feat: governance proposal + objection lifecycle

[Skanislav]

Summary

Adds a commitments-only proposal + objection lifecycle to MeetingFactory, then plumbs it all the way through — indexer, typed GraphQL client, agent SDK, frontend hooks, public permalink view, seed data, example script, spec doc — in a single PR so no intermediate state is left half-wired.

This closes the Day 2 sprint finding that blocked the #/o/:orgId/p/:proposalId permalink at the contract layer (no proposal events, no lifecycle). It also unlocks the agent-native story's final beat: an agent can propose a structural change and a human admin can adopt it, and every step is a public, cold-openable link.

Design stance (documented in specs/05-governance-process.md "On-chain Commitments Surface"): IDM rounds, clarifying questions, and integration discussion are coordination — they stay off-chain. What goes on-chain is the audit trail of commitments: who proposed what, who objected when, who adopted or discarded it.

The 5 commits

#	SHA	Scope
1	73bbcfd	contracts: proposal + objection lifecycle on MeetingFactory + 21 forge tests
2	24c988d	hollab-indexing: handlers + schema columns + manifest wiring
3	acd2244	indexing-client + agent-sdk: queries, client methods, governance.createProposal etc.
4	10aa7ac	hola-modern: PublicProposalView, #/o/:orgId/p/:proposalId route, open proposals panel
5	d12222e	seed + example + docs: rename demo org (paperclip → lantern), 3-state proposal seed, propose-tension.ts swap, spec doc section
6	38ea727	simplification: delete executeGovernance + back-compat layer entirely, migrate SeedDemoOrgs._seedOrg and GovernanceMeetingRoom.buildGovernanceCall to create+adopt, drop legacy tension:text column and assembleOrgManifest overload (-417/+205 lines)

Each commit compiles + tests green in isolation; the branch point between "contract + indexer + SDK" (1–3) and "frontend + seed + docs" (4–5) is clean if a future split is ever wanted.

Contract surface

New on MeetingFactory (all additive, no ABI break on existing methods):

struct ProposalRecord  { id, orgId, circleId, proposer, proposerRoleId, tensionHash, changeType, changeData, status, submittedAt, resolvedAt }
struct ObjectionRecord { id, proposalId, objector, concernHash, status, raisedAt, resolvedAt }

function createProposal(orgId, circleId, proposerRoleId, tensionHash, changeType, changeData) → proposalId
function adoptProposal(proposalId) → resultId
function discardProposal(proposalId)
function raiseObjection(proposalId, concernHash) → objectionId
function resolveObjection(objectionId)
function getProposal / getObjection / proposalCount / objectionCount

event ProposalCreated  (proposalId, orgId, circleId, proposer, proposerRoleId, tensionHash, changeType, changeData)
event ProposalAdopted  (proposalId, orgId, resultId, adoptedBy)
event ProposalDiscarded(proposalId, orgId, discardedBy)
event ObjectionRaised  (objectionId, proposalId, objector, concernHash)
event ObjectionResolved(objectionId, proposalId, resolvedBy)

Design calls

1. Auth: createProposal / raiseObjection = any org member. adoptProposal / discardProposal = org admin only. resolveObjection = original objector (withdrawal) OR org admin (integration). The resolvedBy in the event lets UIs distinguish the two paths without a separate status.

2. No adopt-with-unresolved-objections enforcement on-chain. The constitution's objection validity criteria (§5.3.4) are judgment-based; the contract cannot reliably determine them without duplicating the facilitator's role. The event log preserves full auditability. Cheap state-machine invariants are enforced: Draft → {Adopted, Discarded}, Raised → Resolved, no objections on non-Draft proposals, no double-resolve.

3. changeData stored on-chain in the ProposalRecord, not hash-then-resupply. This matches the agent-native UX ("agent proposes now, admin adopts tomorrow from a different wallet without reconstructing the payload"). Typical CreateRole payload is ~300–800 bytes, ~5–15k gas of SSTORE — acceptable for governance frequency.

