Clear responsibility boundaries for each Spanda platform service.
Parent: platform-architecture.md
Platform services are reusable operational capabilities consumed by CLI, Control Center, SDKs, and solution blueprints. Each service owns one concern. Overlapping responsibilities create inconsistent reports, duplicated DTOs, and fragile integrations.
flowchart LR
BP[Solution Blueprint] --> CLI[CLI / API]
CLI --> RDY[Readiness]
CLI --> ASR[Assurance]
CLI --> TRU[Trust]
CLI --> TEL[Telemetry]
RDY --> ENT[Entity Model]
ASR --> RDY
EXP[Explain] --> ASR
EXP --> TRU
TEL --> EVT[Event Model]
| Crate | spanda-readiness |
| Question answered | Is this entity/system operationally ready? |
| Outputs | Weighted go/no-go score, gate failures, mission verification |
| Entity integration | evaluate_entity_readiness, verify_entity |
| Docs | readiness.md, entity-readiness.md |
Must not: generate compliance PDFs (assurance) or long-form failure narratives (explain).
| Crates | spanda-assurance, spanda-contract, spanda-score, spanda-compliance, spanda-chaos, spanda-estimate |
| Question answered | What evidence supports safe deployment? |
| Outputs | Assurance cases, contract proofs, scorecards, chaos results |
| Depends on | Readiness (gate input), capability, hardware |
| Docs | mission-assurance.md, assurance-cases.md |
Must not: duplicate readiness scoring or operate fleet mesh directly.
| Crates | spanda-explain, spanda-runtime-faults, spanda-decision, spanda-graph, spanda-diff |
| Question answered | Why did it fail? What changed? What depends on what? |
| Outputs | Explainability reports, fault events, decision trails, impact graphs |
| Docs | explainability.md, runtime-fault-detection.md, root-cause-analysis.md |
Must not: execute recovery actions (recovery) or set trust scores (trust).
| Crates | Runtime reliability hooks + readiness policies (no dedicated crate) |
| Question answered | How does the system recover from failure? |
| Outputs | Recovery plans, retry/fallback execution, degraded modes |
| Docs | reliability.md, recovery-policies.md, self-healing.md |
Recovery plans; runtime executes. Readiness evaluates post-recovery state.
| Crate | spanda-trust |
| Question answered | How much confidence in program/system authenticity? |
| Outputs | Composite trust score, entity trust reports |
| Entity integration | evaluate_entity_trust |
| Docs | trust-framework.md, entity-trust.md |
Must not: perform tamper sensor fusion (tamper) or readiness gating (readiness).
| Crates | spanda-readiness (entity health), spanda-hal, runtime watchdogs |
| Question answered | What is the current operational state? |
| Outputs | Health status, heartbeat events, HAL health |
| Entity integration | evaluate_entity_health |
| Docs | health-checks.md, entity-health.md, runtime-health.md |
Must not: replace readiness go/no-go for deployment decisions.
| Crates | spanda-security, spanda-tamper, spanda-spoofing, spanda-threat |
| Question answered | Are identities, secrets, and communications protected? |
| Outputs | Capability tokens, tamper alerts, threat models, spoof detection |
| Docs | security-architecture.md, tamper-detection.md |
Must not: own package resolution or entity registry mutations.
| Crate | spanda-telemetry-store |
| Question answered | What happened, with what metrics and traces? |
| Outputs | Append-only event log, mission traces, OTLP export |
| Docs | telemetry-store.md, replay.md |
Must not: evaluate readiness or render Control Center UI.
| Crate | spanda-interpreter (sim backend) |
| Question answered | How does the mission behave in simulation? |
| Outputs | Simulated sensor/actuator data, trace frames |
| Docs | getting-started.md (sim section) |
Simulation is a runtime mode, not a separate service crate. Assurance and readiness hooks run during sim when configured.
| Crates | spanda-telemetry-store + interpreter playback |
| Question answered | Can we deterministically reproduce a mission? |
| Outputs | Frame-by-frame playback, diff against live |
| Docs | replay.md, mission-time-travel.md |
| Crate | spanda-policy |
| Question answered | Do operational policies permit this action? |
| Outputs | Policy verdicts, violation events |
| Docs | policy-engine.md |
Must not: replace safety type system (compiler/runtime) or readiness weights.
| If two services both… | Owner |
|---|---|
| Score deployment go/no-go | Readiness |
| Produce audit evidence | Assurance |
| Explain a failure | Diagnosis (explain) |
| Detect tampering | Security (tamper) |
| Rate program authenticity | Trust |
| Record what happened | Telemetry |
| Block an action by rule | Policy |
When in doubt, add capability to the lower layer service and expose via entity/API — do not fork logic into blueprints.
spanda-api aggregates platform services into REST/gRPC endpoints. It does not reimplement service
logic — it routes to readiness, config, fleet, telemetry, etc.