textus 0.51.0 → 0.52.0

data/lib/textus/maintenance/drain.rb

@@ -0,0 +1,42 @@
+module Textus
+  module Maintenance
+    # Converge-and-exit: seed the full convergence set for the scope, run the
+    # worker until the queue is empty, return a health summary. Exits not-ok if
+    # any job dead-lettered. This is the converge entry point and what CI
+    # runs. Single-pass (serial) on purpose: each produce job self-locks via
+    # Produce::Engine.converge, so running them in turn keeps the build lock
+    # uncontended; a concurrent pool would make all-but-one produce job hit
+    # BuildInProgress and skip.
+    class Drain
+      extend Textus::Contract::DSL
+
+      verb     :drain
+      summary  "Converge everything now: seed produce + retention jobs and drain the queue to empty."
+      surfaces :cli, :mcp
+      cli      "drain"
+      arg :prefix, String, description: "restrict convergence to keys under this dotted prefix"
+      arg :zone,   String, description: "restrict convergence to entries in this zone"
+
+      def initialize(container:, call:)
+        @container = container
+        @call = call
+      end
+
+      def call(prefix: nil, zone: nil)
+        queue = Textus::Ports::Queue.new(root: @container.root)
+        Textus::Jobs::Seeder.new(container: @container, queue: queue, call: @call).seed(prefix: prefix, zone: zone)
+
+        summary = Worker.for(container: @container, queue: queue).drain
+        health = Read::Doctor.new(container: @container, call: @call).call
+
+        {
+          "protocol" => Textus::PROTOCOL,
+          "ok" => summary.failed.zero?,
+          "completed" => summary.completed,
+          "failed" => summary.failed,
+          "health" => health,
+        }
+      end
+    end
+  end
+end

data/lib/textus/maintenance/retention/apply.rb

@@ -0,0 +1,52 @@
+require "fileutils"
+
+module Textus
+  module Maintenance
+    module Retention
+      # The destructive half of convergence: apply retention rows (drop/archive).
+      # Lifted verbatim from the legacy reconcile apply/archive_leaf so drain/serve and
+      # the `sweep` job handler share one path. Runs as the caller's role — never
+      # self-elevates (ADR 0079/0093: destructiveness decides authority).
+      class Apply
+        def initialize(container:, call:)
+          @container = container
+          @call = call
+        end
+
+        def call(rows)
+          out = { dropped: [], archived: [], failed: [] }
+          delete = Write::KeyDelete.new(container: @container, call: @call)
+          rows.each do |row|
+            key = row["key"]
+            begin
+              case row["action"]
+              when "drop"
+                delete.call(key)
+                out[:dropped] << key
+              when "archive"
+                archive_leaf(row)
+                delete.call(key)
+                out[:archived] << key
+              end
+            rescue Textus::Error => e
+              out[:failed] << { "key" => key, "error" => e.message }
+            end
+          end
+          out
+        end
+
+        private
+
+        # Copy the leaf into <store>/archive/<relative-path> before deletion.
+        def archive_leaf(row)
+          src  = row["path"]
+          root = @container.root.to_s
+          rel  = src.delete_prefix("#{root}/")
+          dest = File.join(root, "archive", rel)
+          FileUtils.mkdir_p(File.dirname(dest))
+          FileUtils.cp(src, dest)
+        end
+      end
+    end
+  end
+end

data/lib/textus/maintenance/serve.rb

@@ -0,0 +1,30 @@
+module Textus
+  module Maintenance
+    # The convergence daemon loop: seed scheduled work (TTL re-pull + sweep),
+    # reclaim crashed leases, drain the queue, sleep, repeat. `tick` is one
+    # iteration (unit-testable); `run` loops forever. Drains serially for the
+    # same reason as Drain — each produce job self-locks, so running them in turn
+    # keeps the build lock uncontended.
+    class Serve
+      def initialize(container:, call:)
+        @container = container
+        @call = call
+        @queue = Textus::Ports::Queue.new(root: container.root)
+      end
+
+      def tick
+        Textus::Jobs::Scheduler.new(container: @container, queue: @queue).run_once
+        @queue.reclaim(now: Textus::Ports::Clock.new.now)
+        Worker.for(container: @container, queue: @queue).drain
+      end
+
+      def run(poll: nil)
+        interval = poll || @container.manifest.data.worker_config[:poll]
+        loop do
+          tick
+          sleep(interval)
+        end
+      end
+    end
+  end
+end

