nika at L5 — composed of
crates across six layers. Each crate has one job.
Together they parse .nika.yaml, resolve templates, route to providers,
execute verbs, and emit a structured event stream.
One binary, six layers
Arrows read “built on”. Thenika binary at L5 composes L4 interface
crates, which consume L3 runtime + policy, which orchestrate L2 verbs,
which call L1 effects through L0.5 kernel traits, which use L0
foundation types. Upward imports are a CI hard failure.
Each layer answers one question
| Layer | Question | Examples |
|---|---|---|
| L0 | What shapes does the engine use to talk about itself? | WorkflowId, NikaError, ModelCapabilities, Timestamp |
| L0.5 | What contract does a provider / fs / clock / tool executor implement? | Provider, Fs, Clock, ToolExecutor, MemoryStore |
| L1 | How do I actually call OpenAI / read a file / run a process? | nika-provider-openai, nika-fs, nika-process, nika-http |
| L2 | How do I execute a Nika verb end-to-end? | nika-verb-exec, nika-verb-infer, nika-verb-agent |
| L3 | How do I orchestrate a full workflow safely? | nika-runtime, nika-shield, nika-sandbox (future minors) |
| L4 | How does a human / tool / IDE talk to Nika? | nika-cli, nika-serve, nika-mcp, nika-lsp |
| L5 | What’s the single entrypoint that wires it all? | nika binary (<500 LOC) |
Why layers matter
Mechanical sorting — no debate
Mechanical sorting — no debate
New crate? Answer the mechanical sort test
in under 10 seconds. No meetings, no “where should this live”, no
spiral into abstraction-first design.
Trustable L0 — no hidden I/O
Trustable L0 — no hidden I/O
Swappable effects — test hermetically
Swappable effects — test hermetically
Every I/O crate implements a kernel trait with a mock twin. Unit tests
use
nika-kernel-mock::MockClock, MockFs, MockProvider — no
network, no disk, no wall-clock flakiness. Invariant #27.Capped blast radius — per-axis capabilities
Capped blast radius — per-axis capabilities
Every L1 crate declares its capability axes in
docs/architecture/security-axes.toml (e.g., net-egress for HTTP,
rw-fs for filesystem). Silent axis escalation fails CI.
12 axes total.What ships at v
crates admitted past 12 gates:nika-types
L0 · Foundation value types
nika-error
L0 · NIKA-XXX error infra
nika-catalog
L0 · providers · rules
nika-kernel
L0.5 · 40 ISP traits
nika-kernel-mock
L0.5 · Pure-memory mocks
nika-catalog-verify
L4 · Catalog validation tool
nika-schema (parser · analyzer · static check) is admitted and live — it is what nika check runs.
Live constellation → · 12-gate admission →
The build model
Every crate earns its seat through twelve gates. No exceptions, no late fixes. One crate = one atomic commit.SPEC → TDD → IMPL
Spec at
docs/crate-specs/<crate>.md first. Tests red before
implementation. Minimal code to green.CLIPPY 0 → MUTATION ≥ 90%
Zero clippy warnings.
cargo mutants -p <crate> kills ≥ 90% of
generated mutants.PROPERTY → BENCHMARKS → DOCS
Property tests via
proptest where it matters (parsers, taint,
crypto). Criterion benchmarks on hot paths. cargo doc clean.See also
Layers
Authoritative layer registry with mechanical sort test.
Forward-compat invariants
The 8 patterns that keep the public API stable across years.
L0 decisions
Q1-Q13 — why no proc macros in L0, why sibling sinks not god-trait.
Admission
The 12 gates with rationale per gate.