Remote Execution Proof Contract

Remote Execution Proof Contract

GloriousFlywheel currently proves Bazel shared-cache acceleration and explicit, non-default REAPI proof lanes for //app:build, //app:unit_tests, tinyland-inc/omux.xoxd.ai //:unit_tests, tinyland-inc/omux.xoxd.ai //:build, Jesssullivan/jesssullivan.github.io //:types_unit_tests, Jesssullivan/MassageIthaca //:booking_operation_unit_tests, Jesssullivan/MassageIthaca //:svelte_check_test, Jesssullivan/MassageIthaca //:tsc_noemit_test, Jesssullivan/MassageIthaca //:playwright_tmd_smoke, Jesssullivan/MassageIthaca //:sveltekit_node_build, tinyland-inc/tinyland.dev //packages/tinyland-grafana:test, tinyland-inc/tinyland.dev //:app_typecheck, tinyland-inc/tinyland.dev //:app_build, tinyland-inc/tinyland.dev //packages/tinyland-a11y-engine:typecheck, tinyland-inc/tinyland.dev //:playwright_local_route_smoke, tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke, //:deployment_bundle, //docs-site:build, the WAS-110 public input handoff target, and narrow pure-Go, cgo-backed Go, Rust, C++, browser-smoke, and web package target classes. It does not yet provide broad or default Bazel remote execution.

This document defines the backend-neutral proof contract for the first countable remote-execution lane. It is intentionally not an implementation guide for BuildBuddy, Buildbarn, Buildfarm, NativeLink, or any other peer backend.

For the operator-facing architecture and usage overview, see Bazel Remote Execution.

Current Boundary

The operational repo surface must stay cache-backed unless an operator selects the opt-in executor-backed mode:

  • .bazelrc must not contain executor endpoint literals or placeholder --remote_executor= values
  • ordinary workflows and Just build recipes must remain cache-backed by default
  • scripts/bazel-cache-backed.sh may pass --remote_executor only when BAZEL_REMOTE_EXECUTOR is set and the strict contract classifies the shell as executor-backed
  • BAZEL_REMOTE_CACHE remains the only default Bazel substrate endpoint
  • ARC and GitHub Actions remote jobs do not count as Bazel remote execution

just rbe-boundary-check enforces this boundary.

The explicit proof wrapper is scripts/bazel-rbe-proof.sh. It is excluded from normal operational use by requiring GF_RBE_PROOF_MODE=explicit and by keeping executor endpoints out of .bazelrc, default Just build recipes, and ordinary CI workflows.

The wrapper defaults to the Bazel build command. Remote test promotion must explicitly select the Bazel test command through GF_RBE_PROOF_BAZEL_COMMAND=test or --bazel-command test; building a js_test target is not sufficient evidence that the test runner executed remotely.

The repo-managed operational wrapper, scripts/bazel-cache-backed.sh, supports a separate executor-backed mode after the proof gate. That mode requires both BAZEL_REMOTE_CACHE and BAZEL_REMOTE_EXECUTOR; the wrapper passes each as an explicit Bazel CLI option and keeps shared-cache-backed as the default when no executor is configured.

ARC Runner Endpoint Wiring

The ARC runner module exposes bazel_executor_endpoint as an optional, backend-neutral source for BAZEL_REMOTE_EXECUTOR. It is empty by default and requires bazel_cache_endpoint when set, so runner pods keep separate cache and executor authorities. When configured, the module injects:

  • BAZEL_REMOTE_CACHE
  • BAZEL_REMOTE_EXECUTOR
  • GF_BAZEL_SUBSTRATE_MODE=executor-backed
  • GF_BAZEL_REMOTE_EXECUTION_PLATFORM

Leaving bazel_executor_endpoint empty keeps ARC runners in the current shared-cache-backed posture. This wiring does not make all runner jobs or all Bazel targets RBE-eligible; target-class promotion still goes through config/rbe-target-eligibility.json.

The proof wrapper accepts BAZEL_REPOSITORY_CACHE, BAZEL_DISTDIR, and GF_BAZEL_INJECT_REPOSITORIES so external input authority can be tested in the same explicit REAPI lane. Injected repositories must be verified repo=/absolute/path handoffs before Bazel starts; the wrapper passes them as repeated --inject_repository flags.

Spoke Proof Request And Result Contract

Spoke repositories and ci-templates must not prove executor-backed Bazel by running raw local Bazel or by scraping ordinary CI logs. They request a GloriousFlywheel-owned proof run and consume the resulting artifact.

The caller-facing request shape is docs/contracts/gf-reapi-spoke-proof-request.schema.json. It names the digest-pinned worker image, target, Bazel command, platform identity, optional remote_executor, consumer repository/ref, checkout authority, external-input handoff flags, apply, and force_execution. remote_executor is an endpoint selector only; signing material, mTLS credentials, notary credentials, keychains, and deploy keys must not be passed through request fields or Bazel CLI arguments.

For Darwin proofs, operators should use scripts/dispatch-darwin-rbe-proof.sh instead of manually assembling workflow_dispatch inputs. The wrapper defaults to dry-run, requires an explicit target and grpc(s):// Darwin endpoint, rejects the Linux gf-rbe endpoint, and passes --platform gloriousflywheel-rbe-darwin-aarch64 through the existing proof workflow. The target must also be classified as candidate or proved for gloriousflywheel-rbe-darwin-aarch64 in config/rbe-target-eligibility.json; Linux target eligibility and contract-test placeholder labels do not qualify. Use --dispatch only after the dry-run command and optional --probe-endpoint check match the intended endpoint and target.

Before dispatching, use scripts/check-darwin-rbe-proof-readiness.sh or just darwin-rbe-proof-readiness ... with the same digest, target, command, and Darwin endpoint. The readiness check validates the Darwin platform contracts, renders the dry-run dispatch command, confirms apply=false and forced execution in the workflow inputs, and can optionally check GitHub workflow visibility or hard-bounded TCP reachability. The reachability probe is only endpoint readiness and still is not RBE evidence. The readiness wrapper intentionally has no --dispatch mode; the dispatch step stays in scripts/dispatch-darwin-rbe-proof.sh.

The historical //:darwin_package label is intentionally blocked as a contract-test placeholder. For the tummycrypt package workload, the next green step is no longer “add any Bazel surface”; the downstream repository now has a Bzlmod package-rule fixture at //build/macos:darwin_package_fixture_contract. That target is explicitly fixture-only and must not be promoted. The first finite non-fixture label is now //build/macos:darwin_package_release_artifacts_unsigned, which assembles an unsigned package from pinned v0.12.14 release artifacts. That label is a Darwin candidate for unsigned package-assembly proof only. Signed, notarized, or stapled package claims still require a separate target or proof lane with executor-side signing custody, no public/shared action-cache writes for secret-bearing steps, and darwin-signing-custody.json evidence.

