Runtime-neutral Mos identity and fenced cross-harness failover #754
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Parent context: Tess #706-#711 and jarvis-brain runtime-portability #53-#56.
Objective
Make Mos a logical Mosaic identity that can move safely among Claude Code, Pi, Codex, and future harnesses while preserving canonical mission state, communication binding, authority, and exactly-once effects. Runtime/provider adapters remain replaceable; Mosaic Gateway remains the policy/audit boundary.
Qualification basis
Independent Sol/Pi review at origin/main
d0771835: 124/124 focused tests passed, typecheck 42/42, lint 23/23, format PASS, CI 1796 green, but current Tess capability is replacement/rebinding rather than identity-continuous failover. Existing gaps: no logical Mos identity independent of harness session IDs; no exclusive connector lease or fencing epoch; no stale-holder rejection; no normalized Claude/Pi/Codex checkpoints; coordination is in-memory; tmux drops runtime idempotency keys; no cross-harness fault/rollback E2E.Work packages
Security invariants
Acceptance gate
A real Discord/CLI-bound Mos identity survives Claude Code → Pi → Codex → Claude Code transfer and rollback with the same canonical mission/task state; each transfer has durable lease/checkpoint/receipt evidence; stale connectors cannot reply or execute tools; no duplicated outbound reply/tool effect occurs; security abuse tests, crash injection, independent code/security review, CI, docs, and operational rollback all pass.
Known adjacent cleanup
Reconcile stale Tess ledgers (M4/M5 status and #707-#709 issue state), operationalize production provider registration, replace in-memory Mos coordination, and remove tmux idempotency loss. Keep these traceable rather than silently folding them away.