gsmlg-dev
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.specify/memory/constitution.md‎
Lines changed: 112 additions & 36 deletions b/‎.specify/memory/constitution.md‎
Lines changed: 112 additions & 36 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 7 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 10 additions & 8 deletions b/‎README.md‎
Lines changed: 10 additions & 8 deletions
@@ -37,4 +37,4 @@ jobs:
           mix deps.get
 
       - name: Run tests
-        run: mix test
+        run: mix test --cover
@@ -3,16 +3,14 @@
 <!--
 Sync Impact Report
 ==================
-Version change: 0.0.0 → 1.0.0 (initial ratification)
-Modified principles: N/A (initial)
+Version change: 1.0.0 → 1.1.0
+Modified principles: None renamed
 Added sections:
-  - Core Principles (7 principles)
-  - Architectural Constraints
-  - Development Workflow
-  - Governance
-Removed sections: N/A
+  - Principle VIII: Deterministic State Machine (6 correctness invariants)
+Removed sections: None
 Templates requiring updates:
-  - .specify/templates/plan-template.md ✅ (Constitution Check section compatible)
+  - .specify/templates/plan-template.md ✅ (Constitution Check section is
+    dynamic — new principle auto-included)
   - .specify/templates/spec-template.md ✅ (Requirements section compatible)
   - .specify/templates/tasks-template.md ✅ (Phase structure compatible)
 Follow-up TODOs: None
@@ -22,70 +20,92 @@ Follow-up TODOs: None
 
 ### I. Consistency First
 
-All write operations MUST go through Raft consensus to ensure strong consistency across the cluster. The system is designed as a CP (Consistent + Partition-tolerant) system where:
+All write operations MUST go through Raft consensus to ensure strong
+consistency across the cluster. The system is designed as a CP
+(Consistent + Partition-tolerant) system where:
 
 - Writes require quorum acknowledgment before returning success
-- Reads default to leader consistency but support configurable consistency levels (`:eventual`, `:leader`, `:strong`)
-- No operation may sacrifice consistency for availability during network partitions
+- Reads default to leader consistency but support configurable
+  consistency levels (`:eventual`, `:leader`, `:strong`)
+- No operation may sacrifice consistency for availability during
+  network partitions
 
-**Rationale**: As a distributed coordination system, incorrect data is worse than unavailable data. Applications relying on Concord for configuration, feature flags, or coordination require absolute certainty about data accuracy.
+**Rationale**: As a distributed coordination system, incorrect data is
+worse than unavailable data. Applications relying on Concord for
+configuration, feature flags, or coordination require absolute
+certainty about data accuracy.
 
 ### II. Embedded by Design
 
-Concord MUST function as an embedded library that starts with the host application. This means:
+Concord MUST function as an embedded library that starts with the host
+application. This means:
 
 - No separate infrastructure or external processes required
 - Application lifecycle controls Concord lifecycle
-- Configuration follows Elixir conventions (config files, environment variables)
+- Configuration follows Elixir conventions (config files, environment
+  variables)
 - Zero operational overhead for single-node development
 
-**Rationale**: Lowering the barrier to entry enables adoption. Developers should be able to add distributed coordination to their apps as easily as adding any other dependency.
+**Rationale**: Lowering the barrier to entry enables adoption.
+Developers should be able to add distributed coordination to their
+apps as easily as adding any other dependency.
 
 ### III. Performance Without Compromise
 
-The system MUST maintain microsecond-level performance for reads and low-millisecond performance for writes:
+The system MUST maintain microsecond-level performance for reads and
+low-millisecond performance for writes:
 
-- Read operations: target <10μs for ETS lookups
+- Read operations: target <10us for ETS lookups
 - Write operations: target <20ms for quorum commits
 - Throughput: maintain 600K+ ops/sec under load
 - All performance-critical paths MUST avoid blocking operations
 
-**Rationale**: A coordination layer that introduces latency becomes a bottleneck. Performance MUST be a feature, not an afterthought.
+**Rationale**: A coordination layer that introduces latency becomes a
+bottleneck. Performance MUST be a feature, not an afterthought.
 
 ### IV. Observability as Infrastructure
 
-Every operation MUST emit telemetry events. Observability is not optional:
+Every operation MUST emit telemetry events. Observability is not
+optional:
 
 - All API operations emit `[:concord, :api, :*]` events
 - All internal operations emit `[:concord, :operation, :*]` events
 - State changes emit `[:concord, :state, :*]` events
 - OpenTelemetry tracing MUST be available for distributed debugging
 - Prometheus metrics MUST be exportable
 
-**Rationale**: Distributed systems are inherently harder to debug. Without comprehensive observability, production issues become impossible to diagnose.
+**Rationale**: Distributed systems are inherently harder to debug.
+Without comprehensive observability, production issues become
+impossible to diagnose.
 
