Cross-project access, deny-by-default.

FederatedContract carries (SourceProjectId, TargetProjectId, EntityName, AccessMode, GrantedBy, GrantedAt, ExpiresAt, IsActive). Unique on the triple. Bidirectional needs two contracts.

AccessMode is typed. ReadOnly grants entity reads; ReadWrite grants reads plus writes. Cross-relation traversal honors the source's access mode.

EntityName='*' grants all entities in the source project. Useful for parent-to-child scenarios where the parent admin needs blanket data access. Always explicit, always auditable.

Active = IsActive=true AND no RevokedAt AND ExpiryPolicy.IsNotExpired(now). Fail-closed on malformed dates. ExpiryPolicy is the canonical helper across the platform.

FederationDiffAnalyzer covers Federation as one of the 19 typed manifest domains. Sandbox a contract change. Three-way merge handles cross-project conflicts.

IGovernanceEnvelopeValidator.ValidateFederationContractAsync enforces the descendant envelope's AllowedFederationTargets at mutation time. A child cannot federate beyond what its parent permits.

Anti-pattern #31 codified. No active contract → cross-project read denies. There is no implicit traversal across project boundaries — federation is opt-in by design.

Federation = simple per-entity grant. Installable surfaces = versioned + metered + state-machined + revocable. The two are designed to coexist; pick the right tool.

IFederationService — CreateContractAsync, RevokeContractAsync, HasActiveContractAsync, ListContractsBySourceAsync, ListContractsByTargetAsync. One canonical authority.