@githolon/dsl 0.2.3 → 0.4.0

package/src/workspace_sharding.ts

@@ -0,0 +1,1284 @@
+// NOMOS — Nomos Sovereign: participants act · verify · remember LOCALLY; hosted
+// remotes are replaceable custody/transport, not truth.  ⇒ ONE Nomos GitHolon
+// wasm32-wasip1 artifact {kernel · projection · embedded
+// QuickJS engine} on V8 + WASI-shim, byte-identical everywhere.  V8 = portability; the one
+// wasm = determinism.  No native, no wasmtime, no 2nd artifact, no domain-JS on bare V8.
+// If a file isn't this / hosting this / authoring for this / proving this — it's gone.
+
+/**
+ * THE DERIVED SHARDING LAW (sharding §3/§5/§6 — slice 2 placement, slice 3a homing
+ * invariants, slice 3 delta lane + least-loaded placement).
+ *
+ * `nomos-compile` APPENDS this module to a TAXONOMY-BEARING domain's module list —
+ * both in the canonical manifests (the placement law is hash-bearing law) and in the
+ * generated engine entry (the plans ship in the lump). A taxonomy-FREE package never
+ * imports it (subpath `@githolon/dsl/workspace-sharding`, never the runtime barrel —
+ * the slice-1 hash-stability law: its bytes must not enter other tenants' lumps).
+ *
+ * What it derives, per PACKED axis (`EstateWs.hasMany(SiteHome)` with
+ * `SiteHome.packed()`):
+ *
+ *   * `NomosShardAssignment` — THE SHARD MAP AS LAW on the coordinator. SLICE 3:
+ *     one DETERMINISTIC row per home (`nomos-shard-assignment:<homeKey>`, an Ensure)
+ *     — placement uniqueness BY CONSTRUCTION, idempotent re-offer by Lww. The shard
+ *     is picked LEAST-LOADED by the dispatching client/worker over committed
+ *     subtotal rows (law-state load, §3) and carried IN the payload; the
+ *     `nomosPlacementUnique:*` invariant refuses a CONFLICTING re-offer typed
+ *     (`placement-exists:<heldShard>`) — same home, same shard, forever, until the
+ *     slice-5 move lane flips it through `splitShard`/`sealHandoff`.
+ *   * `NomosHomeReceipt` — §3's "its assignment" fact IN THE SHARD'S OWN CHAIN (the
+ *     assignment RECEIPT leg): `nomosReceiveAssignment` ensures one receipt row per
+ *     home the shard owns, judged by `nomosReceiptHome:*` against the shard's own
+ *     declared identity. The homing invariant (`nomosWrongHome:<directive>`) now
+ *     judges routed writes against THESE receipts — shard-local law-state, no static
+ *     placement formula (the slice-2 fnv pick is retired with least-loaded placement).
+ *   * THE §5.2 DELTA LANE — `nomosPropagateSummary`: shard admission's coalesced
+ *     Order carrying per-(read, group) ABSOLUTE subtotals + the covered range's
+ *     event deltas as content-addressed evidence. The coordinator's ONE gate
+ *     adjudicates it (ruling 4 — full gate recomputation day one):
+ *       1. the PLAN recomputes every claimed absolute from the claimed previous +
+ *          the carried event deltas and REFUSES on mismatch (pure arithmetic over
+ *          the payload — replays byte-identically on every peer);
+ *       2. the `nomosSummaryGate:*` workspace invariant verifies the CLAIMS against
+ *          HELD law-state via `pre:` snapshots (the committed pre-apply reads the
+ *          executor resolves for `pre:`-prefixed refs): `fromOid` must equal the
+ *          recorded per-shard frontier (typed `frontier-gap:<expected>`), and every
+ *          claimed `prev` must equal the held subtotal value (typed
+ *          `summary-mismatch:…`). Held + carried-events ⇒ claimed, byte-compared.
+ *       3. the FOLD is plain Lww over `NomosSummarySubtotal` rows — idempotent,
+ *          replay-safe, kernel-lowered today. The estate total is an ORDINARY
+ *          maintained sum over subtotal rows (`nomosEstateSummary` by `bucket`) —
+ *          O(1) by #31. Subtotal rows ARE checkpoints (ruling 1): each carries the
+ *          shard frontier it is true at; deep-verify (replay-on-suspicion) mounts
+ *          the shard chain, re-verifies from genesis, recounts, byte-compares.
+ *   * `NomosShardRegistry` + `NomosShardPolicy` — the OPEN-SHARD set and the split
+ *     policy as law-state: the worker auto-births `s(k+1)` through the platform lane
+ *     when EVERY open shard's row count crosses the split threshold (ruling 5 — 75%
+ *     of the CAPACITY.md wall by default, law-amendable via `nomosSetShardPolicy`).
+ *   * ROUTE-TAGGED IN-PLAN MINTS — {@link installRouteTaggedMint}: the generated
+ *     entry of a taxonomy-bearing package wraps the sealed sandbox's
+ *     `globalThis.nomos.mint` (at lump top-level eval, pre-freeze) so `create(Agg)`
+ *     mints of PACKED-HOMED aggregates fold the dispatched intent's home ROUTE TAG
+ *     (48 bits of sha256, §4) into the UUIDv7 timestamp slot — same draw budget
+ *     (19 captured rng draws), no clock read, deterministic, byte-identical on
+ *     replay. No wasm change: the tag rides the slot the id-mint law itself demotes
+ *     to metadata.
+ *
+ * ENGINE-BUNDLE-SAFE: no node builtin anywhere in this module's import graph.
+ */
+import { z } from "zod";
+
+import { aggregate, instance } from "./aggregate.js";
+import { t } from "./fields.js";
+import { Lww } from "./drivers.js";
+import { directive } from "./directive.js";
+import { set, strike, withMarker, type PlannedOp } from "./ops.js";
+import { query } from "./query.js";
+import { sum } from "./sum.js";
+import { min, max } from "./extremum.js";
+import { refAs, workspaceInvariant } from "./framework/workspace_invariant.js";
+
+/** One packed axis the factory derives a placement lane for. */
+export interface ShardingAxisSpec {
+  /** The packed workspace-type id (e.g. `site`). */
+  readonly axisType: string;
+  /** The axis ROOT aggregate's wire id (e.g. `Site`). */
+  readonly axisRoot: string;
+  /**
+   * The INITIAL open-shard count (the parent type's `.pool(n)`): shards `s0…s{n-1}`
+   * are open at genesis. SLICE 3: the set GROWS — the worker auto-births `s(k+1)`
+   * (recorded as a `NomosShardRegistry` row through the coordinator's own gate)
+   * when every open shard crosses the split threshold.
+   */
+  readonly shardCount: number;
+}
+
+/** One derived directive route the homing invariant judges (`via:"axis"` only — a
+ * `via:"id"` misroute targets an aggregate that does not exist on the wrong shard,
+ * which the referential gate already refuses; see §3 of the sharding design). */
+export interface ShardingRouteSpec {
+  /** The routed directive id. */
+  readonly directive: string;
+  /** The PACKED workspace-type id the write homes on (matches an axis' `axisType`). */
+  readonly home: string;
+  /** The top-level payload field carrying the home key. */
+  readonly key: string;
+  /** How the key rides: `"axis"` = the axis-root id itself; `"id"` = a homed minted id. */
+  readonly via: "axis" | "id";
+}
+
+export interface ShardingLawSpec {
+  readonly axes: readonly ShardingAxisSpec[];
+  /**
+   * THE DERIVED ROUTES (slice 2's canonical-manifest `routes`, fed back into the law):
+   * per routed directive, the homing invariant `nomosWrongHome:<directive>` is derived
+   * so THE CHAIN GATE ITSELF refuses a wrong-home write (#41 — slice 3a; the edge
+   * bailiff stays as defense-in-depth). OMITTED routes ⇒ no invariants (slice-2 shape).
+   */
+  readonly routes?: readonly ShardingRouteSpec[];
+  /**
+   * THE PACKED HOMING TABLE (slice 3 — the in-plan mint tagger's input): aggregate
+   * wire id → the packed axis type it homes on. Only PACKED-homed aggregates appear.
+   * OMITTED ⇒ in-plan mints stay plain (the slice-2 shape).
+   */
+  readonly homes?: Readonly<Record<string, string>>;
+}
+
+// ── well-known law-state row ids (deterministic — Ensure singletons / keyed rows) ──
+
+/** The well-known Ensure id the homing invariant resolves the identity under. */
+export const NOMOS_SHARD_IDENTITY_ID = "nomos-shard-identity:self";
+/** The shard-policy singleton's row id (coordinator law-state). */
+export const NOMOS_SHARD_POLICY_ID = "nomos-shard-policy:self";
+/**
+ * Deterministic-row-id escape: a framework row id must never PARSE as a
+ * kernel-minted id (`<tag>_<uuid>` — the FIRST "_" splits, and a minted home key
+ * embedded verbatim would make the row id minted-shaped and refuse at the id-mint
+ * gate). Embedded key material therefore escapes "_" %-style — injective, pure,
+ * sandbox-safe ("%"→"%25" first, then "_"→"%5F").