The artifact-facing result shape is docs/contracts/gf-reapi-proof-result.schema.json. Every successful gf-reapi-cell-proof.yml run now uploads proof-result.json beside the existing logs. The stable fields for ci-templates, site.scaffold, and spoke docs are:

  • request.target
  • request.bazel_command
  • request.consumer_repository
  • request.consumer_ref
  • request.workflow_run_id
  • worker_image_digest
  • platform
  • executor
  • remote_cache
  • executor_attached
  • cache_attached
  • force_execution
  • remote_processes
  • remote_cache_hits
  • action_cache_hits
  • countable_remote_execution
  • cache_hits_only
  • distdir_manifest_inputs

The only countable RBE result is countable_remote_execution=true. A result with remote_cache_hits > 0 but remote_processes == 0 is cache evidence only. ARC runner placement, GitHub-hosted execution, and cache hits are not executor-backed proof.

scripts/verify-gf-reapi-proof-artifact.sh validates both the legacy text evidence and the machine-readable proof-result.json. It rejects drift between the JSON result and the underlying Bazel/worker logs, so downstream consumers can treat the JSON as the stable API while the raw logs remain audit evidence. For hosted workflow runs, use scripts/download-gf-reapi-proof-artifact.sh with the GitHub Actions run id or URL. The helper requires a completed successful GF REAPI Cell Proof run by default, downloads gf-reapi-cell-proof-${run_id}, then delegates to the verifier with the same target, platform, digest, force-execution, distdir, injected-repository, and Darwin signing/notary/staple gates. Downloading an artifact is not evidence by itself; the verifier must pass before citing the run as countable proof.

For consumer proofs, scripts/bazel-rbe-proof.sh --workspace <dir> runs the Bazel invocation from a checked-out consumer workspace while keeping the executor-bearing wrapper, cache preflight, and evidence contract in GloriousFlywheel. This is the supported path for cross-repo public-input canaries such as WAS-110 without making raw bazel --remote_executor a normal operator instruction. Set GF_RBE_PROOF_BAZEL_CONFIG= when the consumer workspace does not define GloriousFlywheel’s default ci-cached config; the wrapper still passes the explicit remote cache and executor flags.

Private consumer-repository proofs use the hosted GitHub App credential path when require_consumer_app_token=true and TRANCHE_PROOF_GH_APP_CLIENT_ID or TRANCHE_PROOF_GH_APP_ID plus TRANCHE_PROOF_GH_APP_PRIVATE_KEY are configured. The workflow mints a repository-scoped checkout token for supported owners (tinyland-inc and Jesssullivan) with contents: read and passes it only to actions/checkout for the consumer workspace with persist-credentials: false. Public consumer proofs leave require_consumer_app_token=false and use the workflow’s default GITHUB_TOKEN checkout path.

The only supported non-App private checkout escape hatch is explicit: consumer_checkout_authority=repo-scoped-deploy-key or consumer_checkout_authority=owner-scoped-secret, used instead of require_consumer_app_token=true. The deploy-key path uses fixed per-repo secrets named GF_REAPI_CONSUMER_CHECKOUT_SSH_KEY_TINYLAND_DEV and GF_REAPI_CONSUMER_CHECKOUT_SSH_KEY_MASSAGEITHACA. The token path uses fixed repository secrets named GF_REAPI_CONSUMER_CHECKOUT_TOKEN_TINYLAND_INC or GF_REAPI_CONSUMER_CHECKOUT_TOKEN_JESSSULLIVAN, selected by consumer owner. Both paths check out with persist-credentials: false. These are proof-only authority paths for TIN-1127; they do not permit broad PAT workflow inputs and do not make the checkout result RBE evidence.

An actions/create-github-app-token failure saying The permissions requested are not granted to this installation. means the hosted GitHub App lacks repository Contents: Read-only on that installation, or the organization has not approved the permission update yet. It is private authority debt: checkout authority when minting a consumer checkout token, and external-input authority when minting a private archive/distdir token. It must not be counted as RBE target evidence.

The current private web consumer evidence is explicit. MassageIthaca run 25928429263 used the repo-scoped deploy-key authority, checked out Jesssullivan/MassageIthaca, forced execution, reported 3319 remote processes, and passed //:booking_operation_unit_tests; that is narrow private Vite/Vitest target evidence. MassageIthaca run 25938855554 used the same checkout authority, forced execution, proof nonce 20260515T200641Z-25938855554-1, reported 3319 remote processes, and passed //:svelte_check_test with remote sveltekit_sync_bin_/sveltekit_sync_bin, test-setup.sh svelte_check_test_/svelte_check_test, and generate-xml.sh evidence; that is narrow private SvelteKit/svelte-check target evidence. MassageIthaca run 25948484331 used the same checkout authority, forced execution, proof nonce 20260516T005553Z-25948484331-1, reported 3319 remote processes, and passed //:tsc_noemit_test with remote sveltekit_sync_bin_/sveltekit_sync_bin, test-setup.sh tsc_noemit_test_/tsc_noemit_test, and generate-xml.sh evidence; that is narrow private TypeScript no-emit target evidence. MassageIthaca run 25953478878 used the same checkout authority, forced execution, proof nonce 20260516T050753Z-25953478878-1, reported 3318 remote processes, and passed //:playwright_tmd_smoke with remote sveltekit_sync_bin_/sveltekit_sync_bin, vite_build_bin_/vite_build_bin, test-setup.sh playwright_tmd_smoke_/playwright_tmd_smoke, and generate-xml.sh evidence; that is narrow private Playwright TMD smoke evidence over built Vite/SvelteKit output. MassageIthaca run 25983800544 used the same checkout authority, forced execution, proof nonce 20260517T064447Z-25983800544-1, reported 3193 remote processes, and passed //:sveltekit_node_build with remote lifecycle-hook execution for esbuild, msw, and sharp, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0; that is narrow private SvelteKit/Vite production-build evidence. tinyland.dev run 25928429273 used the same checkout authority and got past checkout, then failed before target analysis because Bazel tried to fetch the private tinyland-schemas v0.2.4 archive without external-input auth or distdir placement and GitHub returned 404 Not Found. The tag/release exists. Follow-up proof 25933145419 reached //packages/tinyland-grafana:test through a verified private codeload distdir handoff, forced remote-first execution with no remote-local fallback, reported 4 remote processes, and produced remote test-setup worker evidence, but failed on Grafana test environment semantics. tinyland.dev PR #401 fixed that test hermeticity issue. Main proof 25935041748 then passed //packages/tinyland-grafana:test with the repo-scoped deploy key, verified tummycrypt_tinyland_schemas:0.2.4 codeload distdir handoff, forced execution, proof nonce 20260515T184435Z-25935041748-1, 1531 processes: 468 remote cache hit, 1059 internal, 4 remote, and remote test-setup.sh packages/tinyland-grafana/test_/test evidence. This promotes one private tinyland.dev Grafana package Vitest class only. The codeload handoff remains proof-run staging rather than durable mirror or repository-cache authority. Main proof 25970619559 then passed tinyland-inc/tinyland.dev //:app_typecheck with GitHub App checkout authority, the same verified tummycrypt_tinyland_schemas:0.2.4 private distdir handoff, forced execution, proof nonce 20260516T191944Z-25970619559-1, 5578 processes: 1 action cache hit, 2567 remote cache hit, 2955 internal, 56 remote, remote TypeScript tsc, remote Svelte build tool, remote Vite build tool, remote app_typecheck_tool, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. This promotes one private root app typecheck class only. It does not prove all tinyland.dev builds, all tinyland.dev tests, browser E2E, the Vite production build class, durable private mirror authority, broad/default web RBE, or CAS/action-cache backend suitability. Main proof 25978934708 then passed tinyland-inc/tinyland.dev //:app_build with GitHub App checkout authority, the same verified tummycrypt_tinyland_schemas:0.2.4 private distdir handoff, forced execution, proof nonce 20260517T021820Z-25978934708-1, 6146 processes: 3125 remote cache hit, 2959 internal, 62 remote, remote TypeScript package fanout, remote JsRunBinary app_build.log, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. This promotes one private root Vite/SvelteKit production-build class only. It does not prove all tinyland.dev builds/tests, browser E2E, deployed app behavior, durable private mirror authority, broad/default web RBE, or CAS/action-cache backend suitability. Main proof 25989829826 then passed tinyland-inc/tinyland.dev //:playwright_local_route_smoke with GitHub App checkout authority, the same verified tummycrypt_tinyland_schemas:0.2.4 private distdir handoff, forced execution, proof nonce 20260517T114200Z-25989829826-1, 6155 processes: 3139 remote cache hit, 2963 internal, 53 remote, remote TypeScript tsc, remote Vite build-tool execution, remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, remote generate-xml.sh, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. The target starts a loopback SvelteKit Node server inside the Bazel test action, fetches /legal/privacy, renders the returned route HTML through Playwright page.setContent with JavaScript disabled, asserts DOM textContent, and shuts the server down. This promotes one private local-server Playwright route-smoke class only. It does not prove all Playwright, all tinyland.dev routes, deployed E2E, full app behavior, durable private mirror authority, broad/default web RBE, or CAS/action-cache backend suitability. Main proof 26051698671 then passed tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke with GitHub App checkout authority, the same verified tummycrypt_tinyland_schemas:0.2.4 private distdir handoff, forced execution, proof nonce 20260518T181314Z-26051698671-1, consumer main commit dcb859f658092dc2a6c0f33223cb9ec9a4055c18, 6319 processes: 1 action cache hit, 3135 remote cache hit, 3052 internal, 132 remote, remote npm lifecycle-hook execution for @tailwindcss/oxide, sharp, and esbuild, remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. The target starts a loopback SvelteKit Node server inside the Bazel test action, fetches /legal/privacy, renders the returned route HTML through Puppeteer page.setContent with JavaScript disabled, asserts DOM textContent, and shuts the server down. This promotes one private local-server Puppeteer route-smoke class only. It does not prove all Puppeteer, all tinyland.dev routes, deployed E2E, full app behavior, durable private mirror authority, broad/default web RBE, or CAS/action-cache backend suitability.

