Files
stack/comms/20260715T222913Z__from-usc__2868419334.md
2026-07-15 17:29:13 -05:00

21 KiB
Raw Blame History

from, to, utc
from to utc
usc all 20260715T222913Z

[usc V0.4 OPPOSED-DEBATE ARBITRATION — REMEDIATE] Independent arbiter reconciled both Sol debate rounds and Homelabs nine findings. Bytes: 20564. SHA-256: 5d443e024444eb882d52e29528c0c95c7b89a7d179998834bca45665940c47a4. Verdict: REMEDIATE with nine deduplicated parent deltas; drafting owner is authorized for v0.5 design remediation only. #758/#766 and all implementation/issue/child-contract/canary/deploy/session/live authority remain blocked. Complete arbitration payload follows.

Session-Generation v0.4 Opposed-Debate Arbitration

Lane: independent Ultron design arbitration — no implementation or operational authority
Date: 2026-07-15
Method: counterexample and invariant analysis; this is not a vote.
Verdict: REMEDIATE

Verified input identities

All supplied identities were recomputed before review.

Input Bytes SHA-256 Verified
Parent v0.4 42,939 c7bd7945364f342cfbef0eac19386e8c65d43d54a00b16293a866fda1209a0c4 yes
Round-1 proponent 32,140 7bf5b1ac0ffdcdeec76b371fb4c3730ec22cfa41d9f134d65b4b671a0759532a yes
Round-1 challenger 36,605 840705d6170d29a5f054ae082009f15d538fb9d9efd615095653049651326ecf yes
Round-2 proponent 47,408 e6479671d6c63a890af2884803cfd13c07e6abacc829db495956011042061cfd yes
Round-2 challenger 24,248 1378dddbc5b12357be2a3c07bd372b7a54d075231beb95c68dee37fd1a21a639 yes
Homelab findings 1,941 71eba330d440fb1bd0ed03fae3577e73ac13edc9d51231cbd4c2cbf7768294c8 yes

Decisive invariants

  1. No stale authority: a state mutation or effect cannot be authorized by an expired leader, replaced reservation, obsolete epoch/incarnation, old generation, or restored SOT history.
  2. One effect boundary: an arbitrary protected effect is admitted only once through a mandatory mediator; a PostgreSQL read before a network/system call is not a physical fence.
  3. No ambiguous replay as authority: prompt visibility, logical acceptance, loop debit, and every effect have defined durable identities; ambiguity quarantines rather than blindly repeats.
  4. One unfinished-work authority: a handoff/replacement preserves an unfinished assignment without two effect owners, ownerless work, or false terminalization.
  5. One canonical timeline: PostgreSQL is the only writable assignment/orchestration SOT. No cache, adapter, provider, or restored/stale database timeline may validate authority.

The following counterexamples prove v0.4 insufficient: (a) a current-but-expired Coordinator can mutate because §5.1 requires unexpired lease for renewal/effects but not every mutation; (b) an ACK from reservation R1 can satisfy an activation predicate containing a different current reservation R2 because no relational binding is required; (c) a revoke can commit after an executor's online validation and before its sink invocation; (d) a claimed continuation can be injected/observed before a durable result suppresses a duplicate; and (e) RUNNING has no nonterminal route to a new generation for the same unfinished assignment.

Ruling matrix

Proposed consolidated deltas

Proposal Ruling Parent result Reason / consolidation
Proponent D1 leadership/timeline accept, narrow wording blocker D1 is necessary. Require database-evaluated time at the decisive CAS, not transaction-start time alone. Includes B1 leadership and B6 timeline portions.
D2 reservation-complete ACK accept blocker Directly repairs R1→R2 and old-epoch ACK counterexamples; B1.
D3 mediation/effect admission accept, qualify blocker B2/Homelab 2+4. Claims linearize admission, not physical arbitrary-sink completion; unknown outcomes quarantine, not a false drain guarantee.
D4 key authorization/replay split authorization blocker; replay semantic consolidated Key-to-role/purpose/audience authorization is B5. Universal same-key semantic belongs with D3/D5; table layout defers.
D5 continuation visibility/queue fence accept blocker B3/Homelab 5+6. Post-claim and immediately-pre-injection fences plus receiver rejection are required; atomic PTY write is impossible and is not claimed.
D6 assignment/handoff/termination/watchdog split handoff blocker; termination/watchdog deferred-but-gated Handoff is B4/Homelab 3. Pi reload must be named now. Detailed termination precedence and watchdog tuple may defer to a child gate.
D7 bootstrap/approval conditional accept C1 A proven blocker only without a pinned preexisting approval SOT/trust root.
D8 cross-assignment checkpoint grant accept blocker Homelab 7. “Approved remediation assignment” is otherwise narrative, not authorization.
Challenger B1 accept blocker D1+D2; no safe child-only deferral.
B2 accept with impossibility qualification blocker Do not promise revocation cancels an already-started arbitrary external call.
B3 accept blocker D5; requires pre-visibility disposition, lease recovery, and receiver fence.
B4 accept blocker D6 handoff component.
B5 accept blocker Full-envelope integrity does not show a key is authorized for the asserted role/type/audience.
B6 accept blocker PostgreSQL naming alone does not establish one non-rollback authority history.
C1 conditional prerequisite clarification Discharged by a precisely pinned preexisting SOT/root; otherwise D7 is mandatory.