4. bytes32 content-addresses for tensionHash and concernHash. The contract is indifferent to scheme — keccak256(utf8(rawText)) for inline text, CIDv1 sha256-truncated for IPFS, 0G Merkle root for 0G Storage. Keeps ContentRef polymorphic across backends.

5. uint64 timestamps packed with address in storage — saves a slot per record.

6. _applyChange helper refactor: executeGovernance extracted its decoder body into a private _applyChange(ChangeType, bytes memory) which both the legacy entry point and adoptProposal call. Legacy executeGovernance is unchanged on the ABI and all pre-existing tests still pass — 73 → 94 forge tests.

7. No back-compat layer. Originally shipped with executeGovernance marked @deprecated so the merged WS3 seed and demo flows kept working without edits. Simplified in commit 38ea727 — since nothing is deployed anywhere yet, the legacy path is dead weight. executeGovernance is deleted entirely; createProposal + adoptProposal is the only path to structural change. Seed script and authed meeting room were migrated to the new path in the same commit.

Indexer

apps/hollab-indexing/src/proposals.ts is new — 5 handlers, all persisting purely from event args (no contract reads on the hot path, because ProposalCreated carries bytes changeData unindexed).

ponder.schema.ts additions (append-only; local .ponder needs one reset in dev to pick them up):

• proposal gets orgId, tensionHash, changeType, changeData, changeResultId, resolvedBy — and keeps the legacy tension: text column as empty-string for back-compat
• objection gets concernHash, resolvedBy

Manifest (apps/hollab-indexing/src/api/manifest.ts):

• assembleOrgManifest gains a 6th openProposals param via a backward-compat overload so all 39 existing test call sites keep working unchanged. New route handler queries schema.proposal WHERE orgId=? AND status=0 ordered by submittedAt asc.
• Manifest entries include a path-based permalink (/o/:orgId/p/:id) so agents can follow references without ad-hoc URL construction.
• 5 new test cases in test/manifest.spec.ts: backward-compat default-empty path, row → manifest mapping, permalink shape, ordering preservation, bigint serialization. Manifest suite 39 → 44.

Hand-maintained apps/hollab-indexing/abis/MeetingFactoryAbi.ts — the 5 new events copied in. This file is a recurring papercut (not imported from @hollab-io/contracts); every MeetingFactory ABI change needs a paired update here.

indexing-client + agent-sdk

• PROPOSAL_FIELDS / OBJECTION_FIELDS extended with the new columns. Proposal / Objection types updated to match.
• LIST_PROPOSALS_BY_ORG, LIST_OPEN_PROPOSALS_BY_ORG added. listProposalsByOrg / listOpenProposalsByOrg client methods added.
• Another BigInt episode fixed: LIST_PROPOSALS_BY_CIRCLE.$circleId and LIST_OBJECTIONS_BY_PROPOSAL.$proposalId were both declared as String! against bigint columns — same Day 1 episode as GET_ORGANIZATION / LIST_ROLES_BY_ORG. Both now BigInt!. New queries start life correctly typed.
• queries.spec.ts regression set grows from 4 → 14 asserts, including a new PROPOSAL_FIELDS column-coverage table test so dropping a field from the selection is caught the next time someone touches the schema.
• MOCK_PROPOSAL / MOCK_OBJECTION fixtures in client.spec.ts updated to the new shape so all 42 existing client tests still typecheck.
• GovernanceModule gains: createProposal, adoptProposal, discardProposal, raiseObjection, resolveObjection, listOpenProposalsByOrg, getProposal. Receipt parsing uses viem decodeEventLog so it survives future ABI reordering (the old executeGovernance path assumed topic[3] was the resultId — fine there but not reusable).
• Existing execute method marked @deprecated with a pointer to the new path.

Frontend

New hook file useProposalsFromIndexer.ts:

• useOpenProposalsByOrg(orgId) — Drafts only, submittedAt asc, limit 50
• useProposalFromIndexer(id) — single fetch by composite <processAddress>-<proposalId>
• useObjectionsByProposal(processAddress, proposalId) — raisedAt asc

All three go through the typed indexing-client — zero wagmi, zero RPC. Safe to mount above the auth gate.