data/lib/textus/maintenance/worker.rb

@@ -0,0 +1,74 @@
+module Textus
+  module Maintenance
+    # Drains the job queue: lease a job, look up its handler in the registry, run
+    # it (as the job's stamped authority — wired in a later phase), then ack on
+    # success or fail (requeue/dead-letter) on a raise. `drain` runs until the
+    # queue is empty and returns a summary. Delivery is at-least-once.
+    class Worker
+      Summary = Struct.new(:completed, :failed, keyword_init: true)
+
+      # The standard convergence worker: the closed handler allow-list plus the
+      # lease TTL from worker_config. Both `drain` and `serve` build it this way.
+      def self.for(container:, queue:)
+        new(
+          queue: queue, registry: Textus::Jobs::Handlers.registry,
+          container: container, lease_ttl: container.manifest.data.worker_config[:lease_ttl]
+        )
+      end
+
+      def initialize(queue:, registry:, container:, lease_ttl: 60)
+        @queue = queue
+        @registry = registry
+        @container = container
+        @lease_ttl = lease_ttl
+      end
+
+      def drain(worker_id: "drain-#{Process.pid}")
+        completed = 0
+        failed = 0
+        loop do
+          leased = @queue.lease(worker_id: worker_id, lease_ttl: @lease_ttl)
+          break unless leased
+
+          case run_one(leased)
+          when :completed     then completed += 1
+          when :dead_lettered then failed += 1
+            # :requeued -> a transient failure; it re-leases on a later iteration
+          end
+        end
+        Summary.new(completed: completed, failed: failed)
+      end
+
+      def drain_pool(pool: 4)
+        summaries = []
+        mutex = Mutex.new
+        threads = Array.new(pool) do |i|
+          Thread.new do
+            s = drain(worker_id: "pool-#{Process.pid}-#{i}")
+            mutex.synchronize { summaries << s }
+          end
+        end
+        threads.each(&:join)
+        Summary.new(
+          completed: summaries.sum(&:completed),
+          failed: summaries.sum(&:failed),
+        )
+      end
+
+      private
+
+      # Returns :completed on ack, or the queue's failure verdict (:requeued |
+      # :dead_lettered) on a raise. A requeued job re-leases on the next loop
+      # iteration, so a transient failure still drains; only a dead-letter is a
+      # terminal failure that counts toward the summary.
+      def run_one(leased)
+        entry = @registry.lookup(leased.job.type)
+        entry.handler.call(job: leased.job, container: @container)
+        @queue.ack(leased)
+        :completed
+      rescue StandardError => e
+        @queue.fail(leased, error: e.message)
+      end
+    end
+  end
+end

data/lib/textus/manifest/capabilities.rb

@@ -13,7 +13,7 @@ module Textus
       DEFAULT_MAPPING = {
         Textus::Role::HUMAN => %w[author propose].freeze,
         Textus::Role::AGENT => %w[propose].freeze,
-        Textus::Role::AUTOMATION => %w[reconcile].freeze,
+        Textus::Role::AUTOMATION => %w[converge].freeze,
       }.freeze
 
