dev: capture agent-OS control plane notes (round 4 — 50 ideas)

Fourth and largest round of external strategic input from ChatGPT.
50 architectural ideas in ~2,300 lines, formalised under the thesis:

  Roam is a local control plane for autonomous coding agents.
  "Roam helps agents earn the right to change code."

Files:
* dev/chatgpt-paste-2026-05-11.md (raw, ~2,300 lines) — the full
  paste, preserved verbatim for reference.
* dev/agent-os-control-plane-2026-05-11.md (synthesis, ~340 lines):
  - The 5-layer architecture (World Model, Control Plane, Agent
    Runtime, Evidence System, Immune Memory)
  - ChatGPT's top-10 power moves with our codebase status
  - All 50 ideas indexed with built/partial/new flag
  - The 4 category-defining ideas: proof-carrying PRs, attention
    audit, invariant mining, immune memory
  - Integration table — how round 4 SHARPENS R13-R25 rather than
    replacing them
  - 3 new rounds added: R26 (proof-carrying PRs), R27 (law mining),
    R28 (World Model expansion: side-effects + causal + transactions
    + idempotency)
* dev/BACKLOG.md — R26-R28 queued with strategic notes + new
  hero-copy candidates.

Companion writes (auto-memory):
* memory/agent_os_control_plane_2026_05_11.md
* MEMORY.md — ⭐⭐⭐ entry added

The sharpest one-liner of the entire 4-round series:
"Roam helps agents earn the right to change code."

The most-leveraged near-term build identified across all rounds:
R26 — proof-carrying PR bundle. THE differentiator for Phase-2
Roam Review vs CodeRabbit/Greptile/Qodo.

The deepest moat identified across all rounds:
codebase immune memory (#50) — Roam becomes smarter about each
repo the longer agents work in it. Uncopyable.

Author: Cranot

dev/BACKLOG.md

@@ -89,6 +89,40 @@ record → memory*.
 
 ---
 
+## R26–R28 — control plane rounds (2026-05-11, round 4)
+
+ChatGPT round 4 (50 ideas, full capture:
+`dev/agent-os-control-plane-2026-05-11.md`, raw paste preserved at
+`dev/chatgpt-paste-2026-05-11.md`). Round 4 *formalises* rounds
+1-3 under the thesis:
+
+> Roam is a local control plane for autonomous coding agents.
+> *"Roam helps agents earn the right to change code."*
+
+Most of round 4's 50 ideas **sharpen** R13-R25 rather than replace
+them — see the in-repo capture for the integration table. Three
+new rounds added for the genuinely category-defining ideas:
+
+| Round | What | Strategic note |
+|---|---|---|
+| **R26** | **Proof-carrying PR bundle** — every PR ships `{intent, context_read, affected_symbols, risks, tests_required, tests_run, known_non_goals, roam_verdict}`. Review can BLOCK on missing proof. | **THE Roam Review differentiator** vs CodeRabbit/Greptile/Qodo. Phase-2 MVP priority. |
+| **R27** | **Invariant/law mining** — `roam laws mine` discovers repo's unwritten rules from existing code + tests + git history; `git diff \| roam laws check` enforces. | Self-installing constitution. Pairs with R18 + R24. |
+| **R28** | **World Model expansion** — side-effect ledger (#42), causal graph (#41), transaction boundary detector (#43), idempotency detector (#44). | One sprint of structural-graph work; unlocks 4 commands. |
+
+Round-4 also adds new hero-copy candidates worth A/B testing:
+
+- **"Roam helps agents earn the right to change code."** ← sharpest
+- "Roam is a local control plane for autonomous coding agents."
+- (Round 1, still strong) "Agents should not edit blind. Roam is their map."
+
+The 4 category-defining ideas across all 50:
+proof-carrying PRs (R26), agent attention audit (R20 + R16),
+invariant mining (R27), codebase immune memory (R19 + #50).
+Each is *uncopyable* without our graph substrate + MCP session
+tracking.
+
+---
+
 ## Next pickup — pick from ROADMAP
 
 When this queue clears (it has), pull from `ROADMAP.md` in this order:

