Struct GovernancePolicy 

pub struct GovernancePolicy {
    pub core: CorePolicy,
    pub atomisation: AtomisationPolicy,
    pub synthesis: SynthesisPolicy,
    pub multistep: MultistepPolicy,
    pub kind_class: KindClassificationPolicy,
    pub persona: PersonaPolicy,
    pub export: ExportPolicy,
}

Governance policy attached to a namespace’s standard memory (stored in metadata.governance).

Default policy when a standard has no metadata.governance: { write: Any, promote: Any, delete: Owner, approver: Human, inherit: true }.

v0.6.2 (S34 defensive): promote, delete, and approver carry #[serde(default)] so partial-policy payloads (a common shape for operator CLIs / test harnesses that only care about write) round-trip instead of 400-ing out on missing fields. write remains required — it’s the core knob a policy is attempting to set.

v0.6.3.1 (P4, audit G1): inherit controls whether parent-namespace policies bubble up. Default true matches the architecture page T2 promise of “Hierarchical policy inheritance (default at org/, overridable at org/team/)”. Setting inherit: false on a child stops the leaf-first walk in resolve_governance_policy, providing an explicit opt-out path for scoped overrides (e.g. an audit sandbox under a fully-governed parent).

#880 / #793 PR-3 — decomposition (2026-05-18)

Pre-#880 the struct carried 20 flat fields. Adding any new field forced a 50-site struct-literal cascade across src/ + tests/ (the surface this issue closes). Post-#880 the same 20 fields are grouped into 7 per-concern sub-structs and re-attached to the parent via #[serde(flatten)]. The composite still carries every field, so the wire-format / TOML / metadata.governance JSON shape is unchanged (pinned by tests/governance_policy_wire_compat.rs). Each existing field is still reachable via the new policy.core.write, policy.atomisation.auto_atomise, etc. paths, and every effective_* accessor on the parent struct delegates to the matching sub-struct so the rest of the codebase that calls policy.effective_max_reflection_depth() is unchanged.

Adding a new policy knob now means:

1. Pick the right sub-struct under CorePolicy / AtomisationPolicy / etc.
2. Add the field (with #[serde(default, skip_serializing_if = "Option::is_none")]).
3. Add the field to the sub-struct’s Default impl.

No literal-site cascade. The ..Default::default() pattern used at every construction site picks up the new field automatically.

Fields

core: CorePolicy

Access-control + inheritance + reflection-depth — the load-bearing K9/K10 governance knobs. See CorePolicy.

atomisation: AtomisationPolicy

WT-1-D + Form 2 atomisation knobs. See AtomisationPolicy.

synthesis: SynthesisPolicy

Form 1 synthesis curator knobs + legacy per-pair opt-in. See SynthesisPolicy.

multistep: MultistepPolicy

Form 3 multistep-ingest prompt sizing knobs. See MultistepPolicy.

kind_class: KindClassificationPolicy

Form 6 memory-kind auto-classifier knobs. See KindClassificationPolicy.

persona: PersonaPolicy

QW-2 persona auto-regeneration cadence + file-backed export knobs. See PersonaPolicy.

export: ExportPolicy

QW-1 reflection-export knob. See ExportPolicy.

Implementations

impl GovernancePolicy

pub fn from_metadata(metadata: &Value) -> Option<Result<Self, Error>>

Parse a policy out of a metadata.governance JSON value. Returns None when the field is missing/null. Parse errors propagate so callers can surface them to the user instead of silently defaulting.

pub fn default_for_managed_namespace() -> Self

NHI-P4-T19 (v0.7.0 NHI testing): default policy for namespaces that have a standard set but no explicit metadata.governance. Differs from Default::default (write=Any) by tightening write to Owner — calling memory_namespace_set_standard implies the operator wants enforcement, not advisory-only. Operators who want write=Any must set it explicitly in the standard memory’s metadata. Tested in db::tests::namespace_set_standard_default_write_is_owner.

pub fn effective_max_reflection_depth(&self) -> u32

v0.7.0 recursive-learning Task 2/8 (issue #655): resolve the per-namespace reflection-depth cap. Returns the operator’s override when present, otherwise the compiled-in default of 3.

Why 3? Bounds recursion (reflection-on-reflection-on-…) without strangling the legitimate “reflection-on-reflection” chains the v0.8.0 Pillar 2.5 curator mode will lean on. Operators who want a different global default should change the constant in this accessor; per-namespace overrides should stay in the JSON metadata blob.

Some(0) disables reflection entirely. Task 5/8 enforces the rule proposed_reflection_depth >= cap → refuse, so a cap of 0 refuses every reflection (no depth >= 0 passes the comparison). This is the documented kill-switch for a namespace that should never accept reflection writes.

Ancestor inheritance is not walked here — that’s the job of db::resolve_governance_policy (and the equivalent store trait method), which returns the most-specific policy via the leaf-first namespace chain walk. Callers at the memory_reflect MCP write path resolve the policy first, then call this accessor on the result.

pub fn effective_auto_export_reflections_to_filesystem(&self) -> bool

v0.7.0 QW-1 — resolve the file-backed-export policy. Returns false (substrate stays SQL-canonical) when the namespace has no explicit override. Some(true) opts the namespace into the deferred filesystem write in the substrate post_reflect hook.

