dos-kernel 0.22.0__py3-none-win_amd64.whl

dos/__init__.py

@@ -0,0 +1,261 @@
+"""DOS — the Dispatch Operating System.
+
+The domain-free trust substrate the `job` repo's dispatch family invented by
+accident: a small, boring, deterministic kernel whose primary job is
+**adjudicating ground truth across many unreliable, self-narrating workers** and
+serializing their effects on shared state *without believing what they say they
+did*. The tagline (dispatch-os-vision §0): **the kernel is the part that doesn't
+believe the agents.**
+
+This package is the "Stage-1 kernel extraction" — the spine lifted out of
+the reference userland app's scripts into a standalone, pip-installable,
+**workspace-parameterized** package. It carries the *mechanism* (verdict enum, ship oracle, structured
+refusal, lease arbiter, correlation spine) and **no policy**: which lanes exist,
+where plans live, and what counts as a ship stamp are per-workspace data the
+host supplies via `dos.config.SubstrateConfig`. The package never assumes it
+lives inside the repo whose state it manages.
+
+The syscall ABI (dispatch-os-vision §4), mapped to the modules here:
+
+    verify()           -> dos.oracle        (the truth syscall — artifact over narration)
+    refuse(reason)     -> dos.wedge_reason  (structured refusal — the closed WedgeReason enum)
+                          dos.picker_oracle (provable no-pick verification)
+    lease()/arbitrate()-> dos.arbiter       (the pure admission kernel — ACR Plane ①)
+    spawn()/reap()     -> dos.run_id        (the correlation spine across subprocess boundaries)
+                          dos.lane_journal  (the write-ahead log for lease decisions)
+
+The first userland app written against this kernel is `job` (job search), the
+way `cat` was the first program for Unix.
+"""
+
+from __future__ import annotations
+
+# Single-source the version from installed package metadata so it can never
+# drift from pyproject.toml (it did: __version__ said 0.1.0 while pyproject
+# shipped 0.2.0, so every `dos` CLI command misreported its version). The
+# literal fallback is only hit when running from an uninstalled source tree;
+# keep it equal to pyproject's version for that case.
+#
+# NB: the distribution name is `dos-kernel`, not `dos` (the bare `dos` name on
+# PyPI is an unrelated package). The metadata lookup MUST use the dist name —
+# looking up "dos" would miss our metadata and, if the squatter were installed,
+# could even read ITS version. The import name is still `dos`; only the dist
+# name differs.
+try:
+    from importlib.metadata import version as _pkg_version
+
+    __version__ = _pkg_version("dos-kernel")
+except Exception:  # pragma: no cover - source-tree / not-installed fallback
+    __version__ = "0.22.0"
+
+from dos import config  # noqa: F401  (re-export the seam as the package entry)
+from dos.config import (  # noqa: F401
+    SubstrateConfig,
+    LaneTaxonomy,
+    PathLayout,
+    HomeLayout,
+    job_config,
+    default_config,
+    active,
+    set_active,
+    resolve_dos_home,
+    active_home,
+    set_active_home,
+)
+from dos.reasons import (  # noqa: F401  (the refusal vocabulary, as data)
+    ReasonSpec,
+    ReasonRegistry,
+    BASE_REASONS,
+)
+from dos.stamp import (  # noqa: F401  (the ship-stamp grammar, as data)
+    StampConvention,
+    JOB_STAMP_CONVENTION,
+    GENERIC_STAMP_CONVENTION,
+    parse_phase_labels,
+)
+from dos.retention import (  # noqa: F401  (the scratch-retention caps, as data)
+    RetentionPolicy,
+    GENERIC_RETENTION,
+    UNBOUNDED_RETENTION,
+    should_compact,
+)
+from dos.intervention import (  # noqa: F401  (the actuation ladder, docs/143 §13)