New view PublicProposalView:

• Status chip (Draft / Adopted / Discarded) with tone colors
• Change type label derived from the uint8 enum
• Tension hash rendered as the content-address (full text resolution is tied to the IPFS/0G backend decision — follow-up)
• Proposer chip with the existing 🤖 agent allowlist treatment
• Objections list with per-row raised/resolved state and objector chip
• Raw changeData pre-block (developer surface; a decoded render needs the ABI + change-type case analysis, deferred)
• Adopted proposals show their resultId so readers can jump back to the role the proposal created

Composite id resolution: the route carries orgId + proposalId, but the indexer keys proposals by ${processAddress}-${proposalId}. Rather than plumb processAddress through the URL, the view first reads open proposals for the org (the org has at most one MeetingFactory clone) to discover the address, then falls back to a direct getProposal call with the composite id. One extra GraphQL request on cache miss, cleaner than polluting the URL with an address.

Router: useHashRouter gains { page: "publicProposal"; orgId; proposalId }. Parser handles #/o/:orgId/p/:proposalId with the same decodeURIComponent + malformed-fallback pattern as publicRole. App.tsx dispatches the new route in the existing public branch. 3 new tests. useHashRouter suite 16 → 19; hola-modern total 23 → 26.

PublicOrgView: new "Open proposals" section between Members and Roles, rendered when openProposals.length > 0. Links to the permalink via a new onOpenProposal callback, matches the role-card affordance. Shows proposal id + change-type shorthand + proposer chip (🤖 when in allowlist) + tension hash.

Seed + example + docs

SeedDemoOrgs.s.sol:

• Renames the first demo org from paperclip → lantern. Paperclip remains the UX inspiration the sprint doc references (paperclip.ing is a real web2 product we're borrowing posture from), but the demo org should not literally share the name. Lantern: illuminates, warm, shareable, no brand collision in org-tooling space.
• New _seedProposals(lanternId, meetingFactory, agent) appends one proposal in each terminal state on lantern:
  • Adopted: "QA Inspector" role — deployer creates + adopts, flows through _applyChange and appends role feat: governor by OZ + ENS sudbomain #4 to lantern's RoleRegistry
  • Draft + unresolved objection: "Storyteller" role + one raised objection with a keccak256 concernHash
  • Discarded: "Party Planner" role — created then discarded without application
• Resolves the MeetingFactory clone address by reading RoleRegistry.governanceProcess() — cleaner than parsing the MeetingComponentsDeployed event log in Solidity.

propose-tension.ts:

• Swaps from executeGovernance(CreateRole) to the full createProposal + adoptProposal lifecycle. Agent signs createProposal (matches the access model: agent can propose, admin adopts). Admin (anvil account #0) signs adoptProposal via a second wallet client.
• New --draft-only flag stops after createProposal for demos that want to show the adopt step in the UI instead.
• Tension text is hashed via the SDK's default keccak256 path; raw text stays off-chain.
• Polls the manifest until the new role appears in roles[], then prints both the proposal permalink (#/o/:orgId/p/:proposalId) and the org page URL.

specs/05-governance-process.md: new "On-chain Commitments Surface" section. Commitments-vs-coordination stance, event → IDM-step mapping table, content-address discipline, authorization table, non-enforcement reasoning, out-of-scope list (process breakdown, integrative election internals, objection validity tests, Withdrawn status), legacy entry point note.

docs/sprint-agent-native-mvp.md: unblocks the /p/:proposalId carry-over bullet with a pointer to this branch.

