Thank you for your interest. Echo-types is a constructive Agda formalisation; contribution discipline reflects the proof-bearing nature of the codebase.
All commits require Developer Certificate of Origin sign-off:
git commit -s -m "feat: ..."
main— protected; only fast-forward from approved PRs.feat/<topic>— feature branches, squash-merge.fix/<topic>— bug-fix branches.
just verifypasses (full Agda type-check pass againstproofs/agda/All.agdaand the test suites).- CHANGELOG.md updated under
[Unreleased]. .machine_readable/6a2/STATE.a2mllast-updatedbumped if the change is significant.- Banned constructs. No new
believe_me,assert_total,postulate,sorry,Admitted,unsafeCoerce, orObj.magicintroduced. Estate-wide policy. - Guardrails are CI-enforced. All
.agdafiles underproofs/agda/**must declare{-# OPTIONS --safe --without-K #-}at the top.tools/check-guardrails.shruns at CI time across every file (regardless ofAll.agdamembership) and fails on: missing--safe/--without-K, escape pragmas (TERMINATING,REWRITE,NO_POSITIVITY_CHECK, etc.),postulatein code, or unsafe primitives (primTrustMe,primEraseEquality,trustMe). TheExploratoryclassification indocs/echo-types/echo-kernel-note.adoconly excusesAll.agdamembership — it does NOT excuse the guardrail. If you need postulates for a demo or earn-back-gate consumer, the file must live outsideproofs/agda/(no current non-guarded path exists; widening the guardrail's allowlist requires a separate design discussion). - EI-2 discipline. Per
.machine_readable/6a2/STATE.a2ml § ei-2, the integration-recipe distinctness investigation is terminated negatively and is not to be reopened. If a change touches that territory, readSTATE.a2ml § ei-2first; theforbidden-rebrandingslist is a hard fence. - Naming traps.
ModeGraded(with trailingd) is canonical; neverModeGrade. SeeSTATE.a2ml § naming-traps.
At least one maintainer review (see MAINTAINERS.adoc). Bridge-module changes (the cross-system bridges in proofs/agda/Echo*Bridge*.agda) need attention because they fix the load-bearing distinctness story; flag them for explicit review.
echo-types follows the estate-wide Tri-Perimeter Contribution Framework (TPCF) — graduated trust without gatekeeping:
- Perimeter 1 — Core Systems (maintainers only). The proof kernel:
proofs/agda/Echo.agda, the identity-claim spine, the bridge modules, theAll.agda/Smoke.agdawiring, and the guardrail tooling. Direct commits by maintainers only. - Perimeter 2 — Expert Extensions (trusted contributors). New proof modules, decoration instances, and ordinal-track slices. Apply via issue → review → merge under the relevant
proofs/agda/path with the build invariant green. - Perimeter 3 — Community Sandbox (open to all). Docs (
.adoc), tutorial walkthroughs, wiki pages,.well-known/content, and spec proposals.
External contributors use the standard fork-and-pull-request workflow: fork the repository, branch from main, run just validate locally (full Agda verify + kernel-guard), and open a PR. Maintainers (Perimeter 1) may commit directly to feature branches. Every PR must keep All.agda + Smoke.agda green under --safe --without-K and introduce no banned constructs (see the pre-merge checklist above).