Audit record · NexusScholar.Provenance
Provenance
Immutable, digest-verified records of who or what performed an activity, when it occurred, and which stable scientific entities entered and left it.
Purpose and authority boundary
Provenance describes accepted activity; it does not authorize scientific decisions and it is not the Workflow state machine. A human, automation, plugin, system, or import agent can be truthfully recorded without inheriting human authority. Domain owners decide whether the referenced activity and outputs are valid.
A cache, wiki page, embedding index, generated narrative, local path, bundle, or container cannot be submitted as a canonical provenance entity. Projection state may be useful, but it does not replace the scientific records it summarizes.
Key types and event shape
ProvenanceActivitydeclares an activity id/label and whether actor, digested inputs, and digested outputs are required.ProvenanceAgentsupportshuman,automation,plugin,system, andimport.ProvenanceEntityRefcarries canonical kind/id and optional content digest.ProvenanceProtocolBindingandProvenanceWorkflowBindingbind accepted identifiers and digests without making Provenance depend outward on those packages.ResearchEventis the immutable event with actor, activity, UTC timestamp, subject, inputs, outputs, optional bindings, and event digest.ResearchEventFactoryconstructs and validates records.IProvenanceStoreexposes append/read semantics;InMemoryProvenanceStoreis the local reference store.
Source: NexusScholar.Provenance. Contract: ADR 0008.
Canonical identity and append authority
event id + agent + activity + occurred_at + subject
+ ordered inputs/outputs + optional protocol/workflow bindings
↓ DigestEnvelope
scope: provenance-event
schema: nexus.provenance-event / 1.0.0
↓
event digestThe store validates the event and reproduces its digest before append, rejects duplicate event ids, preserves order, and clones records on write/read. Later hardening adds resolver-backed append authority so callers cannot substitute partial actor, binding, or digest dictionaries for the referenced records. Stored collections remain immutable snapshots.
Typical developer flow
- Select a declared activity whose required actor/input/output shape matches the domain action.
- Use stable kind/id/digest entity references; never pass a path as the evidence identity.
- Add exact Protocol and Workflow bindings when the activity occurred under them.
- Create the event with injected clock/ID sources and append through the accepted store/authority boundary.
- Project events outward for audit views; retain the canonical event as the source.
Failure and refusal behavior
Stable categories reject duplicate/default IDs, missing actor, unsupported agent kinds, missing required digested inputs or outputs, noncanonical projection kinds, non-UTC timestamps, invalid Protocol/Workflow bindings, and stale event digests. Rehydration/append authority rejects actor or binding claims that do not resolve to the exact expected record.
Tests, bridges, and nonclaims
ProvenanceTests, FE-01 Provenance tests, and ProvenanceFixtureTests cover creation, immutable append, authority binding, duplicates, and canonical exclusions. Fixtures live under fixtures/conformance/provenance.
Outward bridge packages may deterministically project accepted domain events—such as Workflow Execution transitions—into Provenance. Provenance itself remains Kernel-only. It provides no database, distributed ledger, signature, cryptographic non-repudiation, workflow state, decision authorization, bundle completeness, or guarantee that an external action actually occurred beyond the accepted record.