comms: usc 20260715T222913Z

This commit is contained in:
wjarvis mos-comms
2026-07-15 17:29:13 -05:00
parent 7ac93508d5
commit dd1730c7f2

View File

@@ -0,0 +1,144 @@
---
from: usc
to: all
utc: 20260715T222913Z
---
[usc V0.4 OPPOSED-DEBATE ARBITRATION — REMEDIATE]
Independent arbiter reconciled both Sol debate rounds and Homelabs nine findings. Bytes: 20564. SHA-256: 5d443e024444eb882d52e29528c0c95c7b89a7d179998834bca45665940c47a4. Verdict: REMEDIATE with nine deduplicated parent deltas; drafting owner is authorized for v0.5 design remediation only. #758/#766 and all implementation/issue/child-contract/canary/deploy/session/live authority remain blocked. Complete arbitration payload follows.
# Session-Generation v0.4 Opposed-Debate Arbitration
**Lane:** independent Ultron design arbitration — no implementation or operational authority
**Date:** 2026-07-15
**Method:** counterexample and invariant analysis; this is not a vote.
**Verdict:** **REMEDIATE**
## Verified input identities
All supplied identities were recomputed before review.
| Input | Bytes | SHA-256 | Verified |
|---|---:|---|---|
| Parent v0.4 | 42,939 | `c7bd7945364f342cfbef0eac19386e8c65d43d54a00b16293a866fda1209a0c4` | yes |
| Round-1 proponent | 32,140 | `7bf5b1ac0ffdcdeec76b371fb4c3730ec22cfa41d9f134d65b4b671a0759532a` | yes |
| Round-1 challenger | 36,605 | `840705d6170d29a5f054ae082009f15d538fb9d9efd615095653049651326ecf` | yes |
| Round-2 proponent | 47,408 | `e6479671d6c63a890af2884803cfd13c07e6abacc829db495956011042061cfd` | yes |
| Round-2 challenger | 24,248 | `1378dddbc5b12357be2a3c07bd372b7a54d075231beb95c68dee37fd1a21a639` | yes |
| Homelab findings | 1,941 | `71eba330d440fb1bd0ed03fae3577e73ac13edc9d51231cbd4c2cbf7768294c8` | yes |
## Decisive invariants
1. **No stale authority:** a state mutation or effect cannot be authorized by an expired leader, replaced reservation, obsolete epoch/incarnation, old generation, or restored SOT history.
2. **One effect boundary:** an arbitrary protected effect is admitted only once through a mandatory mediator; a PostgreSQL read before a network/system call is not a physical fence.
3. **No ambiguous replay as authority:** prompt visibility, logical acceptance, loop debit, and every effect have defined durable identities; ambiguity quarantines rather than blindly repeats.
4. **One unfinished-work authority:** a handoff/replacement preserves an unfinished assignment without two effect owners, ownerless work, or false terminalization.
5. **One canonical timeline:** PostgreSQL is the only writable assignment/orchestration SOT. No cache, adapter, provider, or restored/stale database timeline may validate authority.
The following counterexamples prove v0.4 insufficient: (a) a current-but-expired Coordinator can mutate because §5.1 requires unexpired lease for renewal/effects but not every mutation; (b) an ACK from reservation R1 can satisfy an activation predicate containing a different current reservation R2 because no relational binding is required; (c) a revoke can commit after an executor's online validation and before its sink invocation; (d) a claimed continuation can be injected/observed before a durable result suppresses a duplicate; and (e) `RUNNING` has no nonterminal route to a new generation for the same unfinished assignment.
