harvest(install-graph): graduate local-LLM install primitive + Docker test matrix accelerator → main#6120
Closed
AceHack wants to merge 27 commits into
Closed
harvest(install-graph): graduate local-LLM install primitive + Docker test matrix accelerator → main#6120AceHack wants to merge 27 commits into
AceHack wants to merge 27 commits into
Conversation
…ong-lived branch) Aaron-authorized 2026-05-29 long-lived branch for the PR-less alternative to the backlog->claim->PR->review->merge cycle. The git-monster friction (rate-limit cascades, armed-wait-on-CI, dotgit-saturation, review-thread loops) is the dominant agent-throughput tax — acceptable for the corporate/leash market (PR-protected static DUs) but the wrong default for the OSS/Agora market (self-modifying DUs free from PRs). Charter grounds in existing substrate (move-next as universal action grammar + git-as-free-event-store + github-actions-recursion, #5672; GitHub swarm architecture; dual-market framing). Core idea: git IS the free event store (commits=events), move-next is the universal action grammar, GH-Actions-recursion is the swarm runtime, PR-less != review-less (review moves to continuous glass-halo + shadow-class health-observation). Hard floor preserved (force-with-lease only, HARD LIMITS, kid-safety, NCI, leash-market PR path NOT removed, main never force-pushed). Action item 1: substrate-grounding synthesis before building anything. This is a kickoff, not a build. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…t-event-store schema @1 Action Item 1 (substrate-grounding): located the move-next / git-as-free-event- store / github-actions-recursion substrate (memory/persona/ani/...move-next..., tools/agent-loop/, B-0867, B-0874) via parallel substrate-hunt agents. Action Item 2 (git-event-store schema @1): a move-next transition persisted as an append-only Git event. - Layout: events/<agent>/<ulid>.json — per-agent dir + ULID (128-bit, time- sortable) filename ⇒ no two agents write the same path ⇒ conflict-free merges ⇒ PR-less swarm (B-0867 128-bit-unique-ID design; B-0874 no-PR swarm). - Envelope: persists transition(from, option)=to (the move-next core from state-machine.ts) + Z-set weight (+1 assert / -1 retract) + prev causal-link + AgencySignature trailer. - schema-in-the-stream (razor-flow Insight 4): schema-def events declare versions; old events stay interpretable ⇒ automatic schema-evolution over history. - forgiveness-budget (razor-flow Insight 3): retraction is logical not physical; files stay on disk; compaction/tiering bounds it ('run out of space = run out of forgiveness'). - Otto Mod 4 dual-market: internal transitions append-only/PR-less (Agora); cross-cutting substrate PR-gated (leash). Concrete types (tools/accelerator/event-store-schema.ts) compose with tools/agent-loop/state-machine.ts; 6/6 tests pass; typecheck clean. Long-lived branch, no PR (PR-less by design per the charter). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…r compaction mechanism into the forgiveness-budget The compaction/tiering policy's MECHANISM is the two-layer razor (Aaron+Ani 2026-05-29, docs/research/2026-05-29-two-layer-razor-past-as-generator-...): - Layer 1 (Origin vs Purpose) = the retraction (what's accidental). - Layer 2 (Causal Order vs Current Purpose) = compress retracted data WITHIN a partition; per-agent stream IS a partition (single-writer -> canonical causal order); keep prev-chain, drop redundant ts. - _compacted/<agent>/ = Layer 2 output (causal-order-only, columnar). - past-as-generator = extreme form: replace compacted segment with the transition-fold replay generator. Don't-collapse: designed verifiable property, not a universe claim. Long-lived branch, no PR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ub's free-OSS generosity, honored voluntarily (Aaron 2026-05-29) The 'run out of space = run out of forgiveness' hard limit is real in general, but TODAY the accelerator runs open-source on GitHub where storage is free + effectively unlimited -> the git-monster's forgiveness is unbounded within GitHub's generosity. The binding constraint right now is relational, not a space wall: be a good guest of the host whose generosity (Microsoft subsidizing OSS, B-0874) makes git-as-free-event-store + GH-Actions-recursion possible. - Apply compaction / past-as-generator VOLUNTARILY (good-guest, not forced). - Don't abuse the free tier with wasteful unbounded volume. - proud-if-it-propagates pattern = good guest, not maximal extraction (tragedy- of-the-commons if everyone ran abusive unbounded swarms on the free tier). Wired into EVENT-STORE-SCHEMA.md forgiveness-budget + charter hard-constraints. Long-lived branch, no PR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…g workflow The deterministic-script half of the agent loop: read event-store -> replay state via transition-fold -> generate menu -> selector picks -> append next event. The LLM is a pure selector (the selectMove seam); this holds the state machine + I/O. Composes with tools/agent-loop/state-machine.ts + the @1 event-store schema. - tools/accelerator/move-next-harness.ts (+ tests, 8/8 pass): loadStream, replayState (Z-set fold, drops retracted), runCycle (append-only), runLoop (hard-cap 25 + kill-switch + dry-run), CLI. Smoke-tested: dry-run + clamp. - .github/workflows/accelerator-move-next.yml: STAGED, NOT LIVE. Lives on this branch only (workflow_dispatch needs the default branch to dispatch -> cannot auto-run; go-live is a deliberate operator step). Safety: bounded recursion (countdown + hard-cap 25 in harness AND workflow), events/_HALT kill-switch, concurrency=1, append-only-no-force, GITHUB_TOKEN-only (no PAT -> no uncontrolled recursion), input-hardened (env-vars + agent allow-list + numeric validation, per the GH Actions injection guidance), actionlint-clean. A self-triggering committer is irreversible-flavored, so it is built + tested + staged, NOT autonomously made live (be-good-to-our-host). Long-lived branch, no PR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…event key per cycle)
Aaron 2026-05-30 ('start adding logging, what key is the agent using?').
Adds a Logger seam (noopLog default for library/tests; stderrLog for CLI) that
emits one JSON line per cycle showing the KEYS the agent uses:
- agent : PARTITION key -> events/<agent>/
- key : per-event key -> events/<agent>/<key>.json (= event id)
- keyFormat : 'ulid' today; flags the placeholder-vs-Zeta-ID gap (B-0893)
- prev : causal-link key (prev event id, or null)
- kind/from/option/to/wrote/dryRun
Logs go to STDERR so STDOUT stays the clean parseable summary. 8/8 tests pass
(library callers default to noopLog -> silent, unchanged).
SUBSTRATE-HONEST NOTE: the key is a placeholder ULID. A canonical, cross-verified
TS Zeta-ID codec ALREADY EXISTS at src/Core.TypeScript/zeta-id/ (pack/unpack/
cross-verify) alongside the C#/F# impls. The harness should switch to it: the
Zeta-ID encodes persona (agent), category (Workflow/Heartbeat = the event kinds),
authority (account/trust key), and location (vendor/region) IN the 128-bit key.
Using the placeholder ULID was a verify-existing-substrate-before-authoring miss.
Next: swap newUlid() -> pack(ZetaObservation, env) (schema-touching; tracked).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…y (B-0893)
Aaron 2026-05-30 ('do the zeta-id swap'). Replaces the placeholder ULID event
key with the cross-verified canonical Zeta-ID codec (src/Core.TypeScript/zeta-id/).
WHY: the ULID was a verify-existing-substrate miss — a TS Zeta-ID codec already
existed alongside the C#/F# impls. The Zeta-ID encodes provenance IN the key:
persona (agent-class), category (Workflow/Heartbeat = the move-next event kinds),
authority (trust/account), location (region), timestamp — vs opaque
timestamp+randomness. Empirically: a heartbeat cycle now keys category=Heartbeat,
persona=FireflyCoherence, authority=Simulated, location=EastUS_VA1.