Inheritance is not walked here — the caller resolves the most-specific policy via resolve_governance_policy and then queries this accessor on the result, mirroring how effective_max_reflection_depth is consumed.

pub fn effective_auto_atomise(&self) -> bool

v0.7.0 WT-1-D — resolve the auto-atomisation enable flag. Returns false (substrate stays quiet) when the namespace has no explicit override. Some(true) opts the namespace into the pre_store substrate hook’s deferred curator-pass enqueue.

Inheritance is not walked here — the caller resolves the most-specific policy via resolve_governance_policy and then queries this accessor on the result, mirroring how effective_max_reflection_depth is consumed.

pub fn effective_auto_atomise_threshold_cl100k(&self) -> u32

v0.7.0 WT-1-D — resolve the cl100k token threshold above which the auto-atomisation hook fires. Compiled default is 500; matches the WT-1-D brief (memories ≤ 500 tokens are short enough to live as a single observation).

pub fn effective_auto_atomise_max_atom_tokens(&self) -> u32

v0.7.0 WT-1-D — resolve the per-atom token budget for the auto-atomisation curator pass. Compiled default is 200; matches AtomiserConfig::default_max_atom_tokens so the hook-driven path produces atoms indistinguishable from CLI/MCP-driven atomisation.

pub fn effective_auto_atomise_max_retries(&self) -> Option<u32>

v0.7.0 Cluster-F PERF-5 — resolve the Synchronous-mode curator retry budget. Returns None when the namespace has no explicit override; the caller threads this through Atomiser::atomise_sync_with_retries and falls back to AtomiserConfig::sync_curator_max_retries (compiled default 1) when None. Documented in docs/atomisation.md alongside the Synchronous-mode latency envelope.

pub fn effective_auto_persona_trigger_every_n_memories(&self) -> Option<u32>

v0.7.0 QW-2 — resolve the auto-persona regeneration cadence. Returns None (cadence disabled) when the namespace has no explicit override; Some(N) opts the namespace into deferred persona regeneration every N writes against an entity. The post_store hook reads this accessor on the resolved policy after walking the leaf-first ancestor chain.

pub fn effective_auto_export_personas_to_filesystem(&self) -> bool

v0.7.0 QW-2 — resolve the file-backed-export policy for Persona-kind memories. Returns false (substrate stays SQL-canonical) when the namespace has no explicit override. Symmetric with Self::effective_auto_export_reflections_to_filesystem.

pub fn effective_auto_atomise_mode(&self) -> AutoAtomiseMode

v0.7.x Form 2 — resolve the atomisation execution mode.

Resolution rules (matches the table on AutoAtomiseMode):

1. auto_atomise_mode = Some(mode) wins — operator explicit.
2. Otherwise auto_atomise = Some(true) → AutoAtomiseMode::Deferred (preserves pre-Form-2 deployments verbatim).
3. Otherwise AutoAtomiseMode::Off.

Both Off returns and an Off explicit override short-circuit the pre_store hook chain entirely.

pub fn effective_legacy_per_pair_classifier(&self) -> bool

v0.7.x Form 1 — resolve the legacy per-pair classifier opt-in. Returns false (default) when absent or Some(false), routing the substrate through the new single-batch action-emitting synthesiser. Some(true) keeps the legacy per-pair binary contradiction call (metadata-only outcome) for operators who depend on the v0.6.x behaviour.

pub fn effective_synthesis_failure_mode(&self) -> SynthesisFailureMode

v0.7.0 Cluster-B (issue #767) — resolve the synthesis-failure policy. Default is SynthesisFailureMode::FallThrough to preserve backward compatibility with the v0.7.0 ship behaviour; operators opt in to SynthesisFailureMode::BlockWrite per namespace when a curator outage must be surfaced loudly.

pub fn effective_synthesis_max_deletes_per_call(&self) -> u32

v0.7.0 Cluster-B (issue #767, SEC-1) — resolve the per-call delete-cap. Compiled default is 1: a single LLM round-trip must not mass-delete a namespace without an explicit K10 approval flow.

pub fn effective_synthesis_max_candidate_chars(&self) -> usize

v0.7.0 Cluster-B (issue #767, PERF-7) — resolve the per-candidate character cap inlined into the synthesis prompt. Compiled default is 1500 characters (~400 cl100k tokens). Truncation only affects the LLM prompt, not the stored row.

pub fn effective_multistep_max_content_chars(&self) -> usize

v0.7.0 polish (issue #782, PERF-11) — resolve the per-stage character cap inlined into a Form 3 multistep-ingest LLM-stage prompt. Compiled default is 1500 characters (~400 cl100k tokens), matching the synthesis cap (PERF-7) so operators have a single reasonable prompt-budget shape to reason about. Truncation only affects the LLM prompt content slot; the helper payloads (which carry their own preview truncation inside the helper) and the caller-visible final output are untouched.

pub fn effective_auto_classify_kind(&self) -> MemoryKindAutoClassify

#880 — auto-classify-kind accessor, missing in the pre-#880 hand-written impl (callers were reading policy.kind_class.auto_classify_kind directly). Now exposed via a typed accessor so the call sites can migrate to the sub-struct path without referencing every field directly.

Trait Implementations

impl Clone for GovernancePolicy

fn clone(&self) -> GovernancePolicy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for GovernancePolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for GovernancePolicy

fn default() -> GovernancePolicy

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for GovernancePolicy

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Eq for GovernancePolicy

impl PartialEq for GovernancePolicy

fn eq(&self, other: &GovernancePolicy) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for GovernancePolicy

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for GovernancePolicy