Roadmap

This roadmap is intentionally short and execution-oriented.

GitHub issues are only reopened when a fresh repo-level slice needs one. The longer docs/research/ notes are supporting detail, not the roadmap.

Snapshot date: 2026-05-29

Use Cleanup Program when you need the structured workstream and sequencing view behind this short roadmap.

Use the BCR/RBE/RustFS product reality review when you need the current stop/go view across cache-forward execution, BCR/Bzlmod package authority, Bazel remote execution, external input authority, and RustFS backend risk.

Use the May 10 RBE platform sprint plan for the current three-owner execution slice across runner control-plane hygiene, RustFS/backend authority, external input authority, target-scoped RBE, and BCR/Bzlmod package authority.

Use the 2026-05-24 RBE production-gate plan for the current default-RBE promotion route. That plan treats the 34 proved target classes as real evidence, but keeps broad/default RBE blocked on production authority: E2 action-cache trust, E3 external-input durability, E4 tenant enforcement, and E5 operator/developer visibility.

Now

The PoC-to-product framing. gf-reapi-cell is a real, in-house REAPI v2 implementation (all five services, plus instance_name routing, opt-in OIDC/JWT authz, AC writer attestation + audit, digest verification, and gf_reapi_* metrics — all landed code). Becoming an adoptable product means closing four pillars, tracked by the RBE production-readiness gates:

1. Durable storage (E1). The provider-neutral BlobStore seam landed 2026-05-29 with a dependency-free S3 backend. It does not select MinIO or any replacement provider. The live self-hosted object-store substrate is RustFS for existing cache/state paths; using RustFS for RBE CAS/AC still requires the TIN-1147 repair/proof gate and a dedicated CAS/action-cache namespace. /readyz gates on backend reachability, age-based TTL garbage collection (W1.3) is wired for the local backend, and the first W1.4 local CAS size-bound primitive exists behind GF_REAPI_CAS_MAX_BYTES. That primitive is lease-protected, LRU- ordered, quota-reconciled, and observable; sharding/replication remains unbuilt.
2. Multi-tenancy + identity (E2/E4). Routing/authz/attestation, per-tenant quotas (W4.4 — Execute concurrency + per-blob size; W4.6 — durable CAS-byte/AC-entry limits surviving restart via startup scan + post-GC reconcile), executor-pool admission (W4.3 — Action.platform pool property checked before AC lookup/execution), an in-process scheduler/placement seam with queue metrics, bounded local worker-pool leases, and static worker inventory/provenance plus an opt-in in-memory worker heartbeat registry exist. A first Bazel credential-helper slice exists for projected-token and explicit-token authz callers. Open: token exchange, full IAM/OIDC tenant mapping, remote worker dispatch, and durable worker-pool placement.
3. Distributed worker pool. Execution still runs locally on the single-replica cell. Scheduler enqueue/start/completion/inflight/queue-time metrics and local worker-pool slot/inventory metrics exist by tenant and pool. Live heartbeat workers can now drive single-cell lease provenance, but there is no durable worker registry, heartbeat fanout, or remote executor fleet yet.
4. Observability + fairness (E5). Counters exist, W5.3 now has a first Grafana tenant-fairness dashboard contract, and W5.4 has an hourly tinyland-nix TTFCH probe contract plus a Grafana dashboard JSON. Cache-hit and poison panels, alert routing, live sustained TTFCH evidence, and the runner-dashboard SvelteKit operator surface remain open.

Everything below is the detailed working state behind that framing.

