Lucent-Financial-Group · AceHack · May 30, 2026 · May 29, 2026 · May 29, 2026 · May 29, 2026
diff --git a/.github/workflows/accelerator-local-llm-validate.yml b/.github/workflows/accelerator-local-llm-validate.yml
@@ -0,0 +1,81 @@
+# Accelerator — local-LLM entropy-lever validation (off-leash, accelerator branch).
+#
+# Proves the claim: a BARE runner + `install.sh` ⇒ working local-LLM substrate
+# (operator 2026-05-30 "install.sh is our biggest lever against entropy"). Runs the
+# real install graph, asserts the pinned model actually landed + serves, and runs
+# a REAL (not mocked) selection through the local model. This is the gate that
+# graduates the local-LLM core primitive from off-leash (accelerator) to main.
+#
+# Pushing this workflow / any local-LLM file to the accelerator branch triggers it.
+# Heavy (full install + ~400MB model pull); concurrency cancels superseded runs.
+
+name: accelerator-local-llm-validate
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [accelerator/pr-less-git-monster]
+    paths:
+      - "tools/setup/manifests/local-llm"
+      - "tools/setup/common/local-llm.sh"
+      - "tools/setup/linux.sh"
+      - "tools/setup/macos.sh"
+      - "tools/setup/manifests/brew"
+      - "tools/accelerator/local-llm.ts"
+      - "tools/accelerator/validate-local-llm.ts"
+      - ".github/workflows/accelerator-local-llm-validate.yml"
+
+concurrency:
+  group: accelerator-local-llm-validate-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  validate-linux:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 25
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup bun
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
+
+      - name: Run install.sh (the entropy lever — bare runner → substrate)
+        env:
+          # Authenticated mise (per the mise.sh fix) so the toolchain install
+          # doesn't hit the unauthenticated GitHub rate limit.
+          MISE_GITHUB_TOKEN: ${{ github.token }}
+        run: ./tools/setup/install.sh
+
+      - name: Ensure ollama on PATH + daemon serving
+        run: |
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+          export PATH="$HOME/.local/bin:$PATH"
+          command -v ollama
+          if ! curl -fsS http://127.0.0.1:11434/api/version >/dev/null 2>&1; then
+            (ollama serve >/dev/null 2>&1 &)
+            for _ in $(seq 1 30); do
+              curl -fsS http://127.0.0.1:11434/api/version >/dev/null 2>&1 && break
+              sleep 1
+            done
+          fi
+          curl -fsS http://127.0.0.1:11434/api/version
+
+      - name: Assert the pinned model landed (declarative manifest)
+        run: |
+          export PATH="$HOME/.local/bin:$PATH"
+          MODEL=$(grep -E '^model' tools/setup/manifests/local-llm | awk '{print $2}')
+          echo "expected model: $MODEL"
+          ollama list
+          ollama list | awk 'NR>1 {print $1}' | grep -qx "$MODEL"
+
+      - name: Mock-backed primitive tests (logic; run anywhere)
+        run: bun test tools/accelerator/local-llm.test.ts
+
+      - name: REAL local-LLM validation (entropy-lever end-to-end)
+        run: |
+          export PATH="$HOME/.local/bin:$PATH"
+          bun tools/accelerator/validate-local-llm.ts --root "$PWD"
diff --git a/.github/workflows/docker-nixos-install-sh-test.yml b/.github/workflows/docker-nixos-install-sh-test.yml
@@ -47,6 +47,12 @@ on:
   push:
     branches:
       - main
+      # Off-leash validation: install.sh changes are built on the accelerator
+      # branch (incl. the local-LLM step) BEFORE harvesting to main (the operator's
+      # off-leash-first model). This test validates install.sh, so it must
+      # re-run when install.sh changes there too — otherwise the primary OS is
+      # only re-validated at harvest time.
+      - accelerator/pr-less-git-monster
     paths:
       - 'tools/setup/**'
       - '.mise.toml'

diff --git a/.github/workflows/docker-ubuntu-install-sh-test.yml b/.github/workflows/docker-ubuntu-install-sh-test.yml
@@ -0,0 +1,73 @@
+# .github/workflows/docker-ubuntu-install-sh-test.yml
+#
+# Docker-based install.sh test on Ubuntu — sibling to docker-nixos-install-sh-test
+# (operator 2026-05-30: "center our docker tests around ubuntu and nixos and have
+# tests for both with install.sh"). The Dockerfile IS the test: it runs install.sh
+# on a bare ubuntu image and validates the core local-LLM primitive (ollama +
+# pinned model + real chooseIndex probe). A failing install.sh / assert fails the
+# build, which fails this job.