CHANGES:
- event-store-schema.ts: ZetaIdHex type (32-char lowercase hex; version+timestamp
in high bits => lexical-hex = chronological); CURRENT_SCHEMA @1 -> @2; BuildDeps
newUlid() -> newId(IdSemantics) seam (agent + category + authority); legacy @1
ULID accepted on replay via isEventId (back-compat for the one existing @1 event).
- move-next-harness.ts: realDeps.newId packs a real ZetaId via pack()+DEFAULT_ENV;
agentToPersona (aaron->Aaron, autonomous->FireflyCoherence); category from option;
loadStream sorts by ts (robust across @1 ULID + @2 hex id formats); keyFormat
detects zeta-id vs ulid.
- tests: 19/19 pass (round-trip unpack confirms category/persona land in key bits).
FOLLOW-UP (cross-impl, golden-vector touching): extend the canonical Persona enum
with the full agent roster (otto/alexa/riven/vera/lior/addison/max) so the EXACT
agent lands in the persona bits; today autonomous agents share FireflyCoherence and
the precise agent stays in the event 'agent' field + directory partition.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ctor + observe.ts classifier)
Aaron 2026-05-30: test the LLM-in-the-loop seam with a small LOCAL model on the
GitHub runner (no account/key) before attaching a real harness. Designed as a
REUSABLE primitive (Aaron: observe.ts will want the same small/local auto-classifier):
- ModelBackend interface (swappable: ollamaBackend now; node-llama-cpp /
account-backed later).
- ollamaBackend(): account-free, runs a tiny instruct model (default
qwen2.5:0.5b) on the runner via localhost; temp 0 for reproducibility (DST).
- chooseIndex(): constrained choice among N options — the 'choose your own
adventure' move-next selector core. Parses the first integer, validates
in-range, FALLS BACK to index 0 on any failure (model down/slow/garbage) so
the loop never stalls (exceptions-as-signals; fallback is the safety rail).
- classify(): observe.ts auto-classifier shape (input -> one label), sharing
chooseIndex's validated/fallback-safe path.
Backend-agnostic; 9/9 tests pass with a mock model (no model/account needed to
test the selection + fallback logic). NEXT: wire as an async SelectMove into the
harness (+ workflow step that installs/runs the tiny model on the runner) to
validate end-to-end on CI.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…odel fixtures Aaron 2026-05-30: small local LLMs can serve as DETERMINISTIC SIMULATION TESTING fixtures in observe.ts's actual tests (not just mocks). For that, the model must be reproducible: temp 0 (greedy) + fixed seed + pinned model/quant. Adds a seed option (CompleteOptions.seed + ollamaBackend default seed=0, per-call override) and documents the determinism requirements + cross-hardware caveat (pin the runner image or snapshot output when asserting across machines). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ative, both OS paths)
Aaron 2026-05-30: small CPU-capable local LLMs are baseline substrate (like a
language runtime), NOT optional — install.sh is 'our biggest lever against
entropy of contributors and environments: one run turns any unix-like machine
into substrate we can work with.' So this goes INTO the declarative install graph.
Building OFF-LEASH on the accelerator branch first (Aaron: 'accelerator is for
off-leash testing; once we get it right, main becomes off-leash too'). Harvest to
main once validated on a runner.
DECLARATIVE (per the framework discipline + GOVERNANCE §24 three-way parity):
- manifests/local-llm: pins ollama_version=0.24.0 (WebSearch 2026-05-30, stable;
0.30.x was rc) + model=qwen2.5:0.5b (398MB Q4_K_M, CPU) + seed=0 + host. The
MODEL is the reproducible/pinned artifact (enables DST: temp0+seed+pin).
- common/local-llm.sh: idempotent, GRACEFUL (warns+continues; never bricks
install.sh — exceptions-as-signals). Linux installs the pinned ollama release
binary (mise-style curl-fetch); macOS via manifests/brew (ollama added).
Ensures the daemon, pulls the pinned model.
- wired as a default step into linux.sh + macos.sh (after verifiers, before
shellenv) — every dev/CI/devcontainer install gets it.
bash -n + shellcheck clean. NOTE (needs runner validation, can't verify mac+linux
+ daemon lifecycle + CI Actions-cache from here): exercise install.sh on a real
runner + add a skip-if-absent real-model test + cache the model keyed on the
manifest pin. Then harvest the install-graph to main.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…alidation workflow
Aaron 2026-05-30: (a) float ollama runtime to latest — version doesn't affect DST
reproducibility (the pinned MODEL + temp0 + seed do), less maintenance; Linux uses
GitHub /releases/latest/download (auto-redirect, no pin, no API call), macOS brew
already floats. Manifest kept OS-agnostic (model/seed/host) so the Windows
install.ps1 (peer surface) reads the same shared contract. (b) 'move it forward
with real tests' — a validation workflow that proves the entropy-lever end-to-end.
accelerator-local-llm-validate.yml (off-leash; push to accelerator or dispatch):
- runs install.sh on a bare ubuntu-24.04 (the lever: bare machine -> substrate)
- asserts ollama present + the PINNED model landed (reads manifests/local-llm)
- runs the mock-backed primitive tests (logic, run-anywhere)
- runs validate-local-llm.ts: a REAL chooseIndex through the actual local model,
asserting a valid non-fallback selection (proves the live model responds)
validate-local-llm.ts reads the declarative manifest -> ollamaBackend -> real
chooseIndex; exits non-zero if the model fell back (unreachable/unparseable).
actionlint + shellcheck + tsc clean; 9/9 mock tests pass. This run is the gate
that graduates the local-LLM primitive from off-leash to main.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… .tgz The validation workflow caught it: the floating URL .../ollama-linux-amd64.tgz 404s (302 -> v0.24.0/ollama-linux-amd64.tgz = 404). Per the release API (2026-05-30) the actual linux asset is ollama-linux-amd64.tar.zst (zstd). Fix: correct asset name + tar --zstd extraction (zstd present on ubuntu runners; GNU tar + bsdtar both support --zstd). Extract-failure now also graceful. This is exactly the entropy-lever validation doing its job — caught a real install bug off-leash before it reached main. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…u = community reach Aaron 2026-05-30: 'nixos is our primary we should put on backlog and evaluate what ubuntu is bringing us, the community of ubuntu is really why i'm thinking ubuntu matters.' Captures the strategic question: NixOS is primary (reproducible + declarative, fits DST/declarative ethos); Ubuntu's value is community/contributor reach. Decide Ubuntu's support tier (first-class vs community-convenience). Filed off-leash; harvests to main with the local-LLM work. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…eal hardware); install.sh retrofits declarativeness onto imperative Ubuntu Aaron 2026-05-30 deeper rationale: 'nix is what boots the usb/iso our real hardware boots cause it's declarative. ubuntu is not on its dependency management — we use install.sh to make ubuntu work like nixos with declarative dependencies.' NixOS is primary by KIND (it IS the declarative substrate); Ubuntu is made to ACT declarative via install.sh + the manifests. The cost of Ubuntu is that simulation layer; the value is community reach. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…std dep
Aaron 2026-05-30: 'center our docker tests around ubuntu and nixos, tests for both
with install.sh.' Ubuntu sibling to docker-nixos-install-sh-test:
- tools/ci/dockerfiles/ubuntu-install-sh-test/Dockerfile: FROM ubuntu:24.04
(digest-pinned via registry API 2026-05-30) -> apt bootstrap -> PATH ENV ->
RUN install.sh (entropy lever) -> validate local-LLM (start daemon, assert
pinned model, real chooseIndex probe + mock tests). The build IS the test.
- manifests/apt: + zstd (ollama linux release is .tar.zst).
- docker-ubuntu-install-sh-test.yml: direct docker build (first cut).
NixOS stays primary (declarative-by-construction; B-0940); this guards the Ubuntu
declarative-retrofit. FOLLOW-UP (Aaron's GHA-cache point): shared TS driver +
buildx cache type=gha for both OS tests so the heavy install bakes once.
