Phase 57 — Halt-surface note: OL signin email gate contradicts engine identity contract

Version. 0.1 Date. 2026-05-12 Filed. During Phase 57 Step 2 entry, post-Checkpoint A, before live usage event began. Status. Halt-surface note per substrate-friction-discipline-pattern (manifest v0.39 §2). Phase 57 build paused at Step 2 entry; amendment-scoping moves to a fresh Claude.ai chat. Authoritative inputs. CR-2026-090 phase-57-cr-marketing-engagement-creation-v0_1.md; CC diagnostic against engine + OL source on phase-57-marketing-engagement-creation branch (engine at a00f4a3, OL at 2cc0ebc). Surfaced by. Phase 57 Step 2 entry — first real-Operator attempt to sign in via /operator/create-engagement at the Operator-Layer surface. Operator named a long-standing DUNIN7 principle (email must not be used for identity; email-hijack creates account-takeover via password-reset-to-email) that the OL signin form's required-email gate contradicts.

1. What halted

CR-2026-090 §10 Step 2 — live usage event — paused at signin. The Operator Layer signin form at /operator/create-engagement (which redirects to /signin when unauthenticated) presents a required-email field. The Operator surfaced the standing DUNIN7 principle: email must not be used for identity. The principle predates Phase 41/48's auth-surface work and was not named in any source-of-truth document accessible to phase planning.

CR §10 Step 2 acceptance gate 5 (live OL stack ready) is met at the infrastructure level (engine + OL both healthy; CORS resolved per the earlier local-stack-readiness friction; banner revision present). It is not met at the architectural level (the signin surface contradicts a DUNIN7 principle).

CR §11 halt threshold does not name this contradiction explicitly; the closest fits are "Operator's live conversation surfaces friction the Field 6 prompt can't resolve" (wrong layer — this is signin surface, not field elicitation) and the implicit substrate-friction-discipline-pattern (manifest v0.39 §2 — note-first; Operator-elective amendment cycle).

The halt is filed under the implicit substrate-friction-discipline-pattern. Phase 57 build pauses pending amendment scoping.

2. What CC's diagnostic established

Three findings against the live engine + OL source on the phase-57-marketing-engagement-creation branch:

Finding 1 — Engine identity model is WebAuthn passkey.

• SignupBeginRequest (engine schemas.py): display_name: str required; email: str | None, mobile: str | None optional.
• begin_signup (engine persons/signup.py): display_name validated non-empty; email, mobile optional.
• PersonRow (engine persons/models.py): display_name: str NOT NULL; email: Optional[str] NULL; mobile: Optional[str] NULL.
• LoginBeginRequest (engine signin side): nothing required; email: str | None = None optional.
• Identity is established at /auth/login/complete when the browser returns a signed WebAuthn assertion; engine looks up the Person by the passkey's credential_id, not by email.
• Resident-key / discoverable-credential flow is supported: when email = None on /auth/login/begin, the engine returns a discoverable-credential challenge; the browser presents every passkey for the relying party; selection happens in the browser's passkey UI.

The engine correctly embodies the standing principle. Passkey is the identity; email is an optional contact + optional passkey hint to narrow allowCredentials. The architecture is high-assurance and consistent with the standing principle.

Finding 2 — OL signin form's client-side gate contradicts the engine contract.

