
MergeabilityVerdict as a policy over a predicate bundle + capability-footprint queue admission #592

Description

@bdelanghe

Summary

Follow-up to the predicate binding-semantics precursor (#591, merged). Turn the merge verdict into a policy function over the typed predicate bundle that #591 introduced, and make the bundle's event-bound members the unit of a per-actor queue whose admission is gated by the change's capability footprint.

This is the artifact the ADR docs/prx/predicate-bundle-verdict.md sketches. Spec/design, not yet build — and it stays sequenced behind the intake-to-plan transition spec (see Sequencing).

Background

#591 landed the type-level seam:

  • a per-predicate binding tag — property (re-derivable hermetically; can't be rubber-stamped) vs event (a re-attributable assertion an actor produced over H; never stands alone);
  • RequiredPredicate + an optional requiredPredicates bundle on transitionContractSchema;
  • requiredPredicatesOf() as the single read seam (legacy singular fields project to a one-member property-bound bundle).

Today the operative merge verdict is canEnterReadyToMerge() (packages/prx/src/machine/machines/workflow.ts) — a hardcoded conjunction over three string axes. The capability envelope (packages/prx/src/agents/capability_envelope.ts) already models scope × reversibility → approval as a monotone matrix, but keyed by action, not by a change's footprint.

Scope

  1. MergeabilityVerdict as policy-over-bundle. Generalize canEnterReadyToMerge from a flat conjunction into a verdict computed by policy over requiredPredicatesOf(contract). The verdict is the function over the bundle; no single event-predicate stands alone.
  2. Per-binding queues. property members fan out in parallel (no actor, no queue); event members are the only members that enqueue, each against its producing actor's bounded queue. Serialization of a UoW collapses to exactly its event-bound members.
  3. Capability-footprint → required-predicate mapping (queue admission). Map a change's capability footprint (blast radius) to the predicates it requires, reusing the envelope's monotone-matrix shape on the change-footprint axis. This is drum-buffer-rope: the human/critic queue is the drum; footprint-gating is the rope throttling release into it. A docs change requires no event predicate and never enters the human queue; a credential-routing change requires a stronger (possibly multi-party) event predicate.
  4. Event-member weighting. An event member from a critic sharing the author model's priors is weak evidence dressed as independent — weight it as one partial signal, and only when genuinely differently-conditioned.

Load-bearing assumption (falsifiable)

The fraction of review effort that is mechanizable is large enough that gating on property predicates materially cuts human review-minutes per PR. If most review cost is irreducible intent-reasoning, the bundle shrinks the queue only at the margin and the senior-engineer tax persists. Stated here so it's tested, not assumed.

Sequencing

Behind the intake-to-plan transition spec (lower-risk, continues the already-open lifecycle axis). This issue carries the higher-risk, empirically-loaded part and depends on nothing intake-to-plan needs. The #591 vocabulary is the shared spine both target.

Non-goals

  • No change to runtime gate behaviour beyond the verdict generalization.
  • Not the intake-to-plan spec (separate, sequenced ahead).

See docs/prx/predicate-bundle-verdict.md.
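Added example, not part of the issue and not code from the prx repository: a sketch of Scope items 1 to 4 as one verdict function over a bundle. Every shape, name and number in it is an assumption for illustration (the `RequiredPredicate` fields, `Footprint`, `Attestation`, `requiredFor`, `verdict`, the `checks-pass` and `review` predicate names, and the weight thresholds); the schema that #591 landed may differ.

```typescript
// Added sketch: every shape below is hypothetical, not the schema #591 landed.
type Footprint = "docs" | "code" | "credential-routing";
type RequiredPredicate =
  | { binding: "property"; name: string }
  | { binding: "event"; name: string; minWeight: number };
interface Attestation { name: string; actor: string; overH: string; weight: number }
interface Verdict { mergeable: boolean; unmet: string[]; enqueue: string[] }

// Assumed monotone mapping: a larger footprint never requires less event weight.
const EVENT_WEIGHT: Record<Footprint, number> = { docs: 0, code: 1, "credential-routing": 2 };

function requiredFor(fp: Footprint): RequiredPredicate[] {
  const bundle: RequiredPredicate[] = [{ binding: "property", name: "checks-pass" }];
  const w = EVENT_WEIGHT[fp];
  if (w > 0) bundle.push({ binding: "event", name: "review", minWeight: w });
  return bundle;
}

function verdict(
  h: string, author: string, bundle: RequiredPredicate[],
  rederive: (name: string, h: string) => boolean, attestations: Attestation[],
): Verdict {
  const unmet: string[] = [];
  const enqueue: string[] = [];
  // Event members never stand alone: a bundle with no property member is unmet.
  if (!bundle.some((p) => p.binding === "property")) unmet.push("<no property member>");
  for (const p of bundle) {
    if (p.binding === "property") {
      // Property members are re-derived over H here, never accepted as a claim.
      if (!rederive(p.name, h)) unmet.push(p.name);
      continue;
    }
    // Count one weight per actor, only for assertions over this exact H,
    // and never from the author of the change.
    const perActor: Record<string, number> = {};
    for (const a of attestations) {
      if (a.name !== p.name || a.overH !== h || a.actor === author) continue;
      perActor[a.actor] = Math.max(perActor[a.actor] ?? 0, a.weight);
    }
    const total = Object.keys(perActor).reduce((s, k) => s + (perActor[k] ?? 0), 0);
    if (total < p.minWeight) { unmet.push(p.name); enqueue.push(p.name); }
  }
  return { mergeable: unmet.length === 0, unmet, enqueue };
}
```

The `enqueue` list is what would be released into an actor queue; a docs footprint leaves it empty, and an approval recorded over an earlier H does not carry over to a new one.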
