Version. 0.2
Date. 2026-06-03
Provenance. Operator (Marvin Percival) direction, 2026-06-03. Surfaced by the engine API parity audit's sharpest finding (the in-process WebAuthn-commit bypass). The principle is the Operator's.
Status. Settled principle of the engine boundary-enforcement project. A constraint on how the brain-as-client work and the API contract are built. Candidate for absorption into the methodology / architecture spec at the next consolidation.
Changes from v0.1 (committed at b7f7809). Adds the step-up re-authentication + freshness-window mechanism (new section below): weighty actions require a fresh WebAuthn presence-proof within a configurable window (default 15 min), a valid standing session alone is not sufficient, the window is a system setting (engine config) not hardcoded, changeable only by an authorized user — and changing it is itself a weighty action subject to step-up (who is "authorized to change it" is a flagged open sub-decision), individual weighty actions may later override to always-confirm, and this applies to all callers including the in-process brain. v0.1's content carried forward unchanged.
Parent principle. Derives from standing-notes/loomworks-standing-note-engine-wrapper-boundary-v0_1.md — "the engine must survive any wrapper." This note applies that to authentication specifically.
Cross-links. investigations/loomworks-engine-api-parity-audit-v0_1.md (the finding this closes); planning/loomworks-engine-boundary-enforcement-plan-v0_1.md (the project this constrains); recorded in planning/loomworks-master-build-plan-v0_2.md (P5 + C2).
The engine enforces authentication, not the wrapper.
Any wrapper — the Companion or any other — can be built to skip authentication. So wrapper-side authentication proves nothing: it is a claim the engine cannot trust. Therefore the engine must, at its own boundary, refuse weighty actions unless the call carries verifiable proof of an authenticated user's presence — proof the engine itself checks, not a flag it is handed.
Concretely:
commit_engagement, gated today by the WebAuthn ceremony — is the exemplar: it requires a WebAuthn assertion the engine verifies, and the engine will not act without it. The proof is cryptographic and user-bound; a wrapper cannot fabricate or skip it.The concrete realization of the principle. Two tiers of credential, enforced by the engine on every call:
commit_engagement / the WebAuthn ceremony) only if the caller has proven presence — a fresh WebAuthn assertion — within a freshness window. A valid standing session alone is NOT sufficient for these actions.The freshness window:
This applies to ALL callers, including the in-process brain. The brain cannot commit on a stale session: it must carry a fresh presence-proof within the window, exactly as any external wrapper must. The engine checks freshness at its own boundary; co-residence grants no exemption. (This is why the step-up rule is the concrete mechanism behind closing the in-process WebAuthn-commit bypass — see "What it closes.")
This section states what the mechanism must satisfy (the freshness contract and where the setting lives), not its implementation — token/assertion format, where the last-proof timestamp is recorded, and the exact challenge flow are design, deferred to the build.
The parity audit's sharpest finding: today the Companion's brain commits engagements in-process, bypassing the WebAuthn ceremony, because it is a co-resident insider — _route_finalize_project calls commit_engagement core directly, while the only HTTP path (POST /engagements/{id}/instantiate) enforces WebAuthn. Under this principle, no caller — insider or not — can do that. The fix is not to trust the brain to authenticate; it is that the engine refuses to commit without the verifiable proof (a presence-proof fresh within the window), so the bypass ceases to exist for anyone. The brain, post-refactor, performs the ceremony like any client — or it cannot commit.
This is the authentication-specific reading of the parent principle. "The engine must survive any wrapper" means the engine cannot assume any property of the wrapper calling it — including that the wrapper authenticated its user honestly. A future wrapper (third-party, or a misbuilt one) could assert "this user is present" with no basis. The only defensible posture is that presence is proven to the engine, at the engine's boundary, by a credential the engine verifies — never asserted by the caller. This is the same shape as the project's "engine verifies, does not decide" stance: the engine verifies the cryptographic fact of authenticated presence (and its freshness); it does not delegate that judgment to the wrapper.
/instantiate already does for commit), and must not offer any insider-only path around it. Closing the in-process bypass (a later increment) means deleting the direct commit_engagement call and routing it through the step-up check, not auth-stubbing it.This principle is settled; it constrains the build. It is not a design of the auth mechanism — it states what any such mechanism must satisfy.
Standing note. No code changed; no auth mechanism designed. Supersedes v0.1 (which remains in the record). Filed in loomworks-record/standing-notes/. Parent: loomworks-standing-note-engine-wrapper-boundary-v0_1.md. Pairs with investigations/loomworks-engine-api-parity-audit-v0_1.md and planning/loomworks-engine-boundary-enforcement-plan-v0_1.md. Recorded in the master build plan's Settled principles list (P5) and under C2.