Hardening
Overview
Boardroom includes a hardening layer that ensures artifacts are deterministic, auditable, and recoverable. This is not optional polish - it is load-bearing infrastructure for reliable deliberation.
Deterministic accounting
All costs are tracked in cost_usd_micros (microUSD, where 1 micros = $0.000001). This avoids floating-point drift that accumulates across members and rounds.
Per-member costs are recorded individually and summed for the run total. The memo frontmatter renders cost from the canonical state, not from a separate calculation.
Duration is tracked as elapsed_ms and computed from started_at / closed_at timestamps. The memo renders duration from this canonical value.
Lifecycle statuses
Every run has an explicit terminal status:
| Status | Meaning |
|---|---|
initialized | Run created, not yet started |
running | Deliberation in progress |
closing | End deliberation called, collecting final votes |
closed | Completed normally |
aborted | Terminated due to timeout or error |
failed | Unrecoverable error during deliberation |
superseded | Replaced by a newer run for the same brief |
There is no ambiguous “done” status. A run is either in a known active state or a known terminal state.
No absolute paths
All artifact paths are stored as repo-relative paths. The path validation system rejects absolute paths at write time. This ensures artifacts are portable and do not leak machine-specific information.
Paths are normalized to forward slashes and validated against the repository root.
Schema versioning
State files include an artifact_version field. When the state schema changes, the version increments. Older state files are migrated automatically on load.
This allows the system to evolve without breaking existing artifacts.
Atomic writes
State files are written atomically - written to a temporary file first, then renamed to the final path. This prevents corruption if the process is interrupted during a write.
Orphan recovery
If a run is abandoned (process crash, timeout, or operator abandonment), it enters a stale state. The recovery system detects runs that have not been updated for 10+ minutes and marks them as aborted.
When a new run starts for a brief that has existing open runs, older runs are marked superseded. This prevents zombie runs from accumulating.
Recovery runs automatically at session start. No operator intervention is required.
Memo rendering
The memo is rendered as a pure function of the canonical final state. Frontmatter values (cost, duration, run identity, paths) are derived from state.json, not computed independently. This ensures the memo cannot drift from the authoritative state.
What this means in practice
- Every deliberation produces artifacts you can trust
- Costs will not drift or accumulate errors
- Runs will not silently linger in ambiguous states
- Paths will not leak local machine information
- State files will not corrupt on interruption
- Abandoned runs will be cleaned up automatically