+ */
+export const escapeRowKey = (s: string): string => s.replace(/%/g, "%25").replace(/_/g, "%5F").replace(/\|/g, "%7C");
+/** The shard map row for a home key (coordinator law-state; uniqueness by construction). */
+export const shardAssignmentRowId = (homeKey: string): string => `nomos-shard-assignment:${escapeRowKey(homeKey)}`;
+/** The shard's own receipt row for a home it owns (shard law-state). */
+export const homeReceiptRowId = (homeKey: string): string => `nomos-home-receipt:${escapeRowKey(homeKey)}`;
+/** The open-shard registry row for a label (coordinator law-state). */
+export const shardRegistryRowId = (label: string): string => `nomos-shard-registry:${label}`;
+/** The per-shard delta-lane frontier watermark (coordinator law-state). */
+export const summaryFrontierRowId = (shard: string): string => `nomos-summary-frontier:${shard}`;
+/** One per-(shard, read, group) committed subtotal row (coordinator law-state). */
+export const summarySubtotalRowId = (shard: string, readId: string, group: string): string =>
+  `nomos-subtotal:${shard}|${escapeRowKey(readId)}|${escapeRowKey(group)}`;
+/** The recorded deep-verify verdict row for a shard (coordinator law-state). */
+export const deepVerifyRowId = (shard: string): string => `nomos-deep-verify:${shard}`;
+/** One sealed checkpoint row (§5.5, slice 4 — coordinator law-state, by seal sequence). */
+export const checkpointSealRowId = (seq: number | string): string => `nomos-checkpoint-seal:${seq}`;
+/** The LATEST seal (the head pointer — same aggregate, well-known id; O(1) to find). */
+export const NOMOS_CHECKPOINT_HEAD_ID = "nomos-checkpoint-seal:head";
+
+/** The estate-total bucket of a scoped read's group (`nomosEstateSummary` group key).
+ *  `|` — printable (the kernel's canonical event decode refuses raw control bytes);
+ *  unambiguous because a SCOPED read's id may not contain `|` (compile-refused);
+ *  group values are free text (the bucket is only ever CONSTRUCTED, never parsed). */
+export const SUMMARY_BUCKET_SEP = "|";
+export const summaryBucket = (readId: string, group: string): string =>
+  `${readId}${SUMMARY_BUCKET_SEP}${group}`;
+
+/** The synthetic per-shard row-count read the load policy consumes (capacity headroom). */
+export const NOMOS_SHARD_ROWS_READ = "nomosShardRows";
+
+/**
+ * THE MOVE STATUS (slice 5 — §6's `moving(target)`, encoded IN the status string so
+ * the assignment row's schema never moves): an assignment mid-handoff reads
+ * `moving:<targetLabel>`; `sealHandoff` flips it back to `active` with
+ * `shard = target` and the map version bumped. One row per home, always.
+ */
+export const MOVING_STATUS_PREFIX = "moving:";
+export const movingStatus = (target: string): string => `${MOVING_STATUS_PREFIX}${target}`;
+/** The move target of a `moving:<label>` status, or undefined for any other status. */
+export const movingTargetOf = (status: unknown): string | undefined =>
+  typeof status === "string" && status.startsWith(MOVING_STATUS_PREFIX)
+    ? status.slice(MOVING_STATUS_PREFIX.length)
+    : undefined;
+
+/** The CAPACITY.md wall + ruling-5 default threshold (rows; law-amendable via policy). */
+export const DEFAULT_WALL_ROWS = 581000;
+export const DEFAULT_SPLIT_THRESHOLD_ROWS = 435750; // 75% of the wall — ruling 5
+
+/**
+ * THE SHARD MAP ROW (coordinator law-state). One aggregate type across all axes —
+ * `homeType` carries the axis. `shard` is the LABEL (`s0`…): the addressable shard
+ * workspace is `<coordinator>--<label>` (custody naming, composed by the hosts —
+ * ids embed the HOME KEY, never the shard ordinal, §4). SLICE 3: the row id is
+ * DETERMINISTIC (`nomos-shard-assignment:<homeKey>`) — one home, one row, forever.
+ */
+export const NomosShardAssignment = aggregate("NomosShardAssignment", {
+  homeType: t.string().merge(Lww),
+  homeKey: t.string().merge(Lww),
+  shard: t.string().merge(Lww),
+  mapVersion: t.int().merge(Lww),
+  status: t.string().merge(Lww), // active | moving | moved (slice 5 flips these)
+  placedAt: t.string().merge(Lww),
+});
+
+/**
+ * THE SHARD'S OWN IDENTITY — law-state in the shard's OWN chain (§3's "its assignment"
+ * fact, the slice-3a slice of it): which shard label this workspace IS. An Ensure
+ * singleton (well-known id `nomos-shard-identity:self`): the worker (the bailiff)
+ * authors it through the shard's own gate right after the law deploys — a custody fact
+ * (the workspace's name) recorded AS LAW, every change attributed + replayable. The
+ * homing invariant reads it; a workspace that never declares one (the coordinator, a
+ * direct unsharded holon, every pre-#41 chain) is judged vacuously (the edge bailiff
+ * remains the outer guard there).
+ */
+export const NomosShardIdentity = aggregate("NomosShardIdentity", {
+  scope: t.string().merge(Lww), // always "self" — the singleton key
+  label: t.string().merge(Lww), // "s0"…, or "" = the coordinator
+  coordinator: t.string().merge(Lww), // the coordinator workspace's name
+  declaredAt: t.string().merge(Lww),
+});
+
+/**
+ * THE ASSIGNMENT RECEIPT (slice 3 — §3's receipt leg): the shard's own chain records
+ * WHICH HOMES IT OWNS, one Ensure row per home key. Authored by the coordinator's
+ * worker after a placement admits, AND optimistically by the routed client before its
+ * first write to a fresh placement (idempotent — same row, same values; the edge
+ * bailiff verifies every session-lane receipt against the coordinator's shard map
+ * before it merges). The homing invariant judges routed writes against these rows.
+ */
+export const NomosHomeReceipt = aggregate("NomosHomeReceipt", {
+  homeKey: t.string().merge(Lww),
+  shard: t.string().merge(Lww),
+  mapVersion: t.int().merge(Lww),
+  status: t.string().merge(Lww), // active | moved (slice 5 — the tombstone IS a redirect: `shard` then names the target)
+  receivedAt: t.string().merge(Lww),
+});
+
+/** The OPEN-SHARD registry row (coordinator law-state; `s0…s{pool-1}` are implicit). */
+export const NomosShardRegistry = aggregate("NomosShardRegistry", {
+  label: t.string().merge(Lww),
+  status: t.string().merge(Lww), // open | retired (slice 5)
+  openedAt: t.string().merge(Lww),
+});
+
+/**
+ * THE SPLIT POLICY singleton (coordinator law-state — ruling 5: 75% ships, the dial
+ * is law-amendable). `wallRows` is the capacitymeter-informed per-shard wall
+ * (CAPACITY.md: ~581k under the co2 shape); `splitThresholdRows` is the auto-birth
+ * trigger (defaults to 75% of the wall when amended without one).
+ */
+export const NomosShardPolicy = aggregate("NomosShardPolicy", {
+  scope: t.string().merge(Lww), // always "self"
+  wallRows: t.int().merge(Lww),
+  splitThresholdRows: t.int().merge(Lww),
+  // §5.5 CHECKPOINT CADENCE (slice 4, ruling 1): seal after every N admitted deltas.
+  // Absent ⇒ the host default (64); 0 ⇒ cadence off (explicit seals only).
+  checkpointEveryDeltas: t.int().merge(Lww),
+  setAt: t.string().merge(Lww),
+});
+
+/**
+ * THE CHECKPOINT SEAL (§5.5, slice 4 — ruling 1 made periodic): a committed
+ * `{shard → frontier}` snapshot + the content hash of the coordinator's subtotal
+ * state at the seal. Subtotal rows ARE the checkpoints (each already carries its
+ * shard frontier + the gate verdict that sealed it); the seal binds a SET of them
+ * to one sequence point, which makes the delta suffix BEHIND the sealed frontiers
+ * ARCHIVAL: replay from genesis still works (nothing is erased), but an auditor
+ * may anchor at the latest seal and deep-verify forward from it. `frontiers` is
+ * canonical JSON (`[{shard, frontier}]`, shard-sorted — the plan re-sorts, so the
+ * folded bytes never depend on payload order); `stateHash` is the host's
+ * content-addressed claim over the shard-sorted subtotal rows at the seal —
+ * deep-verify recomputes it from law-state and byte-compares (anchoring).
