Resolve XoxdWM shared-lane reachability on tinyland-nix

[Jesssullivan]

Downstream tracker: Jesssullivan/XoxdWM#11
Merged downstream evidence PR: Jesssullivan/XoxdWM#34
Linear: https://linear.app/tinyland/issue/TIN-592/prove-xoxdwm-shared-tinyland-nix-runner-reachability

Jesssullivan/XoxdWM has moved its non-hardware self-hosted Nix workflows away from the stale repo-shaped xoxdwm-nix label and onto the shared GloriousFlywheel tinyland-nix capability label.

Evidence from Jesssullivan/XoxdWM on 2026-04-25:

• PR feat(runners): add L40S and A100 GPU runner types #34 merged into main at merge commit 28e8073351980991390d7cd832e72aebe830efb5; its head was 72ba290c6db5d2e6923bc0c38377ede359f0b3f5.
• PR feat(dashboard): Caddy mTLS/Tailscale reverse proxy sidecar #35 merged the Dell host-evidence boundary at merge commit 4f60a0fdff5f8064275301e1e5131946a4f9fe1c.
• XoxdWM self-hosted fast/VR lanes are intentionally skipped unless both USE_SELFHOSTED=true and GF_SHARED_RUNNERS_REACHABLE=true are set.
• Hosted GitHub Actions critical lanes were green before merge: CI, Nix Build & Cache, Native Dependencies (wlroots + sway), Rocky Linux Test, Monado Companion RPM, x86_64 multi-arch, aarch64/s390x cross-builds, NixOS VM integration, and Greptile Review.
• Local XoxdWM validation in the mini-sprint included git diff --check, just truth-lint 18/18, nix flake check --no-build, workflow YAML parse, just --list, and earlier full repo test evidence.

Measured runner state on 2026-04-25:

• Jesssullivan/XoxdWM repo variables include USE_SELFHOSTED=true and USE_VR_HARDWARE=false.
• GF_SHARED_RUNNERS_REACHABLE is not set in Jesssullivan/XoxdWM.
• repos/Jesssullivan/XoxdWM/actions/runners reports zero accessible repo-level self-hosted runners.
• orgs/tinyland-inc/actions/runners shows one online runner, xoxd-bates, labeled self-hosted, macOS, ARM64, darwin; it is not tinyland-nix and is not a Linux Nix lane.
• tinyland-inc runner group Default visibility all has xoxd-bates; the selected runner group is empty.
• Dispatching XoxdWM runner-health.yml now would run hosted Linux and would not prove shared tinyland-nix reachability.

GloriousFlywheel boundary:

• Do not recreate xoxdwm-nix as a repo-scoped runner lane.
• Do not introduce XoxdWM-specific runner labels.
• Keep the workflow-facing contract on shared capability classes such as tinyland-nix.
• Treat remaining queue/reachability state as shared-lane owner-boundary / GitHub App scope / ARC control-plane reachability debt.

Desired fix:

• Decide and execute the compliant owner-boundary / GitHub App scope / ARC registration path that lets Jesssullivan/XoxdWM truthfully reach the shared tinyland-nix lane when the opt-in flags are enabled.
• If that cannot be done yet, keep XoxdWM blocked from counted shared-runner authority rather than papering over it with repo-shaped runner infrastructure.

Acceptance:

• An XoxdWM self-hosted Nix job starts on an actual shared tinyland-nix runner when USE_SELFHOSTED=true and GF_SHARED_RUNNERS_REACHABLE=true are set.
• No XoxdWM repo-scoped runner set or XoxdWM-specific runner label is introduced.
• The GloriousFlywheel enrollment queue stays honest about XoxdWM until that proof exists.

[Jesssullivan]

Downstream XoxdWM update after Jesssullivan/XoxdWM#34 head 8a9bb35:

• XoxdWM has confirmed the migration away from stale xoxdwm-nix labels.
• Fresh PR feat(runners): add L40S and A100 GPU runner types #34 jobs now request tinyland-nix.
• They still show no assigned runner (runner_name=null / no runner name in the jobs API).
• Hosted/Rocky package lanes are running or green on the same head; local XoxdWM validation remains green.

This keeps the blocker scoped here as shared-lane reachability / owner-boundary / GitHub App scope / ARC registration. XoxdWM should not recreate repo-shaped xoxdwm-* runner labels to paper over it.

[Jesssullivan]

XoxdWM consumer-side update from PR #34 head 19b0cec717fdd59ee00338d2102ee2c5f3bea868:

• XoxdWM now gates shared-runner use behind both USE_SELFHOSTED=true and GF_SHARED_RUNNERS_REACHABLE=true.
• Hosted-capable XoxdWM jobs no longer resolve tinyland-inc/GloriousFlywheel/.github/actions/setup-flywheel directly; they use a local hosted-safe ensure-nix consumer shim.
• Hosted fallback lanes are green: CI, Nix Build & Cache, Rocky Linux Test, Native Dependencies, and Monado Companion RPM.
• Multi-arch is green except a still-running hosted Cross-compile aarch64 job. Self-hosted fast/VR jobs are skipped intentionally until the reachability proof exists.