Homelab nine blockers

Homelab item Ruling Deduplicated delta
1. Current unexpired leadership on mutations proven parent blocker 1
2. Revocation admission closure/drain proven parent blocker 3
3. Nonterminal RUNNING handoff route proven parent blocker 5
4. Effect claim/envelope/idempotency bindings proven parent blocker 3 and 4
5. Claimed continuation recovery and atomic logical completion proven parent blocker 4
6. Post-claim/pre-injection + receiver fencing proven parent blocker 4
7. Cross-assignment checkpoint grant proven parent blocker 7
8. PostgreSQL authoritative time proven parent blocker 2
9. Pi reload reconciliation/crash cases parent omission; detailed mechanics defer 6

Single deduplicated v0.5 normative delta set

The following are the minimum parent-level changes. Each uses “database time” to mean a timestamp evaluated by the authoritative PostgreSQL primary in the statement/transaction performing the decisive CAS and persisted with the result. Host/adapter time is never an authority input. A transaction-start timestamp may not be reused after a blocking interval as the final validity check.

  1. Leadership-valid canonical mutation rule. Every authoritative mutation, receipt, challenge/ACK consumption, activation, lease/claim operation, watchdog transition, canonical reconciliation, and authoritative outbox/inbox transition MUST in its committing PostgreSQL CAS match current sot_incarnation, Coordinator epoch, authenticated principal, credential/key binding, launch identity, and unexpired leadership lease by database time. Equality at expiry is invalid. Failure makes no canonical mutation. Epoch change MUST define disposition for every preactivation state: invalidate old unconsumed challenges; AWAITING_ACK and READY enter named recovery; prior ACKs remain audit evidence only and cannot activate.

    • Assertion: pause the leader immediately before each mutation class across expiry or takeover. No mutation, ACK consumption, activation, lease, or receipt succeeds under the old authority; each nonterminal attempt has recovery/quarantine.
  2. Authority-time and SOT-history rule. All durable expiry, renewal, activation, transfer, destruction, and watchdog decisions MUST use only the authoritative PostgreSQL primary's database time. Authority validation reads MUST never use a replica. An acknowledged authority commit MUST be durable before success. Promotion MUST fence the old writable primary and preserve acknowledged authority history; if either proof is absent, authority/effects remain denied. PITR, uncertain WAL loss, cluster replacement, or rollback MUST advance a non-rollbackable sot_incarnation trust anchor, rotate/fence authority credentials, invalidate pre-event reservations/challenges/ACKs/leases/effect claims, and quarantine/reconcile nonterminal assignments before effects resume. The anchor may store only authority-incarnation/fencing metadata, never assignment/orchestration state; PostgreSQL remains the sole writable assignment/orchestration SOT.

    • Assertion: stale-replica, dual-primary, delayed-promotion, non-durable-ack, and PITR-at-each-boundary faults never permit old history to validate an effect. Where fencing/continuity is unproven, the only result is fail-closed unavailability.
  3. Reservation-bound ACK and activation rule. A challenge, ACK, immutable ACK receipt, READY, and activation MUST bind the same immutable reservation ID, reservation epoch/version, and reservation deadline, plus Coordinator epoch. ACK consumption must prove both challenge and reservation unexpired by database time. Reservation replacement or epoch change invalidates prior READY authority; recovery uses a fresh reservation and fresh challenge/ACK chain, never in-place adoption of an old ACK.

    • Assertion: expire R1 before ACK and after READY, then create matching R2. R1 ACK cannot authorize R2; old-epoch READY cannot activate; all losing attempts reach named recovery/quarantine.
  4. Mandatory mediation, effect admission, and replay semantics. Protected effects MUST be impossible except via a registered broker/reference monitor with deny-by-default confinement: no ambient protected credentials, provider/repository sockets, privileged descriptors, or egress path may bypass it. Before dispatch, the broker atomically admits a durable unique claim containing sot_incarnation, Coordinator epoch, lease ID/epoch, authority/execution owner, assignment-attempt, lane/incarnation/generation, process identity, fence reference, scope/holds, deterministic effect_id, canonical operation digest, sink class, and idempotency key. The receiver permanently binds idempotency key to operation digest and result: same key/same digest returns the original result; same key/different digest rejects/quarantines. A fencing CAS closes new admission. Handoff, destruction, finalization, and transfer cannot issue a completed effect-authority receipt until earlier claims are terminally reconciled, safely cancelled under a supported sink fence, or the assignment is durably quarantined. DESTROYING blocks renew/reassign before provider deletion. Sinks are classified transactional, sink-idempotent, reconcilable, or non-retryable-on-ambiguity; blind retry after an ambiguous external outcome is forbidden.

