ADR-014: ASCII-safe identifiers (#SafeID, #SafeLabel) on all graph surfaces
| Field | Value |
|---|---|
| Status | accepted |
| Date | 2026-02-19 |
Context
CUE unification treats string values as opaque byte sequences. Cyrillic 'a' and Latin 'a' are different CUE values that look identical.
Decision
Constrain all graph identifiers to ASCII via regex. #SafeID for resource names, #SafeLabel for type keys.
Rationale
Constraining identifiers to ASCII eliminates the entire class of unicode-based confusion attacks.
Consequences
- All resource names, @type keys, depends_on keys must be ASCII
- patterns/graph.cue defines hidden mirrors (#SafeID, #SafeLabel)
- boot/resource.cue uses inline regex (no cross-package hidden field access)
- Downstream repos inherit constraints via quicue.ca symlink
- apercue.ca has identical constraints — both layers enforce independently