Account / Memory

Memory Shell

private noindex,nofollow

Memory appears here as a fail-closed workflow contract for saved workspace context, saved study threads, saved words, saved passages, project notebooks, reader preferences, external AI handoff packets, saved-object state maps, reader role, project type, citation preference, import/export blockers, deletion queue states, and future personalization boundaries, not as stored user history, generated output, source evidence, private-note evidence, or account personalization.

Auth not implemented

Persistence not implemented

Browser storage not used

Network sync not called

Model calls not called

Cookies not set

Personal data not stored

Privacy Boundary

Planned-Only Memory Surface

display only

Future surface: Future study threads may group explicit public route pointers, receipt pointers, and reader-authored note pointers.
No-storage boundary: Today there is no thread row, account owner, note body, reading history, model summary, browser storage, or sync record.
Blocked until: Blocked until account model, category consent, export/delete, deletion proof, and privacy review exist.
Must never store: Never stores source text, generated scholarly answers, passive study history, model summaries, inferred identity, or evidence state.

Future surface: Future saved words may point to public lemma routes only, with language code, reader label, and delete state.
No-storage boundary: Today there is no personal vocabulary list, saved-word ledger, write action, browser storage, cookie, or account storage.
Blocked until: Blocked until a pointer-only saved-object schema and per-item export/delete controls exist.
Must never store: Never stores lexical range, etymology, morphology, translation, source access, usage claims, ranking, or receipt readiness.

Future surface: Future saved passages may link public passage route pointers to reviewed receipt pointers for citation export.
No-storage boundary: Today there is no saved-passage library, citation export job, private passage history, note store, or browser storage.
Blocked until: Blocked until source-safe citation links, reviewed receipt readiness, export preview, and deletion proof exist.
Must never store: Never stores source text copies, translation/gloss text, private note bodies, receipt hash mutations, JSON-LD, or sitemap fields.

Future surface: Future preferences may hold explicit reader role, project type, citation style, audience mode, and strict defaults.
No-storage boundary: Today there is no settings table, profile, personalization engine, inferred role, adaptive prompt, cookie, or local storage.
Blocked until: Blocked until scoped consent, reset, revocation, export/delete, and strict-default fallback exist.
Must never store: Never infers religion, profession, education level, congregation, classroom, reader type, or tolerance from activity.

Future surface: Future memory may restore explicit workflow context after the complete memory contract is accepted.
No-storage boundary: Today memory has no auth, storage, account session, API route, MCP write tool, model recall, generated output channel, or AI memory.
Blocked until: Blocked until account model, consent, export/delete, source-safe citation links, no generated scholarly claim storage, and privacy review all pass.
Must never store: Never stores generated lexical, etymological, translation, morphology, interpretive, source, or teaching claims as account memory.

Required Gates Memory cannot turn on until every gate is accepted.

missing_required_gate

Account model

Define account identity, owner fields, session lifetime, saved-object schema, retention scope, and failure states.

No auth handler, storage layer, account row, cookie, or browser storage may appear before this model is accepted.

missing_required_gate

Consent

Require explicit opt-in by category for saved threads, saved words, saved passages, preferences, imports, exports, and memory context.

No hidden identity, inferred profile, passive personalization, or background capture may count as consent.

missing_required_gate

Export / delete

Provide inspectable ledger rows, export preview, per-item deletion, global reset, consent withdrawal, and deletion proof.

If any future private object lacks export and deletion behavior, storage remains disabled.

missing_required_gate

Source-safe citation links

Permit only pointer-safe links from private saved rows to reviewed public routes and receipt IDs.

Private context cannot unlock source text, alter receipt readiness, mutate citation records, or enter JSON-LD and sitemap output.

missing_required_gate

No generated scholarly claim storage

Keep generated teaching artifacts, model summaries, lexical claims, etymology claims, morphology claims, translations, and interpretations outside memory storage.

Any path that stores generated scholarly claims as user memory keeps memory activation closed.

missing_required_gate

Privacy review

Review privacy, retention, consent withdrawal, import/export behavior, API/MCP exposure, and source/evidence separation before runtime work.

Without privacy review, memory remains a display-only shell with no auth, storage, personalization, API, or AI memory.

Saved Workspace Context

pointer only

Saved Workspace Context

Future Saved Workspace Shell

These rows preview the account-memory shape without creating saved state. Every record is pointer-only, unavailable, and outside auth, storage, API, MCP, model memory, and persistence.

Study thread pointer

Future study thread workspace

Unavailable

Unavailable - no persistence

Preview row for a future reader-created study thread that could group public route pointers and receipt pointers only.

Future pointer fields only

study thread pointer
public route pointers
reviewed receipt pointers
reader-authored note pointer IDs
export state label
delete state label

Unavailable Because: A study thread cannot exist until account identity, consent, retention, export preview, deletion proof, and source/evidence firewall tests are accepted.
No Runtime: No save control, account owner, auth session, database write, API route, browser storage, cookie, sync job, or model memory exists.
No Persistence: This row is static copy only; it creates no local, remote, browser, account, analytics, model, MCP, or API persistence.
Restricted Claims Blocked: No source text, translation, morphology, etymology, lexical range, gloss, usage, frequency, equivalence, interpretation, generated teaching artifact, or public receipt export is stored or derived.
External AI Boundary: External AI may receive no study-thread context today; any later packet must show pointers only and treat them as non-evidence.
Deletion Boundary: Future deletion would remove only the private thread pointer and never public routes, sources, evidence rows, receipts, JSON-LD, or sitemap records.

Evidence firewall: A saved study thread cannot rank evidence, soften unavailable states, unlock source text, create claims, or change receipt readiness.

Saved word pointer

Future saved words shelf

Unavailable

Unavailable - route pointers only

Preview row for future saved word pointers that could reopen public lemma routes without becoming lexical records.

Future pointer fields only

saved word pointer
public lemma route pointer
language code
reader label
consent scope label
delete state label

Unavailable Because: Saved words stay closed until a pointer-only saved-object schema, owner field, export preview, per-word deletion, and claim-denial tests exist.
No Runtime: No personal vocabulary store, auth callback, database table, write endpoint, REST handler, MCP memory tool, local storage, cookie, sync job, or model recall exists.
No Persistence: The shell lists sample route pointers but does not write a vocabulary row, browser record, cookie, profile, or model-memory item.
Restricted Claims Blocked: No lexical range, etymology, morphology, root derivation, translation, gloss, usage, frequency, equivalence, source access, or ranking signal can come from saving a word.
External AI Boundary: External AI may not treat a saved-word pointer as proof of meaning; any later packet can use it only as a navigation pointer.
Deletion Boundary: Future deletion would remove only the private saved-word pointer and never public lemma pages, source state, or receipt state.

Evidence firewall: Saved-word context cannot prove word meaning, alter source readiness, change morphology or etymology gates, or enter JSON-LD and sitemap output.

Saved passage pointer

Future saved passages tray

Unavailable

Unavailable - citation locked

Preview row for future saved passage pointers that could link public passage routes to reviewed receipt pointers where allowed.

Future pointer fields only

saved passage pointer
public passage route pointer
stable passage ID
reviewed receipt pointer
citation-state label
delete state label

Unavailable Because: Saved passages remain pointer-only until reviewed receipt readiness, export policy, consent scope, retention, and deletion proof exist.
No Runtime: No saved-passage library, citation export job, source display unlock, account row, API route, browser storage, cookie, sync job, MCP source lookup, or model call exists.
No Persistence: Opening or previewing this row stores no reading history, note body, route visit, citation bundle, or account state.
Restricted Claims Blocked: No source text copy, translation text, gloss text, morphology field, etymology claim, usage claim, passage screenshot, receipt hash mutation, or public receipt export can enter this shell.
External AI Boundary: External AI may not cite a saved-passage pointer unless public receipt gates independently allow citation; no private context can supply that proof.
Deletion Boundary: Future deletion would remove only the private saved-passage pointer and leave source, edition, evidence, receipt, JSON-LD, and sitemap records untouched.

Evidence firewall: Saved-passage context cannot promote source-pending text, mutate receipt hashes, expose source text, or convert blocked evidence into citation evidence.

Preference pointer

Future reader preferences card

Unavailable

Unavailable - strict defaults

Preview row for explicit future preference labels such as reader role, project type, citation preference, audience mode, and strict-warning posture.

