dos-kernel 0.22.0__py3-none-win_amd64.whl

dos/lane_overlap.py

@@ -0,0 +1,228 @@
+"""Lane-tree overlap policy for `/dispatch-loop` lane arbitration.
+
+A *lane* (a `--scope` cluster, a keyword scope, or a bare plan) owns a set of
+repo-relative path globs — its `tree`. Two lanes are safe to run concurrently
+when their trees barely intersect; the binary "any overlap = refuse" rule was
+provably too tight for narrow keyword lanes whose tree shares a handful of
+incidental files with a cluster's summary glob.
+
+Read this module as a **lock-compatibility function**, not a swim-lane rule: a
+lane is a leased predicate-lock over a region, and the ratio threshold below is a
+*deliberately loosened* compatibility test (strict disjointness was too
+conservative). That reframing — and why it matters for tuning the threshold and
+for the capability-lattice generalization — is `docs/89_the-lane-is-a-region-lock.md`.
+
+The policy is a pure function — list-in, verdict-out — so it is replay-tested
+in isolation (`tests/test_dispatch_lane.py::TestArbitrateSoftOverlap`), the
+same discipline as `scripts/gate_classify.py`.
+
+  >>> overlap_verdict(["playbooks/ats/workday.yaml"], ["agents/apply_*.py"]).verdict
+  <Verdict.ADMIT_SOFT: 'admit_soft'>
+
+  >>> overlap_verdict(["agents/apply_*.py"], ["agents/apply_*.py"]).verdict
+  <Verdict.REFUSE_EXACT_GLOB: 'refuse_exact_glob'>
+
+A lane that shares the *identical* glob with a live lease refuses as a hard
+collision (REFUSE_EXACT_GLOB), checked before the ratio test so a real
+write-surface overlap cannot be diluted to ADMIT by padding the requesting
+tree with private files. This closed the 2026-06-01 TM↔tailor mutual-wedge:
+TM (8 entries, sharing only `agents/tailor_*.py` + `agents/tailor_steps/...`
+with the tailor cluster) scored 2/8 = 25 % ≤ 33 % and SOFT-ADMITTED under the
+ratio alone, while the reverse direction refused — an asymmetry that
+*guaranteed* a wedge. Exact-glob equality is symmetric and kills it.
+"""
+from __future__ import annotations
+
+from dataclasses import dataclass
+from enum import Enum
+
+from dos._tree import norm_tree_prefix as _norm_tree_prefix
+from dos._tree import prefixes_collide as _prefixes_collide
+
+# Ratio threshold: shared/requested above this = refuse. ⅓ is NOT a calibrated
+# soundness bound — it is a STAND-IN that admits a known hazard. The prior-art
+# audit (`docs/114` §A1) is the load-bearing caveat: lane conflict is a *measure*
+# here ("how much of the requested tree shares prefixes"), but 50 years of
+# concurrency control (Gray et al. 1975, *Granularity of Locks*) make
+# lock-compatibility a *boolean predicate* — two writers may share a contended
+# datum ONLY under operation commutativity (O'Neil 1986, escrow), which arbitrary
+# file overwrites lack. So any ⅓ > 0 admits genuine write–write conflicts on the
+# shared remainder (a silent lost-update `verify()` cannot catch — there is no
+# over-claim against git). The value was read off two observed lanes — a narrow
+# keyword lane that should admit (`--scope workday` at 5/16 = 31 %) vs one sharing
+# substantial code with its cluster (`apply-heavy` at 4/10 = 40 %) — i.e. it is an
+# empirical elbow between two examples, not a derived safe bound.
+#
+# Why it is NOT simply flipped to 0 (the audit's first instinct): `docs/114` §F
+# dispositioned that ratio flip as a *detector re-tune* — it trades away the read
+# concurrency ⅓ buys without closing the underlying hazard (two lanes still collide
+# *under any ratio* at the unmediated write moment; DOS is a PDP with no PEP). The
+# sound fix is a real shared/exclusive lock MODE + a glob-intersection disjointness
+# floor enforced at a `dos`-mediated apply-gate, deferred there rather than half-built
+# as a stricter advisory scalar. A workspace that wants the predicate today can set
+# `dos.toml [overlap] ratio_max = 0` (tightening below ⅓ takes effect; loosening above
+# is capped by the floor — `overlap_policy.floor_decision`).
+OVERLAP_RATIO_MAX = 1 / 3
+
+
+class Verdict(str, Enum):
+    """Admission verdict + reason category. Carried as the policy's typed
+    return so the arbiter can render a legible refusal without re-classifying
+    a free-text string."""
