Conformance
Conformance is not a checklist of features; it is a set of six invariants a conformant system must satisfy — and that never weaken across spec versions. A system declares a class and proves it against the Six Guarantees.
The Six Guarantees
These are invariants, not features. Each forbids a class of unsafe behavior.
| | Guarantee | Forbids |
|---|---|---|
| G1 | Scoped, default-deny grants | Ambient authority |
| G2 | Two-phase: no direct-write verbs | Fire-and-forget mutation |
| G3 | Out-of-band approval, credential-separated | Self-approval |
| G4 | Idempotency with outcome replay | Duplicate side effects |
| G5 | Budgets before side effects, fail-closed | Spend-then-reconcile |
| G6 | Append-only audit | Unaccountable or silent action |
Two conformance classes
| Class | For | Adds |
|---|---|---|
| Core System | Single-tenant backend | The Six Guarantees |
| NIL-H | Multi-tenant SaaS | The Six Guarantees + tenant-isolation guarantees |
NIL-H is a superset: a tenant’s data, capacity, grants, audit logs, and idempotency ledgers are partitioned per tenant, and cross-tenant data or capacity is never observable.
Advertising support
A system does not document its capabilities in prose. It declares them machine-readably via QUERY nil.profiles, so a client that understands a profile can discover whether the system speaks it and interoperate without vendor-specific code.
```json
{
  "data": {
    "spec": "nil/0.2",
    "class": "NIL-H",
    "profiles": [
      { "name": "commerce-v1", "status": "deprecated", "sunset": "2026-12-01" },
      { "name": "commerce-v2", "status": "active" },
      { "name": "services-v1", "status": "active" }
    ],
    "standards": [ "w3c-trace-context", "bcp47", "iso4217",
                   "rfc6750", "rfc9457", "rfc6585", "standard-webhooks" ]
  }
}
```
Rollback-honesty
A reversibility tier is a claim, and conformance adds checks that prove a shim cannot lie about reversal. A COMPENSABLE verb must actually compensate; an IRREVERSIBLE verb must refuse ROLLBACK with code IRREVERSIBLE; the reversal must be previewed — a real PROPOSAL existed before any state changed; and an unknown or expired token must never trigger a phantom reversal.
manifest diff exits non-zero in CI when a shim declares a reversibility tier it does not honor.
Refusals are conformant
A conformant system does not throw HTTP errors for business-logic outcomes. A refusal is a 200 OK with a typed code — AMBIGUOUS, UNRESOLVED, INVALID_ARGS, POLICY_DENIED, BUDGET_EXHAUSTED, EXPIRED, SUSPENDED, UNSUPPORTED, IRREVERSIBLE, COMPENSATION_EXPIRED. The contract is the outcome, not the transport status.
The governance invariant
Profiles evolve, new verbs arrive, old verbs deprecate — with a deprecation overlap of at least one MINOR release. But no spec revision may relax a guarantee. The spec is extracted from running code, never the reverse.
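A client-side reading of the `nil.profiles` response shown under Advertising support, which also has to cope with the deprecation overlap described here. This is an added example, not code from the NIL project: `select_profile`, `NegotiationError` and `require_tenant_isolation` are hypothetical names, and treating a deprecated profile as usable only strictly before its `sunset` date is an assumption.

```python
import json
from datetime import date

# Constructed sample: the nil.profiles response from this page, standards shortened.
SAMPLE = json.loads("""
{"data": {"spec": "nil/0.2", "class": "NIL-H",
  "profiles": [
    {"name": "commerce-v1", "status": "deprecated", "sunset": "2026-12-01"},
    {"name": "commerce-v2", "status": "active"},
    {"name": "services-v1", "status": "active"}],
  "standards": ["w3c-trace-context", "rfc9457"]}}
""")

KNOWN_CLASSES = {"Core System", "NIL-H"}


class NegotiationError(Exception):
    """No advertised profile can be used safely."""


def select_profile(response, preferred, today, require_tenant_isolation=False):
    """Return the first profile in `preferred` the system advertises as usable.
    Fails closed on a malformed response, unknown class or unknown status."""
    try:
        data = response["data"]
        cls, profiles = data["class"], data["profiles"]
    except (KeyError, TypeError) as exc:
        raise NegotiationError(f"malformed nil.profiles response: {exc!r}")
    if cls not in KNOWN_CLASSES:
        raise NegotiationError(f"unknown conformance class {cls!r}")
    if require_tenant_isolation and cls != "NIL-H":
        raise NegotiationError("tenant isolation required, system is not NIL-H")

    usable = {}
    for p in profiles:
        name, status = p.get("name"), p.get("status")
        if status == "active":
            usable[name] = p
        elif status == "deprecated" and p.get("sunset"):
            # Assumption: usable strictly before the sunset date.
            if today < date.fromisoformat(p["sunset"]):
                usable[name] = p
        # Any other status is skipped rather than trusted.
    for name in preferred:
        if name in usable:
            return usable[name]
    raise NegotiationError(f"none of {preferred} is advertised as usable")
```

Ordering `preferred` newest-first lets a client move to `commerce-v2` as soon as it is advertised while still working against systems that only offer `commerce-v1` during the overlap.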