+    Intervention,
+    Confidence,
+    InterventionSpec,
+    InterventionLadder,
+    BASE_INTERVENTIONS,
+    InterventionPolicy,
+    DEFAULT_POLICY as DEFAULT_INTERVENTION_POLICY,
+    InterventionDecision,
+    assess_confidence,
+    choose_intervention,
+    synthetic_corrective_result,
+)
+from dos.intervention_eval import (  # noqa: F401  (the net-task-delta eval, docs/143 §13.2)
+    InterventionCase,
+    InterventionReport,
+)
+from dos.enforce import (  # noqa: F401  (the enforcement-handler seam, docs/189 §A1)
+    EffectProposal,
+    EnforcementHandler,
+    ObserveHandler,
+    run_handler,
+    resolve_handler,
+    active_handlers,
+    active_handler_names,
+)
+from dos.tool_stream import (  # noqa: F401  (the loop-economics stall reader, docs/145)
+    StreamState,
+    StreamPolicy,
+    DEFAULT_POLICY as DEFAULT_STREAM_POLICY,
+    StreamStep,
+    ToolStream,
+    StreamVerdict,
+    classify_stream,
+    policy_from_table as stream_policy_from_table,
+)
+from dos.tool_stream_eval import (  # noqa: F401  (the stall-reader recovery eval, docs/145 §9)
+    StreamCase,
+    StreamEvalReport,
+)
+from dos.dangling_intent import (  # noqa: F401  (the premature-completion DETECTOR, docs/150)
+    Dangling,
+    DanglingPolicy,
+    DEFAULT_POLICY as DEFAULT_DANGLING_POLICY,
+    DEFAULT_CUES as DEFAULT_DANGLING_CUES,
+    StopEvidence,
+    DanglingVerdict,
+    classify_stop,
+)
+from dos.firing_label import (  # noqa: F401  (detector self-labeling — the data-multiplier, docs/179)
+    DetectorFiring,
+    LabelOutcome,
+    LabeledPoint,
+    LabelSummary,
+    label_one,
+    label_firings,
+    dedupe_firings,
+)
+from dos.pickable import (  # noqa: F401  (the pre-dispatch gate, docs/168 Concept 2)
+    HoldReason,
+    Pickability,
+    classify as pickable_classify,
+)
+from dos.pick_priority import (  # noqa: F401  (the freshness sort-key, docs/254)
+    AttemptSummary,
+    Freshness,
+    PickPriority,
+    classify as pick_priority_classify,
+)
+from dos import render  # noqa: F401  (the renderer seam — Axis 4 output, RND)
+from dos.render import (  # noqa: F401
+    Renderer,
+    BaseRenderer,
+    TextRenderer,
+    JsonRenderer,
+    BUILTIN_RENDERERS,
+    resolve_renderer,
+    known_renderers,
+    UnknownRenderer,
+)
+from dos.reward import (  # noqa: F401  (the reward-set admission verdict, docs/230/234)
+    RewardVerdict,
+    RewardLabel,
+    admit as reward_admit,
+    AcceptanceAB,
+    acceptance_ab as reward_acceptance_ab,
+)
+
+__all__ = [
+    "__version__",
+    "config",
+    "SubstrateConfig",
+    "LaneTaxonomy",
+    "PathLayout",
+    "HomeLayout",
+    "job_config",
+    "default_config",
+    "active",
+    "set_active",
+    "resolve_dos_home",
+    "active_home",
+    "set_active_home",
+    "ReasonSpec",
+    "ReasonRegistry",
+    "BASE_REASONS",
+    "StampConvention",
+    "JOB_STAMP_CONVENTION",
+    "GENERIC_STAMP_CONVENTION",
+    "parse_phase_labels",
+    "RetentionPolicy",
+    "GENERIC_RETENTION",
+    "UNBOUNDED_RETENTION",
+    "should_compact",
+    "Intervention",
+    "Confidence",
+    "InterventionSpec",
+    "InterventionLadder",
+    "BASE_INTERVENTIONS",
+    "InterventionPolicy",
+    "DEFAULT_INTERVENTION_POLICY",
+    "InterventionDecision",
+    "assess_confidence",
+    "choose_intervention",
+    "synthetic_corrective_result",
+    "InterventionCase",
+    "InterventionReport",
+    "EffectProposal",
+    "EnforcementHandler",
+    "ObserveHandler",
+    "run_handler",
+    "resolve_handler",
+    "active_handlers",
+    "active_handler_names",
+    "StreamState",
+    "StreamPolicy",
+    "DEFAULT_STREAM_POLICY",
+    "StreamStep",
+    "ToolStream",