dev/agent-os-control-plane-2026-05-11.md

@@ -0,0 +1,261 @@
+# Agent-OS control plane notes — 2026-05-11 (round 4)
+
+Fourth and largest round of external strategic input from ChatGPT.
+50 architectural ideas in ~2,300 lines (raw paste preserved at
+`dev/chatgpt-paste-2026-05-11.md`).
+
+This round **formalises** what rounds 1-3 hinted at:
+
+> Roam is a **local control plane for autonomous coding agents**.
+
+Not a CLI. Not a dashboard. Not a PR bot. A control system.
+
+> *"Roam does not help agents write more code. Roam helps agents
+> earn the right to change code."*
+
+That's the sharpest one-liner of the entire 4-round series.
+
+---
+
+## The 5-layer architecture (the framing that survives)
+
+```
+1. World Model       repo graph · effects graph · journey graph · contracts · laws
+2. Control Plane     permissions · risk budget · semantic firewalls · capability escrow
+3. Agent Runtime     sessions · attention audit · run ledger · stop checks · debugging
+4. Evidence System   proof-carrying PRs · test obligations · provenance · review packets
+5. Immune Memory     repo-specific failure patterns · rejected changes · learned laws ·
+                     fragile zones
+```
+
+Five layers cleanly map our existing surfaces:
+
+- **World Model** → 80% built: symbol graph, effects, taint, clusters,
+  layers, clones, co-change, runtime hotspots. Missing: explicit
+  causal-graph layer (#41), side-effect ledger (#42), journey graph (#14).
+- **Control Plane** → 20% built: `roam rules` + soft contract checks
+  exist. Permissions (`roam permit`), risk budget, semantic firewalls
+  are the Phase-0 / R18 / R24 builds.
+- **Agent Runtime** → 50% built: MCP session memory, `agent_contract`
+  block, structured errors. Missing: attention audit (#2), run ledger
+  (R20), stop-condition detector (#49).
+- **Evidence System** → 60% built: `roam pr-analyze`, `roam critique`,
+  CGA attestations. Missing: proof-carrying PR bundle (#1), human
+  review packet (#47), test obligation generator (#18).
+- **Immune Memory** → 0% built. This is round-4's BIGGEST new
+  direction — *the codebase learns from each agent run and prevents
+  future ones from repeating the mistake*. The compounding moat.
+
+---
+
+## ChatGPT's top-10 power moves (the priority shortlist)
+
+| # | Idea | Our status | Effort |
+|---|---|---|---|
+| 1 | **Proof-carrying PRs** — every PR ships a bundle of intent/context-read/risks/tests-run/non-goals + Roam verdict | New | M — high payoff, ties Roam Review tightly to the audit-trail story |
+| 2 | **Agent attention audit** — what did the agent LOOK AT before editing? (catches confident-but-blind agents) | New | M-S — we have file-read tracking signal in MCP session memory; needs aggregation |
+| 3 | **Invariant/law mining** — discover repo's unwritten rules from existing code patterns + tests + history | New | L — research-heavy, but uniquely possible because we have the graph |
+| 4 | **Negative-space detection** — "you added X, in this repo X usually requires Y" (missing auth check, missing test, missing rollback) | New | M — expectation analysis, not static analysis |
+| 5 | **Risk/autonomy budget** — agents get a numeric risk allowance per mode (safe_edit=20, autonomous_pr=50). Each edit consumes from the budget | New | S-M — pairs with R16 agent modes from round 2 |
+| 6 | **Semantic firewalls** — control changes across architectural boundaries (`client/**` cannot import `server/**`) | Partial | S — extends `roam rules` |
+| 7 | **Test obligation generator** — "this change requires these tests; here's why" | Partial | M — extends `roam affected-tests` |
+| 8 | **Codebase immune memory** — long-term learning: failures, rejections, ignored warnings, fragile zones | New | L — the moat |
+| 9 | **Intent-to-diff contract** | = round 2 #11, already queued in R16 | S |
+| 10 | **Human review packet** — pre-digested, evidence-bundled review surface for the human checkpoint | New | M-S — extends `roam pr-comment-render` |
+
+---
+
+## The full 50-item index (condensed, with my read)
+
+Cross-referenced against the codebase + earlier rounds. Notation:
+✅ = mostly built, 🟡 = partial substrate exists, ⬜ = new.
+
+1. ⬜ **Proof-carrying PRs** — see top-10
+2. ⬜ **Agent attention audit** — see top-10
+3. ⬜ **Invariant/law mining** — see top-10
+4. ⬜ **Negative-space detection** — see top-10
+5. ⬜ **Risk/autonomy budget** — see top-10
+6. 🟡 **Semantic firewalls** — extends `roam rules`
+7. ⬜ **Intent-to-diff contract** — = round 2 #11 (R16)
+8. ⬜ **Counterfactual patch planning** — "show me 3 alternative patches before committing"
+9. ⬜ **Patch minimality engine** — "this patch could be 40% smaller; here's the irreducible diff"
+10. ⬜ **Agent self-debugger** — translates failed-test stdout into "likely cause + next tool"