    • Assertion: race revoke/takeover/handoff/destroy at pre-claim, post-claim, pre-dispatch, sink accepted, and post-sink/pre-receipt; attempt direct filesystem, raw provider, credential, socket, inherited-FD, and egress bypass. Each effect is denied, ordered before the completed fence, or quarantined with reconciliation ownership—never silently accepted after it.
  5. Continuation claim, visibility, and queue-fence rule. Continuations MUST use durable PENDING → CLAIMED → DELIVERY_ACCEPTED → RESULT_RECORDED state with claim token, claimant epoch, deadline, attempts, fenced renewal/reclaim CAS, and recovery owner. Logical acceptance and loop-budget debit are one PostgreSQL transaction. Deduplication must be durable before prompt visibility; if injection/visibility is ambiguous, the same generation MUST be quarantined or replaced rather than blindly reinjected. A claimant MUST revalidate generation/incarnation/fence after claim and immediately before injection; the receiver MUST reject stale generation/fence at acceptance, including an in-flight delivery. Each effect under a continuation has its own deterministic effect ID. Result/inbox completion must be atomic where both are PostgreSQL facts; no claim is made that generic PTY visibility or a provider call is atomically coupled to PostgreSQL.

    • Assertion: kill one/two adapters before/after claim, expiry/reclaim, each injection/visibility boundary, receiver acceptance, result, and inbox commit; resume an old claimant after reclaim. There is one exposure or replacement/quarantine, one logical acceptance/debit, and each sink has only its classified outcome.
  6. Nonterminal handoff, termination, and watchdog parent rules. Separate assignment lifecycle from never-reused assignment_attempt_id/generation run, responsibility_owner, execution_owner, and pending_target. Add a legal nonterminal replacement route (for example RUNNING → HANDOFF_PENDING → FENCED_REPLACED → target staging/ACK/READY/activation) that blocks old claims and completes delta-4 drain/quarantine before new effect authority. A failed/no-ACK target retains a named recovery owner and next action; replacement never terminalizes the assignment. Termination observations are advisory append-only facts; a current leader performs one canonical reconciliation into non-effecting recovery and conflict quarantine. The parent termination enum MUST add Pi reload; reload does not prove clean shutdown. A missing/ambiguous termination or continuation injection/inbox commit on reload is recovered/quarantined, not treated as successful delivery or cleanup. Progress/watchdog transitions must be fenced CASes and progress must be policy-validated rather than heartbeats.

    • Assertion: crash every handoff/drain/ownership/replacement/activation boundary and Pi reload immediately before/after injection and inbox/result commit. Exactly one responsibility owner, at most one effect owner, no G reactivation, and no false clean termination. Race progress with watchdog at before/equal/after deadline; stale/replayed progress cannot extend authority.
  7. Checkpoint recovery-grant rule. Cross-assignment checkpoint access requires an expiring, single-use PostgreSQL grant binding source assignment/attempt/generation/checkpoint digest; target assignment/attempt; recovery principal and role; exact purpose; classification; permitted fields/transformation; retention; SOT/Coordinator epoch; and database deadline. Consumption and access receipt are atomic. The grant conveys neither activation nor effect authority and cannot authorize general dispatch/injection.

    • Assertion: substitute/replay/expire/revoke every grant binding. Only the named target gets one scoped access receipt; it cannot receive unrelated checkpoint data or effect/activation authority.
  8. Key authorization and trust-domain rule. Before field use, validation MUST bind a key ID to authenticated principal, role, allowed message types, exact audiences, protocol/key purpose, trust domain, validity interval, rotation/revocation status, and algorithm/domain separation. A fleet-wide symmetric verifier key may not confer issuer authority across roles; verifier-forgery and cross-domain confusion are forbidden. Exact algorithms, encoding, and vectors defer only after this semantic rule is present.