Untestable from here (no local docker) -> iterates via CI off-leash.
actionlint clean. Triggers on push (the Ubuntu docker test runs now).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…bare-ubuntu fix The docker-ubuntu-install-sh-test exposed it: mise installs the dotnet SDK but it 'exited with non-zero status' on a minimal ubuntu:24.04 image — missing libicu (the classic cause) + libssl/krb5/tzdata. Full ubuntu runners have these implicitly; the bare Docker image doesn't. Declaring them in manifests/apt makes install.sh's entropy lever work on TRULY bare ubuntu (no-op on full ubuntu). Per Microsoft Learn linux-scripted-manual .NET deps; build-essential already covers libstdc++6/libgcc-s1/zlib1g. Ubuntu 24.04 (Noble) names: libicu74, libssl3t64. Re-triggers the docker-ubuntu test; iterate if a Noble suffix differs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… validation) The NixOS install.sh test only triggered on push-to-main, so off-leash install.sh changes on the accelerator branch (incl. the new local-LLM step in linux.sh) were never re-validated against the primary OS until harvest. Add the accelerator branch to its push triggers (Aaron's off-leash-first model: get it right on the accelerator, then main). Re-runs now → confirms install.sh doesn't break the NixOS build with the local-LLM additions. NOTE / follow-up: local-llm.sh downloads the GENERIC ollama linux binary, which won't run on NixOS (non-FHS) — the test will pass (local-llm.sh is graceful), but the local-LLM won't actually WORK on NixOS via that path. NixOS (the primary, per B-0940) should get ollama via nixpkgs (declarative-native), not the Ubuntu generic-binary retrofit. Tracked for a NixOS-native-ollama follow-up. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…test passes by SKIPPING)
The local-LLM primitive's NixOS path is a false-green: common/local-llm.sh
downloads the generic ollama binary (won't run on non-FHS NixOS) and skips
gracefully on failure, so docker-nixos-install-sh-test passes GREEN while the
local-LLM is actually non-functional on the PRIMARY OS.
Aaron 2026-05-30: the entropy shield isn't install.sh itself — 'the automated
tests around install.sh, that's the shield.' A shield with a hole reads as
covered. This row patches the hole, two halves both required:
1. NixOS-native ollama (nixpkgs/services.ollama; local-llm.sh no-ops on NixOS)
2. NixOS test ASSERTS the local-LLM works (real chooseIndex probe), fails if
absent — graceful-skip is right for install.sh, wrong for the test.
Composes B-0940 (NixOS-primary eval). Off-leash; harvests with the install-graph.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…LM (close the false-green) The hole: local-llm.sh had mac(brew)/Linux(generic-binary) branches but NO NixOS branch -> on NixOS it downloaded the generic glibc binary (won't run non-FHS) -> graceful skip -> docker-nixos test GREEN while local-LLM non-functional on the PRIMARY OS (the B-0941 false-green). Fix (two halves): 1. local-llm.sh: detect /etc/NIXOS (same marker linux.sh already routes on) -> install ollama via nix (, fallback ). FHS-safe; works in the nixos/nix container AND on real NixOS; floats with the channel (consistent with float-ollama). Graceful on failure (never bricks install.sh). The declarative real-hardware self-heal layer (services.ollama in configuration.nix) is complementary; this is the install.sh-retrofit path that closes the test hole. 2. nixos Dockerfile: COPY tools/accelerator + validation step 4 that ASSERTS the local-LLM (start daemon, pinned model present, real chooseIndex probe, mock tests) and FAILS the build if absent. assert-don't-skip per the shield rule — graceful-skip is right for install.sh, wrong for the test. Off-leash on the accelerator branch; the docker-nixos test now re-runs here (per the trigger fix) to verify. Harvest-to-main is gated on this going green-WITH-assert (non-reversible action -> the green-with-assert IS the verification). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…sed install failure) Artifact diagnosis of run 26685665012: 'NixOS detected → installing ollama via nix' then 'nix ollama install failed' after ~39s — but the WHY was hidden by my own 2>/dev/null. A suppressed error can't be diagnosed (debugging-discipline miss). Changes: (1) lead with nix-env -iA nixpkgs.ollama (the container's own Dockerfile installs deps this way — proven to work there) before the flake form; (2) surface nix stderr (2>&1) to the build log so the next cycle shows the real error if it still fails; (3) broaden PATH to the per-user profile (nix-env's install target). Still graceful (warn + exit 0). Off-leash re-validation. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…-collision) + drop broken nix-env path + SC2155 Root cause from the surfaced stderr (run 26685829032): nix-env -iA nixpkgs.ollama fails with 'bad meta.outputsToInstall'; bare nix profile install hits a coreutils-full FILE COLLISION in the profile (existing priority 5). Nix's own message prescribes --priority. Fix: use nix profile install --priority 6 nixpkgs#ollama (existing coreutils wins the collision; ollama's own binary still installs); drop the broken nix-env path entirely. Also drops the $(id -un) PATH line (fixes shellcheck SC2155 — root cause + lint in one commit). Stderr stays surfaced; still graceful. The surface-the-error discipline paid off directly: nix told me the exact fix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… coreutils collision Runs 26685829032 + 26685902159 (surfaced stderr) showed nix profile install hits a coreutils-full file-collision that --priority 6 did NOT resolve (profile-install is structurally collision-prone: ollama's closure brings coreutils-full vs the profile's existing one). Robust fix: don't mutate the profile at all — nix build the ollama store path (--no-link --print-out-paths) and symlink bin/ollama onto PATH. No profile entry, no collision, FHS-safe in container + real NixOS. nix-env path (bad meta.outputsToInstall) stays dropped. Stderr surfaced; graceful. Bounded-iteration note: if this cycle also fails, I stop solo-grinding the slow CI loop and surface options + a peer-call 2nd opinion (nix expertise) rather than burn more cycles. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…all is SOLVED; daemon is the new wall)
Run 26685965605: nix-build install WORKED ('✓ ollama via nix build + symlink') —
the coreutils collision is gone. New narrower wall: ollama serve doesn't become
reachable (curl exit 7) at both install-time model-pull and the assert. The serve
stderr went to /tmp/ollama.log but was never shown on failure. Cat it on the curl
failure so the next run reveals WHY serve won't bind — the serve log is needed
whether I or a peer fixes it. Same surface-the-error discipline that cracked the
install collision.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…mbol mismatch) Run 26686054042 surfaced the exact root cause: 'ollama: symbol lookup error: /usr/local/nix-glibc-lib/libc.so.6: undefined symbol __nptl_change_stack_perm, version GLIBC_PRIVATE'. The nix-built ollama has the correct glibc in its RPATH, but the docker-nixos test's global LD_LIBRARY_PATH (an FHS-mise glibc hack) OVERRIDES the RPATH, forcing ollama onto the wrong libc. Docker-test-harness artifact, not a real-NixOS bug. Fix: replace the bare symlink with a wrapper that execs ollama via 'env -u LD_LIBRARY_PATH', so EVERY ollama call (install-time serve+pull AND the test assert) runs clear of the pollution and uses ollama's own glibc. Single point of fix; harmless on real NixOS/ubuntu/mac (LD_LIBRARY_PATH unset → no-op). The install (nix build, collision-free) was already solved; this closes the daemon-startup wall. Diagnosed, not guessed (surface-the-error discipline); if this still fails it's genuinely weird → peer-call per the bound. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
… test matrix from accelerator → main The accelerator/pr-less-git-monster off-leash workstream graduates to the primary, now that B-0941 is genuinely closed (NixOS docker test GREEN-WITH-ASSERT — the local-LLM actually works on the primary OS, no skip-to-green). Brings (24 files, +2301): the account-free local-LLM core primitive (tools/setup/common/local-llm.sh — nix-build + LD_LIBRARY_PATH-clean wrapper on NixOS, binary on ubuntu, brew on mac; manifests/local-llm pin) + the reusable TS (local-llm.ts chooseIndex/classify = choose.ts/observe.ts primitives, account-free, DST-friendly temp0+seed) + event-store-schema + move-next-harness + the Docker Ubuntu+NixOS install.sh test matrix (the shield) + B-0940/B-0941. This is the sovereignty substrate: a machine booted from the NixOS USB/ISO gets the local LLM via install.sh with NO cloud connection, so observe.ts (classify) + choose.ts (chooseIndex) run entirely on-machine — the agent's observe→choose→act loop is offline-capable. 2nd-opinion-validated (native-subagent audit before this primary-graduation): - kept main's LIVE SHA-pinned accelerator-move-next.yml (#6078) — did NOT clobber it with the branch's stale STAGED version (the audit caught this regression) - regenerated docs/BACKLOG.md (generated file; main +3 rows / branch +2) - dropped events/otto/*.json (runtime artifact, not source) - docker-nixos auto-merged clean (kept main's #6090 SHA + accelerator's additions) Verified: 28 TS tests pass, shellcheck clean, 3 workflows actionlint-clean, 0 conflicts. Per Aaron's authorization ('harvest the install-graph once B-0941 is fixed, agree'). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
+64
to
+73
| body: JSON.stringify({ | ||
| model, | ||
| prompt, | ||
| stream: false, | ||
| options: { | ||
| temperature: o?.temperature ?? 0, | ||
| seed: o?.seed ?? defaultSeed, | ||
| num_predict: o?.maxTokens ?? 6, | ||
| }, | ||
| }), |
…owlist (harvest's new install-graph .sh) The harvest brought tools/setup/common/local-llm.sh — a legitimate install-graph shell file (Rule-0 allowed: tools/setup/). The bash-retirement-inventory check (non-required, but should be clean on the primary) flagged it as 'unexpected' drift because the EXPECTED_RETAINED_SHELL allowlist + RETAINED_SHELL_CATEGORY_BY_FILE didn't include it. Added it (sorted between elan.sh and mise.sh, category setup/bootstrap) to both, + bumped the test's setup/bootstrap count 13→14. Check --enforce now OK (unexpected: 0); 18/18 tests pass. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Graduates the accelerator local-LLM/install-graph workstream toward main by adding an Ollama-backed local model primitive, event-store/move-next harness pieces, and Ubuntu/NixOS Docker validation around install.sh.
