#500: design-consensus 编排重设计 — phase9-router 唯一派发 owner,删 wakeup-runner 双重派发

CLAUDE.md

@@ -37,7 +37,7 @@ New principle: 改哲学:单文件 SKILL.md + intra-file anchors 是被认可的
 - **边界清晰,职责分层**:本文件承载**跨 skill 边界**与**仓库级宪法约束**;单个 skill 的工作流细则、术语定义、当前状态归该 skill 自维护,不复制回本文件。
 - **事实源唯一**:同一约束禁止在多处平行声明。版本号 → `.version-bump.json`;host 运行时事实 → `host.env`;skill 行为 → 该 skill 的 SKILL.md 与 `scripts/test_*.py`。
 - **抽象优先,行为契约**:skill 间通过 `host.env` + 文件 artifact + GitHub API 等稳定边界协作,不耦合彼此内部脚本;命名跟随职责,不泄露 runtime / 内部实现细节。
-- **强类型边界,窄扩展点**:任何 controller-runtime 例外必须 narrow allowlist + no lifecycle authority by default;授权来源必须 durable artifact + 仓库级文档双重锚定。#53 是唯一 integration-branch git carveout:`integration sync daemon` 在专用 integration worktree 内的 integration-branch git allowlist(`git fetch` / `git ls-remote --exit-code --heads origin $INTEGRATION_BRANCH` / `rev-list` / `rev-parse` / `merge-base` / `reset --hard` / `rebase --rebase-merges` / `merge --ff-only|--no-ff` / `push HEAD:$INTEGRATION_BRANCH` / force-with-lease adoption),不得 commit worker diff、create/merge/close PR、开关 issue/PR/label、tag/release,不得作为 generic lifecycle actor。#191 是唯一跨设备 active-controller lease carveout:GitHub/已 push git 面只承载一个全局 `ActiveControllerLease`,允许 read/acquire/renew 专用 lease artifact 并暴露 owner/expiry;禁止 worker diff commit、issue/PR create/merge/close/edit、label mutation、tag/release、per-work claim、host-defined lease scope、跨设备 floor 聚合、daemon ownership matrix、active-active scheduler、generic lifecycle actor。#193 中 issue/PR author.login 与 updatedAt 仅可作为 planning/routing/stale metadata,不得作为 side-effect authorization、per-work owner authority、claim/lease scope 或 takeover permit;issue/PR target 写副作用的跨设备 permit 只来自 #191 ActiveControllerLease。#238 是唯一 closed managed item phase-label reconciliation carveout:active-controller owner 的 checked-in `closed-label-reconciler` 只可对 CLOSED `crnd:lifecycle:managed` issue/PR 做 phase-label reconciliation,移除 phase/cleanup/stuck label 并加 exactly one terminal phase `crnd:phase:merged` 或 `crnd:phase:closed`;禁止 open item mutation、issue/PR create/close/reopen/body/title edit、PR merge、human/triage/milestone/lifecycle label mutation、tag/release、generic lifecycle actor。#322 是唯一 controller-owned release publication carveout:active-controller owner 的 `ReleasePublisher` 只可在 `ReleasePublishPreflight` 验证 `RELEASE_AUTO_ENABLE=true`、fresh release-candidate/release-decision、decision_digest、target_ref、mapped manifest from_version、required checks 全绿后,走同一 publish 主链路:首次发布运行 `python3 .github/scripts/bump_version.py --version <to_version>`、`git add .version-bump.json <mapped manifests>`、`git commit -m "Release v<to_version>"`;already-bumped reentry 仅当 only preflight mismatch 是 mapped manifests 已==`to_version` 且 `git show -s --format=%s HEAD` 证明 HEAD subject 精确为 `Release v<to_version>` 时跳过这三步。两条路径随后都必须运行 `git rev-parse HEAD`、`git fetch origin HEAD`、`git rev-list --count HEAD..origin/HEAD`、`git push origin HEAD`、通过 `ReleaseRequiredChecksProjection` 读取 `gh api repos/<slug>/commits/<fresh release commit sha>/check-runs --paginate --slurp` 或 reentry 的 `gh api repos/<slug>/commits/<exact release/reentry commit sha>/check-runs --paginate --slurp` 并确认该 exact fresh SHA required checks 全绿后才运行(或 reentry 时确认该 exact fresh/reentry SHA required checks 全绿后才运行) `gh release create v<to_version> --target <fresh release commit sha> --generate-notes [--prerelease]` 或 reentry 的 `gh release create v<to_version> --target <exact release/reentry commit sha> --generate-notes [--prerelease]`,并写 `.refactor-loop/state/release-publish-result.json`;禁止 public release-publish CLI、workflow tag/release creation、tag target without exact-SHA green checks、`git tag`、force-push、release edit/delete/upload、approval-ticket/emoji gate、issue/PR/label lifecycle、merge/close、generic lifecycle actor。