• TIN-1012 must stay open after the strict HA reality check. PR #523 through PR #526 improved the HA-state contract, scratch/disposable proof harness, checkpoint verification, and cleanup path. The 2026-05-08 live evidence said the RustFS state path was healthy for guarded interim use, but 2026-05-19 evidence reversed that assumption: tofu-state is again absent from S3 list-buckets while disk bucket markers remain present, and both local guards plus PR #735 Plan ARC Runners stopped on the state-authority check. This is not strict HA, not a non-restart repair, and not a deploy/state authority completion path. Post-merge canary run 26083251931 later passed; that is renewed current coherence evidence, not proof that the recurrence class is repaired.
• TIN-1043 is Done as the trusted-Attic-write quarantine/default-read-only safety gate. Two one-path synthetic publication probes have passed, including repeat run 25816771239 on 2026-05-13 with a one-path closure, one-path Attic push delta, and clean pre/post attic plus tofu-state bucket-index evidence. Both representative real-output profiles still reproduced RustFS/S3 NoSuchBucket and HTTP 500 shaped failures while disk bucket markers existed: medium-check with the deadnix check and small-check with the statix check. The small-check run proved the failure is not just large-closure pressure, and current-main medium-check run 25817881900 reproduced the same class again on 2026-05-13: one requested deadnix check output, a 22-path Attic push delta, InternalServerError, and post-failure loss of S3 list-buckets visibility for attic and tofu-state. A controlled RustFS restart restored the S3 API view, including attic scratch create/write/list/delete and required tofu-state object reads. Broad push-cache and strict require-cache-push stay quarantined; TIN-1046 owns any future trusted publication ramp, and TIN-1147 is the explicit backend stop/go blocker for that ramp. It must prove a non-restart RustFS repair or reindex path, a RustFS upgrade/topology fix, or a replacement backend before broad trusted writes can be restored. The next source-owned upgrade/topology move is rustfs-upgrade-topology-proof-plan.json: a non-mutating proof plan that narrows the eventual upgrade-topology candidate attempt to the rustfs_image field, requires just tofu-plan-guard attic, rejects Civo, and keeps TIN-1046 blocked until state, bucket-index, NAR integrity, and representative publication evidence clear the known failure classes. The saved plan must also pass just rustfs-upgrade-topology-plan-guard, which allows only the beta.1 -> upgrade-topology candidate RustFS image update on the live Deployment and drained legacy StatefulSet template while rejecting Secret, selector, PVC/storage, service, wrong-image, or delete/create drift.
• just ha-state-candidate-static-gate --contract <path> is now the static preflight for any future HA state contract. It must pass before a backend is treated as a migration candidate; it rejects the current RustFS singleton, Sting local-path storage, Attic/Bazel cache surfaces, and tofu-state as a scratch/proof target.
• docs/contracts/ha-opentofu-state-managed-s3-candidate.json is the selected TIN-1016 candidate contract artifact. It chooses a managed/appliance S3-compatible OpenTofu state service as the next proof target and is checked by just ha-state-selected-candidate-static-gate. The artifact does not prove a live endpoint. TIN-1026 is now the active blocker for the live endpoint package and state-only TOFU_HA_STATE_* proof credentials; TIN-1017 owns scratch and disposable OpenTofu proof after those exist. That disposable proof must include --use-lockfile, maintenance/failure-domain verification, and cleanup evidence before any protected tofu-state migration.
• just ha-state-candidate-inventory is the read-only TIN-1012 candidate inventory surface. It classifies the current RustFS state path, staging S3-compatible test candidates, TCFS/SeaweedFS, Sting local-path classes, and Longhorn before a static contract is written. Use its NO_LIVE_HA_STATE_CANDIDATE verdict as a hard reality check, not as evidence that RBE/BCR/CAS storage is blocked or proved. The latest 2026-05-28 inventory still reports NO_LIVE_HA_STATE_CANDIDATE; the replacement path starts with TIN-1026, not another RustFS bucket-ensure or restart-only recovery loop. The Tinyland owner overlay also has no scoped TOFU_HA_STATE_* proof secrets yet, so ARC runner enrollment and package-runner proof remain blocked on the HA endpoint package plus TIN-1017 scratch/disposable OpenTofu proof.
• the latest audited default-branch checkpoint is 42b06019609c04ae25a34f48df284aeaec661a0b after PR #828. Current main has zero configured first-party hosted-runner exceptions; merge-blocking validation, security scanning, Bzlmod/Bazel canaries, RBE proof/status, publication, docs, and release metadata dogfood shared tinyland-* capability-class lanes. Post-merge main proved Validate (26657097810), Secret Detection (26657097814), Platform Proof (26657097799), Source Bazel Proof (26657097846), Publish to FlakeHub (26657097788), Tranche Proof Status (26657097756), RustFS State Authority Canary (26657097748 and later 26657934610), and Deploy Docs (26657097770) on those lanes. PR #828 raised the W3.4 vendor-mode scratch preflight to match the observed full-scope proof footprint. This is runner/dogfood and external-input-canary hygiene, not RustFS repair, durable distdir authority, or CAS/action-cache authority promotion. The RBE target eligibility manifest records 34 proved target classes; E6 target breadth is now downstream of the production gates, not the next default-RBE blocker by itself. PR #605 published signed GF REAPI Cell image digest sha256:bb5455a038bdbff2560f22491c131c2163d3089ffafedee08f937d63f35fa848. PR #587 refreshed the BCR/RBE/RustFS truth surface without expanding RBE claims. PR #596 guarded the remote-test roadmap truth; PR #597 through PR #601 added the public pilot guide, exported workflow template, pilot workflow contract, guide/template sync check, and internal workflow-cache publication alignment; PR #602 synchronized cache publication reality docs with the current read-only PR, token-gated trusted publication, and RustFS-quarantined broad proof-workflow split; PR #604 added Stage 1 rust/c++/go cache-backed tests; PR #605 fixed gf-reapi-cell output inlining; PR #607 kept the Go test class pure; PR #608 promoted the pure-Go remote-test class; PR #611 reconciled the May 10 RBE truth; PR #624 promoted the trivial C++ REAPI proof; PR #628 added the browser-capable Playwright smoke target; PR #630 hardened Chromium’s scratch/home handling; PR #668 promoted the public omux standalone Vite build proof; PR #669 promoted the public jesssullivan.github.io Vitest proof; PR #670 promoted the public jesssullivan.github.io Playwright runtime proof; PR #671 recorded private-web-consumer-checkout-authority after private proof dispatches failed before checkout; PR #679 added the repo-scoped deploy-key checkout path, after which MassageIthaca run 25928429263 proved //:booking_operation_unit_tests with 3319 remote processes while tinyland.dev run 25928429273 moved to a private tinyland-schemas v0.2.4 external input blocker. PR #682 then moved that private input path to a verified codeload distdir handoff and forced the explicit proof lane remote-first. Run 25933145419 reached //packages/tinyland-grafana:test, produced 4 remote processes and remote test-setup worker evidence, then failed on tinyland.dev Grafana test environment semantics rather than checkout or archive reachability. After tinyland.dev PR #401 fixed that test hermeticity issue, main proof 25935041748 passed the same target with 4 remote processes, remote test-setup.sh packages/tinyland-grafana/test_/test, and verified