ARC Control Schema v1.0
Derived From: ARC Canon v1.0 (Frozen)
Status: IMPLEMENTATION BASELINE
Scope: Internal Control Layer (the system of record) — dashboards are a projection of this schema, not the other way around.
⸻
0) Process Chain
Canon v1.0 → Canonical Object Model → State Machine → Permission Model → Audit & Event Log → Control Surfaces (Dashboards) → API Contracts → Program Pipelines → Platform Exposure
⸻
1) Canonical Objects (System of Record)
These are the minimum objects required to operationalize the Canon without drift.
1.1 Core Objects (Primary)
A) Person - Represents humans (artists, operators, collectors, staff).
Fields
• person_id (UUID)
• legal_name
• display_name
• phone
• roles[] (system roles; see §4)
• status (active/inactive)
• created_at, updated_at
⸻
B) Organization
Studios, galleries, partners, vendors.
Fields
• org_id
• name
• type (studio/gallery/partner/vendor/brand)
• primary_contact_person_id
• status
• created_at, updated_at
⸻
C) Era
Bounded temporal phase.
Fields
• era_id
• name
• start_at, end_at (nullable end only if “announced but not closed”)
• ruleset_id (see RuleSet)
• narrative_tone (descriptor)
• economic_profile_id (see EconomicProfile)
• status (planned/active/closed)
Invariant
• Every asset and issuance must reference an era_id.
⸻
D) MasterAsset
The root economic event object.
Fields
• master_id
• title
• creator_person_id (artist)
• source_physical_work_id (see PhysicalWork)
• era_id (creation-era anchor)
• capture_session_id
• archive_package_id
• metadata_core_id
• state (see §3)
• fingerprint_hash (content-based hash)
• canonical_preview_derivative_id (optional)
• created_at, updated_at
Invariants
• No derivatives without a master.
• Master primacy cannot be superseded.
⸻
E) MetadataCore
Governing data layer.
Fields
• metadata_core_id
• master_id
• authorship (structured block)
• capture_conditions (lighting, lens, calibration notes)
• rights_profile_id
• edition_policy_id
• usage_policy_id
• tags[]
• jurisdiction (if needed)
• metadata_version
• created_at, updated_at
Invariant
• Metadata is governing; state transitions and distribution checks consult this first.
⸻
F) Derivative
Any generated artifact from master.
Fields
• derivative_id
• master_id
• type (print_file/web_image/crop/video/mockup/ai_render/etc.)
• spec (format, color space, dimensions, DPI)
• source_chain[] (links to other derivatives if derived-from-derivative)
• storage_ref
• fingerprint_hash
• created_by_person_id
• created_at
Invariant
• Derivatives inherit provenance; never outrank Master.
⸻
G) Utility
Rights, access, unlocks, experiences.
Fields
• utility_id
• master_id
• era_id
• type (display/license/governance/access/revenue-share/etc.)
• unlock_model (time-based, ownership-based, event-based)
• start_at, end_at (nullable)
• conditions (policy rules, thresholds)
• status (available/locked/expired)
⸻
1.2 Operations Objects (Control Layer)
H) PhysicalWork
Represents the real-world object being captured.
Fields
• physical_work_id
• title
• artist_person_id
• medium
• dimensions
• notes
• intake_status (received/returned)
• created_at
⸻
I) CaptureSession
A controlled imaging event.
Fields
• capture_session_id
• physical_work_id
• operator_person_id
• studio_org_id
• calibration_profile_id
• timestamp_start, timestamp_end
• equipment_manifest_id
• result (pass/fail + notes)
• created_at
⸻
J) ArchivePackage
Archival bundle for master + dependencies.
Fields
• archive_package_id
• master_id
• storage_locations[] (primary, backup, cold)
• checksums[]
• restore_test_status
• retention_policy
• created_at
⸻
K) RuleSet
Era governing rules.
Fields
• ruleset_id
• era_id
• rules[] (machine-checkable conditions)
• effective_at
• supersedes_ruleset_id (rare; only via Amendment)
⸻
L) EconomicProfile
All parameters for scarcity axes, pricing baselines, multipliers.
Fields
• economic_profile_id
• era_id
• physical_scarcity_model
• digital_scarcity_model
• temporal_scarcity_model
• pricing_parameters
• created_at
⸻
M) Program
Repeatable pipelines.
Fields
• program_id
• type (Masterwork / EraContent / Onboarding)
• owner_person_id
• SOP_version
• inputs[] (object types)
• outputs[] (object types)
• status (active/paused)
• created_at
⸻
N) ProgramRun
A single execution instance.
Fields
• program_run_id
• program_id
• era_id
• initiated_by_person_id
• state (running/completed/failed)
• run_log_ref
• created_at
⸻
O) License
Contractual permission issuance.
Fields
• license_id
• master_id
• licensee_person_id or licensee_org_id
• scope (display/print/digital/etc.)
• territory, term_start, term_end
• rev_share_terms_id (optional)
• status (draft/active/expired/revoked)
⸻
P) Order
Commercial transaction object.
Fields
• order_id
• customer_person_id
• line_items[] (prints, licenses, utilities)
• pricing_snapshot
• fulfillment_state
• created_at
⸻
Q) AuditEvent (Non-negotiable)
Everything important produces an event.