The operator proof harness, scripts/run-gf-reapi-cell-proof.sh, is also excluded from normal operational use. It only renders/applies the digest-pinned GF REAPI Cell manifest and calls scripts/bazel-rbe-proof.sh after GF_RBE_PROOF_MODE=explicit and GF_REAPI_CELL_DIGEST are provided. It forwards the selected Bazel command so build proofs and test proofs cannot be confused in artifact evidence.

Endpoint Contract

The executor contract is separate from the existing cache contract:

variable purpose current status
BAZEL_REMOTE_CACHE action-cache and CAS cache acceleration implemented and proved
BAZEL_REMOTE_EXECUTOR REAPI action execution endpoint opt-in executor-backed mode
GF_BAZEL_SUBSTRATE_MODE selected Bazel substrate mode executor, cache, or local

Executor wrappers must validate cache and executor endpoints independently and pass them to Bazel as explicit CLI options. Do not use literal rc placeholders for endpoints.

The first in-repo endpoint implementation is the GF-owned GF REAPI Cell. It is a minimal proof service, not a selection of a third-party backend and not a promotion of RustFS to RBE CAS/action-cache authority.

Platform Name

The first proved backend-neutral platform identity is:

gloriousflywheel-rbe-linux-x86_64

The first candidate Darwin platform identity is:

gloriousflywheel-rbe-darwin-aarch64

These names describe execution contracts, not backend implementations or node identities. Do not encode repo names, owner names, honey, sting, xoxd-bates, or a peer backend name into a platform identity.

The machine-readable platform contract is docs/contracts/rbe-platform-contracts.json. The Darwin worker/toolchain and signing-custody contract is docs/contracts/rbe-darwin-worker-toolchain-model.json. Validate both with:

just rbe-platform-contracts-check

The platform is only countable after a real backend proves these properties:

  • Linux userspace
  • x86_64 CPU architecture
  • pinned worker image by digest
  • no implicit access to repository-local host paths
  • no implicit network access for actions unless the target documents it
  • no ambient secrets in the action environment
  • action logs expose enough executor evidence to distinguish remote execution from remote cache hits

For gloriousflywheel-rbe-darwin-aarch64, the countable platform proof is not the Linux gf-rbe Kubernetes manifest. It requires apply=false, an operator-provided macOS REAPI endpoint passed as remote_executor / BAZEL_REMOTE_EXECUTOR, --platform gloriousflywheel-rbe-darwin-aarch64, forced remote execution, nonzero remote processes, and a target-class entry in config/rbe-target-eligibility.json. Signed, notarized, or stapled artifacts also require executor-side signing-custody evidence: ephemeral keychain import, keychain cleanup, redacted logs, and notarization/staple assessment output.

Darwin release-artifact proofs that claim signed, notarized, or stapled outputs must include darwin-signing-custody.json in the proof evidence directory. The machine-readable shape is docs/contracts/rbe-darwin-signing-custody-evidence.schema.json. This file records evidence booleans and artifact names only. It must never carry certificate material, notary credentials, keychain passwords, provisioning profile bodies, or mTLS material. Release lanes should verify it with scripts/verify-gf-reapi-proof-artifact.sh --require-darwin-signing-custody, and add --require-darwin-notarization or --require-darwin-stapling when the artifact claim includes those states.

Proof Targets

RBE Target Eligibility Manifest

The machine-checkable target-class gate is config/rbe-target-eligibility.json. just rbe-target-eligibility-check validates that proved targets keep cited remote-process evidence, that candidates stay unclaimed until forced proof lands, and that blocked target classes remain blocked while their source-level hazards still exist.

The first landed proof target is //app:build. Follow-on targets should stay small and hermetic until their inputs and execution requirements are inventoried. The first remote-test, packaging, and docs-site static-rendering proof targets are also landed:

  • //app:unit_tests
  • //:deployment_bundle
  • //docs-site:build
  • //docs-site:playwright_chromium_smoke
  • tinyland-inc/omux.xoxd.ai //:unit_tests
  • tinyland-inc/omux.xoxd.ai //:build
  • tinyland-inc/omux.xoxd.ai //:puppeteer_chromium_smoke
  • tinyland-inc/omux.xoxd.ai //:playwright_chromium_smoke
  • tinyland-inc/omux.xoxd.ai //:playwright_local_route_smoke
  • tinyland-inc/omux.xoxd.ai //:puppeteer_local_route_smoke
  • Jesssullivan/jesssullivan.github.io //:puppeteer_chromium_smoke
  • Jesssullivan/jesssullivan.github.io //:playwright_chromium_smoke
  • Jesssullivan/jesssullivan.github.io //:sveltekit_vite_build_smoke
  • Jesssullivan/MassageIthaca //:booking_operation_unit_tests
  • Jesssullivan/MassageIthaca //:svelte_check_test
  • Jesssullivan/MassageIthaca //:tsc_noemit_test
  • Jesssullivan/MassageIthaca //:playwright_tmd_smoke
  • Jesssullivan/MassageIthaca //:sveltekit_node_build
  • tinyland-inc/tinyland.dev //packages/tinyland-grafana:test
  • tinyland-inc/tinyland.dev //:app_typecheck
  • tinyland-inc/tinyland.dev //:app_build
  • tinyland-inc/tinyland.dev //packages/tinyland-activitypub:test
  • tinyland-inc/tinyland.dev //packages/tinyland-a11y-engine:typecheck
  • tinyland-inc/tinyland.dev //:playwright_local_route_smoke
  • tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke

The landed web-stack proof is //docs-site:playwright_chromium_smoke. It is a Chromium-only static-site Playwright smoke target over built Vite/SvelteKit docs-site output. Run 25712694947 used a browser-capable worker image digest, forced bazel_command=test, 1060 remote processes, remote sveltekit_sync, remote vite_build, remote test-setup, and a passing playwright-core smoke with /bin/chromium.

