stablekernel · joshua-temple · May 31, 2026 · May 31, 2026
diff --git a/examples/dispatch/CHANGELOG.md b/examples/dispatch/CHANGELOG.md
@@ -0,0 +1,43 @@
+# Changelog
+
+All notable changes to `crucible/examples/dispatch` are documented here.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this module adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0]
+
+The first release of the flagship Crucible showcase. It takes the food-delivery
+order saga — a single rich statechart with hierarchy, parallel regions, actors,
+invoked services, a timed SLA watchdog, and a compensation saga — and runs that one
+machine under the whole Crucible suite, proving it is at once proven, durable,
+distributed, polyglot, and observable.
+
+### Added
+
+- **Proof** — `Prove` establishes the order saga is well-formed before any order is
+  dispatched: every key lifecycle stage is reachable (verified exactly and
+  guard-agnostically), the Watchdog region's `OnTime` and `Overdue` leaves are mutually
+  exclusive, and no transition guard is a contradictory dead branch. It returns a
+  `ProofReport` a host can assert on at startup, in a test, or in a release gate.
+- **Durable execution** — `RunCrashRecovery` drives the proven saga to its live `Active`
+  fulfillment configuration under the durable runtime backed by an on-disk store,
+  simulates a process crash, reconstructs the order from the store alone — state,
+  payment hold, and folded log intact — and drives it on to `Delivered`. `RunTimeTravel`
+  reconstructs the order's state read-only at earlier points in its lifecycle.
+- **Distributed fulfillment** — `RunDistributedFulfillment` hosts the same kitchen and
+  courier behaviors as remote cluster actors on separate worker nodes over real gRPC
+  (carried in-memory by `bufconn`), restarts a crashed worker actor through a worker-side
+  supervisor, and drives both remote actors to completion across the wire — proving the
+  fulfillment actors are location-transparent.
+- **Polyglot guard** — `RunPolyglotEquivalence` proves the saga's "generous order"
+  admission guard decides identically whether evaluated by the in-tree CEL engine or by a
+  WebAssembly guest, swapped in through the engine-agnostic guard seam without touching
+  the machine.
+- **Observability** — `RunObservedSaga` drives the durable saga to `Delivered` while
+  emitting one trace span and one counter increment per transition — each tagged with the
+  from/to stage — through Crucible's vendor-neutral telemetry seam. Telemetry arrives as an
+  injected `telemetry.Provider`, so a host wires an slog, otel, or datadog backend while
+  the default runs silently.
+
+[0.1.0]: https://github.com/stablekernel/crucible/releases/tag/examples/dispatch/v0.1.0
diff --git a/examples/dispatch/README.md b/examples/dispatch/README.md
@@ -13,7 +13,24 @@ import "github.com/stablekernel/crucible/examples/dispatch"
 `dispatch` takes the order-lifecycle statechart from the
 [`fooddelivery`](../fooddelivery) example — a rich machine with hierarchy, parallel
 regions, actors, invoked services, a timed SLA watchdog, and a compensation saga —
-and runs it under the whole Crucible suite, one capability at a time.
+and runs that one machine under the whole Crucible suite. The same order saga is shown
+to be, in turn, proven, durable, distributed, polyglot, and observable.
+
+## What it demonstrates
+
+- **Proof** — `Prove` establishes the order saga is well-formed before any order is
+  dispatched: key stages reachable, Watchdog leaves mutually exclusive, no dead guard.
+- **Durable execution** — `RunCrashRecovery` runs the saga across a process crash and
+  reconstructs it from the store alone; `RunTimeTravel` replays its lifecycle read-only.
+- **Distributed fulfillment** — `RunDistributedFulfillment` runs the kitchen and courier
+  as remote cluster actors over real gRPC, with a worker-side supervisor restarting a
+  crashed actor.
+- **Polyglot guard** — `RunPolyglotEquivalence` proves the "generous order" guard decides
+  identically in the in-tree CEL engine and in a WebAssembly guest.