tummycrypt_tinyland_schemas:0.2.4 distdir evidence. Run 25938855554 then proved the next private MassageIthaca target class, //:svelte_check_test, with repo-scoped deploy-key checkout, forced execution, proof nonce 20260515T200641Z-25938855554-1, 3319 remote processes, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote test-setup.sh svelte_check_test_/svelte_check_test, and remote generate-xml.sh evidence. That is one private SvelteKit/svelte-check class, not broad MassageIthaca RBE. Run 25948484331 then proved //:tsc_noemit_test as a separate private TypeScript no-emit target class with repo-scoped deploy-key checkout, forced execution, proof nonce 20260516T005553Z-25948484331-1, 3319 remote processes, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote test-setup.sh tsc_noemit_test_/tsc_noemit_test, remote generate-xml.sh, and a 24.2s passing action. Run 25953478878 then proved //:playwright_tmd_smoke as a private Playwright TMD browser-smoke target class with repo-scoped deploy-key checkout, consumer commit 08555e16b9ee0504b1b23e6373b5b6bbfb799f5f, forced execution, proof nonce 20260516T050753Z-25953478878-1, 3318 remote processes, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, remote test-setup.sh playwright_tmd_smoke_/playwright_tmd_smoke, remote generate-xml.sh, and a 4.5s passing action. That is not broad MassageIthaca RBE. Run 25970619559 then proved tinyland-inc/tinyland.dev //:app_typecheck from main with GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260516T191944Z-25970619559-1, 5578 processes: 1 action cache hit, 2567 remote cache hit, 2955 internal, 56 remote, remote TypeScript tsc, remote Svelte build tool, remote Vite build tool, remote app_typecheck_tool, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one private tinyland.dev root app typecheck target class, not all tinyland.dev builds, all tinyland.dev tests, browser E2E, Vite production build RBE, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. Run 25978934708 then proved tinyland-inc/tinyland.dev //:app_build from main with GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260517T021820Z-25978934708-1, 6146 processes: 3125 remote cache hit, 2959 internal, 62 remote, remote TypeScript package fanout, remote JsRunBinary app_build.log, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one private tinyland.dev root Vite/SvelteKit production-build target class, not all tinyland.dev builds/tests, browser E2E, deployed app behavior, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. Run 25981546207 then proved tinyland-inc/tinyland.dev //packages/tinyland-activitypub:test from main with GitHub App checkout authority, workspace_path=consumer-workspace, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260517T044208Z-25981546207-1, 728 processes: 1 action cache hit, 299 remote cache hit, 415 internal, 14 remote, remote esbuild lifecycle-hook execution, remote TypeScript tsc for packages/tinyland-content-types, remote test-setup.sh packages/tinyland-activitypub/test_/test, remote generate-xml.sh, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one private tinyland.dev ActivityPub package Vitest target class, not all tinyland.dev package tests, browser E2E, deployed app behavior, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. Run 25984827370 then proved tinyland-inc/tinyland.dev //packages/tinyland-a11y-engine:typecheck from main with GitHub App checkout authority, workspace_path=consumer-workspace, consumer checkout commit 3730c6966d5e069cff92abc7c606fca9db5b54af, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260517T073751Z-25984827370-1, 553 processes: 223 remote cache hit, 328 internal, 2 remote, remote esbuild lifecycle-hook execution, remote TypeScript tsc for packages/tinyland-color-utils, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one private tinyland.dev package TypeScript typecheck target class, not all package typechecks, all TypeScript, Vite/SvelteKit builds, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. Run 26001030662 then proved tinyland-inc/tinyland.dev //:web_package_typecheck_fanout from main after tinyland.dev PR #445 added the finite target over //packages/tinyland-a11y-engine:typecheck, //packages/tinyland-color-utils:typecheck, and //packages/tinyland-security:typecheck. The proof used GitHub App checkout authority, workspace_path=consumer-workspace, consumer main commit dcc20d11b8919ae259ce8b3e9b982a37e2d6b56b, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260517T195322Z-26001030662-1, 789 processes: 321 remote cache hit, 465 internal, 3 remote, remote esbuild lifecycle-hook execution, remote TypeScript tsc for packages/tinyland-color-utils and packages/tinyland-auth, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one bounded private tinyland.dev package typecheck fanout class, not all package typechecks, all TypeScript, Vite/SvelteKit builds, Vitest, Playwright/Puppeteer, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. Run 26002645581 then proved tinyland-inc/tinyland.dev //:web_package_vitest_fanout from current main after tinyland.dev PR #447 added the finite target and PR #449 removed the test_suite tag filter that expanded the first proof attempt to zero tests. The proof used GitHub App checkout authority, workspace_path=consumer-workspace, consumer main commit 8ee22a2a0130f7241a42c2e3666e310c89a5cfdf, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260517T210344Z-26002645581-1, 1102 processes: 1 action cache hit, 438 remote cache hit, 642 internal, 22 remote, remote test-setup.sh actions for the color-utils, forms, and security package Vitest targets, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one bounded private tinyland.dev package Vitest fanout class, not all package tests, all Vitest, root app tests, Vite/SvelteKit builds, Playwright/Puppeteer, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. Run 25989829826 then proved tinyland-inc/tinyland.dev //:playwright_local_route_smoke from main with GitHub App checkout authority, workspace_path=consumer-workspace, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260517T114200Z-25989829826-1, 6155 processes: 3139 remote cache hit, 2963 internal, 53 remote, remote TypeScript tsc, remote Vite build-tool execution, remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, remote generate-xml.sh, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one private tinyland.dev local-server Playwright route-smoke target class, not all Playwright, all tinyland.dev routes, deployed E2E, full app behavior, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. Run 26051698671 then proved tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke from main with GitHub App checkout authority, workspace_path=consumer-workspace, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260518T181314Z-26051698671-1, 6319 processes: 1 action cache hit, 3135 remote cache hit, 3052 internal, 132 remote, remote npm lifecycle-hook execution for @tailwindcss/oxide, sharp, and esbuild, remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one private tinyland.dev local-server Puppeteer route-smoke target class, not all Puppeteer, all tinyland.dev routes, deployed E2E, full app behavior, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. Run 25983800544 then proved Jesssullivan/MassageIthaca //:sveltekit_node_build from main with repo-scoped deploy-key checkout authority, consumer commit e06a70d12417f04568092a62e225b6c6595c3b39, forced execution, proof nonce 20260517T064447Z-25983800544-1, 7379 processes: 2 action cache hit, 4186 internal, 3193 remote, remote lifecycle-hook execution for esbuild, msw, and sharp, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, proof verifier success, and Kubernetes restart evidence that stayed at 0. That is one private MassageIthaca SvelteKit/Vite