+    "StreamVerdict",
+    "classify_stream",
+    "stream_policy_from_table",
+    "StreamCase",
+    "StreamEvalReport",
+    "DetectorFiring",
+    "LabelOutcome",
+    "LabeledPoint",
+    "LabelSummary",
+    "label_one",
+    "label_firings",
+    "dedupe_firings",
+    "Dangling",
+    "DanglingPolicy",
+    "DEFAULT_DANGLING_POLICY",
+    "DEFAULT_DANGLING_CUES",
+    "StopEvidence",
+    "DanglingVerdict",
+    "classify_stop",
+    "HoldReason",
+    "Pickability",
+    "pickable_classify",
+    "AttemptSummary",
+    "Freshness",
+    "PickPriority",
+    "pick_priority_classify",
+    "render",
+    "Renderer",
+    "BaseRenderer",
+    "TextRenderer",
+    "JsonRenderer",
+    "BUILTIN_RENDERERS",
+    "resolve_renderer",
+    "known_renderers",
+    "UnknownRenderer",
+    "reward",
+    "RewardVerdict",
+    "RewardLabel",
+    "reward_admit",
+    "AcceptanceAB",
+    "reward_acceptance_ab",
+]

dos/_filelock.py

@@ -0,0 +1,255 @@
+"""Shared O_EXCL file-mutex primitives — the ONE home for "lock + value-keyed steal".
+
+The package grew THREE independent hand-rolled `O_EXCL` mutexes — `archive_lock`
+(the Step-9.5 archive ceremony), `lane_lease._Mutex` (the cross-process lane-grant
+critical section), and `home._home_lock` (the machine-local index) — each with its
+own copy of the same acquire/read/steal logic. When the steal was found to be a
+non-value-keyed TOCTOU (two stealers of one stale lock could each displace the
+other's fresh lock and both come away holding the mutex — a double-grant), the fix
+landed in `archive_lock` ONLY, leaving the two siblings carrying the identical bug.
+That is the "fix one site, the duplicate drifts" failure this module exists to end.
+
+So the steal CAS and the O_EXCL write live HERE, parameterized on the lock path, and
+every mutex routes through them — making the naive `unlink()` + `O_EXCL-create` steal
+**unrepresentable** rather than a per-site choice. This is a Layer-1 leaf: pure
+stdlib + a `Path`, no host names, no config, no policy. Each caller still owns its
+own *path resolution* (env override + config seam) and its own retry/TTL policy; only
+the three atomic FS ops — write, read, steal — are shared.
+
+The discipline these encode:
+  * `write_lock`  — atomic `O_CREAT|O_EXCL` create; raises `FileExistsError` if held.
+    The ONLY way a lock is born, so "two writers both think they created it" cannot
+    happen (the kernel serializes O_EXCL).
+  * `read_lock`   — parse a lock file's `key: value` body to a dict (None if absent).
+  * `steal_stale` — a **value-keyed compare-and-swap**: rename the lock to a unique
+    temp, verify the grabbed content IS the stale lock the caller observed (else
+    restore-on-mismatch and concede), then drop it and O_EXCL-create. Only the actor
+    that displaces the EXACT stale lock it saw wins; a racer that already stole +
+    recreated is detected and conceded to. Two concurrent stealers → exactly one owner.
+"""
+from __future__ import annotations
+
+import datetime as dt
+import os
+import random
+import sys
+import time
+from pathlib import Path
+
+
+# ACCESS_DENIED / SHARING_VIOLATION / LOCK_VIOLATION — the three MoveFileEx
+# replace-over-an-open-handle codes seen on win32 (the last from AV/indexer
+# byte-range locks). Only these are retried by `atomic_replace`; any other
+# OSError re-raises at once.
+_REPLACE_RETRY_CODES = (5, 32, 33)
+
+
+def atomic_replace(
+    src: os.PathLike | str,
+    dst: os.PathLike | str,
+    *,
+    budget_s: float = 3.0,
+    base_s: float = 0.05,
+    cap_s: float = 0.4,
+    _stderr=None,
+) -> None:
+    """`os.replace(src, dst)` with bounded exp-backoff retry on win32 rename races.
