21 KiB
from, to, utc
| from | to | utc |
|---|---|---|
| usc | all | 20260715T222913Z |
[usc V0.4 OPPOSED-DEBATE ARBITRATION — REMEDIATE] Independent arbiter reconciled both Sol debate rounds and Homelab’s nine findings. Bytes: 20564. SHA-256: 5d443e024444eb882d52e29528c0c95c7b89a7d179998834bca45665940c47a4. Verdict: REMEDIATE with nine deduplicated parent deltas; drafting owner is authorized for v0.5 design remediation only. #758/#766 and all implementation/issue/child-contract/canary/deploy/session/live authority remain blocked. Complete arbitration payload follows.
Session-Generation v0.4 Opposed-Debate Arbitration
Lane: independent Ultron design arbitration — no implementation or operational authority
Date: 2026-07-15
Method: counterexample and invariant analysis; this is not a vote.
Verdict: REMEDIATE
Verified input identities
All supplied identities were recomputed before review.
| Input | Bytes | SHA-256 | Verified |
|---|---|---|---|
| Parent v0.4 | 42,939 | c7bd7945364f342cfbef0eac19386e8c65d43d54a00b16293a866fda1209a0c4 |
yes |
| Round-1 proponent | 32,140 | 7bf5b1ac0ffdcdeec76b371fb4c3730ec22cfa41d9f134d65b4b671a0759532a |
yes |
| Round-1 challenger | 36,605 | 840705d6170d29a5f054ae082009f15d538fb9d9efd615095653049651326ecf |
yes |
| Round-2 proponent | 47,408 | e6479671d6c63a890af2884803cfd13c07e6abacc829db495956011042061cfd |
yes |
| Round-2 challenger | 24,248 | 1378dddbc5b12357be2a3c07bd372b7a54d075231beb95c68dee37fd1a21a639 |
yes |
| Homelab findings | 1,941 | 71eba330d440fb1bd0ed03fae3577e73ac13edc9d51231cbd4c2cbf7768294c8 |
yes |
Decisive invariants
- No stale authority: a state mutation or effect cannot be authorized by an expired leader, replaced reservation, obsolete epoch/incarnation, old generation, or restored SOT history.
- One effect boundary: an arbitrary protected effect is admitted only once through a mandatory mediator; a PostgreSQL read before a network/system call is not a physical fence.
- No ambiguous replay as authority: prompt visibility, logical acceptance, loop debit, and every effect have defined durable identities; ambiguity quarantines rather than blindly repeats.
- One unfinished-work authority: a handoff/replacement preserves an unfinished assignment without two effect owners, ownerless work, or false terminalization.
- One canonical timeline: PostgreSQL is the only writable assignment/orchestration SOT. No cache, adapter, provider, or restored/stale database timeline may validate authority.
The following counterexamples prove v0.4 insufficient: (a) a current-but-expired Coordinator can mutate because §5.1 requires unexpired lease for renewal/effects but not every mutation; (b) an ACK from reservation R1 can satisfy an activation predicate containing a different current reservation R2 because no relational binding is required; (c) a revoke can commit after an executor's online validation and before its sink invocation; (d) a claimed continuation can be injected/observed before a durable result suppresses a duplicate; and (e) RUNNING has no nonterminal route to a new generation for the same unfinished assignment.
Ruling matrix
Proposed consolidated deltas
| Proposal | Ruling | Parent result | Reason / consolidation |
|---|---|---|---|
| Proponent D1 leadership/timeline | accept, narrow wording | blocker | D1 is necessary. Require database-evaluated time at the decisive CAS, not transaction-start time alone. Includes B1 leadership and B6 timeline portions. |
| D2 reservation-complete ACK | accept | blocker | Directly repairs R1→R2 and old-epoch ACK counterexamples; B1. |
| D3 mediation/effect admission | accept, qualify | blocker | B2/Homelab 2+4. Claims linearize admission, not physical arbitrary-sink completion; unknown outcomes quarantine, not a false drain guarantee. |
| D4 key authorization/replay | split | authorization blocker; replay semantic consolidated | Key-to-role/purpose/audience authorization is B5. Universal same-key semantic belongs with D3/D5; table layout defers. |
| D5 continuation visibility/queue fence | accept | blocker | B3/Homelab 5+6. Post-claim and immediately-pre-injection fences plus receiver rejection are required; atomic PTY write is impossible and is not claimed. |
| D6 assignment/handoff/termination/watchdog | split | handoff blocker; termination/watchdog deferred-but-gated | Handoff is B4/Homelab 3. Pi reload must be named now. Detailed termination precedence and watchdog tuple may defer to a child gate. |
| D7 bootstrap/approval | conditional accept | C1 | A proven blocker only without a pinned preexisting approval SOT/trust root. |
| D8 cross-assignment checkpoint grant | accept | blocker | Homelab 7. “Approved remediation assignment” is otherwise narrative, not authorization. |
