feat(daemon): loop body wires executeIntent end-to-end (claim → dispatch → heartbeat)

[chitcommit]

Stacked on #106 (feat/meta-executors-registry). Merge #106 first.

Summary

Closes the meta-orchestrator end-to-end loop. The cluster daemon's persistent leader loop now drives claimed Intents through executeIntent (added in #106), which dispatches via the executor registry, applies the second sovereignty gate, and atomically updates cc_intents.status + writes cc_actions_log.

Removes the injected IntentExecutor abstraction from the foundation skeleton — it was a placeholder per ADR-001 out-of-scope, replaced now that the registry exists.

What changed

daemon/loop.ts

• Drops the IntentExecutor interface and markIntentDispatched / completeIntent / failIntent calls from the loop body — those are now owned by executeIntent, which avoids double-driving the state machine.
• Inner loop body: claimNextIntent → executeIntent → classify ExecutorResult → heartbeat → continue.
• Four outcomes are classified distinctly per the spec:

Outcome	ok	replayed	Action
Fresh successful execution	true	false	bump intentsProcessed, reset backoff
Replayed (terminal audit exists)	true	true	bump intentsReplayed, no backoff, no double-count
Sovereignty refusal	false	—	bump intentsRefused, no backoff (steady-state)
Executor error	false	—	bump intentsErrored, bounded exp backoff (1s → 30s cap)

• Sovereignty refusals are identified by the canonical error prefixes emitted by meta/executors/dispatch.ts (sovereignty re-reckon: and sovereignty snapshot stale ...). Refusals are NOT treated as transient faults.
• Leadership lifecycle, lease heartbeats, reclaimStuckIntents, and AbortSignal-driven shutdown via releaseLeadership are preserved from the skeleton.
• New maxIterations option provides a hard safety cap for tests when the queue might drain to empty before reaching maxIntents.

tests/daemon/loop.spec.ts (new)

Real-Neon integration test. Skips without DATABASE_URL. Seeds two real Goals/Plans/Intents against update_obligation_status plus two real cc_obligations rows, then runs runLeaderLoop with maxIntents=2.

Asserts:

• both intents reach status='done'
• each produces exactly one cc_actions_log row (attempt=1, 64-char hex idempotency_key, status='completed', action_type='status_change')
• both cc_obligations rows actually moved to 'deferred'
• cc_node_leases row shows leadership was released on clean exit (node_id NULL, session_id NULL)
• log stream contains intent_heartbeat_before / intent_heartbeat_after pairs and at least one leader_acquired

End-to-end trace

Test ran on Neon project cool-bar-13270800, branch pr-daemon-loop-executes-intents (parent: pr-a-meta-executors-registry):

RUN  tests/daemon/loop.spec.ts
✓ drains two pending intents, writes audit rows, heartbeats, releases on clean exit (1918ms)
Test Files  1 passed (1)
Tests       1 passed (1)

Lease state after clean exit (post-test query):

role                       | node_id | session_id | claimed_at | heartbeat_at | lease_expires_at
meta-orchestrator-leader   | NULL    | NULL       | NULL       | NULL         | NULL

The loop log stream during the run shows the canonical sequence:

leader_acquired → intent_claimed → intent_heartbeat_before → intent_completed → intent_heartbeat_after
                → intent_claimed → intent_heartbeat_before → intent_completed → intent_heartbeat_after
                → (release on maxIntents)

