Day 25 – May 26, 2026: Governance Hardening, AI Workflow Evolution, and Phase 12 Authorization
Documenting domain fleet email security hardening, pre-Phase 12 governance audits, invariant guard remediation, AI bootstrap workflow improvements, and the first authorized Phase 12 learning-surface implementation.
Day 25 was a platform stewardship day.
The work moved across two related surfaces: infrastructure security for the domain portfolio, and governance maturity inside lingua-core-platform. Those may look like separate concerns at first. One is DNS, email routing, DMARC, SPF, DKIM, and domain reputation. The other is architectural doctrine, AI bootstrap reliability, invariant guard enforcement, and Phase 12 learning surface authorization.
They were connected by the same operating principle: systems should enter their next phase from a governed baseline, not from passive trust.
The domain fleet could not remain in monitoring mode after evidence of active spoofing appeared. The language platform could not move deeper into Phase 12 while governance files contradicted implementation reality, AI sessions were starting from stale context, and builder invariants still had subtle doctrinal gaps. Day 25 treated both problems as operational maturity work.
The result was less about visible feature velocity and more about hardening the control plane around future work. The portfolio domains became safer by default. The AI collaboration workflow became more reproducible. Repository doctrine became more explicit. Phase 12 was authorized from a cleaner audit baseline. The first Phase 12 learning primitive, SpellingEntry, landed with tests and coverage evidence.
Problem
The day began with a concrete security signal.
An automated DMARC forensic report forwarded through Cloudflare Email Routing showed that malicious actors were actively spoofing 100dash.com, one of the placeholder domains in the portfolio. The domain was still using a passive DMARC policy of p=none, which meant receiving mail servers could continue accepting spoofed mail while the domain merely observed the abuse.
That posture was acceptable only while the risk remained theoretical. Once the report showed unauthorized foreign IPs attempting to send as the domain, the mail posture needed to change from observation to enforcement. A placeholder domain can still accumulate reputation damage before a product formally launches. Unused domains are not harmless if their DNS records allow others to borrow their identity.
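The report signal described above, as an added example that is not the post's tooling: a triage function over a DMARC aggregate report (the RFC 7489 XML shape that providers such as Google send; the post's first signal was a forensic report, which has a different format). The sample report, its TEST-NET source IPs and the reporter name are constructed; it lists sources that failed both SPF and DKIM and counts how many of their messages the published p=none policy let through.

```python
# Added example, not the post's tooling: triage a DMARC aggregate report
# (RFC 7489 XML) to find sources the domain never authorised, i.e. rows where
# both SPF and DKIM alignment failed, and show what a p=none policy did with them.
import xml.etree.ElementTree as ET

# Constructed sample report: one aligned source and one unknown source that
# failed both checks while the published policy was still p=none. IPs are TEST-NET.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-reporter</org_name><report_id>42</report_id></report_metadata>
  <policy_published><domain>100dash.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>100dash.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>1</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>100dash.com</header_from></identifiers>
  </record>
</feedback>
"""


def triage_report(xml_text: str) -> dict:
    """Return the published policy and every source that failed both SPF and DKIM."""
    root = ET.fromstring(xml_text)
    policy = root.findtext("policy_published/p", default="none")
    spoofed = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "fail" and evaluated.findtext("spf") == "fail":
            spoofed.append({
                "source_ip": row.findtext("source_ip"),
                "count": int(row.findtext("count", default="0")),
                "disposition": evaluated.findtext("disposition"),
            })
    # Under p=none a failing source is still given disposition "none": the
    # receiver accepted the mail and only reported it.
    accepted = sum(s["count"] for s in spoofed if s["disposition"] == "none")
    return {"policy": policy, "spoofed_sources": spoofed, "accepted_spoofed_messages": accepted}
```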
At the same time, lingua-core-platform was approaching a different kind of risk. The project had reached late Phase 11 and early Phase 12 planning after several phases of deterministic runtime governance, lexical architecture, and AI-assisted engineering workflow design. The repository had enough doctrine to guide future work, but some of that doctrine had drifted.
Several AI-facing architecture files no longer matched implementation reality. Some roadmap references were stale. Some governance documents overlapped in ways that created competing sources of truth. Fresh AI sessions could begin without reliable awareness of current repository state. That made the engineering workflow itself a risk surface.
The pre-Phase 12 audit also found a more specific architectural violation: multiple Phase 9 builder functions did not satisfy the platform’s Invariant Guard Form Law. Instead of enforcing invariants inline at the point of construction, they delegated validation into helper functions. That satisfied some local implementation goals but weakened the doctrine. A future assistant could preserve the helper pattern and technically keep behavior green while missing the architectural intent.
Phase 12 introduced one more governance constraint. The roadmap referenced reading and writing learning primitives, but the Documentary Derivation Law blocked implementation because the repository did not yet justify the field-level structure of those types. Implementing the primitives first would have been faster. It also would have violated the project’s own rule that architectural structure needs documentary derivation before code expansion.
Actions Taken
The infrastructure-security response was fleet-wide rather than domain-local.
The placeholder domains were moved toward an inbound-only locked state. The standard baseline hardened SPF to v=spf1 -all, disabled unused wildcard DKIM selectors, and upgraded DMARC from passive monitoring to strict reject enforcement with p=reject. Cloudflare Email Routing rules were also adjusted so catch-all dictionary attacks could be silently discarded while intentional aliases such as hello@ remained preserved.
The important architectural choice was to treat unused domains as assets that still need a baseline. A domain that is not sending mail should explicitly say so. A placeholder domain should not leave ambiguous DNS behind simply because no product is live yet.
The lingua-core-platform work followed the same hardening posture.
Before authorizing deeper Phase 12 implementation, the governance layer was restructured. CLAUDE.md was rewritten into a lightweight orientation-only document. ARCHITECTURE.md was split conceptually between immutable principles and roadmap planning. ROADMAP.md became the authoritative mutable phase-planning document. ADRs 0008 through 0011 were added to capture architectural decisions from Phases 10 through 12. AGENTS.md was simplified and aligned to a single mandatory doctrine source. HANDOFF_TEMPLATE.md was strengthened. NEW_CHAT_SESSION.md was introduced to standardize AI bootstrap sessions. DATA_SOURCES.md expanded to support future learning-surface derivation governance.
The audit surfaced several governance flaws that would have been easy to miss in normal feature work. AGENTS.md still instructed AI assistants to place all linguistic processing under src/core/tokenizers/, even though Phase 10 had introduced src/core/lexical/. SESSION_STATE.md referenced architecture sections that no longer existed. HANDOFF_TEMPLATE.md did not prohibit delegated invariant guard helpers, leaving room for assistants to satisfy the letter of doctrine while bypassing its intent.
Those were not merely documentation polish issues. In an AI-assisted platform, governance files are part of the production architecture surface area. They shape what future sessions will build, what they will preserve, and where they will search for authority.
The pre-Phase 12 audit also produced implementation remediation. Several dedicated branches restored inline-only invariant enforcement across nine builder functions, removed five unused helper functions, corrected barrel export leaks, and repaired schema literal reconciliation gaps. The audit prompts themselves were improved with exhaustiveness requirements and no-collapse reporting rules so future reviews would not compress distinct findings into vague summary confidence.
For Phase 12, the team did not bypass the Documentary Derivation Law. Instead, documentation expansion became its own architectural slice. ADR-0011 established independent learning primitive doctrine. Learning layer diagrams were added to ARCHITECTURE.md. DATA_SOURCES.md expanded with candidate Thai datasets. The boundary between learning surfaces and future tenant or runtime concerns was clarified before implementation proceeded.
After that authorization work, the first Phase 12 implementation landed: SpellingEntry as a structural type, with 18 associated tests covering replay safety and immutability expectations.
Troubleshooting
The DNS automation exposed several practical issues.
The modern Cloudflare Python SDK rejected API calls unless ttl=1 was provided explicitly. That made the automation stricter than expected and forced the workflow to encode Cloudflare’s automatic TTL behavior directly.
TXT record rendering also produced misleading feedback. Records inserted through the API did not display with visible quote wrapping in the Cloudflare dashboard, which triggered UI validation warnings even when the records were technically valid. The automation was adjusted to inject escaped inner quotes so TXT values rendered correctly both operationally and visually.
That distinction mattered because DNS governance is not only about machine validity. Operators need dashboard state that is readable and does not create false uncertainty during future audits.
The invariant guard remediation produced its own edge case. ESLint treated inline schema version comparisons as dead code because TypeScript narrowing made some comparisons appear impossible. The fix used explicit as unknown casts while preserving the doctrinally required direct equality checks.
That was a useful reminder that tools can disagree with architectural doctrine. The goal was not to appease linting by reintroducing helper delegation. The goal was to preserve inline invariant evidence while giving the type system enough distance to allow the check to remain visible.
AI workflow troubleshooting was also significant. Fresh planning sessions had repeatedly suffered from stale context and GitHub raw URL caching issues. AI assistants were sometimes reading outdated governance files and lacked awareness of current model availability. The bootstrap workflow changed so new sessions attach current governance files directly instead of relying on raw URLs alone. NEW_CHAT_SESSION.md still includes explicit raw URLs where they are useful, but the workflow no longer depends on them as the sole path to current state.
Solution Implemented
By the end of the infrastructure work, the placeholder domain fleet had a clearer locked-state baseline.
SPF declared that the domains send no mail. DKIM selectors were disabled where unused. DMARC moved to reject enforcement. Cloudflare Email Routing preserved intentional aliases while reducing inbound noise from catch-all abuse. The automation used a hardcoded exclusion list so production or business-critical domains were not accidentally folded into the placeholder-domain policy.
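The locked-state baseline, the ttl=1 and quoted-TXT quirks from the troubleshooting section, and the exclusion list above, as an added Python example that is not the post's automation: a planner that emits the TXT records a placeholder domain should carry and an audit that flags records still permitting spoofing, such as a DMARC policy left at p=none. The excluded domain name is constructed, the null DKIM record form and the finding messages are assumptions, and the Cloudflare SDK call that would write the records is deliberately left out.

```python
# Added example, not the post's automation: plan the inbound-only locked-state
# TXT baseline for a placeholder domain and audit existing records against it.
AUTO_TTL = 1  # Cloudflare's "automatic" TTL; the post notes the SDK required it explicitly
# Assumption: a hardcoded exclusion list keeps business-critical domains out (constructed name).
EXCLUDED_DOMAINS = frozenset({"business-critical.example"})


def quote_txt(value: str) -> str:
    """Wrap a TXT value in escaped quotes so the dashboard renders it quoted."""
    return '"' + value.replace('"', '\\"') + '"'


def plan_locked_state(domain: str) -> list[dict]:
    """Records saying the domain sends no mail: SPF -all, DMARC reject, null DKIM."""
    if domain in EXCLUDED_DOMAINS:
        raise ValueError(f"{domain} is excluded from the placeholder-domain policy")
    baseline = [
        (domain, "v=spf1 -all"),
        (f"_dmarc.{domain}", "v=DMARC1; p=reject"),
        # Assumption: an empty p= tag neutralises the unused wildcard selector (RFC 6376: revoked key).
        (f"*._domainkey.{domain}", "v=DKIM1; p="),
    ]
    return [{"type": "TXT", "name": n, "content": quote_txt(v), "ttl": AUTO_TTL}
            for n, v in baseline]


def dmarc_tags(txt: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=none; ...' into a lower-cased tag dictionary."""
    tags = {}
    for part in txt.strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_posture(domain: str, txt_records: dict[str, list[str]]) -> list[str]:
    """Findings for records that still let others borrow the domain's identity."""
    findings = []
    spf = [r.strip('"') for r in txt_records.get(domain, []) if r.strip('"').startswith("v=spf1")]
    if not spf:
        findings.append("SPF missing: nothing states that the domain sends no mail")
    elif not spf[0].rstrip().endswith("-all"):
        findings.append(f"SPF permissive: {spf[0]}")
    dmarc = [dmarc_tags(r) for r in txt_records.get(f"_dmarc.{domain}", [])]
    policy = dmarc[0].get("p") if dmarc else None
    if policy is None:
        findings.append("DMARC missing: spoofed mail is neither reported nor rejected")
    elif policy != "reject":
        findings.append(f"DMARC p={policy}: receivers may still accept spoofed mail")
    return findings
```

Feeding the planner's own output back into audit_posture returns no findings, which is the check a re-run of the automation can use to confirm a domain reached the locked state.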
Subsequent DMARC reports from providers such as Google confirmed that spoofing attempts were actively occurring. That evidence validated the timing of the hardening effort. The problem was not hypothetical; the portfolio was already being tested by attackers.
The platform-governance solution was broader.
The repository now has a cleaner separation between immutable architectural principles, mutable roadmap planning, handoff protocol, session bootstrap instructions, and source-derivation governance. ADRs 0008 through 0011 make recent architectural decisions reviewable rather than conversational. AGENTS.md, CLAUDE.md, HANDOFF_TEMPLATE.md, NEW_CHAT_SESSION.md, ROADMAP.md, ARCHITECTURE.md, SESSION_STATE.md, and DATA_SOURCES.md now play more distinct roles in the AI engineering operating model.
The invariant guard remediation closed a concrete doctrinal gap. Nine builder functions now enforce invariants inline. Five unused helpers were removed. Barrel export leaks were corrected. Schema literal reconciliation reached 27 reconciled literals. The validation chain returned to green. Phase 12 was formally authorized from a clean re-audit rather than from forward momentum.
The Documentary Derivation Law also expanded rather than weakened. Phase 12 learning surfaces now have stronger documentary footing before further implementation. ADR-0011 defines independent learning primitive doctrine, and the learning layer now has clearer architectural diagrams and data-source references.
The SpellingEntry milestone made that authorization real. It was not a large surface feature, but it was an important proof that Phase 12 could begin without breaking the governance model. The implementation included the structural type, 18 tests, replay-safety validation, and immutability checks. The broader test suite reached 680 tests across 52 files with 92.48% statement coverage.
Most importantly, the AI workflow itself became more reliable. New sessions now attach current governance files directly, use clearer bootstrap instructions, and inherit a stronger distinction between reference-only artifacts, authoritative doctrine, roadmap state, and implementation permission. That makes future AI work less dependent on hidden memory and less vulnerable to stale URLs or prompt compression.
Nice to Have / Future Direction
The domain-security work points naturally toward Infrastructure-as-Code.
The current automation was intentionally lightweight, but the long-term target is Terraform-managed domain portfolio governance. New domains should inherit hardened email and routing baselines by default. Placeholder domains should enter an inbound-only locked state automatically. Production and business-critical domains should remain explicitly excluded or separately modeled. DNS posture should become reviewable infrastructure, not manual dashboard memory.
The lingua-core-platform direction is similar. Governance should continue to move from conversation into versioned artifacts. AI bootstrap files should be kept current enough that a new session can enter the repository, understand phase state, identify mandatory doctrine, run validation, and continue without guessing. Audit prompts should remain strict enough to surface distinct risks instead of summarizing them away.
Phase 12 can now proceed, but only under the conditions that made authorization possible: documentary derivation first, invariant guards inline, schema changes explicit, replay safety preserved, exported artifacts immutable, and AI workflow treated as part of the architecture rather than a side channel.
Day 25 marked a transition from rapid foundational expansion into platform stewardship. The work was security hardening, governance restructuring, doctrinal enforcement, and controlled authorization. It made the portfolio harder to spoof, the repository harder to drift, and the next phase of the language platform easier to trust.