carson 4.3.0 → 4.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5d25d50d20c3cc3244b3ab246ca7f5b661e097146993fee1cc5b8dd66f978938
-  data.tar.gz: 1d2f6a26fc79dc62688c409557f2b74328f593f2e582af17c4a6fa020bb1b75b
+  metadata.gz: aaef0edd290f56dd797540049069bdb07d2d5e86cef8ca30c6c40d735d37740e
+  data.tar.gz: 6b5d0df422508ef217f275fdaed1ecbc0a6b3b1e800acab0c1520c38a3cd58cd
 SHA512:
-  metadata.gz: 234de9b2d4bad297af4b7bf24bd396629690bde5925fa743d9438316dcbb146f88e444b0aed61a72c022de32e34ba09aeedfb078afc4711973437eb5a38e6279
-  data.tar.gz: 2d3438c23a8146367289413e28d756eee5cb303c58c5820273f471482a83f351d0fc379a3db01a6edbbcdd5f13afbce508b8f999344d0e295dfb6fd74c816f88
+  metadata.gz: eede4e41d8d530bb528d0515352f6879b2c4b8f64dacec0c767128f4f8151dcb22b620d0d946ebac395e5edb199f0296acfd7120c4aa211c3e70fc0069910fe1
+  data.tar.gz: ce5aa317bba3e47807e918a1432ae2ff9b7254f8f921e09420062e84cefd4bdee3eb3de20073e6d8c1167c6ccde487ac267842f4fc17ec2b6dce4ca6eedf70f8

data/RELEASE.md

@@ -7,6 +7,19 @@ Release-note scope rule:
 
 ## Unreleased
 
+## 4.3.1
+
+### Changed
+
+- **Bureau is an enhancement, not a mode.** Config simplified from `workstyle: local/remote` to `bureau: true/false` (default: false). Local delivery is always the foundation. Bureau adds PR + CI on top.
+- **Pre-push hook simplified to no-op.** Pushes to main are always legitimate — local delivery is the base. The hook no longer needs workstyle detection or push guards.
+- **Parcel-on-main guard added.** `carson deliver` blocks when run from main itself — agents must work on a workbench.
+- **Output: "Synced to remote"** replaces "Pushed to remote". Sync is objective.
+
+### Why
+
+The key insight: remote-centred is not a different path — it's local delivery with Bureau enhancement bolted on. One path, optional layer. `workstyle` dissolved into a single `bureau` toggle. 72 insertions, 166 deletions.
+
 ## 4.3.0
 
 ### New

data/VERSION

@@ -1 +1 @@
-4.3.0
+4.3.1

data/config/hooks/pre-push

@@ -1,60 +1,14 @@
 #!/usr/bin/env bash
-# Carson pre-push hook — enforces push policy in governed repositories.
+# Carson pre-push hook.
 #
-# Guards:
-#   1. Blocks direct push to main/master refs.
-#   2. Blocks raw git push in governed repos — agents must use `carson deliver`.
-#      Carson bypasses via --no-verify internally. No env-var signal to spoof.
+# Local delivery is always the base — pushes to main are legitimate.
+# When bureau enhancement is enabled, the Bureau path runs through
+# Runtime.deliver!, not through raw git push. So the hook has nothing
+# to enforce in either case.
 #
-# Bypass: git push --no-verify
+# The hook remains installed for future use (e.g. bureau-specific guards).
+# For now: consume stdin and exit.
 set -euo pipefail
 
