Summary
In the current Anchor design, the constitution.anchor → mitigation.anchor mapping layer is necessarily hand-authored. This creates a brittleness point: completeness depends on how exhaustively risks are translated into executable rule forms.
I would like to propose introducing a minimal, typed primitive vocabulary as an intermediate layer between risk statements and mitigation logic.
The goal is not to expand scope, but to make the mapping layer more structurally decomposable and lintable.
1. Minimal Primitive Vocabulary (Illustrative)
A constrained, typed set such as:
- ACTION – the operation being performed
- OBJECT – the resource or entity affected
- CONTEXT – environmental or conditional qualifiers
- AUTHORITY – who/what is permitted to perform the action
- FLOW – data or control movement semantics
Each risk statement would be decomposed into these fields before mitigation mapping.
This creates a structured representation that is:
- machine-parseable
- lintable for completeness
- composable into mitigation rules
2. Worked Example (RI-24 – illustrative)
Assume a risk statement similar in shape to:
"Unrestricted modification of governance configuration by unauthorised actors."
A primitive decomposition might look like:
- ACTION: modify
- OBJECT: governance_configuration
- AUTHORITY: unauthorised_actor
- CONTEXT: unrestricted
- FLOW: direct_mutation
From here, mitigation surfaces become derivable:
- Static rule: detect writes to governance configuration objects
- Authority check: verify role/permission binding
- Flow constraint: disallow mutation outside approved pathways
This does not require expanding Anchor's threat model scope — it clarifies the semantic layer above it.
3. Benefits to Anchor
-
Deterministic mapping surface
Risk-to-rule derivation becomes structured rather than narrative.
-
Lintable governance statements
Risk entries can be checked for decomposability into primitives.
-
Reduced hand-authored fragility
Mitigation patterns derive from typed fields rather than ad hoc phrasing.
-
Compatibility with static + runtime engines
The same primitive layer can inform AST analysis and future runtime interceptors.
4. Implementation Sketch (Non-Prescriptive)
- Add a structured grammar layer in
constitution.anchor
- Validate entries against required primitive fields
- Derive mitigation scaffolds from primitive semantics
- Keep mitigation.anchor focused on executable patterns
This can remain minimal and incremental — no redesign required.
If helpful, I can open a follow-up with:
- a concrete minimal primitive schema,
- a single RI-24 end-to-end decomposition example,
- and a deterministic derivation sketch into mitigation patterns.
Interested in feedback before drafting that.
Summary
In the current Anchor design, the
constitution.anchor → mitigation.anchormapping layer is necessarily hand-authored. This creates a brittleness point: completeness depends on how exhaustively risks are translated into executable rule forms.I would like to propose introducing a minimal, typed primitive vocabulary as an intermediate layer between risk statements and mitigation logic.
The goal is not to expand scope, but to make the mapping layer more structurally decomposable and lintable.
1. Minimal Primitive Vocabulary (Illustrative)
A constrained, typed set such as:
Each risk statement would be decomposed into these fields before mitigation mapping.
This creates a structured representation that is:
2. Worked Example (RI-24 – illustrative)
Assume a risk statement similar in shape to:
A primitive decomposition might look like:
From here, mitigation surfaces become derivable:
This does not require expanding Anchor's threat model scope — it clarifies the semantic layer above it.
3. Benefits to Anchor
Deterministic mapping surface
Risk-to-rule derivation becomes structured rather than narrative.
Lintable governance statements
Risk entries can be checked for decomposability into primitives.
Reduced hand-authored fragility
Mitigation patterns derive from typed fields rather than ad hoc phrasing.
Compatibility with static + runtime engines
The same primitive layer can inform AST analysis and future runtime interceptors.
4. Implementation Sketch (Non-Prescriptive)
constitution.anchorThis can remain minimal and incremental — no redesign required.
If helpful, I can open a follow-up with:
Interested in feedback before drafting that.