# The Open/Closed Boundary (OBEP vs OpenErrand)

**Governing rule:** anything whose secrecy would *create* a vulnerability MUST be
open (OBEP); anything whose secrecy only protects the *business* MAY be closed
(OpenErrand). All security is in the first bucket; all commercial value is in the
second.

## Open — OBEP (`/obep`, Apache-2.0)

Must be open or the security is unverifiable:

- Playbook schema, JCS canonicalization, hashing, **Ed25519 signing/verification**.
- The **permission-enforcement engine** (default-deny, blocklist, capture policy, TOFU).
- The **extension** in full (outbound-only, `connect-src` lock, Web Crypto vault).
- The **wire protocol** — messages, pairing/binding handshake, token formats.
- The **audit-record shape** (`AuditRecord` in `@obep/protocol`).
- The **relay protocol contract** — encoded as the runnable conformance suite — plus a
  reference relay good enough to self-host.

## Closed-eligible — OpenErrand (`/openerrand`, proprietary)

Secrecy protects the business, never a guarantee:

- Relay scaling, infra, DB schema, deployment specifics.
- Dashboard, billing, multi-tenant ops tooling, anomaly-detection heuristics.
- SLA/uptime engineering, monitoring, onboarding, support.

## The one-way dependency rule (enforced in CI)

Nothing under `/obep` may import from `/openerrand`. Dependencies point one way:
**OpenErrand → OBEP, never the reverse.** This is enforced by
[`.dependency-cruiser.cjs`](../.dependency-cruiser.cjs) and **fails the build** on
violation ([CI](../.github/workflows/ci.yml)). It guarantees OBEP works standalone —
the entire basis of "trust the protocol, not the vendor."

The [`openerrand/dashboard`](../openerrand/dashboard/) is the worked example: proprietary
code that imports the *open* `AuditRecord` shape and builds a commercial surface on top,
weakening no guarantee.

## Verifying the split is honest

Run the open conformance suite against any relay — OpenErrand or self-hosted — to prove
it behaves per spec without trusting it:

```bash
node --import tsx obep/conformance/src/cli.ts --reference
```

OpenErrand is "just" a relay that passes this suite, and customers can prove it does.

## Extraction

`/obep` is structured to split into its own public Apache-2.0 repo with near-zero
untangling once the protocol is stable and the conformance suite passes. The one-way
rule keeps that extraction mechanical.