Changes:
- Adds local-LLM install/configuration and validation across setup scripts, manifests, Dockerfiles, and workflows.
- Adds accelerator TypeScript primitives for local model selection/classification plus move-next event-store schema and harness tests.
- Adds accelerator/backlog documentation for the install matrix, event-store design, and related backlog rows.
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 14 comments.
Show a summary per file
| File | Description |
|---|---|
tools/setup/manifests/local-llm |
Adds local-LLM model/seed/host manifest. |
tools/setup/manifests/brew |
Adds macOS Ollama formula. |
tools/setup/manifests/apt |
Adds Linux dependencies for Ollama/.NET runtime. |
tools/setup/macos.sh |
Invokes local-LLM setup on macOS. |
tools/setup/linux.sh |
Invokes local-LLM setup on Linux/NixOS. |
tools/setup/common/local-llm.sh |
Adds Ollama install/start/model-pull script. |
tools/ci/dockerfiles/ubuntu-install-sh-test/Dockerfile |
Adds Ubuntu install.sh Docker validation. |
tools/ci/dockerfiles/nixos-install-sh-test/Dockerfile |
Extends NixOS Docker validation to assert local-LLM. |
tools/accelerator/validate-local-llm.ts |
Adds real local-LLM validation probe. |
tools/accelerator/move-next-harness.ts |
Adds event replay/run-loop harness. |
tools/accelerator/move-next-harness.test.ts |
Adds harness tests. |
tools/accelerator/local-llm.ts |
Adds backend, chooseIndex, classify primitives. |
tools/accelerator/local-llm.test.ts |
Adds local-LLM primitive tests. |
tools/accelerator/event-store-schema.ts |
Adds move-next event schema/builders/validation. |
tools/accelerator/event-store-schema.test.ts |
Adds event schema tests. |
docs/backlog/P2/B-0941-...md |
Adds B-0941 backlog row. |
docs/backlog/P2/B-0940-...md |
Adds B-0940 backlog row. |
docs/BACKLOG.md |
Regenerates backlog index entries. |
docs/accelerator/SUBSTRATE-GROUNDING.md |
Adds accelerator substrate synthesis. |
docs/accelerator/README.md |
Adds accelerator branch charter/status. |
docs/accelerator/EVENT-STORE-SCHEMA.md |
Adds event-store schema documentation. |
.github/workflows/docker-ubuntu-install-sh-test.yml |
Adds Ubuntu Docker install workflow. |
.github/workflows/docker-nixos-install-sh-test.yml |
Extends NixOS workflow branch coverage. |
.github/workflows/accelerator-local-llm-validate.yml |
Adds accelerator local-LLM validation workflow. |
Comment on lines
+33
to
+35
| mget() { grep -E "^$1[[:space:]]" "$MANIFEST" | awk '{print $2}' | head -1; } | ||
| MODEL="$(mget model)" | ||
| HOST="$(mget host)" |
| # in the container AND on real NixOS. (The declarative real-hardware path is | ||
| # services.ollama in configuration.nix — complementary.) Surface stderr; | ||
| # graceful (warn + exit 0 so install.sh never bricks over a best-effort probe). | ||
| ollama_store="$(nix --extra-experimental-features 'nix-command flakes' build --no-link --print-out-paths nixpkgs#ollama 2>&1 | tail -1)" |
Comment on lines
+29
to
+31
| # 24.04 (Noble: libicu74, libssl3t64 post-time_t-transition). | ||
| libicu74 # ICU — .NET globalization (the classic "dotnet exited" cause) | ||
| libssl3t64 # OpenSSL 3 runtime (Noble t64 name) |
Comment on lines
+23
to
+27
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| branches: [accelerator/pr-less-git-monster] | ||
| paths: |
| # off-leash-first model). This test validates install.sh, so it must | ||
| # re-run when install.sh changes there too — otherwise the primary OS is | ||
| # only re-validated at harvest time. | ||
| - accelerator/pr-less-git-monster |
Comment on lines
+4
to
+5
| status: open | ||
| title: NixOS-native ollama for the local-LLM primitive — close the hole in the shield (NixOS test passes by SKIPPING, not validating) |
| # tools/setup/manifests/local-llm — declarative pins for the CORE local-LLM | ||
| # primitive: a small CPU-only model served by Ollama, account-free. | ||
| # | ||
| # Why core (Aaron 2026-05-30): small CPU-capable local LLMs are a baseline |
Comment on lines
+117
to
+120
| self-triggering Action [`.github/workflows/accelerator-move-next.yml`](../../.github/workflows/accelerator-move-next.yml) | ||
| is **STAGED, NOT LIVE** (lives on this branch only; workflow_dispatch needs | ||
| the default branch to dispatch, so it cannot auto-run — go-live is a deliberate | ||
| operator step). Safety rails: bounded recursion (iterations countdown + |
Comment on lines
+67
to
+77
| ollama_store="$(nix --extra-experimental-features 'nix-command flakes' build --no-link --print-out-paths nixpkgs#ollama 2>&1 | tail -1)" | ||
| if [ -n "$ollama_store" ] && [ -x "$ollama_store/bin/ollama" ]; then | ||
| mkdir -p "$HOME/.local/bin" | ||
| # WRAPPER (not bare symlink): the nix-built ollama has the correct glibc in | ||
| # its RPATH, but a polluting LD_LIBRARY_PATH (e.g. the docker-nixos test's | ||
| # FHS-mise glibc hack) OVERRIDES the RPATH → 'symbol lookup error: libc.so.6 | ||
| # undefined symbol __nptl_change_stack_perm GLIBC_PRIVATE' (run 26686054042). | ||
| # The wrapper runs ollama clear of LD_LIBRARY_PATH so EVERY call (install-time | ||
| # serve+pull AND the test's assert) uses ollama's own glibc. Harmless on real | ||
| # NixOS / ubuntu / mac (LD_LIBRARY_PATH unset there → env -u is a no-op). | ||
| printf '#!/usr/bin/env bash\nexec env -u LD_LIBRARY_PATH %s/bin/ollama "$@"\n' "$ollama_store" > "$HOME/.local/bin/ollama" |
Comment on lines
+99
to
+101
| url="https://github.com/ollama/ollama/releases/latest/download/ollama-linux-${oarch}.tar.zst" | ||
| echo "↓ installing ollama (latest, linux-${oarch})..." | ||
| if ! curl_fetch --output "${tmp}/ollama.tar.zst" "$url"; then |
AceHack
pushed a commit
that referenced
this pull request
May 30, 2026
…ia --out-link (Copilot #6120) Scope-independent install-graph fixes on the off-leash source (the fixed local-llm.sh is wanted whichever harvest scope lands). Three real Copilot findings: - mget(): grep no-match (exit 1) or head SIGPIPE under set -euo pipefail would exit the script; "|| true" makes a missing key gracefully empty. - nix build: a failing var=$(nix build ...) command-substitution exits before the warn+exit-0 fallback under set -e; moved the build into the if-condition (set-e exempt) so failure is graceful. - GC-root: --no-link + raw --print-out-paths leaves the ollama store path un-GC-rooted (nix-collect-garbage could delete it out from under the wrapper); switched to --out-link $HOME/.local/state/zeta/ollama-result (an indirect GC root) and point the wrapper at the out-link, not a raw store path. Off-leash re-validation (docker-nixos + docker-ubuntu) confirms --out-link still installs ollama + pulls the model + the assert exercises. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Member
Author
|
Superseded by the narrowed install-graph harvest #6123 (operator decision: narrow to just the install-graph). #6120 over-scoped (brought the experimental move-next-harness + event-store, which the reviewers correctly flagged as experiment-quality + which clobbered main's live #6078 move-next.yml). The narrowed PR brings only the install-graph (local-LLM primitive + manifests + Docker shield + B-0940/B-0941), leaves the experiment off-leash, and applies the install-graph review fixes. The accelerator branch retains all the work. |
auto-merge was automatically disabled
May 30, 2026 14:57
Pull request was closed
AceHack
added a commit
that referenced
this pull request
May 30, 2026