Future pointer fields only

reader role label
project type label
citation preference label
audience mode label
strict-warning label
reset state label

Unavailable Because: Preferences remain visible defaults until explicit settings, consent, reset, revocation, export, deletion, and privacy review exist.
No Runtime: No settings table, personalization engine, inferred profile, browser storage, cookie, account session, analytics-derived memory, API preferences route, or model prompt bridge exists.
No Persistence: The shell does not remember preferences, infer identity, classify the reader, change output, or store personal data.
Restricted Claims Blocked: Preferences cannot imply source text, translation, morphology, etymology, lexical range, gloss, equivalence, usage, frequency, citation readiness, or generated teaching readiness.
External AI Boundary: External AI may not receive preference context today; later packets must show explicit labels only and cannot relax source gates.
Deletion Boundary: Future reset or deletion must restore strict defaults and leave public evidence, receipts, source records, and generated-artifact review gates unchanged.

Evidence firewall: Reader preferences cannot change claim wording, source order, receipt readiness, overclaim warnings, morphology gates, etymology gates, or review states.

External AI packet

Future external AI handoff packet

Unavailable

Unavailable - no packet builder

Preview row for a future reader-reviewed handoff packet made only of selected public route pointers, saved-object pointers, explicit preference labels, consent labels, and policy warnings.

Future pointer fields only

handoff packet pointer
public route pointers
saved word pointer IDs
saved passage pointer IDs
explicit preference labels
revocation state label

Unavailable Because: External AI handoff stays closed until a previewable pointer-only envelope, consent scope, revocation, deletion proof, and evidence-firewall validator exist.
No Runtime: No packet builder, download response, share URL, authenticated endpoint, REST API, MCP runtime, connector secret, token grant, source lookup, network sync, model call, or write handler exists.
No Persistence: No packet is created, stored, shared, synced, logged, exported, remembered by a model, or exposed through API/MCP in this shell.
Restricted Claims Blocked: No source text, translation, morphology, etymology, lexical range, gloss, usage, frequency, equivalence, generated answer, generated teaching artifact, citation proof, or public receipt export can enter the packet.
External AI Boundary: A future external AI must treat every pointer as revocable planning context, not evidence, citation support, source access, or live memory.
Deletion Boundary: Future revocation must disable the packet and remove private pointer visibility without deleting public sources, routes, receipts, evidence rows, JSON-LD, or sitemap output.

Evidence firewall: External AI packets cannot unlock source text, generate citations, promote receipts, run source lookup, create teaching claims, or operate as MCP runtime tools.

Account Access Planning

pointer only

planned_only_static_boundary

Saved study threads

blocked_until_memory_contract

Future account ledger row for reader-created study groupings.

Pointer-only plan: May contain an account-owned thread ID, reader-authored title pointer, public route pointers, receipt pointers, note pointers, export state, and delete state.
Blocked collection: No passive reading history, model summary, source text, translation text, search log, inferred identity, browser storage, or account row exists.
Activation gate: Requires explicit save action, owner scope, retention policy, export preview, per-thread deletion, and consent withdrawal.
Evidence firewall: A thread can navigate to public routes but cannot rank evidence, unlock source-pending routes, alter receipt readiness, or enter JSON-LD and sitemap output.

planned_only_static_boundary

Saved words

blocked_until_memory_contract

Future private vocabulary pointer list.

Pointer-only plan: May contain public lemma route pointer, language code, optional reader label, created timestamp, export state, and delete state.
Blocked collection: No lexical range, etymology, morphology, translation/gloss, source access, usage claim, route ranking, cookie, or personal vocabulary store exists.
Activation gate: Requires pointer-only schema, account owner, visible ledger, export preview, per-word deletion, and blocked-receipt handling.
Evidence firewall: A saved word cannot prove word meaning, change source readiness, create a lexical claim, or promote a public word page.

planned_only_static_boundary

Saved passages

blocked_until_memory_contract

Future private passage pointer and citation-prep list.

Pointer-only plan: May contain public passage route pointer, stable passage ID, reviewed receipt pointer, citation export state, and delete state.
Blocked collection: No source text copy, translation/gloss text, private note body, passage screenshot, receipt hash mutation, account storage, or browser storage exists.
Activation gate: Requires reviewed public receipt readiness, source-safe export preview, retention scope, per-passage deletion, and failure state.
Evidence firewall: Saved-passage context cannot convert a blocked receipt into citation evidence, mutate receipt hashes, or expose source text.

planned_only_static_boundary

API access state

blocked_until_memory_contract

Future account API status surface for private pointer ledgers.

Pointer-only plan: May expose disabled/enabled/revoked state, selected pointer classes, last-reviewed policy version, export scope, and deletion state after policy review.
Blocked collection: No API route, request parser, auth callback, token field, bearer credential, secret, account table, write handler, or rate-limit identity exists.
Activation gate: Requires auth design, token policy, audit log, revocation, export/delete compatibility, abuse handling, and source-gate proof.
Evidence firewall: API state cannot open source text, accept private note bodies as evidence, change route indexability, or modify API/MCP runtime behavior in this shell.

planned_only_static_boundary

MCP access state

blocked_until_memory_contract

Future MCP access vocabulary for account-owned portable context packets.

Pointer-only plan: May describe disabled/default, consent scope, allowed pointer bundle type, revocation state, and export/delete compatibility after review.
Blocked collection: No MCP server, executable memory tool, write route, tool token, connector secret, source lookup, model call, or runtime grant exists.
Activation gate: Requires MCP policy, tool allowlist, revocation, least-privilege packet schema, deletion proof, and public-evidence firewall test.
Evidence firewall: MCP access can only remain pointer-navigation context; it cannot fetch hidden sources, generate citations, store notes, or promote evidence.

planned_only_static_boundary

Personal notes boundary

blocked_until_memory_contract

Future private note ledger attached to explicit public route pointers.

Pointer-only plan: May contain note owner, note pointer, attached public route pointer, retention state, export state, and delete state after consent.
Blocked collection: No note editor, textarea, form, file import, pasted content capture, parser, database row, model context injection, or browser storage exists.
Activation gate: Requires note policy, abuse handling, import rules, export format, per-note deletion, global reset, and leak guard.
Evidence firewall: Personal note text cannot become source text, translation, morphology, etymology, commentary, citation proof, model prompt context, JSON-LD, or sitemap data.

planned_only_static_boundary

Deletion and export requests

blocked_until_memory_contract

Future account portability and removal request center.

Pointer-only plan: May contain request type, private object classes in scope, preview state, completion state, failure state, and deletion receipt pointer.
Blocked collection: No export builder, download route, email job, archive job, deletion queue, worker, support ticket, account row, or stored request exists.
Activation gate: Requires visible inventory, scoped preview, confirmation, completion proof, retry/failure states, and delete-before-export rule.
Evidence firewall: Export and deletion requests can affect only private account rows; they cannot delete public source, receipt, fixture, indexability, or route records.

planned_only_static_boundary

Private/public evidence firewall

blocked_until_memory_contract

Future review layer separating account context from public source evidence.

Pointer-only plan: May record firewall policy version, blocked private classes, allowed pointer classes, reviewed receipt dependency, and unresolved blocker state.
Blocked collection: No private content, generated claim, source excerpt, translation, morphology field, etymology claim, credential, token, or secret is collected.
Activation gate: Requires tests proving private memory cannot enter source gates, receipt promotion, JSON-LD, sitemap, generated artifacts, API, or MCP packets.
Evidence firewall: If any private context can become evidence, citation proof, source readiness, route promotion, model recall, or public text, account access remains disabled.

Consent Sequence

preview only

Workflow Context Placeholders

not evidence

Reading lane workflow only

last public route pointer

Could restore the last opened public route after a consented account system exists.

Not evidence Not a source, translation, morphology analysis, lexical claim, etymology claim, or interpretation.

Activation gate Requires explicit opt-in plus visible reset and deletion controls.

Question stack workflow only

reader-authored questions

Could keep a queue of reader-authored questions for later study planning.

Not evidence Questions do not become source-backed answers and cannot query evidence from this shell.

Activation gate Requires a saved-question model that cannot run research or generation from this page.

Classroom prep lane workflow only

selected public routes and audience mode

Could group selected routes for a future lesson workflow.

Not evidence Grouping routes does not generate teaching prose, translate text, or create interpretive claims.

Activation gate Requires artifact review rules, citation export rules, and audience-setting consent.

Project notebook lane workflow only

project type, reader role, saved route pointers, citation preference, export and deletion intention

Could group a reader-selected project notebook after account, storage, export, and deletion contracts exist.

Not evidence Project context does not become evidence, source state, receipt content, generated teaching prose, or indexability proof.

Activation gate Requires explicit notebook save action plus per-notebook export, reset, and deletion controls.

Receipt review lane workflow only

public receipt pointers

Could remember which public receipt pointers a reader wants to inspect.

Not evidence Receipt pointers remain separate from source text, source audit state, and claim readiness.

Activation gate Requires account-owned saved pointers without changing receipt content or indexability.