+    ADMIT_DISJOINT    = "admit_disjoint"     # no shared prefixes at all
+    ADMIT_SOFT        = "admit_soft"         # shared but under the ratio threshold
+    REFUSE_OVERLAP    = "refuse_overlap"     # shared above the ratio threshold
+    REFUSE_EXACT_GLOB = "refuse_exact_glob"  # both lanes claim an identical glob
+
+
+@dataclass(frozen=True)
+class OverlapDecision:
+    verdict: Verdict
+    shared: int
+    requested: int
+    reason: str
+
+    @property
+    def admissible(self) -> bool:
+        return self.verdict in (Verdict.ADMIT_DISJOINT, Verdict.ADMIT_SOFT)
+
+
+def _exact_glob_collisions(req_tree: list[str], lease_tree: list[str]) -> list[str]:
+    """Requested entries whose normalized prefix EXACTLY equals a lease entry's.
+
+    This is the *hard*-collision detector that the ratio test below cannot
+    see. The ratio test measures *how much* of a lane subsumes another — fine
+    for the incidental case (a narrow keyword lane's specific file falling
+    under a cluster's broad summary glob). But when two lanes name the
+    **identical** glob (`agents/tailor_*.py` on both sides), they are claiming
+    the *same write region*, not incidentally overlapping — and that is a
+    collision at *any* ratio. The bug this closes: a priority plan-lane (TM, 8
+    entries, 6 of them private test files) sharing exactly `agents/tailor_*.py`
+    with a `tailor` cluster lease scored 2/8 = 25 % ≤ 33 % and SOFT-ADMITTED,
+    then the two loops mutually wedged because the reverse direction
+    (tailor 2/3 = 67 %) refused. Exact-glob equality is **symmetric**, so it
+    yields the same verdict in both directions and kills that asymmetry.
+
+    The universal empty prefix (a bare ``**/*`` / ``*.py`` that normalizes to
+    ``""``) is excluded here — a whole-repo glob is handled by the ratio path
+    (it collides with everything, so its ratio is already 100 %); treating it
+    as an "exact glob" would refuse every pair of whole-repo lanes for the
+    wrong reason. Only *named-region* exact matches count.
+    """
+    if not req_tree or not lease_tree:
+        return []
+    lease_exact = {
+        _norm_tree_prefix(p)
+        for p in lease_tree
+        if p and _norm_tree_prefix(p) != ""
+    }
+    if not lease_exact:
+        return []
+    seen: set[str] = set()
+    hits: list[str] = []
+    for r in req_tree:
+        if not r:
+            continue
+        nr = _norm_tree_prefix(r)
+        if nr and nr in lease_exact and nr not in seen:
+            seen.add(nr)
+            hits.append(r)
+    return hits
+
+
+def _shared_count(req_tree: list[str], lease_tree: list[str]) -> int:
+    """Count requested entries that prefix-collide with any lease entry.
+
+    Each requested entry counts at most once regardless of how many lease
+    entries it collides with — symmetric and stable. Prefix collision is the
+    same definition `_tree.lane_trees_disjoint` uses, now shared verbatim via
+    `_tree.prefixes_collide` so the two cannot drift.
+
+    A **leading-glob** entry (`**/*`, `*.py`) normalizes to the empty prefix
+    ``""`` — the *universal* prefix that matches every path. It is KEPT, not
+    dropped: a requested whole-repo glob collides with every lease entry, and a
+    whole-repo lease glob is collided-with by every requested entry. (Only a
+    LITERALLY blank/empty entry — falsy before normalization — carries no path
+    information and is filtered.) This is the fix for the bug where ``**/*`` was
+    truncated to ``""`` and then dropped, making the broadest possible tree read
+    as "touches nothing" and two whole-repo lanes admit concurrently.
+    """
+    if not req_tree or not lease_tree:
+        return 0
+    # Keep the empty prefix when it came from a real (leading-glob) entry; drop
+    # only literally-blank entries that carry no path at all.
+    lease_prefixes = [_norm_tree_prefix(p) for p in lease_tree if p]
+    if not lease_prefixes:
+        return 0
+    shared = 0
+    for r in req_tree:
+        if not r:
+            continue
+        nr = _norm_tree_prefix(r)
+        if any(_prefixes_collide(nr, nl) for nl in lease_prefixes):
+            shared += 1
+    return shared
+
+
+def overlap_verdict(
+    requested_tree: list[str], lease_tree: list[str],
+    *, ratio_max: float = OVERLAP_RATIO_MAX,
+) -> OverlapDecision:
+    """Decide whether a known-tree lane can run alongside a known-tree lease.
