Vord

Architecture Decision Record

0001. Project name (Vord), component scheme, and founding constitution

Date: design phase Status: Accepted

Context

Vord is the identity system reserved for in Wyrd ADR-0018 — a globally scalable authentication and authorization foundation, built as a separate project that consumes Wyrd through its traits and never modifies Wyrd's core. It begins now, before any implementation. This ADR is its founding record: it fixes the name and component scheme, and — the part that earns an ADR rather than a naming note — it records the one architectural invariant the whole project exists to uphold, before any code can drift away from it.

The motivating history is recorded across the design discussion and Wyrd ADR-0018: identity systems that place all of their state behind a single strongly-consistent store (the Keycloak / Authentik pattern) inherit that store as their scaling ceiling. Hyperscale identity is achieved instead by making the common path stateless cryptographic verification at the edge, and shrinking the strongly-consistent core to the smallest irreducible set of facts. That separation is fragile: every feature has gravity toward a central read, and a hundred such conveniences quietly re-collapse a distributed design into a monolith. The defence is not a technology but a constitution, recorded at the founding and allowed to refuse features.

Decision

Name

The project is Vord, from Old Norse vörðr — a warden or guardian spirit bound to a person from birth and attending them through life; the same Proto-Germanic root (warðu-) as English ward, warden, guard. Where Wyrd is the fate woven around a person, Vord is the guardian bound to that person: the thing that vouches for them, proves them, and follows them across the system. An identity is, precisely, a warden attached to a principal. The two names are one etymological stratum and read as a deliberate pair.

Namespace identity

Following Wyrd ADR-0017's convention, the single-word name is kept everywhere it is spoken; the product-style get- handle appears only in the URL.

  • Project name: Vord
  • Domain: getvord.dev
  • Primary crate: vord-core; additional crates follow vord-*.
  • GitHub org / crate availability: [OPEN] — to be verified before first publish, as Wyrd's was. The get- handle and vord-* crate names mean availability shapes the handle, never vetoes the name.

Component scheme

As in Wyrd ADR-0017, the scheme names the conceptually load-bearing components only; lower-level mechanical parts keep plain descriptive names, and Vord must not become a single "god" component. The figures are drawn from the same Norse mythology, mapped onto the planes established in the design:

  • Vör — the goddess from whom nothing can be concealed; names the verification plane (establishing who a principal truly is: signatures, tokens, and credentials checked at the edge).
  • Forseti — the god whose judgments all parties accept; names the authorization / policy-decision plane.
  • Troth — Old English trēowþ, a sworn pledge of faith (root of both truth and betroth); names the credential / attestation primitive: the signed pledge of identity a holder presents and any party can verify offline.

The scheme is adopted but extensible: further load-bearing components are named under the same discipline as they are designed. Two deliberate non-choices are recorded so they are not relitigated:

  • Syn (the hall-door goddess of denial) was the natural name for the admission / access-decision component, but is rejected for its spoken collision with sync — a word an identity system uses constantly (replica sync, directory sync). The admission component name is [OPEN].
  • Vár (goddess of oaths) was the natural name for the pledge, but is rejected for the same class of reason: its identifier form var is a reserved word across common languages and is unsearchable. Troth is chosen in its place.

The constitution (the binding invariant)

These rules hold for the life of the project. They are why Vord exists as a distinct thing rather than another monolith. Changing any of them is a superseding-ADR event with a deliberately high bar.

  1. Verification never reads the strongly-consistent core on the hot path. The common authentication and authorization path MUST be satisfied by stateless cryptographic verification — signatures, self-contained or attenuable tokens, verifiable credentials — against public material and a clock, not by a read of any shared authoritative store.
  2. The strongly-consistent core holds only the irreducible. Issuance, uniqueness constraints, and freshness-critical revocation are the only facts that justify a strongly-consistent read or write. Everything else is eventually-consistent, cacheable, or edge-local.
  3. Tenant is the shard and isolation boundary. No cross-tenant strongly-consistent read sits on any hot path. The tenant is also the unit of data residency.
  4. Vord consumes Wyrd; it does not alter it. Vord depends on Wyrd's traits and reserved hooks (Wyrd ADR-0018). Any accommodation that makes sense only for Vord lives in Vord's crates, never pushed down into Wyrd's core — mirroring Wyrd ADR-0017's god-component prohibition, applied in the other direction.

Vord adopts Wyrd's documentation discipline by reference: the four document classes (specs / architecture overview / immutable ADRs / proposals), ADRs that are appended and superseded but never edited, and the spec-first posture for any externally-relied-upon format. The token and credential formats are the likely first normative specs, since a non-Vord verifier must honor them — the same "data outlives software" argument as Wyrd's on-disk format.

Consequences

  • The constitution forbids the easy path for whole categories of feature. "Show every active session across all tenants," "search all users globally," and similar conveniences cannot be a central strong read; they must be served from projections, refused, or routed through an explicit slow path. This is the cost, paid on purpose — it is the discipline that keeps the design from re-collapsing into the ceiling described in Context.
  • Revocation must be solved without hot-path core reads — short-lived tokens so revocation tends toward expiry, status lists / bloom filters cached at the edge, and a pub/sub channel for urgent propagation (Wyrd's watch hook as the durable backstop, per Wyrd ADR-0018). This is the hardest primitive and is named here as a first-class obligation rather than discovered later.
  • The constitution is testable: a conformance / property test MUST be able to assert the edge-independence property — that a verification decision completes with the strongly-consistent core unavailable — so "has the design secretly re-monolithized?" is a mechanical check, not a matter of opinion. This mirrors Wyrd's deterministic-simulation discipline for the commit protocol (Wyrd ADR-0009).
  • The name satisfies the Wyrd-sibling test: Germanic root, fitting meaning (a guardian bound to a principal), short and hard-edged, and it pairs with Wyrd in both sound and sense.
  • Open items — the admission-component name, org / crate availability, and whether authorization is a Wyrd trait or wholly internal to Vord (deferred from Wyrd ADR-0018) — are marked [OPEN] and settled in later ADRs as they are decided.
  • This founding record may later be split: if the constitution grows, it graduates to its own dedicated ADR, as Wyrd separated its consistency contract (ADR-0015) from its naming (ADR-0017). For now it is the constitutional core of the founding record, because the name and the invariant were settled together at the founding moment.