Project Notebook Planning

workflow only

lesson

Sunday lesson notebook

inactive_local_placeholder

Reader role: Pastor or teacher placeholder, selected voluntarily only.
Citation preference: Receipt-first citation preference with source-state warnings locked on.
Saved words: Future saved word pointers could group nephesh, ruach, and psyche without creating lexical facts.
Saved passages: Future passage pointers could group Genesis 2:7, John 1:1, and receipt IDs after review.
Study thread: One teaching-prep thread placeholder; no generated lesson prose or audience profile exists.
Export intention: Future handout citation pack blocked until reviewed receipt readiness and export policy exist.
Deletion intention: Future notebook delete must remove the private notebook row without changing public receipts.

Evidence boundary Notebook choices cannot supply translation, etymology, morphology, lexical range, source access, or lesson claims.

Runtime boundary No notebook table, save action, note editor, download control, API route, auth session, cookie, or local storage exists.

sermon

Sermon preparation notebook

inactive_local_placeholder

Reader role: Pastor placeholder, never inferred from reading behavior.
Citation preference: SBL-style biblical citation preference placeholder, subordinate to receipt gates.
Saved words: Future saved word pointers could collect pneuma, spiritus, and ruach as route IDs only.
Saved passages: Future passage pointers could require public receipt IDs before citation export.
Study thread: One sermon-prep thread placeholder; no draft, outline, or generated artifact exists.
Export intention: Future sermon notes export blocked until private ledger, receipt map, and review state exist.
Deletion intention: Future per-notebook deletion must leave public source, evidence, and review records untouched.

Evidence boundary Project type cannot create interpretation, soften unavailable states, or personalize source-backed claims.

Runtime boundary No form, parser, upload route, export builder, background job, browser storage, cookie, or model call exists.

paper

Seminar paper notebook

inactive_local_placeholder

Reader role: Scholar or student placeholder, editable only after explicit settings exist.
Citation preference: Chicago notes preference placeholder, blocked until citation export policy exists.
Saved words: Future saved word pointers could collect psyche, thumos, anima, and animus as route IDs only.
Saved passages: Future passage pointers could link Homer source-audit rows without copying source text.
Study thread: One argument-map placeholder; no note body, thesis claim, or generated prose exists.
Export intention: Future bibliography export blocked until receipt readiness, format scope, and privacy review exist.
Deletion intention: Future deletion proof must cover note pointers, saved routes, preferences, and export jobs.

Evidence boundary Paper context cannot become source evidence, citation proof, morphology proof, or etymology authority.

Runtime boundary No account storage, database write, file writer, download response, session state, sync, or model recall exists.

study_thread

Independent study thread

inactive_local_placeholder

Reader role: Independent reader placeholder, never converted into an inferred identity.
Citation preference: Plain receipt summary preference placeholder with strict overclaim warnings.
Saved words: Future saved word pointers could collect soul, mind, heart, and thumos for navigation only.
Saved passages: Future passage pointers could remain private route pointers outside public JSON-LD and sitemaps.
Study thread: One private study-thread placeholder; no passive history or search behavior is collected.
Export intention: Future private ledger export blocked until scope preview and deletion-before-export rules exist.
Deletion intention: Future global reset must clear private pointers and preferences without deleting evidence rows.

Evidence boundary Reader-selected interests cannot rank public evidence, prove term meaning, or upgrade source-pending rows.

Runtime boundary No browser storage, cookie, analytics, network sync, API route, model recall, or account session exists.

Saved Object Contract

blocked

saved_word

Saved words

blocked_until_memory_contract

Private pointer: Future private row may point to a reviewed public lemma route and language code only.
Allowed future fields: public route pointer, language code, reader label, created timestamp, delete state
Prohibited fields: No lexical range, etymology, morphology, translation/gloss, source text, receipt hash, ranking signal, or evidence state can be stored as a saved-word field.
Export boundary: Export may list the private route pointer only after an account ledger and export scope preview exist.
Deletion boundary: Deleting a saved word removes only the private pointer and never changes the public lemma route.
Evidence firewall: A saved word cannot prove term meaning, source coverage, corpus readiness, or citation readiness.

saved_passage

Saved passages

blocked_until_memory_contract

Private pointer: Future private row may point to a public passage route, stable ID, and reviewed receipt pointer.
Allowed future fields: public passage route pointer, stable passage ID, receipt pointer, citation export readiness, delete state
Prohibited fields: No public source text, translation/gloss text, private note body, source snapshot, receipt hash mutation, JSON-LD field, or sitemap field can be stored as a saved-passage field.
Export boundary: Citation export must read reviewed public receipt readiness, not private saved-passage context.
Deletion boundary: Deleting a saved passage removes only the private pointer and leaves source, receipt, and indexability records untouched.
Evidence firewall: A saved passage cannot promote source-pending text, resolve a license state, or create citation evidence.

project_notebook

Project notebooks

blocked_until_memory_contract

Private pointer: Future private row may group reader-selected route pointers, project type, citation preference, and deletion intent.
Allowed future fields: project type, reader role, saved route pointers, citation preference, export intention, deletion intention
Prohibited fields: No source text, morphology proof, etymology authority, generated lesson prose, public receipt content, account inference, or evidence promotion state can be stored as a notebook field.
Export boundary: Notebook export remains private until receipt readiness, generated-artifact review, and export policy pass.
Deletion boundary: Deleting a notebook removes private grouping only and cannot delete public evidence rows or reviewed artifacts.
Evidence firewall: Notebook organization cannot become interpretation, source state, teaching readiness, or public claim proof.

study_thread

Study threads

blocked_until_memory_contract

Private pointer: Future private row may collect explicit route pointers and reader-authored note pointers after consent.
Allowed future fields: thread title, public route pointers, receipt pointers, note pointer, export state, delete state
Prohibited fields: No passive reading history, search behavior, source text copy, model summary, inferred identity, or ranking signal can be stored as a study-thread field.
Export boundary: Thread export requires an inspectable ledger and must separate private notes from public receipt pointers.
Deletion boundary: Thread deletion clears private state only and cannot suppress public citations or source audit records.
Evidence firewall: Study-thread continuity cannot rank evidence, personalize claims, or soften unavailable states.

Saved Object State Maps

not created

saved_word

Saved word state map

blocked_until_memory_contract

preview route pointer
explicit save request
private ledger row
visible account row
exportable pointer after preview
deleted private pointer

Current state: not_created
Allowed transition: Only a reader-initiated save may move a public lemma route pointer into a private saved-word row after account consent exists.
Blocked transition: A public lemma route, source-pending word page, search visit, or model answer cannot create a saved-word row automatically.
Visible ledger: Future ledger row must show owner, language, public route pointer, created time, export state, and delete state.
Source firewall: Saved-word state cannot store or alter lexical range, etymology, morphology, translation, source readiness, receipt readiness, ranking, JSON-LD, or sitemap state.

saved_passage

Saved passage state map

blocked_until_memory_contract

preview passage pointer
receipt readiness check
explicit save request
private ledger row
citation export preview
deleted private pointer

Current state: not_created
Allowed transition: Only a reader-confirmed passage pointer may enter a future ledger, and citation export must read reviewed public receipt readiness.
Blocked transition: Opening a passage, selecting source text, or preparing a citation cannot store private history or promote a receipt.
Visible ledger: Future ledger row must show stable passage ID, public route pointer, receipt pointer, citation export state, and delete state.
Source firewall: Saved-passage state cannot copy source text, translation text, note body, receipt hashes, source snapshots, JSON-LD fields, or sitemap fields.

project_notebook

Project notebook state map

blocked_until_memory_contract

preview notebook scope
explicit project creation
private ledger row
saved route grouping
export preview
deleted private notebook

Current state: not_created
Allowed transition: Only reader-selected project type, route pointers, citation preference, and note pointers may form a private notebook after consent.
Blocked transition: Audience mode, reader role, or project label cannot personalize claim-bearing prose or weaken source warnings.
Visible ledger: Future ledger row must show project type, saved route scope, note pointer count, export state, deletion state, and consent scope.
Source firewall: Notebook state cannot become source evidence, generated teaching proof, receipt content, morphology proof, etymology authority, or indexability proof.

study_thread

Study thread state map

blocked_until_memory_contract

reader-authored title preview
explicit save request
private thread row
route and receipt pointer grouping
export preview
deleted private thread

Current state: not_created
Allowed transition: Only explicit route pointers, receipt pointers, and reader-authored note pointers may become a private study thread.
Blocked transition: Passive reading history, search behavior, unfinished drafts, or model summaries cannot create or update a study thread.
Visible ledger: Future ledger row must show title, scope, pointer inventory, created time, export state, and delete state.
Source firewall: Study-thread continuity cannot rank evidence, personalize claims, soften unavailable states, or modify public citations.

private_note

Private note state map

blocked_until_memory_contract

note editor unavailable
explicit note creation
private note row
route pointer attachment
private export preview
deleted private note

Current state: not_created
Allowed transition: Only reader-authored note text may enter a future private note row after import, retention, export, and deletion rules exist.
Blocked transition: Private note text cannot flow into public commentary, source text, translation, morphology, etymology, citation, model context, JSON-LD, or sitemap output.
Visible ledger: Future ledger row must show note owner, attached public route pointer, retention state, export state, and delete state.
Source firewall: Private notes remain outside public fixtures, receipts, source gates, ranking, generated teaching review, and citation proof.

