From 8e5872ca607575788221c4e446f4fb65ed59e97e Mon Sep 17 00:00:00 2001
From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com>
Date: Mon, 18 May 2026 04:57:01 +0100
Subject: [PATCH] policy: Guix primary + sealed-container escape; retire Nix-mirror-everywhere
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RULED 2026-05-18 (estate-wide). Supersedes the prior standing rule "Nix shard fallback on Guix channel primary everywhere".

- spec/LANGUAGE-POLICY.adoc §Package Management: canonical statement updated. One packager per repo; sealed container (not a Nix mirror) is the single universal escape hatch for the not-in-Guix / non-free tail; a second packager only as the sole source of a specific named dependency.
- debt.a2ml: estate-wide flake.nix-mirror removal + consumer-doc reconciliation recorded as a SHOULD debt item (echidna PR #73 is the landed pilot).

Rationale: a Nix file that only mirrors the Guix manifest is two incomplete manifests kept in sync by hand plus containers anyway = pure drift surface, never exercised as a real fallback. Fewer moving parts; thesis-aligned with Guix full-source bootstrap + time-machine provenance.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .machine_readable/agent_instructions/debt.a2ml | 11 ++++++++++-
 .../spec/LANGUAGE-POLICY.adoc | 18 +++++++++++++++---
 2 files changed, 25 insertions(+), 4 deletions(-)

diff --git a/.machine_readable/agent_instructions/debt.a2ml b/.machine_readable/agent_instructions/debt.a2ml
index f46451a6..38582054 100644
--- a/.machine_readable/agent_instructions/debt.a2ml
+++ b/.machine_readable/agent_instructions/debt.a2ml
@@ -9,7 +9,7 @@
 
 [metadata]
 version = "1.0.0"
-last-updated = "2026-03-24"
+last-updated = "2026-05-18"
 
 # ============================================================================
 # DEBT ITEMS 
@@ -34,6 +34,15 @@ last-updated = "2026-03-24"
 # impact = "medium"
 # discovered = "2026-03-23"
 
+[[debt.should]]
+component = "estate-wide / standards CLAUDE.md §Package Management"
+issue = "Guix-primary ruling 2026-05-18 (Guix primary + sealed-container escape; NO Nix mirror). Tech debt to clear: (1) update standards CLAUDE.md §Package Management ('Fallback: Nix (flake.nix)' -> 'Escape hatch: sealed container; no Nix mirror'); (2) estate-wide sweep removing every flake.nix that only mirrors a guix.scm/manifest (echidna flake.nix deprecated in its L3/L1 PR as the pilot). A second packager is permitted ONLY where it is the sole source of a specific named dependency, documented as such."
+effort = "hard"
+impact = "medium"
+priority = "should"
+discovered = "2026-05-18"
+ref = "memory: reference_packaging_guix_primary_container_escape"
+
 # ============================================================================
 # COULD — would fix eventually
 # ============================================================================
diff --git a/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc b/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc
index e9f075cd..4479dfe6 100644
--- a/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc
+++ b/rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc
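Review bot: The new `[[debt.should]]` item gives the sweep no closure criterion — `issue` says a surviving second packager must be "documented as such" but not where that justification lives or how the sweep tells a mirror from a justified second manifest, so the item cannot be objectively closed. Consider ending the `issue` string with `Done when: no flake.nix remains without an in-repo note naming the dependency it is the sole source of.` `ref` points at an agent memory note (`memory: reference_packaging_guix_primary_container_escape`) that nobody outside that agent's session can open; the canonical in-repo statement this same commit adds is `rhodium-standard-repositories/spec/LANGUAGE-POLICY.adoc` §Package Management, which is the reference a human reviewer can follow. If the a2ml parser accepts TOML multi-line basic strings, splitting the ~500-character `issue` value with `"""` and line-ending `\` would keep future edits to it reviewable line by line.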
@@ -196,15 +196,27 @@ Both are FOSS with independent governance.
 
 == Package Management
 
+RULED 2026-05-18 (estate-wide): **Guix primary + sealed-container escape; NO
+Nix mirror.** One packager per repo. A `flake.nix` that only mirrors a Guix
+manifest is drift to remove, not a fallback. A second packager is permitted
+only where it is the *sole* source of a *specific named* dependency, and that
+dependency is documented as the reason. Supersedes the prior "Nix fallback
+everywhere" rule.
+
 [cols="1,2"]
 |===
 | Priority | Tool
 
 | *Primary*
-| Guix (guix.scm)
+| Guix (`guix.scm`, `manifest.scm`)
+
+| *Escape hatch*
+| Sealed container (Podman / Containerfile, Svalinn-sealed) — the single
+ universal path for the not-in-Guix / non-free tail. Not a Nix mirror.
 
-| *Fallback*
-| Nix (flake.nix)
+| *Second packager*
+| Permitted only as the sole source of a specific named dependency,
+ documented as such (never a blanket mirror).
 
 | *JS deps*
 | Deno (deno.json imports)
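Review bot: The new *Escape hatch* row makes a sealed container the single route for every not-in-Guix or non-free dependency, yet neither the row nor the RULED paragraph says what "sealed" or "Svalinn-sealed" guarantees, so a reader cannot tell whether a given Containerfile complies. That route is exactly where provenance is weakest compared with the Guix path, so the row should cross-reference the definition — for example append `(see the Svalinn section for what sealing requires)` if such a section exists elsewhere in this file, or state the minimum inline (base image pinned by digest, build run without network). Likewise the *Second packager* row and the paragraph both require the dependency to be "documented as such" without naming where; a clause such as `, recorded in the repo's packaging notes next to the second manifest` would make the rule checkable rather than a matter of reviewer judgement.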