       # Returns { role_name => [verbs] }. When `roles:` is declared we use

data/lib/textus/manifest/data.rb

@@ -10,10 +10,11 @@ module Textus
     # resolution, rules) lives on Manifest::Policy / Resolver / Rules.
     class Data
       AUDIT_DEFAULTS = { max_size: 10_485_760, keep: 5 }.freeze
+      WORKER_DEFAULTS = { pool: 4, poll: 5, lease_ttl: 60, max_attempts: 3 }.freeze
 
       attr_reader :raw, :root, :entries, :declared_zone_kinds,
                   :zone_descs, :zone_owners,
-                  :audit_config, :role_caps, :policy
+                  :audit_config, :worker_config, :role_caps, :policy
 
       def self.validate_key!(key)
         raise UsageError.new("empty key") if key.nil? || key.empty?
@@ -47,6 +48,7 @@ module Textus
         # future `zone_owners.key?(name)` means "owner declared", not "zone exists".
         @zone_owners = Array(raw["zones"]).to_h { |z| [z["name"], z["owner"]] }.compact
         @audit_config = build_audit_config(raw)
+        @worker_config = build_worker_config(raw)
         @role_caps = Capabilities.resolve(raw["roles"])
         # Policy is constructed before entries because Entry validators
         # use the entry's own `derived?` and similar helpers that call into
@@ -67,6 +69,19 @@ module Textus
         }.freeze
       end
 
+      # Worker/queue tunables (ADR: job-queue execution model). All optional;
+      # the daemon (serve) and batch drain read these, falling back to defaults
+      # so a manifest with no `worker:` block runs the queue out of the box.
+      def build_worker_config(raw)
+        w = raw["worker"] || {}
+        {
+          pool: w["pool"] || WORKER_DEFAULTS[:pool],
+          poll: w["poll"] || WORKER_DEFAULTS[:poll],
+          lease_ttl: w["lease_ttl"] || WORKER_DEFAULTS[:lease_ttl],
+          max_attempts: w["max_attempts"] || WORKER_DEFAULTS[:max_attempts],
+        }.freeze
+      end
+
       def build_entries(raw)
         Array(raw["entries"]).map do |e|
           entry = Manifest::Entry::Parser.call(e)

data/lib/textus/manifest/schema/keys.rb

@@ -23,7 +23,7 @@ module Textus
         # `inject_boot`/`provenance` fields are kept here so the schema walk can
         # still emit the migration hint rather than a bare "unknown key".
         SOURCE_KEYS = %w[
-          from handler config template project command sources ttl on_write inject_boot provenance
+          from handler config template project command sources ttl inject_boot provenance
           select pluck sort_by transform
         ].freeze
         # ADR 0093: rule-level GC slot. drop/archive only (refresh gone).

data/lib/textus/manifest/schema/validator.rb

@@ -168,7 +168,7 @@ module Textus
           hints = {
             "lifecycle" => "age GC moved to the `retention:` rule ({ ttl, action: drop|archive }); " \
                            "intake cadence to the entry's `source: { ttl }`",
-            "materialize" => "moved to the entry's `source: { on_write: sync|async }`",
+            "materialize" => "removed — materialization is automatic (a write enqueues a job; run `drain`)",
           }
           hints.each do |old, hint|
             next unless rule.key?(old)
@@ -194,10 +194,10 @@ module Textus
             Array(r["can"]).each do |verb|
               next if CAPABILITIES.include?(verb)
 
-              # The quarantine capability folded into reconcile (ADR 0090); a
+              # The quarantine capability folded into the converge capability (ADR 0090); a
               # manifest still naming the old quarantine capability (`ingest`, or
               # legacy `fetch`) gets a pointed hint rather than a bare error.
-              hint = %w[ingest fetch].include?(verb) ? " — the quarantine capability folded into 'reconcile' (ADR 0090)" : ""
+              hint = %w[ingest fetch].include?(verb) ? " — the quarantine capability folded into 'converge' (ADR 0090)" : ""
               raise BadManifest.new(
                 "unknown capability '#{verb}' for role '#{name}' at '#{path}' " \
                 "(known: #{CAPABILITIES.join(", ")})#{hint}",