Memory Boundaries

Account shell

closed

No memory action

This fail-closed shell does not save, infer, personalize, sync, query, or generate anything.

Contract impact Future memory must start from an explicit user action, not observation.

closed

Context is not evidence

Memory can only be future workflow context; it cannot supply lexical, etymological, source, translation, morphology, or interpretive claims.

Contract impact Any future recall layer must be excluded from evidence, receipt, and indexability promotion.

closed

No personal data storage

These controls do not save names, notes, project histories, passage history, or preference values.

Contract impact Activation requires retention, export, reset, and deletion controls before any saved state.

inactive

No runtime connection

The shell has no auth handler, API route, database write, browser storage, account session, network sync, or model call.

Contract impact A runtime path must be designed and reviewed outside this static shell.

visible

Visible private posture

Account and memory routes render noindex,nofollow and remain outside the sitemap registry.

Contract impact Private account surfaces remain non-discoverable even after account features exist.

Privacy States

separated

public_evidence

Public evidence objects

visible

Visible surface: Sources, editions, passages, evidence rows, receipts, and reviewed public pages.
Allowed use: May support citation and indexability only when source gates pass.
Blocked use: Cannot be edited, promoted, deleted, or personalized by private memory.
Indexability: indexable_when_reviewed

private_placeholder

Private route pointers

closed

Visible surface: Saved thread, word, passage, and receipt-pointer placeholders.
Allowed use: May restore navigation after explicit consent and storage policy exist.
Blocked use: Cannot affect public ranking, receipt hashes, source states, or claim readiness.
Indexability: noindex_nofollow

sensitive_future

Sensitive preferences

closed

Visible surface: Reader type, citation style, audience mode, and overclaim posture placeholders.
Allowed use: May shape presentation only after explicit settings and reset controls exist.
Blocked use: Cannot infer identity, lower warnings, or relax citation and evidence gates.
Indexability: noindex_nofollow

deleted_private

Deleted private records

closed

Visible surface: Future deletion receipts and failure states only.
Allowed use: May prove private removal for account support after a deletion contract exists.
Blocked use: Cannot delete public source, receipt, fixture, JSON-LD, sitemap, or review records.
Indexability: noindex_nofollow

never_stored

Never-stored material

closed

Visible surface: Boundary list for source text, claims, prompts, passive telemetry, and credentials.
Allowed use: May appear as visible policy language only.
Blocked use: Cannot become account rows, memory rows, exports, analytics, cookies, or model context.
Indexability: not_applicable

Inactive Preference Controls

reader

Reader role

unset

Future account settings could store a voluntarily selected reader role for workflow framing only.

Activation gate Reader role must be explicit, editable, exportable, resettable, and erasable.

inactive_local_placeholder

project

Project type

unset

Future notebooks could declare lesson, sermon, paper, or study-thread intent without changing evidence facts.

Activation gate Project type must be user-selected and cannot alter source, receipt, citation, or review gates.

inactive_local_placeholder

citation

Citation preference

receipt-first

Future exports could choose citation format only after account storage and receipt policy are implemented.

Activation gate Citation mode cannot bypass source, receipt, or uncertainty gates.

inactive_local_placeholder

audience

Audience mode

unset

Future lesson tools could use a voluntary audience setting after storage, export, and delete controls exist.

Activation gate Audience mode must be selected by the user and must not be inferred from activity.

inactive_local_placeholder

safety

Overclaim tolerance

strict

The visible default keeps unsupported lexical, etymological, and source claims closed.

Activation gate Strict mode remains the default unless a reviewed policy creates another safe mode.

inactive_local_placeholder

Personalization Boundaries

strict default

strict_default

Reader role

blocked_until_memory_contract

Future use: May tailor navigation labels only when the reader explicitly selects a role.
Blocked inference: Cannot infer pastor, scholar, student, independent reader, religion, education level, classroom, or congregation from activity.
Reader control: Must be editable, resettable, exportable, revocable, and deletable from the account ledger.
Evidence firewall: Reader role cannot change source order, claim wording, citation readiness, overclaim warnings, or generated artifact review.

strict_default

Project type

blocked_until_memory_contract

Future use: May organize private workflow surfaces for lesson, sermon, paper, or study-thread work.
Blocked inference: Cannot classify a reader from saved routes, viewed passages, export attempts, or unfinished notes.
Reader control: Must be selected per project and removable without deleting public receipts or evidence objects.
Evidence firewall: Project type cannot create interpretation, personalize source-backed claims, or soften unavailable states.

strict_default

Citation style

blocked_until_memory_contract

Future use: May format already-reviewed public receipt pointers after citation export policy exists.
Blocked inference: Cannot infer institution, tradition, discipline, or authority preference from citation format.
Reader control: Must show receipt-first fallback, blocked receipt states, and reset controls before export.
Evidence firewall: Citation style cannot create evidence IDs, mutate receipt hashes, open blocked sources, or convert private context into citation proof.

strict_default

Audience mode

blocked_until_memory_contract

Future use: May shape labels for a reader-selected teaching workflow after generated-artifact review rules exist.
Blocked inference: Cannot infer classroom, congregation, therapy group, age group, or pedagogical need from behavior.
Reader control: Must be voluntary, scoped to a project, revocable, and excluded from passive memory.
Evidence firewall: Audience mode cannot personalize claim-bearing prose, bypass source warnings, or weaken lesson-review gates.

strict_default

Overclaim posture

blocked_until_memory_contract

Future use: May keep strict warnings visible as a future reader preference, with strict as the fallback.
Blocked inference: Cannot infer tolerance from repeated dismissals, reading level, saved topics, or export behavior.
Reader control: Must remain visible, reversible, and subordinate to source-pending and unavailable states.
Evidence firewall: Overclaim posture cannot relax lexical, etymological, morphology, translation, source, citation, or review gates.

No-Storage Pending States

no runtime

pending_no_storage_contract

Project notebooks

planning shell only

No notebook row, project table, note body, route ledger, export job, deletion job, browser storage, or account storage exists.

pending_no_storage_contract

Saved study threads

empty fixture rows only

No account table, write path, browser storage, cookie, note body, or history ledger exists.

pending_no_storage_contract

Saved words and passages

public route pointers only

The route-pointer set does not create a personal library.

pending_no_storage_contract

Preferences

visible defaults only

Citation mode, audience mode, reader type, and overclaim posture do not personalize output.

blocked_until_memory_contract

Memory

contract draft only

Memory has no runtime, profile, sync layer, recall step, or generated-output channel.

Activation Path

Memory Activation Path Matrix

These rows show what must exist before memory can become a real product feature. None of the rows activate storage.

Activation gateExplicit save or preference action with visible scope preview.

Public boundaryReader intent cannot rank evidence or alter source-pending route state.

Blocked runtimeNo passive history, inferred identity, cookie, browser storage, or analytics-derived memory.

Activation gateAccount schema, owner field, retention policy, export preview, and deletion path.

Public boundaryPrivate rows must point to public route IDs and receipt IDs without copying evidence fields.

Blocked runtimeNo account table, write endpoint, local storage, sync job, or background memory process.

Activation gateNotebook object contract plus saved-word, saved-passage, study-thread, and note-pointer rules.

Public boundaryNotebook organization cannot create translation, morphology, etymology, lexical, or teaching claims.

Blocked runtimeNo note body, generated artifact, citation export, download, import, or model recall.

Activation gateConsent, settings UI, strict-default fallback, revocation, and deletion proof.

Public boundaryPersonalization cannot soften unavailable states or change receipt/source/citation gates.

Blocked runtimeNo adaptive prompt injection, reader profiling, audience inference, or claim rewriting.

Activation gateAuth, rate limits, pointer-only envelopes, private/public separation, and MCP runtime review.

Public boundaryExternal tools must receive receipt pointers and blocker states, not private notes as evidence.

Blocked runtimeNo write API, executable MCP memory tool, model call, source lookup, or claim-bearing export.

Future Memory Contract

blocked

not active

Voluntary capture

blocked_until_memory_contract

A reader must explicitly choose what to save: route pointer, note, preference, or project label.

Privacy boundary: No passive collection, inference, hidden profile, or automatic reader classification.
Evidence boundary: Captured context never becomes source evidence.

not active

Inspectable ledger

blocked_until_memory_contract

Every saved item must appear in an editable account ledger with timestamp, scope, and deletion control.

