as one boolean.
Hub Local Core Ready
Means:
- local process is healthy
- local storage is writable
- local event bus is functioning
- local runtime can execute scenarios and skills
Root Control Ready
Means:
- hub has an authenticated control session to root
- auth freshness is valid
- control channel subscriptions are established
- critical root RPC path is available
Route Ready
Means:
- relay route path is installed and subscribed
- route queues are below threshold
- authority path for proxied traffic is known
Sync Ready
Means:
- sync engine can persist and replay updates
- current authority path for sync is healthy
- snapshot + diff recovery is available
Integration Ready
Must be tracked per integration:
- Telegram
- GitHub
- LLM
Each integration can be ready, degraded, buffered, or unavailable independently.
Media Ready
Means:
- media path is available for the session
- signaling may be separate from actual media transport
Media readiness must not gate core hub readiness.
Degraded mode states
AdaOS degraded behavior must be explicit.
State: Root Control Lost
Allowed:
- continue local skill execution
- continue local scenario execution
- continue local Yjs sync on already admitted local sessions if local path exists
- buffer selected Class A outbound hub->root messages
Restricted:
- no minting of new root-backed trust
- no claiming successful external integration delivery
- no operations that require fresh root authority
State: Route Lost But Root Control Up
Allowed:
- control-plane operations
- integration operations
- local hub operations
Restricted:
- new proxied browser/member route sessions may be rejected or deferred
- route traffic enters degraded policy based on backlog class
State: Sync Path Lost
Allowed:
- local persistence of pending sync updates
- snapshot/diff recovery once path is restored
Restricted:
- no claim of real-time sync readiness
- awareness may be dropped
State: Integration Degraded
Allowed:
- continue unrelated hub logic
- buffer or reject per integration policy
Restricted:
- do not mark integration actions as completed without the integration-specific acknowledgement rule
Degraded behavior matrix
| Capability | Hub Local Core Ready | Root Control Ready | Route Ready | Sync Ready | Integration Ready |
|---|---|---|---|---|---|
| Execute local scenarios | required | no | no | no | no |
| Existing local member/browser sessions | required | optional | optional | optional | no |
| New root-backed member admission | required | required | optional | optional | no |
| Root-routed browser proxy | required | required | required | optional | no |
| Telegram/GitHub/LLM action completion | required | required | no | no | per integration |
| Core update coordination via root | required | required | no | no | GitHub optional |
Stale authority rules
The hub must enter stale authority when:
- root-issued control credentials expire
- root control session is absent beyond the configured degraded window
- membership or route authority depends on root state that is older than the allowed freshness bound
When in stale authority:
- new root-dependent admissions are rejected
- buffered commands may remain queued but not executed as if authority were fresh
- diagnostics must surface the distinction between local readiness and stale authority
Required implementation artifacts
Any code path that introduces reconnect, replay, failover, or degraded mode must name:
- authority owner
- stale authority threshold
- allowed operations during degradation
- prohibited operations during degradation
- recovery condition
This document is the policy source for those rules.