ADR 0028 — Tier A / Tier B code partition + garble obfuscation policy

  • Status: Accepted (formalized 2026-05-12 with v3.7.0 — partition + garble CI gate shipping)
  • Date: 2026-05-11 (locked), 2026-05-12 (formalized)
  • Deciders: TLSStress.Art project
  • Targets: v3.7.0 and forward — partition is permanent
  • Patent claim family: claim #19 — Tier A/B partition as a verifiable customer-auditable artifact, with the partition itself being a moat
  • Umbrella ADR: 0026

Context

A noncommercial source-available licence is fragile against insider operators. With full read access to every source file, an adversary can:

  • Recompile after stripping licence checks
  • Recompile after disabling DLP egress monitoring
  • Recompile after relaxing the K8s admission webhook
  • Recompile after replacing the canonical encoder with one that produces a different byte order

The classical mitigation is "ship the source for everything and trust legal" — that's how every prior noncommercial-source project has died. The other classical mitigation is "ship binaries only and refuse customer audit" — that's why no Fortune-500 will procure your software.

We need a third path: the customer sees + audits the posture (every layer, every gate, every audit-log writer) but does not see the moat that makes the posture forgery-resistant (canonical encoder, licence checker, the obfuscation policy itself, the crypto envelope construction).

The split has to be:

  • Named — every file is on a list
  • Mechanical — CI enforces the partition
  • Static — once a file is Tier B it stays Tier B (no quiet reclassifications)
  • Verifiable — the customer can hash + re-verify which files shipped open vs which shipped obfuscated

Decision

Adopt a binary partition with CI enforcement:

  • Tier A: Customer-replaceable, open, audit-target. Distroless containers, no obfuscation, source available, third parties can reproduce builds. Roles: enforcement scaffolding, detection probes, audit log surfaces, dashboards, integration glue.

  • Tier B: Moat-closed, garble-obfuscated, never on customer workstation. Native binary only, garble in CI, source not shipped to customer. Roles: canonical encoder, licence-envelope signer, the dashboard's licence-validation kernel, the saturation patterns that anchor patents #18 and #24, DOM transition logic.

Source of truth: platform/ztp-prem/tier-policy.yaml. Every container build job consults the policy and either:

  • Tier A: standard go build + cosign sign + SBOM attest
  • Tier B: garble build + cosign sign + SBOM attest + policy receipt entry

platform/ztp-prem/TIER-B-OBFUSCATION.md documents the garble flags + the threat model + the customer-visible promise ("this binary is obfuscated; here's the policy file that says so; here's the SBOM that proves nothing else changed").

CI gate: the build pipeline refuses to publish a Tier B image unless garble is in the toolchain string and the policy receipt matches.
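
The gate described above, written as an added Go example (not the project's CI code). The Artifact fields, the substring test for garble, and the reading of "receipt matches" as a SHA-256 digest of the policy file are assumptions; the sample policy and toolchain strings are constructed. It also rejects a garbled Tier A build and any artifact missing from the policy, which goes beyond the single rule stated above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Artifact is a hypothetical build record; field names are assumptions,
// not the schema of platform/ztp-prem/tier-policy.yaml.
type Artifact struct {
	Name, Tier    string // Tier is "A" or "B" as resolved from the policy
	Toolchain     string // toolchain string recorded by the build job
	ReceiptDigest string // policy digest recorded in the policy receipt (assumed)
}

// SamplePolicy is constructed policy content, for illustration only.
const SamplePolicy = "encoder: B\ndashboard: A\n"

// PolicyDigest returns the hex SHA-256 of the policy bytes.
func PolicyDigest(policy []byte) string {
	sum := sha256.Sum256(policy)
	return hex.EncodeToString(sum[:])
}

// Gate returns nil only when the artifact may be published.
func Gate(a Artifact, policy []byte) error {
	garbled := strings.Contains(a.Toolchain, "garble")
	switch a.Tier {
	case "A":
		if garbled { // Tier A promises "no obfuscation"
			return errors.New(a.Name + ": Tier A must not be obfuscated")
		}
		return nil
	case "B":
		if !garbled {
			return errors.New(a.Name + ": Tier B built without garble")
		}
		if a.ReceiptDigest != PolicyDigest(policy) {
			return errors.New(a.Name + ": policy receipt does not match policy")
		}
		return nil
	}
	// Fail closed: an artifact without a tier is never published.
	return errors.New(a.Name + ": not in tier policy, refusing to publish")
}

func main() {
	a := Artifact{Name: "encoder", Tier: "B", Toolchain: "go1.22 garble", ReceiptDigest: "stale"}
	fmt.Println(Gate(a, []byte(SamplePolicy)))
}
```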

Consequences

Pros

  • Open-core narrative is truthful — every Tier A file is inspectable
  • Moat narrative is enforceable — every Tier B file is obfuscated by a CI gate, not by an honor system
  • Customer compliance audit becomes a partition-by-file checklist, not a code crawl
  • Patent claims that anchor specific encoders/algorithms (claims #18, #24) live in Tier B by construction

Cons

  • Two build pipelines forever — added CI complexity
  • Garble bumps occasionally break the obfuscation; CI catches it but engineering cost is real
  • "Tier B forever" rule means a file accidentally landed in Tier A can never be quietly re-classified — needs an ADR + a release note

Reversibility: low. The partition is part of the customer contract. Moving a Tier A file to Tier B requires a public ADR (here) plus a notice to the customer base. Moving a Tier B file to Tier A is operationally free but releases the moat.


Last verified against shipping code: v3.7.0 (2026-05-12).