production-build target class, not all MassageIthaca builds/tests, deployed booking E2E, image publication, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability. PR #690 then resolved the capacity regression exposed by the larger TypeScript fanout proof by making the enlarged gf-reapi-cell scale to zero between proof runs; PR #695 added the follow-on scarce-lane queue-pressure diagnostic after the PR #694 tinyland-nix-heavy contention window. Both are runner capacity hygiene, not new RBE target-class claims. PR #574 added the checked RBE target eligibility manifest; PR #575 added optional backend-neutral ARC executor endpoint wiring without making executor-backed mode the default. The forced explicit GF REAPI proof run 25581256308 built //app:build with GF_RBE_PROOF_FORCE_EXECUTION=true, --remote_accept_cached=false, remote_executor=grpc://gf-reapi-cell.gf-rbe.svc.cluster.local:8980, worker image sha256:be2832171ac69cc9a2d012b3c789e8b765afb7cae0df8f7e9677dd6d8542dbc0, and 2308 processes: 1439 internal, 869 remote. PR #582 then made build/test proof mode explicit and default-branch run 25601913985 tested //app:unit_tests with bazel_command=test, forced execution, 20 Vitest files, 168 passing tests, and 1249 processes: 722 internal, 527 remote. Main run 25602726443 then built //:deployment_bundle with bazel_command=build, forced execution, 7 processes: 6 internal, 1 remote, and worker evidence for the rules_pkg build_tar action. PR #585 repaired the docs-site Bazel source shape, and main run 25608601158 built //docs-site:build with bazel_command=build, forced execution, 2529 processes: 1483 internal, 1046 remote, and remote JsRunBinary evidence for docs-site/.svelte-kit and docs-site/build. Main run 25634296833 then proved pure-Go //examples/hello-go:hello_test with bazel_command=test, forced execution, 20 processes: 9 internal, 11 remote, remote GoStdlib / compile / link / test-setup evidence, and a passing Go test. The prior run 25632300253 remains cgo-backed Go worker/toolchain blocker evidence: runtime/cgo failed with cc: no such file or directory. After the worker image carried the C/C++ wrapper closure, run 25649628233 proved the separate cgo-backed //examples/hello-go-cgo:cgo_test target with bazel_command=test, forced execution, 18 processes: 7 internal, 11 remote, remote runtime/cgo, GoCompilePkg, GoLink, test-setup evidence, and one passing cgo-backed Go test. Broader cgo-backed Go remains unproved. Run 25638930305 is the next negative target-class proof: it forced the //examples/hello-cc:hello_test test proof, reached the remote C++ compile action, then failed because the worker lacked /nix/store/zx71vq7s1v840wqsrw2m2ckmxn413a2b-gcc-wrapper-13.3.0/bin/gcc. Bazel reported 6 processes: 6 internal. After the worker image carried the C/C++ wrapper closure, run 25648975728 proved the trivial C++ unit-test class with bazel_command=test, forced execution, 8 processes: 4 internal, 4 remote, remote gcc compile/link and test-setup evidence, and one passing C++ test. Run 25712694947 proved the first browser/web target class, //docs-site:playwright_chromium_smoke, with bazel_command=test, forced execution, 2549 processes: 1489 internal, 1060 remote, remote sveltekit_sync, remote vite_build, remote test-setup, and a passing playwright-core smoke with /bin/chromium. This is one Chromium static-site Vite/SvelteKit smoke class, not broad Playwright, Puppeteer, or deployed-environment E2E RBE. Run 25826953857 proved the first public consumer Puppeteer browser/web target class, tinyland-inc/omux.xoxd.ai //:puppeteer_chromium_smoke, with bazel_command=test, forced execution, 137 remote processes, remote sveltekit_sync, remote vite_build, remote test-setup, and a passing puppeteer-core smoke with /bin/chromium. This is one Chromium static-output Vite/SvelteKit consumer smoke class, not broad Puppeteer or deployed-environment E2E RBE. Run 25742782051 proved the public omux Vitest target class, tinyland-inc/omux.xoxd.ai //:unit_tests, with bazel_command=test, forced execution, 4 remote processes, remote test-setup.sh unit_tests_/unit_tests ... ./vitest.config.ts, and the same browser-capable worker image. This is one public Vite/SvelteKit Vitest unit-test class, not all omux tests or private tinyland.dev package RBE. Run 25891956165 then proved the public omux standalone build target class, tinyland-inc/omux.xoxd.ai //:build, with bazel_command=build, forced execution, non-secret GF_RBE_PROOF_NONCE action-key perturbation, 4 remote processes, remote @tailwindcss/oxide and esbuild lifecycle-hook actions, remote sveltekit_sync, and remote vite_build. This is one public SvelteKit/Vite build class, not broad web build RBE or private package builds. Run 25897326537 proved the public omux Playwright static-output smoke class, tinyland-inc/omux.xoxd.ai //:playwright_chromium_smoke, with bazel_command=test, forced execution, proof nonce 20260515T024138Z-25897326537-1, 6 remote processes, public main commit d3608a5a6325adee0a5e625cf7ad76b470e7b83f, remote @tailwindcss/oxide and esbuild lifecycle-hook actions, remote sveltekit_sync, remote vite_build, remote test-setup.sh playwright_chromium_smoke_/playwright_chromium_smoke, remote generate-xml.sh, and a passing Playwright Chromium smoke with /bin/chromium. This is one public omux Playwright target class, not broad Playwright, Vitest browser mode, private package builds, or hosted E2E. Run 26005817853 then proved the public omux local-server Playwright route-smoke class, tinyland-inc/omux.xoxd.ai //:playwright_local_route_smoke, with bazel_command=test, forced execution, proof nonce 20260517T232840Z-26005817853-1, 13 remote processes, public main commit cd730bdc432b6eb2af4cac7032c040e4ab734da7, GitHub App checkout authority, remote @tailwindcss/oxide and esbuild lifecycle-hook actions, remote sveltekit_sync, remote vite_build, remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, remote generate-xml.sh, and a passing /agent-snippet route smoke using /bin/chromium. This is one public omux local-route target class, not all omux routes, hosted E2E, or broad Playwright. Run 26037732121 then proved the public omux local-server Puppeteer route-smoke class, tinyland-inc/omux.xoxd.ai //:puppeteer_local_route_smoke, with bazel_command=test, forced execution, proof nonce 20260518T135044Z-26037732121-1, 10 remote processes, public main commit 50e0b796cbc44bc82de67891b1999e7e48cff473, GitHub App checkout authority, remote @tailwindcss/oxide and esbuild lifecycle-hook actions, remote sveltekit_sync, remote vite_build, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, and a passing /agent-snippet route smoke using /bin/chromium. This is one public omux local-route Puppeteer target class, not all omux routes, hosted E2E, broad Puppeteer, or Playwright. Run 26051698671 then proved the private tinyland.dev local-server Puppeteer route-smoke class, tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke, with bazel_command=test, forced execution, proof nonce 20260518T181314Z-26051698671-1, 132 remote processes, private main commit dcb859f658092dc2a6c0f33223cb9ec9a4055c18, GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, remote @tailwindcss/oxide, sharp, and esbuild lifecycle-hook actions, remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, and a passing /legal/privacy route smoke using /bin/chromium. This is one private tinyland.dev local-route Puppeteer target class, not all tinyland.dev routes, hosted E2E, broad Puppeteer, or Playwright. Runs 25777472760, 25894297074, and 25779597385 then proved the public Jesssullivan/jesssullivan.github.io //:puppeteer_chromium_smoke, //:playwright_chromium_smoke, and //:sveltekit_vite_build_smoke classes with bazel_command=test, forced execution, 855 remote processes each, remote test-setup, and the same browser-capable