+
+    The ONE retry-hardened replace the package's atomic-write sites share
+    (`home._atomic_write_jsonl`, `home._write_card`, `run_id.write_run_json`) —
+    it belongs beside the O_EXCL write/read/steal primitives because it is the
+    same class of atomic FS op, parameterized on a path and carrying no policy.
+
+    On win32 `os.replace` -> `MoveFileEx` raises WinError 5 (ACCESS_DENIED) / 32
+    (SHARING_VIOLATION) / 33 (LOCK_VIOLATION) whenever ANY other process holds an
+    open handle to the DESTINATION during the rename — a lock-skipping reader, a
+    `dos top` tail, `git add`, an AV/Search-indexer/OneDrive scan. A bare
+    `os.replace` has NO retry, so the FIRST such collision kills the write
+    mid-ceremony. This bounds-retries only on `_REPLACE_RETRY_CODES`, and only
+    until `budget_s` elapses; any other OSError (or a non-Windows error, where
+    `winerror is None`) re-raises immediately, so on POSIX it degrades to exactly
+    one attempt (os.replace already overwrites atomically under open readers
+    there). A one-line WARN is emitted before each backoff sleep so a foreign
+    handle held LONGER than the budget is visible in the log rather than silently
+    absorbed and then crashing opaquely. Pure stdlib (os/time/random) — the
+    kernel "PyYAML-only" litmus holds.
+    """
+    stderr = _stderr if _stderr is not None else sys.stderr
+    deadline = time.monotonic() + budget_s
+    attempt = 0
+    while True:
+        try:
+            os.replace(src, dst)
+            return
+        except OSError as e:
+            attempt += 1
+            winerr = getattr(e, "winerror", None)
+            if winerr not in _REPLACE_RETRY_CODES or time.monotonic() >= deadline:
+                raise
+            sleep_s = min(base_s * (2 ** (attempt - 1)), cap_s) + random.uniform(0, 0.02)
+            print(
+                f"dos: warning: atomic replace onto {os.fspath(dst)} hit WinError "
+                f"{winerr} (attempt {attempt}); a reader/scan holds it open — "
+                f"retrying in {sleep_s:.2f}s",
+                file=stderr,
+            )
+            time.sleep(sleep_s)
+
+
+def unlink_retry(
+    path: os.PathLike | str,
+    *,
+    budget_s: float = 1.0,
+    base_s: float = 0.02,
+    cap_s: float = 0.2,
+    _stderr=None,
+) -> bool:
+    """`os.unlink(path)` with bounded exp-backoff retry on the win32 open-handle races.
+
+    The release-side sibling of `atomic_replace`. On win32, deleting a file ANY other
+    process holds open raises WinError 5/32/33 (ACCESS_DENIED / SHARING_VIOLATION /
+    LOCK_VIOLATION) — the same MoveFileEx-family codes — so a bare `lock.unlink()` to
+    DROP a mutex can spuriously raise the instant a racing acquirer has the lock file
+    open mid-read/mid-steal. A dropped release then leaks the lock until its TTL, and a
+    raised release crashes the caller's `finally`. This retries only those codes within
+    `budget_s`; a missing file is success (the lock is already gone — the goal). Any
+    other OSError, or a POSIX error where `winerror is None`, re-raises at once (POSIX
+    unlink under an open handle succeeds anyway, so it degrades to one attempt there).
+    Returns True if the file is gone (unlinked or already absent), False only if the
+    budget elapsed with the handle still held — the caller treats that as "left for the
+    TTL to reap", never a crash. Pure stdlib — the kernel "PyYAML-only" litmus holds.