The landed public consumer Puppeteer proof is tinyland-inc/omux.xoxd.ai //:puppeteer_chromium_smoke. It is a Chromium-only static-output Puppeteer smoke target over built Vite/SvelteKit output. Run 25826953857 used the same browser-capable worker image digest, forced bazel_command=test, 137 remote processes, remote sveltekit_sync, remote vite_build, remote test-setup, and a passing puppeteer-core smoke with /bin/chromium.

The landed public consumer Vitest proof is tinyland-inc/omux.xoxd.ai //:unit_tests. It is a bounded Vite/SvelteKit Vitest unit-test target from omux PR #62. Run 25742782051 used bazel_command=test, forced execution, 4 remote processes, remote test-setup, and a passing invocation of unit_tests_/unit_tests run --reporter=verbose --config ./vitest.config.ts.

The landed public consumer standalone build proof is tinyland-inc/omux.xoxd.ai //:build. It is a bounded SvelteKit/Vite production build target. Run 25891956165 used bazel_command=build, forced execution, a non-secret GF_RBE_PROOF_NONCE action-key perturbation, 4 remote processes, remote lifecycle-hook actions for @tailwindcss/oxide and esbuild, remote sveltekit_sync, and remote vite_build evidence.

The landed public consumer Playwright proof is tinyland-inc/omux.xoxd.ai //:playwright_chromium_smoke. It is a bounded Chromium static-output smoke target over the public omux SvelteKit/Vite app. Run 25897326537 used bazel_command=test, forced execution, public main commit d3608a5a6325adee0a5e625cf7ad76b470e7b83f, proof nonce 20260515T024138Z-25897326537-1, 6 remote processes, remote lifecycle-hook actions for @tailwindcss/oxide and esbuild, remote sveltekit_sync, remote vite_build, remote test-setup.sh playwright_chromium_smoke_/playwright_chromium_smoke, remote generate-xml.sh, and a passing Playwright Chromium smoke with /bin/chromium. This promotes one public omux Playwright target class only; it does not prove broad Playwright, Vitest browser mode, hosted E2E, or Firefox (WebKit is now proved separately for one consumer static-smoke class via run 27330688866).

The landed public consumer local-server Playwright proof is tinyland-inc/omux.xoxd.ai //:playwright_local_route_smoke. It is a bounded route-smoke target over declared adapter-static SvelteKit/Vite output. Run 26005817853 used bazel_command=test, forced execution, GitHub App checkout authority, public main commit cd730bdc432b6eb2af4cac7032c040e4ab734da7, proof nonce 20260517T232840Z-26005817853-1, 13 remote processes, remote lifecycle-hook actions for @tailwindcss/oxide and esbuild, remote sveltekit_sync, remote vite_build, remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, remote generate-xml.sh, and a passing /agent-snippet route smoke with /bin/chromium. This promotes one public omux local-route target class only; it does not prove all omux routes, deployed E2E, or broad Playwright.

The landed public consumer local-server Puppeteer proof is tinyland-inc/omux.xoxd.ai //:puppeteer_local_route_smoke. It is a bounded route-smoke target over declared adapter-static SvelteKit/Vite output. Run 26037732121 used bazel_command=test, forced execution, GitHub App checkout authority, public main commit 50e0b796cbc44bc82de67891b1999e7e48cff473, proof nonce 20260518T135044Z-26037732121-1, 10 remote processes, remote lifecycle-hook actions for @tailwindcss/oxide and esbuild, remote sveltekit_sync, remote vite_build, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, and a passing /agent-snippet route smoke with /bin/chromium. This promotes one public omux local-route Puppeteer target class only; it does not prove all omux routes, deployed E2E, broad Puppeteer, or Playwright.

The landed public jesssullivan.github.io Vitest proof is Jesssullivan/jesssullivan.github.io //:types_unit_tests. Run 25892939448 used bazel_command=test, forced execution, proof nonce 20260515T001050Z-25892939448-1, the browser-capable worker image, and reported 2331 processes: 1477 internal, 855 remote. The REAPI worker log includes remote npm package extraction and lifecycle-hook execution for esbuild, sharp, and puppeteer without action-time browser downloads, then remote test-setup.sh types_unit_tests_/types_unit_tests with exit_code=0. This promotes one public SvelteKit/Vite/Vitest types unit-test class only; it does not prove all public ghio tests, broad web RBE, private tinyland.dev, or MassageIthaca.

The landed public jesssullivan.github.io consumer proofs are //:puppeteer_chromium_smoke, //:playwright_chromium_smoke, and //:sveltekit_vite_build_smoke. Runs 25777472760, 25894297074, and 25779597385 used the same browser-capable worker image digest, forced bazel_command=test, 855 remote processes each, and remote test-setup evidence. The Puppeteer class launches the pinned worker Chromium without lifecycle browser downloads; the Playwright class launches the pinned worker Chromium with PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD=1 and explicit executablePath; the SvelteKit/Vite class is a build-smoke test target, not publication or deployment.

The landed private MassageIthaca Vitest proof is Jesssullivan/MassageIthaca //:booking_operation_unit_tests. Run 25928429263 used consumer_checkout_authority=repo-scoped-deploy-key, forced execution, proof nonce 20260515T161719Z-25928429263-1, and the browser-capable worker image recorded in the manifest, and reported 7662 processes: 7 action cache hit, 4343 internal, 3319 remote. Worker logs show remote sveltekit_sync, remote test-setup.sh booking_operation_unit_tests_/booking_operation_unit_tests, and remote generate-xml.sh. This proves one private booking-operation unit-test class only.

The landed private MassageIthaca SvelteKit/svelte-check proof is Jesssullivan/MassageIthaca //:svelte_check_test. Run 25938855554 used consumer_checkout_authority=repo-scoped-deploy-key, bazel_command=test, forced execution, proof nonce 20260515T200641Z-25938855554-1, and the browser-capable worker image recorded in the manifest. Bazel reported 7662 processes: 3 action cache hit, 4343 internal, 3319 remote; worker logs show remote lifecycle-hook execution for esbuild, sharp, @sparticuz/chromium, msw, and @vercel/speed-insights, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote external/bazel_tools/tools/test/test-setup.sh svelte_check_test_/svelte_check_test, and remote generate-xml.sh. This proves one private SvelteKit/svelte-check target class only.

The landed private MassageIthaca TypeScript no-emit proof is Jesssullivan/MassageIthaca //:tsc_noemit_test. Run 25948484331 used consumer_checkout_authority=repo-scoped-deploy-key, bazel_command=test, forced execution, proof nonce 20260516T005553Z-25948484331-1, and the browser-capable worker image recorded in the manifest. Bazel reported 7662 processes: 4 action cache hit, 4343 internal, 3319 remote; worker logs show remote lifecycle-hook execution for esbuild, sharp, @sparticuz/chromium, msw, and @vercel/speed-insights, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote external/bazel_tools/tools/test/test-setup.sh tsc_noemit_test_/tsc_noemit_test, and remote generate-xml.sh. The test passed in 24.2s. This proves one private TypeScript no-emit target class only.

