From 441ae787daebb0ea786ecc2b987883d940d32b11 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 05:10:22 -0400 Subject: [PATCH 01/20] docs: reconcile content federation authority --- README.md | 13 +- ...eration-truth-reconciliation-2026-07-14.md | 400 ++++++++++++++++++ src/routes/.well-known/webfinger/+server.ts | 27 +- .../.well-known/webfinger/webfinger.test.ts | 13 +- 4 files changed, 430 insertions(+), 23 deletions(-) create mode 100644 docs/content-federation-truth-reconciliation-2026-07-14.md diff --git a/README.md b/README.md index 54a61ba..352b058 100644 --- a/README.md +++ b/README.md @@ -86,13 +86,16 @@ flowchart LR StaticChecks --> Browser["Playwright smoke or regression"] Browser --> Lighthouse["Lighthouse report-only"] - Main --> Pages["GitHub Pages deploy"] - Pages --> Prod["transscendsurvival.org"] + Main --> CfProd["Cloudflare Pages production deploy"] + CfProd --> Prod["transscendsurvival.org"] + + Main --> Pages["GitHub Pages rollback deploy"] + Pages --> Rollback["jesssullivan.github.io"] Pages --> Profile["profile refresh dispatch"] - Main --> CfShadow["Cloudflare Pages shadow"] - CfShadow --> Tss["tss.tinyland.dev"] - CfShadow --> Ephemera["tss.ephemera.tinyland.dev"] + PR --> CfBuild["Cloudflare Pages build-only check"] + Manual["manual branch dispatch"] --> CfShadow["Cloudflare Pages branch deploy"] + CfShadow --> Shadow["branch-specific shadow URL"] PR --> Preview["shadow preview"] Preview --> SourceImage["public source image"] diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md new file mode 100644 index 0000000..843c766 --- /dev/null +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -0,0 +1,400 @@ +# Content Federation Truth Reconciliation - 2026-07-14 + +## Purpose + +This document reconciles the current blog, Tinyland content, Pulse, and +ActivityPub work against live behavior, current source, GitHub, Linear, the +`prompts-enqueue` library, and prior agent workflow artifacts. + +It exists because those records have repeatedly collapsed different delivery +stages into one word such as "done," "shipped," or "federated." That has +produced false memories and unsafe sequencing decisions. + +This is an as-of-2026-07-14 audit. Live behavior and open pull requests can +change after this snapshot. + +## Evidence Order + +When records conflict, use this order: + +1. Current live behavior, including the deployed image or commit when known. +2. Current source on the repository default branch. +3. Current package registry and consumer pin state. +4. Current GitHub pull request, issue, and check state. +5. Current Linear issue and initiative state, including recent comments. +6. Ratified decision documents and merged architecture records. +7. Prompt files, workflow journals, plans, and agent memories. + +The last category is historical evidence. It is not runtime authority. + +## Completion Vocabulary + +A capability can pass through all of these stages independently: + +1. **Planned** - an issue, prompt, or implementation plan exists. +2. **Authored** - source exists on a branch or pull request. +3. **Merged** - source is on a default branch. +4. **Released** - a package version or image was published. +5. **Adopted** - the consumer pins and wires the released version. +6. **Deployed** - the adopted build is running in the target environment. +7. **Runtime-mutated** - required bootstrap, secret, or operator state changed. +8. **Live-proven** - the intended public behavior was observed end to end. + +"Workflow completed" only means the orchestration process returned. A +completed workflow can contain agent errors, blocked verification, plan-only +lanes, or pull requests that were never merged. + +## Authority Map + +### Blog: `Jesssullivan/jesssullivan.github.io` + +This repository builds `transscendsurvival.org`. It is a static reader and +display spoke. Local posts and generated snapshots provide first paint, +no-JavaScript behavior, rollback data, and regression fixtures. The Tinyland +blog and Pulse broker feeds hydrate or add display data. + +It is not the durable Tinyland write authority, the Tinyland auth authority, +or the public ActivityPub delivery authority. Its WebFinger response delegates +the ActivityPub actor to `hub.tinyland.dev`; delegation does not make the blog +the actor host. + +The additive merge in `src/routes/blog` means a broker omission does not +delete a checked-in post. A broker-only post can render through the broker +placeholder path, but the broker remains a display contract. + +### Mothership: `tinyland-inc/tinyland.dev` + +This is the application and content-control surface. It owns user resolution, +content detail routes, admin/bootstrap flows, package adoption, and deployment +integration. Source merged here is still not live until the relevant image is +built and deployed and any required runtime state is installed. + +### Hub: `hub.tinyland.dev` + +The hub currently serves dynamic blog and Pulse projection data and hosts the +delegated ActivityPub actor document. Its public metadata explicitly says +public Fediverse delivery is disabled. The actor outbox, followers, and +following collections are currently empty. + +An inbox accepting POST-shaped traffic and a valid actor document prove +endpoint shape. They do not prove signed delivery, remote receipt, follower +lifecycle, or moderation behavior. + +### Package Repositories And Registry + +`tinyland-auth`, `tinyland-invitation`, `tinyland-content`, +`tinyland-content-types`, and `tinyland-security` are reusable source and +release authorities. The registry repository is +`tinyland-inc/bazel-registry`. + +A package release is not mothership adoption. A mothership pin is not a +deployment. Neither proves live behavior. + +### Operator And Secret State + +Kubernetes Secrets, GitHub Actions secrets, attended bootstrap operations, +SOPS custody, and key rotation are separate authorities. Pull requests cannot +claim those mutations unless the operator action and resulting live +fingerprint or behavior were verified. + +## Live Snapshot + +Observed on 2026-07-14: + +| Surface | Current result | Interpretation | +| --- | --- | --- | +| `transscendsurvival.org/blog/week-notes-scroll-wheels-and-chasing-the-sun` | 200 | The production blog serves the post. | +| `tinyland.dev/blog/week-notes-scroll-wheels-and-chasing-the-sun` | 404 | The mothership detail fix is not live. | +| `tinyland.dev/@jesssullivan/notes/2026-04-26-cardinals-before-dawn` with browser HTML Accept | 404 | Browser route does not resolve the note. | +| The same note with a generic Accept header | 307 to the identical URL | The deployed route still has the self-redirect bug. | +| `tinyland.dev/@jesssullivan` with ActivityPub Accept | 200 | The mothership exposes an actor-shaped response. | +| `tinyland.dev/@jesssullivan/outbox` | 404 | The mothership is not the working public outbox authority. | +| `hub.tinyland.dev/@jesssullivan` with ActivityPub Accept | 200 | This is the delegated actor endpoint. | +| Hub outbox, followers, and following | 200 with zero items | Endpoint shape exists; public federation is not demonstrated. | +| Hub inbox GET | 405 with POST/OPTIONS allowed | Shape only; not delivery proof. | +| Hub blog broker | Dynamic, 140 posts | Live display authority is healthy. | +| Hub Pulse broker | Dynamic, 6 items | Pulse projection is live. | +| Hub AP demo stream | Three-item demo dated 2026-05-10 | Controlled, stale demo data; not public delivery. | +| `transscendsurvival.org/stream` | 404 | No production stream route. | +| `tss.tinyland.dev/stream` | 200, `noindex,nofollow` | Shadow surface only. | + +The hub manifests also report `publicFediverseDelivery:false`. The blog's +production-health suite passed its DNS, HTTPS, broker, and hydration checks. +That does not contradict the ActivityPub findings because those checks prove +display projection, not public Fediverse delivery. + +The live `tinyland.dev` deployment was still running a 2026-07-05 image during +this audit. Current `main` contains the terminal-404 note-route fix from pull +request #717, but the deployed image predates it. Linear issue TIN-2787 is +therefore source-complete and live-incomplete. + +The blog's current `main` CI was also red while production health was green. +The hosted lane passed, but two Playwright CV-link assertions failed in the +Bazel remote lane. This is a real test failure rather than a runner-death +signature, but it is unrelated to the healthy broker projection. Merge, +deployment, production health, and whole-repository CI are independent signals. + +## Ratified Decisions + +The following decisions have durable evidence: + +- **Hybrid ActivityPub gate (TIN-2511):** `admin.federation.deliver` is the + intended product authorization gate. Token and allowlist checks remain a + safety rail. +- **Tinyland user authority (TIN-2788):** Option A, the sanctioned admin-user + record/bootstrap path, was selected. Merging the bootstrap source did not + execute the attended runtime bootstrap. +- **Blog editorial taxonomy:** Pulse, noteworthy, and less-noteworthy are + reader and display strata. They are not auth, privacy, or delivery gates. +- **Blog architecture:** Tinyland content can project into the static blog; + the blog remains a reader/spoke rather than a durable write or ActivityPub + authority. +- **Pulse M1 boundary:** the completed milestone covers scaffold, static or + broker projection, and shadow behavior. It explicitly does not prove public + federation. + +The following were not ratified or not completed: + +- **TIN-2648 ActivityPub key custody:** the decision packet recommends a + hardened split, but remains in progress and unratified. Pull request #702 is + a draft decision packet, not an implemented custody system. +- **Public Fediverse delivery:** no live evidence demonstrates a signed post + reaching a real remote follower. +- **TIN-2731 key rotation:** the advertised pull-request key was not installed. + Its recorded private-key scratch artifact no longer exists. + +## Critical Contradiction Ledger + +| Prior claim or shorthand | Current evidence | Disposition | +| --- | --- | --- | +| "The blog is federated" | Blog and Pulse feeds are display projections; hub reports public delivery disabled. | Use "broker projection" unless remote signed delivery is proven. | +| "The blog is the AP authority" | WebFinger delegates the actor to the hub; the blog has no delivery or durable-write authority. | False. | +| "Workflow completed" means the product goal completed | Historical workflows include errored, blocked, and plan-only lanes. | Treat workflow status as orchestration status only. | +| A merged package fix is live | Content and invitation fixes were released, but mothership pins and deployment lagged. | Track release, adoption, deploy, and live proof separately. | +| TIN-2787 is done | Current source is fixed; current live wildcard request still self-redirects. | Reclassify as deploy-regressed or live-incomplete. | +| TIN-2786 blog detail is fixed in production | Package source/release exists; the live mothership detail URL is 404. | Live-incomplete. | +| TIN-2788 bootstrap merged means the user exists | Pull request #720 merged; the attended bootstrap was not run. | Runtime-incomplete. | +| TIN-2648 Option B is ratified | Linear is in progress; #702 says merge would be the ratification event. | False. | +| Pull request #719 is ready to merge | Its public key fingerprint differs from live; the only recorded matching private artifact is missing. | Unsafe. Generate a new pair under durable custody before updating public material. | +| Pull request #701 is the package-adoption keystone | Pull request #731 supersedes its package pins; only the shared rate-limit-store slice remains unique. | Extract or re-author the unique slice on the current base. Do not merge stale pins. | +| Pulse M1 completion means federation shipped | The milestone explicitly excludes real delivery. | False. | +| GitHub Pages is production | Cloudflare Pages is production; README prose says this, but one diagram still says GitHub Pages. | Fix the stale diagram. | +| tinyland.dev issue #664 proves current broker drift | Live production and hub broker slug sets both contain 140 posts. | Re-verify and close or rewrite the stale issue. | +| Runner cancellation proves a code failure | Several heavy jobs ended through ARC pod loss after prior steps passed. | Classify each run from job and step evidence before rerunning or debugging. | +| The blog WebFinger route resolves arbitrary actors | It ignores the requested resource and returns one fixed Jess delegation. | Describe it as fixed single-identity discovery. | +| #217 streams both live broker feeds | Its shadow route uses posts plus the checked Pulse snapshot. | Keep "shadow blended reader" wording; remove "live-streamed ingestion." | + +## Pull Request Disposition + +### Blog + +- **#217:** clean and green, but remains a shadow-only tiered reader and + blended stream experiment. Its pull-request body still says not to merge. + GitHub readiness does not override that product hold. Do not describe it as + production federation. +- **#216:** open, non-draft node-backend shadow spoke. Its description still + says draft/operator-gated, and its latest remote gate failed during REAPI + token mint while other checks were settling. Restore an accurate hold or + draft state before treating GitHub readiness as authorization. +- **#140 and #72:** stale drafts. Review for unique value before closing. +- **#75:** closed, superseded ActivityPub-shaped Pulse viewer. It never had + inbox processing, signatures, followers, delivery, or live fetch. Do not + revive it as evidence that federation was implemented. +- **#208:** merged and then reverted by #211 because the apex proxy was the + wrong architecture. Canceled tickets derived from that path do not count as + progress. + +### Mothership And Packages + +- **tinyland.dev #731:** current adoption candidate, but security-held by + atomic bootstrap, fail-closed RBAC, invitation principal binding, and + consumer-containment work. It must also be rebuilt for the planned auth 0.8 + and invitation 0.3 contracts. Its green CI is necessary but not sufficient. +- **tinyland.dev #701:** package adoption is superseded by #731. Preserve only + the unique shared rate-limit-store work and rebase it independently. +- **tinyland.dev #719:** hold. The proposed public key has no retained matching + private key in the recorded custody path. +- **tinyland.dev #721:** draft digest-safe staging deploy work. Treat it as + image/deploy