+
+    Empty-tree handling is the caller's job (`_lease_blocks` in
+    `fanout_state.py` applies the unknown-blast-radius asymmetry); this
+    function is only for known-vs-known.
+
+      * Any IDENTICAL named glob on both sides → REFUSE_EXACT_GLOB
+        (hard collision, checked first — see `_exact_glob_collisions`; this is
+        symmetric, so it cannot admit-one / refuse-the-other).
+      * No shared prefixes  → ADMIT_DISJOINT.
+      * Shared ≤ ``ratio_max`` of requested tree → ADMIT_SOFT.
+      * Shared > ``ratio_max`` → REFUSE_OVERLAP.
+
+    ``ratio_max`` is the soft-overlap tolerance and defaults to the module
+    constant ``OVERLAP_RATIO_MAX`` (⅓) — so every existing caller is
+    byte-for-byte unchanged. It is a *parameter* (not a hardcode) because the
+    elbow is a calibrated guess, not a theory (`docs/90 §2`): a workspace may
+    declare a different value in ``dos.toml`` ``[overlap] ratio_max`` (folded
+    onto ``SubstrateConfig`` and threaded here by `overlap_policy.PrefixOverlapPolicy`).
+    This is the "thresholds are config, mechanism is kernel" split `liveness`
+    already uses for its windows; the **functional form** (a ratio compare)
+    stays here, and swapping the form entirely is the `overlap_policy` seam.
+    The exact-glob hard floor is INDEPENDENT of ``ratio_max`` — an identical
+    glob is a collision at any tolerance, including 0.
+    """
+    # Hard floor: two lanes naming the same glob claim the same write region.
+    # Checked BEFORE the ratio so a real collision cannot be diluted to
+    # admit by padding the requesting tree with private (non-shared) files.
+    exact = _exact_glob_collisions(list(requested_tree), list(lease_tree))
+    if exact:
+        shared_all = _shared_count(list(requested_tree), list(lease_tree))
+        preview = ", ".join(exact[:3]) + ("…" if len(exact) > 3 else "")
+        return OverlapDecision(
+            Verdict.REFUSE_EXACT_GLOB, shared_all, len(requested_tree),
+            (f"exact-glob overlap: identical glob claimed by both lanes "
+             f"({len(exact)}: {preview}) — same write region, hard collision "
+             "regardless of ratio"),
+        )
+    requested = max(1, len(requested_tree))
+    shared = _shared_count(list(requested_tree), list(lease_tree))
+    if shared == 0:
+        return OverlapDecision(
+            Verdict.ADMIT_DISJOINT, shared, len(requested_tree),
+            "no shared prefixes — fully disjoint",
+        )
+    ratio = shared / requested
+    if ratio > ratio_max:
+        return OverlapDecision(
+            Verdict.REFUSE_OVERLAP, shared, len(requested_tree),
+            (f"overlap too large ({shared}/{len(requested_tree)} = "
+             f"{ratio:.0%} of requested tree shared, threshold "
+             f"{ratio_max:.0%})"),
+        )
+    return OverlapDecision(
+        Verdict.ADMIT_SOFT, shared, len(requested_tree),
+        (f"soft-overlap admit — {shared}/{len(requested_tree)} = "
+         f"{ratio:.0%} of requested tree shared (≤{ratio_max:.0%})"),
+    )

dos/lease_health.py

@@ -0,0 +1,282 @@
+"""lease_health — pure verdicts over lease + child-run liveness facts.
+
+Lifted from the job userland's ``scripts/fanout_state.py`` (MQ3X P2, docs/62).
+Two ``classify`` verdicts in the ``liveness`` / ``health`` mold — facts in, a
+typed verdict out, the clock injected, no I/O:
+
+  * ``classify_lease_health`` — combine a lease's heartbeat age with an
+    already-probed ``activity_state`` into a LANE-LEASE verdict
+    (LIVE / STALLED / ORPHANED_WORKING / DEAD). The host does the FS activity
+    probe and passes the resulting string in; this decides reclaim-vs-keep.
+  * ``classify_child_stall`` — the AST4 child-stall guard: given a child run's
+    log-quiet age, the HEAD-sha delta since the last check, and the archive-sha
+    set, decide ALIVE / DEAD / DOUBLE_ARCHIVE before a /dispatch-loop takeover.