#396 是唯一 unattended wakeup-runner carveout:active-controller owner 的 checked-in `wakeup-runner` 只可消费 `wakeup-plan` 产出的 evidence-bound closed action projection,并对每个 action 重新验证 clean `EXIT=0` source marker、review truth table、OPEN/live GitHub state、#191 owner、release #322 preflight 或 helper-specific precondition 后,机械调用既有 controller helper 或 #396 narrow helper。`wakeup-plan` 是唯一 action projection fact source但不是 standalone authorization source;daemon 不得读 prompt body 决策,不得新增 `ControllerTurnDecision`/controller-turn worker/schema,不得接受 argv/shell/cmd/command_line/commands/env/git/gh/executor/lifecycle_authority/lifecycle_owner/generic command fields,不得把 `.refactor-loop/host.env` 当 host production SSOT。允许动作仅限 spawn codex、named helper `dispatch_design_consensus` through phase9-router deterministic routes、named helper `dispatch_consensus_implementation`、named helper `publish_implementation_output`、named helper `open_release_rollup_pr_from_action`、publish worker output、dispatch reviewers/fix/remote-ci worker、apply triage decision、merge PR under review truth table、close managed item from drop marker、publish release through #322;禁止任意 git/gh 命令、workflow tag/release、label/merge/close outside existing helper or named #396 helper、active-active scheduler、generic lifecycle actor。#403 是唯一大 issue 分解 carveout:active-controller owner 的 checked-in apply helper 只可消费已验证的 `IssueDecompositionPlan`,创建 `crnd:lifecycle:managed` child design issues 并评论父 issue;父 epic 保持 open/tracking,禁止 close/reopen/body-title edit,禁止 daemon/worker 建 issue、public issue factory、wakeup-plan decompose 投影或 generic lifecycle actor。通用授权、escape hatch、宽口径修宪一律视为设计未完成。
+- **强类型边界,窄扩展点**:任何 controller-runtime 例外必须 narrow allowlist + no lifecycle authority by default;授权来源必须 durable artifact + 仓库级文档双重锚定。#53 是唯一 integration-branch git carveout:`integration sync daemon` 在专用 integration worktree 内的 integration-branch git allowlist(`git fetch` / `git ls-remote --exit-code --heads origin $INTEGRATION_BRANCH` / `rev-list` / `rev-parse` / `merge-base` / `reset --hard` / `rebase --rebase-merges` / `merge --ff-only|--no-ff` / `push HEAD:$INTEGRATION_BRANCH` / force-with-lease adoption),不得 commit worker diff、create/merge/close PR、开关 issue/PR/label、tag/release,不得作为 generic lifecycle actor。#191 是唯一跨设备 active-controller lease carveout:GitHub/已 push git 面只承载一个全局 `ActiveControllerLease`,允许 read/acquire/renew 专用 lease artifact 并暴露 owner/expiry;禁止 worker diff commit、issue/PR create/merge/close/edit、label mutation、tag/release、per-work claim、host-defined lease scope、跨设备 floor 聚合、daemon ownership matrix、active-active scheduler、generic lifecycle actor。#193 中 issue/PR author.login 与 updatedAt 仅可作为 planning/routing/stale metadata,不得作为 side-effect authorization、per-work owner authority、claim/lease scope 或 takeover permit;issue/PR target 写副作用的跨设备 permit 只来自 #191 ActiveControllerLease。#238 是唯一 closed managed item phase-label reconciliation carveout:active-controller owner 的 checked-in `closed-label-reconciler` 只可对 CLOSED `crnd:lifecycle:managed` issue/PR 做 phase-label reconciliation,移除 phase/cleanup/stuck label 并加 exactly one terminal phase `crnd:phase:merged` 或 `crnd:phase:closed`;禁止 open item mutation、issue/PR create/close/reopen/body/title edit、PR merge、human/triage/milestone/lifecycle label mutation、tag/release、generic lifecycle actor。