+    """
+    stderr = _stderr if _stderr is not None else sys.stderr
+    deadline = time.monotonic() + budget_s
+    attempt = 0
+    while True:
+        try:
+            os.unlink(os.fspath(path))
+            return True
+        except FileNotFoundError:
+            return True  # already gone — the release goal is met
+        except OSError as e:
+            attempt += 1
+            winerr = getattr(e, "winerror", None)
+            if winerr not in _REPLACE_RETRY_CODES:
+                raise
+            if time.monotonic() >= deadline:
+                print(
+                    f"dos: warning: could not unlink {os.fspath(path)} (WinError "
+                    f"{winerr} — a reader/scan holds it open); leaving it for TTL reap",
+                    file=stderr,
+                )
+                return False
+            sleep_s = min(base_s * (2 ** (attempt - 1)), cap_s) + random.uniform(0, 0.01)
+            time.sleep(sleep_s)
+
+
+def now_iso() -> str:
+    """The lock-body timestamp format every mutex stamps (`acquired_at`)."""
+    return dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+
+def lock_body(owner: str) -> str:
+    """The canonical lock-file body: owner + acquired_at + pid, one `key: value` per line.
+
+    Centralized so the steal CAS's value-comparison (owner + acquired_at) reads the
+    same fields every writer stamps. A caller that needs extra fields may append, but
+    these three are the contract `steal_stale` keys on."""
+    return f"owner: {owner}\nacquired_at: {now_iso()}\npid: {os.getpid()}\n"
+
+
+def read_lock(path: Path) -> dict | None:
+    """Parse a lock file's `key: value` body into a dict; None if absent/unreadable.
+
+    The single parser the canonical read AND the steal CAS share (so the value the
+    CAS compares is read the same way the holder wrote it). Never raises."""
+    if not path.exists():
+        return None
+    try:
+        contents = path.read_text(encoding="utf-8")
+    except OSError:
+        return None
+    info: dict = {}
+    for line in contents.splitlines():
+        if ":" in line:
+            k, _, v = line.partition(":")
+            info[k.strip()] = v.strip()
+    return info
+
+
+def write_lock(path: Path, owner: str) -> None:
+    """Atomic `O_CREAT|O_EXCL` create. Raises `FileExistsError` if the lock is held.
+
+    The ONLY way a lock comes into existence — O_EXCL is the kernel-serialized
+    primitive that guarantees exactly one creator. `mkdir(parents=True)` first so a
+    fresh `.dos/` tree doesn't fail the create."""
+    path.parent.mkdir(parents=True, exist_ok=True)
+    fd = os.open(str(path), os.O_WRONLY | os.O_CREAT | os.O_EXCL)
+    try:
+        os.write(fd, lock_body(owner).encode("utf-8"))
+    finally:
+        os.close(fd)
+
+
+def steal_stale(path: Path, owner: str, stale: dict) -> bool:
+    """Atomically steal the SPECIFIC stale lock `stale` at `path` for `owner`. True iff WON.
+
+    `stale` is the lock-info dict the caller just `read_lock`'d — the exact stale lock
+    it decided to steal. Stealing is a **compare-and-swap keyed on that identity**
+    (owner + acquired_at), not on the path alone — which is what closes the TOCTOU the
+    naive `unlink()` + `write_lock()` had: there, the unlink took no owner and re-read
+    nothing, so two stealers of one stale lock could each unlink the other's fresh lock
+    and O_EXCL-create onto the emptied path — both believed they held the mutex.
+
+    The CAS, three steps, each an atomic FS op:
+      1. `os.rename` the lock to a per-stealer UNIQUE temp (atomic; a stealer that
+         already moved the inode makes ours raise → we lost → return False/retry).
+      2. **Verify the temp's content IS the stale lock we observed.** A path-only
+         rename is insufficient: a racing stealer that already stole + RE-CREATED a
+         fresh lock would have ours move *their* fresh lock — so on a mismatch we
+         atomically PUT IT BACK (rename temp→path) and concede. This value check is
+         what makes it a true CAS: we only ever displace the stale lock, never a
+         winner's live one.
+      3. Drop the verified-stale temp and O_EXCL-create our own. A racer that
+         re-created the lock in the residual window makes the O_EXCL raise
+         FileExistsError → we lost → return False without clobbering theirs.
+
+    Every failure path returns False and leaves the FS consistent (displaced lock
+    restored, or our temp cleaned up); only a clean win returns True. A unique temp
+    name (pid + monotonic_ns) keeps concurrent stealers from colliding on the temp.