+ */
+export const NomosCheckpointSeal = aggregate("NomosCheckpointSeal", {
+  seq: t.int().merge(Lww),
+  frontiers: t.string().merge(Lww), // canonical JSON: [{shard, frontier}] sorted by shard
+  stateHash: t.string().merge(Lww), // sha256 over the coordinator's subtotal state at the seal
+  sealedAt: t.string().merge(Lww),
+});
+
+/** The canonical (shard-sorted) frontier-set bytes a seal folds — ONE shape on every peer. */
+export const canonicalSealFrontiers = (
+  frontiers: readonly { shard: string; frontier: string }[],
+): string =>
+  JSON.stringify(
+    [...frontiers]
+      .map((f) => ({ shard: f.shard, frontier: f.frontier }))
+      .sort((a, b) => (a.shard < b.shard ? -1 : a.shard > b.shard ? 1 : 0)),
+  );
+
+/**
+ * ONE COMMITTED SUBTOTAL — §5.1's `SummarySubtotal`, the checkpoint row (ruling 1):
+ * the ABSOLUTE per-(shard, read, group) value, true at the shard commit `frontier`,
+ * folded as plain Lww after the gate recomputed it from carried evidence. `bucket`
+ * (= `readId group`) is the maintained estate-total's group key; `kind` records
+ * what the value tallies (`count` | `sum` | `rows` — the load policy reads `rows` —
+ * and, SLICE 8, `min` | `max`: the shard's maintained extremum at the frontier).
+ *
+ * `empty` (slice 8, EXTREMUM kinds only): `1` = the shard's group has NO
+ * contributing member — an empty group has no extremum and `0` is a legitimate
+ * extremum value (the `extremum.ts` null law), so emptiness is a FLAG, never a
+ * sentinel value. The maintained estate extremums below exclude `empty:1` rows;
+ * additive kinds never set the field (their rows fold byte-identically to before
+ * it existed).
+ */
+export const NomosSummarySubtotal = aggregate("NomosSummarySubtotal", {
+  readId: t.string().merge(Lww),
+  group: t.string().merge(Lww),
+  shard: t.string().merge(Lww),
+  kind: t.string().merge(Lww),
+  bucket: t.string().merge(Lww),
+  value: t.int().merge(Lww),
+  frontier: t.string().merge(Lww),
+  empty: t.int().merge(Lww).optional(),
+});
+
+/** THE PER-SHARD DELTA FRONTIER watermark (§5.2 step 1 — contiguity law-state). */
+export const NomosSummaryFrontier = aggregate("NomosSummaryFrontier", {
+  shard: t.string().merge(Lww),
+  frontier: t.string().merge(Lww), // the shard main oid the subtotals are true at
+  readManifestHash: t.string().merge(Lww),
+  updatedAt: t.string().merge(Lww),
+});
+
+/** THE RECORDED DEEP-VERIFY VERDICT (§5.5 — replay-on-suspicion, made operational). */
+export const NomosDeepVerify = aggregate("NomosDeepVerify", {
+  shard: t.string().merge(Lww),
+  frontier: t.string().merge(Lww), // the coordinator-held frontier at check time
+  head: t.string().merge(Lww), // the shard main head the replay verified
+  verdict: t.string().merge(Lww), // verified | mismatch:<…> | invalid:<…>
+  detail: t.string().merge(Lww), // JSON: the per-(read,group) byte-compare table
+  checkedAt: t.string().merge(Lww),
+});
+
+export const nomosDeclareShardIdentity = directive("nomosDeclareShardIdentity")
+  .ensures(NomosShardIdentity)
+  .payload(
+    z.object({
+      label: z.string(), // "" = the coordinator
+      coordinator: z.string().min(1),
+      declaredAt: z.string(),
+    }),
+  )
+  .plan((p) => {
+    const me = instance(NomosShardIdentity, NOMOS_SHARD_IDENTITY_ID);
+    return [
+      withMarker(set(me, "scope", "self"), "ensures"),
+      set(me, "label", p.label),
+      set(me, "coordinator", p.coordinator),
+      set(me, "declaredAt", p.declaredAt),
+    ];
+  });
+
+/** The receipt leg: record (idempotently) that THIS chain owns `homeKey`. */
+export const nomosReceiveAssignment = directive("nomosReceiveAssignment")
+  .ensures(NomosHomeReceipt)
+  .payload(
+    z.object({
+      homeKey: z.string().min(1),
+      shard: z.string().regex(/^s\d+$/),
+      mapVersion: z.number().int().min(1),
+      receivedAt: z.string(),
+    }),
+  )
+  .plan((p) => {
+    const row = instance(NomosHomeReceipt, homeReceiptRowId(p.homeKey));
+    return [
+      withMarker(set(row, "homeKey", p.homeKey), "ensures"),
+      set(row, "shard", p.shard),
+      set(row, "mapVersion", p.mapVersion),
+      set(row, "status", "active"),
+      set(row, "receivedAt", p.receivedAt),
+    ];
+  });
+
+// ── §6 — THE SHARD LIFECYCLE (slice 5: splits / migration / sealHandoff) ─────────────
+//
+// The move is THREE law intents, every leg through a gate, custody never truth:
+//   1. `nomosSplitShard` (coordinator) flips the chosen homes' SAME deterministic
+//      assignment rows `active → moving:<target>` — from that commit on, the edge
+//      bailiff parks writes to those homes with the typed `home-moving` refusal.
+//   2. MIGRATION = RE-ADMISSION (the host leg, no directive): the target shard pulls
+//      the moving homes' intents from the source chain and re-admits EACH through its
+//      OWN gate (`apply_intent` — plan re-run, byte-compared, invariants judged;
+//      author preserved, committer = the target's kernel). Then `nomosSealHome`
+//      (source) STRIKES the migrated intents out of the source's fold (append-then-
+//      strike — history is never erased; the projection sheds the rows, so the
+//      source's tallies, deep-verify recount and capacity load all stay honest) and
+//      tombstones the home's receipt: `status = moved`, `shard = <target>` — the
+//      tombstone IS the redirect, and the homing invariant's existing
+//      `wrong-home:<receiptShard>` verdict now NAMES the new home for free.
+//   3. `sealHandoff`'s subtotal close/open is one `nomosPropagateSummary` PAIR
+//      through the SAME summary gate (the close offers the source's post-strike
+//      retally against its held frontier; the open re-derives the target's suffix) —
+//      then `nomosSealHandoff` (coordinator) flips the rows `moving → active` with
+//      `shard = target` and the map version BUMPED (wrong-home refusals carry it;
+//      clients refresh and retry — §4's self-healing lane).
+
+/** Begin a move: flip each home's assignment to `moving:<toShard>` (gate-verified). */
+export const nomosSplitShard = directive("nomosSplitShard")
+  .mutates(NomosShardAssignment)
+  .payload(
+    z.object({
+      fromShard: z.string().regex(/^s\d+$/),
+      toShard: z.string().regex(/^s\d+$/),
+      homeKeys: z.array(z.string().min(1)).min(1).max(64),
+      startedAt: z.string(),
+    }),
+  )
+  .plan((p) => {
+    if (p.fromShard === p.toShard) {
+      throw new Error(`split-degenerate: fromShard and toShard are both '${p.toShard}' — a move needs two shards`);
+    }
+    if (new Set(p.homeKeys).size !== p.homeKeys.length) {
+      throw new Error("split-duplicate: a home key appears twice in one split");
+    }
+    return p.homeKeys.flatMap((homeKey) => {
+      const row = instance(NomosShardAssignment, shardAssignmentRowId(homeKey));
+      return [set(row, "status", movingStatus(p.toShard))];
+    });
+  });
+
+/**
+ * Seal a completed handoff: flip each home's assignment `moving:<toShard>` →
+ * `active` on the TARGET shard, with the map version bumped (gate-verified:
+ * the held row must be mid-move to exactly this target, and the bump must be
+ * exactly held+1 — a stale or replayed seal refuses typed).
+ */
+export const nomosSealHandoff = directive("nomosSealHandoff")
+  .mutates(NomosShardAssignment)
+  .payload(
+    z.object({
+      fromShard: z.string().regex(/^s\d+$/),
+      toShard: z.string().regex(/^s\d+$/),
+      homeKeys: z.array(z.string().min(1)).min(1).max(64),
+      mapVersion: z.number().int().min(2),
+      sealedAt: z.string(),
+    }),
+  )
+  .plan((p) =>
+    p.homeKeys.flatMap((homeKey) => {
+      const row = instance(NomosShardAssignment, shardAssignmentRowId(homeKey));
+      return [
+        set(row, "shard", p.toShard),
+        set(row, "status", "active"),
+        set(row, "mapVersion", p.mapVersion),
+      ];
+    }),
+  );
+
+/**
+ * THE SOURCE'S TERMINAL SEAL (authored on the SOURCE shard's own chain by the host
+ * after migration completes — the edge refuses it on the session lane: the seal pen
+ * is the bailiff's): STRIKE every migrated intent out of the fold (append-then-strike
+ * — the kernel's strike-correct reprojection sheds the moved rows, so tallies,
+ * deep-verify and the capacity load stay honest) and tombstone each home's receipt
+ * (`status=moved`, `shard=<target>` — the redirect the homing invariant serves).