Fields
• event_id
• timestamp
• actor_person_id
• action (create/update/transition/issue/revoke)
• object_type, object_id
• before_snapshot_ref, after_snapshot_ref
• reason_code
• ip/device_ref (optional)
• signature_hash
Invariant
• State transitions are logged, irreversible, auditable.
⸻
2) Relationship Diagram (Canonical)
3) State Machine (MasterAsset)
Canonical states (Canon v1.0):
Captured → Mastered → Activated → Distributed → Archived
3.1 State Transition Rules
3.2 Transition Gate Checks (examples)
• Cannot go Mastered unless:
• ArchivePackage.restore_test_status == pass
• MetadataCore.metadata_version >= 1
• Cannot go Distributed unless:
• rights allow intended scope
• temporal scarcity windows respected
⸻
4) Permission Model (Roles → Capabilities)
This is the control layer’s enforcement surface. It must be explicit.
4.1 System Roles (from Canon)
• Architect
• Traveler
• Oracle
4.2 Implementation Roles (required for operations)
These do not violate Canon; they are operational sub-roles within governance:
• SystemAdmin (platform ops)
• ProgramOwner (runs a Program)
• CaptureOperator
• Archivist
• RightsManager
• FinanceOperator
• SupportAgent
• PartnerUser (external org access)
• CollectorUser (limited access)
4.3 Capability Matrix (minimum)
Y* = only within defined SOP constraints and with mandatory reason codes.
⸻
5) Control Dashboard Schema (Internal UI Modules)
Dashboards are views over the objects above. The minimum viable control surface is:
5.1 Control Tower (Executive Operations)
Purpose: real-time system health and throughput.
Widgets
• Program throughput (Masterwork, Onboarding, Era Content)
• MasterAsset state distribution (counts by state)
• Exception queue (failed runs, blocked transitions)
• Compliance indicators (missing audit logs, missing archive checks)
Primary Actions
• Assign owner
• Approve transition (where required)
• Escalate exception
⸻
5.2 Asset Registry (System of Record)
Purpose: authoritative asset lookup and lifecycle control.
Views
• MasterAsset list (filter by era, creator, state)
• MasterAsset detail:
• state timeline
• linked Derivatives
• metadata summary
• audit trail
• rights & utilities
Primary Actions
• Create master (via ProgramRun)
• Request state transition (gated)
• Generate derivative (per SOP)
⸻
5.3 Program Console (Repeatability Engine)
Purpose: run, monitor, and measure programs.
Views
• Program list (status, owner, SOP version)
• ProgramRun detail:
• inputs/outputs
• step-by-step log
• failures and remediation playbook
Primary Actions
• Initiate ProgramRun
• Pause program
• Roll forward via remediation
⸻
5.4 Era Governance Console
Purpose: manage era boundaries, rulesets, and economic profiles.
Views
• Era timeline (planned/active/closed)
• RuleSet detail (machine-checkable rules)
• EconomicProfile parameters
Primary Actions
• Create next era (planned)
• Close era (locks issuance to historical rules)
• Publish ruleset (effective date)
⸻
5.5 Rights & Licensing Console
Purpose: issue, track, revoke licenses and enforce policy.
Views
• Active licenses by master
• Expiry calendar
• License scope map
Primary Actions
• Draft license
• Activate license
• Revoke license (requires elevated approval + audit)
⸻
5.6 Audit Ledger (Non-repudiation Layer)
Purpose: prove the system is real and controlled.
Views
• Event stream (filter by actor/object/action)
• State transition ledger
• Anomaly detection (missing event, unusual actor behavior)
Primary Actions
• Export audit package (for disputes/partners)
• Flag incident (creates incident record)
⸻
6) API Contract Sketch (Internal First)
This is the minimal interface surface to keep implementation coherent.
6.1 Core Endpoints (conceptual)
• POST /program-runs (initiate pipeline run)
• GET /master-assets?filters=...
• GET /master-assets/{id}
• POST /master-assets/{id}/transition (gated)
• POST /derivatives (requires master + policy)
• POST /licenses (issue)
• GET /audit-events?filters=...
Hard rule: any endpoint that mutates state must emit an AuditEvent automatically.
⸻
7) Program Pipelines (How the schema becomes throughput)
7.1 Masterwork Program (canonical run steps)
Intake PhysicalWork → CaptureSession → Create MasterAsset (Captured) → Create MetadataCore → ArchivePackage → Transition to Mastered → Policy Validation → Transition to Activated
ProgramRun outputs
• MasterAsset
• MetadataCore
• ArchivePackage
• baseline Derivative (preview)
• AuditEvents for each step
⸻
8) Non-Negotiable Constraints (Anti-Entropy Controls)
These are the “drift killers.”
1. Single Source of Truth: MasterAsset + MetadataCore are authoritative.
2. State transition gating: no manual state edits; transitions only via gated endpoint.
3. Audit by default: no mutation without an AuditEvent.
4. Era binding: issuance, utilities, licenses reference Era.
5. Immutable master fingerprint: changes generate a new master (rare) and link via lineage, not overwrite.