durability, not federation completion. +- **tinyland.dev #702 / TIN-2648:** decision packet only; no ratification or + live custody implementation. +- **tinyland-auth #41 and #42, tinyland-invitation #12 and #14:** draft + security prerequisites for the adoption wave. +- **tinyland-auth #36:** draft productization documentation, not runtime work. + +## Federation Tracker Disposition + +- **tinyland.dev #93:** the ActivityPub epic remains open. Its checklist is + stale, but the remaining product goal is valid. +- **tinyland.dev #100:** Reply, Like, and Boost controls remain disabled across + several current-main surfaces. The issue is still reproducible. +- **tinyland.dev #116:** real interoperability remains open. There is no proof + packet showing a signed post delivered to an external follower. +- **TIN-1119:** its Done state covers a controlled projection boundary, not + public delivery. +- **TIN-2416:** the newer urgent delivery issue correctly keeps public + delivery disabled pending a live signed-peer proof. + +## Package Snapshot + +The registry contains these newer releases: + +- `tinyland-auth` 0.7.1 +- `tinyland-invitation` 0.2.5 +- `tinyland-content` 0.3.2 +- `tinyland-content-types` 0.3.1 +- `tinyland-security` 0.3.2 + +These are immutable Bazel-registry releases. They do not imply successful +publication through every other channel: + +- Invitation 0.2.5 failed its npm and GitHub publication jobs. +- Content 0.3.2 failed clean-tag validation on undeclared first-party imports, + so its publication was skipped. +- Auth 0.7.1 completed its GitHub publish workflow but was not present on + npmjs during this audit. + +The available GitHub credential lacks `read:packages`, so direct GitHub +Packages enumeration was not available. Workflow results and npmjs checks set +the claim boundary above. + +At audit time, mothership `main` still pinned older versions: content 0.2.5, +content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security 0.3.1. This is +the concrete release-versus-adoption gap. + +## Linear Reconciliation + +- The Mothership Beta/Prod initiative is the active implementation umbrella + and remains at risk. +- The ActivityPub federation and RBE initiative combines two independent + axes. Streaming/display progress must not be used as outbound-delivery + progress. +- Presence and Narrative is an umbrella. Current execution has moved to the + Mothership project. +- Pulse Lifecycle MVP is completed only at the M1/M1.5 projection and shadow + boundary. +- Databaseless Auth is marked complete for the historical package MVP. Current + production adoption belongs to the Mothership initiative. +- TIN-2649 is a duplicate of TIN-2716. +- TIN-2647 and TIN-2716 remain adoption/onboarding work. +- TIN-2731 remains in progress. +- TIN-2780 and TIN-2781 prove package source/release work, not mothership + adoption. +- TIN-2784 proves a source fix, not a live signed-Accept interop result. +- TIN-2786 and TIN-2787 have status language that is stronger than current + live behavior. + +Linear issues in this area do not use release associations. Release and +deployment truth currently live in prose and attachments, which makes status +conflation easier. + +## Prompt Queue Reconciliation + +`prompts-enqueue` is a prompt library, not product or runtime authority. Its +own operator notes say prompt completion does not prove product completion. + +| Prompt | Current use | Disposition | +| --- | --- | --- | +| 02 | Draft auth/identity work | Rebaseline before dispatch; version and blocker facts are stale. | +| 09 | Internal OTEL federation | Keep separate from ActivityPub; the word "federation" means telemetry aggregation here. | +| 10 | Historical mothership/federation program | Done and superseded by 67; preserve as history, do not dispatch. | +| 13 | Blog/Pulse spoke work | Architecture boundary is useful, but deployment and WebFinger details are stale. Rebaseline. | +| 48 | Draft workstream | Not dispatch-ready. | +| 51 | Read-side editorial projection | The read projection landed; the editor-to-PR write seam and live deploy remain planned/operator-gated. It is not outbound federation. | +| 67 | Running composite sprint | Rebaseline against current package versions, security holds, and live deployment before further dispatch. | + +The local `prompts-enqueue` checkout was behind its remote default branch +during this audit. Remote GitHub content was used for the current snapshot. + +## Shadow And Discovery Caveats + +- The blog WebFinger endpoint returns the same Jess JRD without inspecting the + requested `resource`. It is a fixed discovery delegate, not a general + resource-aware resolver. +- Pull request #217's shadow `/stream` prerenders from posts plus the checked + Pulse snapshot. It does not fetch both live broker endpoints. "Live-streamed + ingestion" is therefore too strong. +- The #217 pull-request event remains build-only. The current shadow deploy is + driven by pushes to the held branch. The pull-request description's + non-draft deployment explanation does not match the workflow trigger. +- Pulse `salience` and blog `editorial_tier` affect display ordering only. + During this audit the live blog posts and six live Pulse items were untiered. + +## Worktree And Branch Disposition + +No worktrees or branches were removed during this audit. + +Active and meaningful: + +- `shadow-ui` for blog #217. +- `ws5-node-shadow` for open, operator-gated blog #216. +- `footer-fix` for draft blog #140. + +Retired or prunable after one final unique-commit check: + +- Missing `/private/tmp/blog-frontdoor`, whose pull request #218 merged. +- `gates-retry` and `gates-serial`, whose pull requests #221 and #219 merged. +- Locked `.claude/worktrees/agent-a20e1e149a90f570d`, whose PID is gone and + branch equals current `main`. +- Historical `worktree-wf_*` branches that are already ancestors of `main` + and have no remote pull request. +- Merged-PR residue under several `codex/*`, `docs/*`, `feat/*`, `fix/*`, + `infra/*`, `jess/fix-*`, and `posts/*` branches. + +Operator classification required before cleanup: + +- `docs/apex-cf-pages-cutover-runbook`, `jess/activitypub-pulse-draft`, + `jess/vite8-native`, and `week-notes-indeterminism-spring`, which retain + unique commits despite supersession or retirement. +- `shadow-deploy/m1-foundation` and the TIN-596 branch, which have unique + unmerged commits and no current pull request. + +The unrelated untracked `workers/dns-guard/package-lock.json` was not touched. + +Branch retention is structural as well as historical. Automatic branch +deletion after merge is disabled across the audited repositories. No exact +duplicate branch tips were found; cleanup should use ancestry and pull-request +disposition rather than branch age alone. + +## Repository Inventory + +| Repository | Open PRs | Open issues | Branches | +| --- | ---: | ---: | ---: | +| `jesssullivan.github.io` | 4 | 1 | 26 | +| `tinyland.dev` | 23 | 40 | 119 | +| `tinyland-auth` | 3 | 0 | 14 | +| `tinyland-invitation` | 6 | 0 | 9 | +| `tinyland-content` | 0 | 1 | 6 | +| `bazel-registry` | 4 | 1 | 30 | + +These counts are a point-in-time inventory, not progress metrics. Open and +retained branches include explicit supersessions, security-held drafts, and +merged work whose branch was never automatically deleted. + +## Immediate Corrections + +1. Hold #719. Generate a new ActivityPub keypair only when durable private-key + custody and the atomic live/public-key cutover are ready. +2. Correct TIN-2731 and TIN-2648 language so unratified custody work cannot be + read as complete. +3. Reclassify TIN-2787 using the current deployed-image and live-307 evidence. +4. Keep #731 draft until its security prerequisite pull requests and consumer + containment checks are satisfied. +5. Extract #701's unique rate-limit-store slice onto the current package base; + do not land its stale package-adoption diff. +6. Rebaseline prompts 02, 13, and 67 before another orchestration wave. +7. Correct the README deployment diagram. The generated, ignored search index + was regenerated and matched the live 140-post set; it is not a committed + fixture and needs no source change. +8. Re-verify GitHub issue #664 against the matching 140-post live sets. +9. Add deployed commit/image identity to the relevant health surface so + source-complete and live-complete cannot be confused. +10. Add explicit source/release/adopt/deploy/runtime/live fields to the + Mothership acceptance records rather than encoding the chain in comments. + +## Known Audit Gap + +The available GitHub credential can read repositories and workflows but lacks +the `read:project` scope. GitHub Projects v2 could not be inspected. No auth +scope was changed during this audit. Project-board claims should remain +unverified until that read scope is available. diff --git a/src/routes/.well-known/webfinger/+server.ts b/src/routes/.well-known/webfinger/+server.ts index f6e5e4b..1757fd9 100644 --- a/src/routes/.well-known/webfinger/+server.ts +++ b/src/routes/.well-known/webfinger/+server.ts @@ -1,11 +1,12 @@ export const prerender = true; -// The blog (transscendsurvival.org) is NOT an ActivityPub authority. The apex -// must never present itself as one (TIN-1456 / TIN-1537). The canonical actor -// lives on the hub projection broker (hub.tinyland.dev), which owns the AP -// identity, inbox/outbox, and follower ledger. This JRD therefore delegates -// every AP-authority link to the hub actor; only the human-facing profile page -// stays on the blog domain. +// This is a prerendered, single-identity discovery document, not a general +// resource-aware WebFinger resolver. The blog (transscendsurvival.org) is NOT +// an ActivityPub authority and must never present itself as one (TIN-1456 / +// TIN-1537). The canonical actor lives on the hub projection broker +// (hub.tinyland.dev), which owns the AP identity, inbox/outbox, and follower +// ledger. This JRD therefore delegates every AP-authority link to the hub +// actor; only the human-facing profile page stays on the blog domain. const HUB_ACTOR = 'https://hub.tinyland.dev/@jesssullivan'; const HUB_AUTHORIZE_INTERACTION = 'https://hub.tinyland.dev/authorize_interaction?uri={uri}'; @@ -18,18 +19,18 @@ export const _WEBFINGER_RESPONSE = { { rel: 'self', type: 'application/activity+json', - href: HUB_ACTOR + href: HUB_ACTOR, }, { rel: 'http://webfinger.net/rel/profile-page', type: 'text/html', - href: 'https://transscendsurvival.org' + href: 'https://transscendsurvival.org', }, { rel: 'http://ostatus.org/schema/1.0/subscribe', - template: HUB_AUTHORIZE_INTERACTION - } - ] + template: HUB_AUTHORIZE_INTERACTION, + }, + ], }; export function GET() { @@ -37,7 +38,7 @@ export function GET() { headers: { 'Content-Type': 'application/jrd+json', 'Access-Control-Allow-Origin': '*', - 'Cache-Control': 'max-age=86400' - } + 'Cache-Control': 'max-age=86400', + }, }); } diff --git a/src/routes/.well-known/webfinger/webfinger.test.ts b/src/routes/.well-known/webfinger/webfinger.test.ts index 03714b3..8385048 100644 --- a/src/routes/.well-known/webfinger/webfinger.test.ts +++ b/src/routes/.well-known/webfinger/webfinger.test.ts @@ -1,5 +1,5 @@ import { describe, it, expect } from 'vitest'; -import { GET, _WEBFINGER_RESPONSE as WEBFINGER_RESPONSE } from './+server'; +import { GET, prerender, _WEBFINGER_RESPONSE as WEBFINGER_RESPONSE } from './+server'; /** * TIN-1456 / TIN-1537 doctrine: the blog apex is not an ActivityPub authority. @@ -8,6 +8,11 @@ import { GET, _WEBFINGER_RESPONSE as WEBFINGER_RESPONSE } from './+server'; * domain) must never appear as an `application/activity+json` self target. */ describe('blog webfinger JRD', () => { + it('is an intentionally prerendered single-identity delegate', () => { + expect(prerender).toBe(true); + expect(WEBFINGER_RESPONSE.subject).toBe('acct:jess@transscendsurvival.org'); + }); + it('delegates the AP self link to the hub actor, not the apex', () => { const self = WEBFINGER_RESPONSE.links.find((l) => l.rel === 'self'); expect(self?.type).toBe('application/activity+json'); @@ -18,7 +23,7 @@ describe('blog webfinger JRD', () => { const apRefs = [ WEBFINGER_RESPONSE.links.find((l) => l.rel === 'self')?.href, ...WEBFINGER_RESPONSE.aliases, - WEBFINGER_RESPONSE.links.find((l) => l.rel?.endsWith('subscribe'))?.template + WEBFINGER_RESPONSE.links.find((l) => l.rel?.endsWith('subscribe'))?.template, ].filter(Boolean) as string[]; for (const ref of apRefs) { expect(ref).not.toMatch(/https:\/\/tinyland\.dev\b/); @@ -28,9 +33,7 @@ describe('blog webfinger JRD', () => { }); it('keeps the human profile page on the blog domain', () => { - const profile = WEBFINGER_RESPONSE.links.find( - (l) => l.rel === 'http://webfinger.net/rel/profile-page' - ); + const profile = WEBFINGER_RESPONSE.links.find((l) => l.rel === 'http://webfinger.net/rel/profile-page'); expect(profile?.href).toBe('https://transscendsurvival.org'); }); From b595ac1d0c0bfb30afaf7841a450cceb57cbe635 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 09:09:04 -0400 Subject: [PATCH 02/20] docs: correct live federation evidence --- ...eration-truth-reconciliation-2026-07-14.md | 46 +++++++++++-------- src/routes/.well-known/webfinger/+server.ts | 9 ++-- 2 files changed, 32 insertions(+), 23 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 843c766..519075a 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -105,8 +105,8 @@ Observed on 2026-07-14: | --- | --- | --- | | `transscendsurvival.org/blog/week-notes-scroll-wheels-and-chasing-the-sun` | 200 | The production blog serves the post. | | `tinyland.dev/blog/week-notes-scroll-wheels-and-chasing-the-sun` | 404 | The mothership detail fix is not live. | -| `tinyland.dev/@jesssullivan/notes/2026-04-26-cardinals-before-dawn` with browser HTML Accept | 404 | Browser route does not resolve the note. | -| The same note with a generic Accept header | 307 to the identical URL | The deployed route still has the self-redirect bug. | +| `tinyland.dev/@jesssullivan/notes/2026-04-26-cardinals-before-dawn` with browser HTML Accept | 404 `User not found` | The redirect loop is absent, but user authority still does not resolve. | +| The same note with ActivityPub Accept | 404 `Author not found` | The redirect loop is absent, but actor/user authority still does not resolve. | | `tinyland.dev/@jesssullivan` with ActivityPub Accept | 200 | The mothership exposes an actor-shaped response. | | `tinyland.dev/@jesssullivan/outbox` | 404 | The mothership is not the working public outbox authority. | | `hub.tinyland.dev/@jesssullivan` with ActivityPub Accept | 200 | This is