+11. ⬜ **Codebase immune system** — short-term equivalent of #50 (immune memory)
+12. 🟡 **Structural regression tests** — `roam fingerprint` exists; needs gating UX
+13. ⬜ **Human-readable spec diff** — "what changed about how the system behaves"
+14. ⬜ **Behavioral journey graph** — user-journey-level model on top of call graph
+15. 🟡 **Latent coupling detector** — `roam coupling` covers this for co-change; semantic latent coupling is the extension
+16. ⬜ **Change cones instead of file diffs** — visualise blast radius as a cone, not a list
+17. ⬜ **Agent suspicion score** — how likely is this agent's run problematic, before review
+18. ⬜ **Test obligation generator** — see top-10
+19. ⬜ **Repo-specific agent benchmark** — mine bugfix commits, turn them into agent eval tasks. *"Which agent is safe on YOUR codebase?"* Potential paid/cloud feature
+20. ⬜ **Semantic rollback planner** — surgical revert of bad hunks, keep the good
+21. ⬜ **Compatibility oracle** — detects public-API breakage across boundary surfaces
+22. ⬜ **Design pressure detector** — where the architecture is bending under repeated change
+23. ⬜ **Architectural entropy budget** — codebase-level complexity allowance
+24. ⬜ **Local world-model server** — long-running daemon (already noted in `watcher.py:148` as a revisit point per memory)
+25. ⬜ **Assumption tracking** — explicit "this code assumes X" annotations
+26. ⬜ **Question generator** — "here are 4 questions to ask before this PR is safe to merge"
+27. 🟡 **Change provenance graph** — CGA attestations are the substrate
+28. ⬜ **AI change quarantine** — flag + isolate suspect changes during review
+29. ⬜ **Semantic merge for multi-agent coding** — pairs with R21 lease system
+30. 🟡 **Local contract database** — `_DOC_LINKS`/error contracts exist; user-facing-contracts is the extension
+31. ⬜ **"What would break if this was wrong?"** — counterfactual fault propagation
+32. 🟡 **"Do not touch" inference** — `_UTILITY_PATH_PATTERNS` exists; needs to be agent-facing
+33. ⬜ **Codebase constitution compiler** — = round 3 #15 (R24)
+34. ⬜ **Agent capability escrow** — pre-authorise specific edits inside a session
+35. ⬜ **Agent run types as first-class objects** — typed agent operations (exploration vs editing vs reviewing)
+36. 🟡 **Behavior-preserving refactor checker** — `roam simulate` + `roam critique` partial substrate
+37. 🟡 **Agent hallucination detector beyond imports** — `roam critique` catches clones-not-edited; this extends to "calls function that doesn't exist with this signature"
+38. ⬜ **Repository affordance map** — "what CAN you do here? what's idiomatic?"
+39. ⬜ **Nearest existing pattern finder** — "before adding new code, here are 3 similar existing patterns"
+40. ⬜ **Patch as hypothesis model** — every patch is a falsifiable claim; Roam runs the falsification
+41. ⬜ **Causal graph, not just call graph** — see "World Model" gap above
+42. ⬜ **Side-effect ledger** — see "World Model" gap above
+43. ⬜ **Transaction boundary detector** — find atomicity violations across DB + email + cache writes
+44. ⬜ **Idempotency detector** — flag endpoints that should be idempotent but aren't
+45. 🟡 **Security-context propagation** — taint engine is the substrate
+46. 🟡 **Data lineage and privacy flow** — bridges layer can be extended for this
+47. ⬜ **Human review packet** — see top-10
+48. ⬜ **Agent ethics: user-intent protection** — guard against scope drift
+49. ⬜ **Stop-condition detector** — when should the agent STOP and ask
+50. ⬜ **Codebase immune memory** — see top-10. **The moat.**
+
+---
+
+## The 4 truly category-defining ideas (my filter)
+
+Most of the 50 are interesting; these 4 would change the product
+shape:
+
+### A. Proof-carrying PRs (#1)
+> A PR shouldn't just contain code. It should carry a proof bundle:
+> intent, context-read, affected symbols, risks, tests required,
+> tests run, known non-goals, Roam verdict.
+
+This becomes the **type system for AI-generated PRs**. Roam Review
+stops being a commenter and becomes a *gatekeeper*. Pairs perfectly
+with the Phase-2 Roam Review GitHub App MVP — this is the
+*differentiating feature* that's not a copy of CodeRabbit.
+
+### B. Agent attention audit (#2)
+> What did the agent LOOK AT before editing? Catches the
+> "confident but blind" failure mode.
+
+A human reviewer cannot easily know what the agent saw — but Roam
+can, because the MCP session already tracks tool calls. This is
+an **uncopyable advantage** for tools that go through Roam's MCP
+surface vs raw LLM agents.
+
+### C. Invariant/law mining (#3)
+> Mine the repo's unwritten laws from code patterns + tests + git
+> history + naming + boundaries.
+
+Combined with the round-3 graph-aware policy DSL, this is the
+**self-installing constitution**. Most repos won't write