Privacy boundary: A reader must be able to see and remove every stored item.
Evidence boundary: Ledger rows cannot modify receipt hashes, source audit state, or claim readiness.

not active

Preference application

blocked_until_memory_contract

Reader role, project type, citation preference, audience mode, and overclaim posture may shape workflow presentation only.

Privacy boundary: Preferences remain explicit settings, not inferred identities.
Evidence boundary: Preferences cannot relax citation, source, morphology, translation, or etymology gates.

not active

Portability and deletion

blocked_until_memory_contract

Saved threads, words, passages, notes, and preferences require export, reset, and deletion paths.

Privacy boundary: No memory feature ships without a removal path visible from the account surface.
Evidence boundary: Deleting memory changes only private workflow state, never public evidence records.

Import / Export Placeholders

no runtime

import

Import study notes

inactive_local_placeholder

File intake placeholder for a future private note ledger.

Current state: inactive surface only
Blocked runtime: No file picker, parser, upload route, queue, or note ingestion exists.
Activation gate: Requires account identity, accepted file types, malware policy, retention policy, and deletion control.
Privacy boundary: No imported text, filename, source path, or reader note is collected.

import

Import saved routes

inactive_local_placeholder

Route-list placeholder for future reader-owned navigation pointers.

Current state: inactive surface only
Blocked runtime: No paste handler, sync endpoint, account merge, or browser state exists.
Activation gate: Requires explicit route schema, duplicate handling, preview review, and cancel-before-save behavior.
Privacy boundary: No route list or reader history is accepted by this shell.

export

Export account ledger

inactive_local_placeholder

Future account data export row.

Current state: blocked until storage contract
Blocked runtime: No export builder, download response, email job, archive job, or account data source exists.
Activation gate: Requires inspectable stored fields, format choice, timestamp scope, and deletion-before-export rule.
Privacy boundary: Because nothing is stored, there is no personal ledger to export.

export

Export citations and receipts

inactive_local_placeholder

Future private citation bundle export row.

Current state: blocked until receipt policy
Blocked runtime: No citation export runtime, generated artifact export, or receipt promotion is connected.
Activation gate: Requires reviewed receipt readiness and must remain separate from private memory context.
Privacy boundary: Private saved context cannot become citation evidence or public receipt content.

Saved Study Categories

no ledger

private_placeholder

Project notebooks

inactive_placeholder

Future contents

Visible owner: Every future project notebook must show owner, project type, reader role, saved route scope, export state, and deletion state.
Activation gate: Requires project schema, explicit save action, storage contract, export contract, and notebook deletion path.
Never stores: Never stores notebook preferences as source, lexical, etymological, morphology, translation, interpretation, or citation evidence.

private_placeholder

Study threads

inactive_placeholder

Future contents

route pointers
receipt pointers
reader-authored note pointers

Visible owner: Every future row must show the account owner, created time, scope, export state, and deletion state.
Activation gate: Requires explicit save action, retention policy, export format, and per-thread deletion path.
Never stores: Never stores source text, generated answers, passive reading history, or inferred reader identity.

private_placeholder

Saved words

inactive_placeholder

Future contents

public lemma route pointer
language code
reader label

Visible owner: Every future saved word must resolve to a public route pointer without creating a lexical record.
Activation gate: Requires account-owned route ledger and reset controls.
Never stores: Never stores lexical range, etymology, morphology, translation, or usage claims as personal memory.

private_placeholder

Saved passages

inactive_placeholder

Future contents

public passage route pointer
receipt pointer
citation export readiness

Visible owner: Every future saved passage must keep private context separate from public citation and receipt records.
Activation gate: Requires receipt readiness checks before any citation export surface.
Never stores: Never stores private passage notes inside source, receipt, JSON-LD, sitemap, or indexability records.

sensitive_future

Preferences

inactive_placeholder

Future contents

reader mode
citation style
audience mode
overclaim posture

Visible owner: Every future preference must be explicit, editable, exportable, resettable, and revocable.
Activation gate: Requires separate consent for preferences and visible fallback to strict defaults.
Never stores: Never infers religion, education level, profession, classroom, congregation, or reader type from activity.

sensitive_future

Imports

inactive_placeholder

Future contents

declared file type
reader-approved import preview
reader-owned note pointer

Visible owner: Every future import must be previewed and cancellable before any private record exists.
Activation gate: Requires account identity, accepted file policy, retention policy, malware policy, and deletion control.
Never stores: Never stores filenames, source paths, imported text, or uploaded notes in this shell.

sensitive_future

Consent states

inactive_placeholder

Future contents

account consent
preference consent
memory consent
export consent

Visible owner: Every future consent state must be inspectable, timestamped, revocable, and scoped.
Activation gate: Requires consent withdrawal behavior plus delete-or-retain choices for existing private records.
Never stores: Never treats consent as permission to weaken evidence, source, citation, or review gates.

Memory Evidence Firewall

closed

Project notebooks

Blocked use Cannot prove reader intent, term meaning, source access, citation readiness, or teaching readiness.

Allowed future use May group reader-selected route pointers and preferences after explicit account consent exists.

Enforcement Notebook fields must stay outside source, evidence, receipt, JSON-LD, sitemap, ranking, and review promotion logic.

closed

Saved routes

Blocked use Cannot prove source access, corpus coverage, translation accuracy, lexical range, or reader intent.

Allowed future use May restore a reader-selected navigation pointer after explicit account consent exists.

Enforcement Stored route pointers must never enter source, evidence, receipt, or indexability promotion as proof.

closed

Reader notes

Blocked use Cannot become commentary, etymology, morphology, translation, or theological evidence.

Allowed future use May remain private annotation text with export and deletion controls after a storage contract exists.

Enforcement Notes must stay outside public fixtures, public receipts, JSON-LD, sitemap entries, and source gates.

closed

Audience preferences

Blocked use Cannot infer a reader identity, lower overclaim warnings, or bypass generated-teaching review.

Allowed future use May shape presentation labels for a user-selected teaching workflow after consent exists.

Enforcement Preferences cannot alter source, receipt, morphology, translation, etymology, or lesson-review gates.

closed

Study history

Blocked use Cannot be treated as relevance ranking, scholarly authority, or evidence of term meaning.

Allowed future use May help a reader reopen unfinished private work after storage, export, and deletion paths exist.

Enforcement History must not affect public ranking, citation readiness, or claim promotion.

closed

Citation exports

Blocked use Cannot convert private saved context into public citation evidence or receipt content.

Allowed future use May package already-reviewed public receipt pointers after an export contract exists.

Enforcement Citation export must depend on receipt readiness, not memory, preference, note, or history state.

Account Citation Boundaries

private only

blocked_until_memory_contract

Saved word pointer

Future reader-owned saved lemma route.

Allowed use: May reopen the public lemma route after explicit account storage exists.
Must not affect: Cannot alter lexical range, morphology, etymology, translation/gloss, source readiness, receipt readiness, ranking, JSON-LD, or sitemap state.
Fail-closed rule: Any saved-word API must fail closed if a saved pointer is treated as proof of word meaning.

blocked_until_memory_contract

Saved passage pointer

Future reader-owned saved passage route.

Allowed use: May reopen the passage route and attached public receipt pointer after explicit account storage exists.
Must not affect: Cannot open source text, translation text, passage screenshots, source display, receipt export, citation readiness, or public evidence promotion.
Fail-closed rule: Any saved-passage API must fail closed if private saving changes public source or receipt state.

blocked_until_memory_contract

Project notebook context

Future reader-selected project type, audience mode, citation preference, and route group.

Allowed use: May organize private workflow presentation and planned exports after explicit consent exists.
Must not affect: Cannot personalize claim-bearing prose, soften unavailable states, generate teaching claims, relax warnings, or become source-backed evidence.
Fail-closed rule: Any notebook API must fail closed if project context enters generated artifacts without reviewed claim maps.

blocked_until_memory_contract

Private note body

Future reader-authored annotation text.

Allowed use: May remain private text with export and deletion controls after a storage contract exists.
Must not affect: Cannot become source text, commentary, translation, morphology, etymology, receipt content, public citation, JSON-LD, sitemap data, or ranking input.
Fail-closed rule: Any note API must fail closed if private text leaks into public evidence or model context by default.

blocked_until_memory_contract

Citation export preference

Future reader-selected export format and citation style preference.

Allowed use: May choose formatting for already-reviewed public receipt pointers after an export contract exists.
Must not affect: Cannot create public-ready receipts, mutate receipt hashes, add evidence IDs, open source fields, or convert blocked evidence into a citable bundle.
Fail-closed rule: Any export preference must fail closed if it tries to export blocked receipts or private context as evidence.