the delegated actor endpoint. | @@ -123,10 +123,12 @@ production-health suite passed its DNS, HTTPS, broker, and hydration checks. That does not contradict the ActivityPub findings because those checks prove display projection, not public Fediverse delivery. -The live `tinyland.dev` deployment was still running a 2026-07-05 image during -this audit. Current `main` contains the terminal-404 note-route fix from pull -request #717, but the deployed image predates it. Linear issue TIN-2787 is -therefore source-complete and live-incomplete. +A later live check during this audit observed a terminal 404 for both note +representations, with no `Location` header or 307 loop. That supports TIN-2787 +being Done for its narrow redirect-loop defect. It does not make the note route +live: `Author not found` and `User not found` are the remaining TIN-2788 +authority failure. The mothership blog-detail URL still returns `Blog post not +found`, so TIN-2786 remains live-incomplete. The blog's current `main` CI was also red while production health was green. The hosted lane passed, but two Playwright CV-link assertions failed in the @@ -171,7 +173,7 @@ The following were not ratified or not completed: | "The blog is the AP authority" | WebFinger delegates the actor to the hub; the blog has no delivery or durable-write authority. | False. | | "Workflow completed" means the product goal completed | Historical workflows include errored, blocked, and plan-only lanes. | Treat workflow status as orchestration status only. | | A merged package fix is live | Content and invitation fixes were released, but mothership pins and deployment lagged. | Track release, adoption, deploy, and live proof separately. | -| TIN-2787 is done | Current source is fixed; current live wildcard request still self-redirects. | Reclassify as deploy-regressed or live-incomplete. | +| TIN-2787 Done means the note route works | Current live requests terminate without the former 307 loop, but still return `Author not found` or `User not found`. | Keep TIN-2787 Done narrowly; route availability remains TIN-2788. | | TIN-2786 blog detail is fixed in production | Package source/release exists; the live mothership detail URL is 404. | Live-incomplete. | | TIN-2788 bootstrap merged means the user exists | Pull request #720 merged; the attended bootstrap was not run. | Runtime-incomplete. | | TIN-2648 Option B is ratified | Linear is in progress; #702 says merge would be the ratification event. | False. | @@ -179,7 +181,7 @@ The following were not ratified or not completed: | Pull request #701 is the package-adoption keystone | Pull request #731 supersedes its package pins; only the shared rate-limit-store slice remains unique. | Extract or re-author the unique slice on the current base. Do not merge stale pins. | | Pulse M1 completion means federation shipped | The milestone explicitly excludes real delivery. | False. | | GitHub Pages is production | Cloudflare Pages is production; README prose says this, but one diagram still says GitHub Pages. | Fix the stale diagram. | -| tinyland.dev issue #664 proves current broker drift | Live production and hub broker slug sets both contain 140 posts. | Re-verify and close or rewrite the stale issue. | +| tinyland.dev issue #664 proves current broker drift | The 140 published spoke slugs and 140 live broker slugs now match exactly. | Closed the one-shot alarm as resolved; a new drift needs new evidence. | | Runner cancellation proves a code failure | Several heavy jobs ended through ARC pod loss after prior steps passed. | Classify each run from job and step evidence before rerunning or debugging. | | The blog WebFinger route resolves arbitrary actors | It ignores the requested resource and returns one fixed Jess delegation. | Describe it as fixed single-identity discovery. | | #217 streams both live broker feeds | Its shadow route uses posts plus the checked Pulse snapshot. | Keep "shadow blended reader" wording; remove "live-streamed ingestion." | @@ -193,9 +195,10 @@ The following were not ratified or not completed: GitHub readiness does not override that product hold. Do not describe it as production federation. - **#216:** open, non-draft node-backend shadow spoke. Its description still - says draft/operator-gated, and its latest remote gate failed during REAPI - token mint while other checks were settling. Restore an accurate hold or - draft state before treating GitHub readiness as authorization. + says draft/operator-gated. Its latest remote gate passed token minting, then + ended during `Remote check` without a retained source diagnostic. Restore an + accurate hold or draft state before treating GitHub readiness as + authorization; do not attribute that red to token minting. - **#140 and #72:** stale drafts. Review for unique value before closing. - **#75:** closed, superseded ActivityPub-shaped Pulse viewer. It never had inbox processing, signatures, followers, delivery, or live fetch. Do not @@ -245,12 +248,15 @@ The registry contains these newer releases: - `tinyland-content-types` 0.3.1 - `tinyland-security` 0.3.2 -These are immutable Bazel-registry releases. They do not imply successful -publication through every other channel: +These are versioned, checksum-pinned Bazel-registry entries. They are not yet +an end-to-end immutability proof: TIN-2485's append-only registry guard remains +Backlog and TIN-2783's immutable GitHub Release enforcement remains In +Progress. The entries also do not imply successful publication through every +other channel: -- Invitation 0.2.5 failed its npm and GitHub publication jobs. +- Invitation 0.2.5 failed its npm and GitHub Packages publication jobs. - Content 0.3.2 failed clean-tag validation on undeclared first-party imports, - so its publication was skipped. + so its package publication was skipped. - Auth 0.7.1 completed its GitHub publish workflow but was not present on npmjs during this audit. @@ -281,8 +287,8 @@ the concrete release-versus-adoption gap. - TIN-2780 and TIN-2781 prove package source/release work, not mothership adoption. - TIN-2784 proves a source fix, not a live signed-Accept interop result. -- TIN-2786 and TIN-2787 have status language that is stronger than current - live behavior. +- TIN-2786 remains live-incomplete. TIN-2787 is correctly Done only for the + redirect loop; TIN-2788 owns the remaining live user/author-resolution 404. Linear issues in this area do not use release associations. Release and deployment truth currently live in prose and attachments, which makes status @@ -377,7 +383,8 @@ merged work whose branch was never automatically deleted. custody and the atomic live/public-key cutover are ready. 2. Correct TIN-2731 and TIN-2648 language so unratified custody work cannot be read as complete. -3. Reclassify TIN-2787 using the current deployed-image and live-307 evidence. +3. Keep TIN-2787 narrowly scoped to the resolved redirect loop; track the live + user/author-resolution 404 under TIN-2788. 4. Keep #731 draft until its security prerequisite pull requests and consumer containment checks are satisfied. 5. Extract #701's unique rate-limit-store slice onto the current package base; @@ -386,7 +393,8 @@ merged work whose branch was never automatically deleted. 7. Correct the README deployment diagram. The generated, ignored search index was regenerated and matched the live 140-post set; it is not a committed fixture and needs no source change. -8. Re-verify GitHub issue #664 against the matching 140-post live sets. +8. Keep the exact 140-to-140 slug parity proof attached to closed issue #664; + require a fresh alarm and delta before reopening drift work. 9. Add deployed commit/image identity to the relevant health surface so source-complete and live-complete cannot be confused. 10. Add explicit source/release/adopt/deploy/runtime/live fields to the diff --git a/src/routes/.well-known/webfinger/+server.ts b/src/routes/.well-known/webfinger/+server.ts index 1757fd9..2f2dbb4 100644 --- a/src/routes/.well-known/webfinger/+server.ts +++ b/src/routes/.well-known/webfinger/+server.ts @@ -3,10 +3,11 @@ export const prerender = true; // This is a prerendered, single-identity discovery document, not a general // resource-aware WebFinger resolver. The blog (transscendsurvival.org) is NOT // an ActivityPub authority and must never present itself as one (TIN-1456 / -// TIN-1537). The canonical actor lives on the hub projection broker -// (hub.tinyland.dev), which owns the AP identity, inbox/outbox, and follower -// ledger. This JRD therefore delegates every AP-authority link to the hub -// actor; only the human-facing profile page stays on the blog domain. +// TIN-1537). The canonical actor is designated on the hub projection broker +// (hub.tinyland.dev); the presence of inbox/outbox/follower-shaped endpoints +// is not itself delivery proof. This JRD therefore delegates every +// AP-authority link to the hub actor; only the human-facing profile page stays +// on the blog domain. const HUB_ACTOR = 'https://hub.tinyland.dev/@jesssullivan'; const HUB_AUTHORIZE_INTERACTION = 'https://hub.tinyland.dev/authorize_interaction?uri={uri}'; From d8c8f836d57c071e793b8b59088ac7154760703b Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 15:21:24 -0400 Subject: [PATCH 03/20] docs: tighten federation evidence ledger --- ...eration-truth-reconciliation-2026-07-14.md | 103 +++++++++++++----- 1 file changed, 75 insertions(+), 28 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 519075a..8299869 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -72,9 +72,10 @@ built and deployed and any required runtime state is installed. ### Hub: `hub.tinyland.dev` The hub currently serves dynamic blog and Pulse projection data and hosts the -delegated ActivityPub actor document. Its public metadata explicitly says -public Fediverse delivery is disabled. The actor outbox, followers, and -following collections are currently empty. +delegated ActivityPub actor document. The blog and AP demo manifests explicitly +say public Fediverse delivery is disabled; the Pulse snapshot exposes no +delivery-policy field. The actor outbox, followers, and following collections +are currently empty. An inbox accepting POST-shaped traffic and a valid actor document prove endpoint shape. They do not prove signed delivery, remote receipt, follower @@ -118,10 +119,12 @@ Observed on 2026-07-14: | `transscendsurvival.org/stream` | 404 | No production stream route. | | `tss.tinyland.dev/stream` | 200, `noindex,nofollow` | Shadow surface only. | -The hub manifests also report `publicFediverseDelivery:false`. The blog's -production-health suite passed its DNS, HTTPS, broker, and hydration checks. -That does not contradict the ActivityPub findings because those checks prove -display projection, not public Fediverse delivery. +The blog broker and AP demo manifests report +`publicFediverseDelivery:false`. The Pulse public snapshot carries no outbound +delivery-policy field; that absence is not evidence of enabled or disabled +delivery. The blog's production-health suite passed its DNS, HTTPS, broker, +and hydration checks. That does not contradict the ActivityPub findings +because those checks prove display projection, not public Fediverse delivery. A later live check during this audit observed a terminal 404 for both note representations, with no `Location` header or 307 loop. That supports TIN-2787 @@ -130,19 +133,33 @@ live: `Author not found` and `User not found` are the remaining TIN-2788 authority failure. The mothership blog-detail URL still returns `Blog post not found`, so TIN-2786 remains live-incomplete. -The blog's current `main` CI was also red while production health was green. -The hosted lane passed, but two Playwright CV-link assertions failed in the -Bazel remote lane. This is a real test failure rather than a runner-death -signature, but it is unrelated to the healthy broker projection. Merge, -deployment, production health, and whole-repository CI are independent signals. +The trusted `main` run after pull request #227 (run `29326131530`, commit +`6deec66`) was red while production health was green. Its hosted lane passed, +but `Remote check` launched six Tectonic actions into one cold resource cache; +relay fetches stalled while three otherwise unrelated test targets timed out. +This was a workflow-capacity defect, not a Playwright assertion failure or a +broker outage. Pull request #228 is the bounded shared-cache correction: +serial Tectonic warmup, one local Bazel action at a time, and one local test +action at a time inside the ARC runner container. Run `29352692909` +proved the first memory split too restrictive: the pod survived, but Bazel's +1024 MiB heap reached 5,854 of 5,858 actions and then threw a Java heap OOM. +Run `29357986080` reproduced the Bazel-heap failure at 1536 MiB while the live +runner remained below 3.6 GiB RSS. The corrected head assigns 2560 MiB to Bazel +and 1024 MiB to its one serialized Node action, and restarts the Bazel server +between workflow phases so retained analysis state cannot accumulate across +the entire job. The scheduled production-health workflow remained green on +the same base commit, including run `29347653781`. Merge, deployment, +production health, and whole-repository CI remain independent signals. ## Ratified Decisions The following decisions have durable evidence: - **Hybrid ActivityPub gate (TIN-2511):** `admin.federation.deliver` is the - intended product authorization gate. Token and allowlist checks remain a - safety rail. + ratified product authorization gate. Token and allowlist checks remain a + safety rail. This is policy truth, not current runtime wiring: TIN-2680 + records that `canDeliverPulseFederation` still has no production call site, + so the live worker remains handle-allowlist-gated. - **Tinyland user authority (TIN-2788):** Option A, the sanctioned admin-user record/bootstrap path, was selected. Merging the bootstrap source did not execute the attended runtime bootstrap. @@ -169,7 +186,7 @@ The following were not ratified or not completed: | Prior claim or shorthand | Current evidence | Disposition | | --- | --- | --- | -| "The blog is federated" | Blog and Pulse feeds are display projections; hub reports public delivery disabled. | Use "broker projection" unless remote signed delivery is proven. | +| "The blog is federated" | Blog and Pulse feeds are display projections. Blog and AP demo manifests report public delivery disabled; Pulse exposes no delivery-policy field. | Use "broker projection" unless remote signed delivery is proven. | | "The blog is the AP