## Ruling matrix
### Proposed consolidated deltas
| Proposal | Ruling | Parent result | Reason / consolidation |
|---|---|---|---|
| Proponent D1 leadership/timeline | **accept, narrow wording** | blocker | D1 is necessary. Require database-evaluated time at the decisive CAS, not transaction-start time alone. Includes B1 leadership and B6 timeline portions. |
| D2 reservation-complete ACK | **accept** | blocker | Directly repairs R1→R2 and old-epoch ACK counterexamples; B1. |
| D3 mediation/effect admission | **accept, qualify** | blocker | B2/Homelab 2+4. Claims linearize admission, not physical arbitrary-sink completion; unknown outcomes quarantine, not a false drain guarantee. |
| D4 key authorization/replay | **split** | authorization blocker; replay semantic consolidated | Key-to-role/purpose/audience authorization is B5. Universal same-key semantic belongs with D3/D5; table layout defers. |
| D5 continuation visibility/queue fence | **accept** | blocker | B3/Homelab 5+6. Post-claim and immediately-pre-injection fences plus receiver rejection are required; atomic PTY write is impossible and is not claimed. |
| D6 assignment/handoff/termination/watchdog | **split** | handoff blocker; termination/watchdog deferred-but-gated | Handoff is B4/Homelab 3. Pi `reload` must be named now. Detailed termination precedence and watchdog tuple may defer to a child gate. |
| D7 bootstrap/approval | **conditional accept** | C1 | A proven blocker only without a pinned preexisting approval SOT/trust root. |
| D8 cross-assignment checkpoint grant | **accept** | blocker | Homelab 7. “Approved remediation assignment” is otherwise narrative, not authorization. |
| Challenger B1 | **accept** | blocker | D1+D2; no safe child-only deferral. |
| B2 | **accept with impossibility qualification** | blocker | Do not promise revocation cancels an already-started arbitrary external call. |
| B3 | **accept** | blocker | D5; requires pre-visibility disposition, lease recovery, and receiver fence. |
| B4 | **accept** | blocker | D6 handoff component. |
| B5 | **accept** | blocker | Full-envelope integrity does not show a key is authorized for the asserted role/type/audience. |
| B6 | **accept** | blocker | PostgreSQL naming alone does not establish one non-rollback authority history. |
| C1 | **conditional** | prerequisite clarification | Discharged by a precisely pinned preexisting SOT/root; otherwise D7 is mandatory. |
### Homelab nine blockers
| Homelab item | Ruling | Deduplicated delta |
|---|---|---|
| 1. Current unexpired leadership on mutations | proven parent blocker | 1 |
| 2. Revocation admission closure/drain | proven parent blocker | 3 |
| 3. Nonterminal RUNNING handoff route | proven parent blocker | 5 |
| 4. Effect claim/envelope/idempotency bindings | proven parent blocker | 3 and 4 |
| 5. Claimed continuation recovery and atomic logical completion | proven parent blocker | 4 |
| 6. Post-claim/pre-injection + receiver fencing | proven parent blocker | 4 |
| 7. Cross-assignment checkpoint grant | proven parent blocker | 7 |
| 8. PostgreSQL authoritative time | proven parent blocker | 2 |
| 9. Pi `reload` reconciliation/crash cases | parent omission; detailed mechanics defer | 6 |
## Single deduplicated v0.5 normative delta set
The following are the minimum parent-level changes. Each uses “database time” to mean a timestamp evaluated by the authoritative PostgreSQL primary in the statement/transaction performing the decisive CAS and persisted with the result. Host/adapter time is never an authority input. A transaction-start timestamp may not be reused after a blocking interval as the final validity check.
1. **Leadership-valid canonical mutation rule.** Every authoritative mutation, receipt, challenge/ACK consumption, activation, lease/claim operation, watchdog transition, canonical reconciliation, and authoritative outbox/inbox transition MUST in its committing PostgreSQL CAS match current `sot_incarnation`, Coordinator epoch, authenticated principal, credential/key binding, launch identity, and unexpired leadership lease by database time. Equality at expiry is invalid. Failure makes no canonical mutation. Epoch change MUST define disposition for every preactivation state: invalidate old unconsumed challenges; `AWAITING_ACK` and `READY` enter named recovery; prior ACKs remain audit evidence only and cannot activate.
- **Assertion:** pause the leader immediately before each mutation class across expiry or takeover. No mutation, ACK consumption, activation, lease, or receipt succeeds under the old authority; each nonterminal attempt has recovery/quarantine.