worker image. The Playwright proof recorded proof nonce 20260515T005745Z-25894297074-1 and remote test-setup.sh playwright_chromium_smoke_/playwright_chromium_smoke with exit_code=0. Those are public consumer target-class proofs, not repo-wide web RBE, publication, or hosted E2E. Run 25938855554 proves one private Jesssullivan/MassageIthaca //:svelte_check_test SvelteKit/svelte-check target class with forced execution, proof nonce 20260515T200641Z-25938855554-1, 3319 remote processes, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote test-setup.sh svelte_check_test_/svelte_check_test, and remote generate-xml.sh; it does not prove all MassageIthaca tests, browser tests, or deployed flows. Run 25948484331 proves one private Jesssullivan/MassageIthaca //:tsc_noemit_test TypeScript no-emit target class with proof nonce 20260516T005553Z-25948484331-1, 3319 remote processes, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote test-setup.sh tsc_noemit_test_/tsc_noemit_test, remote generate-xml.sh, and a 24.2s passing action; it does not prove all MassageIthaca tests, browser tests, or deployed flows. Run 25953478878 proves one private Jesssullivan/MassageIthaca //:playwright_tmd_smoke Playwright TMD browser-smoke target class with proof nonce 20260516T050753Z-25953478878-1, 3318 remote processes, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, remote test-setup.sh playwright_tmd_smoke_/playwright_tmd_smoke, remote generate-xml.sh, and a 4.5s passing action; it does not prove all MassageIthaca tests, all Playwright, hosted E2E, or deployed flows. Run 25970619559 proves one private tinyland-inc/tinyland.dev //:app_typecheck root typecheck target class with GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260516T191944Z-25970619559-1, 56 remote processes, remote TypeScript tsc, remote Svelte build tool, remote Vite build tool, remote app_typecheck_tool, and Kubernetes restart evidence that stayed at 0; it does not prove all tinyland.dev builds/tests, browser E2E, Vite production build RBE, durable private mirror/repository-cache authority, or broad/default web RBE. Run 25978934708 proves one private tinyland-inc/tinyland.dev //:app_build root Vite/SvelteKit production-build target class with proof nonce 20260517T021820Z-25978934708-1, 62 remote processes, remote TypeScript package fanout, remote JsRunBinary app_build.log, and Kubernetes restart evidence that stayed at 0; it does not prove all tinyland.dev builds/tests, browser E2E, deployed app behavior, durable private mirror/repository-cache authority, or broad/default web RBE. Run 25981546207 proves one private tinyland-inc/tinyland.dev //packages/tinyland-activitypub:test package Vitest target class with proof nonce 20260517T044208Z-25981546207-1, 14 remote processes, remote esbuild lifecycle-hook execution, remote TypeScript tsc, remote test-setup.sh packages/tinyland-activitypub/test_/test, remote generate-xml.sh, proof verifier success, and Kubernetes restart evidence that stayed at 0; it does not prove all tinyland.dev package tests, browser E2E, deployed app behavior, durable private mirror/repository-cache authority, or broad/default web RBE. Run 25984827370 proves one private tinyland-inc/tinyland.dev //packages/tinyland-a11y-engine:typecheck package TypeScript typecheck target class with proof nonce 20260517T073751Z-25984827370-1, 2 remote processes, remote esbuild lifecycle-hook execution, remote TypeScript tsc for packages/tinyland-color-utils, proof verifier success, and Kubernetes restart evidence that stayed at 0; it does not prove all tinyland.dev package typechecks, all TypeScript, durable private mirror/repository-cache authority, or broad/default web RBE. Run 26001030662 proves one private tinyland-inc/tinyland.dev //:web_package_typecheck_fanout bounded package typecheck fanout target class with proof nonce 20260517T195322Z-26001030662-1, 3 remote processes, remote esbuild lifecycle-hook execution, remote TypeScript tsc for packages/tinyland-color-utils and packages/tinyland-auth, proof verifier success, and Kubernetes restart evidence that stayed at 0; it does not prove all tinyland.dev package typechecks, all TypeScript, Vite/SvelteKit builds, durable private mirror/repository-cache authority, or broad/default web RBE. Run 26002645581 proves one private tinyland-inc/tinyland.dev //:web_package_vitest_fanout bounded package Vitest fanout target class with proof nonce 20260517T210344Z-26002645581-1, 22 remote processes, remote test-setup.sh actions for the color-utils, forms, and security package Vitest targets, proof verifier success, and Kubernetes restart evidence that stayed at 0; it does not prove all tinyland.dev package tests, all Vitest, root app tests, Vite/SvelteKit builds, durable private mirror/repository-cache authority, or broad/default web RBE. Run 25989829826 proves one private tinyland-inc/tinyland.dev //:playwright_local_route_smoke local-server Playwright route-smoke target class with proof nonce 20260517T114200Z-25989829826-1, 53 remote processes, remote TypeScript tsc, remote Vite build-tool execution, remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, remote generate-xml.sh, proof verifier success, and Kubernetes restart evidence that stayed at 0; it does not prove all Playwright, all tinyland.dev routes, deployed E2E, durable private mirror/repository-cache authority, or broad/default web RBE. Run 26005817853 proves one public tinyland-inc/omux.xoxd.ai //:playwright_local_route_smoke local-server Playwright route-smoke target class with proof nonce 20260517T232840Z-26005817853-1, 13 remote processes, remote @tailwindcss/oxide and esbuild lifecycle hooks, remote sveltekit_sync, remote vite_build, remote test-setup.sh playwright_local_route_smoke_/playwright_local_route_smoke, remote generate-xml.sh, artifact id 7047042599, artifact sha256 9b4509a1095f707678d2e13a4f78861db74d55cb5af2538e8c277ec3bae1e4c4, and Kubernetes restart evidence that stayed at 0; it does not prove all omux routes, deployed E2E, or broad/default web RBE. Run 26037732121 proves one public tinyland-inc/omux.xoxd.ai //:puppeteer_local_route_smoke local-server Puppeteer route-smoke target class with proof nonce 20260518T135044Z-26037732121-1, 10 remote processes, remote @tailwindcss/oxide and esbuild lifecycle hooks, remote sveltekit_sync, remote vite_build, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, artifact id 7059740497, artifact sha256 cf768f62b03f84e3246a2adc012fa14b6c7026ede1bcb2e0d8352f8221b1dd4c, and Kubernetes restart evidence that stayed at 0; it does not prove all omux routes, deployed E2E, broad Puppeteer, or broad/default web RBE. Run 26051698671 proves one private tinyland-inc/tinyland.dev //:puppeteer_local_route_smoke local-server Puppeteer route-smoke target class with proof nonce 20260518T181314Z-26051698671-1, 132 remote processes, remote @tailwindcss/oxide, sharp, and esbuild lifecycle hooks, remote TypeScript tsc, remote Svelte and Vite build-tool execution, remote test-setup.sh puppeteer_local_route_smoke_/puppeteer_local_route_smoke, remote generate-xml.sh, artifact id 7065881708, artifact sha256 270bcb553348afb4ae8a77f2954bb4f9fa75c2570b6d2d26a6eef9dbc612ea99, and Kubernetes restart evidence that stayed at 0; it does not prove all tinyland.dev routes, deployed E2E, broad Puppeteer, or broad/default web RBE. Run 25983800544 proves one private Jesssullivan/MassageIthaca //:sveltekit_node_build SvelteKit/Vite production-build target class with proof nonce 20260517T064447Z-25983800544-1, 3193 remote processes, remote lifecycle-hook execution for esbuild, msw, and sharp, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, proof verifier success, and Kubernetes restart evidence that stayed at 0; it does not prove all MassageIthaca builds/tests, deployed booking E2E, image publication, durable private mirror/repository-cache authority, or broad/default web RBE. Run 25892939448 refreshed and promoted the public Jesssullivan/jesssullivan.github.io //:types_unit_tests Vitest class with bazel_command=test, forced execution, proof nonce 20260515T001050Z-25892939448-1, 855 remote processes, remote lifecycle-hook evidence for esbuild, sharp, and puppeteer, and remote test-setup.sh types_unit_tests_/types_unit_tests with exit_code=0. This is one public SvelteKit/Vite/Vitest unit-test class, not broad/default web RBE or private consumer package RBE. The earlier PR #491 checkpoint at c4544a65e536bac0576820ed04523e4a82d3701b and PR #489 checkpoint at 568fad179217251e8c9b4c3c7d80e49965f5fddc also proved Deploy ARC Runners and Build Container Images; the earlier PR #477 checkpoint at 734e27902e28f095160a67483de5c6eca1c57477 remains a known-good cache proof package