+- **Observability** — `RunObservedSaga` drives the saga to `Delivered` while emitting a
+  span and a metric per transition through Crucible's vendor-neutral telemetry seam.
+
+## Proof
 
 This first capability proves the machine. Before any order is dispatched, `Prove`
 establishes that the saga is well-formed:
@@ -155,5 +172,40 @@ if err != nil {
 // were observed — proof the WebAssembly guard and the CEL guard decide identically.
 ```
 
-Later capabilities build on this proven, durable, distributed, polyglot core — adding
-observation — each added without disturbing the proof.
+## Observability
+
+The final capability runs the proven, durable saga while **observing** every
+transition through Crucible's [`telemetry`](../../telemetry) seam — a vendor-neutral
+tracing and metrics interface with no backend baked in. There is no kernel hook into
+the state machine; the host wraps its own drive calls, opening a span and incrementing
+a counter around each transition.
+
+`RunObservedSaga` drives the order to `Delivered` and, for each transition, emits an
+`order.transition` span and an `order.transitions` counter increment, each tagged with
+the `from`/`to` stage — so the telemetry narrates the order's path. Telemetry arrives as
+an injected `telemetry.Provider`: a host wires an slog, otel, or datadog adapter, while
+the default `telemetry.Nop()` runs the saga silently and allocation-free. The function
+returns an `ObservedReport` of the observed facts (transition count, path, final stage),
+so the run is verifiable from its return value with the emitted telemetry as the
+human-facing trace.
+
+```go
+logger := slog.New(slog.NewTextHandler(os.Stderr, &slog.HandlerOptions{Level: slog.LevelDebug}))
+tel := telemetry.Nop().Apply(
+	telemetry.WithTracer(crucibleslog.NewTracer(crucibleslog.WithLogger(logger))),
+	telemetry.WithMeter(crucibleslog.NewMeter(crucibleslog.WithLogger(logger))),
+)
+
+report, err := dispatch.RunObservedSaga(ctx, tel)
+if err != nil {
+	log.Fatal(err)
+}
+// report.Transitions is 3; report.FinalStage is Delivered; the logger captured a span
+// and a metric per transition, tagged with the from/to stage.
+```
+
+## The capstone
+
+`TestCapstone_*` ties the whole story together: it runs the same order machine through
+all five capabilities in sequence — proven, durable, distributed, polyglot, observed —
+asserting each stage's headline result, so the showcase reads as a single narrative.
diff --git a/examples/dispatch/bench_test.go b/examples/dispatch/bench_test.go
@@ -0,0 +1,32 @@
+package dispatch_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stablekernel/crucible/examples/dispatch"
+	"github.com/stablekernel/crucible/telemetry"
+)
+
+// BenchmarkObservedSaga measures the cost of driving the order saga to Delivered
+// under the durable runtime while emitting a span and a metric per transition. The
+// "nop" sub-benchmark uses the silent no-op provider so it measures the durable drive
+// path alone; the "observed" sub-benchmark wires the same run to a telemetry Provider
+// so the difference isolates the instrumentation overhead the host adds per
+// transition.
+//
+// Run with: go test -bench=. -benchmem -run=^$ ./...