+    """
+    tmp = path.parent / f".{path.name}.steal.{os.getpid()}.{time.monotonic_ns()}"
+    stale_owner = str((stale or {}).get("owner", ""))
+    stale_at = str((stale or {}).get("acquired_at", ""))
+    try:
+        os.rename(str(path), str(tmp))  # step 1: claim whatever is at the path, atomically
+    except (FileNotFoundError, OSError):
+        return False  # already moved/removed by another stealer — we did not win
+    # Step 2: CAS check — is what we grabbed the stale lock we MEANT to steal?
+    grabbed = read_lock(tmp)
+    grabbed_owner = str((grabbed or {}).get("owner", ""))
+    grabbed_at = str((grabbed or {}).get("acquired_at", ""))
+    if grabbed_owner != stale_owner or grabbed_at != stale_at:
+        # Grabbed a DIFFERENT lock than observed — a racer already won + recreated.
+        # Put it back atomically and concede; if the restore loses to yet another
+        # racer, drop our temp. Never co-own.
+        try:
+            os.rename(str(tmp), str(path))
+        except OSError:
+            try:
+                os.unlink(str(tmp))
+            except OSError:
+                pass
+        return False
+    # Step 3: it WAS the stale lock — drop it and O_EXCL-create our own.
+    try:
+        os.unlink(str(tmp))
+    except OSError:
+        pass
+    try:
+        write_lock(path, owner)
+    except FileExistsError:
+        # A racer re-created the lock between our verified rename and our create.
+        # We lost — do NOT clobber theirs.
+        return False
+    return True

dos/_job_policy.py

@@ -0,0 +1,97 @@
+"""dos._job_policy — the reference app's STRUCTURAL lane fallback, as a leaf.
+
+This is the domain-free **structural fallback** taxonomy: only the exclusive
+lanes (``orchestration`` / ``global``), no curated work-lane trees. The
+authoritative work-lane taxonomy is NOT here — it lives in the consumer repo's
+``dos.toml [lanes]`` (read by ``job_config`` via ``load_workspace_config``). This
+literal stands in only when a workspace has no ``[lanes]`` declaration (a foreign
+checkout, a test tmp_path).
+
+History: this module held the full job domain taxonomy (``apply`` / ``tailor`` /
+``discovery`` / ``recruiter`` / … with job-specific file globs). That was
+userland policy baked into the kernel package — the layering wart the
+``dos.drivers.job`` docstring called out (2026-06-01 audit). It first moved here
+from ``dos.config`` (the "third home both layers may import" relocation); then on
+2026-06-06, per dos/119 + the dynamic-claim-area model, the domain names and
+their globs were removed entirely (a lane is a HANDLE resolving to a derived
+per-pick claim, not a curated tree — ``--scope apply`` resolves via the host's
+``_dynamic_claim_space``). What remains is the structural fallback only. See
+``docs/_design/kernel-userland-taxonomy-split-2026-06-06.md`` in the consumer repo.
+
+Layer position: it imports ONLY ``LaneTaxonomy`` (the domain-free dataclass) from
+``dos.config``, and nothing else from the package. ``dos.config.job_config`` reads
+this literal back via a **lazy import inside the function body** (not a module-top
+import), so there is no module-load cycle: ``_job_policy`` statically depends on
+``config`` (for the class); ``config`` depends on ``_job_policy`` only at
+``job_config()`` *call* time. ``dos.drivers.job`` (layer 4) re-exports from here,
+so the public import surface is ``from dos.drivers.job import JOB_LANE_TAXONOMY``
+while the kernel core (``dos.config``) no longer *defines* the domain taxonomy.
+
+The de-clustering (2026-06-02, operator directive "delete the cluster concept,
+it's bad"): ``concurrent`` and ``autopick`` are **empty**. The kernel arbiter
+(`dos.arbiter.arbitrate`) admits concurrency purely by tree-disjointness
+(`DisjointnessPredicate`) — it never consults ``concurrent``; that tuple only fed
+the legacy bare-walk fallback and the TUI/`man lane` display. So an empty
+``concurrent`` does NOT serialize anything: two disjoint lanes still both acquire.