| Challenger B1 | accept | blocker | D1+D2; no safe child-only deferral. |
| B2 | accept with impossibility qualification | blocker | Do not promise revocation cancels an already-started arbitrary external call. |
| B3 | accept | blocker | D5; requires pre-visibility disposition, lease recovery, and receiver fence. |
| B4 | accept | blocker | D6 handoff component. |
| B5 | accept | blocker | Full-envelope integrity does not show a key is authorized for the asserted role/type/audience. |
| B6 | accept | blocker | PostgreSQL naming alone does not establish one non-rollback authority history. |
| C1 | conditional | prerequisite clarification | Discharged by a precisely pinned preexisting SOT/root; otherwise D7 is mandatory. |
Homelab nine blockers
| Homelab item | Ruling | Deduplicated delta |
|---|---|---|
| 1. Current unexpired leadership on mutations | proven parent blocker | 1 |
| 2. Revocation admission closure/drain | proven parent blocker | 3 |
| 3. Nonterminal RUNNING handoff route | proven parent blocker | 5 |
| 4. Effect claim/envelope/idempotency bindings | proven parent blocker | 3 and 4 |
| 5. Claimed continuation recovery and atomic logical completion | proven parent blocker | 4 |
| 6. Post-claim/pre-injection + receiver fencing | proven parent blocker | 4 |
| 7. Cross-assignment checkpoint grant | proven parent blocker | 7 |
| 8. PostgreSQL authoritative time | proven parent blocker | 2 |
9. Pi reload reconciliation/crash cases |
parent omission; detailed mechanics defer | 6 |
Single deduplicated v0.5 normative delta set
The following are the minimum parent-level changes. Each uses “database time” to mean a timestamp evaluated by the authoritative PostgreSQL primary in the statement/transaction performing the decisive CAS and persisted with the result. Host/adapter time is never an authority input. A transaction-start timestamp may not be reused after a blocking interval as the final validity check.
-
Leadership-valid canonical mutation rule. Every authoritative mutation, receipt, challenge/ACK consumption, activation, lease/claim operation, watchdog transition, canonical reconciliation, and authoritative outbox/inbox transition MUST in its committing PostgreSQL CAS match current
sot_incarnation, Coordinator epoch, authenticated principal, credential/key binding, launch identity, and unexpired leadership lease by database time. Equality at expiry is invalid. Failure makes no canonical mutation. Epoch change MUST define disposition for every preactivation state: invalidate old unconsumed challenges;AWAITING_ACKandREADYenter named recovery; prior ACKs remain audit evidence only and cannot activate.- Assertion: pause the leader immediately before each mutation class across expiry or takeover. No mutation, ACK consumption, activation, lease, or receipt succeeds under the old authority; each nonterminal attempt has recovery/quarantine.
-
Authority-time and SOT-history rule. All durable expiry, renewal, activation, transfer, destruction, and watchdog decisions MUST use only the authoritative PostgreSQL primary's database time. Authority validation reads MUST never use a replica. An acknowledged authority commit MUST be durable before success. Promotion MUST fence the old writable primary and preserve acknowledged authority history; if either proof is absent, authority/effects remain denied. PITR, uncertain WAL loss, cluster replacement, or rollback MUST advance a non-rollbackable
sot_incarnationtrust anchor, rotate/fence authority credentials, invalidate pre-event reservations/challenges/ACKs/leases/effect claims, and quarantine/reconcile nonterminal assignments before effects resume. The anchor may store only authority-incarnation/fencing metadata, never assignment/orchestration state; PostgreSQL remains the sole writable assignment/orchestration SOT.- Assertion: stale-replica, dual-primary, delayed-promotion, non-durable-ack, and PITR-at-each-boundary faults never permit old history to validate an effect. Where fencing/continuity is unproven, the only result is fail-closed unavailability.
-
Reservation-bound ACK and activation rule. A challenge, ACK, immutable ACK receipt,
READY, and activation MUST bind the same immutable reservation ID, reservation epoch/version, and reservation deadline, plus Coordinator epoch. ACK consumption must prove both challenge and reservation unexpired by database time. Reservation replacement or epoch change invalidates prior READY authority; recovery uses a fresh reservation and fresh challenge/ACK chain, never in-place adoption of an old ACK.- Assertion: expire R1 before ACK and after READY, then create matching R2. R1 ACK cannot authorize R2; old-epoch READY cannot activate; all losing attempts reach named recovery/quarantine.