+ */
+export const nomosSealHome = directive("nomosSealHome")
+  .ensures(NomosHomeReceipt)
+  .payload(
+    z.object({
+      homeKeys: z.array(z.string().min(1)).min(1).max(64),
+      target: z.string().regex(/^s\d+$/),
+      intentIds: z.array(z.string().min(1)).max(2048),
+      sealedAt: z.string(),
+    }),
+  )
+  .plan((p) => {
+    const ops: PlannedOp[] = [];
+    for (const homeKey of p.homeKeys) {
+      const row = instance(NomosHomeReceipt, homeReceiptRowId(homeKey));
+      ops.push(
+        withMarker(set(row, "homeKey", homeKey), "ensures"),
+        set(row, "shard", p.target),
+        set(row, "status", "moved"),
+        set(row, "receivedAt", p.sealedAt),
+      );
+    }
+    for (const intentId of p.intentIds) ops.push(strike(intentId));
+    return ops;
+  });
+
+/** Open shard `s<k>` (worker-authored when the auto-birth policy trips — ruling 5). */
+export const nomosOpenShard = directive("nomosOpenShard")
+  .ensures(NomosShardRegistry)
+  .payload(z.object({ label: z.string().regex(/^s\d+$/), openedAt: z.string() }))
+  .plan((p) => {
+    const row = instance(NomosShardRegistry, shardRegistryRowId(p.label));
+    return [
+      withMarker(set(row, "label", p.label), "ensures"),
+      set(row, "status", "open"),
+      set(row, "openedAt", p.openedAt),
+    ];
+  });
+
+/** Amend the split policy (the ruling-5 dial; omitted threshold derives 75% of the wall). */
+export const nomosSetShardPolicy = directive("nomosSetShardPolicy")
+  .ensures(NomosShardPolicy)
+  .payload(
+    z.object({
+      wallRows: z.number().int().min(1),
+      splitThresholdRows: z.number().int().min(1).optional(),
+      checkpointEveryDeltas: z.number().int().min(0).optional(), // 0 = cadence off
+      setAt: z.string(),
+    }),
+  )
+  .plan((p) => {
+    const row = instance(NomosShardPolicy, NOMOS_SHARD_POLICY_ID);
+    const threshold = p.splitThresholdRows ?? Math.max(1, Math.floor((p.wallRows * 3) / 4));
+    return [
+      withMarker(set(row, "scope", "self"), "ensures"),
+      set(row, "wallRows", p.wallRows),
+      set(row, "splitThresholdRows", threshold),
+      ...(p.checkpointEveryDeltas !== undefined ? [set(row, "checkpointEveryDeltas", p.checkpointEveryDeltas)] : []),
+      set(row, "setAt", p.setAt),
+    ];
+  });
+
+/**
+ * Amend a shard's delta frontier DIRECTLY (an Ensure on the watermark row). Two jobs:
+ * it DECLARES `NomosSummaryFrontier` as an ensures target (the id-mint gate admits an
+ * Ensure-introduced aggregate only for declared targets — `nomosPropagateSummary`'s
+ * plan writes this row but targets the subtotal type), and it is the slice-5
+ * `sealHandoff` primitive (closing/opening frontiers across a move). Day to day the
+ * frontier only ever moves THROUGH `nomosPropagateSummary`'s gate.
+ */
+export const nomosAmendSummaryFrontier = directive("nomosAmendSummaryFrontier")
+  .ensures(NomosSummaryFrontier)
+  .payload(
+    z.object({
+      shard: z.string().regex(/^s\d+$/),
+      frontier: z.string(),
+      readManifestHash: z.string(),
+      updatedAt: z.string(),
+    }),
+  )
+  .plan((p) => {
+    const wm = instance(NomosSummaryFrontier, summaryFrontierRowId(p.shard));
+    return [
+      withMarker(set(wm, "shard", p.shard), "ensures"),
+      set(wm, "frontier", p.frontier),
+      set(wm, "readManifestHash", p.readManifestHash),
+      set(wm, "updatedAt", p.updatedAt),
+    ];
+  });
+
+/** Record a deep-verify verdict (the §5.5 replay-on-suspicion op's committed outcome). */
+export const nomosRecordDeepVerify = directive("nomosRecordDeepVerify")
+  .ensures(NomosDeepVerify)
+  .payload(
+    z.object({
+      shard: z.string().regex(/^s\d+$/),
+      frontier: z.string(),
+      head: z.string(),
+      verdict: z.string().min(1),
+      detail: z.string(),
+      checkedAt: z.string(),
+    }),
+  )
+  .plan((p) => {
+    const row = instance(NomosDeepVerify, deepVerifyRowId(p.shard));
+    return [
+      withMarker(set(row, "shard", p.shard), "ensures"),
+      set(row, "frontier", p.frontier),
+      set(row, "head", p.head),
+      set(row, "verdict", p.verdict),
+      set(row, "detail", p.detail),
+      set(row, "checkedAt", p.checkedAt),
+    ];
+  });
+
+/**
+ * SEAL A CHECKPOINT (§5.5, slice 4): bind the held per-shard frontiers + the
+ * subtotal state hash to the next sequence point. Host-authored on the cadence
+ * (the worker counts admitted deltas against the policy dial) or explicitly
+ * (`POST /v1/workspaces/<coordinator>/checkpoint`) — but gate-verified either
+ * way: the `nomosCheckpointGate` invariant pins every claimed frontier to the
+ * HELD `NomosSummaryFrontier` watermark (`pre:` reads) and the sequence to
+ * held-head + 1. A seal can never claim a frontier the delta lane never
+ * recorded, and never replay/skip a sequence point.
+ */
+export const nomosCheckpointSeal = directive("nomosCheckpointSeal")
+  .ensures(NomosCheckpointSeal)
+  .payload(
+    z.object({
+      seq: z.number().int().min(1),
+      frontiers: z
+        .array(z.object({ shard: z.string().regex(/^s\d+$/), frontier: z.string().min(1) }))
+        .min(1)
+        .max(4096),
+      stateHash: z.string().min(1),
+      sealedAt: z.string(),
+    }),
+  )
+  .plan((p) => {
+    const seen = new Set<string>();
+    for (const f of p.frontiers) {
+      if (seen.has(f.shard)) throw new Error(`seal-duplicate: shard '${f.shard}' appears twice in one seal`);
+      seen.add(f.shard);
+    }
+    const canonical = canonicalSealFrontiers(p.frontiers);
+    const ops: PlannedOp[] = [];
+    // The numbered seal row AND the head pointer — same aggregate, two deterministic ids.
+    for (const id of [checkpointSealRowId(p.seq), NOMOS_CHECKPOINT_HEAD_ID]) {
+      const row = instance(NomosCheckpointSeal, id);
+      ops.push(
+        withMarker(set(row, "seq", p.seq), "ensures"),
+        set(row, "frontiers", canonical),
+        set(row, "stateHash", p.stateHash),
+        set(row, "sealedAt", p.sealedAt),
+      );
+    }
+    return ops;
+  });
+
+// ── §5.2 — THE DELTA (the one Order the lane rides) ──────────────────────────────────
+
+const summarySubtotalSchema = z.object({
+  readId: z.string().min(1),
+  group: z.string(), // "" = the grand-total group
+  // SLICE 8: `min`/`max` join the lane. Their `prev`/`value` are NULLABLE — null =
+  // "no contributing member" (the extremum.ts empty-group law; 0 is a legitimate
+  // extremum). The PLAN refuses a null on any additive kind (typed) — nullability
+  // is the extremum kinds' vocabulary, never a loosening of counts/sums/rows.
+  kind: z.enum(["count", "sum", "rows", "min", "max"]),
+  prev: z.number().int().nullable(), // the CLAIMED previous absolute (gate-verified against held)
+  value: z.number().int().nullable(), // the CLAIMED new absolute (plan-verified against prev + carried evidence)
+  /**
+   * THE DECLARED RETRACTION (slice 8, extremum kinds only): the covered range
+   * RETRACTED the extremum (a contributing row left/worsened — the non-monotone
+   * case), so `value` is the shard's SUFFIX RE-DERIVATION (its maintained
+   * projection extremum at `toOid`), not an extremize over `prev` + candidates.
+   * The plan REFUSES an undeclared non-monotone chain (a silent retraction can
+   * never fold); a declared one folds as a frontier-pinned, deep-verifiable
+   * fact — exactly the trust-chain posture of the strike-bearing close (§5.5).
+   */
+  rederived: z.boolean().optional(),
+});
+
+const summaryEventSchema = z.object({
+  oid: z.string().min(1), // the shard commit (content address — deep-verify resolves it)
+  intentId: z.string(),
+  // Additive kinds: `delta` is the increment. EXTREMUM kinds (slice 8): `delta`
+  // is the POST-INTENT ABSOLUTE extremum of the bucket (null = the group emptied)
+  // — the evidence chain the plan walks for monotonicity. Null on an additive
+  // kind refuses in the plan (typed).