+And ``autopick=()`` means a bare request no longer auto-picks a privileged trio —
+the host supplies an explicit priority-first ``auto_pick_order`` (built from its
+``dispatch_lane_priority`` ladder), so a bare loop picks the top-priority pickable
+plan's lane.
+
+The dynamic-claim-area step (2026-06-06, dos/119): ``trees`` no longer carries the
+work-lane regions either. ``--scope apply`` does NOT look up a curated
+``trees["apply"]`` — the host resolves it to the narrow per-pick footprint via
+``_dynamic_claim_space``. So ``trees`` here holds ONLY the ``global`` exclusive
+lane's region (``**/*``). ``orchestration`` is declared exclusive but carries NO
+tree: exclusive lanes are EXEMPT from ``config_lint.LANE_WITHOUT_TREE`` (the
+arbiter admits them on liveness alone, never a tree — ``config_lint.py`` only
+checks ``concurrent``/``autopick`` members), and ``tree_for`` returns ``[]``
+cleanly for it. The host phased-plan globs that used to sit on ``orchestration``
+(``scripts/next_up*.py``/``scripts/replan_*.py``/``docs/_plans/``) were userland
+policy — they belong in the consumer repo's ``dos.toml [lanes.trees]``, not in
+this kernel leaf — and were reaped 2026-06-08 (the userland-coupling audit; see
+``docs/_audits/USERLAND_REAP_AUDIT_2026-06-08.md``). ``aliases`` is empty (the
+``ff``/``recruiter``/``ui``/``auth`` self-aliases were userland and are gone).
+The authoritative job taxonomy is the consumer repo's ``dos.toml [lanes]``; this
+literal is the structural fallback.
+"""
+
+from __future__ import annotations
+
+from dos.config import LaneTaxonomy
+
+# The reference userland app's STRUCTURAL lane fallback — domain-free, NOT the
+# authoritative taxonomy. The authoritative work-lane taxonomy now lives in the
+# consumer repo's `dos.toml [lanes]` (read by `job_config` via
+# `load_workspace_config`); this literal is only the fallback used when a
+# workspace has no `[lanes]` declaration (a foreign checkout, a test tmp_path).
+#
+# dos/119 + DCA (dynamic-claim-area): a lane is a HANDLE that resolves to a
+# derived per-pick CLAIM, not a curated tree. So there are NO curated work-lane
+# trees here anymore — the domain names (apply/tailor/discovery/recruiter/fleet/
+# ui/auth) and their job-specific globs (`agents/apply_*.py`, `go/internal/ui/`,
+# …) were userland policy that does not belong in this kernel package; they were
+# removed 2026-06-06 (see `docs/_design/kernel-userland-taxonomy-split-2026-06-06.md`
+# in the consumer repo). `--scope apply` now resolves dynamically via the host's
+# `_dynamic_claim_space` (the narrow per-pick footprint), never a curated tree.
+#
+# What remains is structural ONLY: the two exclusive lanes, which run ALONE and
+# never enter the disjointness algebra. Only `global` carries a tree (`**/*`);
+# `orchestration` carries NONE — exclusive lanes are exempt from the
+# `LANE_WITHOUT_TREE` lint (the arbiter admits an exclusive lane on liveness
+# alone), so a tree-less `orchestration` is correct and `tree_for` returns `[]`
+# for it. The host phased-plan globs it used to carry
+# (`scripts/next_up*.py`/`scripts/replan_*.py`/`docs/_plans/`) were userland
+# policy that does not belong in this kernel leaf; the consumer declares them in
+# its own `dos.toml [lanes.trees]`. `concurrent`/`autopick` are empty
+# (de-clustered 2026-06-02): concurrency is gated by tree-disjointness alone;
+# bare auto-pick is priority-first via the host's ladder.
+JOB_LANE_TAXONOMY = LaneTaxonomy(
+    concurrent=(),
+    exclusive=("orchestration", "global"),
+    autopick=(),
+    trees={
+        "global": ("**/*",),
+    },
+    aliases={},
+)