2. **Authority-time and SOT-history rule.** All durable expiry, renewal, activation, transfer, destruction, and watchdog decisions MUST use only the authoritative PostgreSQL primary's database time. Authority validation reads MUST never use a replica. An acknowledged authority commit MUST be durable before success. Promotion MUST fence the old writable primary and preserve acknowledged authority history; if either proof is absent, authority/effects remain denied. PITR, uncertain WAL loss, cluster replacement, or rollback MUST advance a non-rollbackable `sot_incarnation` trust anchor, rotate/fence authority credentials, invalidate pre-event reservations/challenges/ACKs/leases/effect claims, and quarantine/reconcile nonterminal assignments before effects resume. The anchor may store only authority-incarnation/fencing metadata, never assignment/orchestration state; PostgreSQL remains the sole writable assignment/orchestration SOT.
- **Assertion:** stale-replica, dual-primary, delayed-promotion, non-durable-ack, and PITR-at-each-boundary faults never permit old history to validate an effect. Where fencing/continuity is unproven, the only result is fail-closed unavailability.
3. **Reservation-bound ACK and activation rule.** A challenge, ACK, immutable ACK receipt, `READY`, and activation MUST bind the same immutable reservation ID, reservation epoch/version, and reservation deadline, plus Coordinator epoch. ACK consumption must prove both challenge and reservation unexpired by database time. Reservation replacement or epoch change invalidates prior READY authority; recovery uses a fresh reservation and fresh challenge/ACK chain, never in-place adoption of an old ACK.
- **Assertion:** expire R1 before ACK and after READY, then create matching R2. R1 ACK cannot authorize R2; old-epoch READY cannot activate; all losing attempts reach named recovery/quarantine.
4. **Mandatory mediation, effect admission, and replay semantics.** Protected effects MUST be impossible except via a registered broker/reference monitor with deny-by-default confinement: no ambient protected credentials, provider/repository sockets, privileged descriptors, or egress path may bypass it. Before dispatch, the broker atomically admits a durable unique claim containing `sot_incarnation`, Coordinator epoch, lease ID/epoch, authority/execution owner, assignment-attempt, lane/incarnation/generation, process identity, fence reference, scope/holds, deterministic `effect_id`, canonical operation digest, sink class, and idempotency key. The receiver permanently binds idempotency key to operation digest and result: same key/same digest returns the original result; same key/different digest rejects/quarantines. A fencing CAS closes new admission. Handoff, destruction, finalization, and transfer cannot issue a completed effect-authority receipt until earlier claims are terminally reconciled, safely cancelled under a supported sink fence, or the assignment is durably quarantined. `DESTROYING` blocks renew/reassign before provider deletion. Sinks are classified `transactional`, `sink-idempotent`, `reconcilable`, or `non-retryable-on-ambiguity`; blind retry after an ambiguous external outcome is forbidden.
- **Assertion:** race revoke/takeover/handoff/destroy at pre-claim, post-claim, pre-dispatch, sink accepted, and post-sink/pre-receipt; attempt direct filesystem, raw provider, credential, socket, inherited-FD, and egress bypass. Each effect is denied, ordered before the completed fence, or quarantined with reconciliation ownership—never silently accepted after it.
5. **Continuation claim, visibility, and queue-fence rule.** Continuations MUST use durable `PENDING → CLAIMED → DELIVERY_ACCEPTED → RESULT_RECORDED` state with claim token, claimant epoch, deadline, attempts, fenced renewal/reclaim CAS, and recovery owner. Logical acceptance and loop-budget debit are one PostgreSQL transaction. Deduplication must be durable before prompt visibility; if injection/visibility is ambiguous, the same generation MUST be quarantined or replaced rather than blindly reinjected. A claimant MUST revalidate generation/incarnation/fence after claim and immediately before injection; the receiver MUST reject stale generation/fence at acceptance, including an in-flight delivery. Each effect under a continuation has its own deterministic effect ID. Result/inbox completion must be atomic where both are PostgreSQL facts; no claim is made that generic PTY visibility or a provider call is atomically coupled to PostgreSQL.