…substrate accelerator → main (#6123) * accelerator(charter): kick off the PR-less git-monster accelerator (long-lived branch) Aaron-authorized 2026-05-29 long-lived branch for the PR-less alternative to the backlog->claim->PR->review->merge cycle. The git-monster friction (rate-limit cascades, armed-wait-on-CI, dotgit-saturation, review-thread loops) is the dominant agent-throughput tax — acceptable for the corporate/leash market (PR-protected static DUs) but the wrong default for the OSS/Agora market (self-modifying DUs free from PRs). Charter grounds in existing substrate (move-next as universal action grammar + git-as-free-event-store + github-actions-recursion, #5672; GitHub swarm architecture; dual-market framing). Core idea: git IS the free event store (commits=events), move-next is the universal action grammar, GH-Actions-recursion is the swarm runtime, PR-less != review-less (review moves to continuous glass-halo + shadow-class health-observation). Hard floor preserved (force-with-lease only, HARD LIMITS, kid-safety, NCI, leash-market PR path NOT removed, main never force-pushed). Action item 1: substrate-grounding synthesis before building anything. This is a kickoff, not a build. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(event-store): Action Items 1+2 — substrate-grounding + git-event-store schema @1 Action Item 1 (substrate-grounding): located the move-next / git-as-free-event- store / github-actions-recursion substrate (memory/persona/ani/...move-next..., tools/agent-loop/, B-0867, B-0874) via parallel substrate-hunt agents. Action Item 2 (git-event-store schema @1): a move-next transition persisted as an append-only Git event. - Layout: events/<agent>/<ulid>.json — per-agent dir + ULID (128-bit, time- sortable) filename ⇒ no two agents write the same path ⇒ conflict-free merges ⇒ PR-less swarm (B-0867 128-bit-unique-ID design; B-0874 no-PR swarm). - Envelope: persists transition(from, option)=to (the move-next core from state-machine.ts) + Z-set weight (+1 assert / -1 retract) + prev causal-link + AgencySignature trailer. - schema-in-the-stream (razor-flow Insight 4): schema-def events declare versions; old events stay interpretable ⇒ automatic schema-evolution over history. - forgiveness-budget (razor-flow Insight 3): retraction is logical not physical; files stay on disk; compaction/tiering bounds it ('run out of space = run out of forgiveness'). - Otto Mod 4 dual-market: internal transitions append-only/PR-less (Agora); cross-cutting substrate PR-gated (leash). Concrete types (tools/accelerator/event-store-schema.ts) compose with tools/agent-loop/state-machine.ts; 6/6 tests pass; typecheck clean. Long-lived branch, no PR (PR-less by design per the charter). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(event-store): wire the two-layer-razor + past-as-generator compaction mechanism into the forgiveness-budget The compaction/tiering policy's MECHANISM is the two-layer razor (Aaron+Ani 2026-05-29, docs/research/2026-05-29-two-layer-razor-past-as-generator-...): - Layer 1 (Origin vs Purpose) = the retraction (what's accidental). - Layer 2 (Causal Order vs Current Purpose) = compress retracted data WITHIN a partition; per-agent stream IS a partition (single-writer -> canonical causal order); keep prev-chain, drop redundant ts. - _compacted/<agent>/ = Layer 2 output (causal-order-only, columnar). - past-as-generator = extreme form: replace compacted segment with the transition-fold replay generator. Don't-collapse: designed verifiable property, not a universe claim. Long-lived branch, no PR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator: be good to our host — today's forgiveness-budget is GitHub's free-OSS generosity, honored voluntarily (Aaron 2026-05-29) The 'run out of space = run out of forgiveness' hard limit is real in general, but TODAY the accelerator runs open-source on GitHub where storage is free + effectively unlimited -> the git-monster's forgiveness is unbounded within GitHub's generosity. The binding constraint right now is relational, not a space wall: be a good guest of the host whose generosity (Microsoft subsidizing OSS, B-0874) makes git-as-free-event-store + GH-Actions-recursion possible. - Apply compaction / past-as-generator VOLUNTARILY (good-guest, not forced). - Don't abuse the free tier with wasteful unbounded volume. - proud-if-it-propagates pattern = good guest, not maximal extraction (tragedy- of-the-commons if everyone ran abusive unbounded swarms on the free tier). Wired into EVENT-STORE-SCHEMA.md forgiveness-budget + charter hard-constraints. Long-lived branch, no PR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(Action Item 3): move-next harness + STAGED self-triggering workflow The deterministic-script half of the agent loop: read event-store -> replay state via transition-fold -> generate menu -> selector picks -> append next event. The LLM is a pure selector (the selectMove seam); this holds the state machine + I/O. Composes with tools/agent-loop/state-machine.ts + the @1 event-store schema. - tools/accelerator/move-next-harness.ts (+ tests, 8/8 pass): loadStream, replayState (Z-set fold, drops retracted), runCycle (append-only), runLoop (hard-cap 25 + kill-switch + dry-run), CLI. Smoke-tested: dry-run + clamp. - .github/workflows/accelerator-move-next.yml: STAGED, NOT LIVE. Lives on this branch only (workflow_dispatch needs the default branch to dispatch -> cannot auto-run; go-live is a deliberate operator step). Safety: bounded recursion (countdown + hard-cap 25 in harness AND workflow), events/_HALT kill-switch, concurrency=1, append-only-no-force, GITHUB_TOKEN-only (no PAT -> no uncontrolled recursion), input-hardened (env-vars + agent allow-list + numeric validation, per the GH Actions injection guidance), actionlint-clean. A self-triggering committer is irreversible-flavored, so it is built + tested + staged, NOT autonomously made live (be-good-to-our-host). Long-lived branch, no PR. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(move-next): add structured key logging (surfaces agent + event key per cycle) Aaron 2026-05-30 ('start adding logging, what key is the agent using?'). Adds a Logger seam (noopLog default for library/tests; stderrLog for CLI) that emits one JSON line per cycle showing the KEYS the agent uses: - agent : PARTITION key -> events/<agent>/ - key : per-event key -> events/<agent>/<key>.json (= event id) - keyFormat : 'ulid' today; flags the placeholder-vs-Zeta-ID gap (B-0893) - prev : causal-link key (prev event id, or null) - kind/from/option/to/wrote/dryRun Logs go to STDERR so STDOUT stays the clean parseable summary. 8/8 tests pass (library callers default to noopLog -> silent, unchanged). SUBSTRATE-HONEST NOTE: the key is a placeholder ULID. A canonical, cross-verified TS Zeta-ID codec ALREADY EXISTS at src/Core.TypeScript/zeta-id/ (pack/unpack/ cross-verify) alongside the C#/F# impls. The harness should switch to it: the Zeta-ID encodes persona (agent), category (Workflow/Heartbeat = the event kinds), authority (account/trust key), and location (vendor/region) IN the 128-bit key. Using the placeholder ULID was a verify-existing-substrate-before-authoring miss. Next: swap newUlid() -> pack(ZetaObservation, env) (schema-touching; tracked). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(move-next): append cycle event (agent=otto) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(move-next): swap placeholder ULID -> canonical Zeta-ID key (B-0893) Aaron 2026-05-30 ('do the zeta-id swap'). Replaces the placeholder ULID event key with the cross-verified canonical Zeta-ID codec (src/Core.TypeScript/zeta-id/). WHY: the ULID was a verify-existing-substrate miss — a TS Zeta-ID codec already existed alongside the C#/F# impls. The Zeta-ID encodes provenance IN the key: persona (agent-class), category (Workflow/Heartbeat = the move-next event kinds), authority (trust/account), location (region), timestamp — vs opaque timestamp+randomness. Empirically: a heartbeat cycle now keys category=Heartbeat, persona=FireflyCoherence, authority=Simulated, location=EastUS_VA1. CHANGES: - event-store-schema.ts: ZetaIdHex type (32-char lowercase hex; version+timestamp in high bits => lexical-hex = chronological); CURRENT_SCHEMA @1 -> @2; BuildDeps newUlid() -> newId(IdSemantics) seam (agent + category + authority); legacy @1 ULID accepted on replay via isEventId (back-compat for the one existing @1 event). - move-next-harness.ts: realDeps.newId packs a real ZetaId via pack()+DEFAULT_ENV; agentToPersona (aaron->Aaron, autonomous->FireflyCoherence); category from option; loadStream sorts by ts (robust across @1 ULID + @2 hex id formats); keyFormat detects zeta-id vs ulid. - tests: 19/19 pass (round-trip unpack confirms category/persona land in key bits). FOLLOW-UP (cross-impl, golden-vector touching): extend the canonical Persona enum with the full agent roster (otto/alexa/riven/vera/lior/addison/max) so the EXACT agent lands in the persona bits; today autonomous agents share FireflyCoherence and the precise agent stays in the event 'agent' field + directory partition. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator: add reusable account-free local-LLM primitive (CYOA selector + observe.ts classifier) Aaron 2026-05-30: test the LLM-in-the-loop seam with a small LOCAL model on the GitHub runner (no account/key) before attaching a real harness. Designed as a REUSABLE primitive (Aaron: observe.ts will want the same small/local auto-classifier): - ModelBackend interface (swappable: ollamaBackend now; node-llama-cpp / account-backed later). - ollamaBackend(): account-free, runs a tiny instruct model (default qwen2.5:0.5b) on the runner via localhost; temp 0 for reproducibility (DST). - chooseIndex(): constrained choice among N options — the 'choose your own adventure' move-next selector core. Parses the first integer, validates in-range, FALLS BACK to index 0 on any failure (model down/slow/garbage) so the loop never stalls (exceptions-as-signals; fallback is the safety rail). - classify(): observe.ts auto-classifier shape (input -> one label), sharing chooseIndex's validated/fallback-safe path. Backend-agnostic; 9/9 tests pass with a mock model (no model/account needed to test the selection + fallback logic). NEXT: wire as an async SelectMove into the harness (+ workflow step that installs/runs the tiny model on the runner) to validate end-to-end on CI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(local-llm): add seed option for DST-deterministic local-model fixtures Aaron 2026-05-30: small local LLMs can serve as DETERMINISTIC SIMULATION TESTING fixtures in observe.ts's actual tests (not just mocks). For that, the model must be reproducible: temp 0 (greedy) + fixed seed + pinned model/quant. Adds a seed option (CompleteOptions.seed + ollamaBackend default seed=0, per-call override) and documents the determinism requirements + cross-hardware caveat (pin the runner image or snapshot output when asserting across machines). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator: make small local-LLM a CORE install.sh primitive (declarative, both OS paths) Aaron 2026-05-30: small CPU-capable local LLMs are baseline substrate (like a language runtime), NOT optional — install.sh is 'our biggest lever against entropy of contributors and environments: one run turns any unix-like machine into substrate we can work with.' So this goes INTO the declarative install graph. Building OFF-LEASH on the accelerator branch first (Aaron: 'accelerator is for off-leash testing; once we get it right, main becomes off-leash too'). Harvest to main once validated on a runner. DECLARATIVE (per the framework discipline + GOVERNANCE §24 three-way parity): - manifests/local-llm: pins ollama_version=0.24.0 (WebSearch 2026-05-30, stable; 0.30.x was rc) + model=qwen2.5:0.5b (398MB Q4_K_M, CPU) + seed=0 + host. The MODEL is the reproducible/pinned artifact (enables DST: temp0+seed+pin). - common/local-llm.sh: idempotent, GRACEFUL (warns+continues; never bricks install.sh — exceptions-as-signals). Linux installs the pinned ollama release binary (mise-style curl-fetch); macOS via manifests/brew (ollama added). Ensures the daemon, pulls the pinned model. - wired as a default step into linux.sh + macos.sh (after verifiers, before shellenv) — every dev/CI/devcontainer install gets it. bash -n + shellcheck clean. NOTE (needs runner validation, can't verify mac+linux + daemon lifecycle + CI Actions-cache from here): exercise install.sh on a real runner + add a skip-if-absent real-model test + cache the model keyed on the manifest pin. Then harvest the install-graph to main. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(local-llm): float ollama latest + real-model install.sh validation workflow Aaron 2026-05-30: (a) float ollama runtime to latest — version doesn't affect DST reproducibility (the pinned MODEL + temp0 + seed do), less maintenance; Linux uses GitHub /releases/latest/download (auto-redirect, no pin, no API call), macOS brew already floats. Manifest kept OS-agnostic (model/seed/host) so the Windows install.ps1 (peer surface) reads the same shared contract. (b) 'move it forward with real tests' — a validation workflow that proves the entropy-lever end-to-end. accelerator-local-llm-validate.yml (off-leash; push to accelerator or dispatch): - runs install.sh on a bare ubuntu-24.04 (the lever: bare machine -> substrate) - asserts ollama present + the PINNED model landed (reads manifests/local-llm) - runs the mock-backed primitive tests (logic, run-anywhere) - runs validate-local-llm.ts: a REAL chooseIndex through the actual local model, asserting a valid non-fallback selection (proves the live model responds) validate-local-llm.ts reads the declarative manifest -> ollamaBackend -> real chooseIndex; exits non-zero if the model fell back (unreachable/unparseable). actionlint + shellcheck + tsc clean; 9/9 mock tests pass. This run is the gate that graduates the local-LLM primitive from off-leash to main. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(local-llm): fix ollama linux asset — .tar.zst (zstd), not .tgz The validation workflow caught it: the floating URL .../ollama-linux-amd64.tgz 404s (302 -> v0.24.0/ollama-linux-amd64.tgz = 404). Per the release API (2026-05-30) the actual linux asset is ollama-linux-amd64.tar.zst (zstd). Fix: correct asset name + tar --zstd extraction (zstd present on ubuntu runners; GNU tar + bsdtar both support --zstd). Extract-failure now also graceful. This is exactly the entropy-lever validation doing its job — caught a real install bug off-leash before it reached main. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * backlog(B-0940): evaluate Ubuntu support value — NixOS primary, Ubuntu = community reach Aaron 2026-05-30: 'nixos is our primary we should put on backlog and evaluate what ubuntu is bringing us, the community of ubuntu is really why i'm thinking ubuntu matters.' Captures the strategic question: NixOS is primary (reproducible + declarative, fits DST/declarative ethos); Ubuntu's value is community/contributor reach. Decide Ubuntu's support tier (first-class vs community-convenience). Filed off-leash; harvests to main with the local-LLM work. