Architecture Decision Record

0005. The revocation model

Date: design phase
Status: Accepted

Context

Revocation is the one identity primitive that genuinely fights edge-statelessness, and the constitution (ADR-0001) named it a first-class obligation rather than leaving it to be discovered. It is monotonic — once revoked, a credential stays revoked — which is simple and grow-only-set-shaped; correctness is never the hard part. The hard part is propagation latency: a revocation must become visible fast, and the naive way to guarantee that (read the authoritative set on every verification) is exactly the hot-path core read the constitution forbids (rule 1).

So the design problem is precisely: revoke promptly without putting a core read on the verification path. This ADR fixes the mechanism, because it determines Vord's whole consistency posture and is tightly coupled to the token format (ADR-0003).

Decision

  1. Short-TTL-dominant. Access tokens are minutes-scale, so for the common case revocation reduces to waiting for expiry. This keeps the large majority of revocations off any propagation path at all — the cheapest possible answer for the common case.

  2. Signed status list for "kill now". For revocations that must take effect within a bounded window before expiry, a signed Token Status List (the IETF draft) is published and cached at the edge. The verifier consults it locally — it is itself a signed, verifiable artifact, not a core read — refreshed on a short interval.

  3. Urgent propagation over NATS. Genuinely urgent revocations are pushed to edge nodes over NATS (already present in the Wyrd stack for L3 replication), with Wyrd's watch hook (reserved Wyrd ADR-0007, fan-out kept uncapped per Wyrd ADR-0018) as the durable backstop and source of truth.

  4. The authoritative set is core-resident but never hot-path-read. The strongly-consistent core holds the authoritative revocation set — freshness-critical revocation is one of the irreducible facts constitution rule 2 permits there — but the status list and the NATS stream are derived projections of it (a CQRS-shaped relationship). Verification reads the projections, never the source.

  5. Freshness budget is a target, shape fixed. "Urgent revocation visible at all edges within N seconds" is a budget set during implementation; the mechanism above is fixed now (the same pattern as Wyrd's quality scenarios — numbers later, shape now).
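The verification path that decisions 1, 2 and 4 describe, as an added illustration that is not Vord's code: expiry is checked first, then a locally cached signed status list is consulted, and the core is never read. The HMAC key, the JSON envelope, the bit packing (one bit per token index, least-significant bit first) and the fail-closed policy for a list older than the freshness budget are all assumptions for the example; the real artifact would follow the IETF Token Status List draft and its signature scheme.

```python
import base64, hashlib, hmac, json, zlib

# Constructed demo key: stands in for the status-list issuer's signing key.
KEY = b"demo-status-list-key"


def sign_status_list(bits: bytes, issued_at: int) -> dict:
    """Publish a signed status list: one bit per token index, 1 = revoked.
    The bit array is zlib-compressed and base64url-encoded, then signed."""
    body = {"iat": issued_at,
            "lst": base64.urlsafe_b64encode(zlib.compress(bytes(bits))).decode()}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(KEY, payload, hashlib.sha256).hexdigest()}


class EdgeVerifier:
    """Edge-side verifier: holds a cached projection, never reads the core."""

    def __init__(self, max_list_age: int):
        self.max_list_age = max_list_age  # the freshness budget (N seconds)
        self.cached = None                # (bit array, issued_at)

    def refresh(self, signed: dict) -> bool:
        """Install a new list, whether it arrived on the refresh interval or
        was pushed urgently; reject anything whose signature does not verify."""
        expect = hmac.new(KEY, signed["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, signed["sig"]):
            return False
        body = json.loads(signed["payload"])
        bits = zlib.decompress(base64.urlsafe_b64decode(body["lst"]))
        self.cached = (bits, body["iat"])
        return True

    def verify(self, token: dict, now: int) -> str:
        # Decision 1: the common case is settled by expiry alone.
        if now >= token["exp"]:
            return "expired"
        # Assumption: a list older than the budget fails closed rather than
        # silently serving a stale projection.
        if self.cached is None or now - self.cached[1] > self.max_list_age:
            return "stale-list"
        bits, _ = self.cached
        idx = token["status_idx"]
        if idx >= len(bits) * 8:
            return "stale-list"      # index not covered by this list version
        if (bits[idx // 8] >> (idx % 8)) & 1:
            return "revoked"
        return "ok"
```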

Consequences

  • The verification path never reads the core for revocation: short TTLs and the cached status list carry it, so constitution rule 1 holds even for the primitive that most threatens it.
  • "Kill now" is bounded, not instantaneous, and the bound is a stated budget — the honest tradeoff of freshness latency against hot-path independence, named rather than hidden.
  • Revocation correctness stays trivial (monotonic, grow-only); all the engineering is in propagation latency, which is now explicit and measurable (a durability-plane signal — revocation lag — worth instrumenting, the Vord analog of Wyrd's time-to-repair).
  • The model is coupled to the token format (ADR-0003): short TTL is a token parameter and the status list is a credential-format artifact, so the two ADRs move together.