• PR #445 aligned the hygiene contract: just check is now the bounded local gate, heavyweight Nix/OpenTofu validation is explicit through just check-full / just nix-check, and the repo-owned scripts/tofu wrapper keeps OpenTofu resolution on the flake-managed path
• PR #444 records the current Docker placement boundary: stateless tinyland-docker work can use sting as compute-expansion relief, but kube-API mutation workflows such as ARC plan/apply stay on a honey-bound capability lane until sting control-plane reachability is separately proved
• The shared tinyland-dind capability now has a bounded tinyland-dind-compute-expansion overflow lane on sting; the current shared envelope is 20 honey DinD slots plus 16 sting fast-local overflow slots. The overflow lane uses local-path-sting-fast-ephemeral generic ephemeral PVCs for runner workspace (48Gi) and Docker graph (96Gi) scratch so container-build bursts consume sting fast-local SSD/NVMe storage instead of kubelet root ephemeral storage or bumble OpenEBS. Keep follow-on runner throughput work in the ARC capacity policy lane: source-owned additive overflow first, read-only storage/admission audits before mutation, and no active baseline scale-set cap widening under load as the default response.
• May 13 adds the operator guardrail that was missing during the queue-pressure loop: just arc-burst-capacity-audit must be the first read for shared-label bursts. It reports Honey pod-slot headroom, per-label owner/scale-set fanout, active runner job attribution, included runner placement reasons, runner namespace quota, kubelet root/imagefs summary data, and active Sting fast-local DinD PVC evidence in one place. This is AX/DX product work, not a new capacity bump. When a fanout strands pods on Unschedulable / Too many pods, the audit should show that as a placement-policy problem before anyone treats the cluster as raw CPU or memory exhausted.
• May 15 adds the ARC managed-apply productionization gate: the deploy workflow must run outside the labels it quiesces, max-freeze shared consumer scale sets during apply, snapshot caps for restore on failure, give active shared jobs a bounded 20-minute drain window, generate and guard a fresh post-quiesce apply plan so successful applies reconcile manual cap freezes, restore caps from source tfvars targets on success before listener proof, keep the snapshot only as the failure rollback, keep best-effort failure restore in the workflow trap, and prove listener caps afterward. tinyland-nix-operator is the dedicated control-plane lane; the existing tinyland-nix-heavy path is only a bootstrap fallback until that lane is live and selected through ARC_DEPLOY_RUNNER_LABEL.
• the public-alpha export seed has landed: PR #419 merged at cacc9497617f8c2f096afb5152d16e8774dd8d14, TIN-551 is Done, and the default-branch proof package is green
• the implementation-overlay boundary repair has landed: PR #420 merged at b120c99eddf0dbabfce8d07116ac8dfa7c1a7590, PR #422 merged the workstream tracking surface, and the follow-on work is now overlay authority, placement, capacity, and cache-key drift rather than core-boundary invention
• the repo is public, but the executable consumer-facing alpha route is still the scrubbed fresh-history export produced by just public-alpha-export until full-tree public API posture is separately accepted
• repo-level GitHub work is intentionally narrow: #421 / TIN-568 is closed after the Honey overlay authority and Jess six-release state rehome; #433 and #426 are closed after the April 26 Attic authority and tubebrain placement cleanup; #438 / TIN-681 is closed after the Docker-capable MassageIthaca shared-runner proof; #417 is closed after the downstream lab package-canary cache proof; #487 and #493 are closed after the KVM pickup/signal-9 closeout. Open issues #413, #412, and #407 carry shared-lane reachability and compatibility-retirement follow-up
• keep the default-branch proof package green after the PR #404 / TIN-545 heavy-lane hardening
• treat Platform Proof and Source Bazel Proof as required operating truth
• keep the fixed Source Bazel Proof honest: the proof must pass the real BAZEL_REMOTE_CACHE value to Bazel, not only assert that the environment variable exists
• keep Source Bazel Proof cache-substrate failures visible: representative Attic NAR read stalls should fail at the bounded canary before nix develop, not masquerade as slow or flaky Bazel package failures. Rotate the canary only with live body-read evidence; a stale narinfo that redirects to a missing RustFS chunk is repair debt, not a green canary candidate.
• retire repo-shaped runner taxonomy from config, docs, and planning surfaces
• retire local-heavy Bazel teaching from canonical product surfaces
• restate and prove the pooled GloriousFlywheel dev-plus-CI substrate contract
• make source-repo dogfooding the first proof point again
• keep Chapel, Nix, and Bazel-heavy workloads in the core product lane; they are not special exceptions
• treat native aarch64, riscv, and Dawn dispatch as future lane research, not current platform contract surfaces
• treat localized warm-cache guarantees for heavy Hackage, Chapel, GPU backends, and similar toolchain surfaces as future architecture work, not a present runner-level promise
• keep docs/admin surfaces explicit that repo-managed proof still depends on self-hosted cache injection, cluster-local reachability, and bounded runner capacity
• keep blocked downstream repos framed as shared-lane reachability debt rather than as justification for repo-shaped lanes
• keep the Tinyland and Jess implementation-overlay authority repos green, keep their least-privilege core-read/deploy-key paths working, refresh pins when the reusable stack contract changes, and keep owner-specific GitHub App installs, tfvars, and private anchors there
• keep the completed Jess state rehome honest: the six compatibility releases are now Jess-overlay-owned quarantine, not core residue and not retired
• keep the completed TIN-490 ARC lane retirement honest: the live stack removed repo-derived scale sets and the post-apply source/platform proofs passed
• keep current-state, roadmap, and Linear/admin surfaces synchronized after each default-branch proof package changes
• keep auth authority explicit without implying that tailnet access or GitLab compatibility mutation is already a forge-neutral control plane
• keep just dogfood-contract-audit green so first-party hosted-runner usage, stale endpoint references, and raw-Bazel teaching cannot drift silently
• keep overlay/capacity issues clear that owner-distinct ARC scale-set names are registration/auth identities, not repo-specific workflow labels or a global concurrency policy
• keep the worktree cleanup conservative: stale recovery/checkpoint worktrees should be pruned only after their unmerged commits or uncommitted diffs are classified as merged, superseded, or intentionally preserved elsewhere

