S177 — OQ Decision Record (2026-05-19)
Date: 2026-05-19
Authority: Huyên (decisions supplied to S177-R0)
Status: AUTHORITATIVE — binds PATCH1 design + future patches
Scope note: decisions only; no code, no commit, no Lark write.
These close OQ-2, OQ-3, OQ-4, OQ-5, OQ-7. OQ-1 (code reconcile) is addressed by the separate R0 report. OQ-6 (commit/path mechanics) remains an environment blocker.
OQ-2 — GPG private key
DECISION:
- VPS stores/fetches public key only.
- Private key remains offline with Huyên, never on the VPS.
- No on-VPS decrypt capability in Sprint 1.
Binds design §E (E.1/E.2/E.4). R-4 mitigation stands at full strength. GSM secret LARK_BACKUP_GPG_PUBKEY (public, ASCII-armored), fetched via the existing credential path.
OQ-3 — PII policy
DECISION:
- Guarded record writes: detect PII → log metadata only → proceed (do NOT block the write).
- Plaintext / export / stdout / non-GPG paths: PII detection blocks with SafetyViolation.
- Audit, stdout, and the rollback command must never include raw PII.
- --pii-strict (also abort guarded writes) is optional, later — NOT a Sprint 1 blocker.
Binds design §D.3 (two-rule split confirmed) + §C.2 layer 7.
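As an added illustration of the OQ-3 two-rule split (example code, not the S177 project's own SafetyLayer; Python, the detector patterns, the Egress enum and the SafetyViolation class are all constructed assumptions), a guard that logs metadata only and proceeds on guarded GPG writes, but raises on any non-GPG path, with neither the audit entry nor the exception carrying the raw value:

```python
import re
from enum import Enum


class SafetyViolation(Exception):
    """Raised when PII would leave the system via a non-GPG path."""


class Egress(Enum):
    GUARDED_GPG_WRITE = "guarded_gpg_write"  # encrypted, guarded record write
    PLAINTEXT = "plaintext"
    EXPORT = "export"
    STDOUT = "stdout"


# Constructed detector patterns for this example; the real rule set is an assumption.
PII_DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d \-]{7,}\d"),
}


def detect_pii(record: dict) -> list[dict]:
    """Return metadata only (field name + PII kind); the matched value is never kept."""
    hits = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in PII_DETECTORS.items():
            if pattern.search(value):
                hits.append({"field": field, "kind": kind})
    return hits


def guard_write(record: dict, egress: Egress, audit: list) -> bool:
    """Apply the two-rule split: log-and-proceed on guarded writes, block elsewhere."""
    hits = detect_pii(record)
    if not hits:
        return True
    # The audit entry carries field names and kinds only, never the raw value.
    audit.append({"event": "pii_detected", "egress": egress.value, "hits": hits})
    if egress is Egress.GUARDED_GPG_WRITE:
        return True  # rule 1: detect -> log metadata -> proceed
    # Rule 2: any non-GPG path is blocked; the message names fields, not values.
    fields = sorted(h["field"] for h in hits)
    raise SafetyViolation(f"PII in {fields} blocked on {egress.value} path")
```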
OQ-4 — MCP topology
DECISION:
- Existing @larksuiteoapi/lark-mcp may remain only if its write tools can be hidden/disabled.
- Allowed plugin tools: read/list/search only.
- If the host cannot hide plugin create/update tools → replace the plugin entirely with the custom adapter.
- All write tools must go through the Application Service Layer + SafetyLayer. No unguarded write path is acceptable.
Binds design §F.1/F.2/F.3. R-6 (HIGH) mitigation confirmed.
OQ-5 — Lark batch_delete limit
DECISION:
- Limit is unknown until verified.
- Default record.batch_delete max = 100.
- R0 / Sprint 0 must verify via official Lark docs OR a probe against a staging (buffer) Base before raising.
- Limits stored in config/lark-api-limits.yaml.
Binds design §B.4/§G.5. (Probe NOT performed in this read-only R0 — no Lark write/delete allowed; remains an explicit pre-raise task.)
OQ-7 — Orphan backup
DECISION:
- Keep the encrypted orphan backup for audit — do NOT auto-delete immediately.
- Write a metadata-only entry to /var/log/lark-ops/orphan-backups.log.
- Default grace window: 7 days.
- Sweep/delete must be explicit and audited.
Binds design §C.6 + §E.5. Adjustment vs PATCH1: PATCH1 §C.2 layer-4 said "delete-if-provably-this-attempt-safe, else log". Per OQ-7 this is overridden — no immediate auto-delete even when provably this-attempt-orphaned; always retain + log; deletion only via the explicit audited 7-day sweep. This delta must be carried into the next patch.
Decision → design-section binding summary
| OQ | Decision | Binds | PATCH1 change needed |
|---|---|---|---|
| OQ-2 | pubkey-only on VPS, privkey offline, no Sprint-1 decrypt | §E | none (confirms) |
| OQ-3 | write proceeds; block non-GPG egress; no raw PII in audit/rollback; --pii-strict later | §D.3,§C.2 | none (confirms) |
| OQ-4 | plugin read-only-if-hideable else full replace; all writes via SafetyLayer | §F | none (confirms) |
| OQ-5 | batch_delete=100 until doc/probe; config/lark-api-limits.yaml | §B.4,§G.5 | none (confirms) |
| OQ-7 | retain orphan + log; 7-day grace; explicit audited sweep; no immediate auto-delete | §C.6,§E.5 | YES — remove "delete-if-safe" immediate path |
OQ-7 introduces one required design correction (carry into PATCH2). OQ-2/3/4/5 confirm PATCH1 as-is.
OQ Decision Record complete. Authoritative. Pairs with s177-r0-code-reconcile-report-2026-05-19.md.