data/lib/textus/manifest/schema/vocabulary.rb

@@ -5,13 +5,13 @@ module Textus
       # 0034; the quarantine + derived ZONE-KINDS folded into one `machine` kind
       # in ADR 0091). Each kind pairs with the capability that authorizes
       # originating bytes in it. ONE source of truth; the derived constants below
-      # cannot drift. A BIJECTION again (0090 had two kinds → reconcile; 0091
+      # cannot drift. A BIJECTION again (0090 had two kinds → the converge capability; 0091
       # collapses them, so kind ↔ capability is 1:1).
       module Vocabulary
         LANES = {
           "canon" => "author",
           "workspace" => "keep",
-          "machine" => "reconcile",
+          "machine" => "converge",
           "queue" => "propose",
         }.freeze
 

data/lib/textus/mcp/server.rb

@@ -94,7 +94,7 @@ module Textus
 
         # ADR 0083: the contract-drift guard gates mutating verbs — every MCP
         # verb that is NOT a pure read (Write:: + the destructive Maintenance::
-        # verbs reconcile/zone_mv/key_*_prefix). Reads and boot bypass it (a stale
+        # verbs drain/zone_mv/key_*_prefix). Reads and boot bypass it (a stale
         # read returns on-disk truth; boot re-orients). Keying on read_verbs
         # (not write_verbs) keeps the destructive Maintenance:: verbs gated.
         @session.check_etag!(contract_etag) unless Catalog.read_verbs.include?(name)

data/lib/textus/ports/build_lock.rb

@@ -5,7 +5,7 @@ require "time"
 module Textus
   module Ports
     # Cross-process build lock: a pid/host-stamped lockfile under the store root
-    # that serializes reconcile's produce/sweep. An instantiable class — it holds
+    # that serializes converge's produce/sweep. An instantiable class — it holds
     # the root and lock state; `self.with(root:)` is a convenience that constructs
     # one and runs the block under the held lock. It already satisfied ADR 0109's
     # single-shape rule (every port is an instantiable class) before that ADR's

data/lib/textus/ports/produce_on_write_subscriber.rb

@@ -2,37 +2,50 @@
 
 module Textus
   module Ports
-    # ADR 0093: on a canon write, converge the derived entries that depend on the
-    # written key (rdeps ∩ derived) by running Produce — scoped + non-destructive.
-    # This IS reconcile narrowed to a write's blast radius; there is no separate
-    # "reactive materialize" subsystem. Per-entry source.on_write (sync|async)
-    # picks inline-under-lock vs deferred. A write INTO a derived entry does not
-    # fan out (recursion guard). Failures never reach the writer (Produce.converge
-    # isolates them). Attached at Store boot, alongside AuditSubscriber.
+    # ADR 0093 / job-queue model: on a canon write, enqueue a `materialize` job
+    # for each derived entry that depends on the written key (rdeps ∩ producible).
+    # Async-only — the write returns immediately; a worker (drain/serve) converges
+    # the jobs. There is no inline `sync` path and no in-process thread: freshness
+    # is re-homed to drain (at the commit/CI gate) and the daemon. A write INTO a
+    # derived entry does not fan out (recursion guard). Produce self-elevates, so
+    # the job is stamped automation. Attached at Store boot, alongside
+    # AuditSubscriber.
     class ProduceOnWriteSubscriber
       def initialize(container)
         @container = container
       end
 
       def attach(bus)
-        bus.on(:entry_written, :produce_on_write) do |ctx:, key:, **|
-          call = Textus::Call.build(role: ctx.role, correlation_id: ctx.correlation_id)
-          on_write(key: key, call: call)
+        bus.on(:entry_written, :produce_on_write) do |key:, **|
+          on_write(key: key)
+        end
+        # Closes the ADR 0087 gap: a delete/rename of a source must re-materialize
+        # its orphaned dependents too, not just a write. These fire distinct
+        # events (:entry_deleted / :entry_renamed), so subscribe to each.
+        bus.on(:entry_deleted, :produce_on_delete) do |key:, **|
+          on_write(key: key)
+        end
+        bus.on(:entry_renamed, :produce_on_rename) do |from_key:, to_key:, **|
+          on_write(key: from_key)
+          on_write(key: to_key)
         end
         self
       end
 
-      def on_write(key:, call:)
+      def on_write(key:)
         return if derived_write?(key) # recursion guard: produce output is not a source change
 
         affected = Textus::Read::Rdeps.new(container: @container).call(key)["rdeps"]
         producible = affected.select { |k| producible?(k) }
         return if producible.empty?
 
