opsm (odds-and-sods-package-manager) → provenance + freshness + regeneration engine: end dogfooding staleness permanently

[hyperpolymath]

Self-contained briefing. You should not need any prior chat context to act on this. Hand it to a fresh Claude/Codex/etc. with access to odds-and-sods-package-manager (opsm) and the wider estate. A ready-to-paste starter prompt is at the bottom.

1. The problem (stated cold)

The estate dogfoods itself: components are written in the estate's own evolving languages/tools (AffineScript, ephapax, the iser-tools, Zig, Idris2, …). When a source language or tool changes, every downstream component built in/against it can silently go stale — and there is currently no recorded link between a built/vendored component and the exact toolchain version it was produced against. So the question "which of my components are now out of date, and which need real work?" can only be answered by manual archaeology, repeatedly, forever.

Concrete trigger: gossamer is written in ephapax, but ephapax had a proof-error redesign (its type/soundness model changed). Does gossamer need a full rewrite? Today there's no mechanical way to know.

2. What opsm is, and how this relates

odds-and-sods-package-manager (opsm) is the estate package manager (opsm_ex/ backend + opsm-ui ReScript frontend; note opsm's own V HTTP client is being migrated to uapi_connector_* per the unified-zig-api work). This issue extends opsm from "resolve + fetch + build packages" into a provenance-aware, drift-detecting, regeneration-capable package manager. opsm is the right home because it already owns the dependency graph and build orchestration — it just needs to also own provenance and freshness.

3. Verdict policy (do NOT blanket-redesign)

Triage every component by drift class:

• No drift — toolchain unchanged within compatibility ⇒ nothing to do.
• Surface drift (signatures/names moved) ⇒ re-generate / recompile. Mechanical.
• Semantic drift (guarantees changed — what a proof-error fix usually is) ⇒ rework only the sites that relied on the changed guarantee.

For a typed/proven upstream, re-typecheck the component and let the compiler/prover enumerate the exact migration surface. Full ground-up redesign is warranted only if the component's core design depended on a capability that was removed. → gossamer: re-typecheck against the new ephapax; localised errors = guided migration; whole-structure rejection = partial redesign of just the affected layers.

4. The design (opsm enhancement)

1. Provenance manifest per component (opsm-managed): canonical source-of-truth location; pinned version/commit of every language/tool it was built or generated against; generated vs hand-written flag; the generator + its inputs if generated.
2. Lockfile over the full transitive toolchain graph → drift becomes a diff; builds become reproducible. Materialise toolchains hermetically via Guix (primary) / Nix (fallback) — don't reinvent hermeticity.
3. Drift gate (CI): classify none/surface/semantic. Use the Idris2 ABI as the compatibility contract — the component's ABI proof still type-checks against the new toolchain ⇒ compatible; it fails ⇒ semantic drift. Flag or fail accordingly. This is the "forever" guarantee: staleness can never again be silent.
4. Regenerate-on-drift: generated components → opsm re-runs the generator against the new toolchain and re-verifies (ABI proofs + the test/bench blitz, Campaign: estate-wide test + bench blitz (every repo, every level, cross-repo) + fix panic-attack-on-test-fail #108) → auto-heal. Hand-written components → opsm opens a drift task (issue) with the prover's flagged sites attached.
5. Canonical-source ↔ vendored-copy sync: where a component lives canonically in repo A but is vendored/dogfooded into repo B, opsm tracks the link and re-syncs from source (Copybara-style), instead of leaving drifting copies.

5. Anything else worth thinking about

• Bootstrap / dogfooding cycles. Self-hosting compilers make the toolchain graph cyclic (X built with X). The drift model must compute a fixpoint, not assume a DAG — get this wrong and a self-hosting language can never be declared "fresh."
• Regeneration determinism. The drift gate is only sound if generators are deterministic (same source + toolchain ⇒ stable output). opsm should detect & flag non-deterministic generators.
• Drift-severity policy per component: pin vs track-latest vs auto-migrate — configurable, not one-size.
• ABI coverage is the dependency. The ABI-proof-as-contract only works where a component has an Idris2 ABI (estate standard, Campaign (master): codify + roll out the immutable estate standards (pure-Zig FFI, Idris2 ABI, hexadeca-unified, SNIF-not-NIF, Rust/SPARK) #111). opsm's gate and the Idris2-ABI standard are co-dependent — roll them out together.
• Provenance = supply-chain attestation. The manifests double as SLSA-style attestations; integrate with the stapeln / cerro-torre verified-container pipeline.
• Human triage queue for semantic-drift tasks (surface via opsm-ui).
• opsm heals itself first (it's currently a drift victim — the V→uapi migration) as the proof-of-concept.

6. First milestone (the start point)

1. Define the provenance manifest schema + lockfile format (in opsm_ex).
2. Implement the drift gate against the Idris2-ABI contract for one real pair — gossamer ↔ ephapax — and produce its verdict (surface vs semantic, with flagged sites).
3. Wire regenerate-on-drift for one generated component (an iser-tool output) end-to-end.
4. Surface drift status in opsm-ui.

7. Starter prompt for a fresh agent

You are extending `odds-and-sods-package-manager` (opsm) — the hyperpolymath estate
package manager (opsm_ex backend + opsm-ui ReScript frontend) — into a provenance +
freshness + regeneration engine, to permanently kill "dogfooding staleness" (estate
components silently rotting when the estate's own languages/tools evolve).

Read this issue in full first. Then:
1. Inventory opsm's current model (how it records deps, fetches, builds).
2. Add a per-component provenance manifest (source-of-truth, pinned toolchain versions,
   generated-vs-handwritten) + a transitive-toolchain lockfile, materialised via Guix/Nix.
3. Implement a CI drift gate that classifies none/surface/semantic drift using each
   component's Idris2 ABI proof as the compatibility contract (re-typecheck against the
   new toolchain; pass = compatible, fail = semantic drift).
4. Prove it on gossamer↔ephapax: produce the redesign-vs-guided-migration verdict with
   flagged sites. Then wire regenerate-on-drift for one generated component.
Mind: bootstrap cycles (fixpoint, not DAG), generator determinism, source↔vendor sync.
Co-dependency: this needs the Idris2-ABI standard (see the standards campaign issue).

Scope note

opsm, gossamer, and ephapax were not reachable from the session that authored this issue (it could read only 6 repos) — so the above is grounded in the estate architecture, not opsm's source. The assigned agent must map it onto opsm's actual code. Related: #108 (test/bench), #109 (SNIF), #110 (coprocessor), #111 (standards), #113 (adapter), #114 (audit).

---

Filed via Claude Code — https://claude.ai/code/session_01JNCDaWMB8NV6nAPrvmTg4w