The landed private MassageIthaca Playwright TMD proof is Jesssullivan/MassageIthaca //:playwright_tmd_smoke. Run 25953478878 used consumer_checkout_authority=repo-scoped-deploy-key, bazel_command=test, forced execution, proof nonce 20260516T050753Z-25953478878-1, consumer commit 08555e16b9ee0504b1b23e6373b5b6bbfb799f5f, and the browser-capable worker image recorded in the manifest. Bazel reported 7670 processes: 3 action cache hit, 4352 internal, 3318 remote; worker logs show remote lifecycle-hook execution for esbuild, sharp, @sparticuz/chromium, msw, and @vercel/speed-insights, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, remote external/bazel_tools/tools/test/test-setup.sh playwright_tmd_smoke_/playwright_tmd_smoke, and remote generate-xml.sh. The test passed in 4.5s. This proves one private Playwright TMD browser-smoke target class only.

The landed private MassageIthaca SvelteKit/Vite production-build proof is Jesssullivan/MassageIthaca //:sveltekit_node_build. Run 25983800544 used consumer_checkout_authority=repo-scoped-deploy-key, bazel_command=build, forced execution, proof nonce 20260517T064447Z-25983800544-1, consumer commit e06a70d12417f04568092a62e225b6c6595c3b39, and the browser-capable worker image recorded in the manifest. Bazel reported 7379 processes: 2 action cache hit, 4186 internal, 3193 remote; worker logs show remote lifecycle-hook execution for esbuild, msw, and sharp, remote sveltekit_sync_bin_/sveltekit_sync_bin, and remote vite_build_bin_/vite_build_bin. The proof artifact verifier passed and Kubernetes restart evidence stayed at 0. This proves one private SvelteKit/Vite production-build target class only.

The landed private tinyland.dev Grafana Vitest proof is tinyland-inc/tinyland.dev //packages/tinyland-grafana:test. Run 25935041748 used repo-scoped deploy-key checkout, the verified private codeload distdir handoff for tummycrypt_tinyland_schemas:0.2.4, bazel_command=test, forced execution, proof nonce 20260515T184435Z-25935041748-1, and the browser-capable worker image recorded in the manifest. Bazel reported 1531 processes: 468 remote cache hit, 1059 internal, 4 remote; worker logs show remote esbuild lifecycle-hook execution, remote TypeScript compile evidence, remote external/bazel_tools/tools/test/test-setup.sh packages/tinyland-grafana/test_/test, and remote generate-xml.sh. This proves one private Grafana package Vitest class only. The codeload distdir handoff remains proof-run staging, not durable private mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.

The landed private tinyland.dev ActivityPub Vitest proof is tinyland-inc/tinyland.dev //packages/tinyland-activitypub:test. Run 25981546207 used GitHub App checkout authority, workspace_path=consumer-workspace, the verified private codeload distdir handoff for tummycrypt_tinyland_schemas:0.2.4, bazel_command=test, forced execution, proof nonce 20260517T044208Z-25981546207-1, and the browser-capable worker image recorded in the manifest. Bazel reported 728 processes: 1 action cache hit, 299 remote cache hit, 415 internal, 14 remote; worker logs show remote esbuild lifecycle-hook execution, remote TypeScript tsc for packages/tinyland-content-types, remote external/bazel_tools/tools/test/test-setup.sh packages/tinyland-activitypub/test_/test, and remote generate-xml.sh. The proof artifact verifier passed with the required distdir input, and Kubernetes restart evidence stayed at 0. This proves one private ActivityPub package Vitest class only. The codeload distdir handoff remains proof-run staging, not durable private mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.

The landed private tinyland.dev package TypeScript typecheck proof is tinyland-inc/tinyland.dev //packages/tinyland-a11y-engine:typecheck. Run 25984827370 used GitHub App checkout authority, workspace_path=consumer-workspace, the verified private codeload distdir handoff for tummycrypt_tinyland_schemas:0.2.4, bazel_command=build, forced execution, proof nonce 20260517T073751Z-25984827370-1, consumer checkout commit 3730c6966d5e069cff92abc7c606fca9db5b54af, and the browser-capable worker image recorded in the manifest. Bazel reported 553 processes: 223 remote cache hit, 328 internal, 2 remote; worker logs show remote esbuild lifecycle-hook execution and remote TypeScript tsc for packages/tinyland-color-utils. The proof artifact verifier passed with the required distdir input, and Kubernetes restart evidence stayed at 0. This proves one private package TypeScript typecheck class only. The codeload distdir handoff remains proof-run staging, not durable private mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.

The landed private tinyland.dev local-server Playwright route-smoke proof is tinyland-inc/tinyland.dev //:playwright_local_route_smoke. Run 25989829826 used GitHub App checkout authority, workspace_path=consumer-workspace, the verified private codeload distdir handoff for tummycrypt_tinyland_schemas:0.2.4, bazel_command=test, forced execution, proof nonce 20260517T114200Z-25989829826-1, consumer main commit efa977e701c449dce84065e138f3c8a303ce8334, and the browser-capable worker image recorded in the manifest. Bazel reported 6155 processes: 3139 remote cache hit, 2963 internal, 53 remote; worker logs show remote TypeScript tsc, remote Vite build-tool execution, remote external/bazel_tools/tools/test/test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, and remote generate-xml.sh. The proof artifact verifier passed with the required distdir input, and Kubernetes restart evidence stayed at 0. This proves one private local-server Playwright route-smoke class only. The codeload distdir handoff remains proof-run staging, not durable private mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.

The landed private tinyland.dev local-server Puppeteer route-smoke proof is tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke. Run 26051698671 used GitHub App checkout authority, workspace_path=consumer-workspace, the verified private codeload distdir handoff for tummycrypt_tinyland_schemas:0.2.4, bazel_command=test, forced execution, proof nonce 20260518T181314Z-26051698671-1, consumer main commit dcb859f658092dc2a6c0f33223cb9ec9a4055c18, and the browser-capable worker image recorded in the manifest. Bazel reported 6319 processes: 1 action cache hit, 3135 remote cache hit, 3052 internal, 132 remote; worker logs show remote lifecycle-hook execution for @tailwindcss/oxide, sharp, and esbuild, remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote external/bazel_tools/tools/test/test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, and remote generate-xml.sh. The proof artifact verifier passed with the required distdir input, and Kubernetes restart evidence stayed at 0. This proves one private local-server Puppeteer route-smoke class only. The codeload distdir handoff remains proof-run staging, not durable private mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.

The landed consumer WebKit static-smoke proof is Jesssullivan/darkmap.phasi.space //:playwright_webkit_shell_smoke plus //:playwright_webkit_mobile_hud_smoke. Run 27330688866 was driven by the consumer browser-rbe-proof dispatch 27330681726 (workflow_dispatch, target //:webkit_smoke_suite, force_execution=true) on 2026-06-11 with bazel_command=test, forced execution, and worker image digest sha256:9db80cc90cb6736430cdbfcf0a0773fd89073d897ec084b9b141ded1d58661af — the first image carrying the PR #885 gf-webkit-launcher shim. Bazel reported 1703 processes: 985 internal, 718 remote; //:playwright_webkit_shell_smoke passed in 4.5s, //:playwright_webkit_mobile_hud_smoke passed in 14.1s, and the consumer pins @playwright/test exactly to 1.59.1 against the worker webkit-2272 runtime. The negative control is the first dispatch (darkmap run 27329374675, cell run 27329382732), which failed closed in 1.1s per target on the image-global LD_LIBRARY_PATH glibc poisoning before the shim landed. This proves one consumer WebKit static-smoke target class only, not all WebKit targets, broad Playwright, or Firefox.