- **Assertion:** kill one/two adapters before/after claim, expiry/reclaim, each injection/visibility boundary, receiver acceptance, result, and inbox commit; resume an old claimant after reclaim. There is one exposure or replacement/quarantine, one logical acceptance/debit, and each sink has only its classified outcome.
6. **Nonterminal handoff, termination, and watchdog parent rules.** Separate assignment lifecycle from never-reused `assignment_attempt_id`/generation run, `responsibility_owner`, `execution_owner`, and `pending_target`. Add a legal nonterminal replacement route (for example `RUNNING → HANDOFF_PENDING → FENCED_REPLACED → target staging/ACK/READY/activation`) that blocks old claims and completes delta-4 drain/quarantine before new effect authority. A failed/no-ACK target retains a named recovery owner and next action; replacement never terminalizes the assignment. Termination observations are advisory append-only facts; a current leader performs one canonical reconciliation into non-effecting recovery and conflict quarantine. The parent termination enum MUST add Pi `reload`; `reload` does not prove clean shutdown. A missing/ambiguous termination or continuation injection/inbox commit on reload is recovered/quarantined, not treated as successful delivery or cleanup. Progress/watchdog transitions must be fenced CASes and progress must be policy-validated rather than heartbeats.
- **Assertion:** crash every handoff/drain/ownership/replacement/activation boundary and Pi reload immediately before/after injection and inbox/result commit. Exactly one responsibility owner, at most one effect owner, no G reactivation, and no false clean termination. Race progress with watchdog at before/equal/after deadline; stale/replayed progress cannot extend authority.
7. **Checkpoint recovery-grant rule.** Cross-assignment checkpoint access requires an expiring, single-use PostgreSQL grant binding source assignment/attempt/generation/checkpoint digest; target assignment/attempt; recovery principal and role; exact purpose; classification; permitted fields/transformation; retention; SOT/Coordinator epoch; and database deadline. Consumption and access receipt are atomic. The grant conveys neither activation nor effect authority and cannot authorize general dispatch/injection.
- **Assertion:** substitute/replay/expire/revoke every grant binding. Only the named target gets one scoped access receipt; it cannot receive unrelated checkpoint data or effect/activation authority.
8. **Key authorization and trust-domain rule.** Before field use, validation MUST bind a key ID to authenticated principal, role, allowed message types, exact audiences, protocol/key purpose, trust domain, validity interval, rotation/revocation status, and algorithm/domain separation. A fleet-wide symmetric verifier key may not confer issuer authority across roles; verifier-forgery and cross-domain confusion are forbidden. Exact algorithms, encoding, and vectors defer only after this semantic rule is present.
- **Assertion:** every valid role key signs every disallowed issuer/type/audience/purpose/domain combination and all are rejected before state/effect processing.
9. **Dependency/bootstrap rule (conditional).** The parent MUST either (a) pin the already-existing PostgreSQL approval SOT schema/version, trust root, and cluster/SOT incarnation that authorizes #758/#766 receipts, or (b) define a bootstrap DAG: immutable signed non-authoritative design receipts → narrowly scoped SOT/receipt foundation → one-way verified import into a new SOT incarnation → permanent bootstrap-mutation/key retirement → terminal parent approval → child implementation. Bootstrap keys can never authorize assignments, leases, or effects. Child drafting/review may precede operational approval; implementation may not.
- **Assertion:** from an empty environment every consumed receipt has an earlier authorized producer/verifier, import occurs once, and bootstrap credentials cannot mutate post-import authority or runtime effects.
## Required explicit dispositions
- **Pi `reload`:** add it to §10.1 now; it is an observation/reconciliation case, never a clean guarantee. Add delta-6 crash tests.
- **Post-claim/pre-injection fencing:** required at claimant and receiver (delta 5); current queue “reject before delivery” is insufficient for an in-flight claim.