Never Stored

closed

Source and citation evidence

Boundary Source text, edition data, translation/gloss data, morphology data, etymology data, evidence rows, and receipt hashes are not stored as memory.

Reason Evidence objects belong to the public source/audit system, not to private account context.

Firewall Memory cannot create, alter, promote, or delete citation evidence.

closed

Unsupported claims

Boundary Lexical, etymological, translation, morphology, interpretive, and teaching claims are never stored from private memory.

Reason Private context cannot become proof of word meaning, source access, or lesson readiness.

Firewall Every claim-bearing surface remains source-backed, reviewed, or explicitly unavailable.

closed

Passive behavior

Boundary Reading history, hover behavior, search behavior, route visits, and unfinished drafts are not collected here.

Reason Future memory must start from explicit save actions rather than observation.

Firewall No analytics, cookies, browser storage, network sync, or model recall path exists.

closed

Sensitive identity

Boundary Religion, profession, education level, classroom, congregation, and reader type are not inferred.

Reason Preference mode must remain voluntary, editable, exportable, resettable, and revocable.

Firewall Audience and reader settings cannot personalize claims or weaken overclaim warnings.

closed

Secrets and credentials

Boundary Tokens, credentials, account identifiers, authentication artifacts, and session data are not accepted.

Reason This route has no auth runtime, cookie path, callback, API route, or storage layer.

Firewall Private trust architecture stays non-operational until a separate implementation packet exists.

closed

Imported content

Boundary File contents, filenames, source paths, pasted notes, and imported route lists are not collected.

Reason Import is a visible placeholder only; no parser, upload, queue, paste handler, or archive job exists.

Firewall Imported private material cannot become public receipt content or citation evidence.

Source And Private Notes

separated

closed

Source object versus note pointer

Public object Source, edition, passage, evidence row, and receipt records belong to the public audit graph.

Private object Reader note pointers belong to a future private account ledger only.

Allowed link A future note may link to a public route ID without copying source text or changing source state.

Blocked merge A note body cannot become source text, translation, morphology, etymology, commentary, receipt content, JSON-LD, or sitemap data.

Review gate Any claim-bearing text must pass the public evidence and receipt gates without using private note content as proof.

closed

Citation receipt versus deletion receipt

Public object Citation receipts prove public source and review readiness.

Private object Deletion receipts would prove private account removal only after storage exists.

Allowed link A future account ledger may show a public receipt pointer beside private export state.

Blocked merge Deletion receipts cannot become citation receipts, receipt hashes, source audit state, public evidence, or indexability proof.

Review gate Citation export must depend on public receipt readiness, not private deletion or export state.

closed

Generated artifact versus project context

Public object Generated teaching artifacts require separate review, claim maps, and receipt readiness.

Private object Project context may hold reader-selected audience and project labels only after explicit consent.

Allowed link A future project may request a generated artifact review from selected public route pointers.

Blocked merge Audience mode, reader role, project label, and saved history cannot personalize claim-bearing prose or weaken warnings.

Review gate Teaching output remains blocked until generated-artifact policy and source-backed claim review pass.

Activation Checklist

blocked

not started

Identity and session design

blocked_until_memory_contract

Required before activation: Choose auth provider, session lifetime, sign-out behavior, and account deletion path.
Failure mode: No hidden identity, account inference, or background profile creation can ship.

not started

Storage contract

blocked_until_memory_contract

Required before activation: Define stored fields, retention period, export format, reset behavior, and deletion job.
Failure mode: No database, browser storage, cookie, or sync layer may appear before the contract.

not started

Evidence separation

blocked_until_memory_contract

Required before activation: Prove saved user context cannot enter source gates, receipt promotion, JSON-LD, or sitemap promotion.
Failure mode: Memory must fail closed if any path can upgrade a claim or soften an unavailable state.

not started

User controls

blocked_until_memory_contract

Required before activation: Add visible save, edit, export, reset, delete, and disable controls before storing anything.
Failure mode: No passive collection or uninspectable memory ledger can ship.

not started

Generated artifact policy

blocked_until_memory_contract

Required before activation: Keep teaching, sermon, handout, and summary generation behind reviewed claim maps and receipt checks.
Failure mode: Memory cannot generate or personalize claim-bearing artifacts without evidence review.

Future API Surfaces

documentation only

documentation_only

Saved route ledger

blocked_until_memory_contract

Future account saved-routes read/write surface.

Permitted purpose: May create, list, and delete account-owned route pointers only after auth, consent, and storage policy exist.
Blocked runtime: No route file, handler, request parser, auth callback, database table, browser storage, or cookie exists.
Required contract: Requires owner field, saved-object schema, retention period, export format, per-item deletion, and failure states.
Evidence firewall: Saved-route API output cannot enter source gates, receipt promotion, JSON-LD, sitemap generation, or ranking logic.

documentation_only

Project notebook ledger

blocked_until_memory_contract

Future account project-notebooks surface.

Permitted purpose: May group explicit saved words, saved passages, project type, citation preference, and private note pointers.
Blocked runtime: No notebook endpoint, write route, table, form, upload, background job, or model recall path exists.
Required contract: Requires notebook schema, consent scope, visible ledger row owner, export preview, delete preview, and reset behavior.
Evidence firewall: Notebook API data cannot become source evidence, generated teaching proof, receipt content, or indexability proof.

documentation_only

Private notes

blocked_until_memory_contract

Future account private-notes surface.

Permitted purpose: May store reader-authored annotation text only after explicit account consent and deletion proof exist.
Blocked runtime: No note editor, parser, storage adapter, sync route, browser storage, cookie, or model context injection exists.
Required contract: Requires note ownership, retention limits, import policy, export format, per-note deletion, and abuse handling.
Evidence firewall: Private note text cannot become commentary, translation, morphology, etymology, source text, or citation proof.

documentation_only

Export and deletion jobs

blocked_until_memory_contract

Future account export/delete job surface.

Permitted purpose: May prepare private ledger export, per-item deletion, global reset, and consent-withdrawal jobs.
Blocked runtime: No job queue, download response, email job, archive writer, account data source, or deletion worker exists.
Required contract: Requires scoped preview, confirmation, completion state, failed-job state, support path, and deletion-before-export rule.
Evidence firewall: Export and deletion jobs cannot edit public source records, receipt hashes, fixture data, JSON-LD, or sitemaps.

Agent Access Boundaries

runtime blocked

Read-only REST handoff documentation_only

Future channel: REST API
Allowed future use: A future agent may request saved route pointers and preference settings after explicit consent.
Blocked runtime: No authenticated endpoint, token scope, account row, storage adapter, or response body exists.
Evidence firewall: Agent context cannot include source text, translations, morphology, etymology, lexical ranges, receipt hashes, or claim-bearing prose.
Consent requirement: Requires opt-in consent, revocation, audit log, and per-scope visibility before activation.
Deletion requirement: Every returned private pointer class needs a matching deletion path and completion state.

MCP memory handoff documentation_only

Future channel: MCP
Allowed future use: A future MCP tool may expose route pointers and user-selected settings as a private planning context.
Blocked runtime: No executable MCP memory tool, write action, model call, sync job, or personal context envelope exists.
Evidence firewall: MCP context cannot become citation evidence, public receipt content, generated answer support, or source authority.
Consent requirement: Requires separate MCP consent, tool scope display, revocation, and denied-action behavior.
Deletion requirement: MCP-visible private context must disappear when the matching account deletion path completes.

Portable context packet blocked_until_memory_contract

Future channel: portable context
Allowed future use: A future export may package private route pointers, preferences, and project-notebook metadata.
Blocked runtime: No context builder, archive, download, share URL, background job, or file export exists.
Evidence firewall: Portable context cannot contain source text copies, translation/gloss text, morphology features, etymology claims, or private notes as proof.
Consent requirement: Requires export consent, preview, confirmation, and a clear distinction from public evidence.
Deletion requirement: Export logs and private packet records require deletion proof before storage can activate.

Memory export receipt blocked_until_memory_contract

Future channel: memory export
Allowed future use: A future receipt may prove what private account data was exported or deleted.
Blocked runtime: No private receipt renderer, export ledger, deletion ledger, or account support route exists.
Evidence firewall: Private memory receipts cannot promote source receipts, alter public route readiness, or supply scholarly proof.
Consent requirement: Requires account consent, deletion/export scope review, and support handling for failures.
Deletion requirement: Must define how private export receipts are retained, revoked, and removed.

Auth and token scopes blocked

Account login, API tokens, MCP auth, and session cookies.

No identity model or scoped token policy has been accepted.

Cannot expose: Cannot expose account IDs, credentials, tokens, session data, or private saved objects.

Required first: account model, token scope policy, revocation, audit log

Storage adapter blocked

Saved words, saved passages, study threads, notebooks, preferences, and private notes.

No storage schema, consent ledger, export path, or deletion proof exists.