+
+Plus ``parse_iso`` — the minute-OR-second ISO stamp parser the lease stack needs
+(both resolutions the host stamp and a journal ``replay()`` produce). Generic,
+clock-free; lives here because ``classify_lease_health`` is its first kernel use.
+
+Mechanism-not-policy: the TTL / stall windows are job tuning, supplied on a
+frozen ``LeaseHealthPolicy`` (defaults reproduce the job's historical constants);
+the child-stall quiet window is a ``classify_child_stall`` parameter. The
+verdict STRINGS (LEASE_* / CHILD_*) are the kernel's stable vocabulary.
+"""
+from __future__ import annotations
+
+import datetime as _dt
+from dataclasses import dataclass
+
+# --- lease-health verdict vocabulary --------------------------------------
+LEASE_LIVE = "LIVE"
+LEASE_STALLED = "STALLED"
+LEASE_ORPHANED_WORKING = "ORPHANED_WORKING"
+LEASE_DEAD = "DEAD"
+
+# --- child-stall verdict vocabulary ---------------------------------------
+CHILD_ALIVE = "alive"
+CHILD_DEAD = "dead"
+CHILD_DOUBLE_ARCHIVE = "double-archive"
+# A child that is STILL ALIVE (log growing and/or HEAD advancing) but whose
+# every registered pick is already an ancestor of HEAD — i.e. the productive
+# work is durable in git and the continued aliveness is pure waste (the
+# post-commit re-verify / re-commit limit-cycle). The upper skill should
+# TaskStop it and classify the iteration from git ancestry, not keep waiting.
+CHILD_CHURNING = "child-churning"
+
+
+def parse_iso(s: str) -> _dt.datetime | None:
+    """Parse an ISO stamp → aware UTC datetime; None on malformed input.
+
+    Accepts BOTH resolutions the lane stack produces:
+      * minute  ``%Y-%m-%dT%H:%MZ``    — the host stamp, the common case;
+      * second  ``%Y-%m-%dT%H:%M:%SZ`` — what a journal ``replay()`` writes into
+        a reconstructed lease's ``heartbeat_at``.
+    Accepting the second form is FORWARD-SAFETY, not cosmetics: a replay-restored
+    second-resolution ``heartbeat_at`` fed back to a minute-only parser returns
+    None, which makes the TTL backstop silently skip — an immortal-by-TTL lease.
+    The minute branch is tried first so the hot path is unchanged; second is a
+    strict superset, so existing minute-resolution callers are unaffected.
+    """
+    for fmt in ("%Y-%m-%dT%H:%MZ", "%Y-%m-%dT%H:%M:%SZ"):
+        try:
+            return _dt.datetime.strptime(s, fmt).replace(tzinfo=_dt.timezone.utc)
+        except (ValueError, TypeError):
+            continue
+    return None
+
+
+@dataclass(frozen=True)
+class LeaseHealthPolicy:
+    """The TTL + stall windows that separate the lease-health verdicts — policy.
+
+    Defaults reproduce the job's historical constants exactly (LANE_LEASE_TTL =
+    50 min, stall threshold = 8 min), so a caller passing ``DEFAULT_POLICY`` (or
+    nothing) is byte-identical to the pre-lift code.
+
+      ttl_minutes             — past this heartbeat age the lease is unambiguously
+                                DEAD (the hard TTL backstop, wins over activity).
+      stall_threshold_minutes — at or below this, the lease is LIVE; between this
+                                and the TTL the activity probe decides
+                                STALLED-vs-ORPHANED_WORKING.
+    """
+
+    ttl_minutes: float = 50.0
+    stall_threshold_minutes: float = 8.0
+
+    def __post_init__(self) -> None:
+        if self.ttl_minutes < 0 or self.stall_threshold_minutes < 0:
+            raise ValueError("lease-health windows must be non-negative (minutes)")
+
+
+DEFAULT_POLICY = LeaseHealthPolicy()
+
+
+def classify_lease_health(
+    lease: dict,
+    *,
+    now: _dt.datetime,
+    activity_state: str,
+    policy: LeaseHealthPolicy = DEFAULT_POLICY,
+) -> str:
+    """Pure classifier — combine heartbeat age + activity state into a verdict.
+
+    Inputs are the (already-computed) ``activity_state`` and the lease's
+    heartbeat, so the function is unit-testable without any filesystem I/O.