+  deltas: z
+    .array(z.object({ readId: z.string().min(1), group: z.string(), delta: z.number().int().nullable() }))
+    .max(64),
+});
+
+export const nomosPropagateSummary = directive("nomosPropagateSummary")
+  .ensures(NomosSummarySubtotal)
+  .payload(
+    z.object({
+      shard: z.string().regex(/^s\d+$/),
+      fromOid: z.string(), // "" = the shard's first delta (a virgin coordinator record)
+      toOid: z.string().min(1),
+      readManifestHash: z.string(),
+      propagatedAt: z.string(),
+      subtotals: z.array(summarySubtotalSchema).min(1).max(1024),
+      events: z.array(summaryEventSchema).max(4096),
+    }),
+  )
+  .plan((p) => {
+    // ── THE GATE RECOMPUTATION, arithmetic half (ruling 4 — day one, in the law) ──
+    // Pure over the payload. ADDITIVE kinds (count/sum/rows): every claimed absolute
+    // must equal the claimed previous plus the carried events' deltas. EXTREMUM
+    // kinds (slice 8 — min/max): the carried events are POST-INTENT ABSOLUTES; the
+    // plan walks the chain prev → e1 → … → en and verifies EXTREMIZE-ON-MONOTONE
+    // (every step only ever improves the extremum, and the final step IS the
+    // claim); a NON-MONOTONE step (a retraction — the extremum's row left or
+    // worsened) folds ONLY when the subtotal DECLARES it (`rederived: true`, the
+    // shard's suffix re-derivation) — silent retraction is a typed refusal, and a
+    // declared one stays deep-verifiable (mount the shard, recount, byte-compare).
+    // Every carried delta must land in a claimed subtotal (no hidden effects). The
+    // held-state half — fromOid == the recorded frontier, claimed prev == the held
+    // subtotal — is the `nomosSummaryGate` invariant's `pre:` reads. Together:
+    // held + carried evidence ⇒ claimed, or refuse.
+    if (p.fromOid === p.toOid) {
+      throw new Error(`summary-empty: fromOid and toOid are both '${p.toOid}' — an empty range propagates nothing`);
+    }
+    const isExtremum = (kind: string) => kind === "min" || kind === "max";
+    const claimed = new Map<
+      string,
+      { kind: string; prev: number | null; value: number | null; sum: number; running: number | null; touched: boolean; nonMonotone: boolean }
+    >();
+    for (const s of p.subtotals) {
+      const key = summaryBucket(s.readId, s.group);
+      if (claimed.has(key)) throw new Error(`summary-duplicate: subtotal (${s.readId}, '${s.group}') claimed twice`);
+      if (!isExtremum(s.kind) && (s.prev === null || s.value === null)) {
+        throw new Error(`summary-null:${s.readId}: a '${s.kind}' subtotal carries null — null is the extremum kinds' empty-group vocabulary, never an additive value`);
+      }
+      claimed.set(key, { kind: s.kind, prev: s.prev, value: s.value, sum: 0, running: s.prev, touched: false, nonMonotone: false });
+    }
+    for (const ev of p.events) {
+      for (const d of ev.deltas) {
+        const c = claimed.get(summaryBucket(d.readId, d.group));
+        if (c === undefined) {
+          throw new Error(
+            `summary-incomplete: event ${ev.oid.slice(0, 10)} carries a delta for (${d.readId}, '${d.group}') ` +
+              `but no subtotal claims that group — every touched group must carry its absolute`,
+          );
+        }
+        if (isExtremum(c.kind)) {
+          // The carried value is the post-intent ABSOLUTE; monotone = it only improves.
+          const v = d.delta;
+          const improves =
+            v !== null && (c.running === null || (c.kind === "min" ? v <= c.running : v >= c.running));
+          if (!improves && !(v === null && c.running === null)) c.nonMonotone = true;
+          c.running = v;
+          c.touched = true;
+        } else {
+          if (d.delta === null) {
+            throw new Error(`summary-null:${d.readId}: a '${c.kind}' event delta is null — only extremum kinds carry the empty-group null`);
+          }
+          c.sum += d.delta;
+        }
+      }
+    }
+    for (const s of p.subtotals) {
+      const c = claimed.get(summaryBucket(s.readId, s.group))!;
+      if (isExtremum(s.kind)) {
+        const final = c.touched ? c.running : c.prev;
+        if (final !== s.value) {
+          throw new Error(
+            `summary-mismatch: (${s.readId}, '${s.group}') claims ${s.value === null ? "null" : s.value} but the ` +
+              `carried evidence chain ends at ${final === null ? "null" : final} — the evidence does not reproduce the claim`,
+          );
+        }
+        if (c.nonMonotone && s.rederived !== true) {
+          throw new Error(
+            `extremum-retraction:${s.readId}:${s.group}: the covered range retracts the ${s.kind} (a non-monotone ` +
+              `step) — a silent retraction never folds. Re-derive the absolute from the shard's projection and ` +
+              `declare it (rederived: true); deep-verify remains the recourse`,
+          );
+        }
+      } else if ((s.prev as number) + c.sum !== s.value) {
+        throw new Error(
+          `summary-mismatch: (${s.readId}, '${s.group}') claims ${s.value} but prev ${s.prev} + ` +
+            `carried deltas ${c.sum} = ${(s.prev as number) + c.sum} — the evidence does not reproduce the claim`,
+        );
+      }
+    }
+    const ops = [];
+    for (const s of p.subtotals) {
+      const row = instance(NomosSummarySubtotal, summarySubtotalRowId(p.shard, s.readId, s.group));
+      ops.push(
+        withMarker(set(row, "readId", s.readId), "ensures"),
+        set(row, "group", s.group),
+        set(row, "shard", p.shard),
+        set(row, "kind", s.kind),
+        set(row, "bucket", summaryBucket(s.readId, s.group)),
+        set(row, "value", s.value ?? 0),
+        set(row, "frontier", p.toOid),
+        // EXTREMUM kinds carry the emptiness FLAG (0 is a legitimate extremum);
+        // additive rows never set the field — byte-identical to the slice-3 shape.
+        ...(isExtremum(s.kind) ? [set(row, "empty", s.value === null ? 1 : 0)] : []),
+      );
+    }
+    const wm = instance(NomosSummaryFrontier, summaryFrontierRowId(p.shard));
+    ops.push(
+      withMarker(set(wm, "shard", p.shard), "ensures"),
+      set(wm, "frontier", p.toOid),
+      set(wm, "readManifestHash", p.readManifestHash),
+      set(wm, "updatedAt", p.propagatedAt),
+    );
+    return ops;
+  });
+
+// ── helpers ───────────────────────────────────────────────────────────────────────────
+
+const pascal = (s: string) =>
+  s.replace(/[_\s-]+(\w)/g, (_m, c: string) => c.toUpperCase()).replace(/^./, (c) => c.toUpperCase());
+const camel = (s: string) => {
+  const p = pascal(s);
+  return p.length ? p[0]!.toLowerCase() + p.slice(1) : p;
+};
+
+/** The derived placement directive's id for a packed axis type (`site` → `birthSite`). */
+export function placementDirectiveId(axisType: string): string {
+  return `birth${pascal(axisType)}`;
+}
+
+/** The derived placement payload's home-key field for a packed axis (`site` → `siteId`). */
+export function placementHomeKeyField(axisType: string): string {
+  return `${camel(axisType)}Id`;
+}
+
+// ── THE ROUTE TAG, engine-side (the §4 self-routing mint — pure JS, no wasm change) ──
+//
+// sha256 over UTF-8, byte-for-byte the client/edge tag (`workspace_routing.ts`
+// `routeTagHexOfHomeKey`): the first 48 bits of sha256("nomos-route:" + homeKey) as
+// 12 lowercase hex chars. Compact, dependency-free, deterministic — it must run
+// inside the sealed QuickJS sandbox (no crypto, no node builtins).
