North star — where Atelier is heading

The destination is ontology-native convergence: one declared catalog, one renderer, one authorization compiler, one control plane, and Martha-grade CLI/DX parity. Five vectors, each grounded in the open questions the sections surfaced.

1. Ontology-native authorization — substantially DONE; the residual is upstream, not platform debt. The per-app read-path flip shipped and was decommissioned (#424 merged, #431 closed): staff + citizen reads resolve under per-app namespaces, the flags are retired (config.py:54, application.py:129), the legacy admin-bff domain plane is no longer served, and citizen identity is re-keyed to the root-org UUID. The settled architecture is Pattern A (ADR-0001): the BFF resolves under the per-app namespace with the user JWT as on_behalf_of, compiles to a filter, and calls the ontology with a service-account token — forwarding the user token to the engine is rejected (wrong-namespace fail-closed, "the nav bug"). The one remaining consolidation — having the engine resolve under a consumer-supplied app-id so the BFF compiles less — is gated on a single upstream ontology change the BFF cannot make (resolver.py:67 honoring a consumer app-id; Path X vs Path Y deferred to that timeline). Even then, rule compilation relocates, it does not vanish (spec §5), and composite/BFF-native types (kc_*, admin_entity_config, cross-service joins) enforce BFF-side by design (ADR-0001 decision #1: enforce at the data-owning layer). So this vector is not "mostly subtraction left to do" — it is done as far as the platform controls it; what remains is an upstream API change and an irreducible compiler. (authz-ums)

2. A supported template→fork propagation channel. The single most-cited gap across provisioning, authoring, surface, and reports: fork is copy-on-create with no live inheritance, which directly contradicts the "author once, all tenants get it" thesis. The roadmap must pick one of: a re-fork, a scoped reconciler, or an opt-in live-inheritance channel — and decide what governs divergence-accumulation when a tenant has locally edited the row a fleet change would overwrite.

3. Control-plane unification on organization_membership. Make organization_membership(role=admin) the single authz source of truth, retire the residual is_superuser/is_service bootstrap authority, and provision a dedicated platform tenant root so platform_admins is authoritative from boot rather than convention-derived. Store root_org_id as an FK on tenant instead of deriving it from a tenant-code convention (which silently breaks on a non-conforming code).

4. Block[] + single-catalog convergence on the surface plane. Collapse the three overlapping widget lists into one enumerable widget catalog with key discovery; route admin KPI cards and Metabase embeds through resolveWidget so "one renderer drives admin" becomes fully true; ship Block.children grid nesting (#176) and a wired public read path for the kpi/stat-grid kind. Formally mark the m10 PRD superseded by the shipped Block[] + WidgetKind + page_template model.

5. Authoring registry + CLI/DX parity with Martha. Keep the design system presentation-only and stand up the separate authoring registry keyed to the render registry (the SOTA Puck/Builder/Sanity separation). Then bring Martha's authoring ergonomics to Atelier: CLI-first declaration with JSON output and exit codes designed for both humans and AI, a check_sheet --applied gate in CI so fatal sheets stop being silent "nav blank / 404" classes, and fleet-wide collision guards (type, route, and the missing view-collision guard) promoted from advisory to importer-blocking for the designed-in inconsistency classes.

Convergence also means cleanups that pay compounding interest: complete notification slice 4f (retire the action_side_effect.event_type string in favor of the FK; tenant-scope the notification_event lookup or reclassify it vocabulary-only); add a transactional outbox to the best-effort CloudEvents offload so a swallowed emit can't silently drop a submitted create; and decide shared-Martha vs per-tenant Martha — the answer determines whether the dormant per-tenant secret matching and #441 Vault provisioning are deleted as dead code or revived.
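The transactional-outbox cleanup named above, as an added illustration that is not Atelier code: a best-effort offload that swallows a failed emit beside an outbox row written in the same transaction as the create, drained by a relay that retries instead of dropping. The sqlite schema, table names and the CloudEvents type/source values are constructed placeholders.

```python
import json, sqlite3, uuid

# Constructed schema: the submitted create and its outbox row share one database.
SCHEMA = """CREATE TABLE submission (id TEXT PRIMARY KEY, payload TEXT NOT NULL);
CREATE TABLE outbox (id TEXT PRIMARY KEY, event TEXT NOT NULL, published INTEGER NOT NULL DEFAULT 0);"""
def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def cloudevent(sub_id: str, payload: dict) -> dict:
    # Minimal CloudEvents 1.0 envelope; type and source are placeholder values.
    return {"specversion": "1.0", "id": sub_id, "type": "example.submission.created",
            "source": "/example/bff", "data": payload}

def create_best_effort(conn, payload: dict, emit) -> str:
    # 'Before': commit the row, then fire-and-forget; a failing emit is swallowed.
    sub_id = str(uuid.uuid4())
    with conn:
        conn.execute("INSERT INTO submission VALUES (?, ?)", (sub_id, json.dumps(payload)))
    try:
        emit(cloudevent(sub_id, payload))
    except Exception:
        pass  # the create stands, but nothing records that its event never left
    return sub_id

def create_with_outbox(conn, payload: dict) -> str:
    # 'After': the outbox row commits in the same transaction as the create.
    sub_id = str(uuid.uuid4())
    with conn:  # one transaction: both rows commit, or neither does
        conn.execute("INSERT INTO submission VALUES (?, ?)", (sub_id, json.dumps(payload)))
        conn.execute("INSERT INTO outbox (id, event) VALUES (?, ?)",
                     (str(uuid.uuid4()), json.dumps(cloudevent(sub_id, payload))))
    return sub_id

def relay_outbox(conn, emit) -> int:
    # Drain unpublished rows; a failing emit keeps the row for the next pass.
    published = 0
    rows = conn.execute("SELECT id, event FROM outbox WHERE published = 0 ORDER BY rowid").fetchall()
    for row_id, event in rows:
        try:
            emit(json.loads(event))
        except Exception:
            continue  # row stays pending and is retried on the next relay pass
        with conn:
            conn.execute("UPDATE outbox SET published = 1 WHERE id = ?", (row_id,))
        published += 1
    return published

def pending_events(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM outbox WHERE published = 0").fetchone()[0]
def failing_emit(event: dict) -> None:
    raise ConnectionError("sink unreachable")  # constructed stand-in for an outage
```

With the outbox, an outage at emit time leaves a pending row that the relay publishes later; with the best-effort path the same outage leaves a committed create and no trace of the lost event.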

Atelier — Platform Specification. Internal canonical reference.