What this records. A destination. Loomworks will treat confidentiality posture — how strongly an engagement's content is protected from DUNIN7 itself — as a declared property carried by the Engagement, governed by its Operator. The engine reads the posture and behaves accordingly. The posture names a rung on a protection ladder. The strongest practical rung releases a customer-held key only into an attested hardware enclave, so DUNIN7 is structurally unable to read the content outside that seal — a cryptographically provable fact, not a promise.
Why it matters. It turns "which single protection do we build for the whole platform" into "each engagement declares the protection it needs, and the engine honors it." One engine serves an ordinary coaching engagement and a privilege-sensitive legal engagement without being two products. And it anchors the strongest claim to a structural property — key absence plus hardware attestation — because structural properties are the only ones that survive a decade of adversaries getting smarter.
Settled here. That posture is a declared, enforced, engagement-carried property; orthogonal to the access axis; bounded by the UUID-identity invariant; that the destination is the enclave-with-customer-key rung; that enforcement-by-key-absence is non-negotiable and designed before any protective rung ships.
Not settled here. The build of any rung; the enclave platform; the precise Companion degradation per rung; the seed addition (deferred). All downstream.
Confidentiality posture is a property an Engagement declares and the engine honors. It answers: how strongly is this engagement's content protected from DUNIN7 itself? Set per-Engagement, governed by the Operator in their per-engagement capacity.
A correction recorded rather than smoothed: the property was first described as "a property of an Operator and by extension Engagement." The seed check resolved it — the load-bearing locus is the Engagement; the Operator governs, the Engagement carries. (See §3, Resolution 1.)
The posture names a rung. The rungs stack — they are not a one-time menu. The engine honors whichever rung an Engagement declares; rungs are built in order as demand pulls.
The destination is Rung 2. The highest rung that preserves the server-side Companion — Loomworks's actual product — while making confidentiality a structural, attestable fact rather than a promise. Rung 3 exists for the absolute-exclusion buyer; the property lets each Engagement choose its rung rather than forcing the platform to pick one.
Rung 0 — none, no content protection beyond access control — is a permanent, first-class, frictionlessly-selectable rung, not a deprecated fallback. An Operator may declare Rung 0 for any engagement, without justification, on equal footing with every other rung. An Operator who runs ordinary, non-sensitive engagements and never wants content encryption is making a valid choice, not a negligent one.
Recorded explicitly because the failure mode is real: a future "secure-by-default" drift could quietly demote Rung 0 to a grayed-out "unprotected (not recommended)" option carrying friction or a justification burden. That would violate the property's own logic — the posture is the Operator's declared choice per engagement, and Rung 0 is a legitimate value of it — and the seed's "only show what is available" rule, which means Rung 0 appears as a clean, selectable posture, not a discouraged one. Rung 0 stays first-class.
The seed is silent on confidentiality-as-an-engagement-property, key custody, content protection, and inheritance grammar — by its own line-15 rule the comprehensive specification governs, making this property net-new architecture, not an amendment to a settled commitment. But the seed is not silent on three binds:
open / restricted (via OVA ACL) / private. Confidentiality posture is a how-protected axis, independent of who-can-reach. An Engagement can be private and Rung 2 together. The posture must not be folded into the access modes as a fourth value — a category error.Confidentiality posture is scope-kind-aware in its design. Not every scope kind carries the same default: domain scopes — shared bodies of practice referenced across engagements — are open-by-nature reference knowledge, not sensitive, and so default to Rung 0 (none). Encrypting a domain's body of practice would protect something meant to be shared and fight its purpose. This mirrors the seed's existing access-axis intent, where domain scopes default to open while engagements default to private — "different scope kinds, different defaults."
The default is a default, not a mandate: a domain carrying something genuinely proprietary — a bespoke methodology, or a practitioner's encoded method/vertical sold as the product — may declare a higher posture, exactly as a domain may be restricted on the access axis. So "domain knowledge needs no protection" is the correct everyday case, not a hard rule. (This matters for the method-as-product line: a sold vertical is domain-shaped knowledge that is also the thing being sold, and may want protection.)
Posture travels with the scope that owns the content, and references are non-transitive: an engagement at Rung 2 that references an open Rung 0 domain keeps its own content sealed — the reference is read-only and one-directional, the two postures do not mix. An engagement's protection is not weakened by reading from an open domain.
This is a forward commitment, not a description of current state. A scope-model inspection (engine HEAD 7159870) confirmed the engagement is the only Memory scope that exists in code. Domain, team, role, jurisdiction are not built as Memory scopes; the engagement→domain reference relation is not built; access-default-by-scope-kind is not built (a single per-engagement visibility column exists for dashboard filtering, no OVA/ACL enforcement); organizations exist only as an auth-policy/membership object, not a content scope. So today posture has only the engagement to attach to — landing as a column beside visibility, Operator-governed per-engagement, consistent with the founder-authority finding that Operator governance is engagement-scoped. The seed's own per-scope-kind access defaulting is equally unbuilt; the posture's per-scope-kind defaulting and the access axis land together, when the scope model gains domain (and the other kinds) as first-class. Until then: the engagement is where posture lives, Rung 0 is its de-facto current state, and "domain scopes default to Rung 0" is honored when domain becomes a first-class scope — designed-for now, built later.
A posture the engine merely describes — a flag consulted politely while a path to the plaintext remains — is worse than no posture, because it manufactures false confidence. For any rung above 0 the posture must be load-bearing: the engine structurally unable to read the content, because the key genuinely is not there (Rung 3) or is present only inside the attested seal (Rung 2). The flag's truth is enforced by the absence of the key, not by code that promises to behave.
Consequence for sequencing: before any protective rung ships, the engine's inability to read protected content must be testable and attestable. The customer receives cryptographic proof — enclave attestation at Rung 2, the structural impossibility of decryption at Rung 3 — not DUNIN7's assurance. Enforcement is designed and proven first; the rung is built on it, never the reverse. This is the line that converts "we did our best" into "we cannot betray you even under compulsion."
payload is a whole-object serialization duplicating identity and provenance held in dedicated columns, and free-text content may name people. The identity spine is separable (a refactor); the content payload re-embeds identity and is not identity-clean. This is why tokenization alone does not de-identify content, and why the enclave rungs — which protect content as content — are the correct answer for self-identifying domains.The residual at every rung is the authorized human. The destination accepts this by making the posture the customer's declared choice, not by pretending a rung dissolves it.
Only Rung 0 exists, and not even hardened — content is plaintext at rest, only secrets encrypted under one static key. Stand only on: per-engagement isolation, no training, no sharing, access control, encrypted secrets, TLS in transit. Do not claim content encryption at rest, customer-held keys, "DUNIN7 cannot read your content," or de-identification until the corresponding rung is built and its enforcement proven.
The order is the resolution: the property is the frame (settled); enforcement is the foundation (non-negotiable, first); rungs are built upward as demand pulls; the strongest practical rung that keeps the Companion is the destination.