+
+    Returns one of ``LEASE_LIVE`` / ``LEASE_STALLED`` / ``LEASE_ORPHANED_WORKING``
+    / ``LEASE_DEAD``.
+
+      * No timestamp at all → treat as immediately stale (age = inf): a malformed
+        lease must not block forever.
+      * age > ttl → DEAD (hard backstop).
+      * age ≤ stall_threshold → LIVE.
+      * stall_threshold < age ≤ ttl → the activity probe decides:
+          LIVE_DOWNSTREAM / UNKNOWN → ORPHANED_WORKING (never reclaim on missing
+          evidence); QUIET → STALLED (genuinely dead → reclaim).
+    """
+    hb = parse_iso(lease.get("heartbeat_at", "") or lease.get("acquired_at", ""))
+    if hb is None:
+        age_min = float("inf")
+    else:
+        age_min = (now - hb).total_seconds() / 60.0
+    if age_min > policy.ttl_minutes:
+        return LEASE_DEAD
+    if age_min <= policy.stall_threshold_minutes:
+        return LEASE_LIVE
+    if activity_state == "LIVE_DOWNSTREAM":
+        return LEASE_ORPHANED_WORKING
+    if activity_state == "UNKNOWN":
+        return LEASE_ORPHANED_WORKING
+    # activity_state == "QUIET" — genuinely dead.
+    return LEASE_STALLED
+
+
+@dataclass
+class ChildStallResult:
+    """Typed verdict of the AST4 child-stall guard — what /dispatch-loop's upper
+    skill should do before taking over a child /dispatch's Steps 8-9.
+
+    ``verdict`` is one of CHILD_ALIVE / CHILD_DEAD / CHILD_DOUBLE_ARCHIVE /
+    CHILD_CHURNING.
+    ``log_age_seconds`` is how long the log has been quiet (None if absent).
+    ``archive_count`` is the number of archive commits seen for the run-ts.
+    ``shipped_pick_count`` / ``registered_pick_count`` are the ancestry facts
+    that drive the CHURNING verdict (how many of this run's registered picks are
+    already ancestors of HEAD, vs how many it registered). Both 0 on a path that
+    did not supply them, so the churn check is inert unless the caller measured.
+    ``reason`` is a one-line human explanation.
+    """
+
+    verdict: str
+    log_age_seconds: float | None = None
+    log_grew: bool = False
+    new_commit: bool = False
+    archive_count: int = 0
+    archive_shas: list[str] | None = None
+    shipped_pick_count: int = 0
+    registered_pick_count: int = 0
+    reason: str = ""
+
+    def __post_init__(self) -> None:
+        if self.archive_shas is None:
+            self.archive_shas = []
+
+    def to_dict(self) -> dict:
+        return {
+            "verdict": self.verdict,
+            "log_age_seconds": self.log_age_seconds,
+            "log_grew": self.log_grew,
+            "new_commit": self.new_commit,
+            "archive_count": self.archive_count,
+            "archive_shas": self.archive_shas,
+            "shipped_pick_count": self.shipped_pick_count,
+            "registered_pick_count": self.registered_pick_count,
+            "reason": self.reason,
+        }
+
+
+def classify_child_stall(
+    *,
+    log_age_seconds: float | None,
+    last_commit_sha: str | None,
+    current_head_sha: str | None,
+    archive_shas: list[str] | None = None,
+    quiet_window_s: float = 600.0,
+    registered_pick_count: int = 0,
+    shipped_pick_count: int = 0,
+) -> ChildStallResult:
+    """PURE verdict logic for the AST4 child-stall guard. No I/O — every input is
+    a pre-collected fact, the typed verdict is returned.
+
+    Decision order:
+      1. double-archive first — if the child already shipped its archive, the
+         takeover is moot regardless of liveness; reconcile to the child's.
+      2. churn — the child is ALIVE (log grew and/or HEAD advanced) but every
+         registered pick is already an ancestor of HEAD, so the continued
+         aliveness is pure waste; TaskStop it and classify from git ancestry.
+         Checked BEFORE the alive branches precisely because churn IS alive —
+         the only thing separating it from healthy progress is "is the work
+         already shipped", and once that holds the aliveness is definitionally
+         waste. ``shipped_pick_count``/``registered_pick_count`` are the
+         caller's ancestry measurement; a path that does not measure leaves
+         both 0 and this branch is inert (byte-identical to the old behaviour).
+      3. log-grew (a-fail) → alive. A growing log is unambiguous liveness.