Cannot expose: Cannot expose passive history, note bodies, source text, generated claims, or private imports.

Required first: storage schema, consent ledger, export preview, deletion proof

Agent response envelope blocked

REST and MCP response bodies for private context.

No pointer-only response schema or evidence firewall validator has been approved.

Cannot expose: Cannot expose source text, translations, morphology, etymology, lexical ranges, claim text, or local paths.

Required first: pointer-only schema, no-source-text validator, claim-denial tests, private route policy

Personalization bridge blocked

Reader role, project type, audience mode, citation preference, and safety preference.

Preferences have no accepted personalization contract and cannot modify evidence behavior.

Cannot expose: Cannot infer identity, rewrite claims, lower overclaim warnings, or change source/citation readiness.

Required first: explicit settings, reset controls, source firewall, reviewed personalization policy

Portable Context Workflow

inert

Reader choice later

Choose saved scope

Blocked until contract

What should travel with this future project?

A reader would explicitly choose saved words, saved passages, project notebooks, preferences, or an import preview before any private context exists.

Allowed Later

public route pointers
saved-word pointers
saved-passage pointers
reviewed receipt pointers
reader-selected project label
explicit citation preference
explicit reader preferences
visible consent scope

Blocked Now

No save control, checkbox state, account row, note table, import parser, browser storage, cookie, sync job, API call, or model call exists.

Removal Path

Every future scope must be removable item by item and resettable as a whole before storage can activate.

AI Boundary

No AI or agent receives context today; a later agent packet would require a preview that names each pointer and omits private note bodies.

Evidence firewall: Chosen scope cannot alter source readiness, receipt readiness, indexability, ranking, or claim wording.

Import not accepted

Inspect import boundary

Blocked until contract

Would imported notes become evidence?

A reader would review a future import preview and cancel before any private note pointer or project grouping is created.

Allowed Later

declared import type
reader-approved note pointer
attached public route pointer
retention choice

Blocked Now

No file picker, upload route, parser, note editor, filename capture, local path capture, account storage, or generated summary exists.

Removal Path

Imported private material must have preview, cancellation, per-note deletion, global reset, and deletion proof before use.

AI Boundary

Imported text cannot enter model context, API payloads, MCP packets, citation exports, or generated teaching drafts by default.

Evidence firewall: Imported notes cannot become source text, translation, morphology, etymology, commentary, receipt content, JSON-LD, or sitemap data.

Preview required

Preview pointer packet

Blocked until contract

What exactly leaves the account boundary?

A reader would inspect a pointer-only packet before export, agent handoff, or notebook portability is allowed.

Allowed Later

route IDs
saved-word IDs
saved-passage IDs
receipt IDs
review-state labels
blocker labels
selected preference labels

Blocked Now

No packet builder, archive job, download response, share URL, request parser, token field, or authenticated endpoint exists.

Removal Path

Future packets must be revocable, exportable for inspection, and deletable without changing public evidence records.

AI Boundary

AI portable context may carry route pointers, saved-word pointers, saved-passage pointers, and explicit reader preferences only after review; it cannot carry source text, generated claims, private notes, or hidden evidence.

Evidence firewall: A pointer packet cannot promote blocked receipts, create evidence IDs, mutate receipt hashes, or relax source gates.

Runtime absent

Hand off to agent

Blocked until contract

Could an API or MCP tool use this context?

A reader would approve a tightly scoped handoff only after API/MCP policy, token scope, revocation, and deletion behavior exist.

Allowed Later

pointer-safe route bundle
saved-word pointer bundle
saved-passage pointer bundle
explicit reader preference bundle
policy warnings
consent scope
revocation state
deletion state

Blocked Now

No REST endpoint, MCP server, executable memory tool, connector secret, bearer token, source lookup, write route, or model call exists.

Removal Path

Agent-visible context must disappear when consent is revoked or the matching private pointer is deleted.

AI Boundary

Agent context remains planning context only; it cannot query sources, generate citations, create teaching artifacts, or act as live memory.

Evidence firewall: Agent handoff cannot unlock source text, fetch hidden records, promote public routes, or become citation proof.

Removal before storage

Export or delete

Blocked until contract

How does the reader leave cleanly?

A reader would see inventory, export preview, per-item deletion, global reset, consent withdrawal, and deletion proof before storage ships.

Allowed Later

private object inventory
export scope preview
delete request state
completion proof
unresolved failure list

Blocked Now

No export builder, deletion queue, worker, email job, archive job, account support route, browser storage, cookie, or sync process exists.

Removal Path

Deletion affects private pointers, preferences, imports, and notes only; failures must remain visible and keep memory disabled.

AI Boundary

Exported memory receipts are private account receipts, not public citation receipts and not evidence for AI answers.

Evidence firewall: Export or deletion cannot remove public sources, reviewed receipts, evidence rows, generated-artifact review gates, JSON-LD, or sitemap output.

Portable Context Contract

contract only

Contract only

Route pointer bundle

Blocked until contract

Future Envelope: Future portable context may carry selected public route IDs, canonical paths, route labels, and blocker labels to an external AI as navigation context only.
Allowed Contents: Pointer-safe public route ID, route path, route family, visible state label, user-selected grouping label, consent scope, and delete state.
Blocked Contents: No source text, translation text, morphology fields, etymology claims, lexical range, usage claims, private notes, model summaries, or inferred identity.
External AI Use: A future external AI may use a route pointer to orient a reader back to a public Logoi page, not to fetch hidden sources or answer from private memory.
No Storage Boundary: Today no selected-route ledger, packet builder, browser storage, cookie, account row, sync job, or handoff record exists.
Not A Runtime Tool: This row is not a REST endpoint, MCP tool, model context bridge, authenticated share URL, or executable agent permission.
Revocation Requirement: Every pointer must be removable from the private bundle without mutating the public route or evidence record.
Evidence Firewall: A route pointer can navigate to a public review surface, but it cannot promote that surface, soften blockers, or become citation proof.

Contract only

Saved-word pointer bundle

Blocked until contract

Future Envelope: Future portable context may carry reader-selected saved-word pointers for public lemma routes after a pointer-only saved-object contract exists.
Allowed Contents: Public lemma route pointer, language code, optional reader label, visible source-state label, consent scope, export state, and delete state.
Blocked Contents: No lexical range, etymology, morphology, translation/gloss, usage claims, source text, receipt hash, ranking signal, private note body, or model summary.
External AI Use: A future external AI may see that a reader selected a public word route and may navigate by that pointer only; the pointer is not proof of meaning.
No Storage Boundary: Today no saved-word row, personal vocabulary list, account owner, API route, MCP packet, browser storage, cookie, or sync record exists.
Not A Runtime Tool: This row cannot create a saved-word API, executable MCP memory tool, local storage write, model prompt, or personalization bridge.
Revocation Requirement: Every saved-word pointer must be individually removable and resettable while the public lemma route and evidence gates remain unchanged.
Evidence Firewall: Saved-word context cannot prove word meaning, change source readiness, alter receipt readiness, affect ranking, or enter JSON-LD and sitemap output.

Contract only

Saved-passage pointer bundle

Blocked until contract

Future Envelope: Future portable context may carry reader-selected saved-passage pointers linked to public passage routes and reviewed receipt pointers where available.
Allowed Contents: Public passage route pointer, stable passage ID, reviewed receipt pointer, citation-state label, consent scope, export state, and delete state.
Blocked Contents: No source text copy, translation/gloss text, passage screenshot, private note body, receipt hash mutation, unsupported citation bundle, or generated answer.
External AI Use: A future external AI may use a saved-passage pointer to return the reader to a public passage surface; it cannot cite the passage unless public receipt gates independently allow it.
No Storage Boundary: Today no saved-passage library, citation export job, private passage history, note store, account row, browser storage, cookie, or network sync exists.
Not A Runtime Tool: This row cannot create citation export behavior, a share packet, an API handler, an MCP source lookup, or a model-call pathway.
Revocation Requirement: Every saved-passage pointer must be deletable while public passage routes, source records, receipt audits, JSON-LD, and sitemap output remain unchanged.
Evidence Firewall: Saved-passage context cannot convert blocked receipts into citation evidence, mutate receipt hashes, expose source text, or promote public evidence.