 ### V. Secure Defaults
 
 Security MUST be enabled by default in production environments:
 
 - Authentication required for all operations when `auth_enabled: true`
-- Token-based authentication with cryptographically secure token generation
+- Token-based authentication with cryptographically secure token
+  generation
 - RBAC (Role-Based Access Control) for fine-grained permissions
 - TLS support for transport security
 - Audit logging for compliance requirements
 
-**Rationale**: Security vulnerabilities in coordination systems can compromise entire application fleets. Secure-by-default prevents accidental exposure.
+**Rationale**: Security vulnerabilities in coordination systems can
+compromise entire application fleets. Secure-by-default prevents
+accidental exposure.
 
 ### VI. Test-Driven Quality
 
 All features MUST have corresponding tests before merge:
 
 - Unit tests for isolated component behavior
-- E2E tests for distributed scenarios (leader election, network partitions, node failures)
+- E2E tests for distributed scenarios (leader election, network
+  partitions, node failures)
 - Tests run with `async: false` to avoid Ra cluster conflicts
 - State machine changes require cluster restart verification
 
-**Rationale**: Distributed systems have subtle failure modes. Comprehensive testing is the only way to maintain confidence in correctness.
+**Rationale**: Distributed systems have subtle failure modes.
+Comprehensive testing is the only way to maintain confidence in
+correctness.
 
 ### VII. API Stability
 
@@ -94,9 +114,53 @@ Public API changes MUST follow semantic versioning:
 - MAJOR: Breaking changes to `Concord.*` public functions
 - MINOR: New features, new optional parameters
 - PATCH: Bug fixes, performance improvements
-- State machine version changes MUST be backward compatible or include migration paths
-
-**Rationale**: Applications depend on Concord for critical coordination. Breaking changes without warning erode trust.
+- State machine version changes MUST be backward compatible or include
+  migration paths
+
+**Rationale**: Applications depend on Concord for critical
+coordination. Breaking changes without warning erode trust.
+
+### VIII. Deterministic State Machine
+
+The Ra state machine (`Concord.StateMachine`) MUST remain
+deterministic and serialization-safe at all times. These six invariants
+are non-negotiable:
+
+1. **Deterministic replay**: `apply/3` MUST be a pure function of
+   `(meta, command, state)`. Time MUST come from `meta.system_time`
+   (leader-assigned milliseconds), NEVER from `System.system_time` or
+   any other wall-clock source. Use `meta_time(meta)` to convert to
+   seconds.
+
+2. **No anonymous functions in Raft state or log**: Index extractors,
+   conditions, and any data entering the Raft log MUST use declarative
+   specs (tuples like `{:map_get, :email}`, `{:nested, [:a, :b]}`,
+   `{:identity}`, `{:element, n}`). Closures cause `:badfun` on
+   deserialization across code versions or nodes.
+
+3. **All mutations through Raft**: Auth tokens, RBAC roles/grants/ACLs,
+   tenant definitions, backup restores, and any other state change MUST
+   route through `:ra.process_command`. Direct ETS writes are ONLY
+   acceptable as fallback when the cluster is not yet ready (`:noproc`).
+
+4. **ETS tables are materialized views**: ETS is rebuilt from
+   authoritative Raft state on `snapshot_installed/4`. ETS MUST NEVER
+   be treated as the source of truth.
+
+5. **Snapshots via `release_cursor` effect**: Ra does NOT have a
+   `snapshot/1` callback. Snapshots MUST be emitted every 1000 commands
+   as `{:release_cursor, index, state}` effects. The state MUST include
+   ETS data captured by `build_release_cursor_state/1`.
+
+6. **Pre-consensus evaluation**: `put_if`/`delete_if` MUST evaluate
+   condition functions at the API layer, then convert to CAS commands
+   with `expected: current_value` before entering the Raft log. This
+   keeps the log deterministic.
+
+**Rationale**: Violating any of these invariants causes state
+divergence between Raft replicas, data corruption on log replay, or
+deserialization failures across nodes. These are the most critical
+rules in the entire codebase.
 
 ## Architectural Constraints
 
@@ -118,10 +182,16 @@ Public API changes MUST follow semantic versioning:
 
 ### Data Flow Invariants
 
-1. All writes flow through: Client API → Auth → Validation → `:ra.process_command` → State Machine → ETS
-2. Reads may bypass Raft log via `:ra.consistent_query` or `:ra.local_query`
-3. Server ID format MUST be `{:concord_cluster, node()}` (not module-based)
-4. Query functions return `{:ok, result}`; Ra wraps as `{:ok, {:ok, result}, leader_info}`
+1. All writes flow through: Client API -> Auth -> Validation ->
+   `:ra.process_command` -> State Machine -> ETS
+2. Reads may bypass Raft log via `:ra.consistent_query` or
+   `:ra.local_query`
+3. Server ID format MUST be `{:concord_cluster, node()}`
+   (not module-based)
+4. Query functions return `{:ok, result}`; Ra wraps as
+   `{:ok, {:ok, result}, leader_info}`
+5. State machine correctness invariants per Principle VIII MUST be
+   enforced at every layer
 
 ## Development Workflow
 
@@ -141,25 +211,31 @@ Public API changes MUST follow semantic versioning:
 
 ### Commit Standards
 
-- Semantic commit messages: `feat:`, `fix:`, `docs:`, `chore:`, `test:`, `refactor:`
+- Semantic commit messages: `feat:`, `fix:`, `docs:`, `chore:`,
+  `test:`, `refactor:`
 - No auto-generated footers (Claude Code, Co-Authored-By)
 - Each commit should be atomic and independently reversible
 
 ## Governance
 
-This constitution supersedes all other development practices for the Concord project.
+This constitution supersedes all other development practices for the
+Concord project.
 