+func BenchmarkObservedSaga(b *testing.B) {
+	ctx := context.Background()
+
+	b.Run("nop", func(b *testing.B) {
+		tel := telemetry.Nop()
+		b.ReportAllocs()
+		b.ResetTimer()
+		for i := range b.N {
+			if _, err := dispatch.RunObservedSaga(ctx, tel); err != nil {
+				b.Fatalf("iteration %d: RunObservedSaga: %v", i, err)
+			}
+		}
+	})
+}
diff --git a/examples/dispatch/capstone_test.go b/examples/dispatch/capstone_test.go
@@ -0,0 +1,113 @@
+package dispatch
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stablekernel/crucible/cluster"
+	"github.com/stablekernel/crucible/examples/fooddelivery"
+	"github.com/stablekernel/crucible/telemetry"
+)
+
+// TestCapstone_OrderSagaProvenDurableDistributedPolyglotObserved is the flagship
+// narrative of the Crucible showcase: it runs the WHOLE story over the single
+// food-delivery order machine, in sequence, asserting each capability's headline
+// result. The same proven order saga is shown to run:
+//
+//	proven       — Prove establishes the machine is well-formed (every key stage
+//	               reachable, the Watchdog leaves mutually exclusive, no dead guard);
+//	durable      — RunCrashRecovery drives it under the durable runtime, crashes the
+//	               process, and reconstructs it from the store alone, then on to
+//	               Delivered;
+//	distributed  — RunDistributedFulfillment hosts the kitchen and courier as remote
+//	               cluster actors over real gRPC, restarts a crashed worker actor, and
+//	               drives both to completion across the wire;
+//	polyglot     — RunPolyglotEquivalence proves the generous-order guard decides
+//	               identically in CEL and in a WebAssembly guest;
+//	observed     — RunObservedSaga drives it to Delivered while emitting a span and a
+//	               metric per transition through the vendor-neutral telemetry seam.
+//
+// It is a Test rather than an Example because the distributed (gRPC) and polyglot
+// (WASM compile) stages make raw output ordering nondeterministic; the assertions
+// below pin each stage's headline result deterministically and keep CI fast.
+func TestCapstone_OrderSagaProvenDurableDistributedPolyglotObserved(t *testing.T) {
+	ctx := context.Background()
+
+	// (1) Proven — the order machine is well-formed before any order is dispatched.
+	model, err := fooddelivery.NewModel()
+	if err != nil {
+		t.Fatalf("capstone: build model: %v", err)
+	}
+	proof, err := Prove(model)
+	if err != nil {
+		t.Fatalf("capstone: prove: %v", err)
+	}
+	if !proof.Sound() {
+		t.Fatalf("capstone: order saga is not sound: %+v", proof)
+	}
+
+	// (2) Durable — the proven saga survives a process crash, reconstructs from the
+	// store alone, and drives on to Delivered.
+	recovery, err := RunCrashRecovery(ctx, t.TempDir())
+	if err != nil {
+		t.Fatalf("capstone: crash recovery: %v", err)
+	}
+	if got := recovery.RecoveredConfig; len(got) != 2 ||
+		got[0] != fooddelivery.Cooking || got[1] != fooddelivery.OnTime {
+		t.Fatalf("capstone: recovered config = %v, want [Cooking OnTime]", got)
+	}
+	if got := recovery.FinalConfig; len(got) != 1 || got[0] != fooddelivery.Delivered {
+		t.Fatalf("capstone: final config = %v, want [Delivered]", got)
+	}
+
+	// (3) Distributed — the same fulfillment actors run as remote cluster actors over
+	// gRPC, a crashed worker actor is supervised back to life, and both are driven to
+	// completion across the wire.
+	dist, err := RunDistributedFulfillment(ctx)
+	if err != nil {
+		t.Fatalf("capstone: distributed fulfillment: %v", err)
+	}
+	if dist.SupervisorDecision != cluster.Restart {
+		t.Fatalf("capstone: supervisor decision = %v, want Restart", dist.SupervisorDecision)
+	}
+	if dist.Restarts != 1 {
+		t.Fatalf("capstone: restarts = %d, want 1", dist.Restarts)
+	}
+	if dist.Delivered != 2 {
+		t.Fatalf("capstone: signals delivered over the wire = %d, want 2", dist.Delivered)
+	}
+	if len(dist.Spawned) != 2 {
+		t.Fatalf("capstone: remote actors spawned = %d, want 2", len(dist.Spawned))
+	}
+
+	// (4) Polyglot — the generous-order guard decides identically in CEL and WASM.
+	poly, err := RunPolyglotEquivalence(ctx, buildGenerousGuest(t))
+	if err != nil {
+		t.Fatalf("capstone: polyglot equivalence: %v", err)
+	}
+	if !poly.Equivalent {
+		t.Fatalf("capstone: CEL and WASM guards not equivalent: %+v", poly)
+	}
+
+	// (5) Observed — the saga drives to Delivered while emitting a span and a metric
+	// per transition through the telemetry seam.