-hooks_dir="$(cd "$(dirname "$0")" && pwd)"
-style="$(cat "$hooks_dir/workflow_style" 2>/dev/null || echo "branch")"
-[ "$style" = "trunk" ] && exit 0
-
-# --- Guard 1: block pushes to main/master refs ---
-
-remote_name="${1:-unknown}"
-remote_url="${2:-unknown}"
-has_commit_push=false
-while read -r local_ref local_sha remote_ref remote_sha; do
-	case "$remote_ref" in
-		refs/heads/main|refs/heads/master)
-			echo "Pushes to ${remote_ref#refs/heads/} go through PRs, not direct push." >&2
-			echo "Use \`carson deliver\` instead — it handles push, PR, and merge with safety guards." >&2
-			echo "Bypass: git push --no-verify" >&2
-			exit 1
-			;;
-	esac
-	[[ "$local_sha" != "0000000000000000000000000000000000000000" ]] && has_commit_push=true
-done
-
-# --- Guard 2: block raw git push in governed repos ---
-# All pushes in governed repos are blocked unconditionally.
-# Carson bypasses this hook via --no-verify when pushing internally.
-# No env-var bypass — cannot be spoofed.
-
-config_file="${HOME}/.carson/config.json"
-if [[ -f "$config_file" ]]; then
-	repo_root="$(git rev-parse --show-toplevel 2>/dev/null || echo "")"
-	if [[ -n "$repo_root" ]]; then
-		normalised="$(cd "$repo_root" && pwd -P)"
-		if grep -qF "\"$normalised\"" "$config_file" 2>/dev/null; then
-			echo "This repo is Carson-governed — use \`carson deliver\` instead of raw \`git push\`." >&2
-			echo "Use \`carson deliver\` instead — it handles push, PR, and merge with safety guards." >&2
-			echo "Bypass: git push --no-verify" >&2
-			exit 1
-		fi
-	fi
-fi
-
-# --- Template sync on push ---
-
-if $has_commit_push; then
-	if [[ -n "${CARSON_BIN:-}" ]]; then
-		ruby "$CARSON_BIN" template apply --push-prep || exit 1
-	else
-		carson template apply --push-prep || exit 1
-	fi
-fi
+cat > /dev/null
+exit 0

data/lib/carson/config.rb

@@ -34,7 +34,7 @@ module Carson
 			:govern_agent_provider, :govern_state_path,
 			:govern_check_wait,
 			:poll_interval_at_bureau,
-			:workstyle
+			:bureau
 
 		def self.load( repo_root: )
 			base_data = default_data
@@ -86,7 +86,7 @@ module Carson
 				"deliver" => {
 				"poll_interval_at_bureau" => 30
 			},
-			"workstyle" => "local",
+			"bureau" => false,
 			"govern" => {
 					"repos" => [],
 					"merge" => {
@@ -249,8 +249,7 @@ module Carson
 			deliver_hash = fetch_hash( hash: data, key: "deliver" )
 			@poll_interval_at_bureau = fetch_non_negative_integer( hash: deliver_hash, key: "poll_interval_at_bureau" )
 
-			workstyle_raw = data.fetch( "workstyle", "local" ).to_s.downcase
-			@workstyle = [ "local", "remote" ].include?( workstyle_raw ) ? workstyle_raw.to_sym : :local
+			@bureau = !!data.fetch( "bureau", false )
 
 			govern_hash = fetch_hash( hash: data, key: "govern" )
 			@govern_repos = fetch_optional_string_array( hash: govern_hash, key: "repos" ).map { |path| safe_expand_path( path ) }

data/lib/carson/courier.rb

@@ -64,11 +64,10 @@ module Carson
 	# == Workstyle
 	#
 	# The courier's gesture depends on the workstyle:
-	# - :local — push main to backup vault (simple, no PR, no waiting)
-	# - :remote — ship → waybill → bureau → acceptance (complex Bureau trip)
-	#
-	# The courier doesn't know whether it's doing "backup" or "primary" —
-	# it just delivers to wherever the workstyle dictates.
+	# The courier delivers parcels. The default gesture is local: sync the
+	# vault to the remote. When bureau enhancement is enabled, the courier
+	# also files a PR and waits for Bureau checks — but that path runs
+	# through Runtime.deliver!, not through this default gesture.
 	class Courier
 		# Exit codes — shared contract between Carson employees and the CLI.
 		OK = 0
@@ -80,9 +79,9 @@ module Carson
 		# The courier checks the bureau up to 6 times before leaving.
 		MAX_CHECKS_AT_BUREAU = 6
 
-		def initialize( warehouse, workstyle: :local, ledger: nil, merge_method: "rebase", poll_interval_at_bureau: 30, output: $stdout )
+		def initialize( warehouse, bureau: false, ledger: nil, merge_method: "rebase", poll_interval_at_bureau: 30, output: $stdout )
 			@warehouse = warehouse
-			@workstyle = workstyle
+			@bureau = bureau
 			@ledger = ledger
 			@merge_method = merge_method
 			@poll_interval_at_bureau = poll_interval_at_bureau
@@ -90,10 +89,10 @@ module Carson
 		end
 