+#
+# Off-leash on the accelerator branch (operator: "accelerator is for off-leash
+# testing; once we get it right, main becomes off-leash too"). This is the gate
+# that guards graduating the local-LLM install primitive to main.
+#
+# FIRST CUT uses a direct `docker build` (vs the nixos TS driver) for simplicity.
+# FOLLOW-UP (the operator's GHA-cache point): consolidate both OS tests onto a shared TS
+# driver + buildx `cache-from/to: type=gha` so the heavy install (1.2GB ollama +
+# toolchain) bakes once and iteration runs inside the cached image.
+#
+# Security: no github.event.* values interpolated into run: lines.
+
+name: docker-ubuntu-install-sh-test
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [accelerator/pr-less-git-monster]
+    paths:
+      - "tools/ci/dockerfiles/ubuntu-install-sh-test/**"
+      - "tools/setup/**"
+      - "tools/accelerator/local-llm.ts"
+      - "tools/accelerator/validate-local-llm.ts"
+      - ".mise.toml"
+      - ".dockerignore"
+      - ".github/workflows/docker-ubuntu-install-sh-test.yml"
+  # Run on PRs to main too — after harvest the install-graph lives on main, so a
+  # PR touching it must be Ubuntu-tested (mirrors docker-nixos-install-sh-test).
+  # The shield must cover main, not just the accelerator branch: a test that only
+  # fires off-leash is a hole that reads as covered.
+  pull_request:
+    types: [opened, reopened, synchronize, ready_for_review]
+    paths:
+      - "tools/ci/dockerfiles/ubuntu-install-sh-test/**"
+      - "tools/setup/**"
+      - "tools/accelerator/local-llm.ts"
+      - "tools/accelerator/validate-local-llm.ts"
+      - ".mise.toml"
+      - ".dockerignore"
+      - ".github/workflows/docker-ubuntu-install-sh-test.yml"
+
+concurrency:
+  group: docker-ubuntu-install-sh-test-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  docker-ubuntu-test:
+    name: docker-ubuntu-install-sh-test
+    runs-on: ubuntu-24.04
+    # Cold build: full install.sh (mise toolchain + lean + jars) + ollama 1.2GB +
+    # 398MB model pull. Generous bound for the first uncached run.
+    timeout-minutes: 40
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: docker build (the test — install.sh + local-LLM validation inside)
+        run: |
+          docker build \
+            -f tools/ci/dockerfiles/ubuntu-install-sh-test/Dockerfile \
+            -t zeta-ubuntu-install-sh-test \
+            .
diff --git a/docs/BACKLOG.md b/docs/BACKLOG.md
@@ -889,6 +889,8 @@ are closed (status: closed in frontmatter)._
 - [ ] **[B-0934](backlog/P2/B-0934-backlog-index-integrity-required-or-advisory-decision-2026-05-29.md)** Decide whether backlog-index-integrity is required or explicitly advisory
 - [ ] **[B-0937](backlog/P2/B-0937-redundancy-checks-across-satellites-and-rules-mirror-beacon-rhyme-retirement-hub-over-budget-detector-2026-05-29.md)** Redundancy-checks across satellites + rules — duplicate-content audit, mirror→beacon rhyme-retirement, hub-over-budget detector
 - [ ] **[B-0939](backlog/P2/B-0939-self-propagating-markdown-compiler-rule-bootstrap-traveler-template-every-md-propagates-or-doesnt-compile-aaron-mika-2026-05-30.md)** Self-propagating-Markdown compiler-rule + bootstrap-traveler template (every .md is a self-propagating pattern through time or it doesn't compile)
+- [ ] **[B-0940](backlog/P2/B-0940-evaluate-ubuntu-support-value-nixos-primary-community-reach-aaron-2026-05-30.md)** Evaluate what Ubuntu support brings us — NixOS is primary; Ubuntu's value is community/contributor reach
+- [x] **[B-0941](backlog/P2/B-0941-nixos-native-ollama-local-llm-hole-in-the-shield-test-passes-by-skipping-aaron-2026-05-30.md)** NixOS-native ollama for the local-LLM primitive — close the hole in the shield (NixOS test passes by SKIPPING, not validating)
 - [ ] **[B-0942](backlog/P2/B-0942-co-dominant-git-mirrors-git-native-crdt-coordination-no-host-needed-aaron-2026-05-30.md)** Co-dominant git mirrors + git-native CRDT coordination — no host needed for coordination (local + GitHub + GitLab/Gitea/Forgejo + free-OSS git as co-dominant collaborating mirrors)
 
 ## P3 — convenience / deferred

diff --git a/...evaluate-ubuntu-support-value-nixos-primary-community-reach-aaron-2026-05-30.md b/...evaluate-ubuntu-support-value-nixos-primary-community-reach-aaron-2026-05-30.md
@@ -0,0 +1,88 @@
+---
+id: B-0940
