Architecture Decision Record

0002. Rust as the implementation language

Date: design phase
Status: Accepted

Context

Vord's components need a language. The decision is shaped, more than Wyrd's was, by commitments already made rather than being an open contest:

  • Vord consumes Wyrd through its traits and reserved hooks (ADR-0001 rule 4; Wyrd ADR-0018). Wyrd is Rust; its MetadataStore / Coordination / commit-point seams and its thick-client logic are Rust. A different language would turn in-process trait composition into an FFI or network integration for what is essentially coordination.
  • The constitution requires the edge-independence property to be mechanically testable (ADR-0001 consequences). This is the deterministic-simulation-testing argument of Wyrd ADR-0009: the Rust ecosystem (madsim / turmoil) leads here, and the approach is near-impossible to retrofit, because components must be written against abstract time / network traits from day one.
  • Vord's hot path is cryptographic verification — signature checks, token parsing, constant-time comparison. Bugs there are silent security failures, not crashes: the exact class Rust's type system and memory safety most reduce, and where the Rust crypto / identity ecosystem (rustls, RustCrypto, webauthn-rs, biscuit) has real depth. No-GC tail latency also matters more on an auth hot path than in storage.

Decision

Implement all Vord-authored components in Rust, for v1.

Adopted third-party engines are not required to be Rust. Where Vord consumes an off-the-shelf engine for a hard, well-solved primitive — notably the authorization / relationship engine (ADR-0006) — that engine runs behind a Vord trait and is reached as a service, exactly as Wyrd consumes etcd (Wyrd ADR-0006). "Vord is Rust" governs what Vord writes, not what it depends on.

Consequences

  • Same-language, trait-level composition with Wyrd: the dependency is a seam, not an integration project.
  • The constitution's edge-independence check can be a seed-reproducible simulation (Wyrd ADR-0009), so "has the design re-monolithized?" stays a mechanical test.
  • Memory safety and no-GC latency in the verification hot path, where bugs are silent and security-relevant.
  • Smaller drive-by-contributor pool and a steeper on-ramp — Wyrd ADR-0004's accepted cost, mitigated the same way: good onboarding docs and good-first-issues in non-hot-path crates.
  • An adopted engine in another language (e.g. a Go Zanzibar service behind the Authorizer trait) is explicitly fine; that is a composition choice, not a language compromise.
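
Added example (not code from Vord or Wyrd, and not using madsim or turmoil): a verifier written against an injected clock and replayed from a seed, to show what "written against abstract time traits" and "seed-reproducible" mean in practice. The names Clock, SimClock, Token, verify and simulate are hypothetical, and the fixed tag is a constructed stand-in for a real MAC or signature.

```rust
use std::cell::Cell;

/// Abstract time seam (hypothetical name): components never read the system clock.
pub trait Clock { fn now_secs(&self) -> u64; }

/// Simulated clock stepped by a seeded xorshift64 PRNG: same seed, same run.
pub struct SimClock { now: Cell<u64>, rng: Cell<u64> }
impl SimClock {
    pub fn new(seed: u64, start: u64) -> Self {
        SimClock { now: Cell::new(start), rng: Cell::new(seed | 1) } // state must be non-zero
    }
    /// Advance by a pseudo-random 1..=max_step seconds (max_step > 0).
    pub fn tick(&self, max_step: u64) {
        let mut x = self.rng.get();
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;
        self.rng.set(x);
        self.now.set(self.now.get() + 1 + x % max_step);
    }
}
impl Clock for SimClock { fn now_secs(&self) -> u64 { self.now.get() } }

/// No early exit on the first differing byte. Illustrative; production code uses a vetted crate such as `subtle`.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Verdict { Ok, Expired, BadTag }
pub struct Token<'a> { pub expires_at: u64, pub tag: &'a [u8] }

/// Tag check first, then expiry against the injected clock.
pub fn verify<C: Clock>(clock: &C, expected_tag: &[u8], t: &Token<'_>) -> Verdict {
    if !ct_eq(expected_tag, t.tag) { return Verdict::BadTag; }
    if clock.now_secs() >= t.expires_at { Verdict::Expired } else { Verdict::Ok }
}

/// Replay one run from a seed: verify, tick, repeat until expiry. Returns (time, verdict) pairs.
pub fn simulate(seed: u64) -> Vec<(u64, Verdict)> {
    let clock = SimClock::new(seed, 1_000);
    let tag = [0xA5u8; 32]; // constructed sample tag, stands in for a real MAC
    let token = Token { expires_at: 1_300, tag: &tag };
    let mut trace = Vec::new();
    loop {
        let v = verify(&clock, &tag, &token);
        trace.push((clock.now_secs(), v));
        if v == Verdict::Expired { return trace; }
        clock.tick(60);
    }
}
fn main() { println!("{:?}", simulate(7)); }
```

Had verify called the system clock directly, the trace would differ on every run and a failing schedule could not be replayed from its seed.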