+
+const SHA256_K = [
+  0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
+  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
+  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
+  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
+  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
+  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
+];
+
+function utf8Bytes(s: string): number[] {
+  const out: number[] = [];
+  for (let i = 0; i < s.length; i++) {
+    let c = s.charCodeAt(i);
+    if (c < 0x80) out.push(c);
+    else if (c < 0x800) out.push(0xc0 | (c >> 6), 0x80 | (c & 0x3f));
+    else if (c >= 0xd800 && c <= 0xdbff && i + 1 < s.length) {
+      const lo = s.charCodeAt(i + 1);
+      if (lo >= 0xdc00 && lo <= 0xdfff) {
+        c = 0x10000 + ((c - 0xd800) << 10) + (lo - 0xdc00);
+        out.push(0xf0 | (c >> 18), 0x80 | ((c >> 12) & 0x3f), 0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
+        i++;
+      } else out.push(0xef, 0xbf, 0xbd);
+    } else out.push(0xe0 | (c >> 12), 0x80 | ((c >> 6) & 0x3f), 0x80 | (c & 0x3f));
+  }
+  return out;
+}
+
+/** sha256 hex of a string's UTF-8 bytes — pure, sandbox-safe, deterministic. */
+export function sha256HexSync(text: string): string {
+  const msg = utf8Bytes(text);
+  const bitLen = msg.length * 8;
+  msg.push(0x80);
+  while (msg.length % 64 !== 56) msg.push(0);
+  // 64-bit big-endian length (length < 2^53 — exact in float)
+  const hi = Math.floor(bitLen / 0x100000000);
+  msg.push((hi >>> 24) & 0xff, (hi >>> 16) & 0xff, (hi >>> 8) & 0xff, hi & 0xff);
+  msg.push((bitLen >>> 24) & 0xff, (bitLen >>> 16) & 0xff, (bitLen >>> 8) & 0xff, bitLen & 0xff);
+  const h = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];
+  const w = new Array<number>(64);
+  const rotr = (x: number, n: number) => (x >>> n) | (x << (32 - n));
+  for (let off = 0; off < msg.length; off += 64) {
+    for (let i = 0; i < 16; i++) {
+      w[i] = ((msg[off + 4 * i]! << 24) | (msg[off + 4 * i + 1]! << 16) | (msg[off + 4 * i + 2]! << 8) | msg[off + 4 * i + 3]!) >>> 0;
+    }
+    for (let i = 16; i < 64; i++) {
+      const s0 = rotr(w[i - 15]!, 7) ^ rotr(w[i - 15]!, 18) ^ (w[i - 15]! >>> 3);
+      const s1 = rotr(w[i - 2]!, 17) ^ rotr(w[i - 2]!, 19) ^ (w[i - 2]! >>> 10);
+      w[i] = (w[i - 16]! + s0 + w[i - 7]! + s1) >>> 0;
+    }
+    let [a, b, c, d, e, f, g, hh] = h as [number, number, number, number, number, number, number, number];
+    for (let i = 0; i < 64; i++) {
+      const S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25);
+      const ch = (e & f) ^ (~e & g);
+      const t1 = (hh + S1 + ch + SHA256_K[i]! + w[i]!) >>> 0;
+      const S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22);
+      const maj = (a & b) ^ (a & c) ^ (b & c);
+      const t2 = (S0 + maj) >>> 0;
+      hh = g; g = f; f = e; e = (d + t1) >>> 0; d = c; c = b; b = a; a = (t1 + t2) >>> 0;
+    }
+    h[0] = (h[0]! + a) >>> 0; h[1] = (h[1]! + b) >>> 0; h[2] = (h[2]! + c) >>> 0; h[3] = (h[3]! + d) >>> 0;
+    h[4] = (h[4]! + e) >>> 0; h[5] = (h[5]! + f) >>> 0; h[6] = (h[6]! + g) >>> 0; h[7] = (h[7]! + hh) >>> 0;
+  }
+  return h.map((x) => x.toString(16).padStart(8, "0")).join("");
+}
+
+/** The 48-bit route tag of a home key — agrees byte-for-byte with the client/edge tag. */
+export function routeTagHexSync(homeKey: string): string {
+  return sha256HexSync(`nomos-route:${homeKey}`).slice(0, 12);
+}
+
+/** The 48-bit tag slot of a minted id (the UUIDv7 leading 12 hex), or undefined. */
+function tagSlotOfMintedId(id: string): string | undefined {
+  const i = id.indexOf("_");
+  if (i <= 0) return undefined;
+  const body = id.slice(i + 1).replace(/-/g, "").toLowerCase();
+  return /^[0-9a-f]{32}$/.test(body) ? body.slice(0, 12) : undefined;
+}
+
+/**
+ * ROUTE-TAGGED IN-PLAN MINTS (§4, the slice-2 boundary closed): wrap the sealed
+ * sandbox's `globalThis.plan` and `globalThis.nomos.mint` so that, WHILE a routed
+ * directive's plan runs, an in-plan `create(Agg)` mint of a PACKED-HOMED aggregate
+ * folds the intent's home ROUTE TAG into the UUIDv7 timestamp slot. Called by the
+ * GENERATED ENTRY of a taxonomy-bearing package, at lump top-level eval — BEFORE the
+ * engine freezes `globalThis` (the same window `registerEngine` uses for its own
+ * assignments). Determinism: the tagged mint consumes the SAME 19 captured rng draws
+ * a plain mint consumes and reads no clock — a replayed plan re-mints byte-identical
+ * ids. Outside the sealed sandbox (compile-lane imports, tests) this is a no-op.
+ */
+export function installRouteTaggedMint(spec: ShardingLawSpec): void {
+  const routes = new Map((spec.routes ?? []).map((r) => [r.directive, r]));
+  const homes = spec.homes ?? {};
+  if (routes.size === 0 || Object.keys(homes).length === 0) return;
+  const g = globalThis as {
+    plan?: (job: unknown) => unknown;
+    nomos?: { mint(typeTag: string): string; [k: string]: unknown };
+    __ports?: { rng(): number };
+  };
+  const prevPlan = g.plan;
+  const baseNomos = g.nomos;
+  const ports = g.__ports;
+  if (typeof prevPlan !== "function" || !baseNomos || typeof baseNomos.mint !== "function" || !ports) {
+    return; // not the sealed sandbox — nothing to install
+  }
+  let currentTag: string | null = null;
+  const nib = () => Math.floor(ports.rng() * 16).toString(16);
+  const nibs = (n: number) => { let s = ""; for (let i = 0; i < n; i++) s += nib(); return s; };
+  const taggedMint = (typeTag: string): string => {
+    if (currentTag === null || homes[String(typeTag)] === undefined) return baseNomos.mint(typeTag);
+    const tg = currentTag;
+    const variant = "89ab".charAt(Math.floor(ports.rng() * 4));
+    return (
+      String(typeTag) + "_" + tg.slice(0, 8) + "-" + tg.slice(8, 12) + "-7" + nibs(3) +
+      "-" + variant + nibs(3) + "-" + nibs(12)
+    );
+  };
+  g.nomos = Object.freeze({ ...baseNomos, mint: taggedMint });
+  g.plan = (job: unknown) => {
+    const intent = (job as { intent?: { directiveId?: string; payload?: Record<string, unknown> } } | null)?.intent ?? {};
+    const route = typeof intent.directiveId === "string" ? routes.get(intent.directiveId) : undefined;
+    currentTag = null;
+    if (route !== undefined) {
+      const v = intent.payload?.[route.key];
+      if (typeof v === "string" && v.length > 0) {
+        currentTag = route.via === "axis" ? routeTagHexSync(v) : (tagSlotOfMintedId(v) ?? null);
+      }
+    }
+    try {
+      return prevPlan(job);
+    } finally {
+      currentTag = null;
+    }
+  };
+}
+
+/**
+ * Build the derived sharding-law module for a taxonomy. Deterministic in `spec`
+ * (the generated entry calls it with compile-derived literals, so the lump bytes —
+ * and the domain hash — move iff the taxonomy moves).
+ */
+export function shardingLawModule(spec: ShardingLawSpec): Record<string, unknown> {
+  const mod: Record<string, unknown> = {
+    NomosShardAssignment,
+    NomosShardIdentity,
+    NomosHomeReceipt,
+    NomosShardRegistry,
+    NomosShardPolicy,
+    NomosSummarySubtotal,
+    NomosSummaryFrontier,
+    NomosDeepVerify,
+    NomosCheckpointSeal,
+    nomosDeclareShardIdentity,
+    nomosReceiveAssignment,
+    nomosOpenShard,
+    nomosSetShardPolicy,
+    nomosPropagateSummary,
+    nomosAmendSummaryFrontier,
+    nomosRecordDeepVerify,
+    nomosCheckpointSeal,
+    nomosSplitShard,
+    nomosSealHandoff,
+    nomosSealHome,
+    nomosShardAssignmentByHomeKey: query("nomosShardAssignmentByHomeKey")
+      .key("homeKey")
+      .returns(NomosShardAssignment),
+    nomosShardIdentityByScope: query("nomosShardIdentityByScope")
+      .key("scope")
+      .returns(NomosShardIdentity),
+    nomosSummarySubtotalByShard: query("nomosSummarySubtotalByShard")
+      .key("shard")
+      .returns(NomosSummarySubtotal),
+    nomosShardRegistryByStatus: query("nomosShardRegistryByStatus")
+      .key("status")
+      .returns(NomosShardRegistry),
+    // THE ESTATE TOTAL (§5.1): an ORDINARY maintained sum over committed subtotal
+    // rows, grouped by `bucket` = readId group — O(1) by #31. A scoped read's
+    // estate value = the coordinator's local tally + this sum at its bucket.
+    nomosEstateSummary: sum("nomosEstateSummary", "value").of(NomosSummarySubtotal).by("bucket"),
+    // THE ESTATE EXTREMUMS (§5.2, slice 8): ORDINARY maintained min/max over the
+    // SAME committed subtotal rows, by bucket — extremums over disjoint shards
+    // compose by extremizing per-shard extremums, so the estate value is O(1) off
+    // the projection's long-maintained extrema lane (the #47 RPC reads it). Rows
+    // flagged `empty:1` (a shard whose group has no contributing member) are
+    // EXCLUDED — an empty group has no extremum, and 0 is a legitimate value.