Next

• close the public-alpha reopen decision around the scrubbed fresh-history export/mirror route: secret scanning, public-docs scrub, README brevity, dogfood contract audit, export, and post-merge main proof are green, while direct full-repo visibility stays blocked
• do not directly flip the private repository public while just public-alpha-visibility-report still reports history/current-tree blockers. The 2026-05-02 closeout decision is to use the scrubbed public mirror/export for alpha, not to rewrite history or accept internal history exposure as part of the alpha gate.
• keep just public-alpha-export-check green and use just public-alpha-export as the short-term fresh-history mirror route
• strengthen source-repo live substrate proof before expanding downstream consumer claims
• promote the next productionization slice through a fresh issue or project surface instead of continuing feature work inside the completed stability / substrate / cache / auth execution board
• tighten auth and enrollment reporting so blocked repos stay visible as control-plane debt instead of taxonomy drift
• keep bumble rootfs/imagefs headroom visible as node hygiene after the 2026-04-25 ARC eviction follow-up; the node is storage-biased and currently DiskPressure=False, but raw ZFS capacity is not a substitute for kubelet root/image filesystem headroom. The April 29 read-only audit reported only 16.3% available rootfs/imagefs/containerfs headroom on bumble, so the node hygiene remains real even without active DiskPressure. The May 1 offline fixture guard now covers healthy, warning, and critical rootfs/imagefs/containerfs thresholds in CI, but does not replace live node remediation. The May 2 decision is to keep default ARC/GitLab runner placement off bumble and guard that in just runner-scale-contract-check; TIN-613 is closed on that scheduling-avoidance and guard basis. Host-level RKE2/containerd or /nix reshaping remains a separate maintenance decision before bumble can become runner burst capacity again.
• define the next proof so it exercises local-dev substrate attachment and CI cache reuse without teaching raw local Bazel or repo-shaped runner lanes
• keep the new runner IaC contract guards green: just runner-cache-contract-check, just attic-public-key-contract-check, just runner-scale-contract-check, just runner-capacity-model-check, just tofu-tfvars-check, just tofu-image-pin-check, just tofu-provider-lock-check, and just tofu-plan-guard-check
• keep the first owner implementation overlays green after moving from enrollment proof to live-state disposition; the current authorities are tinyland-inc/tinyland-infra and Jesssullivan/jesssullivan-infra
• resolve the active operational follow-ons without taxonomy drift: the still-open GitHub issue mirrors #413, #412, and #407 carry shared-lane reachability and compatibility-lane retirement; #417, #487, #493, TIN-568, TIN-613, TIN-620, TIN-627, TIN-643, TIN-681, TIN-758, #421, and #438 are now closed and should remain historical proof, not active repo-shaped-lane prompts
• use just arc-listener-queue-drift --repo tinyland-inc/GloriousFlywheel --run-id <run-id> --fail-on-drift when GitHub shows a queued ARC job but Kubernetes appears idle. The --repo value is part of the diagnostic because owner-overlay scale sets may share workflow-facing labels; the check should prefer the matching githubConfigUrl before classifying listener/session drift. A scale set with maxRunners > 0, a Running listener, and zero current/pending/running ARC runner activity is not a scale-set cap problem; it is a listener/session/broker symptom. Use just arc-network-continuity-audit to classify API/CNI, eviction, and node-pressure evidence before blaming cache/auth/overlay code. For the May 10 sprint kickoff, use just arc-runtime-audit --fail-on-listener-cap-drift --fail-on-runner-count-drift --fail-on-runner-session-drift as the live control-plane hygiene gate; the 2026-05-09 read-only run found tinyland-nix in Pending with no listener-config secret, two active stale runner pods, runner-count drift, and broker/socket retry logs. Deleting the stale EphemeralRunnerSet/tinyland-nix-xc9zx restored the tinyland-nix listener/config path and a strict post-remediation audit passed, so future recurrence should be handled with the same evidence flow rather than inferred from main being green or red. Use just arc-runtime-audit --fail-on-stale-idle-listener-blocker when a post-apply dogfood lane has maxRunners > 0, no listener-config, and no-job EphemeralRunner objects that appear to be blocking listener recreation; it requires GitHub runner busy=false evidence before printing cleanup guidance. Use just arc-diagnostic-self-tests to keep network-continuity classification, runtime audit session/cap/count drift, queue-drift, shared-label capacity, and burst-capacity fixtures covered offline while future ARC incidents stay classifiable and the TIN-627 capacity boundary stays guarded. Use just kubelet-imagefs-capacity-audit-self-test to keep the TIN-613 kubelet root/image filesystem warning and critical boundaries repeatable.
• keep TIN-650 and TIN-758 closed as proof/policy-complete: just cache-contract-strict fails before BAZEL_REMOTE_CACHE is set, and just developer-cache-attachment-proof //:deployment_bundle false builds one wrapper-managed target through a Honey svc/bazel-cache localhost port-forward when an operator supplies the endpoint. The supported developer-machine exposure policy is operator-provided endpoint only; tailnet-routable or public cache endpoints remain separate future infrastructure/auth decisions. GitHub #417 is closed after the downstream lab package-canary cache proof. This is still not a claim of Bazel remote execution.
• advance TIN-643 from implicit failure mode to explicit proof surface: Bazel external fetch authority reports whether external repository archives are backed by repository-cache / distdir authority or only by upstream retry mitigation, and the offline just bazel-external-fetch-authority-self-test guard proves both the classifier and wrapper CLI wiring. This remains separate from Bazel remote action cache and from remote execution.
• use just bazel-external-input-manifest as the next external-input authority guard. It names the current lockfile inputs and makes the remaining default source-proof blocker concrete: BCR registry files and generated archive repositories are hash-recorded, but generated Node.js toolchain repositories still enter through version/template URLs without a lockfile hash. The repo-owned docs/contracts/bazel-external-input-mirror-candidates.json contract now records candidate integrity for those eight Node.js 22.13.1 archives, the generated pybind11 archive surfaced by the refreshed lockfile, four critical Bzlmod archives, and hermetic launcher stubs, but all entries remain materialized: false. Source Bazel Proof now stages the Linux x64 Node archive plus the critical Bzlmod archives into an ephemeral verified BAZEL_DISTDIR before Bazel starts and validates docs/contracts/bazel-distdir-source-proof-coverage.json, which keeps the remaining generated Node and hermetic launcher candidates deferred. The next gate is still durable repository-cache, distdir, or approved mirror placement before the source path is product-grade against upstream fetch failure. docs/contracts/bazel-external-input-durable-authority.json now makes that next gate executable: it is no-live-durable-authority, has empty covered_inputs, keeps all 23 candidate inputs pending, and requires auth, retention, restore, provenance, and consumer exposure before any durable authority claim. The W3.5 source-local guard now adds just bazel-http-archive-pins-check and the Validate workflow check that rejects direct http_archive / http_file calls without non-empty sha256 pins. That prevents new unpinned direct archive inputs from widening the external-input authority gap, but it does not yet prove durable mirror placement or vendor-mode completeness. The W3.3 wrapper switches are also present now: BAZEL_OUTPUT_BASE isolates a fresh output base, and GF_BAZEL_REPOSITORY_DISABLE_DOWNLOAD=true passes --repository_disable_download so CI can prove a warm repository cache without bypassing the GloriousFlywheel wrapper contract. Source Bazel Proof now provides a run-local BAZEL_REPOSITORY_CACHE next to its verified distdir, packages the real Node Linux x64 archive through the provider-neutral mirror layout, restores a fresh distdir from that package, reruns //:deployment_bundle from a fresh BAZEL_OUTPUT_BASE with GF_BAZEL_REPOSITORY_DISABLE_DOWNLOAD=true, and uploads bazel-repository-cache-evidence.json using scripts/bazel-repository-cache-evidence.py. The remaining W3.3 work is live prepopulation and hit-rate evidence for the shared lane; the source proof package/restore and hermetic checks are still run-local warm-cache evidence, not durable authority. TIN-1468 now has a full candidate distdir package proof lane: scripts/bazel-distdir-full-package-proof.sh, .github/workflows/bazel-distdir-full-package-proof.yml, and just bazel-distdir-full-package-proof-contract-check. This lane runs on tinyland-nix-heavy, materializes every current external-input mirror candidate, packages the verified bytes into the provider-neutral mirror layout, verifies --all-candidates, restores --all-candidates, and emits bazel-distdir-full-package-proof-evidence.json. That is a stronger package-completeness signal than the one-archive source proof, but it still keeps durable_authority=false: no durable endpoint, auth boundary, retention/restore drill, or consumer exposure proof is selected yet. The next TIN-1468 live-storage lane is now wired as scripts/bazel-distdir-mirror-live-proof.py, .github/workflows/bazel-distdir-mirror-live-proof.yml, and just bazel-distdir-mirror-live-proof-contract-check. Bazel Distdir Mirror Live Proof is manual-only until a real non-secret authority package and scoped GF_EXTERNAL_INPUT_MIRROR_* credentials exist. The E3 status command now also reports the default non-secret authority package path separately, so a missing or non-proof_ready package cannot be hidden behind green GitHub name readiness. When dispatched, it reruns the full package proof on tinyland-nix-heavy, uploads the verified mirror package to the selected S3-compatible bucket/prefix, downloads it into a fresh mirror root, verifies the package again, restores a local BAZEL_DISTDIR, and emits live