Maintainer-ratified from the 2026-07-03 review (R1-R3): - ADR-0009: retire "structurally impossible for a 3-vendor stack" post-0007; restate the gate's true guarantees (credential isolation, unskippable mediation, media-plane enforcement, audit co-location). Propagated to README pillar 3, ARCHITECTURE, PORT_PLAN s10; amendment note on ADR-0002. - ADR-0010: insert step 4.5 (benchmark + simulation harness, rutster-sim seed, CI-regressed p50/p99 + kill-time) after barge-in; pull rung-2 escalation ahead of steps 5-6. Spearhead lists updated. - ADR-0004: delete the legally-broken AGPL escape hatch; GPL-3.0-or-later permanent, no CLA; tap protocol/SDKs intended permissive (future ADR). - README: add brain-vendor-direct competitor row (review D2). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_018vNe64BBDkgo5oQVkBa3XF
5.3 KiB
ADR-0009 — Spend/abuse gate: honest re-scope of the structural claim post-0007
- Status: Accepted (maintainer-ratified 2026-07-03)
- Date: 2026-07-03
- Origin: 2026-07-03 adversarial review, finding D4 / recommendation R3.
- Amends: ADR-0002 (pillar table),
README.md(pillar 3),docs/PORT_PLAN.md(§10 toll-fraud row),docs/ARCHITECTURE.md(in-boundary spend/abuse gate bullet)
Context
ADR-0002 promoted the spend/abuse gate to constitutive with the argument: "a runaway brain can't exceed pacing or spend because it doesn't hold the wire — structurally impossible for a 3-vendor stack." Under ADR-0003 (rutster terminates the carrier trunk) that claim was structural: rutster held the wire.
ADR-0007 changed the topology. Under rented transport, rutster does not hold the wire either — the CPaaS does. The gate's mechanism became "rutster holds the provider call-control credential and the brain doesn't," which is an IAM/configuration property, not a structural one:
- Any orchestrator that holds the provider credentials can make the same claim (a Python framework with a spend counter and scoped credentials).
- The CPaaS itself ships spend limits.
- A provider credential scoped too widely, or leaked outside rutster, bypasses the gate entirely — rutster cannot see, let alone stop, provider-API calls it doesn't mediate.
Meanwhile the ADR-0007 architecture is a 3-vendor stack (CPaaS + rutster + brain), making the unamended pillar self-describing. The claim must be narrowed to what is actually true before it is repeated in public-facing material.
Decision
The spend/abuse gate remains FOB and constitutive (ADR-0008: security-constitutive), but its guarantees are restated precisely:
What the gate structurally guarantees (true post-0007):
- Credential isolation — the brain never holds provider credentials. Every call-origination, transfer, or hangup the brain wants happens through rutster's API, where the gate sits. The brain cannot spend through rutster beyond the gate, ever.
- Unskippable on mediated egress — spend/pacing checks are in-process with the tap and the provider call-control client. There is no deployment topology in which brain-initiated actions reach the provider without passing the gate. (Contrast: a bolt-on spend service in a 3-vendor chain can be routed around; an in-boundary gate cannot — for traffic rutster mediates.)
- Media-plane enforcement — pacing, half-duplex, and playout caps are enforced over media rutster terminates. The brain proposes audio; the core disposes. A flooding or overlapping brain is throttled at the playout ring regardless of what it sends.
- Audit co-location — every allowed/denied spend decision is recorded at the same trust boundary that made it, so the audit log and the enforcement point cannot diverge.
What the gate does NOT guarantee (stated so we don't kid ourselves):
- It cannot constrain spend on provider credentials used outside rutster (mis-scoped keys, console access, a second integration holding the same key). Deployment guidance must pair the gate with provider-side caps (defense in depth) and per-integration credential scoping.
- The "structurally impossible for a 3-vendor stack" phrasing is retired. The honest comparative claim: in-boundary co-location makes the gate unskippable for everything rutster mediates, and rutster mediates everything the brain can do — a property a bolt-on spend service cannot offer, but not a physical monopoly on the wire.
Propagation (on acceptance)
| Doc | Change |
|---|---|
| ADR-0002 | Add amendment note to the pillar table pointing here |
README.md pillar 3 |
Replace "doesn't hold the wire — structurally impossible for a 3-vendor stack" with the credential-isolation + unskippable-mediation phrasing |
docs/ARCHITECTURE.md |
Same fix in the "In-boundary spend / abuse gate" bullet |
docs/PORT_PLAN.md §10 |
Same fix in the toll-fraud/spend row |
Consequences
- Positive: the security narrative survives adversarial scrutiny (the previous phrasing invited a one-tweet rebuttal); the gate's real guarantees — credential isolation, unskippable mediation, media-plane throttling, audit co-location — are strong and defensible; deployment guidance gains the provider-side-caps pairing, which operators need anyway.
- Negative: the pitch loses a superlative ("structurally impossible") in exchange for precision; step 6's scope grows slightly (the gate should also meter — per-call cost attribution into the CDR — per the market feature scan F5, since integrator unit economics run on cost-per-contained-call).
References
- ADR-0002 — the pillar this amends
- ADR-0007 — the topology change that invalidated the phrasing
- ADR-0008 — FOB test the gate still passes (security-constitutive)
- Adversarial review 2026-07-03 — finding D4