6.5 KiB
Data Model — Private AI Execution & Policy Foundation
Spec: spec.md
No new persistent tables or AI artifact stores are required for v1. The feature reuses existing workspace settings, operational controls, and audit logs. New AI-specific structures are code-owned or request-scoped.
Persisted Truth Reused
Workspace AI Policy (workspace_settings carrier)
Purpose: Workspace-owned policy truth that determines whether AI is disabled entirely or limited to approved private-only use cases.
Persisted carrier: existing workspace_settings row via WorkspaceSetting
Planned definition:
domain:aikey:policy_modetype:stringsystem_default:disabledallowed values:disabled,private_onlyscope: workspace only; no tenant override in v1
Validation rules:
- required
- string
in:disabled,private_only
Authorization:
- view: existing
workspace_settings.view - mutation: existing
workspace_settings.manage
Audit strategy:
- reuse
workspace_setting.updatedandworkspace_setting.reset - include AI-specific metadata in the existing workspace-settings audit context
State transitions:
disabled->private_onlyprivate_only->disabled
AI Execution Control (operational_control_activations carrier)
Purpose: Platform-owned runtime stop for new AI execution attempts.
Persisted carrier: existing OperationalControlActivation
Planned definition:
control_key:ai.executionlabel:AI executionsupported_scopes:globalaffected_surfaces: governed AI decision callers only
Behavior:
- a matching active control blocks new AI execution decisions before provider resolution
- global pause is the required v1 incident path
- workspace-specific pause or tenant-specific pause is out of scope for v1 and remains a follow-up concern if future incident handling genuinely requires it
State transitions:
enabled->pausedpaused->enabled
AI Decision Audit (audit_logs carrier)
Purpose: Stable record of governed AI allow/block evaluations without storing raw prompt or output content.
Persisted carrier: existing audit_logs rows through WorkspaceAuditLogger / AuditRecorder
Planned action strategy:
- reuse existing workspace-setting actions for policy mutation
- add one bounded AI decision action ID, e.g.
ai_execution.decision_evaluated, for governed decision evaluations
Planned metadata:
use_case_keydecision_outcome(allowedorblocked)decision_reasonworkspace_ai_policy_moderequested_provider_classdata_classificationssource_familyworkspace_id- optional
tenant_id - optional
context_fingerprint - optional
matched_operational_control_scope
Explicit exclusions:
- raw prompt text
- raw source payloads
- raw provider payloads
- full model output text
Code-Owned Truth
Approved AI Use Case Definition
Purpose: Code-owned allowlist entry that defines one approved AI purpose and its trust constraints.
Fields:
keyfuture_consumervisibilityallowed_provider_classesallowed_data_classificationssource_familytenant_context_permitted
v1 catalog is locked to exactly two entries:
| Key | Future Consumer | Visibility | Allowed Provider Classes | Allowed Data Classifications | Source Family | Tenant Context Permitted |
|---|---|---|---|---|---|---|
product_knowledge.answer_draft |
ContextualHelpResolver and related code-owned knowledge sources |
internal_only_draft |
local_private |
product_knowledge, operational_metadata |
product_knowledge |
no |
support_diagnostics.summary_draft |
redacted summary derived from SupportDiagnosticBundleBuilder |
internal_only_draft |
local_private |
redacted_support_summary |
support_diagnostics |
yes |
Validation rules:
- key must be registered in the catalog
- no third use case may appear in v1 without a spec update
external_publicis never allowed for these entries in v1
Provider Class
Purpose: Vendor-neutral trust boundary for AI routing decisions.
Allowed values:
local_privateexternal_public
Behavioral consequence:
external_publicis always blocked in v1local_privatemay be allowed only when the use case and data classifications permit it
AI Data Classification
Purpose: Declarative label that determines whether a data family may cross the governed AI boundary.
Values:
product_knowledgeoperational_metadataredacted_support_summarypersonal_datacustomer_confidentialraw_provider_payload
Behavioral consequence:
personal_data,customer_confidential, andraw_provider_payloadare always blocked in v1- allowed classifications vary by use case
Request-Scoped Contracts
AI Execution Request
Purpose: In-process request envelope passed to the governed decision boundary before any provider resolution or model execution is attempted.
Fields:
workspace_id- optional
tenant_id actor_typeactor_iduse_case_keyrequested_provider_classdata_classifications(list)source_family- optional
caller_surface - optional
context_fingerprint
Validation rules:
workspace_idis requireduse_case_keymust be registeredrequested_provider_classmust be declared by the registered use case- every declared data classification must be allowed for the use case
- host-surface authorization must already be resolved before evaluation
Important v1 boundary:
- the request is a preflight contract and does not need to carry raw prompt or payload text in v1
- future runtime/provider work can extend around this envelope later, but not inside this spec
AI Execution Decision
Purpose: Terminal allow/block result returned by the governed boundary.
Fields:
outcome(allowedorblocked)reason_codeworkspace_ai_policy_modematched_operational_control_scope(nullable)use_case_keyrequested_provider_classdata_classificationssource_familyaudit_actionaudit_metadata
Behavioral consequence:
blocked: provider resolution must not occurallowed: returns an approved handoff envelope only; v1 still does not execute a provider call or create a persisted result
State Transitions Summary
Workspace AI Policy
disabled<->private_only
Operational Control
enabled<->paused
AI Execution Decision
evaluating->allowedevaluating->blocked
There is no queued, running, retrying, completed, or persisted-result lifecycle in v1.