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * backlog(B-0940): sharpen — NixOS declarative-by-construction (boots real hardware); install.sh retrofits declarativeness onto imperative Ubuntu Aaron 2026-05-30 deeper rationale: 'nix is what boots the usb/iso our real hardware boots cause it's declarative. ubuntu is not on its dependency management — we use install.sh to make ubuntu work like nixos with declarative dependencies.' NixOS is primary by KIND (it IS the declarative substrate); Ubuntu is made to ACT declarative via install.sh + the manifests. The cost of Ubuntu is that simulation layer; the value is community reach. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(ci): Ubuntu docker install.sh test (sibling to nixos) + zstd dep Aaron 2026-05-30: 'center our docker tests around ubuntu and nixos, tests for both with install.sh.' Ubuntu sibling to docker-nixos-install-sh-test: - tools/ci/dockerfiles/ubuntu-install-sh-test/Dockerfile: FROM ubuntu:24.04 (digest-pinned via registry API 2026-05-30) -> apt bootstrap -> PATH ENV -> RUN install.sh (entropy lever) -> validate local-LLM (start daemon, assert pinned model, real chooseIndex probe + mock tests). The build IS the test. - manifests/apt: + zstd (ollama linux release is .tar.zst). - docker-ubuntu-install-sh-test.yml: direct docker build (first cut). NixOS stays primary (declarative-by-construction; B-0940); this guards the Ubuntu declarative-retrofit. FOLLOW-UP (Aaron's GHA-cache point): shared TS driver + buildx cache type=gha for both OS tests so the heavy install bakes once. Untestable from here (no local docker) -> iterates via CI off-leash. actionlint clean. Triggers on push (the Ubuntu docker test runs now). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * accelerator(apt): declare .NET native runtime deps (libicu74 etc.) — bare-ubuntu fix The docker-ubuntu-install-sh-test exposed it: mise installs the dotnet SDK but it 'exited with non-zero status' on a minimal ubuntu:24.04 image — missing libicu (the classic cause) + libssl/krb5/tzdata. Full ubuntu runners have these implicitly; the bare Docker image doesn't. Declaring them in manifests/apt makes install.sh's entropy lever work on TRULY bare ubuntu (no-op on full ubuntu). Per Microsoft Learn linux-scripted-manual .NET deps; build-essential already covers libstdc++6/libgcc-s1/zlib1g. Ubuntu 24.04 (Noble) names: libicu74, libssl3t64. Re-triggers the docker-ubuntu test; iterate if a Noble suffix differs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * ci(docker-nixos): also trigger on accelerator branch (off-leash NixOS validation) The NixOS install.sh test only triggered on push-to-main, so off-leash install.sh changes on the accelerator branch (incl. the new local-LLM step in linux.sh) were never re-validated against the primary OS until harvest. Add the accelerator branch to its push triggers (Aaron's off-leash-first model: get it right on the accelerator, then main). Re-runs now → confirms install.sh doesn't break the NixOS build with the local-LLM additions. NOTE / follow-up: local-llm.sh downloads the GENERIC ollama linux binary, which won't run on NixOS (non-FHS) — the test will pass (local-llm.sh is graceful), but the local-LLM won't actually WORK on NixOS via that path. NixOS (the primary, per B-0940) should get ollama via nixpkgs (declarative-native), not the Ubuntu generic-binary retrofit. Tracked for a NixOS-native-ollama follow-up. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * backlog(B-0941): NixOS-native ollama — close the hole in the shield (test passes by SKIPPING) The local-LLM primitive's NixOS path is a false-green: common/local-llm.sh downloads the generic ollama binary (won't run on non-FHS NixOS) and skips gracefully on failure, so docker-nixos-install-sh-test passes GREEN while the local-LLM is actually non-functional on the PRIMARY OS. Aaron 2026-05-30: the entropy shield isn't install.sh itself — 'the automated tests around install.sh, that's the shield.' A shield with a hole reads as covered. This row patches the hole, two halves both required: 1. NixOS-native ollama (nixpkgs/services.ollama; local-llm.sh no-ops on NixOS) 2. NixOS test ASSERTS the local-LLM works (real chooseIndex probe), fails if absent — graceful-skip is right for install.sh, wrong for the test. Composes B-0940 (NixOS-primary eval). Off-leash; harvests with the install-graph. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(B-0941): NixOS-native ollama via nix + nixos test ASSERTS local-LLM (close the false-green) The hole: local-llm.sh had mac(brew)/Linux(generic-binary) branches but NO NixOS branch -> on NixOS it downloaded the generic glibc binary (won't run non-FHS) -> graceful skip -> docker-nixos test GREEN while local-LLM non-functional on the PRIMARY OS (the B-0941 false-green). Fix (two halves): 1. local-llm.sh: detect /etc/NIXOS (same marker linux.sh already routes on) -> install ollama via nix (, fallback ). FHS-safe; works in the nixos/nix container AND on real NixOS; floats with the channel (consistent with float-ollama). Graceful on failure (never bricks install.sh). The declarative real-hardware self-heal layer (services.ollama in configuration.nix) is complementary; this is the install.sh-retrofit path that closes the test hole. 2. nixos Dockerfile: COPY tools/accelerator + validation step 4 that ASSERTS the local-LLM (start daemon, pinned model present, real chooseIndex probe, mock tests) and FAILS the build if absent. assert-don't-skip per the shield rule — graceful-skip is right for install.sh, wrong for the test. Off-leash on the accelerator branch; the docker-nixos test now re-runs here (per the trigger fix) to verify. Harvest-to-main is gated on this going green-WITH-assert (non-reversible action -> the green-with-assert IS the verification). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(B-0941): nix-env-first + surface nix stderr (diagnose the suppressed install failure) Artifact diagnosis of run 26685665012: 'NixOS detected → installing ollama via nix' then 'nix ollama install failed' after ~39s — but the WHY was hidden by my own 2>/dev/null. A suppressed error can't be diagnosed (debugging-discipline miss). Changes: (1) lead with nix-env -iA nixpkgs.ollama (the container's own Dockerfile installs deps this way — proven to work there) before the flake form; (2) surface nix stderr (2>&1) to the build log so the next cycle shows the real error if it still fails; (3) broaden PATH to the per-user profile (nix-env's install target). Still graceful (warn + exit 0). Off-leash re-validation. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(B-0941): nix profile install --priority 6 (resolve coreutils file-collision) + drop broken nix-env path + SC2155 Root cause from the surfaced stderr (run 26685829032): nix-env -iA nixpkgs.ollama fails with 'bad meta.outputsToInstall'; bare nix profile install hits a coreutils-full FILE COLLISION in the profile (existing priority 5). Nix's own message prescribes --priority. Fix: use nix profile install --priority 6 nixpkgs#ollama (existing coreutils wins the collision; ollama's own binary still installs); drop the broken nix-env path entirely. Also drops the $(id -un) PATH line (fixes shellcheck SC2155 — root cause + lint in one commit). Stderr stays surfaced; still graceful. The surface-the-error discipline paid off directly: nix told me the exact fix. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(B-0941): nix BUILD + symlink (no profile mutation) — sidestep the coreutils collision Runs 26685829032 + 26685902159 (surfaced stderr) showed nix profile install hits a coreutils-full file-collision that --priority 6 did NOT resolve (profile-install is structurally collision-prone: ollama's closure brings coreutils-full vs the profile's existing one). Robust fix: don't mutate the profile at all — nix build the ollama store path (--no-link --print-out-paths) and symlink bin/ollama onto PATH. No profile entry, no collision, FHS-safe in container + real NixOS. nix-env path (bad meta.outputsToInstall) stays dropped. Stderr surfaced; graceful. Bounded-iteration note: if this cycle also fails, I stop solo-grinding the slow CI loop and surface options + a peer-call 2nd opinion (nix expertise) rather than burn more cycles. