Merge Orchestration · Bag-of-Actions execution-substrate design doc #498
Merged
Records the mapping from the merge-orchestration runtime onto the bag-of-actions
continuation runtime (the owner-flagged alternative execution substrate), so the
build is ready the moment that repo is in session scope.
* lease -> capability route; no-double-merge -> Ephapax linear type;
attestation -> trust proof-chain; actuate hand-off -> Freeze/Thaw migration;
self-hosted BEAM mesh -> runs off GitHub Actions minutes (bears on the farm
billing question, which the owner has deferred).
* Integration sketch: a BatonEmitter on the hypatia side submitting armed
decisions as Batons whose required capability is {repo, github_merge_token};
a merge_pr action + capability facts on the bag-of-actions side.
DESIGN ONLY -- bag-of-actions is not in this session's scope, so its exact Baton
format / Bag.Mesh API could not be read first-hand; nothing is wired. LEDGER
v0.8.0 records this plus the P3/mass_squash farm landing (PR #79), the a5
draft-pending status, and the Dispatcher/actuate manifest-shape seam.
🔍 Hypatia Security Scan
Findings: 42 issues detected
[
{
"reason": "Repository has 5 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "src/ui/gossamer/README.adoc",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "scripts/ci-tools/Cargo.toml",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "scripts/bench-tools/Cargo.toml",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "ffi/zig/README.adoc",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "docs/reports/audit/audit-2026-04-15-post.md",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "docs/integration/github-registry.adoc",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "docs/integration/github-registry.adoc",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "docs/integration/a2ml-k9.md",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
},
{
"reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
"type": "CSA001",
"file": "docs/architecture/system-integration.md",
"action": "review",
"rule_module": "code_scanning_alerts",
"severity": "medium"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
hyperpolymath added a commit that referenced this pull request Jun 14, 2026
…a.validate_leases) (#499)

## k9 lease validator — audit the persisted lease store

The a5 follow-on you asked for. `KinGate.decide_acquire` prevents *bad acquires* at mint time; this validates the **persisted** lease store after the fact, catching coordination drift a live gate can't see across files.

- **`LeaseValidator.validate/2`** (pure) over a list of a5 lease records → violations:
  - `{:le1_no_ttl, id}` — a `held` lease with no `expires_at` (LE1)
  - `{:le2_meta_unauthorized, id}` — a `held` meta-territory lease without `owner_authorized` (LE2)
  - `{:stale, id}` — a `held` lease past its TTL (should have released/expired)
  - `{:overlap, repo, [id]}` — **≥2 live `held` leases on one repo** (the "one bot per repo" rule broken in the store)
- **`validate_store/2`** — reads the lease dir via `KinGate.FileStore` (decoder injectable).
- **`mix hypatia.validate_leases [--store PATH]`** — the runnable gate; exits non-zero on any violation.

This is exactly what the a5 standards `INTENT` probe I drafted points at (`.machine_readable/contractiles/trust/lease-validator.ncl`).

### Testing (actual, not looks-right)

**71 ExUnit, 0 failures** (was 64), mix-format-clean, scanner-clean:

```
71 tests, 0 failures
```

The **+7 LeaseValidator tests**: clean store, LE1 (no TTL), LE2 (meta unauthorized) + authorized-is-clean, stale (past TTL), overlap (two live held on one repo), different-repos/released-don't-overlap, and `validate_store` reading a real lease dir (injected codec).

### Scope / safety

- **Not auto-armed** — core-tier `lib/` + a Mix task, your review.
- Additive: one module + the task + its test. Complements `KinGate` (mint-time) with store-time auditing.

### Where this leaves the four items

- **Manifest-shape adapter** → merged (farm #80) — the loop is connected end-to-end.
- **k9 lease validator** → this PR.
- **BoA substrate design** → merged (#498); real integration still gated on `bag-of-actions` being added to scope.
- **a5 standards adoption** → drafted, awaiting your sign-off (I won't push to `standards`); the `INTENT` probe references this validator, so once you approve, the two click together.

LEDGER is at `v0.9.0` with the full state.

---

_Generated by [Claude Code](https://claude.ai/code/session_011GXPoh6pB6rm3jfeLHWMtc)_

Co-authored-by: Claude <noreply@anthropic.com>
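The four store-time checks listed in the commit message above can be modelled as one pure function. This is an added example, not the project's `LeaseValidator`: the module name and the fields `:id`, `:repo`, `:state` and `:territory` are assumptions, as is the reading of "live" as "held and not past its TTL".

```elixir
defmodule LeaseAuditSketch do
  # Added sketch. :expires_at and :owner_authorized are named in the commit
  # message; :id, :repo, :state and :territory are assumed field names.

  def validate(leases, now) do
    held = Enum.filter(leases, &(&1[:state] == "held"))

    le1 = for l <- held, is_nil(l[:expires_at]), do: {:le1_no_ttl, l.id}

    le2 =
      for l <- held, l[:territory] == "meta", l[:owner_authorized] != true do
        {:le2_meta_unauthorized, l.id}
      end

    stale = for l <- held, expired?(l, now), do: {:stale, l.id}

    # Assumption: "live" means held and not past its TTL; a held lease with
    # no TTL never expires, so it still counts towards overlap.
    overlap =
      held
      |> Enum.reject(&expired?(&1, now))
      |> Enum.group_by(& &1.repo, & &1.id)
      |> Enum.filter(fn {_repo, ids} -> length(ids) >= 2 end)
      |> Enum.map(fn {repo, ids} -> {:overlap, repo, ids} end)

    le1 ++ le2 ++ stale ++ overlap
  end

  defp expired?(%{expires_at: %DateTime{} = t}, now), do: DateTime.compare(t, now) == :lt
  defp expired?(_lease, _now), do: false
end

# Constructed sample store; every value below is made up for the example.
now = ~U[2026-06-14 12:00:00Z]

leases = [
  %{id: "a", repo: "alpha", state: "held", expires_at: ~U[2026-06-14 13:00:00Z]},
  %{id: "b", repo: "alpha", state: "held", expires_at: ~U[2026-06-14 12:30:00Z]},
  %{id: "c", repo: "beta", state: "held", expires_at: nil},
  %{id: "d", repo: "std", state: "held", territory: "meta", expires_at: ~U[2026-06-14 13:00:00Z]},
  %{id: "e", repo: "gamma", state: "held", expires_at: ~U[2026-06-14 11:00:00Z]},
  %{id: "f", repo: "gamma", state: "released", expires_at: ~U[2026-06-14 13:00:00Z]}
]

violations = LeaseAuditSketch.validate(leases, now)
IO.inspect(violations, label: "violations")
# Same contract as the gate described above: non-zero exit on any violation.
if violations != [], do: System.halt(1)
```

The released lease on `gamma` and the expired one do not count as an overlap, while the two unexpired held leases on `alpha` do.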
hyperpolymath added a commit that referenced this pull request Jun 14, 2026
…kend) (#500)

## BatonEmitter — actuate armed merges on the bag-of-actions mesh

Item #2 of what you picked: the real bag-of-actions integration. Since the repo still isn't in this session's MCP scope (your grant applies to a *new* session; the `add_repo` tool isn't available here), I read its **real API by public `git clone`** and built the integration **hypatia-side** — which is where it belongs anyway.

### What the real API turned out to be

`Bag.Mesh.submit_planned(spec, budget)` takes `%{check_id, command, required_cap, mutating?, risk?}`; the planner routes to the cheapest capable node and **gates `mutating: true` work on a verifier** — which *is* the independent re-verification. So a merge needs **no custom Ephapax action**: it's just a `command` (`gh pr merge …`) carrying `required_cap: "secret-access"` — the capability **only `mesh-github-runner` holds** in the estate `nodes.scm` (the token-bearer). The brain's node lacks it, so the Baton can't run on the brain and **migrates** to the runner: the token-free-brain invariant expressed as **capability routing**. No bag-of-actions changes needed.

### `Hypatia.MergeOrchestration.BatonEmitter`

- **`to_spec/2`** (pure) → the `submit_planned` spec, carrying `lease_id` + `route` + `rationale` as the trust/residue link.
- **`emit/2`** → submits one Baton per **armed** `Loop` entry (gate `{:armed, lease}`); deferred/flagged entries are skipped.

The `Bag.Mesh` call is **late-bound (`apply/3`) and injectable**, so this stays compile-decoupled from bag-of-actions and the logic tests run without it.

This is the alternative actuation backend to `merge-decisions.jsonl` from the #498 design doc — now real, not just sketched.

### Testing (actual, not looks-right)

**74 ExUnit, 0 failures** (was 71), mix-format-clean, scanner-clean:

```
74 tests, 0 failures
```

The **+3 BatonEmitter tests**: the spec shape (check_id, `gh pr merge` command, `required_cap: "secret-access"`, `mutating: true`, attestation), the method→gh-flag + aggressive-pool→`:high`-risk mapping, and that `emit` submits **only** armed entries (via an injected `submit`).

### Scope / what's left on BoA

- **Not auto-armed** — core-tier `lib/`, your review.
- The integration is complete on the hypatia side. The only remaining BoA step needs the repo in a session's MCP scope: wire `emit` into the live `Loop` as the actuation backend (alongside `write_manifest`) and register hypatia as a mesh node — **no new emitter logic**.

LEDGER `v0.10.0` records the real-API findings + this build.

---

_Generated by [Claude Code](https://claude.ai/code/session_011GXPoh6pB6rm3jfeLHWMtc)_

Co-authored-by: Claude <noreply@anthropic.com>
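The routing property described in the commit message above (work that needs `"secret-access"` cannot land on a node that lacks it, and mutating work waits on a verifier) can be modelled in a few lines. This is an added toy planner, not `Bag.Mesh` or the project's `BatonEmitter`: the module, the `"compute"` capability, the node costs, the lease ids and the verifier are all assumptions.

```elixir
defmodule CapRoutingSketch do
  # Toy planner, not Bag.Mesh. A node is %{name, caps, cost}; costs are made up.
  def route(spec, nodes, verifier) do
    capable = Enum.filter(nodes, &MapSet.member?(&1.caps, spec.required_cap))

    cond do
      # Fail closed: never fall back to a node that lacks the capability.
      capable == [] -> {:error, :no_capable_node}
      # Mutating work runs only after an independent verifier accepts the spec.
      spec.mutating and not verifier.(spec) -> {:error, :verifier_rejected}
      true -> {:ok, Enum.min_by(capable, & &1.cost).name}
    end
  end
end

# Constructed estate: the cheap node holds no secret, the runner does.
brain = %{name: "brain", caps: MapSet.new(["compute"]), cost: 1}
runner = %{name: "mesh-github-runner", caps: MapSet.new(["compute", "secret-access"]), cost: 5}

# Constructed spec; the command is left elided exactly as on the page.
merge = %{
  check_id: "merge-example-1",
  command: "gh pr merge …",
  required_cap: "secret-access",
  mutating: true,
  lease_id: "lease-1"
}

# Hypothetical verifier: accept only specs whose lease is still armed.
armed = MapSet.new(["lease-1"])
verifier = fn spec -> MapSet.member?(armed, spec.lease_id) end

# Routed to the token-bearing runner even though the brain is cheaper.
IO.inspect(CapRoutingSketch.route(merge, [brain, runner], verifier))
# Runner unavailable: the merge is refused instead of running on the brain.
IO.inspect(CapRoutingSketch.route(merge, [brain], verifier))
# Lease no longer armed: the verifier blocks the mutating command.
IO.inspect(CapRoutingSketch.route(%{merge | lease_id: "lease-2"}, [brain, runner], verifier))
```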
Bag-of-Actions — execution-substrate design (item #2 of the four you picked)

You pointed me at bag-of-actions, and it's an apt pointer: not a "bag of CI actions" but a "distributed OS for mobile continuations" (Batons, capability routing, Ephapax linear types, trust-attestation proof-chains, Freeze/Thaw, Bag.Mesh.submit). This doc records how the merge-orchestration runtime maps onto it — a near one-to-one structural fit — so the integration is ready to build the moment the repo is in scope.

docs/design/merge-orchestration/05-execution-substrate-bag-of-actions.adoc covers:

MapSet+lock) · a3 attestation → trust proof-chain · sense→actuate hand-off → Freeze/Thaw migration · self-hosted BEAM mesh → runs off GitHub-hosted Actions minutes.

BatonEmitter on the hypatia side that submits each armed decision as a Baton whose required capability is {repo, :github_merge_token} (which the brain doesn't hold, so it must migrate to the farm); a merge_pr action + capability facts on the BoA side. The JSONL manifest stays as the durable record/fallback; this is additive.

Status / honesty

DESIGN ONLY. bag-of-actions is not in this session's scope — the add_repo tool my setup references isn't available here, so I could only read its metadata + README (via public web), not its files. So I can't read the real Baton format / Bag.Mesh surface or build the integration from here. The doc says so plainly and lists exactly what's needed to build it once the repo is added.

Scope

.adoc + the LEDGER, now v0.8.0). Not armed — it's a design you specifically asked about, so it's for your read.

The LEDGER also now records the P3 + mass_squash farm landing (.git-private-farm#79, 10/10 conformance, admin-merge pending its dead CI), the a5 standards draft-pending status (I'll show it for your sign-off, not push), and a flagged manifest-shape seam between Dispatcher's output and actuate.sh's input.

Generated by Claude Code