What is NOT in this PR

• No new executors. Mercury / payments / any other intent_type ships separately.
• No production deploy. The systemd unit and VM bootstrap live in feat(daemon): supervisor unit + chittyserv-vm bootstrap (stops before start) #105 (feat/daemon-supervisor-vm-bootstrap). PR feat(daemon): supervisor unit + chittyserv-vm bootstrap (stops before start) #105's entrypoint passes a stub executor; once both feat(meta): extract executor registry, wire executeIntent, ADR-001 amendment (PR-A) #106 and this PR merge, feat(daemon): supervisor unit + chittyserv-vm bootstrap (stops before start) #105 needs a one-line follow-up to drop the stub and rebase. Not in scope here.
• No multi-node coordination beyond single-node leader. The existing single-role lease pattern is preserved.
• No schema additions on cc_intents / cc_actions_log beyond what feat(meta): extract executor registry, wire executeIntent, ADR-001 amendment (PR-A) #106 added. The stop-condition checked: the loop body did NOT need new fields.
• No changes to meta/executors/* or meta/intent.ts::executeIntent. This PR consumes them; it does not refactor them.
• No changes to ActionAgent. ActionAgent's chat path remains independent; both surfaces are siblings consuming the executor registry per ADR-001 amendment.

Validation

• npm run typecheck — clean
• SKIP_INTEGRATION=1 npm test — 15 passed, 13 skipped
• Integration test (above) — passed against real Neon

Test plan

• Real-Neon integration covers the two-intent happy path
• Replay-as-noop and sovereignty refusal paths are explicit branches in the loop with distinct log lines and counters (covered by unit-level reasoning; happy-path integration test exercises the executed branch)
• Follow-up: extend the integration test with a refused intent (requires a stale-snapshot fixture and an actor with sub-autonomous trust) and an errored intent (e.g., obligation_id pointing at a deleted row)

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	chittycommand	56603bc	Jun 04 2026, 12:58 PM

[github-actions]

1. @coderabbitai review
2. @copilot review
3. @codex review
4. @claude review
   Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3f8c5067-67ad-4c8d-88da-c47370abfb84

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/daemon-loop-executes-intents

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.

[chitcommit]

Code review findings (automated)

Critical

• intent_heartbeat_before doesn't actually heartbeat (daemon/loop.ts:269) — log line is named _before but no DB heartbeat is forced before dispatch. Background setInterval(dispatchHeartbeat, ...) doesn't update lastHeartbeat closure variable, leading to misleading naming + an actual gap between claim and first interval tick (up to innerHeartbeatMs, half the lease). For 30s lease this is ~15s gap. Fix: update lastHeartbeat from inside the interval, rename or force synchronous heartbeat. Confidence 88.
• Lease-loss not detected during dispatch (daemon/loop.ts) — dispatchHeartbeat interval logs heartbeat_lost_during_intent when heartbeat returns falsy, but does NOT abort the in-flight executeIntent, does NOT set a flag the outer loop checks, does NOT cancel via AbortController. If a newer leader takes over mid-dispatch, old leader keeps executing → split-brain writes to cc_actions_log under stale leadership. executeIntent's idempotency may save the audit row from duplication but the split-brain write happens. Fix: pass AbortSignal into executeIntent derived from heartbeat success. Confidence 85.

Important

• Sovereignty refusal detection is string-prefix coupling — isSovereigntyRefusal() matches prefixes from meta/executors/dispatch.ts. Any reword silently reclassifies refusals as errors → triggers exponential backoff on valid steady-state outcome. Replace with typed discriminator (result.refusal: true or errorCode: 'sovereignty_refusal') on ExecutorResult. Confidence 86.
• maxIntents semantics changed — Now counts processed + replayed + refused + errored toward cap. Field name suggests "max successful" to readers. Document or rename to maxTerminalOutcomes. Confidence 82.

Suggestion

• The loop branching paths (replayed / refused / errored) have no unit-level test coverage now that IntentExecutor injection was dropped. Add a second integration test seeding an intent with obligation_id pointing at a nonexistent UUID to exercise the error path + backoff.

Confirmed OK

• Backoff bounds: 1s → 30s cap, reset on success/replay/refusal ✓
• Test cleanup + SIGTERM releaseLeadership on maxIntents ✓

[github-actions]

1. @coderabbitai review
2. @copilot review
3. @codex review
4. @claude review
   Adversarial review request: evaluate security, policy bypass paths, regression risk, and merge-gating bypass attempts.

[chatgpt-codex-connector]

To use Codex here, create a Codex account and connect to github.