• signin-flow.ts:42 POSTs {email: email.trim()} to /auth/login/begin. Engine accepts email: None cleanly.
• IdentifierStep.tsx:31 adds a client-side requirement:

``` if (!email.trim()) { setLocalError(SIGNIN.emailEmptyError); return; } ```

• This four-line client-side gate is the entire contradiction. The engine would accept body: {} and run the discoverable-credential path; the OL form blocks that path by refusing to submit without an email.

The drift is purely at the OL client-side gate. No engine substrate change is required to resolve it.

Finding 3 — The drift was not previously surfaced.

Phase 41 (personal-engagement + Companion identity); Phase 48 (Operator sign-in shipped); Phase 50 (public form with email field) all touch identity-adjacent surfaces. None of them surfaced the contradiction at scoping, build, or close. The drift shipped silently and accumulated across at least three phases.

The reason: the standing DUNIN7 principle is not named in what-dunin7-is-building, the current-status manifest, any phase scoping note, any CR, or any investigation document. The principle lives in the Operator's head as background knowledge. Phase planning had no document to check against; the OL form's email-required gate went unchallenged at every prior phase close.

3. The architectural finding

Standing DUNIN7 principle (named here for the first time in a Loomworks document).

Email must not be used for identity. Email can be hijacked at the email-provider layer; identity tied to email creates an account-takeover path via password-reset-to-email or equivalent recovery flows. Identity must be tied to a credential the holder controls and cannot be hijacked by gaining access to a different system.

The principle generalizes beyond email — phone numbers (SIM-swap), social-login identifiers (identity-provider compromise), and any externally-controlled identifier carry the same hijack vector. The DUNIN7-correct identity model is WebAuthn passkey or equivalent high-assurance credential where the credential itself is the identity and there is no email-keyed recovery path.

The principle is correctly embodied in the engine. WebAuthn passkey identity; credential_id lookup at /auth/login/complete; email-as-optional-hint not email-as-identity. The engine's data model has no identity dependency on email.

The contradiction is at the OL signin form's client-side gate only. IdentifierStep.tsx:31 requires email input where the engine doesn't. The fix is a one-line edit: remove the empty-email guard, or omit the email field from the POST body when empty so the engine receives {} and runs the discoverable-credential path.

4. Methodology candidates surfaced

Two candidates new at this halt-surface note. Carry to v0.42 manifest absorption and v0.21 methodology consolidation.

Candidate A — engine-correct-surface-drifted. Single-instance evidence at this halt. The engine's data model correctly implements a standing principle. The Operator Layer surface added a client-side requirement that contradicts the engine contract. The drift happened at OL surface design time, not at engine architecture time; the drift was not caught at any prior phase close (Phase 41/48/50 all shipped surfaces adjacent to identity without surfacing the contradiction). Generalizes to: surface implementations can drift from their underlying contract; surface-vs-contract audits catch this; the audit needs a trigger. The trigger at this instance was the first real-Operator usage event.

Candidate B — standing-principle-not-named-in-source-of-truth-documents-allows-contradicting-surface-to-ship. Single-instance evidence at this halt. The standing DUNIN7 principle existed in the Operator's head as background knowledge but was not named in what-dunin7-is-building, the current-status manifest, any phase scoping note, any CR, or any investigation document. Three phases (41/48/50) made identity-adjacent surface decisions without the principle being a checkable document constraint. Generalizes to: DUNIN7 principles that aren't written down can't be enforced by phase planning; they surface as findings during usage events rather than at scoping time. The remediation is to surface the principle in a permanent document — almost certainly what-dunin7-is-building at v0.21 consolidation — so future phase planning has a checkable reference.

Candidate C — reserved-slot-pattern-was-structural-because-scoping-caught-everything-until-it-didn't. Adjacent observation. The seven-consecutive-phase reserved-slot-unconsumed pattern (Phases 50–56) was interpreted at manifest v0.41 §1 as "the pattern is now strong enough to be considered structural rather than coincidental." Phase 57 is the first phase to consume a reserved slot — and consumes it for exactly the reason the discipline anticipates: a real-Operator usage event surfaced a finding scoping couldn't anticipate. The reserved-slot pattern's value is not its consumption count; it is its presence. Phase 57 demonstrates the discipline firing as designed.