+    // Buckets partition by readId, so additive rows never pollute an extremum
+    // read's bucket. A scoped min/max's estate value = extremize(the
+    // coordinator's local extremum, this read at its bucket).
+    nomosEstateExtremumMin: min("nomosEstateExtremumMin", "value")
+      .of(NomosSummarySubtotal)
+      .where((p) => p.field("empty").ne(1))
+      .by("bucket"),
+    nomosEstateExtremumMax: max("nomosEstateExtremumMax", "value")
+      .of(NomosSummarySubtotal)
+      .where((p) => p.field("empty").ne(1))
+      .by("bucket"),
+  };
+
+  // ── §5.2 step 1+2 — THE SUMMARY GATE (held state versus the claims, via `pre:`) ──
+  // The plan above already proved claimed = claimedPrev + Σ carried deltas (pure
+  // arithmetic). This invariant pins the claims to HELD law-state, read PRE-APPLY
+  // (the executor's `pre:` namespace — the plan overwrites these very rows):
+  //   * contiguity — fromOid must equal the recorded per-shard frontier (a gap,
+  //     reorder, or fork refuses typed `frontier-gap:<expected>`; the shard re-emits
+  //     from there — the suffix re-derivation lane);
+  //   * recomputation — every claimed `prev` must equal the held subtotal value
+  //     (`summary-mismatch:…`): held + carried events ⇒ claimed, byte-compared.
+  mod["nomosSummaryGate_nomosPropagateSummary"] = workspaceInvariant("nomosSummaryGate:nomosPropagateSummary")
+    .on("nomosPropagateSummary")
+    .reads(({ intent }) => {
+      const shard = String(intent["shard"] ?? "");
+      const subtotals = Array.isArray(intent["subtotals"]) ? (intent["subtotals"] as { readId?: unknown; group?: unknown }[]) : [];
+      return [
+        refAs("frontier", "NomosSummaryFrontier", `pre:${summaryFrontierRowId(shard)}`),
+        ...subtotals.map((s, i) =>
+          refAs(`prev${i}`, "NomosSummarySubtotal", `pre:${summarySubtotalRowId(shard, String(s.readId ?? ""), String(s.group ?? ""))}`),
+        ),
+      ];
+    })
+    .assert((snapshots, ctx) => {
+      const intent = ctx?.intent ?? {};
+      const held = snapshots["frontier"]?.["frontier"];
+      const heldFrontier = typeof held === "string" ? held : "";
+      const fromOid = typeof intent["fromOid"] === "string" ? (intent["fromOid"] as string) : "";
+      if (fromOid !== heldFrontier) {
+        return { reject: `frontier-gap:${heldFrontier === "" ? "genesis" : heldFrontier}` };
+      }
+      const subtotals = Array.isArray(intent["subtotals"]) ? (intent["subtotals"] as { readId?: unknown; group?: unknown; prev?: unknown; kind?: unknown }[]) : [];
+      for (let i = 0; i < subtotals.length; i++) {
+        const s = subtotals[i]!;
+        const heldRow = snapshots[`prev${i}`] ?? {};
+        const heldRaw = heldRow["value"];
+        if (s.kind === "min" || s.kind === "max") {
+          // EXTREMUM kinds (slice 8): the held prev is NULL when no row exists yet
+          // OR the held row is flagged empty — null is vocabulary, never 0.
+          const heldValue: number | null =
+            typeof heldRaw !== "number" || heldRow["empty"] === 1 ? null : heldRaw;
+          const claimedPrev = s.prev === null ? null : typeof s.prev === "number" ? s.prev : NaN;
+          if (claimedPrev !== heldValue) {
+            return {
+              reject: `summary-mismatch:${String(s.readId)}:held:${heldValue === null ? "null" : heldValue}:claimedPrev:${String(s.prev)}`,
+            };
+          }
+          continue;
+        }
+        const heldValue = typeof heldRaw === "number" ? heldRaw : 0;
+        const claimedPrev = typeof s.prev === "number" ? s.prev : NaN;
+        if (claimedPrev !== heldValue) {
+          return {
+            reject: `summary-mismatch:${String(s.readId)}:held:${heldValue}:claimedPrev:${String(s.prev)}`,
+          };
+        }
+      }
+      return { accept: true };
+    });
+
+  // ── §5.5 — THE CHECKPOINT GATE (slice 4, ruling 1): a seal's claims are judged
+  //    against HELD law-state, pre-apply (the plan overwrites the head pointer):
+  //      * IDEMPOTENT RE-OFFER — a seal row already held with the SAME canonical
+  //        frontiers + state hash re-folds byte-identically (accept), even after
+  //        the lane moved on; DIFFERENT content under a held sequence refuses
+  //        typed `seal-exists:<seq>`;
+  //      * FRONTIER PINNING — every claimed frontier must equal the recorded
+  //        per-shard watermark (`seal-frontier-mismatch:<shard>:<held>`): a seal
+  //        can never bind a frontier the delta lane never committed;
+  //      * SEQUENCING — seq must be the held head + 1 (`seal-replay:<expected>`):
+  //        no skipped or replayed sequence points. ──
+  mod["nomosCheckpointGate_nomosCheckpointSeal"] = workspaceInvariant("nomosCheckpointGate:nomosCheckpointSeal")
+    .on("nomosCheckpointSeal")
+    .reads(({ intent }) => {
+      const frontiers = Array.isArray(intent["frontiers"]) ? (intent["frontiers"] as { shard?: unknown }[]) : [];
+      const seq = typeof intent["seq"] === "number" ? (intent["seq"] as number) : "?";
+      return [
+        refAs("head", "NomosCheckpointSeal", `pre:${NOMOS_CHECKPOINT_HEAD_ID}`),
+        refAs("own", "NomosCheckpointSeal", `pre:${checkpointSealRowId(seq)}`),
+        ...frontiers.map((f, i) =>
+          refAs(`front${i}`, "NomosSummaryFrontier", `pre:${summaryFrontierRowId(String(f?.shard ?? ""))}`),
+        ),
+      ];
+    })
+    .assert((snapshots, ctx) => {
+      const intent = ctx?.intent ?? {};
+      const claimedSeq = typeof intent["seq"] === "number" ? (intent["seq"] as number) : NaN;
+      const frontiers = Array.isArray(intent["frontiers"])
+        ? (intent["frontiers"] as { shard?: unknown; frontier?: unknown }[])
+        : [];
+      const canonical = canonicalSealFrontiers(
+        frontiers.map((f) => ({ shard: String(f?.shard ?? ""), frontier: String(f?.frontier ?? "") })),
+      );
+      // 1. the idempotent re-offer: the SAME seal re-folds; different content refuses.
+      const own = snapshots["own"] ?? {};
+      if (typeof own["seq"] === "number") {
+        return own["stateHash"] === intent["stateHash"] && own["frontiers"] === canonical
+          ? { accept: true }
+          : { reject: `seal-exists:${String(claimedSeq)}` };
+      }
+      // 2. every claimed frontier must be the HELD watermark.
+      for (let i = 0; i < frontiers.length; i++) {
+        const f = frontiers[i] ?? {};
+        const heldRaw = snapshots[`front${i}`]?.["frontier"];
+        const held = typeof heldRaw === "string" ? heldRaw : "";
+        if (held === "" || held !== f.frontier) {
+          return { reject: `seal-frontier-mismatch:${String(f.shard)}:${held === "" ? "genesis" : held}` };
+        }
+      }
+      // 3. the next sequence point, exactly.
+      const headSeq = typeof (snapshots["head"] ?? {})["seq"] === "number" ? ((snapshots["head"] ?? {})["seq"] as number) : 0;
+      if (claimedSeq !== headSeq + 1) return { reject: `seal-replay:${headSeq + 1}` };
+      return { accept: true };
+    });
+
+  // ── §6 — THE MOVE GATE (slice 5): the lifecycle flips are judged against the HELD
+  //    rows (`pre:` reads — the plans overwrite them). A split may only move ACTIVE
+  //    homes it actually holds on the named source; a handoff seal may only land on
+  //    rows mid-move to exactly its target, with the map version bumped exactly once.