 		# Deliver a parcel.
-		# Local gesture: push main to backup vault.
-		# Remote gesture: ship to Bureau, file waybill, poll, register.
+		# Default: sync the vault to the remote.
+		# Bureau enhancement: also file waybill, poll, register.
 		def deliver( parcel, title: nil, body_file: nil, commit_message: nil )
-			return deliver_locally( parcel ) if @workstyle == :local
+			return deliver_locally( parcel ) unless @bureau
 
 			result = {
 				command: "deliver",
@@ -255,9 +254,9 @@ module Carson
 			result[ :diagnostic ] = waybill.ci_diagnostic
 		end
 
-		# Local gesture: push main to the backup vault.
+		# Local gesture: sync the vault to the remote.
 		# The parcel is already in the vault (accepted by the Warehouse).
-		# The courier's job is to push the vault state to the remote backup.
+		# The courier's job is to push the vault state to the remote.
 		def deliver_locally( parcel )
 			result = {
 				command: "deliver",
@@ -269,11 +268,9 @@ module Carson
 			main = @warehouse.main_label
 			root = @warehouse.main_worktree_root
 
-			# --no-verify bypasses the pre-push hook that blocks direct pushes
-			# to main in governed repos. This IS Carson's delivery — the vault
-			# accepted the parcel, now the courier backs it up.
+			# The pre-push hook understands local workstyle — no bypass needed.
 			_, stderr, status = Open3.capture3(
-				"git", "-C", root, "push", "--no-verify", remote, main
+				"git", "-C", root, "push", remote, main
 			)
 
 			if status.success?
@@ -284,7 +281,7 @@ module Carson
 				result[ :exit ] = OK
 				result[ :outcome ] = "delivered"
 				result[ :synced ] = false
-				result[ :backup_error ] = stderr.strip
+				result[ :sync_error ] = stderr.strip
 			end
 
 			result

data/lib/carson/runtime/deliver.rb

@@ -20,7 +20,7 @@ module Carson
 					head: current_head
 				)
 				courier = Courier.new( warehouse,
-				workstyle: :remote,
+				bureau: true,
 				ledger: ledger,
 				merge_method: config.govern_merge_method,
 				poll_interval_at_bureau: config.poll_interval_at_bureau,

data/lib/cli.rb

@@ -131,25 +131,19 @@ module Carson
 			OptionParser.new do |parser|
 				parser.banner = "Usage: carson <command> [options]\n       carson <repo> <command> [options]"
 				parser.separator ""
-				parser.separator "Repository governance and workflow automation for coding agents."
-				parser.separator ""
-				parser.separator "Portfolio commands:"
-				parser.separator "    list         List governed repositories"
-				parser.separator "    onboard      Register a repository for governance (requires repo path)"
-				parser.separator "    offboard     Remove a repository from governance (requires repo path)"
-				parser.separator "    refresh      Re-install hooks and configuration (all governed repos)"
-				parser.separator "    version      Show Carson version"
+				parser.separator "Keep agents from breaking main. Keep agents from breaking each other."
 				parser.separator ""
 				parser.separator "Agent workflow:"
-				parser.separator "    checkin      Prepare a fresh workbench from the latest standard"
-				parser.separator "    deliver      Ship committed work — push, PR, merge, cleanup"
+				parser.separator "    checkin      Get a fresh workbench"
+				parser.separator "    deliver      Accept into main and back up to remote"
 				parser.separator ""
-				parser.separator "Repository commands (from CWD or with explicit repo):"
-				parser.separator "    checkout     Release a workbench when done"
-				parser.separator "    status       Show repository delivery state"
-				parser.separator "    audit        Run pre-commit health checks"
+				parser.separator "Portfolio:"
+				parser.separator "    onboard      Start governing a repository"
+				parser.separator "    offboard     Stop governing a repository"
+				parser.separator "    list         Show governed repositories"
+				parser.separator "    version      Show Carson version"
 				parser.separator ""
-				parser.separator "Run `carson <command> --help` for details on a specific command."
+				parser.separator "Run `carson <command> --help` for details."
 			end
 		end
 