Real-Operator-evidence-and-persona-projection-contrast pattern — second concrete instance. Phase 57 v0.1 scoping anticipated this pattern would produce its first concrete instance via real-Operator transcript fixture vs. persona fixtures. The pattern has produced its first concrete instance earlier than anticipated — at Step 2 entry, before the usage event begins, in the form of this halt-surface note. Personas conformed to the OL form's email requirement; a real Operator carrying the standing principle as background knowledge surfaced the drift before the conversation began. The contrast surfaces what personas miss; what personas missed here was the standing-principle background.

5. What the amendment scope is

The amendment-scoping chat resolves the following:

Settled at this halt-surface note (do not re-litigate at amendment scoping):

• The fix is at OL IdentifierStep.tsx:31 (and possibly the adjacent signin-flow.ts:42 POST body construction). Engine substrate is correct; no engine change required.
• The fix is small: one client-side gate removed; possibly one line in the POST body to omit the email field when empty.
• Phase 57's scope shifts from "zero OL substrate changes" to "one OL substrate change" — a Sub-arc 1e or Sub-arc 4 (CR amendment-scoping decides which).
• Phase 57's deliverables (engagement live + real-Operator transcript + observation capture) are preserved; the fix lands before Step 2 resumes.
• The standing principle is filed for v0.21 consolidation — naming in what-dunin7-is-building is downstream work, not Phase 57 scope.

Open at amendment scoping:

• Exact fix shape. Remove the empty-email guard entirely (most consistent with engine contract — engine accepts email: None)? Or keep the field as optional with a "use passkey only" affordance + helper text? The first is smallest; the second is more discoverable for Operators who don't know about discoverable-credential flow.
• OL test surface. One vitest covering the new flow (empty email submit; passkey challenge proceeds)? Two (with-email; without-email)? Zero (relying on the existing 149 + the live exercise at Step 2)?
• What other OL surfaces have the same drift? The signin form is the entry point but the principle may apply to sign-up too. Worth a quick OL-side audit at amendment scoping — read every form that accepts email; check whether any treat it as required-for-identity. If any do, amendment scope widens; if none do, scope stays narrow.
• Public marketing form. Phase 51 shipped a public form that takes email + jurisdiction for grant requests. Does that form treat email as identity? Probably not (the form-submission Memory event carries the email as contact metadata; the grant flows through Companion-as-Authority approval, not through email-keyed auth). Worth confirming at amendment scoping but probably out of scope.
• CR version. phase-57-cr-marketing-engagement-creation-v0_2.md — version bump captures the amendment. Original v0_1 carried forward as superseded.
• Sub-arc placement. Add as Sub-arc 1e (OL substrate addition) OR as a new Sub-arc 4 (OL surface alignment with engine contract). Amendment-scoping picks.
• Test count update. CR §16 prediction was 149 OL vitest unchanged. Amendment shifts to 149–150 depending on test surface decision.
• Acceptance gate update. CR §12 gate 5 currently says "Live OL stack ready... lint/tsc/build/test clean on OL." Amendment adds a gate around the signin path correctness.
• Carry-forward. Methodology candidates A + B filed; remediation actions for B (name the principle in what-dunin7-is-building) carry to v0.21.
• Reserved-slot consumption. Phase 57 Step 6 (reserved buffer) is consumed by this amendment. First consumed reserved slot since Phase 49. Worth naming explicitly.

6. State at halt

Engine repo DUNIN7/loomworks-engine:

• Branch: phase-57-marketing-engagement-creation at a00f4a3 (CR archive commit + Field 6 substrate commit).
• Tests: 2,280 always-run passed, 32 skipped (1 always-run + 2 calibration-gated added at Step 1; Δ matches CR §16 within the +1-to-+2 range).
• Alembic head: 0064 unchanged.
• Working tree: clean.
• Step 0 findings file: present on branch at docs/phase-impl-notes/phase-57-step-0-findings-v0_1.md.
• Step 1 substrate file: present at prompts/intent_instructions/create_engagement/additional_assertions.md.
• This halt-surface note: to be filed at docs/phase-impl-notes/phase-57-halt-surface-2026-05-12-v0_1.md after Operator approval.

Operator Layer repo DUNIN7/loomworks:

• Branch: phase-57-marketing-engagement-creation at 2cc0ebc (= Phase 56 commit; no Phase 57 changes yet — the amendment changes this).
• Tests: 149 vitest passed; 11 prerendered routes; lint/tsc/build clean.
• Working tree: clean.

Local stack:

• Engine API up on :8000; /healthz returns 200; DB reachable; administrative_engagement_present.