This narrows #413 to the GloriousFlywheel-owned contract proof: make GF_SHARED_RUNNERS_REACHABLE=true meaningful for Jesssullivan/XoxdWM by proving repo enrollment / GitHub App scope / ARC runner assignment for tinyland-nix from that repository boundary.

[Jesssullivan]

Downstream XoxdWM update from Jesssullivan/XoxdWM#34 head 794af712b35614721035d1792e775c64ce8dee5f:

• XoxdWM no longer selects tinyland-nix from PR jobs unless both USE_SELFHOSTED=true and GF_SHARED_RUNNERS_REACHABLE=true are set.
• Hosted-capable jobs keep using the local hosted-safe ensure-nix consumer shim; they do not directly resolve private/external GloriousFlywheel actions before fallback can apply.
• Self-hosted fast/VR lanes are intentionally skipped on the current head.
• Secondary aarch64 and s390x cross-builds are now bounded informational hosted lanes, not runner-reachability proof.

That leaves this issue as the right owner for proving when GF_SHARED_RUNNERS_REACHABLE=true is truthful for Jesssullivan/XoxdWM: repo enrollment / GitHub App scope / ARC runner assignment for the shared tinyland-nix capability, without recreating repo-shaped xoxdwm-* runner labels.

[Jesssullivan]

Status refresh from the XoxdWM/linux-xr hygiene pass on 2026-04-25:

• GloriousFlywheel PR Add public-alpha dogfood contract guard #408 is now merged: Add public-alpha dogfood contract guard #408
• The contract/proof checks on that PR were green, with the cross-org canary still intentionally skipped.
• This issue remains open: landing the dogfood contract guard is not the same as proving Jesssullivan/XoxdWM can schedule an opt-in self-hosted Nix job on a real shared tinyland-nix runner.

Current downstream state: XoxdWM PR #34 and PR #35 are merged; XoxdWM #11 remains the downstream tracker for this same shared-runner reachability boundary.

[Jesssullivan]

XoxdWM consumer checkpoint from 2026-04-26:

• Jesssullivan/XoxdWM is clean on main at fca3c4c; latest PR fix(auth): use dynamic imports for @simplewebauthn/browser to fix SSR #43 merge CI passed.
• XoxdWM repo variables remain USE_SELFHOSTED=true and USE_VR_HARDWARE=false; GF_SHARED_RUNNERS_REACHABLE is not set.
• XoxdWM self-hosted fast lanes are therefore still intentionally skipped by design instead of queuing on an unproven shared lane.
• PR Gate RBE sprint authority #437 now shows the core platform proof jobs green for tinyland-docker, tinyland-dind, tinyland-nix, and tinyland-nix-heavy; cross-org canary enrollment remains skipped.

Interpretation: the GloriousFlywheel substrate proof has advanced, but this issue should remain open until the XoxdWM repo boundary has an explicit reachability proof strong enough to set GF_SHARED_RUNNERS_REACHABLE=true without recreating repo-shaped runner labels.

[Jesssullivan]

Follow-up from XoxdWM consumer monitoring:

• PR Gate RBE sprint authority #437 is no longer draft.
• gh pr checks reports all substrate proof/validation checks passing, including tinyland-docker, tinyland-dind, tinyland-nix, and tinyland-nix-heavy.
• The only non-pass item is the skipped Cross-org canary enrollment check.
• GitHub still reports mergeability as UNKNOWN at this moment.

For Jesssullivan/XoxdWM, this is encouraging substrate evidence, but not yet a repo-boundary enrollment proof. GF_SHARED_RUNNERS_REACHABLE should remain unset until the cross-org canary/enrollment path is explicitly proven or waived by policy.

[Jesssullivan]

2026-05-11 owner-boundary refresh:

• Fresh repos/Jesssullivan/XoxdWM/actions/runners check reports total_count=0 and no accessible self-hosted runners.
• Repo variables remain USE_SELFHOSTED=true and USE_VR_HARDWARE=false; GF_SHARED_RUNNERS_REACHABLE is still absent, so the self-hosted fast lanes should remain intentionally skipped.
• The current tinyland-nix and tinyland-nix-compute-expansion lanes help org-scoped Nix capacity, but they do not prove personal-repo visibility from Jesssullivan/XoxdWM.

Keeping #413 open. No XoxdWM canary was dispatched because the repo boundary still cannot see a shared runner, and recreating repo-shaped xoxdwm-* labels remains the wrong fix.

[Jesssullivan]

PR #626 is open with the source-owned owner-boundary proof update and scoped scoreboard check:
#626

It records the current #407/#413/#412 state without live runner mutation. Final post-rebase validation had one live-cluster caveat: ARC/Kubernetes discovery timed out, so the scoreboard now reports that condition explicitly instead of treating it as no ARC control plane.