@@ -813,20 +807,20 @@ module Carson
 
 			options = { json: false, title: nil, body_file: nil, commit_message: nil }
 			deliver_parser = OptionParser.new do |parser|
-				parser.banner = "Usage: carson deliver [--json] [--title TITLE] [--body-file PATH] [--commit MESSAGE]"
+				parser.banner = "Usage: carson deliver [--json] [--commit MESSAGE]"
 				parser.separator ""
-				parser.separator "Push the current branch, create or refresh the pull request, and hand the branch to Carson."
-				parser.separator "Use --commit to create one all-dirty delivery commit before Carson pushes and opens the PR."
+				parser.separator "Accept committed work into main and sync to remote."
+				parser.separator "Use --commit to stage and commit all changes before delivery."
 				parser.separator ""
 				parser.separator "Options:"
 				parser.on( "--json", "Machine-readable JSON output" ) { options[ :json ] = true }
-				parser.on( "--title TITLE", "PR title (defaults to branch name)" ) { |value| options[ :title ] = value }
-				parser.on( "--body-file PATH", "File containing PR body text" ) { |value| options[ :body_file ] = value }
-				parser.on( "--commit MESSAGE", "Commit all dirty user changes before delivery" ) { |value| options[ :commit_message ] = value }
+				parser.on( "--title TITLE", "PR title (remote workstyle only)" ) { |value| options[ :title ] = value }
+				parser.on( "--body-file PATH", "PR body file (remote workstyle only)" ) { |value| options[ :body_file ] = value }
+				parser.on( "--commit MESSAGE", "Commit all changes before delivery" ) { |value| options[ :commit_message ] = value }
 				parser.separator ""
 				parser.separator "Examples:"
 				parser.separator "    carson deliver                               Deliver existing commits"
-				parser.separator "    carson deliver --commit \"fix: harden flow\"   Commit dirty changes, then deliver"
+				parser.separator "    carson deliver --commit \"fix: harden flow\"   Commit then deliver"
 			end
 			deliver_parser.parse!( arguments )
 			if options.fetch( :commit_message, nil ).to_s.strip.empty? && !options.fetch( :commit_message, nil ).nil?
@@ -1023,15 +1017,15 @@ module Carson
 			when "template:apply"
 				runtime.template_apply!( push_prep: parsed.fetch( :push_prep, false ) )
 			when "deliver"
-				if runtime.config.workstyle == :local
-					dispatch_deliver_locally( parsed: parsed, runtime: runtime )
-				else
+				if runtime.config.bureau
 					runtime.deliver!(
 						title: parsed.fetch( :title, nil ),
 						body_file: parsed.fetch( :body_file, nil ),
 						commit_message: parsed.fetch( :commit_message, nil ),
 						json_output: parsed.fetch( :json, false )
 					)
+				else
+					dispatch_deliver_locally( parsed: parsed, runtime: runtime )
 				end
 			when "recover"
 				runtime.recover!(
@@ -1102,6 +1096,14 @@ module Carson
 			json = parsed.fetch( :json, false )
 			output = runtime.output
 
+			# Guard: cannot deliver from main itself.
+			if parcel.on_main?( runtime.config.main_branch )
+				result = { command: "deliver", status: "block",
+					error: "Cannot deliver from #{runtime.config.main_branch}.",
+					recovery: "carson checkin <name>" }
+				return report_deliver( result: result, json: json, output: output )
+			end
+
 			# Step 1: Prepare.
 			prep = warehouse.prepare!( parcel, message: message )
 			unless prep[ :status ] == "ok"
@@ -1119,12 +1121,12 @@ module Carson
 				return report_deliver( result: accept, json: json, output: output )
 			end
 
-			# Step 3: Courier delivers backup.
-			courier = Courier.new( warehouse, workstyle: :local, output: output )
-			backup = courier.deliver( parcel )
+			# Step 3: Courier syncs to remote.
+			courier = Courier.new( warehouse, output: output )
+			sync = courier.deliver( parcel )
 
 			# Combine results.
-			result = accept.merge( backup.slice( :outcome, :synced, :backup_error ) )
+			result = accept.merge( sync.slice( :outcome, :synced, :sync_error ) )
 			result[ :command ] = "deliver"
 			result[ :outcome ] ||= "delivered"
 			report_deliver( result: result, json: json, output: output )
@@ -1146,9 +1148,9 @@ module Carson
 				when "ok"
 					output.puts "#{BADGE} #{result[ :branch ]} merged into main."
 					if result[ :synced ]
-						output.puts "#{BADGE} Pushed to #{result.fetch( :remote_main, "remote" )}."
-					elsif result[ :backup_error ]
-						output.puts "#{BADGE} Backup failed."
+						output.puts "#{BADGE} Synced to remote."
+					elsif result[ :sync_error ]
+						output.puts "#{BADGE} Sync failed."
 						output.puts "  \u2192 git push"
 					end
 				when "block", "error"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: carson
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.3.1
 platform: ruby
 authors:
 - Hailei Wang