+`.roam/constitution.yml` by hand — but `roam laws mine` populates
+80% of it from existing code.
+
+### D. Codebase immune memory (#50)
+> Long-term: Roam remembers what went wrong, what agents tend to
+> break, what humans rejected, what warnings were ignored, what
+> fixes worked.
+
+This is the compounding loop. Every agent run makes Roam smarter
+about *this specific repo* — and that knowledge is portable across
+agent vendors. **The deepest moat in the series.**
+
+These four + the existing R18 (graph-aware policy) form the
+defensible-by-construction product:
+
+```
+attention audit + proof bundle      ──→  agent earns the right to change code
+graph policy + mined laws           ──→  the law of the repo is machine-readable
+immune memory                       ──→  the law compounds with every run
+```
+
+---
+
+## Integration with existing roadmap (R13-R25)
+
+R13-R17 (round 1-2) and R18-R25 (round 3) already in BACKLOG.
+Round 4 doesn't introduce a parallel R26+ track — instead it
+*sharpens* existing rounds and adds 4 elevated priorities:
+
+| Existing | Sharpened by round 4 |
+|---|---|
+| **R13** agent-OS metadata pass | + `phase` / `risk_cost` per @_tool (for budget #5) |
+| **R14** hero copy | + new one-liner: *"Roam helps agents earn the right to change code."* |
+| **R15** decision engine + agents-md + prompt snippets | + #38 affordance map + #39 nearest-pattern finder + #26 question generator |
+| **R16** agent modes + intent-check + agent-score | + #2 attention audit (the missing piece) + #5 risk budget contract |
+| **R17** Cloud as agent governance | + #19 repo-specific benchmarks ("which agent is safe on YOUR codebase") + #11 immune-system dashboard |
+| **R18** graph-aware policy DSL | + #6 semantic firewalls + #45 security-context clauses |
+| **R19** repo-local memory | + #50 IMMUNE MEMORY (the moat) — the memory store IS the immune-memory substrate |
+| **R20** agent run ledger | + #2 attention audit data + #1 proof bundle assembly |
+| **R21** multi-agent lease | + #29 semantic merge |
+| **R22** confidence contract | + #17 agent suspicion score |
+| **R23** graph versioning | + #22 design-pressure detector + #23 entropy budget |
+| **R24** constitution | + #33 constitution compiler + #25 assumption tracking |
+| **R25+** plugin protocol | + #38 affordance map per framework |
+
+Plus **3 new rounds** for the genuinely novel directions:
+
+| Round | What | Strategic note |
+|---|---|---|
+| **R26** | **Proof-carrying PRs** (#1) — bundle generator + Review-gate logic + JSON schema | THE Roam Review differentiator. Phase-2 MVP feature, not deferrable. |
+| **R27** | **Invariant/law mining** (#3) — research-then-build. `roam laws mine` + `git diff \| roam laws check`. | Pairs with R18 graph-aware policy. Self-installing constitution. |
+| **R28** | **Side-effect ledger + causal graph + transaction boundaries** (#41, #42, #43, #44) — World Model layer expansion | One sprint of structural-graph work; unlocks 4 commands. |
+
+---
+
+## What this rounds adds vs rounds 1-3
+
+Round 4 doesn't replace earlier guidance — it **layers**. The
+hierarchy is now:
+
+```
+Round 1 — positioning             "agents need a map"
+Round 2 — tactical features       4 missing primitives
+Round 3 — architectural framing   agent decision substrate
+Round 4 — control plane / moat    earn-the-right-to-change-code
+```
+
+The most important shift from round 3 to round 4: the moat
+discussion moves from *"graph-aware policy is the differentiator"*
+(round 3) to *"immune memory + proof bundles are the
+compounding moat"* (round 4). Both are true; round 4 is
+longer-horizon.
+
+---
+
+## What to ship next, in priority order
+
+If I had to pick a 3-round sprint that captures the round-4
+upgrade:
+
+1. **R26 — Proof-carrying PR bundle** (Roam Review wedge)
+2. **R19/R50 — Repo-local memory + immune memory** (the moat)
+3. **R18 — Graph-aware policy DSL** (already on track)
+
+R26 is the most-leveraged near-term build because it's the
+differentiator vs CodeRabbit/Greptile/Qodo for the Phase-2 Roam
+Review GitHub App. R19 + #50 is the longer-horizon moat. R18
+remains the structural foundation.
+
+---
+
+## Hero-copy candidates (round 4 additions)
+
+In priority order for A/B testing:
+
+1. > **"Roam helps agents earn the right to change code."**
+2. > Roam is a local control plane for autonomous coding agents.
+3. > Agents are actuators. Roam is the nervous system, immune
+>   system, memory, and law of the codebase.
+4. > Proof-carrying PRs: the agent changed code AND produced evidence
+>   that it understood the blast radius.
+5. > (Round 1, still strong) *Agents should not edit blind. Roam is
+>   their map.*
+
+The #1 line is the sharpest. Worth testing on /pricing and the
+home hero.