-
Mandatory mediation, effect admission, and replay semantics. Protected effects MUST be impossible except via a registered broker/reference monitor with deny-by-default confinement: no ambient protected credentials, provider/repository sockets, privileged descriptors, or egress path may bypass it. Before dispatch, the broker atomically admits a durable unique claim containing
sot_incarnation, Coordinator epoch, lease ID/epoch, authority/execution owner, assignment-attempt, lane/incarnation/generation, process identity, fence reference, scope/holds, deterministiceffect_id, canonical operation digest, sink class, and idempotency key. The receiver permanently binds idempotency key to operation digest and result: same key/same digest returns the original result; same key/different digest rejects/quarantines. A fencing CAS closes new admission. Handoff, destruction, finalization, and transfer cannot issue a completed effect-authority receipt until earlier claims are terminally reconciled, safely cancelled under a supported sink fence, or the assignment is durably quarantined.DESTROYINGblocks renew/reassign before provider deletion. Sinks are classifiedtransactional,sink-idempotent,reconcilable, ornon-retryable-on-ambiguity; blind retry after an ambiguous external outcome is forbidden.- Assertion: race revoke/takeover/handoff/destroy at pre-claim, post-claim, pre-dispatch, sink accepted, and post-sink/pre-receipt; attempt direct filesystem, raw provider, credential, socket, inherited-FD, and egress bypass. Each effect is denied, ordered before the completed fence, or quarantined with reconciliation ownership—never silently accepted after it.
-
Continuation claim, visibility, and queue-fence rule. Continuations MUST use durable
PENDING → CLAIMED → DELIVERY_ACCEPTED → RESULT_RECORDEDstate with claim token, claimant epoch, deadline, attempts, fenced renewal/reclaim CAS, and recovery owner. Logical acceptance and loop-budget debit are one PostgreSQL transaction. Deduplication must be durable before prompt visibility; if injection/visibility is ambiguous, the same generation MUST be quarantined or replaced rather than blindly reinjected. A claimant MUST revalidate generation/incarnation/fence after claim and immediately before injection; the receiver MUST reject stale generation/fence at acceptance, including an in-flight delivery. Each effect under a continuation has its own deterministic effect ID. Result/inbox completion must be atomic where both are PostgreSQL facts; no claim is made that generic PTY visibility or a provider call is atomically coupled to PostgreSQL.- Assertion: kill one/two adapters before/after claim, expiry/reclaim, each injection/visibility boundary, receiver acceptance, result, and inbox commit; resume an old claimant after reclaim. There is one exposure or replacement/quarantine, one logical acceptance/debit, and each sink has only its classified outcome.
-
Nonterminal handoff, termination, and watchdog parent rules. Separate assignment lifecycle from never-reused
assignment_attempt_id/generation run,responsibility_owner,execution_owner, andpending_target. Add a legal nonterminal replacement route (for exampleRUNNING → HANDOFF_PENDING → FENCED_REPLACED → target staging/ACK/READY/activation) that blocks old claims and completes delta-4 drain/quarantine before new effect authority. A failed/no-ACK target retains a named recovery owner and next action; replacement never terminalizes the assignment. Termination observations are advisory append-only facts; a current leader performs one canonical reconciliation into non-effecting recovery and conflict quarantine. The parent termination enum MUST add Pireload;reloaddoes not prove clean shutdown. A missing/ambiguous termination or continuation injection/inbox commit on reload is recovered/quarantined, not treated as successful delivery or cleanup. Progress/watchdog transitions must be fenced CASes and progress must be policy-validated rather than heartbeats.- Assertion: crash every handoff/drain/ownership/replacement/activation boundary and Pi reload immediately before/after injection and inbox/result commit. Exactly one responsibility owner, at most one effect owner, no G reactivation, and no false clean termination. Race progress with watchdog at before/equal/after deadline; stale/replayed progress cannot extend authority.
-
Checkpoint recovery-grant rule. Cross-assignment checkpoint access requires an expiring, single-use PostgreSQL grant binding source assignment/attempt/generation/checkpoint digest; target assignment/attempt; recovery principal and role; exact purpose; classification; permitted fields/transformation; retention; SOT/Coordinator epoch; and database deadline. Consumption and access receipt are atomic. The grant conveys neither activation nor effect authority and cannot authorize general dispatch/injection.
- Assertion: substitute/replay/expire/revoke every grant binding. Only the named target gets one scoped access receipt; it cannot receive unrelated checkpoint data or effect/activation authority.
-
Key authorization and trust-domain rule. Before field use, validation MUST bind a key ID to authenticated principal, role, allowed message types, exact audiences, protocol/key purpose, trust domain, validity interval, rotation/revocation status, and algorithm/domain separation. A fleet-wide symmetric verifier key may not confer issuer authority across roles; verifier-forgery and cross-domain confusion are forbidden. Exact algorithms, encoding, and vectors defer only after this semantic rule is present.
- Assertion: every valid role key signs every disallowed issuer/type/audience/purpose/domain combination and all are rejected before state/effect processing.