authority" | WebFinger delegates the actor to the hub; the blog has no delivery or durable-write authority. | False. | | "Workflow completed" means the product goal completed | Historical workflows include errored, blocked, and plan-only lanes. | Treat workflow status as orchestration status only. | | A merged package fix is live | Content and invitation fixes were released, but mothership pins and deployment lagged. | Track release, adoption, deploy, and live proof separately. | @@ -177,6 +194,7 @@ The following were not ratified or not completed: | TIN-2786 blog detail is fixed in production | Package source/release exists; the live mothership detail URL is 404. | Live-incomplete. | | TIN-2788 bootstrap merged means the user exists | Pull request #720 merged; the attended bootstrap was not run. | Runtime-incomplete. | | TIN-2648 Option B is ratified | Linear is in progress; #702 says merge would be the ratification event. | False. | +| TIN-1119 Done proves public ActivityPub delivery | Its own acceptance and latest substantive comments explicitly leave live peer delivery, follower custody, moderation, and operator proof open. | Status drift. Use urgent TIN-2416 as the active proof gate and do not infer completion from TIN-1119's state. | | Pull request #719 is ready to merge | Its public key fingerprint differs from live; the only recorded matching private artifact is missing. | Unsafe. Generate a new pair under durable custody before updating public material. | | Pull request #701 is the package-adoption keystone | Pull request #731 supersedes its package pins; only the shared rate-limit-store slice remains unique. | Extract or re-author the unique slice on the current base. Do not merge stale pins. | | Pulse M1 completion means federation shipped | The milestone explicitly excludes real delivery. | False. | @@ -190,15 +208,20 @@ The following were not ratified or not completed: ### Blog -- **#217:** clean and green, but remains a shadow-only tiered reader and - blended stream experiment. Its pull-request body still says not to merge. - GitHub readiness does not override that product hold. Do not describe it as - production federation. +- **#217:** remains a shadow-only tiered reader and blended stream experiment. + Its latest hosted/build checks passed, but the Bazel gate ended during + `Remote check` with no completed-step diagnostic; it is not currently green. + Its pull-request body also says not to merge. Neither a future green rerun + nor GitHub mergeability would override that product hold. Do not describe it + as production federation. - **#216:** open, non-draft node-backend shadow spoke. Its description still says draft/operator-gated. Its latest remote gate passed token minting, then ended during `Remote check` without a retained source diagnostic. Restore an accurate hold or draft state before treating GitHub readiness as authorization; do not attribute that red to token minting. +- **#224 and #225:** separate content/ops lanes, not federation completion + evidence. Their latest Bazel gates also ended mid-`Remote check` without a + completed-step diagnostic. - **#140 and #72:** stale drafts. Review for unique value before closing. - **#75:** closed, superseded ActivityPub-shaped Pulse viewer. It never had inbox processing, signatures, followers, delivery, or live fetch. Do not @@ -210,9 +233,11 @@ The following were not ratified or not completed: ### Mothership And Packages - **tinyland.dev #731:** current adoption candidate, but security-held by - atomic bootstrap, fail-closed RBAC, invitation principal binding, and - consumer-containment work. It must also be rebuilt for the planned auth 0.8 - and invitation 0.3 contracts. Its green CI is necessary but not sufficient. + atomic bootstrap (TIN-2821/TIN-2828/TIN-2829), fail-closed RBAC (TIN-2822), + invitation principal binding, visibility fail-close (TIN-2651/TIN-2656), + and consumer-containment work. It must also be rebuilt for the planned auth + 0.8 and invitation 0.3 contracts. Its green CI is necessary but not + sufficient. - **tinyland.dev #701:** package adoption is superseded by #731. Preserve only the unique shared rate-limit-store work and rebase it independently. - **tinyland.dev #719:** hold. The proposed public key has no retained matching @@ -233,10 +258,16 @@ The following were not ratified or not completed: several current-main surfaces. The issue is still reproducible. - **tinyland.dev #116:** real interoperability remains open. There is no proof packet showing a signed post delivered to an external follower. -- **TIN-1119:** its Done state covers a controlled projection boundary, not - public delivery. +- **TIN-1119:** its Done state contradicts its own still-open acceptance and + its latest substantive comments. Treat this as tracker drift, not as either + controlled-projection closure or public-delivery proof. - **TIN-2416:** the newer urgent delivery issue correctly keeps public delivery disabled pending a live signed-peer proof. +- **TIN-2644 and TIN-2645:** both remain urgent Backlog. The delivery, + moderation, and follower-Accept plane is still hardcoded to `jesssullivan`; + a second author cannot complete a live Follow/Accept/delivery round trip. +- **TIN-2680:** remains Backlog. The ratified role axis exists as a predicate + but is not called by the production worker path. ## Package Snapshot @@ -289,6 +320,13 @@ the concrete release-versus-adoption gap. - TIN-2784 proves a source fix, not a live signed-Accept interop result. - TIN-2786 remains live-incomplete. TIN-2787 is correctly Done only for the redirect loop; TIN-2788 owns the remaining live user/author-resolution 404. +- TIN-1119 is incorrectly Done relative to its own acceptance record. TIN-2416 + is the current urgent live-proof issue and remains In Progress. +- TIN-2644/TIN-2645 and TIN-2680 remain open, so neither multi-author delivery + nor the ratified role axis is live-complete. +- TIN-2822 and TIN-2828/TIN-2829 block the current adoption program with + fail-closed role translation and tenant-atomic bootstrap work. TIN-2651 + separately keeps second-author visibility behind a fail-closed content gate. Linear issues in this area do not use release associations. Release and deployment truth currently live in prose and attachments, which makes status @@ -332,16 +370,25 @@ No worktrees or branches were removed during this audit. Active and meaningful: +- `docs/content-federation-truth-20260714` for this audit (#226). +- `fix/gf-shared-cache-contract` for the bounded shared-cache correction + (#228). - `shadow-ui` for blog #217. - `ws5-node-shadow` for open, operator-gated blog #216. - `footer-fix` for draft blog #140. +- `blog-chore` for open blog #225 and `kvm-post` for open blog #224. These + are independently owned content/ops lanes, not federation cleanup residue. Retired or prunable after one final unique-commit check: - Missing `/private/tmp/blog-frontdoor`, whose pull request #218 merged. - `gates-retry` and `gates-serial`, whose pull requests #221 and #219 merged. -- Locked `.claude/worktrees/agent-a20e1e149a90f570d`, whose PID is gone and - branch equals current `main`. +- `gates-fix`, whose pull request #227 merged, and `gates-mem`, whose pull + request #229 closed after its unique safeguard was folded into #228. Remove + neither until #228 lands and one final unique-commit check passes. +- Locked `.claude/worktrees/agent-a20e1e149a90f570d`, whose recorded PID is + gone and whose branch tip is an ancestor of current `main` with no unique + commit. - Historical `worktree-wf_*` branches that are already ancestors of `main` and have no remote pull request. - Merged-PR residue under several `codex/*`, `docs/*`, `feat/*`, `fix/*`, @@ -366,8 +413,8 @@ disposition rather than branch age alone. | Repository | Open PRs | Open issues | Branches | | --- | ---: | ---: | ---: | -| `jesssullivan.github.io` | 4 | 1 | 26 | -| `tinyland.dev` | 23 | 40 | 119 | +| `jesssullivan.github.io` | 8 | 1 | 30 | +| `tinyland.dev` | 23 | 39 | 120 | | `tinyland-auth` | 3 | 0 | 14 | | `tinyland-invitation` | 6 | 0 | 9 | | `tinyland-content` | 0 | 1 | 6 | From aaaba8de4c099a03e0db7fd130dcb6754c581413 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 15:52:02 -0400 Subject: [PATCH 04/20] docs: refresh federation tracker state --- ...nt-federation-truth-reconciliation-2026-07-14.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 8299869..58c78a8 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -194,7 +194,7 @@ The following were not ratified or not completed: | TIN-2786 blog detail is fixed in production | Package source/release exists; the live mothership detail URL is 404. | Live-incomplete. | | TIN-2788 bootstrap merged means the user exists | Pull request #720 merged; the attended bootstrap was not run. | Runtime-incomplete. | | TIN-2648 Option B is ratified | Linear is in progress; #702 says merge would be the ratification event. | False. | -| TIN-1119 Done proves public ActivityPub delivery | Its own acceptance and latest substantive comments explicitly leave live peer delivery, follower custody, moderation, and operator proof open. | Status drift. Use urgent TIN-2416 as the active proof gate and do not infer completion from TIN-1119's state. | +| TIN-1119's former Done state proved public ActivityPub delivery | Its acceptance explicitly leaves live peer delivery, follower custody, moderation, and operator proof open; Linear reopened it to In Progress on 2026-07-14. | The status drift was corrected, not the capability. TIN-2416 remains the urgent proof gate. | | Pull request #719 is ready to merge | Its public key fingerprint differs from live; the only recorded matching private artifact is missing. | Unsafe. Generate a new pair under durable custody before updating public material. | | Pull request #701 is the package-adoption keystone | Pull request #731 supersedes its package pins; only the shared rate-limit-store slice remains unique. | Extract or re-author the unique slice on the current base. Do not merge stale pins. | | Pulse M1 completion means federation shipped | The milestone explicitly excludes real delivery. | False. | @@ -258,9 +258,9 @@ The following were not ratified or not completed: several current-main surfaces. The issue is still reproducible. - **tinyland.dev #116:** real interoperability remains open. There is no proof packet showing a signed post delivered to an external follower. -- **TIN-1119:** its Done state contradicts its own still-open acceptance and - its latest substantive comments. Treat this as tracker drift, not as either - controlled-projection closure or public-delivery proof. +- **TIN-1119:** Linear reopened it from Done to In Progress at 19:17 UTC on + 2026-07-14. Its live-delivery acceptance remains open; the state correction + is not public-delivery proof. - **TIN-2416:** the newer urgent delivery issue correctly keeps public delivery disabled pending a live signed-peer proof. - **TIN-2644 and TIN-2645:** both remain urgent Backlog. The delivery, @@ -320,8 +320,9 @@ the concrete release-versus-adoption gap. - TIN-2784 proves a source fix, not a live signed-Accept interop result. - TIN-2786 remains live-incomplete. TIN-2787 is correctly Done only for the redirect loop; TIN-2788 owns the remaining live user/author-resolution 404. -- TIN-1119 is incorrectly Done relative to its own acceptance record. TIN-2416 - is the current urgent live-proof issue and remains In Progress. +- TIN-1119 was reopened to In Progress after its Done-state drift was + corrected. TIN-2416 is the current urgent live-proof issue and also remains + In Progress. - TIN-2644/TIN-2645 and TIN-2680 remain open, so neither multi-author delivery nor the ratified role axis is live-complete. - TIN-2822 and TIN-2828/TIN-2829 block the current adoption program with From 284ec2887df9a04de3e87f0d84e042e89f274f04 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 15:53:58 -0400 Subject: [PATCH 05/20] docs: separate AP package adoption from delivery --- ...nt-federation-truth-reconciliation-2026-07-14.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 58c78a8..899fdb9 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -244,6 +244,9 @@ The following were not ratified or not completed: private key in the recorded custody path. - **tinyland.dev #721:** draft digest-safe staging deploy work. Treat it as image/deploy durability, not federation completion. +- **tinyland.dev #737 and #738:** draft citation and proof-runbook work for + TIN-2416. They correct the tracker path and define a future proof packet; + neither is a completed live signed-peer proof. - **tinyland.dev #702 / TIN-2648:** decision packet only; no ratification or live custody implementation. - **tinyland-auth #41 and #42, tinyland-invitation #12 and #14:** draft @@ -278,6 +281,7 @@ The registry contains these newer releases: - `tinyland-content` 0.3.2 - `tinyland-content-types` 0.3.1 - `tinyland-security` 0.3.2 +- `tinyland-activitypub` 0.3.1 These are versioned, checksum-pinned Bazel-registry entries. They are not yet an end-to-end immutability proof: TIN-2485's append-only registry guard remains @@ -295,9 +299,12 @@ The available GitHub credential lacks `read:packages`, so direct GitHub Packages enumeration was not available. Workflow results and npmjs checks set the claim boundary above. -At audit time, mothership `main` still pinned older versions: content 0.2.5, -content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security 0.3.1. This is -the concrete release-versus-adoption gap. +At audit time, mothership `main` already pinned `tinyland-activitypub` 0.3.1; +the registry marks 0.2.2 through 0.2.5 yanked because they defaulted actor and +object origins to the apex. That is a real source/release/registry/adoption +chain, but it still does not prove deployment or live delivery. Mothership +still pinned older versions for the other adoption wave: content 0.2.5, +content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security 0.3.1. ## Linear Reconciliation From f2f4bad64472235390e9f78e2bd1d19e789ea908 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 15:56:20 -0400 Subject: [PATCH 06/20] docs: refresh superseded AP issue state --- ...tent-federation-truth-reconciliation-2026-07-14.