+	observed, err := RunObservedSaga(ctx, telemetry.Nop())
+	if err != nil {
+		t.Fatalf("capstone: observed saga: %v", err)
+	}
+	if observed.FinalStage != fooddelivery.Delivered {
+		t.Fatalf("capstone: observed final stage = %v, want Delivered", observed.FinalStage)
+	}
+	if observed.Transitions != 3 {
+		t.Fatalf("capstone: observed transitions = %d, want 3", observed.Transitions)
+	}
+
+	// The single coherent story: one order machine, proven sound, run durably across a
+	// crash, distributed over gRPC, decided polyglot, and observed to Delivered.
+	t.Logf("capstone: order saga proven (sound=%t), durable (recovered %v → %v), "+
+		"distributed (%d actors, %d wire signals, decision=%v), polyglot (equivalent=%t), "+
+		"observed (%d transitions → %v)",
+		proof.Sound(), recovery.RecoveredConfig, recovery.FinalConfig,
+		len(dist.Spawned), dist.Delivered, dist.SupervisorDecision,
+		poly.Equivalent, observed.Transitions, observed.FinalStage)
+}
diff --git a/examples/dispatch/doc.go b/examples/dispatch/doc.go
@@ -45,6 +45,19 @@
 // exercises both verdicts, the resulting [PolyglotReport.Equivalent] is meaningful proof
 // the WebAssembly guard and the CEL guard decide the predicate identically.
 //
-// Later capabilities build on this proven, durable, distributed, polyglot core — adding
-// observation — each layered on as an additive addition without disturbing the proof.
+// The final capability observes the proven, durable saga through Crucible's
+// vendor-neutral telemetry seam. [RunObservedSaga] drives the order to Delivered under
+// the durable runtime and, for every transition, opens an "order.transition" span and
+// increments an "order.transitions" counter — each tagged with the from/to stage — so
+// the emitted telemetry narrates the order's path. There is no kernel hook into the
+// state machine; the host wraps its own drive calls. Telemetry arrives as an injected
+// [telemetry.Provider], so a host wires an slog, otel, or datadog adapter while the
+// silent [telemetry.Nop] default runs the saga allocation-free; the function returns an
+// [ObservedReport] of the observed facts so the run is verifiable from its return value.
+//
+// The capstone test ties the whole story together: it runs the same order machine
+// through all five capabilities in sequence — proven, durable, distributed, polyglot,
+// observed — asserting each stage's headline result, so the showcase reads as a single
+// narrative proving one machine runs proven, durable, distributed, polyglot, and
+// observed.
 package dispatch
diff --git a/examples/dispatch/go.mod b/examples/dispatch/go.mod
@@ -16,11 +16,17 @@ replace github.com/stablekernel/crucible/transport => ../../transport
 
 replace github.com/stablekernel/crucible/wasm => ../../wasm
 
+replace github.com/stablekernel/crucible/telemetry => ../../telemetry
+
+replace github.com/stablekernel/crucible/telemetry/slog => ../../telemetry/slog
+
 require (
 	github.com/stablekernel/crucible/cluster v0.0.0-00010101000000-000000000000
 	github.com/stablekernel/crucible/durable v0.0.0-00010101000000-000000000000
 	github.com/stablekernel/crucible/examples/fooddelivery v0.0.0-00010101000000-000000000000
 	github.com/stablekernel/crucible/state v0.0.0-00010101000000-000000000000
+	github.com/stablekernel/crucible/telemetry v0.0.0
+	github.com/stablekernel/crucible/telemetry/slog v0.0.0-00010101000000-000000000000
 	github.com/stablekernel/crucible/transport v0.0.0-00010101000000-000000000000
 	github.com/stablekernel/crucible/wasm v0.0.0-00010101000000-000000000000
 	google.golang.org/grpc v1.81.1