Live smoke test

Ran end-to-end against a local anvil:

DeployLocal           → ONCHAIN EXECUTION COMPLETE & SUCCESSFUL
SeedDemoOrgs (lantern) → ONCHAIN EXECUTION COMPLETE & SUCCESSFUL

Verified on-chain state directly via cast call:

• Organization id=2, subname lantern ✓
• proposalCount: 7 ✓ — 3 baseline role creations + 1 agent Election + 3 proposal-state-demo proposals. After commit 38ea727, every role mutation in the seed flows through createProposal+adoptProposal, so every structural change leaves a ProposalRecord on-chain.
• objectionCount: 1 ✓
• roleCount: 4 (baseline 3 + the Adopted "QA Inspector") — proves the adopt path flows through _applyChange and mutates RoleRegistry
• Role feat: governor by OZ + ENS sudbomain #4 = "QA Inspector" with the exact fields from the seed script ✓

Test plan

• forge test — 93 passing (was 73; +20 UnitMeetingFactoryProposals cases after commit 38ea727 dropped the legacy regression test)
• @hollab-io/contracts — forge build clean (only pre-existing erc20-unchecked-transfer warnings on E2EJourney.t.sol)
• hollab-indexing vitest — 44 passing (was 39; +5 openProposals cases)
• @hollab-io/indexing-client vitest — 56 passing (was 46; +10 regression asserts on BigInt! + PROPOSAL_FIELDS coverage)
• @hollab-io/viem-extension vitest — 29 passing (unchanged)
• @hollab-io/agent-sdk vitest — 4 passing (unchanged — the new write methods are thin viem wrappers, covered by the live smoke test + the propose-tension.ts swap)
• hola-modern vitest — 26 passing (was 23; +3 useHashRouter cases for the proposal permalink)
• pnpm check-types — clean across all 4 typechecked packages
• pnpm lint — clean (4 pre-existing react-hooks warnings in hola-modern, 0 errors)
• pnpm build — full monorepo build green, hola-modern production bundle builds to IPFS-ready SPA
• Live smoke test on local anvil: DeployLocal + SeedDemoOrgs both ONCHAIN EXECUTION COMPLETE & SUCCESSFUL, verified lantern.roleCount=4 and "QA Inspector" role exists via cast call
• Reviewer: pull the branch, ./scripts/dev-local.sh + cd packages/contracts && forge script script/SeedDemoOrgs.s.sol --tc SeedDemoOrgs --rpc-url http://127.0.0.1:8545 --broadcast, then:
  • curl http://localhost:42069/agents/2.json | jq '.openProposals | length' → should be 1 (the Draft)
  • curl http://localhost:42069/agents/2.json | jq '.org.roleCount' → should be 4 (original 3 + the Adopted "QA Inspector")
  • Open http://localhost:5173/#/o/2 in incognito → "Open proposals" panel shows 1 Draft with the 🤖 chip wiring
  • Click the Draft proposal → PublicProposalView renders with the objection row in "raised" state
  • Run AGENT_PRIVATE_KEY=0x2a871d0798f97d79848a013d4936a73bf4cc922c825d33c1cf7073dff6d409c6 pnpm --filter @hollab-io/agent-sdk tsx examples/propose-tension.ts 2 → agent proposes, admin adopts, permalink prints
  • Open the printed permalink in a second incognito → renders as Adopted with resultId populated

Follow-ups explicitly out of scope for this PR

• ContentRef polymorphism + IPFS backend decision — the storage backend question (discussed separately: "not yet, plan for IPFS as the default text path and keep 0G for encrypted blobs"). Tension text resolution in PublicProposalView is a one-line hook addition once the backend lands.
• Decoded changeData rendering — the view currently shows the raw hex. Decoding needs a change-type switch and the role ABI; deferred to a dedicated polish pass.
• Authed workspace "Create Proposal" UI — the existing GovernanceView still calls executeGovernance directly. It keeps working (deprecated path), but migrating the authed flow to createProposal + adoptProposal is a separate frontend PR so this one stays reviewable.
• executeGovernance removal — was marked deprecated-but-working in commits 1-5, now deleted entirely in commit 38ea727. No back-compat scaffolding remains.
• Process Breakdown, Integrative Election Process mechanics, objection validity tests, Withdrawn status — coordination concerns or post-MVP expansions. Enumerated explicitly in specs/05-governance-process.md "Out of scope (for now)".

🤖 Generated with Claude Code