+      4. new-commit-since-last-check (b-fail) → alive. The child committed.
+      5. BOTH quiet AND no new commit → dead; takeover may proceed.
+
+    ``quiet_window_s`` default (600s) matches the job's
+    CHILD_STALL_QUIET_WINDOW_SECONDS; override for tests / operator tuning.
+
+    The churn check's kill-safety rests on the caller's ``shipped_pick_count``
+    being NEVER-OVER-counted (a foreign-lane commit in the window must not
+    inflate it); the job's ``ship_oracle.ancestry_ship_count`` guarantees that
+    (it counts only commits whose subject names a registered phase AND that are
+    ancestors of HEAD). With ``shipped < registered`` the verdict falls through
+    to alive — a still-producing child is never killed.
+    """
+    shas = [s for s in (archive_shas or []) if s]
+    if len(set(shas)) >= 2:
+        return ChildStallResult(
+            CHILD_DOUBLE_ARCHIVE, log_age_seconds=log_age_seconds,
+            archive_count=len(set(shas)), archive_shas=shas,
+            shipped_pick_count=shipped_pick_count,
+            registered_pick_count=registered_pick_count,
+            reason=(f"{len(set(shas))} archive commits exist for this run-ts "
+                    f"({', '.join(s[:8] for s in sorted(set(shas)))}) — child "
+                    f"self-recovered and shipped its own archive; reconcile to "
+                    f"the child's artefacts, do NOT produce a competing one."))
+    # (a) log-growth test: a log that grew within the quiet window → alive.
+    log_grew = log_age_seconds is not None and log_age_seconds < quiet_window_s
+    # (b) new-commit test: a commit since the last check → still committing.
+    new_commit = bool(
+        current_head_sha and last_commit_sha
+        and current_head_sha != last_commit_sha
+    )
+    # Churn: alive (by either signal) AND every registered pick already shipped.
+    # registered_pick_count > 0 guards against the no-picks iteration (a drain /
+    # a /replan has nothing to ship, so it can never be "all shipped").
+    work_all_shipped = (
+        registered_pick_count > 0
+        and shipped_pick_count >= registered_pick_count
+    )
+    if work_all_shipped and (log_grew or new_commit):
+        signal = "writing" if log_grew else "committing"
+        return ChildStallResult(
+            CHILD_CHURNING, log_age_seconds=log_age_seconds,
+            log_grew=log_grew, new_commit=new_commit,
+            archive_count=len(set(shas)), archive_shas=shas,
+            shipped_pick_count=shipped_pick_count,
+            registered_pick_count=registered_pick_count,
+            reason=(f"all {registered_pick_count} registered pick(s) are "
+                    f"ancestors of HEAD ({shipped_pick_count} shipped) yet the "
+                    f"child is still {signal} — post-commit churn, not progress; "
+                    f"TaskStop it and classify the iteration from git ancestry."))
+    if log_grew:
+        return ChildStallResult(
+            CHILD_ALIVE, log_age_seconds=log_age_seconds, log_grew=True,
+            archive_count=len(set(shas)), archive_shas=shas,
+            shipped_pick_count=shipped_pick_count,
+            registered_pick_count=registered_pick_count,
+            reason=(f"child log grew {log_age_seconds:.0f}s ago "
+                    f"(< {quiet_window_s:.0f}s quiet window) — still writing, "
+                    f"not stalled."))
+    if new_commit:
+        return ChildStallResult(
+            CHILD_ALIVE, log_age_seconds=log_age_seconds, new_commit=True,
+            archive_count=len(set(shas)), archive_shas=shas,
+            shipped_pick_count=shipped_pick_count,
+            registered_pick_count=registered_pick_count,
+            reason=(f"HEAD advanced {last_commit_sha[:8]} → "
+                    f"{current_head_sha[:8]} since last check — child still "
+                    f"committing, not stalled."))
+    # Both signals quiet → genuinely dead; the takeover precondition holds.
+    age_txt = (f"quiet {log_age_seconds:.0f}s" if log_age_seconds is not None
+               else "log absent")
+    return ChildStallResult(
+        CHILD_DEAD, log_age_seconds=log_age_seconds,
+        archive_count=len(set(shas)), archive_shas=shas,
+        shipped_pick_count=shipped_pick_count,
+        registered_pick_count=registered_pick_count,
+        reason=(f"child genuinely dead: {age_txt} (≥ {quiet_window_s:.0f}s "
+                f"window) AND no new commit since last check — takeover of "
+                f"Steps 8-9 may proceed."))