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 899fdb9..0ccb849 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -255,12 +255,15 @@ The following were not ratified or not completed: ## Federation Tracker Disposition -- **tinyland.dev #93:** the ActivityPub epic remains open. Its checklist is - stale, but the remaining product goal is valid. +- **tinyland.dev #93:** closed as not planned on 2026-07-14 because Linear now + owns the program. This is tracker supersession, not product completion; its + closing comment's TIN-1119 Done wording was superseded when Linear reopened + TIN-1119 thirteen minutes later. - **tinyland.dev #100:** Reply, Like, and Boost controls remain disabled across several current-main surfaces. The issue is still reproducible. -- **tinyland.dev #116:** real interoperability remains open. There is no proof - packet showing a signed post delivered to an external follower. +- **tinyland.dev #116:** also closed as not planned in favor of Linear + TIN-1429/TIN-2416. Its own closing record says the external Mastodon follow, + moderation/Accept decision, follower state, and proof packet remain open. - **TIN-1119:** Linear reopened it from Done to In Progress at 19:17 UTC on 2026-07-14. Its live-delivery acceptance remains open; the state correction is not public-delivery proof. From 9c0b08d57bbfda3833b4a0d974d9ee2dd40e0a84 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 16:00:21 -0400 Subject: [PATCH 07/20] docs: identify canonical federation initiatives --- docs/content-federation-truth-reconciliation-2026-07-14.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 0ccb849..44e9a36 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -316,6 +316,11 @@ content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security 0.3.1. - The ActivityPub federation and RBE initiative combines two independent axes. Streaming/display progress must not be used as outbound-delivery progress. +- Each of those initiatives has a completed duplicate parking record with a + near-identical name. The canonical Mothership initiative is + `d3995f72-f1a4-415d-818c-cde93df767d3`; the canonical AP/RBE initiative is + `28bd82da-48b0-41a4-bfcb-73e7d668a077`. Do not attach work to the completed + duplicates or read their completion as program completion. - Presence and Narrative is an umbrella. Current execution has moved to the Mothership project. - Pulse Lifecycle MVP is completed only at the M1/M1.5 projection and shadow From d20526d9162b899bbcc150bfb6c5cccb0067592e Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 16:07:35 -0400 Subject: [PATCH 08/20] docs: name package release channels --- docs/content-federation-truth-reconciliation-2026-07-14.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 44e9a36..e0cf2f2 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -298,6 +298,12 @@ other channel: - Auth 0.7.1 completed its GitHub publish workflow but was not present on npmjs during this audit. +A fresh public npmjs query found these package heads: auth 0.3.3, invitation +0.2.2, content 0.2.3, content-types 0.2.4, security 0.3.1, and ActivityPub +0.2.5. None matches the corresponding Bazel-registry head listed above. +"Released" therefore needs a named channel; a registry promotion is not an +npm publication. + The available GitHub credential lacks `read:packages`, so direct GitHub Packages enumeration was not available. Workflow results and npmjs checks set the claim boundary above. From 3e8ae146f813ca1a0c9d462c39b475c4c61d20a2 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 17:06:19 -0400 Subject: [PATCH 09/20] docs: close federation audit review gaps --- ...eration-truth-reconciliation-2026-07-14.md | 94 +++++++++++++------ .../.well-known/webfinger/webfinger.test.ts | 5 +- 2 files changed, 66 insertions(+), 33 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index e0cf2f2..92ace9f 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -84,8 +84,8 @@ lifecycle, or moderation behavior. ### Package Repositories And Registry `tinyland-auth`, `tinyland-invitation`, `tinyland-content`, -`tinyland-content-types`, and `tinyland-security` are reusable source and -release authorities. The registry repository is +`tinyland-content-types`, `tinyland-security`, and `tinyland-activitypub` are +reusable source and release authorities. The registry repository is `tinyland-inc/bazel-registry`. A package release is not mothership adoption. A mothership pin is not a @@ -147,9 +147,17 @@ Run `29357986080` reproduced the Bazel-heap failure at 1536 MiB while the live runner remained below 3.6 GiB RSS. The corrected head assigns 2560 MiB to Bazel and 1024 MiB to its one serialized Node action, and restarts the Bazel server between workflow phases so retained analysis state cannot accumulate across -the entire job. The scheduled production-health workflow remained green on -the same base commit, including run `29347653781`. Merge, deployment, -production health, and whole-repository CI remain independent signals. +the entire job. Capacity run `29359644809` then passed every phase in 45m22s; +the complete runner pod peaked at 6,640 MiB and fell below 1 GiB after Bazel +shutdown. Exact-head run `29362660354` passed every required check on commit +`7a4cfcd`, including the initial substrate attachment, four phase-local +credential refreshes, and all 330 Playwright cases. Pull request #228 merged +that head as commit `a97ce361`. Its trusted-`main` run `29364671782` then +passed hosted build, substrate-boundary, and the complete remote gate on the +merge commit, exercising the separate cache-write path through check, test, +and e2e. The scheduled production-health workflow remained green on the prior +base commit, including run `29347653781`. Merge, deployment, production +health, and whole-repository CI remain independent signals. ## Ratified Decisions @@ -179,8 +187,14 @@ The following were not ratified or not completed: a draft decision packet, not an implemented custody system. - **Public Fediverse delivery:** no live evidence demonstrates a signed post reaching a real remote follower. -- **TIN-2731 key rotation:** the advertised pull-request key was not installed. - Its recorded private-key scratch artifact no longer exists. +- **TIN-2731 key rotation:** normalized SPKI SHA-256 comparison found pull + request #719's proposed public key + (`5f9279a949939b0e7b53bf28f1520191875258714deffd0a71523b58d84d48ac`) + differs from the live actor key + (`cd4a49fe889ffa997ec0100a8bfa3cbeebefd815c131c4c1550af25fb5b53737`). + The audit did not inspect private material, and the recorded session-only + scratch custody could not be verified. Hold the rotation until matching + private custody and an atomic cutover are established. ## Critical Contradiction Ledger @@ -195,10 +209,10 @@ The following were not ratified or not completed: | TIN-2788 bootstrap merged means the user exists | Pull request #720 merged; the attended bootstrap was not run. | Runtime-incomplete. | | TIN-2648 Option B is ratified | Linear is in progress; #702 says merge would be the ratification event. | False. | | TIN-1119's former Done state proved public ActivityPub delivery | Its acceptance explicitly leaves live peer delivery, follower custody, moderation, and operator proof open; Linear reopened it to In Progress on 2026-07-14. | The status drift was corrected, not the capability. TIN-2416 remains the urgent proof gate. | -| Pull request #719 is ready to merge | Its public key fingerprint differs from live; the only recorded matching private artifact is missing. | Unsafe. Generate a new pair under durable custody before updating public material. | +| Pull request #719 is ready to merge | Its normalized public-key fingerprint differs from live, and matching private custody was not verifiable from the recorded session-only handoff. | Unsafe. Prove durable matching custody and an atomic cutover; generate a new pair if that proof cannot be recovered. | | Pull request #701 is the package-adoption keystone | Pull request #731 supersedes its package pins; only the shared rate-limit-store slice remains unique. | Extract or re-author the unique slice on the current base. Do not merge stale pins. | | Pulse M1 completion means federation shipped | The milestone explicitly excludes real delivery. | False. | -| GitHub Pages is production | Cloudflare Pages is production; README prose says this, but one diagram still says GitHub Pages. | Fix the stale diagram. | +| GitHub Pages is production | Cloudflare Pages is production; this audit corrects the stale README diagram while preserving GitHub Pages as rollback. | False. Keep the diagram, runbook, and declared DNS posture aligned. | | tinyland.dev issue #664 proves current broker drift | The 140 published spoke slugs and 140 live broker slugs now match exactly. | Closed the one-shot alarm as resolved; a new drift needs new evidence. | | Runner cancellation proves a code failure | Several heavy jobs ended through ARC pod loss after prior steps passed. | Classify each run from job and step evidence before rerunning or debugging. | | The blog WebFinger route resolves arbitrary actors | It ignores the requested resource and returns one fixed Jess delegation. | Describe it as fixed single-identity discovery. | @@ -208,6 +222,9 @@ The following were not ratified or not completed: ### Blog +- **#228:** merged after exact-head CI proved the bounded shared-cache contract + and all browser tests. Its separate trusted-`main` run passed and is the + cache-write proof; the pull-request run alone did not exercise that path. - **#217:** remains a shadow-only tiered reader and blended stream experiment. Its latest hosted/build checks passed, but the Bazel gate ended during `Remote check` with no completed-step diagnostic; it is not currently green. @@ -240,8 +257,9 @@ The following were not ratified or not completed: sufficient. - **tinyland.dev #701:** package adoption is superseded by #731. Preserve only the unique shared rate-limit-store work and rebase it independently. -- **tinyland.dev #719:** hold. The proposed public key has no retained matching - private key in the recorded custody path. +- **tinyland.dev #719:** hold. The proposed public-key fingerprint differs from + live, and the audit could not verify matching private custody from the + session-only handoff. No private key was read during this comparison. - **tinyland.dev #721:** draft digest-safe staging deploy work. Treat it as image/deploy durability, not federation completion. - **tinyland.dev #737 and #738:** draft citation and proof-runbook work for @@ -277,7 +295,7 @@ The following were not ratified or not completed: ## Package Snapshot -The registry contains these newer releases: +The Bazel registry contains these newer entries: - `tinyland-auth` 0.7.1 - `tinyland-invitation` 0.2.5 @@ -308,12 +326,14 @@ The available GitHub credential lacks `read:packages`, so direct GitHub Packages enumeration was not available. Workflow results and npmjs checks set the claim boundary above. -At audit time, mothership `main` already pinned `tinyland-activitypub` 0.3.1; -the registry marks 0.2.2 through 0.2.5 yanked because they defaulted actor and -object origins to the apex. That is a real source/release/registry/adoption -chain, but it still does not prove deployment or live delivery. Mothership -still pinned older versions for the other adoption wave: content 0.2.5, -content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security 0.3.1. +At audit time, `tinyland-activitypub` had source on its default branch, a +published GitHub Release `v0.3.1`, a Bazel-registry 0.3.1 entry, and a 0.3.1 +pin on mothership `main`. The registry marks 0.2.2 through 0.2.5 yanked because +they defaulted actor and object origins to the apex. That named-channel chain +still does not prove deployment or live delivery; public npm remained at +0.2.5. Mothership still pinned older versions for the other adoption wave: +content 0.2.5, content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security +0.3.1. ## Linear Reconciliation @@ -388,29 +408,33 @@ during this audit. Remote GitHub content was used for the current snapshot. ## Worktree And Branch Disposition -No worktrees or branches were removed during this audit. +The audit-owned `/private/tmp/blog-gf-cache-reconcile` worktree was removed +after #228 merged, its checkout was clean, and its exact HEAD matched the +merged pull-request head. No branch was deleted. No operator-owned or unrelated +agent worktree was modified. Active and meaningful: - `docs/content-federation-truth-20260714` for this audit (#226). -- `fix/gf-shared-cache-contract` for the bounded shared-cache correction - (#228). - `shadow-ui` for blog #217. - `ws5-node-shadow` for open, operator-gated blog #216. - `footer-fix` for draft blog #140. - `blog-chore` for open blog #225 and `kvm-post` for open blog #224. These are independently owned content/ops lanes, not federation cleanup residue. +Worktree presence is not pull-request authority. The `blog-chore` and +`kvm-post` checkouts track `origin/main` instead of their actual remote +branches; both actual branches are two commits ahead of the local checkout. +`ws5-node-shadow` correctly tracks its remote branch but is also two commits +behind. Those independently owned lanes were reported, not rewritten. + Retired or prunable after one final unique-commit check: - Missing `/private/tmp/blog-frontdoor`, whose pull request #218 merged. - `gates-retry` and `gates-serial`, whose pull requests #221 and #219 merged. - `gates-fix`, whose pull request #227 merged, and `gates-mem`, whose pull - request #229 closed after its unique safeguard was folded into #228. Remove - neither until #228 lands and one final unique-commit check passes. -- Locked `.claude/worktrees/agent-a20e1e149a90f570d`, whose recorded PID is - gone and whose branch tip is an ancestor of current `main` with no unique - commit. + request #229 closed after its unique safeguard was folded into #228. They + remain untouched pending an owner-side final unique-commit check. - Historical `worktree-wf_*` branches that are already ancestors of `main` and have no remote pull request. - Merged-PR residue under several `codex/*`, `docs/*`, `feat/*`, `fix/*`, @@ -418,6 +442,9 @@ Retired or prunable after one final unique-commit check: Operator classification required before cleanup: +- `.claude/worktrees/agent-a20e1e149a90f570d` was inspected only because the + user explicitly requested a worktree audit. It remains agent-owned and is + neither classified nor authorized for cleanup here. - `docs/apex-cf-pages-cutover-runbook`, `jess/activitypub-pulse-draft`, `jess/vite8-native`, and `week-notes-indeterminism-spring`, which retain unique commits despite supersession or retirement. @@ -435,11 +462,14 @@ disposition rather than branch age alone. | Repository | Open PRs | Open issues | Branches | | --- | ---: | ---: | ---: | -| `jesssullivan.github.io` | 8 | 1 | 30 | -| `tinyland.dev` | 23 | 39 | 120 | +| `jesssullivan.github.io` | 7 | 1 | 30 | +| `tinyland.dev` | 25 | 37 | 122 | | `tinyland-auth` | 3 | 0 | 14 | | `tinyland-invitation` | 6 | 0 | 9 | | `tinyland-content` | 0 | 1 | 6 | +| `tinyland-content-types` | 0 | 0 | 5 | +| `tinyland-security` | 4 | 0 | 8 | +| `tinyland-activitypub` | 0 | 0 | 4 | | `bazel-registry` | 4 | 1 | 30 | These counts are a point-in-time inventory, not progress metrics. Open and @@ -448,8 +478,9 @@ merged work whose branch was never automatically deleted. ## Immediate Corrections -1. Hold #719. Generate a new ActivityPub keypair only when durable private-key - custody and the atomic live/public-key cutover are ready. +1. Hold #719. Prove durable private custody matching the proposed public key + and prepare an atomic live/public-key cutover. Generate a new pair only if + that matching custody cannot be recovered. 