#322 是唯一 controller-owned release publication carveout:active-controller owner 的 `ReleasePublisher` 只可在 `ReleasePublishPreflight` 验证 `RELEASE_AUTO_ENABLE=true`、fresh release-candidate/release-decision、decision_digest、target_ref、mapped manifest from_version、required checks 全绿后,走同一 publish 主链路:首次发布运行 `python3 .github/scripts/bump_version.py --version <to_version>`、`git add .version-bump.json <mapped manifests>`、`git commit -m "Release v<to_version>"`;already-bumped reentry 仅当 only preflight mismatch 是 mapped manifests 已==`to_version` 且 `git show -s --format=%s HEAD` 证明 HEAD subject 精确为 `Release v<to_version>` 时跳过这三步。两条路径随后都必须运行 `git rev-parse HEAD`、`git fetch origin HEAD`、`git rev-list --count HEAD..origin/HEAD`、`git push origin HEAD`、通过 `ReleaseRequiredChecksProjection` 读取 `gh api repos/<slug>/commits/<fresh release commit sha>/check-runs --paginate --slurp` 或 reentry 的 `gh api repos/<slug>/commits/<exact release/reentry commit sha>/check-runs --paginate --slurp` 并确认该 exact fresh SHA required checks 全绿后才运行(或 reentry 时确认该 exact fresh/reentry SHA required checks 全绿后才运行) `gh release create v<to_version> --target <fresh release commit sha> --generate-notes [--prerelease]` 或 reentry 的 `gh release create v<to_version> --target <exact release/reentry commit sha> --generate-notes [--prerelease]`,并写 `.refactor-loop/state/release-publish-result.json`;禁止 public release-publish CLI、workflow tag/release creation、tag target without exact-SHA green checks、`git tag`、force-push、release edit/delete/upload、approval-ticket/emoji gate、issue/PR/label lifecycle、merge/close、generic lifecycle actor。#396 是唯一 unattended wakeup-runner carveout:active-controller owner 的 checked-in `wakeup-runner` 只可消费 `wakeup-plan` 产出的 evidence-bound closed action projection,并对每个 action 重新验证 clean `EXIT=0` source marker、review truth table、OPEN/live GitHub state、#191 owner、release #322 preflight 或 helper-specific precondition 后,机械调用既有 controller helper 或 #396 narrow helper。`wakeup-plan` 是唯一 action projection fact source但不是 standalone authorization source;daemon 不得读 prompt body 决策,不得新增 `ControllerTurnDecision`/controller-turn worker/schema,不得接受 argv/shell/cmd/command_line/commands/env/git/gh/executor/lifecycle_authority/lifecycle_owner/generic command fields,不得把 `.refactor-loop/host.env` 当 host production SSOT。允许动作仅限 spawn codex、named helper `dispatch_consensus_implementation`、named helper `publish_implementation_output`、named helper `open_release_rollup_pr_from_action`、publish worker output、dispatch reviewers/fix/remote-ci worker、apply triage decision、merge PR under review truth table、close managed item from drop marker、publish release through #322;禁止任意 git/gh 命令、workflow tag/release、label/merge/close outside existing helper or named #396 helper、active-active scheduler、generic lifecycle actor。#403 是唯一大 issue 分解 carveout:active-controller owner 的 checked-in apply helper 只可消费已验证的 `IssueDecompositionPlan`,创建 `crnd:lifecycle:managed` child design issues 并评论父 issue;父 epic 保持 open/tracking,禁止 close/reopen/body-title edit,禁止 daemon/worker 建 issue、public issue factory、wakeup-plan decompose 投影或 generic lifecycle actor。通用授权、escape hatch、宽口径修宪一律视为设计未完成。
 - **抽象一旦能被滥用即设计未完成**:允许绕过审查边界、merge gate、CLAUDE.md 修宪门槛的通用机制必须继续收窄。
 - **删除优先**:废弃 skill、deprecated wrapper、`*.bak/*.old/*.deprecated` 直接删除,不保留兼容空壳;历史由 git 与 CHANGELOG 保留。
 - **变更必须可验证**:行为约束必须落到机械验证手段(behavior test / source-regression test / 段落 lint);仅靠"agent 应该记得"承载的约束视为未落地。