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * diag(B-0941): surface /tmp/ollama.log on daemon-unreachable (the install is SOLVED; daemon is the new wall) Run 26685965605: nix-build install WORKED ('✓ ollama via nix build + symlink') — the coreutils collision is gone. New narrower wall: ollama serve doesn't become reachable (curl exit 7) at both install-time model-pull and the assert. The serve stderr went to /tmp/ollama.log but was never shown on failure. Cat it on the curl failure so the next run reveals WHY serve won't bind — the serve log is needed whether I or a peer fixes it. Same surface-the-error discipline that cracked the install collision. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(B-0941): LD_LIBRARY_PATH-clean ollama wrapper (diagnosed glibc symbol mismatch) Run 26686054042 surfaced the exact root cause: 'ollama: symbol lookup error: /usr/local/nix-glibc-lib/libc.so.6: undefined symbol __nptl_change_stack_perm, version GLIBC_PRIVATE'. The nix-built ollama has the correct glibc in its RPATH, but the docker-nixos test's global LD_LIBRARY_PATH (an FHS-mise glibc hack) OVERRIDES the RPATH, forcing ollama onto the wrong libc. Docker-test-harness artifact, not a real-NixOS bug. Fix: replace the bare symlink with a wrapper that execs ollama via 'env -u LD_LIBRARY_PATH', so EVERY ollama call (install-time serve+pull AND the test assert) runs clear of the pollution and uses ollama's own glibc. Single point of fix; harmless on real NixOS/ubuntu/mac (LD_LIBRARY_PATH unset → no-op). The install (nix build, collision-free) was already solved; this closes the daemon-startup wall. Diagnosed, not guessed (surface-the-error discipline); if this still fails it's genuinely weird → peer-call per the bound. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(local-llm): set-e gracefulness (mget + nix build) + nix GC-root via --out-link (Copilot #6120) Scope-independent install-graph fixes on the off-leash source (the fixed local-llm.sh is wanted whichever harvest scope lands). Three real Copilot findings: - mget(): grep no-match (exit 1) or head SIGPIPE under set -euo pipefail would exit the script; "|| true" makes a missing key gracefully empty. - nix build: a failing var=$(nix build ...) command-substitution exits before the warn+exit-0 fallback under set -e; moved the build into the if-condition (set-e exempt) so failure is graceful. - GC-root: --no-link + raw --print-out-paths leaves the ollama store path un-GC-rooted (nix-collect-garbage could delete it out from under the wrapper); switched to --out-link $HOME/.local/state/zeta/ollama-result (an indirect GC root) and point the wrapper at the out-link, not a raw store path. Off-leash re-validation (docker-nixos + docker-ubuntu) confirms --out-link still installs ollama + pulls the model + the assert exercises. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(local-llm): loopback-host guard — close CodeQL file-data->outbound SSRF (required check on #6123) CodeQL flagged the ollama host (from the file-sourced manifest) flowing unguarded into the fetch URL (js SSRF taint). Real fix, not suppression: validate the host is loopback (127.0.0.1 / localhost / ::1) before use. This is a genuine local-only defense (a malicious manifest can't redirect the local LLM to exfiltrate prompts to a remote) AND an explicit validator CodeQL sees between the file-source and the fetch sink. The default + the manifest host are 127.0.0.1 so behavior is unchanged; mock-backed unit tests unaffected (they don't construct ollamaBackend with a host). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(harvest): commit stranded install-graph review fixes The bash-retirement allowlist entry for local-llm.sh, the B-0941 status->closed + Resolution, the inventory test count (13->14), and the manifest name-attribution were edited in the worktree but never committed — only the CodeQL loopback-guard commit was pushed. CI ran the pushed commit (which lacked them), so: - bash-inventory: unexpected:1 (local-llm.sh not in committed allowlist) - BACKLOG-drift: committed B-0941 still `open`, BACKLOG.md reflects closed Committing the stranded fixes makes the committed tree self-consistent: - local-llm.sh in EXPECTED_RETAINED_SHELL + RETAINED_SHELL_CATEGORY_BY_FILE - B-0941 status: closed (BACKLOG.md already matches a fresh regen) - inventory test setup/bootstrap count 14 (bun test: 18 pass / 0 fail) - manifests/local-llm attribution -> operator (role-ref lint) Diagnosis credit: operator's "check if the drift check fails on other PRs" falsified the "pre-existing CI quirk" hypothesis (other PRs pass), forcing the real root cause — working-tree-clean != committed-clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(harvest): role-ref attribution + Ubuntu test covers main PRs (Copilot review) Addresses the Copilot review on the harvest: - Name attribution -> role-ref on current-state surfaces (workflows, manifests, Dockerfile, accelerator .ts, local-llm.sh): "Aaron 2026-05-30" -> "operator 2026-05-30", possessives -> "the operator's". Backlog/research .md history surfaces keep attribution; only code/config/manifest converted. - docker-ubuntu-install-sh-test: add `pull_request` trigger (mirrors docker-nixos) so the Ubuntu install-graph is tested on PRs to main. It previously fired only on accelerator-branch pushes — after harvest that left main's Ubuntu path untested, the exact "shield with a hole" the test matrix exists to prevent. actionlint clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Lior <lior@zeta.dev> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Graduates the install-graph workstream from
accelerator/pr-less-git-monster→ main — the off-leash → primary graduation, now that B-0941 is genuinely closed (NixOS docker test green-WITH-assert: the local-LLM actually works on the primary OS, not skip-to-green).24 files / +2301. The account-free local-LLM core primitive:
tools/setup/common/local-llm.sh— nix-build +LD_LIBRARY_PATH-clean wrapper (NixOS), binary (ubuntu), brew (mac);manifests/local-llmpintools/accelerator/local-llm.ts—chooseIndex(= choose.ts) +classify(= observe.ts) primitives; account-free, DST-friendly (temp 0 + fixed seed)Why — the sovereignty substrate
A machine booted from the NixOS USB/ISO gets the local LLM via
install.shwith no cloud connection, so the agent'sobserve.ts(classify) →choose.ts(chooseIndex) → act loop runs entirely on-machine, offline.2nd-opinion-validated (native-subagent audit before this primary-graduation)
The audit caught a regression I'd have caused:
accelerator-move-next.yml(ci(accelerator): go-live the move-next self-triggering workflow on main #6078) — did NOT clobber it with the branch's stale STAGED versiondocs/BACKLOG.md(generated file; main +3 rows / branch +2)events/otto/*.json(runtime artifact, not source)docker-nixosauto-merged clean (kept main's deps: Bump actions/upload-artifact from 4.4.3 to 7.0.1 #6090 SHA + accelerator's additions — file-checkout would've lost it)Verified locally: 28 TS tests pass · shellcheck clean · 3 workflows actionlint-clean · 0 residual conflicts.
Authorized: Aaron ("harvest the install-graph once B-0941 is fixed, agree").
🤖 Generated with Claude Code