2. Correct TIN-2731 and TIN-2648 language so unratified custody work cannot be read as complete. 3. Keep TIN-2787 narrowly scoped to the resolved redirect loop; track the live @@ -459,7 +490,8 @@ merged work whose branch was never automatically deleted. 5. Extract #701's unique rate-limit-store slice onto the current package base; do not land its stale package-adoption diff. 6. Rebaseline prompts 02, 13, and 67 before another orchestration wave. -7. Correct the README deployment diagram. The generated, ignored search index +7. Keep the corrected README deployment diagram aligned with Cloudflare Pages + production and GitHub Pages rollback. The generated, ignored search index was regenerated and matched the live 140-post set; it is not a committed fixture and needs no source change. 8. Keep the exact 140-to-140 slug parity proof attached to closed issue #664; diff --git a/src/routes/.well-known/webfinger/webfinger.test.ts b/src/routes/.well-known/webfinger/webfinger.test.ts index 8385048..6555ca9 100644 --- a/src/routes/.well-known/webfinger/webfinger.test.ts +++ b/src/routes/.well-known/webfinger/webfinger.test.ts @@ -4,8 +4,9 @@ import { GET, prerender, _WEBFINGER_RESPONSE as WEBFINGER_RESPONSE } from './+se /** * TIN-1456 / TIN-1537 doctrine: the blog apex is not an ActivityPub authority. * Every AP-authority link (self, aliases, subscribe) must delegate to the hub - * projection broker (hub.tinyland.dev); the apex (tinyland.dev / the blog - * domain) must never appear as an `application/activity+json` self target. + * projection broker (hub.tinyland.dev). Neither the mothership apex + * (tinyland.dev) nor the blog apex (transscendsurvival.org) may appear as an + * `application/activity+json` self target. */ describe('blog webfinger JRD', () => { it('is an intentionally prerendered single-identity delegate', () => { From 27c3b08a29353dd9a85b5b644a3f0ad2741bc12c Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 18:48:15 -0400 Subject: [PATCH 10/20] docs: fail closed on federation discovery claims --- ...eration-truth-reconciliation-2026-07-14.md | 18 ++++++++----- src/routes/.well-known/webfinger/+server.ts | 26 ++++++++----------- .../.well-known/webfinger/webfinger.test.ts | 18 +++++-------- 3 files changed, 29 insertions(+), 33 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 92ace9f..249bb44 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -54,9 +54,10 @@ no-JavaScript behavior, rollback data, and regression fixtures. The Tinyland blog and Pulse broker feeds hydrate or add display data. It is not the durable Tinyland write authority, the Tinyland auth authority, -or the public ActivityPub delivery authority. Its WebFinger response delegates -the ActivityPub actor to `hub.tinyland.dev`; delegation does not make the blog -the actor host. +or the public ActivityPub delivery authority. Its current prerendered +WebFinger file points at `hub.tinyland.dev`, but it ignores the required +`resource` query parameter. That is not a standards-compliant resolver and +does not make either the blog or the static file an ActivityPub authority. The additive merge in `src/routes/blog` means a broker omission does not delete a checked-in post. A broker-only post can render through the broker @@ -201,7 +202,7 @@ The following were not ratified or not completed: | Prior claim or shorthand | Current evidence | Disposition | | --- | --- | --- | | "The blog is federated" | Blog and Pulse feeds are display projections. Blog and AP demo manifests report public delivery disabled; Pulse exposes no delivery-policy field. | Use "broker projection" unless remote signed delivery is proven. | -| "The blog is the AP authority" | WebFinger delegates the actor to the hub; the blog has no delivery or durable-write authority. | False. | +| "The blog is the AP authority" | The blog has no delivery or durable-write authority. Its static WebFinger file points at the hub but is not resource-aware. | False. | | "Workflow completed" means the product goal completed | Historical workflows include errored, blocked, and plan-only lanes. | Treat workflow status as orchestration status only. | | A merged package fix is live | Content and invitation fixes were released, but mothership pins and deployment lagged. | Track release, adoption, deploy, and live proof separately. | | TIN-2787 Done means the note route works | Current live requests terminate without the former 307 loop, but still return `Author not found` or `User not found`. | Keep TIN-2787 Done narrowly; route availability remains TIN-2788. | @@ -215,7 +216,7 @@ The following were not ratified or not completed: | GitHub Pages is production | Cloudflare Pages is production; this audit corrects the stale README diagram while preserving GitHub Pages as rollback. | False. Keep the diagram, runbook, and declared DNS posture aligned. | | tinyland.dev issue #664 proves current broker drift | The 140 published spoke slugs and 140 live broker slugs now match exactly. | Closed the one-shot alarm as resolved; a new drift needs new evidence. | | Runner cancellation proves a code failure | Several heavy jobs ended through ARC pod loss after prior steps passed. | Classify each run from job and step evidence before rerunning or debugging. | -| The blog WebFinger route resolves arbitrary actors | It ignores the requested resource and returns one fixed Jess delegation. | Describe it as fixed single-identity discovery. | +| The blog WebFinger route is a valid fixed single-user resolver | It ignores the required `resource` parameter, returns Jess for missing and foreign resources, and cannot vary by query while prerendered. RFC 7033 requires 400 for an absent or malformed resource and 404 for an unknown resource. | False. TIN-2880 tracks a query-aware fail-closed edge handler or removal of the advertised discovery surface. | | #217 streams both live broker feeds | Its shadow route uses posts plus the checked Pulse snapshot. | Keep "shadow blended reader" wording; remove "live-streamed ingestion." | ## Pull Request Disposition @@ -395,8 +396,11 @@ during this audit. Remote GitHub content was used for the current snapshot. ## Shadow And Discovery Caveats - The blog WebFinger endpoint returns the same Jess JRD without inspecting the - requested `resource`. It is a fixed discovery delegate, not a general - resource-aware resolver. + requested `resource`. This is not merely a single-user limitation: it fails + RFC 7033's required 400 response for a missing or malformed resource and 404 + response for an unknown resource. The static route needs a query-aware edge + replacement or removal under TIN-2880 before the blog can claim valid + WebFinger discovery. - Pull request #217's shadow `/stream` prerenders from posts plus the checked Pulse snapshot. It does not fetch both live broker endpoints. "Live-streamed ingestion" is therefore too strong. diff --git a/src/routes/.well-known/webfinger/+server.ts b/src/routes/.well-known/webfinger/+server.ts index 2f2dbb4..5d95fff 100644 --- a/src/routes/.well-known/webfinger/+server.ts +++ b/src/routes/.well-known/webfinger/+server.ts @@ -1,13 +1,9 @@ export const prerender = true; -// This is a prerendered, single-identity discovery document, not a general -// resource-aware WebFinger resolver. The blog (transscendsurvival.org) is NOT -// an ActivityPub authority and must never present itself as one (TIN-1456 / -// TIN-1537). The canonical actor is designated on the hub projection broker -// (hub.tinyland.dev); the presence of inbox/outbox/follower-shaped endpoints -// is not itself delivery proof. This JRD therefore delegates every -// AP-authority link to the hub actor; only the human-facing profile page stays -// on the blog domain. +// This prerendered fallback cannot inspect WebFinger's required `resource` +// query parameter and is not a standards-compliant resolver (TIN-2880). The +// blog is not an ActivityPub authority (TIN-1456 / TIN-1537). The JRD points +// at the hub actor projection; endpoint shape is not delivery proof. const HUB_ACTOR = 'https://hub.tinyland.dev/@jesssullivan'; const HUB_AUTHORIZE_INTERACTION = 'https://hub.tinyland.dev/authorize_interaction?uri={uri}'; @@ -20,18 +16,18 @@ export const _WEBFINGER_RESPONSE = { { rel: 'self', type: 'application/activity+json', - href: HUB_ACTOR, + href: HUB_ACTOR }, { rel: 'http://webfinger.net/rel/profile-page', type: 'text/html', - href: 'https://transscendsurvival.org', + href: 'https://transscendsurvival.org' }, { rel: 'http://ostatus.org/schema/1.0/subscribe', - template: HUB_AUTHORIZE_INTERACTION, - }, - ], + template: HUB_AUTHORIZE_INTERACTION + } + ] }; export function GET() { @@ -39,7 +35,7 @@ export function GET() { headers: { 'Content-Type': 'application/jrd+json', 'Access-Control-Allow-Origin': '*', - 'Cache-Control': 'max-age=86400', - }, + 'Cache-Control': 'max-age=86400' + } }); } diff --git a/src/routes/.well-known/webfinger/webfinger.test.ts b/src/routes/.well-known/webfinger/webfinger.test.ts index 6555ca9..03714b3 100644 --- a/src/routes/.well-known/webfinger/webfinger.test.ts +++ b/src/routes/.well-known/webfinger/webfinger.test.ts @@ -1,19 +1,13 @@ import { describe, it, expect } from 'vitest'; -import { GET, prerender, _WEBFINGER_RESPONSE as WEBFINGER_RESPONSE } from './+server'; +import { GET, _WEBFINGER_RESPONSE as WEBFINGER_RESPONSE } from './+server'; /** * TIN-1456 / TIN-1537 doctrine: the blog apex is not an ActivityPub authority. * Every AP-authority link (self, aliases, subscribe) must delegate to the hub - * projection broker (hub.tinyland.dev). Neither the mothership apex - * (tinyland.dev) nor the blog apex (transscendsurvival.org) may appear as an - * `application/activity+json` self target. + * projection broker (hub.tinyland.dev); the apex (tinyland.dev / the blog + * domain) must never appear as an `application/activity+json` self target. */ describe('blog webfinger JRD', () => { - it('is an intentionally prerendered single-identity delegate', () => { - expect(prerender).toBe(true); - expect(WEBFINGER_RESPONSE.subject).toBe('acct:jess@transscendsurvival.org'); - }); - it('delegates the AP self link to the hub actor, not the apex', () => { const self = WEBFINGER_RESPONSE.links.find((l) => l.rel === 'self'); expect(self?.type).toBe('application/activity+json'); @@ -24,7 +18,7 @@ describe('blog webfinger JRD', () => { const apRefs = [ WEBFINGER_RESPONSE.links.find((l) => l.rel === 'self')?.href, ...WEBFINGER_RESPONSE.aliases, - WEBFINGER_RESPONSE.links.find((l) => l.rel?.endsWith('subscribe'))?.template, + WEBFINGER_RESPONSE.links.find((l) => l.rel?.endsWith('subscribe'))?.template ].filter(Boolean) as string[]; for (const ref of apRefs) { expect(ref).not.toMatch(/https:\/\/tinyland\.dev\b/); @@ -34,7 +28,9 @@ describe('blog webfinger JRD', () => { }); it('keeps the human profile page on the blog domain', () => { - const profile = WEBFINGER_RESPONSE.links.find((l) => l.rel === 'http://webfinger.net/rel/profile-page'); + const profile = WEBFINGER_RESPONSE.links.find( + (l) => l.rel === 'http://webfinger.net/rel/profile-page' + ); expect(profile?.href).toBe('https://transscendsurvival.org'); }); From 3b62e3af9e0c86224cfe586c7833d066991aaf5f Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 19:08:05 -0400 Subject: [PATCH 11/20] docs: reconcile federation tracker authority --- ...eration-truth-reconciliation-2026-07-14.md | 28 +++++++++++-------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 249bb44..53e38d1 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -209,7 +209,8 @@ The following were not ratified or not completed: | TIN-2786 blog detail is fixed in production | Package source/release exists; the live mothership detail URL is 404. | Live-incomplete. | | TIN-2788 bootstrap merged means the user exists | Pull request #720 merged; the attended bootstrap was not run. | Runtime-incomplete. | | TIN-2648 Option B is ratified | Linear is in progress; #702 says merge would be the ratification event. | False. | -| TIN-1119's former Done state proved public ActivityPub delivery | Its acceptance explicitly leaves live peer delivery, follower custody, moderation, and operator proof open; Linear reopened it to In Progress on 2026-07-14. | The status drift was corrected, not the capability. TIN-2416 remains the urgent proof gate. | +| TIN-1119's Done state proves public ActivityPub delivery | Its acceptance explicitly leaves live peer delivery, follower custody, moderation, and operator proof open. On 2026-07-14 it was returned to Done only as a superseded planning record, with a banner stating that its acceptance was not met. | False. TIN-2416 is the sole urgent proof gate. | +| Tailnet-valued `ORIGIN` / `PUBLIC_BASE_URL` prove AP identity drift | AP builders use the separate `TINYLAND_FEDERATION_ORIGIN` contract, and the live actor advertises hub-only IDs. The confirmed public defect is stale `stonewallunderground.com` output from `tinyland.dev`'s static sitemap and robots files. | Narrowed under TIN-2874; do not block the AP proof on an unobserved identity failure. | | Pull request #719 is ready to merge | Its normalized public-key fingerprint differs from live, and matching private custody was not verifiable from the recorded session-only handoff. | Unsafe. Prove durable matching custody and an atomic cutover; generate a new pair if that proof cannot be recovered. | | Pull request #701 is the package-adoption keystone | Pull request #731 supersedes its package pins; only the shared rate-limit-store slice remains unique. | Extract or re-author the unique slice on the current base. Do not merge stale pins. | | Pulse M1 completion means federation shipped | The milestone explicitly excludes real delivery. | False. | @@ -264,8 +265,11 @@ The following were not ratified or not completed: - **tinyland.dev #721:** draft digest-safe staging deploy work. Treat it as image/deploy durability, not federation completion. - **tinyland.dev #737 and #738:** draft citation and proof-runbook work for - TIN-2416. They correct the tracker path and define a future proof packet; - neither is a completed live signed-peer proof. + TIN-2416. #737 still leaves a current glossary citation and a misleading + test title. #738 is not executable as written: the advertised inbox reaches + the generic handler rather than the follower-store/moderation proof plane, + and its fingerprint command does not compare normalized SPKI DER. Neither + draft is merged behavior or a completed live signed-peer proof. - **tinyland.dev #702 / TIN-2648:** decision packet only; no ratification or live custody implementation. - **tinyland-auth #41 and #42, tinyland-invitation #12 and #14:** draft @@ -276,18 +280,21 @@ The following were not ratified or not completed: - **tinyland.dev #93:** closed as not planned on 2026-07-14 because Linear now owns the program. This is tracker supersession, not product completion; its - closing comment's TIN-1119 Done wording was superseded when Linear reopened - TIN-1119 thirteen minutes later. + closing comment's TIN-1119 Done wording is true only for tracker disposition, + not for the issue's unmet acceptance criteria. - **tinyland.dev #100:** Reply, Like, and Boost controls remain disabled across several current-main surfaces. The issue is still reproducible. - **tinyland.dev #116:** also closed as not planned in favor of Linear TIN-1429/TIN-2416. Its own closing record says the external Mastodon follow, moderation/Accept decision, follower state, and proof packet remain open. -- **TIN-1119:** Linear reopened it from Done to In Progress at 19:17 UTC on - 2026-07-14. Its live-delivery acceptance remains open; the state correction - is not public-delivery proof. +- **TIN-1119:** Done only as a superseded planning record. Its description now + explicitly says the live-delivery acceptance was not met and points at + TIN-2416 as the sole execution gate. - **TIN-2416:** the newer urgent delivery issue correctly keeps public delivery disabled pending a live signed-peer proof. +- **AP Federation Phase 1:** off track for its 2026-07-15 target. The project + still has six Backlog issues and no replacement date was invented during + this audit. - **TIN-2644 and TIN-2645:** both remain urgent Backlog. The delivery, moderation, and follower-Accept plane is still hardcoded to `jesssullivan`; a second author cannot complete a live Follow/Accept/delivery round trip. @@ -362,9 +369,8 @@ content 0.2.5, content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security - TIN-2784 proves a source fix, not a live signed-Accept interop result. - TIN-2786 remains live-incomplete. TIN-2787 is correctly Done only for the redirect loop; TIN-2788 owns the remaining live user/author-resolution 404. -- TIN-1119 was reopened to In Progress after its Done-state drift was - corrected. TIN-2416 is the current urgent live-proof issue and also remains - In Progress. +- TIN-1119 is Done only as a superseded tracker with unmet acceptance. + TIN-2416 is the current urgent live-proof issue and remains In Progress. - TIN-2644/TIN-2645 and TIN-2680 remain open, so neither multi-author delivery nor the ratified role axis is live-complete. - TIN-2822 and TIN-2828/TIN-2829 block the current adoption program with From 82dd4f90018b4c44de9ebb368d6ef5aa38209426 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 19:32:25 -0400 Subject: [PATCH 12/20] docs: refresh AP Phase 1 backlog count --- docs/content-federation-truth-reconciliation-2026-07-14.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 53e38d1..1b04c7f 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -293,8 +293,9 @@ The following were not ratified or not completed: - **TIN-2416:** the newer urgent delivery issue correctly keeps public delivery disabled pending a live signed-peer proof. - **AP Federation Phase 1:** off track for its 2026-07-15 target. The project - still has six Backlog issues and no replacement date was invented during - this audit. + has seven Backlog issues, including TIN-2883 for the newly confirmed stale + worker manifest/test contract. No replacement date was invented during this + audit. - **TIN-2644 and TIN-2645:** both remain urgent Backlog. The delivery, moderation, and follower-Accept plane is still hardcoded to `jesssullivan`; a second author cannot complete a live Follow/Accept/delivery round trip. From 9170b1c589be8bb247a0b7402eb8fd9b16dc4323 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 19:50:51 -0400 Subject: [PATCH 13/20] docs: make draft PR guidance state-neutral --- ...tent-federation-truth-reconciliation-2026-07-14.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 1b04c7f..236157f 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -265,11 +265,12 @@ The following were not ratified or not completed: - **tinyland.dev #721:** draft digest-safe staging deploy work. Treat it as image/deploy durability, not federation completion. - **tinyland.dev #737 and #738:** draft citation and proof-runbook work for - TIN-2416. #737 still leaves a current glossary citation and a misleading - test title. #738 is not executable as written: the advertised inbox reaches - the generic handler rather than the follower-store/moderation proof plane, - and its fingerprint command does not compare normalized SPKI DER. Neither - draft is merged behavior or a completed live signed-peer proof. + TIN-2416. Before #737 merges, current gates must point only at TIN-2416 while + TIN-1119 remains solely as dated history or roster provenance. #738 is not + executable as written: the advertised inbox reaches the generic handler + rather than the follower-store/moderation proof plane, and its fingerprint + command does not compare normalized SPKI DER. Neither draft is merged + behavior or a completed live signed-peer proof. - **tinyland.dev #702 / TIN-2648:** decision packet only; no ratification or live custody implementation. - **tinyland-auth #41 and #42, tinyland-invitation #12 and #14:** draft From 5e093516f1eac87f0773a30ea64e1120aa27137d Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 20:23:49 -0400 Subject: [PATCH 14/20] docs: refresh federation draft findings --- ...t-federation-truth-reconciliation-2026-07-14.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 236157f..3c0b8d4 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -265,12 +265,14 @@ The following were not ratified or not completed: - **tinyland.dev #721:** draft digest-safe staging deploy work. Treat it as image/deploy durability, not federation completion. - **tinyland.dev #737 and #738:** draft citation and proof-runbook work for - TIN-2416. Before #737 merges, current gates must point only at TIN-2416 while - TIN-1119 remains solely as dated history or roster provenance. #738 is not - executable as written: the advertised inbox reaches the generic handler - rather than the follower-store/moderation proof plane, and its fingerprint - command does not compare normalized SPKI DER. Neither draft is merged - behavior or a completed live signed-peer proof. + TIN-2416. #737 head `98c2f8be6` still emits TIN-1429 as a live gate; before + it merges, current gates must point only at TIN-2416 while TIN-1119 remains + solely as dated history or roster provenance. #738 head `6dc94a6` now hashes + normalized SPKI DER, closing that earlier review finding, but the runbook is + still not executable: the advertised inbox reaches the generic handler + rather than the follower-store/moderation proof plane, its routing decision + is unimplemented, TIN-2801 remains frozen, and key convergence is still + gated. Neither draft is merged behavior or a completed live signed-peer proof. - **tinyland.dev #702 / TIN-2648:** decision packet only; no ratification or live custody implementation. - **tinyland-auth #41 and #42, tinyland-invitation #12 and #14:** draft From 778949d7d872f519c60e6e420d4cc3efc79aa841 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 20:44:41 -0400 Subject: [PATCH 15/20] docs: reconcile current federation PR states --- ...eration-truth-reconciliation-2026-07-14.md | 42 +++++++++---------- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 3c0b8d4..f019aed 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -228,19 +228,15 @@ The following were not ratified or not completed: and all browser tests. Its separate trusted-`main` run passed and is the cache-write proof; the pull-request run alone did not exercise that path. - **#217:** remains a shadow-only tiered reader and blended stream experiment. - Its latest hosted/build checks passed, but the Bazel gate ended during - `Remote check` with no completed-step diagnostic; it is not currently green. - Its pull-request body also says not to merge. Neither a future green rerun - nor GitHub mergeability would override that product hold. Do not describe it - as production federation. -- **#216:** open, non-draft node-backend shadow spoke. Its description still - says draft/operator-gated. Its latest remote gate passed token minting, then - ended during `Remote check` without a retained source diagnostic. Restore an - accurate hold or draft state before treating GitHub readiness as - authorization; do not attribute that red to token minting. + All required checks on head `bc08910b1` are green, but its pull-request body + still says not to merge and its live inputs still lack reviewed tier/salience + values. Green CI is not product promotion. Keep it shadow-only and do not + describe it as production federation. +- **#216:** merged at `0907bb6e` on 2026-07-14. Main now carries the + node-backend shadow-spoke scaffold, but merge is not runtime promotion and + does not make the blog an ActivityPub or Tinyland write authority. - **#224 and #225:** separate content/ops lanes, not federation completion - evidence. Their latest Bazel gates also ended mid-`Remote check` without a - completed-step diagnostic. + evidence. #224 remains open; #225 merged at `084ca03b` on 2026-07-14. - **#140 and #72:** stale drafts. Review for unique value before closing. - **#75:** closed, superseded ActivityPub-shaped Pulse viewer. It never had inbox processing, signatures, followers, delivery, or live fetch. Do not @@ -265,14 +261,14 @@ The following were not ratified or not completed: - **tinyland.dev #721:** draft digest-safe staging deploy work. Treat it as image/deploy durability, not federation completion. - **tinyland.dev #737 and #738:** draft citation and proof-runbook work for - TIN-2416. #737 head `98c2f8be6` still emits TIN-1429 as a live gate; before - it merges, current gates must point only at TIN-2416 while TIN-1119 remains - solely as dated history or roster provenance. #738 head `6dc94a6` now hashes - normalized SPKI DER, closing that earlier review finding, but the runbook is - still not executable: the advertised inbox reaches the generic handler - rather than the follower-store/moderation proof plane, its routing decision - is unimplemented, TIN-2801 remains frozen, and key convergence is still - gated. Neither draft is merged behavior or a completed live signed-peer proof. + TIN-2416. #737 head `c251074f1` now emits TIN-2416 as the sole current gate, + while TIN-1119 remains solely as dated history or roster provenance. #738 + head `6dc94a6` now hashes normalized SPKI DER, closing that earlier review + finding, but the runbook is still not executable: the advertised inbox + reaches the generic handler rather than the follower-store/moderation proof + plane, its routing decision is unimplemented, TIN-2801 remains frozen, and + key convergence is still gated. Neither draft is merged behavior or a + completed live signed-peer proof. - **tinyland.dev #702 / TIN-2648:** decision packet only; no ratification or live custody implementation. - **tinyland-auth #41 and #42, tinyland-invitation #12 and #14:** draft @@ -351,9 +347,9 @@ content 0.2.5, content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security - The Mothership Beta/Prod initiative is the active implementation umbrella and remains at risk. -- The ActivityPub federation and RBE initiative combines two independent - axes. Streaming/display progress must not be used as outbound-delivery - progress. +- The ActivityPub federation and RBE initiative combines three independent + axes: outbound delivery, streaming/display product, and RBE/spoke CI. + Progress on any one must not be used as completion evidence for another. - Each of those initiatives has a completed duplicate parking record with a near-identical name. The canonical Mothership initiative is `d3995f72-f1a4-415d-818c-cde93df767d3`; the canonical AP/RBE initiative is From aef149c8fd9ec9938c023dfd34515fca94573b7b Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 20:52:51 -0400 Subject: [PATCH 16/20] docs: record federation blocker graph --- docs/content-federation-truth-reconciliation-2026-07-14.