+priority: P2
+status: open
+title: Evaluate what Ubuntu support brings us — NixOS is primary; Ubuntu's value is community/contributor reach
+tier: strategic-evaluation
+ask: Aaron 2026-05-30
+created: 2026-05-30
+last_updated: 2026-05-30
+decomposition: leaf
+composes_with:
+  - tools/setup/install.sh
+  - .github/workflows/docker-nixos-install-sh-test.yml
+  - .claude/rules/dv2-data-split-discipline-activated.md
+tags: [install-sh, nixos, ubuntu, ci, docker, three-way-parity, strategic]
+type: evaluation
+---
+
+# B-0940 — Evaluate what Ubuntu support brings us (NixOS primary)
+
+## Origin
+
+Aaron 2026-05-30 (during the Docker Ubuntu+NixOS test build): *"i would also say
+nixos is our primary we should put on backlog and evaluate what ubuntu is bringing
+us, the community of ubuntu is really why i'm thinking ubuntu matters."*
+
+## The question
+
+**NixOS is the primary target — declarative BY CONSTRUCTION.** Aaron 2026-05-30
+(the deeper rationale): *"nix is what boots the usb/iso our real hardware boots
+cause it's declarative. ubuntu is not on its dependency management — we use
+install.sh to make ubuntu work like nixos with declarative dependencies."*
+
+This is the load-bearing distinction:
+
+- **NixOS** boots the **real hardware** (the USB/ISO that boots actual machines)
+  *because* the whole system — OS config + dependency closure — is declarative and
+  reproducible by construction. No bridge needed; declarativeness is native.
+- **Ubuntu** is **imperative** in its dependency management (apt, ad-hoc installs).
+  It has no native declarative-deps property.
+- **`install.sh` + the declarative manifests** (manifests/local-llm, .mise.toml,
+  manifests/apt/brew, …) are the **bridge that retrofits NixOS-like declarative
+  dependencies ONTO Ubuntu** — i.e. install.sh's job on Ubuntu is literally "make
+  Ubuntu behave like NixOS." That's the entropy-lever framing applied to a
+  non-declarative base OS.
+
+So NixOS is primary not just by preference but by *kind*: it IS the declarative
+substrate; Ubuntu is made to *act* declarative via install.sh. The cost of Ubuntu
+is maintaining that simulation layer (the install.sh Ubuntu path + apt deps +
+floating-binary installs); the value is what the next paragraph weighs.
+
+**Ubuntu's value is community/contributor reach**, not technical superiority.
+Aaron's framing: Ubuntu matters because of its *community* — contributor
+familiarity, the default-mental-model for most devs, GitHub-hosted runner
+ubiquity (ubuntu-latest is the CI default), and the volume of Ubuntu-targeting
+prior art. The question is whether that reach justifies Ubuntu as a *first-class*
+install/CI target or whether it's community-convenience only.
+
+## What to evaluate
+
+- **Contributor reach**: how many would-be contributors are Ubuntu-default vs
+  willing to use NixOS? Does first-class Ubuntu lower the contribution barrier
+  enough to matter?
+- **CI ubiquity**: `ubuntu-24.04` is the default GH-hosted runner; NixOS in CI is
+  container/QEMU-mediated. What does dropping/keeping Ubuntu cost in CI surface?
+- **Maintenance cost** of the Ubuntu path: the `apt` manifest, the floating-binary
+  installs (e.g. the ollama `.tar.zst` linux install in `common/local-llm.sh`),
+  and the non-reproducibility vs NixOS's pinned closure.
+- **Decision**: Ubuntu stays first-class (community justifies it) OR Ubuntu becomes
+  community-convenience-only (best-effort, NixOS is the supported/reproducible
+  path) OR some tiered support level.
+
+## Acceptance
+
+1. A short decision doc (in `docs/research/` or as this row's Resolution) weighing
+   Ubuntu's community-reach value against its maintenance + non-reproducibility
+   cost, with NixOS established as primary.
+2. A clear support-tier statement for Ubuntu (first-class / community-convenience /
+   tiered) that the install-graph + CI strategy follow.
+
+## Notes
+
+Surfaced alongside the Docker Ubuntu+NixOS install.sh test pair (both OSes run
+install.sh in containers; per Aaron's "center our docker tests around ubuntu and
+nixos"). This row is the *strategic* counterpart: building the Ubuntu test does not
+by itself decide Ubuntu's long-term support tier — this row does. NixOS-primary is
+the standing default; Ubuntu is retained pending this evaluation because of its
+community reach.