evidence without promoting the durable contract by itself. Use just bazel-distdir-mirror-github-readiness before dispatching; it currently reports TIN-1468_GITHUB_AUTHORITY_NOT_READY until the GitHub variable/secret injection surface has the scoped mirror names, and TIN-1468_AUTHORITY_PACKAGE_MISSING until the selected package exists. TIN-1470 now has a W3.4 vendor-mode canary rather than a design-only SLO: scripts/gf-bazel-vendor-mode-canary.sh, .github/workflows/gf-bazel-vendor-mode.yml, and just bazel-vendor-mode-canary-contract-check make the lane nightly/on-demand with evidence artifacts, scratch-disk preflight, timeout bounds, and production/full scope selection. Current truth remains red, but the red has moved forward: local probes on 2026-05-19 reached the third_party_local_repository_fixture_leak classifier from the BCR rules_pkg@1.1.0 MODULE’s rules_pkg~~_repo_rules~mappings_test_external_repo local test repository, plus a long-running Nix repository vendoring tail for opentofu/kubectl/yq-go. The 2026-05-21 scheduled run 26223210487 exposed the next resource-envelope truth: full-graph vendoring reached a Bazel Java heap OOM in rules_rust toolchain extraction on the baseline tinyland-nix lane. The canary now belongs on the shared tinyland-nix-heavy capability lane with an explicit GF_VENDOR_MODE_BAZEL_HOST_JVM_XMX envelope, and that signature is classified as rules_rust_toolchain_extract_heap_oom. The follow-up branch canary 26242395403 moved to the heavy lane and exposed the next source-owned capacity bug: live tinyland-nix-heavy still had only a 16Gi ephemeral-storage limit against the canary’s 40Gi scratch requirement. A managed ARC apply then moved the lane to 40Gi / 64Gi, and follow-up canary 26245482714 proved that full-graph vendoring can exceed that envelope by growing the vendor temp tree to roughly 53Gi before kubelet eviction at the 64Gi container scratch limit. The next canary, 26246609243, passed that old boundary and was later evicted at the 128Gi scratch limit. The ARC contract now raises the shared heavy lane to 192Gi requested and 256Gi limited ephemeral storage, with a 96Gi memory request and 160Gi memory limit. Managed apply 26247461740 reconciled that envelope live, and canary 26247715938 reached the real external-input defect instead of runner eviction. PR #768 now bumps rules_pkg to 1.2.0, whose BCR MODULE removes the internal local test repository, and makes artifact upload best-effort so GitHub quota saturation cannot hide the actual canary result. Follow-up canary 26350919668 moved past that leak and exposed a second repository-rule authority gap: pybind11_bazel needed an explicit local Python authority. PR #768 now adds pkgs.python3 to the CI devshell and passes --repo_env=PYTHON_BIN_PATH=... through vendor/build/test phases. Workflow-dispatch canary 26351062144 then passed the full-scope W3.4 lane on branch head 27e40ce: bazel vendor completed, materialized a roughly 170Gi vendor directory, and //:deployment_bundle built successfully from that vendor directory. Live runner observation showed a 141429174272 byte memory peak with zero cgroup OOM/max events. Current-main canary 26549932671 repeated the full-scope proof with downloadable evidence and showed the target class is scratch-heavy rather than memory-heavy in practice: roughly 170Gi scratch, around 14Gi pod memory, and no OOM/eviction. The committed heavy lane therefore keeps the 160Gi memory limit for bursts, lowers the memory request to 64Gi, and preserves the 192Gi / 256Gi scratch envelope so maxRunners = 2 is a truthful honey-backed dogfood target under ordinary cluster load. This is W3.4 vendor-mode proof, not E3/TIN-1447 closure; E3 still needs a consecutive-nightly streak and durable external-input authority. Workflow-dispatch canary 26587033690 then repeated the full-scope proof on 779c8fb1e60c3e026468fbcabeb72252d523af54, passed with classifier=ok, built //:deployment_bundle from the vendored graph, and again reached roughly 170Gi scratch. The canary’s default scratch preflight is therefore 192Gi, not the old placeholder 40Gi. The 2026-05-31 scheduled canary 26710742767 exposed the next E3 authority gap after the resource envelope stopped being the blocker: bazel vendor attempted to fetch hermetic_launcher’s runfiles-stub-x86_64-macos from GitHub and hit a 502. PR #855 then recorded the full hermetic_launcher prebuilt stub set in the candidate manifest and stages those verified bytes in BAZEL_DISTDIR before invoking bazel vendor. Workflow-dispatch canary 26717187299 proved that fix on the dogfooded tinyland-nix-heavy lane: bazel vendor completed, //:deployment_bundle built from the vendor directory, the evidence classifier was ok, and the branch was merged as 3d68e10. Post-merge main canary 26718312931 then repeated the proof on main at 3d68e10, with the vendor step, evidence summary, and artifact upload all green. This is still candidate integrity and local distdir staging, not durable mirror authority. The E3 external-input authority status command is now the operator rollup: just e3-external-input-authority-status reports the vendor-mode nightly streak, latest on-demand green proof, the Bazel Distdir Full Package Proof nightly streak, the TIN-1468_GITHUB_AUTHORITY_* mirror-injection gate, and the manual Bazel Distdir Mirror Live Proof result. It keeps the next gate honest: current status is still E3_EXTERNAL_INPUT_AUTHORITY_NOT_READY even with a green on-demand main proof; E3 still needs the scheduled vendor-mode streak to restart on main after 3d68e10 and the remaining durable-authority surfaces to go green.
• close the public WAS-110 pinned-input lane: the copied Bazel wrapper supports GF_BAZEL_INJECT_REPOSITORIES for verified generated local repositories, while BAZEL_REPOSITORY_CACHE and BAZEL_DISTDIR carry durable external-fetch authority. Main run 25589377905 promoted the generated public-community repository through the explicit REAPI proof lane with machine-verified remote execution evidence. Follow-on work must keep public pins distinct from private blobs and must not use RustFS as a trusted RBE CAS/action-cache authority.
• keep the new May-Aug RBE scaffold proof-first: the GF REAPI cell now has narrow explicit //app:build, //app:unit_tests, //:deployment_bundle, //docs-site:build, and WAS-110 public-input workflow proofs. The first //docs-site:build proof attempt found a package-boundary blocker rather than countable remote execution; PR #585 repaired the Bazel source shape and main run 25608601158 promoted it with 1046 remote processes. No broad/default RBE candidate is selected by that promotion. TIN-1027, TIN-665, TIN-671, TIN-672, and TIN-882 are closed; TIN-668 remains active as the target-class eligibility umbrella while new RBE classes are proved one by one. Executor-backed wrapper mode and ARC executor endpoint wiring remain opt-in and separate from the default cache-backed path. The W2 action-cache productionization slice now includes implemented primitives for writer attestation, platform-tagged AC entries, AC audit rows, surgical nuke-key/quarantine handling for one poisoned AC key, and a W2.5 non-attested writer chaos workflow. That is real RBE authority progress, but it is still not broad/default RBE until durable CAS/action-cache storage, tenant quota/fairness, retention/query/dashboard, worker lifecycle, and default-on rollout policy are proved. The first W5.3 fairness dashboard contract exists, but it is not yet the full tenant quota/fairness close condition. Buildbarn, Buildfarm, BuildBuddy, and NativeLink remain peer projects / possible spike targets, not GloriousFlywheel dependencies or selected backends. README and operator docs may cite the narrow target-scoped proof, but must not claim broad remote build until target eligibility, backend authority, and product wrapper posture are selected and CAS/action-cache authority, auth, worker lifecycle, benchmarks, and additional target eligibility are proved.
• retire or intentionally preserve the Jess-overlay-owned compatibility lanes tracked by #412. State rehome is complete; actual retirement still requires an owner-boundary/shared-scope decision or explicit downstream blocked state. The 2026-05-11 refresh shows scheduling-kit and scheduling-bridge already use the shared tinyland-nix workflow label, so #412 closure is now the live compatibility-lane retirement decision, not another label migration.
• keep GF #407 and #413 blocked until Dell-7810 and XoxdWM prove real personal-repo reachability to shared tinyland-nix. Both currently expose zero accessible repo-level self-hosted runners, so no canary should be counted or dispatched as proof yet.
• keep the orgwide enrollment queue as the executable owner-boundary decision surface: #407, #413, and #412 entries must carry related issue, proof-dispatch policy, required assigned-job or post-retirement proof, and explicit non-proof evidence so operator pressure does not become repo-shaped ARC rescue work.
• advance the next infra hygiene sequence in this order: TIN-617 for the honey/sting RKE2 quorum decision, TIN-1012 for the actual HA OpenTofu state authority implementation beyond the bumble-local RustFS singleton, and TIN-128 for the local-first Tofu deployment and tailnet-first operator-plane contract. Do not run live tofu plan / tofu apply as part of that planning work unless an explicit maintenance window is selected.
• keep adjacent Tofu and cluster-authority repos under review while the overlay work moves, especially blahaj, tailnet-acl, elders.tinyland.dev, ci-templates, Dell-7810, XoxdWM, and package remote-cache consumers

Later

• return to broader cache-first dogfood and advanced-runner productization only after the current execution sequence is stable
• turn the RBE proof package into a backend/product decision before wiring executor endpoints into default runners or public docs; keep wrapper executor use behind explicit executor-backed mode until then
• revisit wider capability-class expansion only after the current proof floors have stronger product-owned downstream contracts
• revisit broader multi-forge and user-facing product claims only after the GitHub + honey core has wider proved authority than the current bounded downstream proof set and Jess-owned shared-lane reachability debt
• do not promote future arch-specific or language-specific lanes until they have a named proof surface, a bounded owner, and a real dispatch contract