-        if any_sync?(producible)
-          Textus::Produce::Engine.converge(container: @container, call: call, keys: producible)
-        else
-          Textus::Produce::Engine::AsyncRunner.enqueue(container: @container, call: call, keys: producible)
+        queue = Textus::Ports::Queue.new(root: @container.root)
+        producible.each do |k|
+          queue.enqueue(
+            Textus::Domain::Jobs::Job.new(
+              type: "materialize", args: { "key" => k }, enqueued_by: Textus::Role::AUTOMATION,
+            ),
+          )
         end
       end
 
@@ -55,15 +68,6 @@ module Textus
       rescue Textus::Error
         false
       end
-
-      # Only derived entries carry a source with on_write semantics; a nested
-      # publish_tree entry has no source and defaults to async.
-      def any_sync?(keys)
-        keys.any? do |k|
-          entry = @container.manifest.resolver.resolve(k).entry
-          entry.derived? && entry.source.sync?
-        end
-      end
     end
   end
 end

data/lib/textus/ports/queue.rb

@@ -0,0 +1,130 @@
+require "fileutils"
+require "json"
+require "time"
+
+module Textus
+  module Ports
+    # File-backed durable job queue under `<root>/.run/queue/`. Each job state
+    # is a directory; a job is one `<id>.json` file. Claiming is an atomic
+    # `rename(2)` from ready/ to leased/ — the rename winner owns the job, so a
+    # worker pool needs no central lock. Dedup falls out of the id-as-filename:
+    # enqueueing an id that already exists is a no-op. ADR 0038 (runtime subtree),
+    # ADR 0108 (instantiable port).
+    class Queue
+      STATES = %i[ready leased done failed].freeze
+
+      def initialize(root:)
+        @root = root
+        STATES.each { |s| FileUtils.mkdir_p(Textus::Layout.queue_state(root, s)) }
+      end
+
+      def enqueue(job)
+        dest = path(:ready, job.id)
+        return if File.exist?(dest) # dedup: identical work already queued
+
+        write_atomic(dest, job.to_h)
+      end
+
+      def ready_ids
+        Dir.children(Textus::Layout.queue_state(@root, :ready)).map { |f| File.basename(f, ".json") }
+      end
+
+      # A claimed job plus the path it lives at, so ack/fail act on this copy.
+      Leased = Struct.new(:job, :leased_path, keyword_init: true)
+
+      def lease(worker_id:, lease_ttl:)
+        ready_dir = Textus::Layout.queue_state(@root, :ready)
+        Dir.children(ready_dir).each do |name|
+          src = File.join(ready_dir, name)
+          dst = File.join(Textus::Layout.queue_state(@root, :leased), name)
+          begin
+            File.rename(src, dst) # atomic claim; loser's rename raises ENOENT
+          rescue Errno::ENOENT
+            next # another worker won this one
+          end
+          job = Textus::Domain::Jobs::Job.from_h(JSON.parse(File.read(dst)))
+          stamp_lease(dst, worker_id: worker_id, expires_at: Time.now.utc + lease_ttl)
+          return Leased.new(job: job, leased_path: dst)
+        end
+        nil
+      end
+
+      def ack(leased)
+        dest = File.join(Textus::Layout.queue_state(@root, :done), File.basename(leased.leased_path))
+        File.rename(leased.leased_path, dest)
+      end
+
+      # Increment attempts and either requeue (transient) or dead-letter (attempts
+      # exhausted). Returns :requeued or :dead_lettered so the worker can count
+      # terminal failures distinctly from retries.
+      def fail(leased, error:)
+        job = leased.job
+        job.attempts += 1
+        job.last_error = error
+        dead = job.attempts >= job.max_attempts
+        write_atomic(path(dead ? :failed : :ready, job.id), job.to_h)
+        File.delete(leased.leased_path)
+        dead ? :dead_lettered : :requeued
+      end
+
+      # Return expired leases to ready/ (the holding worker crashed). Returns the
+      # count reclaimed. At-least-once delivery: a job whose handler actually
+      # finished but whose ack was lost will re-run — handlers must be idempotent.
+      def reclaim(now:)
+        leased_dir = Textus::Layout.queue_state(@root, :leased)
+        count = 0
+        Dir.children(leased_dir).each do |name|
+          src = File.join(leased_dir, name)
+          data = JSON.parse(File.read(src))
+          expires = data.dig("lease", "expires_at")
+          next if expires && Time.parse(expires) > now
+
+          dst = File.join(Textus::Layout.queue_state(@root, :ready), name)
+          data.delete("lease")
+          File.write(src, JSON.pretty_generate(data))
+          File.rename(src, dst)
+          count += 1
+        rescue Errno::ENOENT
+          next # raced with another reclaimer / the worker's ack
+        end
+        count
+      end
+
+      def list(state)
+        Dir.children(Textus::Layout.queue_state(@root, state.to_sym)).map { |f| File.basename(f, ".json") }
+      end
+
+      def retry_failed(job_id)
+        src = path(:failed, job_id)
+        data = JSON.parse(File.read(src))
+        data["attempts"] = 0
+        data["last_error"] = nil
+        write_atomic(path(:ready, job_id), data)
+        File.delete(src)
+      end
+
+      def purge(state)
+        dir = Textus::Layout.queue_state(@root, state.to_sym)
+        Dir.children(dir).each { |f| File.delete(File.join(dir, f)) }
+      end
+
+      private
+
+      def stamp_lease(leased_path, worker_id:, expires_at:)
+        data = JSON.parse(File.read(leased_path))
+        data["lease"] = { "worker_id" => worker_id, "expires_at" => expires_at.iso8601 }
+        File.write(leased_path, JSON.pretty_generate(data))
+      end
+
+      def path(state, job_id)
+        File.join(Textus::Layout.queue_state(@root, state), "#{job_id}.json")
+      end
+
+      def write_atomic(dest, hash)
+        tmp = "#{dest}.#{Process.pid}.tmp"
+        File.write(tmp, JSON.pretty_generate(hash))
+        File.rename(tmp, dest) # atomic on same filesystem
+      end
+    end
+  end
+end

