What's shipped, what's coming.

`kiri project init` cannot leave the project in an invalid state. Every required choice — name, target, classification posture — is checked before write.

Inferred PII (names, e-mails, free-text identifiers, classified attributes) cannot be authored as `public` without an audited override and a reason. The default is refuse, not warn.

`kiri.schedule` is the single canonical scheduling customProperty. Cron expressions with nested `schedule.*` routing — one declaration drives ingestion, transformation, and orchestration on the same cadence without separate scheduler config.

`kiri.schedule` understands `helgfria vardagar` and equivalent — Swedish business days, EU holidays, custom calendars per project. "Ready by 06:00 Europe/Stockholm on the next business day" is a one-line declaration.

Every artefact (contract, table, job, audit row) is addressed by a stable URN; `kiri.lifecycle.state` is the canonical state field across the platform. One namespace across CLI, MCP, federation, and audit — no per-surface dialect drift.

Lineage and data-model docs materialise as Markdown + Mermaid inside the repo on `kiri docs generate`. `kiri docs verify-generated` is a CI gate — if the docs drift from the contracts the build fails.

A business outcome resolves to columns regardless of whether the silver layer is Flat, Data Vault 2.0, or conformed Kimball. The intent layer is the join.

Customer vocabulary first. The contract names the target (a column, a metric, an entity); the generator picks the source projection. No silver-table-name in business prose.

Silver as a conformed dimensional layer is one of the three first-class silver techniques — alongside Flat and Data Vault 2.0. All three feed the same gold contract.

Gold compiles to a Kimball star schema regardless of silver technique. Slowly-changing dimensions, conformed facts, surrogate keys — first-class outputs.

Declarative `CASE` / type-cast / normalisation as a contract property. No SQL strings hand-written; every projection is contract-declared and versioned.

Raw vault + business vault + PIT bridges as a production technique. Optional DataVault4dbt backend wired in via the same contract — pick the engine, the contract stays canonical.

Sample, classify, and propose populated bronze contracts from a live source. The output is editable scaffolding, not auto-applied — humans approve.

Every adapter ships with a typed landing-zone abstraction. Bronze writes go to a known address; lineage starts at the landing zone, not somewhere down the pipeline.

Cross-project catalog snapshots over three transports (in-process, HTTP+ETag, fs-static). `health()` returns OK / STALE / UNAVAILABLE; browse serves stale-with-marker; lint, apply and AI-policy all fail closed when a federated source isn't reachable.

Every catalog attribute moves through a five-state lifecycle (proposed → reviewed → approved → deprecated → retired) with closed-menu transitions. SME decisions are typed, auditable, and surfaced in the lint output — no informal review queue.

Every adapter ships against a published surface contract; conformance tests gate the merge. Databricks is the flagship today; an OSS edition with a prescribed stack is on the roadmap.

An architectural boundary separates AI-assisted code paths from deterministic codegen, enforced by an import-linter contract and architecture tests. The build fails if an AI module leaks into a deterministic surface — what gets generated is reproducible by construction.

Every Kiri → Databricks action (CREATE / INSERT / SHOW / job submit / …) emits a one-line audit record. MCP calls are audited identically to CLI calls — same logger, same fields, same correlation id. `tail -f databricks-audit.log` is the whole demo.

Quality runs surface as a four-status taxonomy — `engine_ran` / `documentation_only` / `engine_none_configured` / `engine_not_applicable` — and roll up into a DORA-aligned data-quality evidence section. Structured evidence, not legal certification; human attestation remains required. The wider DORA / EU AI Act / GDPR generator suite is still on the roadmap.

AI translates legacy business-vault objects into ODCS contracts; every output lands on a review queue with `accept` / `reject` as the only ways forward. Nothing reaches a contract without an SME signature.

AI-translated output is row-hash-compared against a deterministic baseline. Input snapshots are pinned, the row-hash algorithm is closed-menu, mismatches block promotion. Parity is the gate, not a report.

`kiri cutover shadow` / `diff` / `promote` / `rollback`. Shadow builds are namespace-isolated; promotes are atomic and rename-based; rollback is one verb, not a runbook.

Re-ingestion goes through the same DQ pipeline that rejected the row. The reprocess table is append-only; the per-row state machine is four states with a closed-menu of transitions — no silent quarantine rotting.

The review queue gets three new SME decisions next to `accept`/`reject`: `drop` (legacy object isn't migrated), `merge` (collapse into a downstream object), `redesign` (rebuild rather than translate). A project-level flag flips the default action — burden of proof becomes "why migrate this?" instead of "why drop it?".