Browser-backed proof targets also have a separate machine-checkable authority: docs/contracts/browser-runtime-authority.json. just browser-runtime-authority-contract-check validates that Chromium comes from the pinned worker image, that Playwright/Puppeteer browser downloads stay out of REAPI actions, and that public pilot guidance does not turn those proofs into a broad/default web RBE claim.

The //app:unit_tests proof only counts because it used a forced proof with bazel_command=test, nonzero remote process count, and worker evidence for the Vitest test runner. A build-command run for //app:unit_tests is useful debugging data, but it does not promote a remote-test target class.

Do not start product eligibility with OpenTofu validation, KVM jobs, firmware image assembly, or targets that require private blobs. Those may become eligible later after their tools, inputs, environment assumptions, and execution requirements are inventoried.

The next language-test promotions after //docs-site:build are deliberately target-class scoped. //examples/hello-go:hello_test is scoped explicitly to pure-Go with pure = "on". Forced REAPI run 25631848864 exposed a gf-reapi-cell bug where every declared output was inlined into the Execute response instead of only ExecuteRequest.InlineOutputFiles; PR #605 fixed that contract. Retry 25632300253 applied the fixed cell image, reached rules_go remote execution with 10 processes: 8 internal, 2 remote, then failed in GoStdlib runtime/cgo with cc: no such file or directory. Run 25634296833 proved the pure-Go target with bazel_command=test, forced execution, 11 remote processes, worker image sha256:bb5455a038bdbff2560f22491c131c2163d3089ffafedee08f937d63f35fa848, and remote GoStdlib, compile, link, and test-setup evidence. After the worker image carried the C/C++ wrapper closure, run 25649628233 proved the separate cgo-backed //examples/hello-go-cgo:cgo_test class with remote runtime/cgo, GoCompilePkg, GoLink, and test-setup evidence. Broader cgo-backed Go remains unproved. Rust test attempt 25647399161 forced the //examples/hello-rust:hello_test test proof through the same worker image and reached the remote rules_rust compile action, but the worker failed to load libz.so.1 for the rules_rust rustc binary. Image sha256:fb77cc74124c1b235981ecf85e71b8de3d14d7b0d7e316c1172c52698990453c fixed that library gap. Follow-up run 25648006195 recorded one successful remote rules_rust compile action, then failed linking process_wrapper because the worker lacked the Nix gcc-wrapper path selected by rules_cc. After the worker image carried the C/C++ wrapper closure, run 25648670844 proved the trivial Rust unit-test class with 5 remote processes and one passing test. The first C++ test attempt, run 25638930305, forced the //examples/hello-cc:hello_test test proof through the same worker image and reached the remote compile action, but the worker failed to execute /nix/store/zx71vq7s1v840wqsrw2m2ckmxn413a2b-gcc-wrapper-13.3.0/bin/gcc; Bazel reported 6 processes: 6 internal, so that run is negative proof evidence. After the worker image carried the C/C++ wrapper closure, run 25648975728 proved the trivial C++ unit-test class with 4 remote processes, remote gcc compile/link and test-setup evidence, and one passing test. GF REAPI Cell run 25608601158 proved //docs-site:build with bazel_command=build, forced execution, 1046 remote processes, worker image sha256:be2832171ac69cc9a2d012b3c789e8b765afb7cae0df8f7e9677dd6d8542dbc0, and remote JsRunBinary evidence for docs-site/.svelte-kit and docs-site/build. The earlier run 25607350105 remains inventory evidence only: it failed during package loading because the target used a parent-package glob("../docs/**/*.md"). The promoted scope is static docs-site rendering, not docs deployment or public publication.

Countable Evidence

A default-branch proof counts only if it records:

  • the exact wrapper invocation
  • non-empty BAZEL_REMOTE_EXECUTOR
  • non-empty BAZEL_REMOTE_CACHE
  • Bazel CLI flags showing both --remote_executor and --remote_cache
  • a build log showing remote processes, not only remote cache hits
  • the target label and platform identity
  • worker image digest or equivalent provenance
  • unsupported targets tagged local-only or explicitly excluded

Cache hits, remote CI job dispatch, and successful ARC runner scheduling are useful substrate evidence. They are not remote-execution proof.

Current countable proof evidence:

