Docs/The Open/Closed Boundary (OBEP vs OpenErrand) raw .md

The Open/Closed Boundary (OBEP vs OpenErrand)

Governing rule: anything whose secrecy would create a vulnerability MUST be open (OBEP); anything whose secrecy only protects the business MAY be closed (OpenErrand). All security is in the first bucket; all commercial value is in the second.

#Open — OBEP (/obep, Apache-2.0)

Must be open or the security is unverifiable:

  • Playbook schema, JCS canonicalization, hashing, Ed25519 signing/verification.
  • The permission-enforcement engine (default-deny, blocklist, capture policy, TOFU).
  • The extension in full (outbound-only, connect-src lock, Web Crypto vault).
  • The wire protocol — messages, pairing/binding handshake, token formats.
  • The audit-record shape (AuditRecord in @obep/protocol).
  • The relay protocol contract — encoded as the runnable conformance suite — plus a reference relay good enough to self-host.

#Closed-eligible — OpenErrand (/openerrand, proprietary)

Secrecy protects the business, never a guarantee:

  • Relay scaling, infra, DB schema, deployment specifics.
  • Dashboard, billing, multi-tenant ops tooling, anomaly-detection heuristics.
  • SLA/uptime engineering, monitoring, onboarding, support.

#The one-way dependency rule (enforced in CI)

Nothing under /obep may import from /openerrand. Dependencies point one way: OpenErrand → OBEP, never the reverse. This is enforced by .dependency-cruiser.cjs and fails the build on violation (CI). It guarantees OBEP works standalone — the entire basis of "trust the protocol, not the vendor."

The openerrand/dashboard is the worked example: proprietary code that imports the open AuditRecord shape and builds a commercial surface on top, weakening no guarantee.

#Verifying the split is honest

Run the open conformance suite against any relay — OpenErrand or self-hosted — to prove it behaves per spec without trusting it:

node --import tsx obep/conformance/src/cli.ts --reference

OpenErrand is "just" a relay that passes this suite, and customers can prove it does.

#Extraction

/obep is structured to split into its own public Apache-2.0 repo with near-zero untangling once the protocol is stable and the conformance suite passes. The one-way rule keeps that extraction mechanical.