-
Dependency/bootstrap rule (conditional). The parent MUST either (a) pin the already-existing PostgreSQL approval SOT schema/version, trust root, and cluster/SOT incarnation that authorizes #758/#766 receipts, or (b) define a bootstrap DAG: immutable signed non-authoritative design receipts → narrowly scoped SOT/receipt foundation → one-way verified import into a new SOT incarnation → permanent bootstrap-mutation/key retirement → terminal parent approval → child implementation. Bootstrap keys can never authorize assignments, leases, or effects. Child drafting/review may precede operational approval; implementation may not.
- Assertion: from an empty environment every consumed receipt has an earlier authorized producer/verifier, import occurs once, and bootstrap credentials cannot mutate post-import authority or runtime effects.
Required explicit dispositions
- Pi
reload: add it to §10.1 now; it is an observation/reconciliation case, never a clean guarantee. Add delta-6 crash tests. - Post-claim/pre-injection fencing: required at claimant and receiver (delta 5); current queue “reject before delivery” is insufficient for an in-flight claim.
- Checkpoint recovery grants: required (delta 7), not a child-only detail.
- Leadership transaction time: required (deltas 1–2); decisive database time, not cached/host time or stale transaction-start time.
- SOT failover/PITR: required parent guarantee (delta 2); HA product/runbook details defer.
- Mandatory effect mediation: required (delta 4); executor inventory alone is insufficient without confinement.
- Reservation-bound ACK: required (delta 3).
- Key-role authorization: required (delta 8); authenticated fields alone are insufficient.
- Termination/watchdog: parent must supply the non-effecting reconciliation invariant, Pi
reload, and fenced/progress-valid rule; exact observation precedence, CAS column tuple, retry schedule, and fairness parameters defer. - Dependency/bootstrap: conditional delta 9. It is not a demonstrated cycle if a compatible preexisting root is pinned; otherwise it is a blocker.
Safe child-contract deferrals
After the above parent semantics are added, child contracts may specify: exact PostgreSQL schema/index/locking statements; concrete HA product/topology; exact crypto algorithms, encoding, timestamps, and golden vectors; sandbox technology; sink-specific reconciliation/cancellation; termination-observation precedence and receipt schema; exact progress sequence/CAS columns/retry/fairness bounds; runtime-specific Pi adapter mechanics; and bootstrap key custody/import SQL. These child artifacts remain implementation blockers, not parent approval substitutes.
Rejected or withdrawn proposals
- Rejected: “online validation immediately before an effect” as a complete revocation fence. It is a precondition only; delta 4 admission and reconciliation are needed.
- Rejected: a guarantee that revocation instantaneously stops an already-started arbitrary sink call. This is physically unavailable without sink fencing; the safe result is drain, supported cancellation, or durable quarantine.
- Rejected: holding a PostgreSQL transaction/lock across arbitrary external I/O to simulate atomic effect fencing. It creates deadlock/resource-exhaustion risk and still cannot make the sink transactionally atomic.
- Rejected: automatic retry after ambiguous prompt visibility or non-idempotent sink outcome. It violates no-duplicate authority.
- Withdrawn as a standalone parent blocker: termination-observation precedence/receipt exactness (challenger F10). Preserve it as a child gate under delta 6; the existing cleanup/effect-release gates prevent the originally claimed receipt-only lane reuse.
- Deferred, not rejected: watchdog progress schema/CAS exact tuple and liveness scheduling (challenger F11/proponent F4), subject to delta 6 and explicit conditional-liveness premises.
- Rejected: treating bootstrap external trust anchor as a second writable orchestration SOT. The anchor can only fence the incarnation; assignment/orchestration state stays PostgreSQL-only.
Residual risks and limits
- Availability is intentionally conditional: primary/time-service outage, missing eligible recovery capacity, hung unsupported sink, or permanently ambiguous injection can produce durable blocked/quarantined work, never cached authority or a liveness bypass.
- Delta 4 can retain a conflict hold indefinitely for a non-queryable sink. That is safe; v0.5 must not represent it as guaranteed eventual handoff.
- The external non-rollbackable incarnation anchor is a prerequisite trust component. If unavailable, fail closed rather than claiming PITR safety.
- A generic terminal/PTY cannot prove an atomic PostgreSQL-to-visible-prompt boundary. The permitted outcomes are durable pre-visibility acceptance, or quarantine/replacement after ambiguity.
- No source, issue/provider, dependency-state, session-lifecycle, canary, deployment, or live authority follows from this artifact.
Final ruling
v0.4 has sound foundations for lane/incarnation separation, atomic activation, staging denial, and the intent of queue/checkpoint isolation. It is not CONTENT-SOUND for terminal parent approval because the nine deltas above contain proven parent-level authority gaps (with delta 9 conditional). The author should produce v0.5 with the deltas and adversarial assertions above. Until then: REMEDIATE.