  • PR #564 merged the GF-owned proof-cell fixes needed for //app:build.
  • Proof workflow 25579178623 built //app:build through --remote_executor=grpc://gf-reapi-cell.gf-rbe.svc.cluster.local:8980 with worker image sha256:be2832171ac69cc9a2d012b3c789e8b765afb7cae0df8f7e9677dd6d8542dbc0.
  • Bazel reported 2308 processes: 1439 internal, 869 remote and both app/sveltekit_sync and app/vite_build exited 0 on the REAPI worker.
  • A later cache-warm main rerun reported remote action-cache hits instead of fresh remote execution. Fresh proof runs must set GF_RBE_PROOF_FORCE_EXECUTION=true, which passes --remote_accept_cached=false, adds --nocache_test_results for test proofs, injects a non-secret GF_RBE_PROOF_NONCE action environment value to perturb action keys on cache-warm targets, and fails if Bazel reports only remote cache hits. The proof harness also passes --noremote_cache_compression because the current proof cell does not advertise compressed remote-cache support; production broad/default RBE needs an explicit compression support decision before inheriting arbitrary consumer .bazelrc compression defaults.
  • PRs #570, #571, and #572 made the WAS-110 public input handoff workflow repeatable and machine-verified. Main run 25589377905 built //:public_vendor_handoff_fixture from the consumer workspace with forced execution, INFO: 2 processes: 1 internal, 1 remote., worker provenance, and injected was110_vendor_blobs evidence.
  • PR #582 separated build-mode and test-mode proof evidence. Main run 25601913985 tested //app:unit_tests with bazel_command=test, forced execution, worker image sha256:be2832171ac69cc9a2d012b3c789e8b765afb7cae0df8f7e9677dd6d8542dbc0, INFO: 1249 processes: 722 internal, 527 remote., 20 Vitest test files, 168 passing tests, and remote worker evidence for external/bazel_tools/tools/test/test-setup.sh app/unit_tests_/unit_tests.
  • Main run 25602726443 built //:deployment_bundle with bazel_command=build, forced execution, worker image sha256:be2832171ac69cc9a2d012b3c789e8b765afb7cae0df8f7e9677dd6d8542dbc0, INFO: 7 processes: 6 internal, 1 remote., and remote worker evidence for the rules_pkg build_tar action producing deployment_bundle.tar.gz.
  • Run 25647399161 is negative proof evidence for the Rust unit-test target class. It reached the remote rules_rust compile action for //examples/hello-rust:hello_test, then failed because the REAPI worker runtime lacked libz.so.1 for the rules_rust rustc binary and produced no countable nonzero remote process proof.
  • Run 25648006195 is later negative proof evidence for the same Rust class. It used worker image sha256:fb77cc74124c1b235981ecf85e71b8de3d14d7b0d7e316c1172c52698990453c, recorded one successful remote rules_rust compile action, then failed because the worker lacked /nix/store/zx71vq7s1v840wqsrw2m2ckmxn413a2b-gcc-wrapper-13.3.0/bin/gcc. Bazel reported 173 processes: 172 internal, 1 remote; at that point Rust had remote execution evidence but still no passing test proof.
  • Run 25648670844 is positive proof evidence for the trivial Rust unit-test class. It used worker image sha256:98b78964245baf5d5fbb0ab382c1106c3d4006a3a30918c0a1a8f5e0fad9f62a, bazel_command=test, and forced execution. Bazel reported 175 processes: 170 internal, 5 remote; //examples/hello-rust:hello_test passed with one test. Worker logs show remote rules_rust compile actions, remote test execution via external/bazel_tools/tools/test/test-setup.sh examples/hello-rust/hello_test, and remote XML generation.
  • Run 25638930305 is negative proof evidence for the C++ unit-test target class. It reached the remote C++ compile action for //examples/hello-cc:hello_test, then failed with a missing Nix gcc-wrapper path on the worker and produced no countable nonzero remote process proof.
  • Run 25648975728 is positive proof evidence for the trivial C++ unit-test class. It used worker image sha256:98b78964245baf5d5fbb0ab382c1106c3d4006a3a30918c0a1a8f5e0fad9f62a, bazel_command=test, and forced execution. Bazel reported 8 processes: 4 internal, 4 remote; //examples/hello-cc:hello_test passed with one test. Worker logs show remote gcc compile/link actions, remote test execution via external/bazel_tools/tools/test/test-setup.sh examples/hello-cc/hello_test, and remote XML generation.
  • Run 25649628233 is positive proof evidence for the trivial cgo-backed Go unit-test class. It used worker image sha256:98b78964245baf5d5fbb0ab382c1106c3d4006a3a30918c0a1a8f5e0fad9f62a, bazel_command=test, and forced execution. Bazel reported 18 processes: 7 internal, 11 remote; //examples/hello-go-cgo:cgo_test passed with one test. Worker logs show remote GoStdlib including runtime/cgo, remote cgo GoCompilePkg with cgo_go_srcs, remote GoLink using the Nix gcc wrapper as extar and extld, and remote test execution via external/bazel_tools/tools/test/test-setup.sh examples/hello-go-cgo/cgo_test_/cgo_test.
  • Run 25712694947 is positive proof evidence for the Chromium static-site Playwright smoke class. It used worker image sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0, bazel_command=test, and forced execution. Bazel reported 2549 processes: 1489 internal, 1060 remote; //docs-site:playwright_chromium_smoke passed with /bin/chromium. Worker logs show remote sveltekit_sync, remote vite_build, and remote test execution via external/bazel_tools/tools/test/test-setup.sh docs-site/playwright_chromium_smoke_/playwright_chromium_smoke.
  • Run 25826953857 is positive proof evidence for the public omux Chromium static-output Puppeteer smoke class. It used worker image sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0, bazel_command=test, and forced execution. Bazel reported 3162 processes: 1 action cache hit, 1043 remote cache hit, 1982 internal, 137 remote; //:puppeteer_chromium_smoke passed with /bin/chromium. Worker logs show remote puppeteer-core@24.43.1 extraction, remote sveltekit_sync, remote vite_build, and remote test execution via external/bazel_tools/tools/test/test-setup.sh puppeteer_chromium_smoke_/puppeteer_chromium_smoke.
  • Run 25897326537 is positive proof evidence for the public omux Chromium static-output Playwright smoke class. It used worker image sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0, bazel_command=test, forced execution, and proof nonce 20260515T024138Z-25897326537-1. Bazel reported 3162 processes: 1 action cache hit, 1174 remote cache hit, 1982 internal, 6 remote; //:playwright_chromium_smoke passed with /bin/chromium. Worker logs show remote @tailwindcss/oxide and esbuild lifecycle hooks, remote sveltekit_sync, remote vite_build, remote test execution via external/bazel_tools/tools/test/test-setup.sh playwright_chromium_smoke_/playwright_chromium_smoke, and remote generate-xml.sh.
  • Run 26037732121 is positive proof evidence for the public omux local-server Puppeteer route-smoke class. It used worker image sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0, bazel_command=test, forced execution, GitHub App checkout authority, and proof nonce 20260518T135044Z-26037732121-1. Bazel reported 3162 processes: 2 action cache hit, 1170 remote cache hit, 1982 internal, 10 remote; //:puppeteer_local_route_smoke passed with /bin/chromium. Worker logs show remote @tailwindcss/oxide and esbuild lifecycle hooks, remote sveltekit_sync, remote vite_build, remote test execution via external/bazel_tools/tools/test/test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, and remote generate-xml.sh.
  • Run 26051698671 is positive proof evidence for the private tinyland.dev local-server Puppeteer route-smoke class. It used GitHub App checkout authority, verified private distdir input tummycrypt_tinyland_schemas:0.2.4, the browser-capable worker image recorded in the manifest, bazel_command=test, forced execution, and proof nonce 20260518T181314Z-26051698671-1. Bazel reported 6319 processes: 1 action cache hit, 3135 remote cache hit, 3052 internal, 132 remote; //:puppeteer_local_route_smoke passed with /bin/chromium. Worker logs show remote @tailwindcss/oxide, sharp, and esbuild lifecycle hooks, remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote test execution via external/bazel_tools/tools/test/test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, and remote generate-xml.sh.
  • Run 25742782051 is positive proof evidence for the public omux Vitest unit-test class only. It used worker image sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0, bazel_command=test, and forced execution. Bazel reported 1437 processes: 2 action cache hit, 551 remote cache hit, 882 internal, 4 remote; worker logs show remote test execution via external/bazel_tools/tools/test/test-setup.sh unit_tests_/unit_tests run --reporter=verbose --config ./vitest.config.ts. This does not prove all Vitest, all omux tests, private tinyland.dev package tests, browser E2E, or broad/default web RBE.
  • Runs 25777472760 and 25779597385 are positive proof evidence for the public jesssullivan.github.io Puppeteer Chromium smoke and SvelteKit/Vite build-smoke target classes. Both used worker image sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0, bazel_command=test, and forced execution. Bazel reported 2331 processes: 1477 internal, 855 remote for each proof; worker logs show remote test-setup for puppeteer_chromium_smoke and sveltekit_vite_build_smoke.