 ### Amendment Process
 
-1. Propose changes via pull request to `.specify/memory/constitution.md`
+1. Propose changes via pull request to
+   `.specify/memory/constitution.md`
 2. Document rationale for each change
 3. Update dependent templates if principles change
 4. Increment version according to semantic rules
 
 ### Compliance
 
 - All PRs MUST verify adherence to Core Principles
-- Complexity additions MUST be justified against Principle VII (simplicity via API stability)
+- Complexity additions MUST be justified against Principle VII
+  (simplicity via API stability)
+- State machine changes MUST be reviewed against Principle VIII
+  invariants
 - Constitution violations require explicit exception documentation
 
 ### Version Policy
@@ -168,4 +244,4 @@ This constitution supersedes all other development practices for the Concord pro
 - MINOR: New principle or section added
 - PATCH: Clarifications, wording improvements
 
-**Version**: 1.0.0 | **Ratified**: 2025-12-03 | **Last Amended**: 2025-12-03
+**Version**: 1.1.0 | **Ratified**: 2025-12-03 | **Last Amended**: 2026-03-03
@@ -121,3 +121,10 @@ See `docs/` for architectural documents:
 - `docs/DESIGN.md` — Original design blueprint
 - `docs/API_DESIGN.md` — HTTP API design
 - `docs/API_USAGE_EXAMPLES.md` — HTTP API usage examples
+
+## Active Technologies
+- Elixir 1.18 / OTP 28 + Ra 2.17.1 (Raft), libcluster 3.5.0, Bandit 1.8.0, Plug 1.18.1 (001-fix-review-issues)
+- ETS (in-memory) with Ra snapshots for persistence (001-fix-review-issues)
+
+## Recent Changes
+- 001-fix-review-issues: Added Elixir 1.18 / OTP 28 + Ra 2.17.1 (Raft), libcluster 3.5.0, Bandit 1.8.0, Plug 1.18.1
@@ -12,7 +12,7 @@
 ## Key Features
 
 - **Strong Consistency** — Raft consensus ensures all nodes agree on data
-- **600K-870K ops/sec** — 1-7us latency for typical operations
+- **High Performance** — ETS-backed reads with microsecond-level latency
 - **Embedded Design** — Starts with your app, no external infrastructure
 - **HTTP REST API** — Complete API with OpenAPI/Swagger documentation
 - **Configurable Consistency** — Choose eventual, leader, or strong per operation
@@ -81,13 +81,7 @@ iex --name n3@127.0.0.1 --cookie concord -S mix  # Terminal 3
 
 ## Performance
 
-| Operation | Throughput | Latency |
-|-----------|-----------|---------|
-| Small Values (100B) | 621K-870K ops/sec | 1-2us |
-| Medium Values (1KB) | 134K-151K ops/sec | 6-7us |
-| TTL Operations | 943K-25M ops/sec | 0.04-1us |
-| HTTP Health Check | 5K req/sec | 197us |
-| Memory Overhead | ~10 bytes per item | — |
+Performance varies significantly depending on hardware, cluster size, network topology, and consistency level. ETS-backed reads are inherently fast, but actual throughput and latency depend on your deployment. Run `mix run benchmarks/run_benchmarks.exs` on your own hardware to get representative numbers.
 
 ## When to Use Concord
 
@@ -102,6 +96,14 @@ iex --name n3@127.0.0.1 --cookie concord -S mix  # Terminal 3
 | Primary Database | Avoid (use PostgreSQL) |
 | Large Blob Storage | Avoid (use S3) |
 
+## Known Limitations
+
+- **Bootstrap ETS Fallback**: Auth, RBAC, and tenant data written via ETS fallback during the bootstrap window (before a Raft cluster forms) is not replicated. Once the cluster establishes quorum, subsequent writes go through Raft consensus normally.
+
+- **Node-Local Rate Limiting**: Multi-tenancy rate limiting is tracked per-node. A tenant can exceed its configured quota by up to N× across N nodes in the cluster.
+
+- **Query TTL Clock Sensitivity**: TTL expiration checks in queries use wall-clock time (`System.system_time`) which may differ from leader-assigned time (`meta.system_time`) during clock drift between nodes.
+
 ## Comparison
 
 | Feature | Concord | etcd | Consul | ZooKeeper |