2026 05 12 Owner Boundary Proof And Retirement

GloriousFlywheel - May 12 Owner-Boundary Proof And Retirement Sprint

Status: active sprint packet, created after PR #626 merged at 12340a42f1a0b95f034f67d23554c7d3f6d8b61f

Scope: GF #407, GF #413, GF #412, TIN-550, TIN-592, and TIN-1070. TIN-615, TIN-617, and TIN-618 stay parallel infrastructure lanes.

Current Truth

The merged #626 scoreboard and a fresh 2026-05-12 scoped run agree:

just orgwide-enrollment-scoreboard \
  --repo Jesssullivan/Dell-7810 \
  --repo Jesssullivan/XoxdWM \
  --repo Jesssullivan/scheduling-kit \
  --repo Jesssullivan/scheduling-bridge \
  --format json

  • Jesssullivan/Dell-7810 declares shared tinyland-nix intent, but the repo exposes zero accessible self-hosted runners and no ARC control plane is visible at that repo scope.
  • Jesssullivan/XoxdWM declares shared tinyland-nix intent, but the repo exposes zero accessible self-hosted runners and no ARC control plane is visible at that repo scope.
  • Jesssullivan/scheduling-kit declares shared tinyland-nix intent and has the Jess-overlay-owned personal-package-nix-a ARC registration anchor, but there is still no assigned-job proof and GitHub exposes zero accessible repo runners at rest.
  • Jesssullivan/scheduling-bridge is the same shape through personal-package-nix-b.
  • The live ARC control plane was discoverable during this run; this is no longer the 2026-05-11 temporary Kubernetes API discovery outage.

This means the blocker is owner-boundary reachability and compatibility-lane retirement. It is not raw ARC capacity, runner HPA, bumble OpenEBS adoption, or sting fast-local storage exposure.

The just orgwide-enrollment-queue recipe now carries that blocker as operator-facing proof policy, not only as prose. The #407, #413, and #412 entries print the related issue, closure canary dispatch policy, required assigned-job proof, and evidence that explicitly does not count. The just orgwide-enrollment-queue-contract-check recipe guards those fields so a future queue refresh cannot silently turn a queued job, repo-scoped rescue lane, or pre-retirement package green into closure evidence.

Closure Matrix

| Issue | Current state | Not enough | Closure condition |
| --- | --- | --- | --- |
| GF #407 / TIN-550 | Dell-7810 is intentionally blocked from counted shared-runner authority. | A queued tinyland-nix job with runner=null, a Dell-specific runner label, or a repo-scoped Dell ARC lane. | A Dell Chapel/kernel dogfood job starts on a real compliant shared tinyland-nix runner through an org/enterprise/shared owner boundary, or Dell is explicitly left blocked. |
| GF #413 / TIN-592 | XoxdWM self-hosted fast paths are gated by GF_SHARED_RUNNERS_REACHABLE. | Turning the flag on before runner visibility exists, or recreating xoxdwm-nix. | An opt-in XoxdWM Nix job starts on a real compliant shared tinyland-nix runner with no XoxdWM-specific ARC scale set. |
| GF #412 | Package repos use PRIMARY_LINUX_RUNNER_LABELS_JSON=["tinyland-nix"], but still have repo-registration compatibility anchors. | Another label migration or a claim that Jess-overlay quarantine equals retirement. | personal-package-nix-a/b are removed or replaced by a broader owner-boundary model, and package CI is reproved after the change. |
| TIN-615 | Bumble tuned OpenEBS class adoption is still mixed. | Treating bumble storage as DinD scratch or runner proof. | Workload-by-workload PVC migration/adoption evidence. |
| TIN-617 | RKE2 HA/quorum design is still open. | Treating runner queue behavior as HA proof. | Honey/sting quorum and fixed-endpoint design with accepted gates. |
| TIN-618 | Sting NVMe balancing/cooling remains a topology lane. | Treating current sting runner overflow as full storage HA. | Maintenance-window plan for fast-local placement, thermal limits, and role separation. |

Sprint Decisions

  1. Do not create repo-shaped rescue lanes. Dell and XoxdWM must not get dell-*, xoxdwm-*, or equivalent scale sets or labels.
  2. Do not retire package anchors blindly. Removing personal-package-nix-a or personal-package-nix-b before a replacement owner-boundary exists would make the package repos truthful only if the accepted state is “blocked.”
  3. Prefer a shared owner boundary over more ARC shapes. The cleanest proof is moving or mirroring the runner-consuming workflow surface under an enrolled org/enterprise scope that can see tinyland-nix.
  4. Enterprise runner scope is a proof candidate, not an assumption. If an enterprise-level shared runner group can serve personal repos without repo-specific labels or scale sets, prove that explicitly before changing repo flags.
  5. Keep infra lanes separate. TIN-615, TIN-617, and TIN-618 can unblock reliability later, but they do not solve GitHub owner-boundary visibility.

Work Plan

Lane A - Dell-7810

Owner repo: Jesssullivan/Dell-7810.

Current local state: main...origin/main, clean at review time.

Actions:

  1. Re-run just platform-runner-enrollment-status --no-cluster in Dell before any canary.
  2. Keep chapel-ci.yml, chapel-dogfood.yml, and kernel-dogfood.yml manual-only with confirm_runner_reachable=true until a runner is visible.
  3. Choose one owner-boundary path:
    • mirror/move the cacheable dogfood workflow surface under tinyland-inc;
    • prove enterprise shared runner reachability for personal repos;
    • keep Dell explicitly blocked.
  4. Only dispatch a Dell tinyland-nix job after the selected boundary is visible in repo runner inventory or the selected proof mechanism.

Acceptance:

  • GitHub job data shows a Dell job with non-null runner_name.
  • The runner labels prove tinyland-nix capability-class execution.
  • The job reaches the expected cache/Attic environment checks.
  • No Dell-specific scale set, runner label, or repo URL appears in core GF ARC config.

Lane B - XoxdWM

Owner repo: Jesssullivan/XoxdWM.

Current local state: dirty branch codex/xwayland-explicit-compat-gate; do not edit or rebase it from this sprint packet.

Actions:

  1. Keep GF_SHARED_RUNNERS_REACHABLE absent until the shared runner boundary is proved.
  2. Keep hosted fallback and self-hosted-only skip behavior intact.
  3. Use runner-health.yml as the first canary only after the selected owner-boundary path exists.
  4. Do not change hardware-only [self-hosted, honey] VR lanes as part of this non-hardware tinyland-nix proof.

Acceptance:

  • An XoxdWM opt-in Nix job starts with non-null runner_name.
  • The job proves Nix/cache attachment on tinyland-nix.
  • GF_SHARED_RUNNERS_REACHABLE=true is set only after the proof, not before.
  • No xoxdwm-* runner class returns.

Lane C - Package Compatibility Retirement

Owner repo: Jesssullivan/jesssullivan-infra for the live compatibility anchors, with package CI in Jesssullivan/scheduling-kit and Jesssullivan/scheduling-bridge.

Current local state:

  • jesssullivan-infra: branch codex/sting-kvm-overflow, clean at review time.
  • scheduling-kit: main is behind origin/main and dirty; do not edit it from the GF sprint branch.
  • scheduling-bridge: no local worktree was found in /Users/jess/git during this pass.

Actions:

  1. Decide whether the package repos move under an org/shared scope, stay on Jess overlay anchors, or become explicitly blocked.
  2. If retiring, prepare the Jess overlay change that removes personal-package-nix-a/b and run a non-destructive plan review first.
  3. Reprove package CI after removal or replacement. A green run before removal does not close #412.
  4. Keep workflow-facing labels at tinyland-nix throughout.

Acceptance:

  • personal-package-nix-a and personal-package-nix-b are absent from live ARC or replaced by an accepted broader owner-boundary mechanism.
  • scheduling-kit and scheduling-bridge package CI are reproved after the change.
  • The scoreboard moves them out of compatibility-debt classification for the right reason.

Validation Commands

Read-only proof commands:

just orgwide-enrollment-scoreboard \
  --repo Jesssullivan/Dell-7810 \
  --repo Jesssullivan/XoxdWM \
  --repo Jesssullivan/scheduling-kit \
  --repo Jesssullivan/scheduling-bridge \
  --format json

just arc-runner-residue-audit
just arc-runner-taxonomy-guard
just runner-scale-contract-check
just runner-capacity-model-check

Downstream read-only probes:

cd /Users/jess/git/Dell-7810
just platform-runner-enrollment-status --no-cluster

cd /Users/jess/git/XoxdWM
gh variable list --repo Jesssullivan/XoxdWM
gh api repos/Jesssullivan/XoxdWM/actions/runners --paginate

Do not use a queued job as proof. Count only assigned jobs with a real runner name and successful cache/runtime checks.
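An added example, not GloriousFlywheel's own tooling: one way to apply the "count only assigned jobs" rule, together with the Lane A and Lane B acceptance points, to the jobs payload of a workflow run. The step names in PROOF_STEPS, the runner names, and the sample payload are constructed assumptions; the job fields used (runner_name, labels, status, conclusion, steps) are those of GitHub's workflow-jobs API.

```python
import fnmatch
import json

REQUIRED_LABEL = "tinyland-nix"
# Repo-shaped label patterns that the sprint decisions rule out.
FORBIDDEN_LABEL_GLOBS = ("dell-*", "xoxdwm-*")
# Assumption: names of the workflow steps that run the cache/runtime checks.
PROOF_STEPS = ("Nix cache check", "Attic environment check")


def classify_job(job):
    """Return (counts_as_proof, reasons) for one GitHub Actions job object."""
    reasons = []
    # In the jobs API, "labels" holds the runs-on labels the job requested.
    labels = [label.lower() for label in job.get("labels", [])]
    if not job.get("runner_name"):
        reasons.append("no runner assigned (runner_name is null)")
    if job.get("status") != "completed" or job.get("conclusion") != "success":
        reasons.append("job did not complete successfully")
    if REQUIRED_LABEL not in labels:
        reasons.append(f"job does not target {REQUIRED_LABEL}")
    for label in labels:
        if any(fnmatch.fnmatch(label, glob) for glob in FORBIDDEN_LABEL_GLOBS):
            reasons.append(f"repo-shaped label: {label}")
    steps = {s["name"]: s.get("conclusion") for s in job.get("steps", [])}
    for name in PROOF_STEPS:
        if steps.get(name) != "success":
            reasons.append(f"proof step not successful: {name}")
    return (not reasons, reasons)


def classify_run(jobs_json):
    return {j["name"]: classify_job(j) for j in json.loads(jobs_json)["jobs"]}


# Constructed sample shaped like GET /repos/{owner}/{repo}/actions/runs/{run_id}/jobs.
GOOD_STEPS = [{"name": n, "conclusion": "success"} for n in PROOF_STEPS]
SAMPLE = json.dumps({"jobs": [
    {"name": "queued-canary", "status": "queued", "conclusion": None,
     "runner_name": None, "labels": ["tinyland-nix"], "steps": []},
    {"name": "rescue-lane", "status": "completed", "conclusion": "success",
     "runner_name": "dell-nix-abc12", "labels": ["dell-nix"], "steps": GOOD_STEPS},
    {"name": "shared-canary", "status": "completed", "conclusion": "success",
     "runner_name": "tinyland-nix-x7k2p", "labels": ["tinyland-nix"], "steps": GOOD_STEPS},
]})

if __name__ == "__main__":
    for name, (ok, why) in classify_run(SAMPLE).items():
        print(name, "PROOF" if ok else "NOT PROOF", "; ".join(why))
```

A green job on a repo-shaped lane is rejected for its labels even though every check passed, which matches the "Not enough" column of the closure matrix.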

Next Closable

The next closable is not GF #407, #413, or #412 themselves. The next closable is a decision PR or issue update that selects the owner-boundary path:

  • org/enterprise/shared-scope migration and canary plan;
  • enterprise shared runner proof spike;
  • explicit blocked-state decision for one or more personal repos.

After that decision lands, the proof work can become a narrow implementation slice instead of another broad taxonomy debate.