data/lib/textus/produce/acquire/handler.rb

@@ -6,7 +6,7 @@ module Textus
       # Invokes a :resolve_handler hook handler by name under a timeout — the single
       # home for "call the intake handler under a deadline" (ADR 0048 D1). Shared by
       # Produce::Acquire::Intake (the internal ingest mechanism — no public verb since ADR 0079)
-      # as driven by the `reconcile` sweep and `textus hook run` (ADR 0089 made
+      # as driven by the converge sweep (drain/serve) and `textus hook run` (ADR 0089 made
       # ingest system-pushed; there is no read or put trigger).
       # Always passes a Container as `caps:` so the hook contract (ADR 0027) is
       # uniform across every entry point. Maps Timeout::Error to a UsageError;

data/lib/textus/produce/acquire/intake.rb

@@ -5,7 +5,7 @@ module Textus
     module Acquire
       # Internal ingest executor for one machine-zone intake entry. No longer a
       # public verb (ADR 0079 collapsed the `fetch` surface): used by the
-      # `reconcile` sweep and `textus hook run` only — ingest is system-pushed
+      # converge sweep (drain/serve) and `textus hook run` only — ingest is system-pushed
       # (ADR 0089 removed the read-through that once also drove it).
       class Intake
         FETCH_TIMEOUT_SECONDS = Textus::Produce::Acquire::Handler::FETCH_TIMEOUT_SECONDS
@@ -96,9 +96,9 @@ module Textus
           normalized = self.class.normalize_action_result(result, format: mentry.format)
           Textus::Domain::Policy::GuardFactory.new(
             manifest: @manifest, schemas: @schemas,
-          ).for(:reconcile, key).check!(
+          ).for(:converge, key).check!(
             Textus::Domain::Policy::Evaluation.new(
-              actor: @call.role, transition: :reconcile, origin: nil,
+              actor: @call.role, transition: :converge, origin: nil,
               target: key, envelope: nil, manifest: @manifest
             ),
           )

