docs(architecture): reconcile DFD flow labels to one canonical scheme

[Yambr]

What

A vertical-consistency trace (during ADR-0010 follow-up work) surfaced a pre-existing defect: two competing DFD flow-label schemes across the architecture docs.

• Canonical (threat-model, eleven flows F1–F11): broker→backend = F9, audit fan-in = F10, north face = F11.
• Drifted scheme B (off-by-one): backend = F10, audit = F11, north = F12 — contradicting the threat-model's own F1–F11 count (there is no F12).

No file defined the labels authoritatively — eleven specs deferred to 06-threat-model.md §1 (which uses the labels) or 05-c4-container.md §4 (which had no F# column).

Fix

1. 05-c4-container.md §4 — add the authoritative F# column (F1–F11). This table is now the sole definition.
2. Reconcile scheme B → canon in: components/04 (25/77/93), components/01 (33), components/02 (33), components/07 (23/29/89), adr/0006 (41), adr/0002 (57).
3. Fix two sandbox-egress mislabels — the outbound egress leg is F8, not F9 (components/05 lines 36, 69).
4. Redirect definition pointers from 06-threat-model.md §1 → 05-c4-container.md §4.

Verification

Verified by gsd-doc-verifier re-trace: zero F12 anywhere, every F8/F9/F10/F11 matches its canonical flow, threat-model and .mmd diagrams agree, F1–F11 each appear exactly once in the canonical table. No NFR or decision content changed — labels only.

This unblocks ADR-0011 (storage-leg detach), which edits many of these loci and needs a single consistent flow-label scheme underneath.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Updated architecture documentation for improved clarity and consistency across component boundaries and data flow descriptions.
  • Corrected cross-references between architecture specification documents to ensure accurate boundary definitions throughout the system design.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: a684e472-cf63-457b-8ffe-591395c4e8de

📥 Commits

Reviewing files that changed from the base of the PR and between 19d1860 and 5e831f3.

📒 Files selected for processing (9)

• docs/architecture/05-c4-container.md
• docs/architecture/adr/0002-session-view-descriptor.md
• docs/architecture/adr/0006-egress-forward-proxy-substrate.md
• docs/architecture/components/01-mcp-gateway.md
• docs/architecture/components/02-control-operator-api.md
• docs/architecture/components/04-storage-broker.md
• docs/architecture/components/05-session-sandbox.md
• docs/architecture/components/06-egress-trust-edge.md
• docs/architecture/components/07-audit-pipeline.md

---

Walkthrough

This PR consolidates flow-label definitions scattered across threat-model and component specs into a single canonical schema in the C4 container boundary table (F1–F11), then updates all downstream references in component specs and ADRs to point to this unified source.

Changes

Architecture Flow-Label Consolidation

Layer / File(s)	Summary
Canonical flow-label schema definition docs/architecture/05-c4-container.md	The boundary table gains an F# column and explicitly enumerates flows F1–F11 with direction and crossing artifacts. Section text confirms this table is the authoritative source for all F# labels used by component specs and the threat model.
Component boundary realignment to canonical labels docs/architecture/components/01-mcp-gateway.md, 02-control-operator-api.md, 04-storage-broker.md, 05-session-sandbox.md, 06-egress-trust-edge.md, 07-audit-pipeline.md	All component specs redirect their flow-label citations from the threat-model to the container doc (05-c4-container.md §4) and adjust internal flow-label identifiers to match the canonical F# enumeration (e.g., F11→F10 for audit fan-in, F9 for broker-backend leg). Failure-mode and operational-concern tables are updated correspondingly.
ADR threat-mitigation flow-label updates docs/architecture/adr/0002-session-view-descriptor.md, adr/0006-egress-forward-proxy-substrate.md	ADRs update threat-mitigation STRIDE row references and broker backend leg identifiers to align with the new canonical flow labels (e.g., north-face F12→F11, broker leg F10→F9), while preserving stated behavior and mitigation contracts.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• Wide-Moat/open-computer-use#173: Introduced the C4 container boundary and flow scheme that this PR now consolidates as canonical.
• Wide-Moat/open-computer-use#219: Modified the storage broker north-face threat-model scope and flow-label numbering that this PR aligns across components.
• Wide-Moat/open-computer-use#253: Updated storage broker backend-leg and egress-trust-edge behavior whose flow-label references are adjusted in this PR.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'docs(architecture): reconcile DFD flow labels to one canonical scheme' directly and clearly summarizes the main change: consolidating competing flow-label schemes into a single canonical scheme across architecture documentation.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore-flabel-reconciliation

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}