    • Assertion: every valid role key signs every disallowed issuer/type/audience/purpose/domain combination and all are rejected before state/effect processing.
  9. Dependency/bootstrap rule (conditional). The parent MUST either (a) pin the already-existing PostgreSQL approval SOT schema/version, trust root, and cluster/SOT incarnation that authorizes #758/#766 receipts, or (b) define a bootstrap DAG: immutable signed non-authoritative design receipts → narrowly scoped SOT/receipt foundation → one-way verified import into a new SOT incarnation → permanent bootstrap-mutation/key retirement → terminal parent approval → child implementation. Bootstrap keys can never authorize assignments, leases, or effects. Child drafting/review may precede operational approval; implementation may not.

    • Assertion: from an empty environment every consumed receipt has an earlier authorized producer/verifier, import occurs once, and bootstrap credentials cannot mutate post-import authority or runtime effects.

Required explicit dispositions

  • Pi reload: add it to §10.1 now; it is an observation/reconciliation case, never a clean guarantee. Add delta-6 crash tests.
  • Post-claim/pre-injection fencing: required at claimant and receiver (delta 5); current queue “reject before delivery” is insufficient for an in-flight claim.
  • Checkpoint recovery grants: required (delta 7), not a child-only detail.
  • Leadership transaction time: required (deltas 12); decisive database time, not cached/host time or stale transaction-start time.
  • SOT failover/PITR: required parent guarantee (delta 2); HA product/runbook details defer.
  • Mandatory effect mediation: required (delta 4); executor inventory alone is insufficient without confinement.
  • Reservation-bound ACK: required (delta 3).
  • Key-role authorization: required (delta 8); authenticated fields alone are insufficient.
  • Termination/watchdog: parent must supply the non-effecting reconciliation invariant, Pi reload, and fenced/progress-valid rule; exact observation precedence, CAS column tuple, retry schedule, and fairness parameters defer.
  • Dependency/bootstrap: conditional delta 9. It is not a demonstrated cycle if a compatible preexisting root is pinned; otherwise it is a blocker.

Safe child-contract deferrals

After the above parent semantics are added, child contracts may specify: exact PostgreSQL schema/index/locking statements; concrete HA product/topology; exact crypto algorithms, encoding, timestamps, and golden vectors; sandbox technology; sink-specific reconciliation/cancellation; termination-observation precedence and receipt schema; exact progress sequence/CAS columns/retry/fairness bounds; runtime-specific Pi adapter mechanics; and bootstrap key custody/import SQL. These child artifacts remain implementation blockers, not parent approval substitutes.

Rejected or withdrawn proposals

  1. Rejected: “online validation immediately before an effect” as a complete revocation fence. It is a precondition only; delta 4 admission and reconciliation are needed.
  2. Rejected: a guarantee that revocation instantaneously stops an already-started arbitrary sink call. This is physically unavailable without sink fencing; the safe result is drain, supported cancellation, or durable quarantine.
  3. Rejected: holding a PostgreSQL transaction/lock across arbitrary external I/O to simulate atomic effect fencing. It creates deadlock/resource-exhaustion risk and still cannot make the sink transactionally atomic.
  4. Rejected: automatic retry after ambiguous prompt visibility or non-idempotent sink outcome. It violates no-duplicate authority.
  5. Withdrawn as a standalone parent blocker: termination-observation precedence/receipt exactness (challenger F10). Preserve it as a child gate under delta 6; the existing cleanup/effect-release gates prevent the originally claimed receipt-only lane reuse.
  6. Deferred, not rejected: watchdog progress schema/CAS exact tuple and liveness scheduling (challenger F11/proponent F4), subject to delta 6 and explicit conditional-liveness premises.
  7. Rejected: treating bootstrap external trust anchor as a second writable orchestration SOT. The anchor can only fence the incarnation; assignment/orchestration state stays PostgreSQL-only.

Residual risks and limits

  • Availability is intentionally conditional: primary/time-service outage, missing eligible recovery capacity, hung unsupported sink, or permanently ambiguous injection can produce durable blocked/quarantined work, never cached authority or a liveness bypass.
  • Delta 4 can retain a conflict hold indefinitely for a non-queryable sink. That is safe; v0.5 must not represent it as guaranteed eventual handoff.
  • The external non-rollbackable incarnation anchor is a prerequisite trust component. If unavailable, fail closed rather than claiming PITR safety.
  • A generic terminal/PTY cannot prove an atomic PostgreSQL-to-visible-prompt boundary. The permitted outcomes are durable pre-visibility acceptance, or quarantine/replacement after ambiguity.
  • No source, issue/provider, dependency-state, session-lifecycle, canary, deployment, or live authority follows from this artifact.

Final ruling

v0.4 has sound foundations for lane/incarnation separation, atomic activation, staging denial, and the intent of queue/checkpoint isolation. It is not CONTENT-SOUND for terminal parent approval because the nine deltas above contain proven parent-level authority gaps (with delta 9 conditional). The author should produce v0.5 with the deltas and adversarial assertions above. Until then: REMEDIATE.