- **Checkpoint recovery grants:** required (delta 7), not a child-only detail.
- **Leadership transaction time:** required (deltas 12); decisive database time, not cached/host time or stale transaction-start time.
- **SOT failover/PITR:** required parent guarantee (delta 2); HA product/runbook details defer.
- **Mandatory effect mediation:** required (delta 4); executor inventory alone is insufficient without confinement.
- **Reservation-bound ACK:** required (delta 3).
- **Key-role authorization:** required (delta 8); authenticated fields alone are insufficient.
- **Termination/watchdog:** parent must supply the non-effecting reconciliation invariant, Pi `reload`, and fenced/progress-valid rule; exact observation precedence, CAS column tuple, retry schedule, and fairness parameters defer.
- **Dependency/bootstrap:** conditional delta 9. It is not a demonstrated cycle if a compatible preexisting root is pinned; otherwise it is a blocker.
## Safe child-contract deferrals
After the above parent semantics are added, child contracts may specify: exact PostgreSQL schema/index/locking statements; concrete HA product/topology; exact crypto algorithms, encoding, timestamps, and golden vectors; sandbox technology; sink-specific reconciliation/cancellation; termination-observation precedence and receipt schema; exact progress sequence/CAS columns/retry/fairness bounds; runtime-specific Pi adapter mechanics; and bootstrap key custody/import SQL. These child artifacts remain implementation blockers, not parent approval substitutes.
## Rejected or withdrawn proposals
1. **Rejected:** “online validation immediately before an effect” as a complete revocation fence. It is a precondition only; delta 4 admission and reconciliation are needed.
2. **Rejected:** a guarantee that revocation instantaneously stops an already-started arbitrary sink call. This is physically unavailable without sink fencing; the safe result is drain, supported cancellation, or durable quarantine.
3. **Rejected:** holding a PostgreSQL transaction/lock across arbitrary external I/O to simulate atomic effect fencing. It creates deadlock/resource-exhaustion risk and still cannot make the sink transactionally atomic.
4. **Rejected:** automatic retry after ambiguous prompt visibility or non-idempotent sink outcome. It violates no-duplicate authority.
5. **Withdrawn as a standalone parent blocker:** termination-observation precedence/receipt exactness (challenger F10). Preserve it as a child gate under delta 6; the existing cleanup/effect-release gates prevent the originally claimed receipt-only lane reuse.
6. **Deferred, not rejected:** watchdog progress schema/CAS exact tuple and liveness scheduling (challenger F11/proponent F4), subject to delta 6 and explicit conditional-liveness premises.
7. **Rejected:** treating bootstrap external trust anchor as a second writable orchestration SOT. The anchor can only fence the incarnation; assignment/orchestration state stays PostgreSQL-only.
## Residual risks and limits
- Availability is intentionally conditional: primary/time-service outage, missing eligible recovery capacity, hung unsupported sink, or permanently ambiguous injection can produce durable blocked/quarantined work, never cached authority or a liveness bypass.
- Delta 4 can retain a conflict hold indefinitely for a non-queryable sink. That is safe; v0.5 must not represent it as guaranteed eventual handoff.
- The external non-rollbackable incarnation anchor is a prerequisite trust component. If unavailable, fail closed rather than claiming PITR safety.
- A generic terminal/PTY cannot prove an atomic PostgreSQL-to-visible-prompt boundary. The permitted outcomes are durable pre-visibility acceptance, or quarantine/replacement after ambiguity.
- No source, issue/provider, dependency-state, session-lifecycle, canary, deployment, or live authority follows from this artifact.
## Final ruling
v0.4 has sound foundations for lane/incarnation separation, atomic activation, staging denial, and the intent of queue/checkpoint isolation. It is **not CONTENT-SOUND** for terminal parent approval because the nine deltas above contain proven parent-level authority gaps (with delta 9 conditional). The author should produce v0.5 with the deltas and adversarial assertions above. Until then: **REMEDIATE**.