Skip to content

Merge Orchestration · live operational Loop (sense → deliberate → gate → manifest)#495

Merged
hyperpolymath merged 1 commit into
mainfrom
claude/peaceful-pascal-IRlgq
Jun 14, 2026
Merged

Merge Orchestration · live operational Loop (sense → deliberate → gate → manifest)#495
hyperpolymath merged 1 commit into
mainfrom
claude/peaceful-pascal-IRlgq

Conversation

@hyperpolymath

@hyperpolymath hyperpolymath commented Jun 14, 2026

Copy link
Copy Markdown
Owner

The live operational loop — where the gate finally bites

The runtime spine + the three operationalisation pieces are all merged, but they were unconnected modules. Hypatia.MergeOrchestration.Loop is the single entry point that threads them into one real run over the shared store:

observations ─▶ Sensor.sense ─▶ (KinCompetence) ─▶ Strategist/KinCouncil ─▶ KinGate ─▶ merge-decisions.jsonl

Why this is more than a sequencer

This is the first place KinGate actually constrains Dispatcher output. A decision stays auto_execute only if it can claim the repo. Two layers of mutual exclusion:

  • In-cycle — at most one armed PR per repo per run. A second same-repo arm is deferred to report_only (tracked with a MapSet through the fold), so the actuator never receives two auto_execute entries for a repo whose base is about to move. (The persistent lease alone wouldn't catch this — both arms come from the same holder, so KinGate would renew, not conflict.)
  • Cross-agent / cross-cycleKinGate acquires the persistent per-repo lease; if another holder (another agent, or a still-live previous cycle) holds it, the arm is deferred.
  • Meta — refused at the gate (LE2), defence-in-depth behind the Strategist's own meta ⇒ flag.

A deferred arm is rewritten to report_only with a [gate:…] rationale, so the actuator's independent re-verification sees a non-executable entry.

Token-free by construction

The loop only reads the store (observations the farm producer deposited, signed attestations, pool policies) and writes the manifest + lease records. The actuator (.git-private-farm, the PAT holder) is a separate process that reads the manifest and merges — the loop never calls it.

Store layout under opts[:store]: observations/ · pools/ · attestations/ · leases/ · merge-decisions.jsonl.

Design / testability

  • plan/6 is pure given an injected acquire fn — the gate logic tests with no filesystem.
  • run/1 is the thin I/O shell; JSON codec injectable (Jason in prod), :trust takes a GoT snapshot (empty ⇒ uniform council), :now overridable.

Testing (actual, not looks-right)

58 ExUnit, 0 failures (was 54) under Elixir 1.14, mix-format-clean, scanner-clean:

58 tests, 0 failures

The +4 Loop tests exercise the gate for real (over the actual FileStore):

  • two same-repo arms in one cycle → first auto_execute, second report_only (same-repo-this-cycle);
  • an arm when another holder already holds the repo lease → report_only (lease-held:robot-repo-automaton);
  • a mixed cycle → %{total: 4, armed: 2, deferred: 0, review: 1, flagged: 1}, gating only the arms;
  • a full run/1 over a real store of observation/pool/attestation files → reads, gates, writes the manifest, persists the lease.
  • plus a Jason-guarded run/1 (real JSON codec) that runs in CI.

Scope / safety

  • Not auto-armed — core-tier lib/, your review.
  • Additive: one new module + its test; no change to any existing module.

Where this leaves it

The pipeline now runs end to end in one callLoop.run(store: …) does sense → deliberate → gate → manifest. The only thing left is a scheduled trigger (a Mix task or a tick on an existing GenServer) that calls Loop.run/1 on a cron with a live GoT trust snapshot (KinCompetence.trust_from_got/2) — pure wiring to an existing scheduler, no new brain logic — plus the owner follow-ons (a5 standards adoption; P3 handshake + mass_squash in the actuator; the farm Actions-billing fix).

Generated by Claude Code

@claude
feat(merge-orchestration): live operational Loop -- where the gate fi…
cd97438 
…nally bites

One entry point threading the merged modules over the shared store:

  observations -> Sensor.sense -> (KinCompetence) -> Strategist/KinCouncil
               -> KinGate -> merge-decisions.jsonl

This is the first place KinGate actually constrains Dispatcher output. A
decision stays auto_execute only if it CLAIMS the repo; two mutual-exclusion
layers:
  * in-cycle -- at most one armed PR per repo per run (a 2nd same-repo arm is
    deferred to report_only via a MapSet), so the actuator never gets two
    auto_execute entries for a repo whose base is about to move;
  * cross-agent / cross-cycle -- KinGate acquires the persistent per-repo lease;
    another holder (another agent, or a still-live previous cycle) -> deferred.
  * meta claims refused at the gate (LE2) -- defence in depth behind the
    Strategist's meta=>flag guard.

Token-free: the loop only READS the store (observations the farm producer
deposited, signed attestations, pool policies) and WRITES the manifest + lease
records. The actuator is a separate process that reads the manifest and merges.

plan/6 is pure given an injected acquire fn (gate logic tests with no
filesystem); run/1 is the thin I/O shell; JSON codec injectable (Jason in prod).

58 ExUnit (was 54): +4 Loop -- in-cycle dedup, cross-agent lease conflict (both
via the real FileStore gate), mixed-cycle stats, full store->manifest round-trip;
+1 Jason-guarded. 0 failures, local elixir 1.14, mix-format-clean, scanner-clean.
@github-actions

github-actions Bot commented Jun 14, 2026

Copy link
Copy Markdown

🔍 Hypatia Security Scan

Findings: 42 issues detected

Severity Count
🔴 Critical 0
🟠 High 0
🟡 Medium 42
View findings 
[
  {
    "reason": "Repository has 5 non-main remote branch(es). Policy: single main branch only.",
    "type": "GS007",
    "file": ".",
    "action": "delete_remote_branches",
    "rule_module": "git_state",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "src/ui/gossamer/README.adoc",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "scripts/ci-tools/Cargo.toml",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "scripts/bench-tools/Cargo.toml",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "ffi/zig/README.adoc",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "docs/reports/audit/audit-2026-04-15-post.md",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "docs/integration/github-registry.adoc",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "docs/integration/github-registry.adoc",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "docs/integration/a2ml-k9.md",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  },
  {
    "reason": "Code scanning (Hypatia): hypatia/structural_drift/SD022 -- Hypatia structural_drift: SD022 -- 11 day(s) old",
    "type": "CSA001",
    "file": "docs/architecture/system-integration.md",
    "action": "review",
    "rule_module": "code_scanning_alerts",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath merged commit 32da8f2 into main Jun 14, 2026
36 checks passed
@hyperpolymath hyperpolymath deleted the claude/peaceful-pascal-IRlgq branch June 14, 2026 12:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@hyperpolymath @claude