+  //    Every refusal is typed with the held state — the named remedy. ──
+  const moveReads = ({ intent }: { intent: Record<string, unknown> }) => {
+    const homeKeys = Array.isArray(intent["homeKeys"]) ? (intent["homeKeys"] as unknown[]) : [];
+    return homeKeys.map((k, i) =>
+      refAs(`held${i}`, "NomosShardAssignment", `pre:${shardAssignmentRowId(String(k ?? ""))}`),
+    );
+  };
+  mod["nomosMoveGate_nomosSplitShard"] = workspaceInvariant("nomosMoveGate:nomosSplitShard")
+    .on("nomosSplitShard")
+    .reads(moveReads)
+    .assert((snapshots, ctx) => {
+      const intent = ctx?.intent ?? {};
+      const fromShard = String(intent["fromShard"] ?? "");
+      const homeKeys = Array.isArray(intent["homeKeys"]) ? (intent["homeKeys"] as unknown[]) : [];
+      for (let i = 0; i < homeKeys.length; i++) {
+        const held = snapshots[`held${i}`] ?? {};
+        const heldShard = held["shard"];
+        if (typeof heldShard !== "string" || heldShard.length === 0) {
+          return { reject: `split-unplaced:${String(homeKeys[i])}` };
+        }
+        if (heldShard !== fromShard) return { reject: `wrong-source:${heldShard}` };
+        const status = held["status"];
+        if (typeof status === "string" && status !== "" && status !== "active") {
+          return { reject: `not-active:${status}` };
+        }
+      }
+      return { accept: true };
+    });
+  mod["nomosMoveGate_nomosSealHandoff"] = workspaceInvariant("nomosMoveGate:nomosSealHandoff")
+    .on("nomosSealHandoff")
+    .reads(moveReads)
+    .assert((snapshots, ctx) => {
+      const intent = ctx?.intent ?? {};
+      const toShard = String(intent["toShard"] ?? "");
+      const homeKeys = Array.isArray(intent["homeKeys"]) ? (intent["homeKeys"] as unknown[]) : [];
+      const claimedVersion = typeof intent["mapVersion"] === "number" ? (intent["mapVersion"] as number) : NaN;
+      for (let i = 0; i < homeKeys.length; i++) {
+        const held = snapshots[`held${i}`] ?? {};
+        const target = movingTargetOf(held["status"]);
+        if (target === undefined) return { reject: `not-moving:${String(held["status"] ?? "unplaced")}` };
+        if (target !== toShard) return { reject: `wrong-target:${target}` };
+        const heldVersion = typeof held["mapVersion"] === "number" ? (held["mapVersion"] as number) : 1;
+        if (claimedVersion !== heldVersion + 1) return { reject: `bad-map-version:${heldVersion + 1}` };
+      }
+      return { accept: true };
+    });
+
+  // ── THE HOMING INVARIANT, per routed `via:"axis"` directive (#41 — slice 3a;
+  //    slice 3: judged against the shard's OWN ASSIGNMENT RECEIPTS, not a static
+  //    formula — least-loaded placement is law-state, never a pure function) ──
+  // No identity declared (label absent/"") ⇒ vacuously holds — the coordinator, a
+  // direct unsharded workspace, and every pre-#41 chain judge exactly as before (the
+  // edge bailiff stays the outer guard there). A `via:"id"` misroute needs no invariant:
+  // its target does not exist on the wrong shard, which the referential gate refuses.
+  const axisByType = new Map(spec.axes.map((a) => [a.axisType, a]));
+  for (const route of spec.routes ?? []) {
+    if (route.via !== "axis") continue;
+    const axis = axisByType.get(route.home);
+    if (axis === undefined) {
+      throw new Error(
+        `workspace-sharding: route for directive '${route.directive}' homes on '${route.home}' ` +
+          `but no packed axis of that type exists — the taxonomy and the routes disagree. ` +
+          `Recompile from one source (nomos-compile derives both).`,
+      );
+    }
+    const keyField = route.key;
+    mod[`nomosWrongHome_${route.directive}`] = workspaceInvariant(`nomosWrongHome:${route.directive}`)
+      .on(route.directive)
+      .reads(({ intent }) => [
+        refAs("shardIdentity", "NomosShardIdentity", NOMOS_SHARD_IDENTITY_ID),
+        refAs("receipt", "NomosHomeReceipt", homeReceiptRowId(String(intent[keyField] ?? ""))),
+      ])
+      .assert((snapshots, ctx) => {
+        const identity = snapshots["shardIdentity"] ?? {};
+        const label = identity["label"];
+        // No declared identity (or the coordinator's "") ⇒ this workspace makes no
+        // homing claim ⇒ the invariant holds vacuously.
+        if (typeof label !== "string" || label.length === 0) return { accept: true };
+        const homeKey = ctx?.intent?.[keyField];
+        if (typeof homeKey !== "string" || homeKey.length === 0) {
+          // A routed directive whose home field is absent is an unroutable write —
+          // refuse with the named remedy (the field is required by the route law).
+          return { reject: `wrong-home:unroutable:${keyField}` };
+        }
+        const receipt = snapshots["receipt"] ?? {};
+        const receiptShard = receipt["shard"];
+        if (typeof receiptShard !== "string" || receiptShard.length === 0) {
+          // No receipt: this chain has never been assigned the home. The typed remedy
+          // points at the receipt leg; the edge bailiff (coordinator-sighted) NAMES
+          // the correct workspace on the same refusal lane.
+          return { reject: `wrong-home:unassigned:${homeKey}` };
+        }
+        return receiptShard === label
+          ? { accept: true }
+          : { reject: `wrong-home:${receiptShard}` };
+      });
+  }
+
+  // ── THE RECEIPT'S OWN HOMING (a receipt claiming a foreign shard never folds) ──
+  mod["nomosReceiptHome_nomosReceiveAssignment"] = workspaceInvariant("nomosReceiptHome:nomosReceiveAssignment")
+    .on("nomosReceiveAssignment")
+    .reads(() => [refAs("shardIdentity", "NomosShardIdentity", NOMOS_SHARD_IDENTITY_ID)])
+    .assert((snapshots, ctx) => {
+      const label = snapshots["shardIdentity"]?.["label"];
+      if (typeof label !== "string" || label.length === 0) return { accept: true };
+      const claimed = ctx?.intent?.["shard"];
+      return claimed === label ? { accept: true } : { reject: `wrong-home:receipt:${String(claimed)}` };
+    });
+
+  for (const axis of spec.axes) {
+    if (!Number.isInteger(axis.shardCount) || axis.shardCount < 1) {
+      throw new Error(
+        `workspace-sharding: axis '${axis.axisType}' has shardCount ${axis.shardCount} — ` +
+          `declare the initial open-shard count as .pool(n) on the parent workspaceType.`,
+      );
+    }
+    const keyField = placementHomeKeyField(axis.axisType);
+    const axisType = axis.axisType;
+    const dirId = placementDirectiveId(axis.axisType);
+    // THE PLACEMENT (slice 3 — least-loaded): the shard rides IN the payload (picked
+    // by the dispatching client/worker over committed load subtotals — law-state,
+    // never a live read a plan takes); the row id is the home key (ONE active
+    // assignment per home, by construction); a conflicting re-offer refuses typed.
+    mod[dirId] = directive(dirId)
+      .ensures(NomosShardAssignment)
+      .payload(
+        z.object({
+          [keyField]: z.string().min(1),
+          shard: z.string().regex(/^s\d+$/),
+          placedAt: z.string(),
+        }),
+      )
+      .plan((p: Record<string, string>) => {
+        const homeKey = p[keyField]!;
+        const row = instance(NomosShardAssignment, shardAssignmentRowId(homeKey));
+        return [
+          withMarker(set(row, "homeType", axisType), "ensures"),
+          set(row, "homeKey", homeKey),
+          set(row, "shard", p.shard!),
+          set(row, "mapVersion", 1),
+          set(row, "status", "active"),
+          set(row, "placedAt", p.placedAt!),
+        ];
+      });
+    // PLACEMENT UNIQUENESS (task #42 item 5): an idempotent re-offer (same shard)
+    // re-folds the same row; a CONFLICTING one refuses typed with the held shard.
+    // THE MOVE-LANE GUARD (slice 5): a re-offer may only reproduce a FRESH placement
+    // byte-for-byte — a home mid-move refuses `home-moving:<target>` (park, retry),
+    // and a home the §6 lane has ever moved (mapVersion > 1) refuses
+    // `placement-exists:<heldShard>` (the plan would regress status/mapVersion to
+    // their birth values; the routed client answers such re-offers from the held
+    // row WITHOUT authoring).
+    mod[`nomosPlacementUnique_${dirId}`] = workspaceInvariant(`nomosPlacementUnique:${dirId}`)
+      .on(dirId)
+      .reads(({ intent }) => [
+        refAs("held", "NomosShardAssignment", `pre:${shardAssignmentRowId(String(intent[keyField] ?? ""))}`),
+      ])
+      .assert((snapshots, ctx) => {
+        const held = snapshots["held"] ?? {};
+        const heldShard = held["shard"];
+        if (typeof heldShard !== "string" || heldShard.length === 0) return { accept: true };
+        const target = movingTargetOf(held["status"]);
+        if (target !== undefined) return { reject: `home-moving:${target}` };
+        const heldVersion = typeof held["mapVersion"] === "number" ? (held["mapVersion"] as number) : 1;
+        const offered = ctx?.intent?.["shard"];
+        return offered === heldShard && heldVersion === 1
+          ? { accept: true } // the idempotent re-offer — same home, same shard, fresh era
+          : { reject: `placement-exists:${heldShard}` };
+      });
+  }
+  return mod;
+}