• OL dev server up on :3001; banner revision present at ChatView.tsx:254.
• CORS resolved (LOOMWORKS_ENV=development added to local .env per the earlier local-stack-readiness friction).
• Marvin's Person row exists in the dev DB (signup completed previously); passkey credential registered.

No mid-build commits to amend or revert. Phase 57 Step 1 substrate is correct and stays. Step 2 paused at signin attempt; no Discovery record created; no Memory event written; no engagement created.

7. What happens next

1. Operator reviews this halt-surface note. Confirms the architectural finding is correctly captured; confirms the amendment-scope framing in §5.
2. CC files this halt-surface note at docs/phase-impl-notes/phase-57-halt-surface-2026-05-12-v0_1.md on the phase-57-marketing-engagement-creation branch in the engine repo. Commit message: Phase 57 halt-surface: OL signin email gate contradicts engine identity contract.
3. Operator opens a fresh Claude.ai chat for amendment scoping. Project knowledge: this halt-surface note + CR-2026-090 v0_1 + the Phase 57 scoping note v0_2 + the Phase 57 CR drafting handoff v0_1 + current-status manifest v0_41.
4. Amendment scoping produces phase-57-cr-amendment-handoff-v0_1.md (analogous to the CR drafting handoff shape; smaller scope because the change is one-line-plus-test) which kicks off CR amendment drafting in a subsequent fresh chat (or compressed-analog in the same chat, per Phase 53/54 precedent).
5. CR amendment drafting produces phase-57-cr-marketing-engagement-creation-v0_2.md with the OL fix included as a new sub-arc.
6. CC applies the amendment on phase-57-marketing-engagement-creation branch: OL IdentifierStep.tsx:31 fix + any test additions.
7. Phase 57 build resumes at Step 2 with the fixed signin path. Marvin retries signin; passkey flow completes; /operator/create-engagement renders; marketing engagement creation conversation proceeds.
8. Step 3 + Step 4 + Step 5 close per CR §10 with the amendment-revised CR v0_2.

8. Discovery-record posture preservation

For v0.42 manifest absorption and any future trajectory reconstruction.

Position 1 (Phase 57 scoping v0.1 → v0.2 → CR-2026-090 v0_1). Phase 57 anticipated zero OL substrate changes. The CR explicitly named this at §16 test count predictions (OL vitest: 149 unchanged) and §6 (What Phase 57 does NOT deliver, no OL changes).

Position 2 (Step 2 entry, pre-halt). Local stack readiness friction surfaced (CORS preflight 405 on OL :3001 → engine :8000). Resolved with LOOMWORKS_ENV=development added to local .env. Acceptance gate 5 (live OL stack ready) appeared met. Step 2 ready to begin. Note: gate 5 was met at the infrastructure layer but not yet validated at the architectural layer; the architectural validation happened when the Operator looked at the signin surface.

Position 3 (this halt-surface note). Architectural finding: OL signin form's required-email gate contradicts the standing DUNIN7 principle (email must not be used for identity) and contradicts the engine's identity contract (WebAuthn passkey + discoverable-credential flow; email optional). Phase 57 halts at Step 2 entry. Amendment scope: one-line OL fix + possibly one test + carry-forward of methodology candidates A + B to v0.21 consolidation.

The three positions are preserved. Position 1 (no OL changes anticipated) is not erased by Position 3 (one OL change required). It is corrected. The correction surfaced via the substrate-friction-discipline-pattern firing as designed.

9. What this halt-surface note does NOT do

• Does not pre-decide the exact fix shape. Amendment scoping settles whether the empty-email guard is removed entirely, or kept with a "use passkey only" affordance + helper text, or some other shape.
• Does not pre-decide the test surface. Amendment scoping settles whether zero, one, or two new OL vitest land.
• Does not pre-decide the sub-arc placement. Amendment scoping settles whether the fix lands as Sub-arc 1e (extension of Field 6 work) or Sub-arc 4 (new OL surface alignment).
• Does not draft what-dunin7-is-building v0.21 absorption. That is downstream work informed by Phase 57's two methodology candidates (A + B) plus other accumulated candidates. Phase 57 carries the candidates; v0.21 consolidates them.
• Does not audit Phase 41/48/50 surfaces beyond the signin entry point. Amendment scoping decides whether a broader OL-side audit is in Phase 57's amended scope or carries to a separate Phase 58+ surface-vs-contract-audit phase.
• Does not name the standing principle in what-dunin7-is-building directly. That's v0.21 consolidation work. The principle is named here in §3 for the first-time-in-a-Loomworks-document record; the canonical naming happens at v0.21.

DUNIN7 — Done In Seven LLC — Miami, Florida Loomworks Phase 57 Halt-surface — OL signin email gate contradicts engine identity contract — v0.1 — 2026-05-12