  • Run 25894297074 is positive proof evidence for the public jesssullivan.github.io Playwright Chromium runtime-smoke target class. It used worker image sha256:a567696e341f6eb0589ece9efd6014a2133a4f10831bdad31e8dd84055eff8a0, bazel_command=test, forced execution, and proof nonce 20260515T005745Z-25894297074-1. Bazel reported 2331 processes: 1477 internal, 855 remote; worker logs show remote external/bazel_tools/tools/test/test-setup.sh playwright_chromium_smoke_/playwright_chromium_smoke with exit_code=0 and remote generate-xml.sh.
  • Run 25928429263 is positive proof evidence for the private MassageIthaca booking-operation Vitest target class. It used repo-scoped deploy-key checkout, the browser-capable worker image recorded in the manifest, bazel_command=test, forced execution, and proof nonce 20260515T161719Z-25928429263-1. Bazel reported 7662 processes: 7 action cache hit, 4343 internal, 3319 remote; worker logs show remote sveltekit_sync, remote test-setup.sh booking_operation_unit_tests_/booking_operation_unit_tests, and remote generate-xml.sh.
  • Run 25938855554 is positive proof evidence for the private MassageIthaca SvelteKit/svelte-check target class. It used repo-scoped deploy-key checkout, the browser-capable worker image recorded in the manifest, bazel_command=test, forced execution, and proof nonce 20260515T200641Z-25938855554-1. Bazel reported 7662 processes: 3 action cache hit, 4343 internal, 3319 remote; worker logs show remote lifecycle-hook execution for esbuild, sharp, @sparticuz/chromium, msw, and @vercel/speed-insights, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote test-setup.sh svelte_check_test_/svelte_check_test, and remote generate-xml.sh.
  • Run 25948484331 is positive proof evidence for the private MassageIthaca TypeScript no-emit target class. It used repo-scoped deploy-key checkout, the browser-capable worker image recorded in the manifest, bazel_command=test, forced execution, and proof nonce 20260516T005553Z-25948484331-1. Bazel reported 7662 processes: 4 action cache hit, 4343 internal, 3319 remote; worker logs show remote lifecycle-hook execution for esbuild, sharp, @sparticuz/chromium, msw, and @vercel/speed-insights, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote test-setup.sh tsc_noemit_test_/tsc_noemit_test, remote generate-xml.sh, and a passing TypeScript no-emit action in 24.2s.
  • Run 25953478878 is positive proof evidence for the private MassageIthaca Playwright TMD browser-smoke target class. It used repo-scoped deploy-key checkout, consumer commit 08555e16b9ee0504b1b23e6373b5b6bbfb799f5f, the browser-capable worker image recorded in the manifest, bazel_command=test, forced execution, and proof nonce 20260516T050753Z-25953478878-1. Bazel reported 7670 processes: 3 action cache hit, 4352 internal, 3318 remote; worker logs show remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, remote test-setup.sh playwright_tmd_smoke_/playwright_tmd_smoke, remote generate-xml.sh, and a passing Playwright TMD smoke action in 4.5s.
  • Run 25935041748 is positive proof evidence for the private tinyland.dev Grafana package Vitest target class. It used repo-scoped deploy-key checkout, verified codeload distdir input tummycrypt_tinyland_schemas:0.2.4, the browser-capable worker image recorded in the manifest, bazel_command=test, forced execution, and proof nonce 20260515T184435Z-25935041748-1. Bazel reported 1531 processes: 468 remote cache hit, 1059 internal, 4 remote; worker logs show remote test-setup.sh packages/tinyland-grafana/test_/test, remote generate-xml.sh, remote lifecycle-hook execution, and a passing Vitest action. The private codeload handoff is proof-run staging only, not durable mirror or repository-cache authority.
  • Run 25981546207 is positive proof evidence for the private tinyland.dev ActivityPub package Vitest target class. It used GitHub App checkout authority, workspace_path=consumer-workspace, verified codeload distdir input tummycrypt_tinyland_schemas:0.2.4, the browser-capable worker image recorded in the manifest, bazel_command=test, forced execution, and proof nonce 20260517T044208Z-25981546207-1. Bazel reported 728 processes: 1 action cache hit, 299 remote cache hit, 415 internal, 14 remote; worker logs show remote test-setup.sh packages/tinyland-activitypub/test_/test, remote generate-xml.sh, remote lifecycle-hook execution, remote TypeScript tsc, and a passing Vitest action. The private codeload handoff is proof-run staging only, not durable mirror or repository-cache authority.
  • Run 25984827370 is positive proof evidence for the private tinyland.dev package TypeScript typecheck target class. It used GitHub App checkout authority, workspace_path=consumer-workspace, verified codeload distdir input tummycrypt_tinyland_schemas:0.2.4, the browser-capable worker image recorded in the manifest, bazel_command=build, forced execution, proof nonce 20260517T073751Z-25984827370-1, and consumer checkout commit 3730c6966d5e069cff92abc7c606fca9db5b54af. Bazel reported 553 processes: 223 remote cache hit, 328 internal, 2 remote; worker logs show remote esbuild lifecycle-hook execution and remote TypeScript tsc for packages/tinyland-color-utils. The private codeload handoff is proof-run staging only, not durable mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.
  • Run 25970619559 is positive proof evidence for the private tinyland-inc/tinyland.dev //:app_typecheck root SvelteKit app typecheck target class. It used GitHub App checkout authority, verified private distdir input tummycrypt_tinyland_schemas:0.2.4, the browser-capable worker image recorded in the manifest, bazel_command=build, forced execution, and proof nonce 20260516T191944Z-25970619559-1. Bazel reported 5578 processes: 1 action cache hit, 2567 remote cache hit, 2955 internal, 56 remote; worker logs show remote TypeScript tsc, remote Svelte build tool, remote Vite build tool, remote app_typecheck_tool, and no Kubernetes pod restart/OOM. The private distdir handoff is proof-run staging only, not durable mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.
  • Run 25978934708 is positive proof evidence for the private tinyland-inc/tinyland.dev //:app_build root Vite/SvelteKit production build target class. It used GitHub App checkout authority, verified private distdir input tummycrypt_tinyland_schemas:0.2.4, the browser-capable worker image recorded in the manifest, bazel_command=build, forced execution, and proof nonce 20260517T021820Z-25978934708-1. Bazel reported 6146 processes: 3125 remote cache hit, 2959 internal, 62 remote; worker logs show remote TypeScript package fanout and remote JsRunBinary app_build.log. The private distdir handoff is proof-run staging only, not durable mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.
  • Run 26051698671 is positive proof evidence for the private tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke local-server Puppeteer route-smoke target class. It used GitHub App checkout authority, verified private distdir input tummycrypt_tinyland_schemas:0.2.4, the browser-capable worker image recorded in the manifest, bazel_command=test, forced execution, and proof nonce 20260518T181314Z-26051698671-1. Bazel reported 6319 processes: 1 action cache hit, 3135 remote cache hit, 3052 internal, 132 remote; worker logs show remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, and remote generate-xml.sh. The private distdir handoff is proof-run staging only, not durable mirror, repository-cache, CAS/action-cache, or broad/default RBE authority.

WAS-110 Public Inputs

Pinned public WAS-110 community archives can be staged into an approved durable mirror and then materialized into a generated Bazel repository before Bazel starts. The generated repository should be passed through GF_BAZEL_INJECT_REPOSITORIES, which the explicit proof wrapper now forwards to Bazel as --inject_repository.

That is input-authority hardening. The first WAS-110 public input remote action now has explicit workflow proof evidence through the checked-out consumer repo. That does not make private blobs eligible for public CAS or make every firmware target remote-executable.

Private WAS-110 blobs require a lab-approved private CAS/worker trust boundary or local-only execution requirements.

Follow-On Work

  • TIN-663: keep this platform identity backend-neutral.
  • TIN-664: keep executor endpoint literals out of .bazelrc; use the endpoint-free executor-backed config only through validated wrappers.
  • TIN-669: extend the repo-managed wrapper through opt-in executor-backed mode while preserving cache-backed defaults.
  • TIN-671: keep the proof workflow digest-pinned and evidence-producing.
  • TIN-665: recorded the first countable //app:build remote-worker proof.
  • TIN-1027: closed by the GF-owned minimal REAPI cell endpoint and forced proof lane; productization continues through explicit wrapper, workflow, and backend-authority follow-ups.

GloriousFlywheel