Context
BSFG exists to preserve durable, replayable boundary history across autonomous zones. That raises a central modeling question: is the boundary substrate authoritative because it stores the current state of cross-zone entities, or because it preserves the fact history from which state can be derived?
This decision affects:
- how replay and recovery work
- whether corrections mutate prior truth or add later truth
- whether consumers can rebuild projections independently
- whether the boundary appliance becomes a stateful application platform
Options Considered
| Option | Description | Benefits | Drawbacks |
|---|---|---|---|
| Mutable current-state store | BSFG keeps the latest state of each subject as the primary authoritative representation. | easy “current view” queries simple mental model for CRUD-oriented users |
history becomes secondary replay and audit reconstruction weaken corrections require overwrite semantics |
| Dual-authority model | Maintain both current mutable state and fact history as equally authoritative. | supports direct read models retains historical data |
two sources of truth reconciliation complexity ambiguous audit posture |
| Projection-owned state only | BSFG retains facts and leaves all current-state materialization to downstream projections. | strong replay story clean separation between transport and interpretation independent projection rebuilds are possible |
clients wanting current state must build or query projections more than one projection may coexist |
| Fact history is authoritative; state is derived (Selected) | BSFG treats retained facts as the authoritative boundary record. Any state view is a derived projection. | maximizes replayability and audit clarity fits append-only retention model keeps BSFG out of application-state ownership allows many projections without changing transport truth |
current-state queries are indirect projection design becomes a downstream responsibility |
Decision
BSFG treats retained fact history as the authoritative boundary truth. Current state is never the primary boundary primitive.
authoritative truth = retained facts
derived state = projection(facts)
Implications:
- facts are append-only
- corrections are represented as later facts, not overwrites
- current-state views are projections owned by downstream systems or read models
- BSFG does not expose “update state” as a boundary operation
State-like predicates such as state_is or status_is are still facts. They are facts about state, not a separate mutable state substrate.
Consequences
Benefits:
- recovery can always rebuild from retained history while the facts remain available
- boundary truth is simple to reason about and audit
- many downstream consumers can derive different views without competing for authority
- BSFG remains a durable transport substrate rather than a business state manager
Tradeoffs:
- systems wanting a fast current-state answer must maintain projections
- operators must learn to distinguish retained truth from materialized views
- projection correctness becomes a downstream engineering concern