hyperpolymath · hyperpolymath · May 16, 2026 · May 16, 2026
diff --git a/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc b/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc
@@ -3,17 +3,18 @@
 
 = RSR Language Policy
 :author: Jonathan D.A. Jewell (hyperpolymath)
-:revnumber: 1.1.0
-:revdate: 2026-04-10
+:revnumber: 1.2.0
+:revdate: 2026-05-16
 :toc: left
 :icons: font
 :source-repo: https://github.com/hyperpolymath/cccp
 
 [NOTE]
 ====
-*Version Status*: v1.1.0 — allowed/banned lists amended 2026-04-10. See §Amendments
-at the bottom of this document for the rationale and the full change list. The
-prior v1.0.0 freeze was lifted on the same date.
+*Version Status*: v1.2.0 — codifies the Interface & Architecture Law
+(ABI=Idris2, API+FFI=Zig; strict typed boundaries; no gatekeeperless gateways)
+as a normative section, 2026-05-16. v1.1.0 amended the allowed/banned lists
+2026-04-10. See §Amendments at the bottom for rationale and the full change list.
 ====
 
 == Terminology: "Rust" means "Rust/SPARK"
@@ -239,6 +240,54 @@ the reach order is:
      consideration)
    * `Node.js` as a standalone runtime — replaced by Deno
 
+== Interface & Architecture Law (NORMATIVE)
+
+This is a day-1, estate-wide structural law. It is non-negotiable and applies
+to *every* repository.
+
+=== Layer languages
+
+* **ABI layer → Idris2** (`src/abi/*.idr`): formal types + proofs. Always.
+* **FFI layer → pure Zig** (`ffi/zig/`). Always — since day 1.
+* **API layer → pure Zig** (`src/api/zig/`). Always — since V was dropped for APIs.
+
+Rust/SPARK is *application* logic only (per §Terminology); it is **never** the
+ABI, API, or FFI layer, and is **never** the target of an abi/api/ffi migration.
+C is never an estate API/ABI/FFI layer either. A `MIGRATION.adoc`, `CLAUDE.md`,
+manifest comment, or build file that says "→ Rust" / "canonical Rust rewrite of
+the API" is **itself off-policy drift**: the canonical target is the Zig
+implementation. Stray `src/api/rust/` API crates are debt to remove, not a
+destination. Consumers may still *call* the C ABI from any language — that is
+consumer-side binding, not the layer implementation.
+
+=== V-lang only when it is Coq
+
+V-lang is banned (see §Banned Languages); the migration target is **Zig, never
+Rust**. The sanctioned exception is the `developer-ecosystem/v-ecosystem/`
+subtree (and `awesome-v`, a curated list — never touched). Outside those, a `.v`
+file or "V" reference in code, docs, `CLAUDE.md`, `Justfile`, `Containerfile`,
+or `flake.nix` is acceptable **only when it is a Coq/Rocq proof**
+(`Require Import` / `Theorem` / `Qed.`). All other V references are drift to
+remove. V-stub-generation recipes are *re-emergence engines* and must be
+deleted, not merely disabled.
+
+=== Strict typed boundaries
+
+Every cross-language or cross-trust boundary MUST be type-protected and
+correctness-gated: an **Idris2 correctness contract** (proven ABI/protocol) plus
+a **Zig transaction interface** (the marshalling / C-ABI / wire layer). This
+covers in-process FFI, NIFs (exemplar: the `snifs` repo), WASM boundaries
+(exemplar: the `typed-wasm` repo), API gateways, gRPC/GraphQL/REST edges, DB and
+service connectors, and any (de)serialisation trust boundary. An
+untyped/unproven boundary is non-conformant and blocks.
+
+=== No gatekeeperless gateways
+
+Every gateway / API edge MUST front a policy gate (authentication + entitlement
++ rate-limiting). A gateway without a gatekeeper is a defect, not a later-phase
+nicety. (This is a *runtime access-control* rule and is distinct from the
+social "graduated trust without gatekeeping" contribution model.)
+
 == Machine-Readable Policy
 
 See link:../spec.scm/language-policy.scm[spec.scm/language-policy.scm] for tooling integration.