Contract only

Reader preference bundle

Blocked until contract

Future Envelope: Future portable context may carry explicit reader preferences for workflow presentation after scoped consent and reset/delete controls exist.
Allowed Contents: Reader-selected role, project type, audience mode, citation format preference, strict-warning preference, consent scope, reset state, and delete state.
Blocked Contents: No inferred identity, passive behavior profile, religion inference, profession inference, education inference, classroom inference, congregation inference, or claim memory.
External AI Use: A future external AI may use explicit preferences to shape workflow order or citation-format reminders, not to rewrite claims or relax source gates.
No Storage Boundary: Today no preference table, personalization engine, cookie, browser storage, account session, analytics-derived memory, or adaptive prompt exists.
Not A Runtime Tool: This row cannot create personalization behavior, model recall, generated prose rewriting, API preferences, MCP preferences, or hidden profile state.
Revocation Requirement: Every preference must be editable, exportable, resettable, revocable, and deletable with strict defaults restored when consent is withdrawn.
Evidence Firewall: Reader preferences cannot change source order, claim wording, citation readiness, receipt readiness, overclaim warnings, or generated-artifact review gates.

Contract only

External AI handoff packet

Blocked until contract

Future Envelope: Future portable context may combine selected route, saved-word, saved-passage, and reader-preference pointers in one reviewed packet for an external AI.
Allowed Contents: Pointer inventory, public route pointers, saved-word pointers, saved-passage pointers, explicit preference labels, consent scope, revocation state, deletion state, and policy warnings.
Blocked Contents: No executable memory tool, write route, source lookup, model call, generated artifact, private note body, hidden evidence, token, credential, secret, or unsupported evidence claim.
External AI Use: A future external AI may receive a reader-previewed packet as portable planning context only; it must treat every pointer as non-evidence and revocable.
No Storage Boundary: Today no packet builder, export file, share URL, authenticated endpoint, MCP server, token grant, connector secret, network sync, or model handoff exists.
Not A Runtime Tool: This row is roadmap copy only and does not create account, memory, API, MCP, storage, auth, personalization, or runtime behavior.
Revocation Requirement: External AI handoff consent must be scoped, previewed, exportable for inspection, revocable by category, and disabled by default.
Evidence Firewall: External AI packets remain navigation and planning context; they cannot unlock source text, generate citations, promote receipts, or operate as MCP runtime tools.

Consent Boundaries

Privacy And Deletion Gates

blocked

visible_placeholder

View stored data

blocked_until_memory_contract

A future account ledger must list every saved thread, word, passage, note, preference, and consent state.

Required before storage: No storage can activate until every stored field has a visible account-row owner.
Deletion boundary: Viewing the ledger cannot create, infer, rank, or restore memory by itself.
Enforcement: If a stored item cannot be displayed to the reader, the storage contract remains closed.

closed

Delete one item

blocked_until_memory_contract

A future per-row deletion action must remove a selected saved pointer or note.

Required before storage: Each saved-object class needs a reversible preview, confirmation, deletion receipt, and failure state.
Deletion boundary: Deleting private context changes only private account state and never public source, receipt, or indexability records.
Enforcement: No save action can ship without a matching per-item deletion path.

closed

Delete all memory

blocked_until_memory_contract

A future global reset must clear saved routes, notes, preferences, study history, and consent selections.

Required before storage: Global deletion requires scope preview, confirmation, completion state, and support path for failed deletion.
Deletion boundary: Resetting memory cannot delete public fixture data, evidence rows, source records, receipts, or generated review gates.
Enforcement: Memory must fail closed if global deletion cannot be proven for every private stored class.

closed

Withdraw consent

blocked_until_memory_contract

A future consent panel must disable capture, sync, personalization, and export preparation.

Required before storage: Consent must be inspectable, revocable, timestamped, and separate for account, preferences, memory, and exports.
Deletion boundary: Withdrawal must stop future use and present deletion choices for existing private records.
Enforcement: No preference or memory feature can remain active after its consent state is withdrawn.

Deletion Policy

blocked

Visible placeholder

Inventory before deletion

Blocked until contract

Required step: A future ledger must show each stored private object class before deletion can be requested.
Private scope: Saved routes, notes, preferences, study threads, imports, export jobs, and consent states.
Evidence boundary: Inventory cannot include public source text, public evidence, receipt hashes, or sitemap records.
Failure state: If a private object class is not visible, deletion remains blocked.

Closed

Per-item deletion

Blocked until contract

Required step: Each stored item needs preview, confirmation, completion, and failed-deletion states.
Private scope: One selected private pointer, note, import, preference, or thread row.
Evidence boundary: Deleting one item never changes public citation readiness or source audit state.
Failure state: Failed deletion must leave the item visible with a support path.

Closed

Global reset

Blocked until contract

Required step: A future global reset must enumerate private scopes and require confirmation before execution.
Private scope: All private memory, preferences, saved items, imports, export jobs, and consent choices.
Evidence boundary: Global reset cannot remove public fixtures, evidence objects, receipts, or reviewed pages.
Failure state: Partial deletion must report which private classes remain.

Closed

Consent withdrawal

Blocked until contract

Required step: Withdrawal must stop future use and offer delete-or-retain choices for existing private records.
Private scope: Account, preference, memory, import, and export consent scopes.
Evidence boundary: Withdrawing consent cannot suppress public source/citation records or alter reviewed artifacts.
Failure state: No feature can remain active after its consent state is closed.

Closed

Deletion proof

Blocked until contract

Required step: A future deletion receipt must identify private scope, completion state, and unresolved failures.
Private scope: Private account rows only.
Evidence boundary: Deletion receipts are not public citation receipts and cannot be used as evidence.
Failure state: No storage can activate until deletion proof is defined for every private object class.

Deletion Queue

not queued

No request queued

Saved route pointer deletion

Blocked until contract

Trigger: Future per-row delete request from a visible account ledger.
Blocked runtime: No queue, worker, account row, route handler, browser storage, cookie, or deletion job exists.
Required proof: Completion proof must name the private pointer class, owner scope, timestamp, and failure state.
Public boundary: Deleting a private route pointer cannot delete public lemma, passage, source, evidence, receipt, JSON-LD, or sitemap records.
Failure state: If deletion cannot be proven, the item remains visible and storage remains blocked.

No request queued

Private note deletion

Blocked until contract

Trigger: Future note delete request after a note ledger and note retention policy exist.
Blocked runtime: No note editor, note table, import parser, export archive, deletion worker, or model context path exists.
Required proof: Completion proof must show note row removal and preserve attached public route pointers as public objects.
Public boundary: Deleting a private note cannot alter source text, commentary, translation, morphology, etymology, citation receipts, or reviewed artifacts.
Failure state: A failed note deletion must keep the note visible with a support path and must stop export preparation.

No request queued

Project notebook reset

Blocked until contract

Trigger: Future notebook reset after scope preview and confirmation.
Blocked runtime: No notebook table, account session, background job, sync layer, export job, or storage adapter exists.
Required proof: Completion proof must enumerate saved route pointers, note pointers, preferences, imports, and export jobs removed.
Public boundary: Reset cannot remove public fixtures, evidence rows, source records, receipts, reviewed pages, or generated-artifact review gates.
Failure state: Partial reset must list unresolved private classes and keep memory disabled until resolved.

No request queued

Consent withdrawal queue

Blocked until contract

Trigger: Future withdrawal request from account, preference, memory, import, or export consent scope.
Blocked runtime: No consent ledger, timestamp store, session state, queue, worker, cookie, or sync process exists.
Required proof: Completion proof must show disabled future capture plus delete-or-retain choices for existing private records.
Public boundary: Withdrawal cannot suppress public citations, source audit records, reviewed artifacts, robots policy, or sitemap output.
Failure state: No personalization, export, import, or memory feature may remain active after withdrawal failure.

Memory Controls

Planned-Only Memory Surface

Saved study threads

Saved words

Saved passages

Preferences

Memory activation

Account model

Consent

Export / delete

Source-safe citation links

No generated scholarly claim storage

Privacy review

Saved Workspace Context

Future Saved Workspace Shell

Account Access Planning

Saved study threads

Saved words

Saved passages

API access state

MCP access state

Personal notes boundary

Deletion and export requests

Private/public evidence firewall

Consent Sequence

Preview private surface

Choose identity

Select saved categories

Review evidence firewall

Enable export and deletion

Workflow Context Placeholders

Project Notebook Planning

Sunday lesson notebook

Sermon preparation notebook

Seminar paper notebook

Independent study thread

Saved Object Contract

Saved words

Saved passages

Project notebooks

Study threads

Saved Object State Maps

Saved word state map

Saved passage state map

Project notebook state map

Study thread state map

Private note state map

Memory Boundaries

No memory action

Context is not evidence

No personal data storage

No runtime connection

Visible private posture

Privacy States

Public evidence objects

Private route pointers

Sensitive preferences

Deleted private records

Never-stored material

Inactive Preference Controls

Reader role

Project type

Citation preference

Audience mode

Overclaim tolerance

Personalization Boundaries

Reader role

Project type

Citation style

Audience mode

Overclaim posture

No-Storage Pending States

Project notebooks

Saved study threads

Saved words and passages

Preferences

Memory

Memory Activation Path Matrix

Future Memory Contract

Voluntary capture