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index f019aed..d2f5e3e 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -230,7 +230,8 @@ The following were not ratified or not completed: - **#217:** remains a shadow-only tiered reader and blended stream experiment. All required checks on head `bc08910b1` are green, but its pull-request body still says not to merge and its live inputs still lack reviewed tier/salience - values. Green CI is not product promotion. Keep it shadow-only and do not + values. TIN-2891 now owns that missing producer-data contract and blocks + TIN-2641. Green CI is not product promotion. Keep it shadow-only and do not describe it as production federation. - **#216:** merged at `0907bb6e` on 2026-07-14. Main now carries the node-backend shadow-spoke scaffold, but merge is not runtime promotion and @@ -290,7 +291,9 @@ The following were not ratified or not completed: explicitly says the live-delivery acceptance was not met and points at TIN-2416 as the sole execution gate. - **TIN-2416:** the newer urgent delivery issue correctly keeps public - delivery disabled pending a live signed-peer proof. + delivery disabled pending a live signed-peer proof. Its blocker graph now + includes TIN-1427 for the still-unmet advertised-inbox to follower-store, + moderation, and durable Follow/Accept/Undo seam. - **AP Federation Phase 1:** off track for its 2026-07-15 target. The project has seven Backlog issues, including TIN-2883 for the newly confirmed stale worker manifest/test contract. No replacement date was invented during this From 66e56a2ee317acc9278d851eb141f9431d131be6 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 20:57:12 -0400 Subject: [PATCH 17/20] docs: ground federation worktree inventory --- ...eration-truth-reconciliation-2026-07-14.md | 36 +++++++------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index d2f5e3e..ac2c4b3 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -426,32 +426,20 @@ after #228 merged, its checkout was clean, and its exact HEAD matched the merged pull-request head. No branch was deleted. No operator-owned or unrelated agent worktree was modified. -Active and meaningful: +The registered worktree inventory at the end of this audit has four entries: - `docs/content-federation-truth-20260714` for this audit (#226). -- `shadow-ui` for blog #217. -- `ws5-node-shadow` for open, operator-gated blog #216. -- `footer-fix` for draft blog #140. -- `blog-chore` for open blog #225 and `kvm-post` for open blog #224. These - are independently owned content/ops lanes, not federation cleanup residue. - -Worktree presence is not pull-request authority. The `blog-chore` and -`kvm-post` checkouts track `origin/main` instead of their actual remote -branches; both actual branches are two commits ahead of the local checkout. -`ws5-node-shadow` correctly tracks its remote branch but is also two commits -behind. Those independently owned lanes were reported, not rewritten. - -Retired or prunable after one final unique-commit check: - -- Missing `/private/tmp/blog-frontdoor`, whose pull request #218 merged. -- `gates-retry` and `gates-serial`, whose pull requests #221 and #219 merged. -- `gates-fix`, whose pull request #227 merged, and `gates-mem`, whose pull - request #229 closed after its unique safeguard was folded into #228. They - remain untouched pending an owner-side final unique-commit check. -- Historical `worktree-wf_*` branches that are already ancestors of `main` - and have no remote pull request. -- Merged-PR residue under several `codex/*`, `docs/*`, `feat/*`, `fix/*`, - `infra/*`, `jess/fix-*`, and `posts/*` branches. +- `shadow-ui` at #217's exact head `bc08910b1`; the pull request is a draft. +- `footer-fix` at #140's exact head `915ccea0b`; the pull request is a draft. +- `ws5-node-shadow` at local head `37dfb7033`. Pull request #216 has already + merged at `0907bb6e`, from remote head `3c233d9f`; this behind checkout is + merged-lane residue, not an open operator gate or source of runtime truth. + +Open pull request #224 has no registered local worktree. Merged pull request +#225 likewise has no registered worktree. The earlier `blog-chore`, `kvm-post`, +and gate-retry worktrees are absent from `git worktree list`; they are not +pending registered-worktree cleanup. No operator-owned worktree was removed or +rewritten during this audit. Operator classification required before cleanup: From 82d5a2598d71e07178f58bbb0de9b9b7075a8cdd Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 21:04:03 -0400 Subject: [PATCH 18/20] docs: distinguish merged redirect fix from live state --- ...eration-truth-reconciliation-2026-07-14.md | 27 +++++++++++-------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index ac2c4b3..850e058 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -109,6 +109,7 @@ Observed on 2026-07-14: | `tinyland.dev/blog/week-notes-scroll-wheels-and-chasing-the-sun` | 404 | The mothership detail fix is not live. | | `tinyland.dev/@jesssullivan/notes/2026-04-26-cardinals-before-dawn` with browser HTML Accept | 404 `User not found` | The redirect loop is absent, but user authority still does not resolve. | | The same note with ActivityPub Accept | 404 `Author not found` | The redirect loop is absent, but actor/user authority still does not resolve. | +| The same note with wildcard/default Accept | 307 to the identical request path | PR #717's terminal-response source fix is not deployed; generic clients still loop. | | `tinyland.dev/@jesssullivan` with ActivityPub Accept | 200 | The mothership exposes an actor-shaped response. | | `tinyland.dev/@jesssullivan/outbox` | 404 | The mothership is not the working public outbox authority. | | `hub.tinyland.dev/@jesssullivan` with ActivityPub Accept | 200 | This is the delegated actor endpoint. | @@ -127,12 +128,14 @@ delivery. The blog's production-health suite passed its DNS, HTTPS, broker, and hydration checks. That does not contradict the ActivityPub findings because those checks prove display projection, not public Fediverse delivery. -A later live check during this audit observed a terminal 404 for both note -representations, with no `Location` header or 307 loop. That supports TIN-2787 -being Done for its narrow redirect-loop defect. It does not make the note route -live: `Author not found` and `User not found` are the remaining TIN-2788 -authority failure. The mothership blog-detail URL still returns `Blog post not -found`, so TIN-2786 remains live-incomplete. +A later live check during this audit observed terminal 404 responses for +explicit browser and ActivityPub Accept values, but wildcard/default Accept +still returned 307 with a `Location` identical to the request path. PR #717 +merged the correct terminal-response source fix, but production has not adopted +it. TIN-2787 is therefore source-fixed and deployment-incomplete; TIN-2788 +separately owns the `Author not found` and `User not found` authority failure. +The mothership blog-detail URL still returns `Blog post not found`, so TIN-2786 +remains live-incomplete. The trusted `main` run after pull request #227 (run `29326131530`, commit `6deec66`) was red while production health was green. Its hosted lane passed, @@ -205,7 +208,7 @@ The following were not ratified or not completed: | "The blog is the AP authority" | The blog has no delivery or durable-write authority. Its static WebFinger file points at the hub but is not resource-aware. | False. | | "Workflow completed" means the product goal completed | Historical workflows include errored, blocked, and plan-only lanes. | Treat workflow status as orchestration status only. | | A merged package fix is live | Content and invitation fixes were released, but mothership pins and deployment lagged. | Track release, adoption, deploy, and live proof separately. | -| TIN-2787 Done means the note route works | Current live requests terminate without the former 307 loop, but still return `Author not found` or `User not found`. | Keep TIN-2787 Done narrowly; route availability remains TIN-2788. | +| TIN-2787 Done means the redirect fix is live | PR #717 merged the source fix, but wildcard/default live requests still 307 to the identical URL. | False. TIN-2787 is back In Progress until a deployed-image canary passes; user/author resolution remains TIN-2788. | | TIN-2786 blog detail is fixed in production | Package source/release exists; the live mothership detail URL is 404. | Live-incomplete. | | TIN-2788 bootstrap merged means the user exists | Pull request #720 merged; the attended bootstrap was not run. | Runtime-incomplete. | | TIN-2648 Option B is ratified | Linear is in progress; #702 says merge would be the ratification event. | False. | @@ -370,8 +373,9 @@ content 0.2.5, content-types 0.2.4, auth 0.6.0, invitation 0.2.3, and security - TIN-2780 and TIN-2781 prove package source/release work, not mothership adoption. - TIN-2784 proves a source fix, not a live signed-Accept interop result. -- TIN-2786 remains live-incomplete. TIN-2787 is correctly Done only for the - redirect loop; TIN-2788 owns the remaining live user/author-resolution 404. +- TIN-2786 remains live-incomplete. TIN-2787 is source-fixed by merged #717 + but is back In Progress because the wildcard/default production request still + self-redirects. TIN-2788 owns the separate live user/author-resolution 404. - TIN-1119 is Done only as a superseded tracker with unmet acceptance. TIN-2416 is the current urgent live-proof issue and remains In Progress. - TIN-2644/TIN-2645 and TIN-2680 remain open, so neither multi-author delivery @@ -484,8 +488,9 @@ merged work whose branch was never automatically deleted. that matching custody cannot be recovered. 2. Correct TIN-2731 and TIN-2648 language so unratified custody work cannot be read as complete. -3. Keep TIN-2787 narrowly scoped to the resolved redirect loop; track the live - user/author-resolution 404 under TIN-2788. +3. Deploy and canary PR #717's TIN-2787 terminal-response fix after the + TIN-2801 freeze permits it; keep the separate user/author-resolution 404 + under TIN-2788. 4. Keep #731 draft until its security prerequisite pull requests and consumer containment checks are satisfied. 5. Extract #701's unique rate-limit-store slice onto the current package base; From 8d90c0ee53cd013e3c3a61632be78f8bb51a26d4 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 21:20:26 -0400 Subject: [PATCH 19/20] docs: reconcile AP key lineage and proof spec --- ...eration-truth-reconciliation-2026-07-14.md | 31 +++++++++++-------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index 850e058..e19e569 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -191,14 +191,16 @@ The following were not ratified or not completed: a draft decision packet, not an implemented custody system. - **Public Fediverse delivery:** no live evidence demonstrates a signed post reaching a real remote follower. -- **TIN-2731 key rotation:** normalized SPKI SHA-256 comparison found pull - request #719's proposed public key +- **TIN-2731 key lineage and custody:** normalized SPKI SHA-256 comparison + found pull request #719's proposed public key (`5f9279a949939b0e7b53bf28f1520191875258714deffd0a71523b58d84d48ac`) differs from the live actor key (`cd4a49fe889ffa997ec0100a8bfa3cbeebefd815c131c4c1550af25fb5b53737`). - The audit did not inspect private material, and the recorded session-only - scratch custody could not be verified. Hold the rotation until matching - private custody and an atomic cutover are established. + Current evidence does not show that the installed `cd4a...` pair was + exposed. The audit did not inspect private material, and durable custody + could not be verified. Hold #719 until the operator ratifies either retaining + `cd4a...` with proven escrow or rotating atomically to a proven replacement; + require four-surface fingerprint convergence for the selected pair. ## Critical Contradiction Ledger @@ -267,11 +269,12 @@ The following were not ratified or not completed: - **tinyland.dev #737 and #738:** draft citation and proof-runbook work for TIN-2416. #737 head `c251074f1` now emits TIN-2416 as the sole current gate, while TIN-1119 remains solely as dated history or roster provenance. #738 - head `6dc94a6` now hashes normalized SPKI DER, closing that earlier review - finding, but the runbook is still not executable: the advertised inbox - reaches the generic handler rather than the follower-store/moderation proof - plane, its routing decision is unimplemented, TIN-2801 remains frozen, and - key convergence is still gated. Neither draft is merged behavior or a + head `237adba90` preserves normalized SPKI DER hashing and now explicitly + labels itself a non-executable proof specification. It corrects the ConfigMap + apply and rollback surface, makes the advertised-inbox/proof-plane seam a hard + gate, requires bounded retry/drain evidence, and adds final NodeInfo/public-copy + reconciliation. TIN-2801, TIN-2731, TIN-2883, the route convergence, and every + live peer proof still remain open. Neither draft is merged behavior or a completed live signed-peer proof. - **tinyland.dev #702 / TIN-2648:** decision packet only; no ratification or live custody implementation. @@ -483,9 +486,11 @@ merged work whose branch was never automatically deleted. ## Immediate Corrections -1. Hold #719. Prove durable private custody matching the proposed public key - and prepare an atomic live/public-key cutover. Generate a new pair only if - that matching custody cannot be recovered. +1. Hold #719. Ratify either durable custody for the installed `cd4a...` pair or + an atomic cutover to a proven replacement, then converge the checked-in, + runtime public, runtime private-derived, and served actor fingerprints. An + `Update{Person}` broadcast is required only when the selected public key + changes. 2. Correct TIN-2731 and TIN-2648 language so unratified custody work cannot be read as complete. 3. Deploy and canary PR #717's TIN-2787 terminal-response fix after the From f616408a8c2815edae89d6c0902b9a270d9b2472 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Tue, 14 Jul 2026 21:22:43 -0400 Subject: [PATCH 20/20] docs: track corrected proof-packet head --- ...-federation-truth-reconciliation-2026-07-14.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/docs/content-federation-truth-reconciliation-2026-07-14.md b/docs/content-federation-truth-reconciliation-2026-07-14.md index e19e569..962da48 100644 --- a/docs/content-federation-truth-reconciliation-2026-07-14.md +++ b/docs/content-federation-truth-reconciliation-2026-07-14.md @@ -269,13 +269,14 @@ The following were not ratified or not completed: - **tinyland.dev #737 and #738:** draft citation and proof-runbook work for TIN-2416. #737 head `c251074f1` now emits TIN-2416 as the sole current gate, while TIN-1119 remains solely as dated history or roster provenance. #738 - head `237adba90` preserves normalized SPKI DER hashing and now explicitly - labels itself a non-executable proof specification. It corrects the ConfigMap - apply and rollback surface, makes the advertised-inbox/proof-plane seam a hard - gate, requires bounded retry/drain evidence, and adds final NodeInfo/public-copy - reconciliation. TIN-2801, TIN-2731, TIN-2883, the route convergence, and every - live peer proof still remain open. Neither draft is merged behavior or a - completed live signed-peer proof. + head `4223d0bc2` preserves normalized SPKI DER hashing, makes its key gate + neutral between a ratified retain path and a ratified rotate path, and + explicitly labels itself a non-executable proof specification. It corrects + the ConfigMap apply and rollback surface, makes the + advertised-inbox/proof-plane seam a hard gate, requires bounded retry/drain + evidence, and adds final NodeInfo/public-copy reconciliation. TIN-2801, + TIN-2731, TIN-2883, route convergence, and every live peer proof still remain + open. Neither draft is merged behavior or a completed live signed-peer proof. - **tinyland.dev #702 / TIN-2648:** decision packet only; no ratification or live custody implementation. - **tinyland-auth #41 and #42, tinyland-invitation #12 and #14:** draft