data/lib/textus/produce/engine.rb

@@ -8,17 +8,16 @@ module Textus
     #   derived (from: command)  -> skip the build; publish_via publishes
     #                               existing store bytes via mode resolution
     #                               (None when no targets -> skipped)
-    # Runs as the reconcile build actor (self-elevating); the passed `call`
+    # Runs as the converge build actor (self-elevating); the passed `call`
     # supplies only correlation_id/dry_run. Callers choose the key set: the
-    # write subscriber passes rdeps ∩ derived; reconcile passes
+    # write subscriber passes rdeps ∩ derived; the converge pass passes
     # all-derived + stale-intake.
     class Engine
-      # Locked + failure-isolated convergence — the shared entry point for the
-      # write trigger (ADR 0093). Both the sync path (inline, in the subscriber)
-      # and the async path (AsyncRunner) call this. A held lock is a soft miss
-      # (an in-flight build/reconcile already produces fresh output); any other
-      # error is republished as :produce_failed and never raised at the
-      # writer (ADR 0087 §5 failure isolation, preserved).
+      # Locked + failure-isolated convergence — the entry point worker handlers
+      # call to materialize a key set (ADR 0093 / job-queue model). A held lock
+      # is a soft miss (an in-flight build/converge already produces fresh
+      # output); any other error is republished as :produce_failed and never
+      # raised at the caller (ADR 0087 §5 failure isolation, preserved).
       def self.converge(container:, call:, keys:)
         Textus::Ports::BuildLock.with(root: container.root) do
           new(container: container, call: call).call(keys: keys)
@@ -73,10 +72,10 @@ module Textus
       end
 
       def build_actor_call
-        build_role = @manifest.policy.actor_for("reconcile") or
+        build_role = @manifest.policy.actor_for("converge") or
           raise Textus::UsageError.new(
-            "no role holds the 'reconcile' capability",
-            hint: "declare a role with `can: [reconcile]` in .textus/manifest.yaml",
+            "no role holds the 'converge' capability",
+            hint: "declare a role with `can: [converge]` in .textus/manifest.yaml",
           )
         Textus::Call.build(
           role: build_role,
@@ -91,53 +90,6 @@ module Textus
           reader: Textus::Read::Get.new(container: @container, call: call)
         )
       end
-
-      # In-process deferral for the async write trigger (ADR 0087/0093).
-      # Spawns a tracked thread that runs Produce.converge after the write
-      # returns; a one-time at_exit joins
-      # all pending threads so a short-lived CLI process cannot exit before an
-      # async rebuild completes. The write itself never blocks.
-      module AsyncRunner
-        @mutex   = Mutex.new
-        @threads = []
-        @hooked  = false
-
-        class << self
-          def enqueue(container:, call:, keys:)
-            thread = Thread.new { Textus::Produce::Engine.converge(container: container, call: call, keys: keys) }
-            track(thread)
-            thread
-          end
-
-          # Block until every spawned async rebuild has finished. Idempotent;
-          # safe to call from at_exit and directly from tests.
-          def drain
-            pending = @mutex.synchronize { @threads.dup }
-            pending.each(&:join)
-            @mutex.synchronize { @threads.delete_if { |t| !t.alive? } }
-            nil
-          end
-
-          private
-
-          def track(thread)
-            @mutex.synchronize do
-              @threads.delete_if { |t| !t.alive? }
-              @threads << thread
-              install_drain_hook
-            end
-          end
-
-          # Register the join-before-exit hook exactly once. Guarded by the
-          # caller holding @mutex.
-          def install_drain_hook
-            return if @hooked
-
-            @hooked = true
-            at_exit { drain }
-          end
-        end
-      end
     end
   end
 end