2026-05-10 Cache Forward Toward RBE

GloriousFlywheel — Week of May 10–16

Status: closeout execution record, reconciled through 2026-05-17 after GloriousFlywheel PR #698 promoted the ActivityPub package proof, PR #699 promoted the MassageIthaca production-build proof, and GF REAPI Cell run 25984827370 proved the tinyland.dev package typecheck target class; the latest audited GF post-merge green run set is 25982142xxx plus RustFS canary 25982895217.

Authors: Jess, Claude, Codex

Supersedes nothing. Sits alongside 2026-04-23-gloriousflywheel-pooled-substrate-dogfood-reset.md as the next operating week.

Vision restatement

A Bazel+Nix substrate where a small dev machine submits work into governed cache, runner, and REAPI capacity without learning the cluster — building/testing rust, c++, typescript, go (and later chapel, zig) hermetically against GloriousFlywheel infra.

Honest current line (reconciled 2026-05-10)

  • RBE proof is target-class scoped, not broad/default RBE. The current proved set is //app:build, //app:unit_tests, //:deployment_bundle, //docs-site:build, the WAS-110 public injected-repository handoff, the pure-Go, cgo-backed Go, Rust, and C++ unit-test classes at //examples/hello-go:hello_test, //examples/hello-go-cgo:cgo_test, //examples/hello-rust:hello_test, and //examples/hello-cc:hello_test, plus the target-scoped Playwright/Puppeteer/SvelteKit/Vitest/svelte-check web proofs and public omux standalone //:build proof recorded in config/rbe-target-eligibility.json. Default developer and CI posture remains cache-forward local/runner execution unless explicitly opted into the proved executor-backed path.
  • May 16-17 closeout added two private tinyland.dev app classes and capacity diagnostics. Run 25970619559 proved tinyland-inc/tinyland.dev //:app_typecheck with GitHub App checkout authority, verified private tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, 56 remote processes, remote TypeScript tsc, remote Svelte build tool, remote Vite build tool, and remote app_typecheck_tool evidence. Run 25978934708 then proved tinyland-inc/tinyland.dev //:app_build with the same checkout and distdir authority, forced execution, 62 remote processes, remote TypeScript package fanout, and remote JsRunBinary app_build.log evidence. PR #690 made the enlarged gf-reapi-cell scale to zero between proof runs. PR #695 then added Shared Label Queue Pressure to just arc-burst-capacity-audit after the PR #694 heavy-lane contention window. These are runner capacity and queue-visibility improvements, not target-class proofs.
  • May 17 added a private MassageIthaca production-build class. Run 25983800544 proved Jesssullivan/MassageIthaca //:sveltekit_node_build with repo-scoped deploy-key checkout authority, consumer commit e06a70d12417f04568092a62e225b6c6595c3b39, forced execution, proof nonce 20260517T064447Z-25983800544-1, 3193 remote processes, remote lifecycle-hook execution for esbuild, msw, and sharp, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, artifact verifier success, and Kubernetes restart evidence that stayed at 0. This is one private SvelteKit/Vite production-build target class, not all MassageIthaca builds/tests, deployed booking E2E, image publication, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability.
  • May 17 also added a private tinyland.dev package typecheck class. Run 25984827370 proved tinyland-inc/tinyland.dev //packages/tinyland-a11y-engine:typecheck with GitHub App checkout authority, workspace_path=consumer-workspace, consumer checkout commit 3730c6966d5e069cff92abc7c606fca9db5b54af, verified private tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260517T073751Z-25984827370-1, 2 remote processes, remote esbuild lifecycle-hook execution, remote TypeScript tsc for packages/tinyland-color-utils, artifact verifier success, and Kubernetes restart evidence that stayed at 0. This is one private package TypeScript typecheck target class, not all tinyland.dev packages, all TypeScript, Vite/SvelteKit builds, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability.
  • Toolchain breadth improved, and Stage 1 test breadth is now explicit. Rust, C++, and Go have BCR-backed binary examples plus trivial cache-backed test targets. Rust and Go use prebuilt language toolchains; C++ currently uses the runner/Nix/system cc toolchain shape. The pure-Go, cgo-backed Go, Rust, and C++ tests each have narrow REAPI proofs; broader Go target classes, broader cgo-backed Go target classes, broader Rust target classes, and broader C++ target classes are not RBE-proved yet. These are not Nix-sourced language toolchains. Zig/Chapel are absent.
  • The cgo-backed Go proof followed worker/toolchain hermeticity blocker evidence. PR #605 fixed the gf-reapi-cell output inlining bug from run 25631848864. Retry run 25632300253 reached real rules_go remote actions, then GoStdlib failed in runtime/cgo with cc: no such file or directory. PR #607 pinned pure = "on" for the trivial test, and run 25634296833 proved the pure-Go class with 11 remote processes. After the worker image carried the C/C++ wrapper closure, run 25649628233 proved the separate cgo-backed //examples/hello-go-cgo:cgo_test class with 11 remote processes and remote runtime/cgo, GoCompilePkg, GoLink, and test-setup evidence. Broader cgo-backed Go remains unproved.
  • The C++ proof followed a toolchain materialization blocker. Run 25638930305 forced the //examples/hello-cc:hello_test test proof through the GF REAPI Cell, reached the remote C++ compile action, then failed because the worker could not execute /nix/store/zx71vq7s1v840wqsrw2m2ckmxn413a2b-gcc-wrapper-13.3.0/bin/gcc. Bazel reported 6 processes: 6 internal, so that remains blocker evidence for the worker C/C++ closure. After the worker image carried that closure, run 25648975728 proved the trivial C++ unit-test class with 4 remote processes.
  • No live durable repository-cache/distdir/mirror authority. .bazelrc uses --disk_cache only. External fetches rely on --experimental_repository_downloader_retries=5 plus the WAS-110 --inject_repository= local override (examples/bazel/gloriousflywheel-bazel.sh:61–88). Source Bazel Proof now has an ephemeral Node Linux x64 distdir materializer and coverage contract, and docs/contracts/bazel-external-input-durable-authority.json records the product gate as no-live-durable-authority.
  • Dashboard Docker pnpm bootstrap is hardened, not mirrored. PR #609 made the dashboard image build explicitly prepare pnpm@9.15.4 with BuildKit cache mounts and bounded install concurrency. PR #610 added the missing corepack enable pnpm shim step after the first post-merge image build exposed /bin/sh: pnpm: not found. Build Container Images run 25637280370 is green on main. This is one Node/pnpm bootstrap resilience fix, not durable mirror authority.
  • BCR/package authority advanced separately from RBE. tinyland-inc/bazel-registry#42 registered tummycrypt_scheduling_bridge@0.5.11 with tummycrypt_scheduling_kit@0.8.0 and left historical 0.4.10 metadata unchanged after verifying the source release really depended on scheduling-kit ^0.7.7. This closes TIN-1041 as package-authority hygiene, not RBE evidence.
  • RustFS is interim_only per tests/ha_state_candidate_inventory.sh; bucket-index failures need restart to repair. Attic writes are quarantined via .github/actions/nix-job/action.yml:10.
  • ARC live wrinkle: the tinyland-nix Pending state from sprint kickoff resolved. The later #595 and #602 Platform Proof delays were saturated tinyland-dind capacity with a healthy listener, not listener-continuity or RBE regressions.
  • Dev attachment still requires operator-provided BAZEL_REMOTE_CACHE endpoint via scripts/bazel-cache-backed.sh.

End-of-week success

  1. Main stays green; no unclassified runner/cache/backend regression.
  2. ARC runner control plane is truthy: every product lane has a listener or an explicit debt ticket.
  3. RustFS remains quarantined from trusted writes and future RBE CAS/action-cache. Backend authority decision recorded.
  4. Bazel external input authority improves beyond “upstream with retries” for at least one real path (Codex stream).
  5. Three new Bazel-hermetic BCR toolchain wedges land for rust, c++, go, and the next test-proof gap is explicit.
  6. One next RBE target class is either proved through forced REAPI or blocked with exact hermetic/toolchain evidence (Codex stream).
  7. BCR/Bzlmod posture advanced separately from RBE.
  8. Docs and Linear reflect what is true, not what we want to be true.

May 11 Progress, Closables, And Goals

Progress

  • Runner throughput is no longer capped at the older DinD envelope. Current source and live shape is tinyland-dind=20 on honey plus tinyland-dind-compute-expansion=16 on sting.
  • Nix overflow exists but is deliberately bounded: tinyland-nix=16 on honey plus tinyland-nix-compute-expansion=4 on sting. That helps org-scoped Nix queue pressure; it does not solve personal-repo runner visibility.
  • The sting overflow lane uses local-path-sting-fast-ephemeral generic ephemeral PVCs for /home/runner/_work (48Gi) and /var/lib/docker (96Gi), so large recoverable DinD churn uses sting fast-local SSD/NVMe scratch instead of kubelet root ephemeral storage or bumble OpenEBS.
  • The May 10 queue-drain incident is classified as ARC/admission/storage envelope policy under burst, not raw cluster exhaustion.
  • TIN-1136 / the May 13 operator-clarity slice adds just arc-burst-capacity-audit as the first read for shared-label burst incidents. It keeps Honey pod-slot pressure, shared-label owner fanout, namespace quota, kubelet root/imagefs headroom, and Sting fast-local DinD PVC evidence together before another IaC mutation is proposed.
  • Blahaj #491 / TIN-1078 has complete SSD/NVMe evidence for honey, sting, mbp-13, pzm, and bumble. The bumble gap was Lab-owned SOPS sudo-source drift, not observed ZFS/OpenEBS failure; lab#424 reconciled the repo per-host SOPS source and the bumble-only privileged audit succeeded.
  • The active RBE frontier has moved from “can we prove any remote execution?” to target-class closure: pure-Go test is proved, C++ and cgo-backed Go have exact worker/toolchain blockers, and Rust runtime closure is now tracked by TIN-1115.

Closables

  • Lab #424 is closed after just host-sops-sudo-check bumble --strict reported PASS without printing decrypted material and the bumble-only storage audit collected privileged LVM/ZFS/SMART evidence.
  • Blahaj #491 is closed and TIN-1078 is Done. Keep exporter coverage gaps in Blahaj #59 instead of reopening the finite media audit.
  • Keep GloriousFlywheel #407 and #413 open until the Dell-7810 and XoxdWM owner-boundary proofs show real shared tinyland-nix reachability without repo-scoped runner sets or repo-specific labels.
  • Keep GloriousFlywheel #412 open until the personal package compatibility lanes are retired, not merely quarantined in the Jess overlay. The package repos already select ["tinyland-nix"]; retirement means removing the repo-registration compatibility lanes or selecting a broader owner boundary.
  • Use scoped scoreboard checks for these owner-boundary proofs: just orgwide-enrollment-scoreboard --repo Jesssullivan/Dell-7810 --repo Jesssullivan/XoxdWM --repo Jesssullivan/scheduling-kit --repo Jesssullivan/scheduling-bridge. The full orgwide scan remains a broader reporting job and should not block this tranche when GitHub API traversal is slow.
  • Treat TIN-952, TIN-953, TIN-955, TIN-1080, and TIN-99 as closed context, not active implementation lanes.

Goals

  • Do not live-patch active baseline ARC scale-set caps under load as the default queue response. Prefer source-owned capacity changes, additive overflow lanes, read-only storage/admission audits, planned deploys, and post-deploy runtime checks.
  • Treat AX/DX/UX for this sprint as an operator product requirement: an agent, developer, or on-call human must be able to answer “why is this queued?” with one read-only GloriousFlywheel command before touching ARC/Terraform/OpenTofu state.
  • Keep runner burst relief in GloriousFlywheel / TIN-1070. Keep SSD/NVMe health in Blahaj #491 / TIN-1078. Keep honey/sting NVMe balancing and cooling in TIN-618. Keep replicated storage HA and RKE2 quorum in TIN-617 / follow-on HA work.
  • Keep TIN-615/TIN-617/TIN-618 out of runner burst relief: Bumble OpenEBS watch/tuned-class adoption, RKE2 quorum/fixed endpoint, and Sting fast-local workload expansion are separate topology lanes with different acceptance checks.
  • Do not treat bumble OpenEBS/ZFS as hot DinD scratch. It remains the durable single-anchor PVC plane until a separate design accepts network-backed scratch semantics or lands replicated durable storage.
  • Preserve the product line: cache-forward local/CI execution is the default; RBE is target-class scoped and must stay tied to explicit eligibility and proof evidence.

May 12 Owner-Boundary Sprint Addendum

PR #626 merged at 12340a42f1a0b95f034f67d23554c7d3f6d8b61f and made the owner-boundary scoreboard part of the source-owned sprint record. The next bounded sprint packet is 2026-05-12-owner-boundary-proof-and-retirement.md.

Current closure boundary:

  • GF #407 / TIN-550 stays open until Dell-7810 has a real assigned-job proof on a compliant shared tinyland-nix runner, or Dell is explicitly left blocked.
  • GF #413 / TIN-592 stays open until XoxdWM has a real opt-in assigned-job proof on a compliant shared tinyland-nix runner.
  • GF #412 stays open until personal-package-nix-a/b are retired or replaced by an accepted broader owner-boundary model and package CI is reproved.
  • TIN-615, TIN-617, and TIN-618 stay separate infrastructure lanes; they do not solve GitHub owner-boundary visibility.

May 14 Backend And RBE Tracker Checkpoint

  • TIN-1147 is now the active RustFS/backend stop-go gate for trusted Attic publication. TIN-1046 remains the publication ramp issue, but it is blocked until TIN-1147 proves a non-restart RustFS repair/reindex path, a RustFS upgrade/topology fix, or a replacement backend. Known small-check and medium-check profiles are reproduction evidence, not safe ramp steps.
  • RustFS canaries and post-restart checks can prove current coherence for guarded reads/state checks. They do not promote RustFS to trusted Attic write fan-out, RBE CAS/action-cache, BCR publication, or HA state authority.
  • Private consumer proof status is now promoted for two narrow Vitest target classes. TIN-1160 has a positive MassageIthaca proof: run 25928429263 checked out Jesssullivan/MassageIthaca with the repo-scoped deploy key, forced execution, reported 3319 remote processes, and passed //:booking_operation_unit_tests. TIN-1125 now has a positive tinyland.dev proof after the exact blocker chain: run 25933145419 proved checkout, codeload distdir staging, remote-first execution, and 4 remote processes but failed on Grafana test Kubernetes semantics; tinyland.dev PR #401 fixed that test hermeticity issue; main proof 25935041748 then passed //packages/tinyland-grafana:test with repo-scoped deploy-key checkout, verified tummycrypt_tinyland_schemas:0.2.4 codeload distdir input, proof nonce 20260515T184435Z-25935041748-1, 1531 processes: 468 remote cache hit, 1059 internal, 4 remote, and remote test-setup.sh packages/tinyland-grafana/test_/test evidence. That is still one private package Vitest target class, not all tinyland.dev tests or broad web RBE.
  • TIN-1181 adds the next private app target class. MassageIthaca run 25938855554 proved //:svelte_check_test with repo-scoped deploy-key checkout, forced execution, proof nonce 20260515T200641Z-25938855554-1, 3319 remote processes, remote lifecycle-hook evidence for esbuild, sharp, @sparticuz/chromium, msw, and @vercel/speed-insights, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote test-setup.sh svelte_check_test_/svelte_check_test, and remote generate-xml.sh. This is one private SvelteKit/svelte-check target class, not broad MassageIthaca RBE, browser tests, or deployed flows.
  • Web/Vite/Svelte/Puppeteer RBE progress is real but target-class scoped: public consumer proof classes are recorded in the eligibility manifest and docs. Run 25742782051 also proves the public omux tinyland-inc/omux.xoxd.ai //:unit_tests Vitest target class with 4 remote processes and remote test-setup evidence. Run 25891956165 proves the public omux //:build SvelteKit/Vite standalone build target class with 4 remote processes, remote lifecycle-hook evidence, remote sveltekit_sync, and remote vite_build. Run 25892939448 proves the public Jesssullivan/jesssullivan.github.io //:types_unit_tests SvelteKit/Vite/Vitest target class with forced execution, proof nonce 20260515T001050Z-25892939448-1, 855 remote processes, remote lifecycle-hook evidence for esbuild, sharp, and puppeteer, and remote test-setup.sh types_unit_tests_/types_unit_tests with exit_code=0. Run 25894297074 proves the public Jesssullivan/jesssullivan.github.io //:playwright_chromium_smoke Playwright Chromium runtime-smoke target class with forced execution, proof nonce 20260515T005745Z-25894297074-1, 855 remote processes, remote lifecycle-hook evidence without browser downloads, and remote test-setup.sh playwright_chromium_smoke_/playwright_chromium_smoke with exit_code=0. Run 25897326537 proves the public omux tinyland-inc/omux.xoxd.ai //:playwright_chromium_smoke Playwright static-output target class with forced execution, proof nonce 20260515T024138Z-25897326537-1, 6 remote processes, remote @tailwindcss/oxide and esbuild lifecycle hooks, remote sveltekit_sync, remote vite_build, remote test-setup.sh playwright_chromium_smoke_/playwright_chromium_smoke, remote generate-xml.sh, and a passing Chromium smoke. Broad/default web RBE, broader private consumer target classes and builds, hosted E2E, and repo-wide migration remain unproved.
  • TIN-1199 adds the next private browser target class. MassageIthaca run 25953478878 proves //:playwright_tmd_smoke with repo-scoped deploy-key checkout, consumer commit 08555e16b9ee0504b1b23e6373b5b6bbfb799f5f, forced execution, proof nonce 20260516T050753Z-25953478878-1, 3318 remote processes, remote sveltekit_sync_bin_/sveltekit_sync_bin, remote vite_build_bin_/vite_build_bin, remote test-setup.sh playwright_tmd_smoke_/playwright_tmd_smoke, remote generate-xml.sh, and a 4.5s passing Playwright TMD smoke. This is one private browser-smoke target class, not broad MassageIthaca or deployed E2E RBE.
  • TIN-1197 adds the next private tinyland.dev app target class. Run 25970619559 proves tinyland-inc/tinyland.dev //:app_typecheck with GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260516T191944Z-25970619559-1, 5578 processes: 1 action cache hit, 2567 remote cache hit, 2955 internal, 56 remote, remote TypeScript tsc, remote Svelte build tool, remote Vite build tool, remote app_typecheck_tool, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. This is one private root app typecheck target class, not all tinyland.dev builds/tests, browser E2E, Vite production build RBE, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability.
  • TIN-1251 adds the next private tinyland.dev production-build target class. Run 25978934708 proves tinyland-inc/tinyland.dev //:app_build with GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 distdir staging, forced execution, proof nonce 20260517T021820Z-25978934708-1, 6146 processes: 3125 remote cache hit, 2959 internal, 62 remote, remote TypeScript package fanout, remote JsRunBinary app_build.log, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. This is one private root Vite/SvelteKit production-build target class, not all tinyland.dev builds/tests, browser E2E, deployed app behavior, durable private mirror/repository-cache authority, broad/default web RBE, or CAS/action-cache backend suitability.
  • Current product order: keep the green cache-forward baseline green, expand REAPI proofs one target class at a time without depending on RustFS write authority, and treat TIN-1147 as the stop/go decision for trusted cache publication.

May 16-17 RBE And Capacity Closeout

  • TIN-1197 is Done. tinyland-inc/tinyland.dev //:app_typecheck is now a proved private root SvelteKit app typecheck target class via GF REAPI Cell proof run 25970619559. The proof used GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 private distdir staging, forced execution, proof nonce 20260516T191944Z-25970619559-1, 5578 processes: 1 action cache hit, 2567 remote cache hit, 2955 internal, 56 remote, remote TypeScript tsc, remote Svelte build tool, remote Vite build tool, remote app_typecheck_tool, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0.
  • TIN-1251 is Done. PR #693 merged as 21090d6c49f9e23d72a007b2ae2c34b1aed05d9b and promoted tinyland-inc/tinyland.dev //:app_build after main-ref GF REAPI Cell proof run 25978934708 passed with forced execution, 62 remote processes, remote JsRunBinary app_build.log, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. Post-merge main is green for Secret Detection 25979569330, Tranche Proof Status 25979569346, Validate 25979569340, Deploy Docs 25979569334, Publish to FlakeHub 25979569333, Source Bazel Proof 25979569337, Build Container Images 25979569345, and Platform Proof 25979569332.
  • TIN-1270 is ready for docs/manifest promotion after GF REAPI Cell proof run 25981546207 proved tinyland-inc/tinyland.dev //packages/tinyland-activitypub:test from main with GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 private distdir staging, workspace_path=consumer-workspace, forced execution, proof nonce 20260517T044208Z-25981546207-1, 728 processes: 1 action cache hit, 299 remote cache hit, 415 internal, 14 remote, remote test-setup.sh packages/tinyland-activitypub/test_/test, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. This remains one private ActivityPub package Vitest target class, not broad tinyland.dev package-test RBE.
  • TIN-1282 is ready for docs/manifest promotion after GF REAPI Cell proof run 25984827370 proved tinyland-inc/tinyland.dev //packages/tinyland-a11y-engine:typecheck from main with GitHub App checkout authority, verified tummycrypt_tinyland_schemas:0.2.4 private distdir staging, workspace_path=consumer-workspace, forced execution, proof nonce 20260517T073751Z-25984827370-1, 553 processes: 223 remote cache hit, 328 internal, 2 remote, remote esbuild lifecycle-hook execution, remote TypeScript tsc for packages/tinyland-color-utils, proof artifact verifier success, and Kubernetes restart evidence that stayed at 0. This remains one private package TypeScript typecheck target class, not broad tinyland.dev package typecheck RBE.
  • TIN-1249 is Done. PR #690 merged as 38ce8921209e0bf2aa7e8d2bfc85e52dd17b7767 and made gf-reapi-cell scale-to-zero the normal committed state between proof runs. Post-merge main is green for Secret Detection 25972244766, Tranche Proof Status 25972244775, Validate 25972244728, RustFS State Authority Canary 25972244727, Deploy Docs 25972244743, Publish to FlakeHub 25972244739, Source Bazel Proof 25972244736, Publish GF REAPI Cell 25972244725, and Platform Proof 25972244753.
  • TIN-1257 is Done. PR #695 merged as f0721b58ec4a2e25f525dd7655a77748ec4e3959 and added the read-only Shared Label Queue Pressure section to just arc-burst-capacity-audit. That diagnostic joins label capacity, active holder repositories, pending runner state, and not-ready pod scheduler messages such as Insufficient ephemeral-storage. Post-merge main is green for Secret Detection 25980560631, Validate 25980560638, Tranche Proof Status 25980560632, Publish to FlakeHub 25980560619, Deploy Docs 25980560637, RustFS State Authority Canary 25980560626, Platform Proof 25980560634, and Source Bazel Proof 25980560625.
  • Live runtime after #690 matched the policy: gf-reapi-cell was idle at 0/0, and tinyland-nix-heavy was drained with CURRENT=0, PENDING=0. The capacity issue was not raw cluster exhaustion; it was residency policy for a 16Gi proof cell sharing sting with the heavy runner lane.
  • Boundary: this sprint now has meaningful web/TypeScript RBE progress, but it is still target-class scoped. It does not prove all Vite/Svelte/Playwright, tinyland.dev tests, browser E2E, durable private mirror authority, broad/default RBE, or RustFS-backed CAS/action-cache authority.
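
The record separates proof from blocker evidence by what the Bazel process summary shows (`6 processes: 6 internal` versus `... 56 remote`) and ties each proof to a nonce that embeds the run ID. The sketch below is an added example, not GloriousFlywheel's proof artifact verifier. Its assumptions are the verdict names, the reading of the nonce as `<UTC timestamp>-<run id>-<integer>`, and the policy that any locally executed spawn disqualifies a forced-execution proof.

```python
"""Classify Bazel process summaries as REAPI proof or blocker evidence (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Summary shape as quoted in this record: "553 processes: 223 remote cache hit, 328 internal, 2 remote"
SUMMARY_RE = re.compile(r"(\d+) process(?:es)?: (.+?)\.?\s*$")
# Nonce shape as quoted in this record; field meanings are this example's assumption.
NONCE_RE = re.compile(r"^(\d{8}T\d{6}Z)-(\d+)-(\d+)$")
# Bazel strategy names for spawns that ran on the submitting machine.
LOCAL_STRATEGIES = {"local", "worker", "linux-sandbox", "processwrapper-sandbox", "darwin-sandbox"}


@dataclass(frozen=True)
class Verdict:
    status: str  # "proof", "blocker-evidence" or "rejected" (names are hypothetical)
    reason: str


def parse_summary(line: str) -> tuple[int, dict[str, int]]:
    """Return (total, {category: count}) from a Bazel process summary line."""
    m = SUMMARY_RE.search(line)
    if not m:
        raise ValueError(f"no process summary in {line!r}")
    counts: dict[str, int] = {}
    for part in m.group(2).split(","):
        n, _, name = part.strip().partition(" ")
        if not n.isdigit() or not name:
            raise ValueError(f"bad category {part!r}")
        counts[name] = int(n)
    return int(m.group(1)), counts


def classify(run_id: str, nonce: str, summary_line: str) -> Verdict:
    m = NONCE_RE.match(nonce)
    if not m:
        return Verdict("rejected", "malformed nonce")
    if m.group(2) != run_id:
        # Evidence copied from another run must not count for this one.
        return Verdict("rejected", "nonce is bound to a different run")
    try:
        total, counts = parse_summary(summary_line)
    except ValueError as exc:
        return Verdict("rejected", str(exc))
    # In every summary quoted in this record the total equals the sum of all
    # categories except "action cache hit" (e.g. 5578 = 2567 + 2955 + 56).
    executed = sum(n for name, n in counts.items() if name != "action cache hit")
    if executed != total:
        return Verdict("rejected", f"categories sum to {executed}, summary says {total}")
    local = sum(counts.get(s, 0) for s in LOCAL_STRATEGIES)
    if local:
        return Verdict("rejected", f"{local} spawns ran locally")
    # "remote cache hit" is a cache read; only "remote" is remote execution.
    remote = counts.get("remote", 0)
    if remote == 0:
        return Verdict("blocker-evidence", "no action executed remotely")
    return Verdict("proof", f"{remote} remote processes")


# (run id, nonce, summary). The first three summaries and the first two nonces
# are quoted from this record; everything marked "constructed" is not.
SAMPLES = [
    ("25970619559", "20260516T191944Z-25970619559-1",
     "5578 processes: 1 action cache hit, 2567 remote cache hit, 2955 internal, 56 remote"),
    ("25984827370", "20260517T073751Z-25984827370-1",
     "553 processes: 223 remote cache hit, 328 internal, 2 remote"),
    ("25638930305", "20260101T000000Z-25638930305-1",   # constructed nonce
     "6 processes: 6 internal"),
    ("25984827370", "20260516T191944Z-25970619559-1",   # constructed replay
     "553 processes: 223 remote cache hit, 328 internal, 2 remote"),
    ("1000", "20260101T000000Z-1000-1",                 # constructed row
     "10 processes: 4 remote cache hit, 5 internal, 1 linux-sandbox"),
]


def run_samples() -> list[str]:
    return [classify(run, nonce, line).status for run, nonce, line in SAMPLES]


if __name__ == "__main__":
    for (run, _, _), status in zip(SAMPLES, run_samples()):
        print(run, status)
```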

Streams

Codex stream — committed, no further direction needed

Per Codex’s posted plan: runner-control-plane checks, RBE boundary/eligibility checks, Bazel external-input authority guards, developer cache attachment contract, picking one next RBE target class to prove or block.

Coordination contract with Codex: Jess + Claude do not touch config/rbe-target-eligibility.json, scripts/external-fetch-authority.sh, scripts/cache-attachment-contract.sh, or rbe-*-check just-targets this week. If Codex ships a new toolchain-class eligibility row, Claude reflects it in docs same-day.

Progress through 2026-05-10:

  • #593 landed ephemeral Node distdir materialization for Source Bazel Proof.
  • #594 landed source-proof distdir coverage enforcement.
  • #595 landed the durable external-input authority promotion gate and kept the current state at no-live-durable-authority.
  • #596 guarded the remote-test roadmap truth around the single proved TypeScript remote-test class and the missing rust/c++/go test targets.
  • #597 through #601 added the pilot repo guide, exported workflow template, pilot workflow contract, guide/template sync checks, and internal workflow-cache publication alignment.
  • #602 synced cache/state reality docs with the current publication split: pull requests stay read-only for Attic publication, trusted default-branch pilot/downstream cache publication is token-gated, and broad GloriousFlywheel proof workflows keep push-cache: "false" while RustFS bucket-index debt remains unresolved.
  • #607 kept //examples/hello-go:hello_test explicitly pure-Go with pure = "on" so the next proof tested one bounded target class instead of cgo-backed Go by accident.
  • #608 promoted the pure-Go //examples/hello-go:hello_test class in the eligibility manifest and docs after forced GF REAPI Cell run 25634296833 proved 20 processes: 9 internal, 11 remote with remote GoStdlib, compile, link, and test-setup evidence.
  • codex/prove-cgo-go-rbe proved the separate cgo-backed //examples/hello-go-cgo:cgo_test class in forced GF REAPI Cell run 25649628233. The proof reported 18 processes: 7 internal, 11 remote with remote runtime/cgo, GoCompilePkg, GoLink, and test-setup evidence. Broader cgo-backed Go remains unproved.
  • #609 hardened dashboard Docker pnpm/Corepack bootstrap after a transient post-merge image build failure against the npm tarball path. The first version missed the Corepack shim setup.
  • #610 added corepack enable pnpm, extended the workflow-cache proof guard, and restored a green default-branch image proof: Build Container Images run 25637280370 built, scanned, and signed the dashboard image on main.
  • #611 reconciled May 10 RBE truth after the pure-Go proof and dashboard bootstrap fixes. Post-merge main at 2755bcfb267337bf1f83d9d3ec5ef51d8d3805ff was green for Source Bazel Proof (25637575317), Deploy Docs (25637575308), Platform Proof (25637575321), Validate (25637575328), Publish to FlakeHub (25637575322), Secret Detection (25637575323), and Tranche Proof Status (25637575354).
  • #624 promoted the trivial C++ REAPI proof. Post-merge main at 256433d9f0c4a605e2f743bd5883333260ad9361 was green for Source Bazel Proof (25649354512), Deploy Docs (25649354515), Platform Proof (25649354561), Validate (25649354525), Publish to FlakeHub (25649354527), Secret Detection (25649354521), Tranche Proof Status (25649354518), and Build Container Images (25649354539).
  • tinyland-inc/bazel-registry#42 closed TIN-1041 by adding tummycrypt_scheduling_bridge@0.5.11 with tummycrypt_scheduling_kit@0.8.0. The post-merge registry run 25637800822 passed npm run validate, npm run smoke:resolve, and npm run smoke:stage1-consumer.
  • Current Codex gap: pure-Go, cgo-backed Go, Rust, and C++ trivial unit-test classes are now proved through forced REAPI runs; broader Go/cgo, Rust, C++, durable external-input authority, and broad/default RBE are still unproved.

Jess stream — ops, product authority, backend decisions

J1. ARC hygiene reconcile — Mon, 1–2h window

  • Reconcile tinyland-nix ARS Pending: confirm whether the listener pod (tinyland-nix-kvm-ddd868ff-listener) is for an old config rev, then either delete the orphaned ephemeral runners + force ARS reconcile, or recreate the ARS via tofu/stacks/arc-runners.
  • Acceptance: kubectl get autoscalingrunnerset,autoscalinglisteners -A is consistent; no orphaned tinyland-nix-xc9zx-runner-* pods running against a Pending parent.

J2. Backend authority decision record — Tue

  • Author docs/decisions/backend-authority-2026-05.md. Statement: RustFS is acceptable for guarded interim reads + non-trusted state probes; never the trusted backend for Attic publication, strict HA state, or future RBE CAS/action-cache. Future CAS/action-cache backend = separate evaluation tracked under TIN-1016.
  • Acceptance: any doc or runbook implying “RustFS for trusted writes” is corrected; the decision is referenced from docs/roadmap.md and TIN-1043.

J3. Dev-machine attachment field test — Thu

  • Drive a real attach session from one resource-constrained machine using the wrapper as it stands today. Capture friction in a checklist: port-forward steps, cert/auth surprises, error messages, time-to-first-cache-hit.
  • Acceptance: friction log committed at docs/runners/dev-attachment-field-notes-2026-05.md. Feeds Claude’s C4.

J4. Maintenance window arbiter — ongoing

  • All disruptive ops (runner drain, bumble node lifecycle, backend restart, RustFS scratch repair) require Jess approval. Codex and Claude open needs-window issues; Jess batches them mid-week.

Claude stream — toolchain hermeticity wedge, docs, BCR posture

C1. Multi-language toolchain wedge — landed 2026-05-09, three sequential PRs

The user’s vision can’t be true without hermetic language coverage. The landed wedge uses canonical BCR toolchains where rules_nixpkgs_rust/cc/go were not available in BCR. The remaining gap is test coverage, not binary-compilation coverage:

| Lang | Action | Proof target | PR |
|------|--------|--------------|-----|
| Rust | rules_rust 0.70.0 BCR toolchain with //examples/hello-rust:hello rust_binary and //examples/hello-rust:hello_test rust_test. | Stage 1 cache-backed proof target added; forced REAPI run 25648670844 proved the trivial Rust unit-test class with 5 remote processes. | Landed |
| C++ | rules_cc 0.2.18 BCR rule surface with //examples/hello-cc:hello cc_binary and //examples/hello-cc:hello_test cc_test. | Stage 1 cache-backed proof target added; forced REAPI run 25648975728 proved the trivial C++ unit-test class with 4 remote processes after run 25638930305 exposed the missing worker C/C++ closure. | Landed |
| Go | rules_go 0.60.0 BCR toolchain with //examples/hello-go:hello go_binary, //examples/hello-go:hello_test pure-Go go_test, and //examples/hello-go-cgo:cgo_test cgo-backed go_test. | Stage 1 cache-backed proof targets added; pure-Go and one cgo-backed test class proved by forced REAPI. | Landed |

Zig and Chapel: explicit backlog. Not yet on production critical path; rules_chapel doesn’t exist (will need a nixpkgs_package shim). Revisit next sprint after rust/cc/go land.

Acceptance for C1:

  • Three new examples/hello-{rust,cc,go} BUILD targets compile under cache-backed CI.
  • docs/build-system/toolchain-coverage.md tabulates language → hermeticity status → proof target → known gaps. Source of truth for “can we build X on GF” questions.
  • No claim of RBE eligibility for any of these — Codex’s eligibility JSON owns that. Only claim “Bazel-hermetic, cache-backed.”

C2. Roadmap & current-state truth pass — Mon, reconciled after Codex proof updates

  • docs/roadmap.md and docs/current-state.md: keep the proven-RBE-target list aligned with the eligibility manifest and GF REAPI evidence. Current narrow proof set is //app:build, //app:unit_tests, //:deployment_bundle, //docs-site:build, the WAS-110 public injected-repository handoff, the pure-Go, cgo-backed Go, Rust, and C++ unit-test classes at //examples/hello-go:hello_test, //examples/hello-go-cgo:cgo_test, //examples/hello-rust:hello_test, and //examples/hello-cc:hello_test, plus the target-scoped Playwright/Puppeteer/SvelteKit/Vitest web proofs, public omux standalone //:build, and public omux //:playwright_chromium_smoke proof recorded in config/rbe-target-eligibility.json. This still is not broad/default RBE.
  • Add a “Toolchain coverage” row table.
  • Acceptance: a fresh reader cannot conclude we have broad RBE today.

C3. BCR / Bzlmod posture note — Wed, updated after TIN-1041 closeout

  • Standalone from RBE: docs/build-system/bcr-posture-2026-05.md covering: TIN-1041 scheduling-bridge pin resolution, internal-registry vs public-BCR decision criteria, module-name compatibility shape.
  • TIN-1041 is now closed by tinyland-inc/bazel-registry#42: old 0.4.10 metadata stays historical; current 0.5.11 carries the scheduling-kit 0.8.0 dependency.
  • Acceptance: doc names the resolved decision and keeps package authority separate from execution authority.

C4. Self-service attachment scaffold — Fri

  • Take Jess’s J3 friction log and draft a just dev-attach recipe wrapping bazel-cache-backed.sh + Nix substituter setup behind one command, with explicit fallthrough error if cluster context isn’t reachable.
  • Scoped: first iteration, alpha. Not the productionized self-service path. Land behind a clear “operator help still expected” note.
  • May 10 hardening: just dev-attach now derives status from the same strict cache attachment contract used by proof commands, refuses executor-backed env as local-cache proof, and has just dev-attach-contract-check coverage.
  • Acceptance: just dev-attach exists; one fresh dev can run it and either get green-lit or get a clear, actionable error.

C5. Remote-test gap framing — landed, then reconciled after Codex proof updates

  • docs/build-system/remote-test-roadmap.md now starts from the real state: one proved TypeScript remote-test class (//app:unit_tests) and Stage 1 rust/c++/go cache-backed test targets. Next proof step is keeping those tests green in Source Bazel Proof, then one forced REAPI proof only after cache-backed test proof exists.

Daily cadence

| Day | Jess | Claude | Codex |
|-----|------|--------|-------|
| Mon | J1 ARC hygiene window | C2 roadmap truth pass | runner-control-plane checks |
| Tue | J2 backend decision record | C1 PR#1 rust toolchain | RBE eligibility guards |
| Wed | (window arbiter as needed) | C1 PR#2 c++ toolchain + C3 BCR posture | external-input authority |
| Thu | J3 attachment field test | C1 PR#3 go toolchain | dev attachment contract |
| Fri | review + sign-off | C4 dev-attach scaffold + C5 remote-test framing | next RBE target class proof or block |

End-of-week joint review: Friday afternoon. Walk through docs/current-state.md, the new toolchain-coverage.md, Codex’s eligibility delta. Decide next sprint’s wedge (likely: zig OR a real RBE target class promotion, not both).


Validation gates (before any PR is considered complete)

Repo-local:

  • just check
  • just rbe-boundary-check
  • just rbe-target-eligibility-check
  • just rbe-proof-contract-check
  • just bazel-external-fetch-authority-self-test
  • just consumer-bazel-wrapper-contract-check
  • just runner-scale-contract-check
  • just runner-cache-contract-check
  • just product-reality-review-check
  • git diff --check

Live read-only when relevant:

  • kubectl get autoscalingrunnerset -A
  • kubectl get autoscalinglisteners -A
  • just arc-burst-capacity-audit --include-label tinyland-dind --include-label tinyland-nix
  • ARC listener/queue drift checks
  • RustFS read/canary checks
  • OpenTofu state readiness checks (interim/read-only)

Required post-merge signals:

  • Secret Detection green
  • Validate green
  • Platform Proof green
  • Source Bazel Proof green
  • Deploy Docs green
  • Publish to FlakeHub green or clearly unrelated/skipped

Guardrails (apply to all three of us)

  1. No new public interface unless required — extend BAZEL_REPOSITORY_CACHE, BAZEL_DISTDIR, GF_BAZEL_INJECT_REPOSITORIES, existing wrapper envs.
  2. No repo-specific runner labels; capability classes only.
  3. Attic trusted writes stay disabled.
  4. RustFS does not get promoted to any trusted role.
  5. No claim of RBE for a target unless it appears in Codex’s eligibility JSON with proof evidence.
  6. Docs say what’s true today, separately from what’s planned.
  7. All disruptive cluster ops route through Jess.
  8. No live destructive apply, runner drain, or backend restart without Jess approving a maintenance window.

Tracker mirror

This plan is mirrored into Linear as TIN-1070 (May 10-16 cache-forward toolchain wedge + RBE/ARC hygiene sprint control list). The repo plan is source of truth; TIN-1070 is the live pointer for cross-stream status updates. Pattern follows TIN-974.
